RUNDLL Errors after being infected with Vundo Trojan


  • This topic is locked
7 replies to this topic

#1 edjogo2

Posted 02 May 2009 - 07:12 PM

Hello. Yesterday I found out that I had a virus called Vundo. I searched for a fix and found the following one on Symantec:

1. Disable System Restore (Windows Me/XP)
2. Update the virus definitions
3. Restart the computer in Safe mode or VGA mode
4. Scan for and delete the infected files
5. Reverse the changes made to the registry
Click Start > Run.
Type regedit

Then click OK.

Navigate to and delete the following registry entries:

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ATLEvents.ATLEvents\CLSID\"[DEFAULT VALUE]" = "{02F96FB7-8AF6-439B-B7BA-2F952F9E4800}"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ATLEvents.ATLEvents.1\CLSID\"[DEFAULT VALUE]" = "{02F96FB7-8AF6-439B-B7BA-2F952F9E4800}"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Runonce\"*WinLogon" = "[TROJAN FULL PATH FILE NAME] ren time:[RANDOM NUMBER]"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\"*[TROJAN FILE NAME]" = "[TROJAN FULL PATH FILE NAME] rerun"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\"*[TROJAN FILE NAME]" = "[TROJAN FULL PATH FILE NAME]"

Navigate to and delete the following registry subkeys:

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\ActiveState
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{02F96FB7-8AF6-439B-B7BA-2F952F9E4800}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02F96FB7-8AF6-439B-B7BA-2F952F9E4800}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2353FCBC-012D-487B-8BF3-865C0929FBEB}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ATLDistrib.ATLDistrib\CLSID\
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ATLDistrib.ATLDistrib.1\CLSID\
HKEY_USERS\S-1-5-21-2068663838-1736639611-1443527720-500\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2353FCBC-012D-487B-8BF3-865C0929FBEB}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{22E85F2A-4A67-4835-B2C3-C575FE4EC322}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ADOUsefulNet.ADOUsefulNet
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ADOUsefulNet.ADOUsefulNet.1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{22E85F2A-4A67-4835-B2C3-C575FE4EC322}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DE8BDE42-16D9-4CCC-9F4F-1C3167B82F60}
HKEY_CLASSES_ROOT\CLSID\{DE8BDE42-16D9-4CCC-9F4F-1C3167B82F60}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\DPCUpdater.DPCUpdater
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\DPCUpdater.DPCUpdater.1

Exit the Registry Editor.

I did steps 1-4. My antivirus (Norton Antivirus Corporate 9.0.2.1000) found 17 infections of vundo.exe and quarantined them. I deleted them and moved on, but when I got to step 5, I could not find any of the above entries in my registry.

When I restart my computer I get three RUNDLL errors. They are as follows:

Error loading C:\WINDOWS\system32\zasovore.dll The specified module could not be found.
Error loading C:\WINDOWS\system32\lawapuvo.dll The specified module could not be found.
Error loading C:\WINDOWS\system32\rutejera.dll The specified module could not be found.

Everything else seems to work fine, but I'm not sure.

DDS.txt Log:

DDS (Ver_09-03-16.01) - NTFSx86
Run by Ed Gomes at 19:05:00.92 on Sat 05/02/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2039.1290 [GMT -5:00]

AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\WINDOWS\ALCMTR.EXE
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Ed Gomes\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Program Files\iTunes\iTunes.exe
C:\Documents and Settings\Ed Gomes\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceHelper.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\distnoted.exe
C:\Documents and Settings\Ed Gomes\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Ed Gomes\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\SyncServer.exe
C:\Documents and Settings\Ed Gomes\Desktop\dds.scr

============== Pseudo HJT Report ===============

uInternet Settings,ProxyOverride = *.local
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: {8d84d1a4-8663-4777-89fc-d1f5ed86071e} - c:\windows\system32\ziheruso.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: AcroIEToolbarHelper Class: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Google Update] "c:\documents and settings\ed gomes\local settings\application data\google\update\GoogleUpdate.exe" /c
mRun: [High Definition Audio Property Page Shortcut] HDAShCut.exe
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [AlcWzrd] ALCWZRD.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [Acrobat Assistant 7.0] "c:\program files\adobe\acrobat 7.0\distillr\Acrotray.exe"
mRun: [<NO NAME>]
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [vptray] c:\progra~1\symant~1\VPTray.exe
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [90398f75] rundll32.exe "c:\windows\system32\rutejera.dll",b
mRun: [CPM930abce9] Rundll32.exe "c:\windows\system32\lawapuvo.dll",a
mRun: [mokiwaneto] Rundll32.exe "c:\windows\system32\zasovore.dll",s
StartupFolder: c:\docume~1\edgome~1\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobea~1.lnk - c:\windows\installer\{ac76ba86-1033-0000-7760-100000000002}\SC_Acrobat.exe
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} - hxxp://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} - hxxps://www-secure.symantec.com/techsupp/asa/ss/sa/sa_cabs/tgctlsr.cab
DPF: {5D6F45B3-9043-443D-A792-115447494D24} - hxxp://messenger.zone.msn.com/EN-US/a-UNO1/GAME_UNO1.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Notify: igfxcui - igfxdev.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
AppInit_DLLs: c:\windows\system32\lawapuvo.dll,c:\windows\system32\vobaruwi.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SSODL: Aifomp3 - {F477DB2D-0231-4299-9514-3EEFFFB54C06} - c:\windows\system32\audalole.dll
SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\lawapuvo.dll
STS: STS: {ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} - c:\windows\system32\lawapuvo.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
LSA: Notification Packages = scecli c:\windows\system32\vobaruwi.dll

============= SERVICES / DRIVERS ===============

R1 SAVRT;SAVRT;c:\program files\symantec antivirus\savrt.sys [2004-2-9 301200]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2004-6-9 255096]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2004-6-9 242808]
R2 Nero BackItUp Scheduler 4.0;Nero BackItUp Scheduler 4.0;c:\program files\common files\nero\nero backitup 4\NBService.exe [2008-12-5 935208]
R2 SAVRTPEL;SAVRTPEL;c:\program files\symantec antivirus\Savrtpel.sys [2004-2-9 37008]
R2 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec antivirus\Rtvscan.exe [2004-10-6 1275216]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20090501.017\naveng.sys [2009-5-1 89104]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20090501.017\navex15.sys [2009-5-1 876144]
S3 ccPwdSvc;Symantec Password Validation;c:\program files\common files\symantec shared\ccPwdSvc.exe [2004-6-9 87160]
S3 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2004-10-6 173392]

=============== Created Last 30 ================

2009-05-02 18:07 <DIR> --d----- c:\program files\Trend Micro
2009-05-02 08:13 <DIR> --d----- C:\VundoFix Backups
2009-05-02 08:09 77,464,712 a------- C:\SYM_REGISTRY_BACKUP.reg
2009-05-01 10:33 1,434,346 ---sh--- c:\windows\system32\arejetur.ini
2009-04-30 22:33 1,434,346 ---sh--- c:\windows\system32\ilebiber.ini
2009-04-30 10:33 1,434,346 ---sh--- c:\windows\system32\ojibibud.ini
2009-04-29 22:34 1,407,011 ---sh--- c:\windows\system32\esanajad.ini
2009-04-29 18:19 5,632 a------- c:\windows\system32\ptpusb.dll
2009-04-29 18:19 15,104 ac------ c:\windows\system32\dllcache\usbscan.sys
2009-04-29 18:19 15,104 a------- c:\windows\system32\drivers\usbscan.sys
2009-04-29 18:19 159,232 a------- c:\windows\system32\ptpusd.dll
2009-04-28 18:07 107,368 a------- c:\windows\system32\GEARAspi.dll
2009-04-28 18:07 23,400 a------- c:\windows\system32\drivers\GEARAspiWDM.sys
2009-04-28 18:07 <DIR> --d----- c:\program files\iPod
2009-04-28 18:07 <DIR> --d----- c:\program files\iTunes
2009-04-28 18:07 <DIR> --d----- c:\docume~1\alluse~1\applic~1\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-04-28 18:05 1,900,544 a------- c:\windows\system32\usbaaplrc.dll
2009-04-28 18:05 36,864 a------- c:\windows\system32\drivers\usbaapl.sys
2009-04-27 08:21 <DIR> --d----- c:\program files\MSXML 4.0
2009-04-27 08:18 <DIR> --d----- c:\windows\pss
2009-04-26 18:09 <DIR> --d----- c:\docume~1\alluse~1\applic~1\LightScribe
2009-04-26 17:32 4,767 a------- c:\windows\Irremote.ini
2009-04-26 17:11 <DIR> --d----- c:\program files\Nero
2009-04-26 17:10 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Nero
2009-04-26 10:29 284,160 -c------ c:\windows\system32\dllcache\pdh.dll
2009-04-26 10:29 473,600 -c------ c:\windows\system32\dllcache\fastprox.dll
2009-04-26 10:29 453,120 -c------ c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-26 10:29 401,408 -c------ c:\windows\system32\dllcache\rpcss.dll
2009-04-26 10:29 227,840 -c------ c:\windows\system32\dllcache\wmiprvse.exe
2009-04-26 10:29 110,592 -c------ c:\windows\system32\dllcache\services.exe
2009-04-26 10:29 729,088 -c------ c:\windows\system32\dllcache\lsasrv.dll
2009-04-26 10:29 714,752 -c------ c:\windows\system32\dllcache\ntdll.dll
2009-04-26 10:29 617,472 -c------ c:\windows\system32\dllcache\advapi32.dll
2009-04-26 10:28 1,203,922 -c------ c:\windows\system32\dllcache\sysmain.sdb
2009-04-26 10:28 2,560 -------- c:\windows\system32\xpsp4res.dll
2009-04-26 10:28 215,552 -c------ c:\windows\system32\dllcache\wordpad.exe
2009-04-15 19:18 148,480 a------- c:\windows\system32\tblorcab.dll
2009-04-09 17:00 <DIR> --d----- c:\program files\Xilisoft
2009-04-09 16:51 <DIR> --d----- c:\docume~1\edgome~1\applic~1\AVS4YOU
2009-04-09 16:51 <DIR> --d----- c:\docume~1\alluse~1\applic~1\AVS4YOU
2009-04-09 16:50 <DIR> --d----- c:\program files\common files\AVSMedia
2009-04-09 16:50 974,848 a------- c:\windows\system32\mfc70.dll
2009-04-09 16:50 1,700,352 a------- c:\windows\system32\GdiPlus.dll
2009-04-09 16:50 24,576 a------- c:\windows\system32\msxml3a.dll
2009-04-09 16:50 <DIR> --d----- c:\program files\AVS4YOU

==================== Find3M ====================

2009-03-21 09:06 158,061 a------- c:\windows\system32\notopeng32.dll
2009-03-06 09:22 284,160 a------- c:\windows\system32\pdh.dll
2009-03-02 19:18 826,368 a------- c:\windows\system32\wininet.dll
2009-03-01 00:36 4,212 a---h--- c:\windows\system32\zllictbl.dat
2009-02-28 14:37 76,487 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-02-28 13:42 319,488 a------- c:\windows\HideWin.exe
2009-02-28 13:22 21,640 a------- c:\windows\system32\emptyregdb.dat
2009-02-20 13:09 78,336 a------- c:\windows\system32\ieencode.dll
2009-02-09 07:10 729,088 a------- c:\windows\system32\lsasrv.dll
2009-02-09 07:10 714,752 a------- c:\windows\system32\ntdll.dll
2009-02-09 07:10 617,472 a------- c:\windows\system32\advapi32.dll
2009-02-09 07:10 401,408 a------- c:\windows\system32\rpcss.dll
2009-02-09 06:13 1,846,784 a------- c:\windows\system32\win32k.sys
2009-02-07 19:02 2,066,048 a------- c:\windows\system32\ntkrnlpa.exe
2009-02-06 18:52 49,504 a------- c:\windows\system32\sirenacm.dll
2009-02-06 06:11 110,592 a------- c:\windows\system32\services.exe
2009-02-06 06:08 2,189,056 a------- c:\windows\system32\ntoskrnl.exe
2009-02-06 05:39 35,328 a------- c:\windows\system32\sc.exe
2009-02-03 14:59 56,832 a------- c:\windows\system32\secur32.dll

============= FINISH: 19:05:39.53 ===============
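The three popups are the visible half of the problem: the values under HKLM\...\Run still call rundll32.exe on DLLs the scanner already removed, while the AppInit_DLLs, SSODL, SharedTaskScheduler (STS) and LSA Notification Packages entries in the same DDS report fail silently when their file is gone and keep loading when it is not. The script below is an added example, not part of the original post and not a DDS or OTListIt feature. It parses the Pseudo HJT lines quoted from the log above and separates orphaned loaders (the source of the RUNDLL errors) from loaders whose module is still on disk. FILES_ON_DISK is a constructed stand-in for a directory listing, chosen to match the poster's description (the three DLLs named in the popups gone, the other DLLs assumed present); the 8-letter-name check is a heuristic for this log, not a general detection rule.

```python
"""
Triage of the DDS "Pseudo HJT Report" section: which autostart entries still
point at a module on disk, and which are orphaned because the file is already
gone (those produce the RUNDLL "specified module could not be found" popups).

Added example for this thread; not part of the original post and not a DDS
feature. SAMPLE_LOG is copied from the poster's DDS report; FILES_ON_DISK is a
constructed directory listing matching the poster's situation.
"""
import re
from dataclasses import dataclass

SAMPLE_LOG = r"""
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: {8d84d1a4-8663-4777-89fc-d1f5ed86071e} - c:\windows\system32\ziheruso.dll
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [90398f75] rundll32.exe "c:\windows\system32\rutejera.dll",b
mRun: [CPM930abce9] Rundll32.exe "c:\windows\system32\lawapuvo.dll",a
mRun: [mokiwaneto] Rundll32.exe "c:\windows\system32\zasovore.dll",s
AppInit_DLLs: c:\windows\system32\lawapuvo.dll,c:\windows\system32\vobaruwi.dll
SSODL: Aifomp3 - {F477DB2D-0231-4299-9514-3EEFFFB54C06} - c:\windows\system32\audalole.dll
SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\lawapuvo.dll
STS: STS: {ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} - c:\windows\system32\lawapuvo.dll
LSA: Notification Packages = scecli c:\windows\system32\vobaruwi.dll
"""

# Constructed listing: the AV removed the three DLLs named in the popups, the
# other modules referenced by the log are assumed to still be present.
FILES_ON_DISK = {
    r"c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll",
    r"c:\program files\itunes\iTunesHelper.exe",
    r"c:\windows\system32\ziheruso.dll",
    r"c:\windows\system32\vobaruwi.dll",
    r"c:\windows\system32\audalole.dll",
}


@dataclass(frozen=True)
class AutostartEntry:
    kind: str           # DDS line prefix: BHO, mRun, AppInit_DLLs, SSODL, STS, LSA, ...
    module: str         # lower-cased path of the DLL/EXE the entry loads
    via_rundll32: bool  # Run value that hands the DLL to rundll32.exe


# A drive-letter path ending in .dll/.exe; stops at a closing quote or at the
# comma that separates AppInit_DLLs entries.
PATH_RE = re.compile(r'[a-z]:\\[^",]+?\.(?:dll|exe)', re.IGNORECASE)

# Heuristic only: the Vundo droppers in this log use 8-letter lower-case names
# in system32. Treat a hit as "look at this", not as a verdict.
RANDOM_NAME_RE = re.compile(r"^[a-z]{8}\.dll$")
SYSTEM32 = "c:\\windows\\system32\\"


def parse_entries(log_text):
    """One AutostartEntry per module path found on a Pseudo-HJT line; lines
    without a drive-letter path (ProxyOverride, <NO NAME>, ...) are skipped."""
    entries = []
    for line in log_text.splitlines():
        kind, sep, rest = line.partition(":")
        if not sep:
            continue
        via_rundll32 = "rundll32" in rest.lower()
        for path in PATH_RE.findall(rest):
            entries.append(AutostartEntry(kind.strip(), path.lower(), via_rundll32))
    return entries


def split_by_presence(entries, files_on_disk):
    """Orphaned entries reference a module that is no longer on disk; live
    entries still have something to load at the next logon."""
    present = {p.lower() for p in files_on_disk}
    orphaned = [e for e in entries if e.module not in present]
    live = [e for e in entries if e.module in present]
    return orphaned, live


def rundll_error_modules(entries, files_on_disk):
    """Modules behind an 'Error loading <path> ... could not be found' popup:
    a Run value that calls rundll32 on a missing DLL. Orphaned AppInit_DLLs,
    SSODL and STS entries fail without a dialog, so they are excluded here."""
    orphaned, _ = split_by_presence(entries, files_on_disk)
    return sorted({e.module for e in orphaned if e.via_rundll32})


def suspicious_live_modules(entries, files_on_disk):
    """Still-present system32 DLLs with random-looking names, mapped to the
    autostart locations that load them: the part a second cleanup pass has
    to remove, unlike the orphans, which are only noise."""
    _, live = split_by_presence(entries, files_on_disk)
    hits = {}
    for e in live:
        name = e.module.rsplit("\\", 1)[-1]
        if e.module.startswith(SYSTEM32) and RANDOM_NAME_RE.match(name):
            hits.setdefault(e.module, set()).add(e.kind)
    return {module: sorted(kinds) for module, kinds in sorted(hits.items())}


if __name__ == "__main__":
    found = parse_entries(SAMPLE_LOG)
    print("RUNDLL popups come from:", rundll_error_modules(found, FILES_ON_DISK))
    print("Still loading at logon:", suspicious_live_modules(found, FILES_ON_DISK))
```

Run as-is it reports the three popup DLLs from the post and three other system32 DLLs that the log shows still being loaded through a BHO, AppInit_DLLs, an SSODL entry and the LSA Notification Packages value; on a real machine, replace FILES_ON_DISK with an actual listing of the directories named in the log. The practical point for the thread is that the entries to clean are the ones in this machine's own DDS output, none of which match the CLSIDs in the generic Symantec writeup, which is why step 5 found nothing. An orphaned Run value only produces a popup, whereas a DLL that still exists and is listed in AppInit_DLLs is loaded into every new process that uses user32.dll, and one listed in Notification Packages is loaded by lsass.exe, so the file has to go along with the registry entry, which is why the cleanup tools insist on a reboot.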


#2 edjogo2

Posted 03 May 2009 - 09:33 AM

Did I post this correctly?

#3 Buckeye_Sam

Malware Expert

Posted 03 May 2009 - 11:15 AM

Hello!
My name is Sam and I will be helping you.

In order to see what's going on with your computer I will ask for you to post various logs from the tools that we will use to resolve your issue. Please also share with me any information about how your computer is reacting and behaving each step of the way as we work through this process.


Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
  • Make sure you are connected to the Internet.
  • Double-click on Download_mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Quick Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.




We need to create an OTListIt2 Report
  • Please download OTListIt2 from here
  • Save it to your desktop.
  • Double click on the icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the "Run Scan" button.
  • The scan should take just a few minutes.
  • Copy the log that opens up and paste it back here in your next reply.

If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#4 edjogo2


Posted 03 May 2009 - 04:24 PM

Hi.

I downloaded the programs and followed the instructions that you gave me. Good news is, after I ran the Malwarebytes Anti-Malware program and removed the threats, the DLL errors weren't there after restart. The log for the Malwarebytes Anti-Malware program is as follows:

Malwarebytes' Anti-Malware 1.36
Database version: 2071
Windows 5.1.2600 Service Pack 3

5/3/2009 4:11:09 PM
mbam-log-2009-05-03 (16-11-09).txt

Scan type: Quick Scan
Objects scanned: 87887
Time elapsed: 5 minute(s), 7 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 6
Registry Values Infected: 5
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8d84d1a4-8663-4777-89fc-d1f5ed86071e} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{8d84d1a4-8663-4777-89fc-d1f5ed86071e} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\dslcnnct (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\90398f75 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cpm930abce9 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mokiwaneto (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\ssodl (Trojan.BHO) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

The OTListIt2 Report is as follows:

OTListIt logfile created on: 5/3/2009 4:18:29 PM - Run 1
OTListIt2 by OldTimer - Version 2.0.15.3 Folder = C:\Documents and Settings\Ed Gomes\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.99 Gb Total Physical Memory | 1.46 Gb Available Physical Memory | 73.49% Memory free
3.83 Gb Paging File | 3.43 Gb Available in Paging File | 89.42% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 298.08 Gb Total Space | 217.14 Gb Free Space | 72.85% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: SILVER
Current User Name: Ed Gomes
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Output = Standard
File Age = 30 Days
Company Name Whitelist: On

========== Processes (SafeList) ==========

PRC - [2004/06/09 21:31:14 | 00,242,808 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
PRC - [2004/06/09 21:31:08 | 00,255,096 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
PRC - [2008/04/13 19:12:19 | 01,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Explorer.EXE
PRC - [2008/06/18 19:01:56 | 00,077,824 | ---- | M] (Realtek Semiconductor Corp.) -- C:\WINDOWS\SOUNDMAN.EXE
PRC - [2008/06/19 17:42:44 | 02,808,832 | ---- | M] (RealTek Semicoductor Corp.) -- C:\WINDOWS\ALCWZRD.EXE
PRC - [2008/06/19 17:20:52 | 00,057,344 | ---- | M] (Realtek Semiconductor Corp.) -- C:\WINDOWS\ALCMTR.EXE
PRC - [2007/08/24 07:00:48 | 00,033,648 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
PRC - [2004/12/14 03:12:02 | 00,483,328 | ---- | M] (Adobe Systems Inc.) -- C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
PRC - [2004/06/09 21:31:06 | 00,066,680 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccApp.exe
PRC - [2004/10/06 18:56:52 | 00,161,096 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec AntiVirus\VPTray.exe
PRC - [2005/11/03 16:22:36 | 00,077,824 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\hkcmd.exe
PRC - [2005/11/03 16:26:30 | 00,118,784 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\igfxpers.exe
PRC - [2009/04/02 16:11:02 | 00,342,312 | ---- | M] (Apple Inc.) -- C:\Program Files\iTunes\iTunesHelper.exe
PRC - [2009/02/28 16:16:05 | 00,133,104 | ---- | M] (Google Inc.) -- C:\Documents and Settings\Ed Gomes\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
PRC - [2009/03/26 15:31:20 | 00,132,424 | ---- | M] (Apple Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
PRC - [2008/12/12 11:17:38 | 00,238,888 | ---- | M] (Apple Inc.) -- C:\Program Files\Bonjour\mDNSResponder.exe
PRC - [2004/10/06 18:56:36 | 00,030,024 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec AntiVirus\DefWatch.exe
PRC - [2008/06/09 10:21:58 | 00,073,728 | ---- | M] (Hewlett-Packard Company) -- C:\Program Files\Common Files\LightScribe\LSSrvc.exe
PRC - [2008/12/05 16:11:54 | 00,935,208 | ---- | M] (Nero AG) -- C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
PRC - [2004/10/06 18:56:44 | 01,275,216 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec AntiVirus\Rtvscan.exe
PRC - [2008/04/13 19:12:41 | 00,013,824 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\wscntfy.exe
PRC - [2009/04/02 16:10:56 | 00,656,168 | ---- | M] (Apple Inc.) -- C:\Program Files\iPod\bin\iPodService.exe
PRC - [2009/04/22 01:53:06 | 00,766,960 | ---- | M] (Google Inc.) -- C:\Documents and Settings\Ed Gomes\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
PRC - [2009/04/22 01:53:06 | 00,766,960 | ---- | M] (Google Inc.) -- C:\Documents and Settings\Ed Gomes\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
PRC - [2009/05/03 16:03:54 | 00,501,248 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Ed Gomes\Desktop\OTListIt2.exe

========== Win32 Services (SafeList) ==========

SRV - [2009/03/26 15:31:20 | 00,132,424 | ---- | M] (Apple Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe -- (Apple Mobile Device [Auto | Running])
SRV - [2005/09/23 07:28:32 | 00,029,896 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe -- (aspnet_state [On_Demand | Stopped])
SRV - [2008/12/12 11:17:38 | 00,238,888 | ---- | M] (Apple Inc.) -- C:\Program Files\Bonjour\mDNSResponder.exe -- (Bonjour Service [Auto | Running])
SRV - [2004/06/09 21:31:08 | 00,255,096 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe -- (ccEvtMgr [Auto | Running])
SRV - [2004/06/09 21:31:12 | 00,087,160 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe -- (ccPwdSvc [On_Demand | Stopped])
SRV - [2004/06/09 21:31:14 | 00,242,808 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe -- (ccSetMgr [Auto | Running])
SRV - [2005/09/23 07:28:56 | 00,066,240 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32 [On_Demand | Stopped])
SRV - [2004/10/06 18:56:36 | 00,030,024 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec AntiVirus\DefWatch.exe -- (DefWatch [Auto | Running])
SRV - [2009/02/28 16:23:17 | 00,654,848 | ---- | M] (Macrovision Europe Ltd.) -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service [On_Demand | Stopped])
SRV - [2008/04/13 19:12:02 | 00,038,400 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll -- (helpsvc [Auto | Running])
SRV - [2009/04/02 16:10:56 | 00,656,168 | ---- | M] (Apple Inc.) -- C:\Program Files\iPod\bin\iPodService.exe -- (iPod Service [On_Demand | Running])
SRV - [2008/06/09 10:21:58 | 00,073,728 | ---- | M] (Hewlett-Packard Company) -- C:\Program Files\Common Files\LightScribe\LSSrvc.exe -- (LightScribeService [Auto | Running])
SRV - [2007/08/24 06:59:20 | 00,068,464 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Office\Office12\GrooveAuditService.exe -- (Microsoft Office Groove Audit Service [On_Demand | Stopped])
SRV - [2008/12/05 16:11:54 | 00,935,208 | ---- | M] (Nero AG) -- C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe -- (Nero BackItUp Scheduler 4.0 [Auto | Running])
SRV - [2007/08/24 03:19:12 | 00,443,776 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE -- (odserv [On_Demand | Stopped])
SRV - [2006/10/26 15:03:08 | 00,145,184 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE -- (ose [On_Demand | Stopped])
SRV - [2004/10/06 18:56:48 | 00,173,392 | ---- | M] (symantec) -- C:\Program Files\Symantec AntiVirus\SavRoam.exe -- (SavRoam [On_Demand | Stopped])
SRV - [2004/06/11 19:28:30 | 00,201,944 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe -- (SNDSrvc [On_Demand | Stopped])
SRV - [2004/10/06 18:56:44 | 01,275,216 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec AntiVirus\Rtvscan.exe -- (Symantec AntiVirus [Auto | Running])
SRV - [2006/10/18 21:05:24 | 00,913,408 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Media Player\WMPNetwk.exe -- (WMPNetworkSvc [On_Demand | Stopped])

========== Driver Services (SafeList) ==========

DRV - [2007/11/16 12:55:00 | 00,165,496 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\DRIVERS\e100b325.sys -- (E100B [On_Demand | Running])
DRV - [2009/03/19 16:32:48 | 00,023,400 | ---- | M] (GEAR Software Inc.) -- C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys -- (GEARAspiWDM [On_Demand | Running])
DRV - [2005/01/07 18:07:16 | 00,145,920 | ---- | M] (Windows ® Server 2003 DDK provider) -- C:\WINDOWS\system32\drivers\HdAudio.sys -- (HdAudAddService [On_Demand | Stopped])
DRV - [2008/04/13 11:36:05 | 00,144,384 | ---- | M] (Windows ® Server 2003 DDK provider) -- C:\WINDOWS\system32\DRIVERS\HDAudBus.sys -- (HDAudBus [On_Demand | Running])
DRV - [2005/11/03 16:50:58 | 01,353,820 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\DRIVERS\ialmnt5.sys -- (ialm [On_Demand | Running])
DRV - [2008/07/24 19:02:44 | 04,749,824 | ---- | M] (Realtek Semiconductor Corp.) -- C:\WINDOWS\system32\drivers\RtkHDAud.sys -- (IntcAzAudAddService [On_Demand | Running])
DRV - [2008/09/05 01:53:02 | 00,030,816 | ---- | M] (Intel Corporation ) -- C:\WINDOWS\system32\Drivers\iqvw32.sys -- (NAL [On_Demand | Stopped])
DRV - [2009/05/01 03:00:00 | 00,089,104 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\VirusDefs\20090501.017\NAVENG.SYS -- (NAVENG [On_Demand | Running])
DRV - [2009/05/01 03:00:00 | 00,876,144 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\VirusDefs\20090501.017\NAVEX15.SYS -- (NAVEX15 [On_Demand | Running])
DRV - [2004/08/04 07:00:00 | 00,017,792 | ---- | M] (Parallel Technologies, Inc.) -- C:\WINDOWS\system32\DRIVERS\ptilink.sys -- (Ptilink [On_Demand | Running])
DRV - [2004/02/09 16:43:56 | 00,301,200 | R--- | M] (Symantec Corporation) -- C:\Program Files\Symantec AntiVirus\savrt.sys -- (SAVRT [System | Running])
DRV - [2004/02/09 16:43:56 | 00,037,008 | R--- | M] (Symantec Corporation) -- C:\Program Files\Symantec AntiVirus\Savrtpel.sys -- (SAVRTPEL [Auto | Running])
DRV - [2008/04/13 11:39:15 | 00,020,480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) -- C:\WINDOWS\system32\DRIVERS\secdrv.sys -- (Secdrv [On_Demand | Stopped])
DRV - [2004/03/05 00:46:46 | 00,082,832 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec\SYMEVENT.SYS -- (SymEvent [On_Demand | Running])
DRV - [2004/06/11 19:28:08 | 00,016,280 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\System32\Drivers\SYMREDRV.SYS -- (SYMREDRV [On_Demand | Running])
DRV - [2004/06/11 19:28:10 | 00,263,736 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\System32\Drivers\SYMTDI.SYS -- (SYMTDI [System | Running])
DRV - [2009/03/26 15:23:46 | 00,036,864 | ---- | M] (Apple, Inc.) -- C:\WINDOWS\System32\Drivers\usbaapl.sys -- (USBAAPL [On_Demand | Stopped])

========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = [binary data]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm


IE - HKU\.DEFAULT\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-1343024091-1214440339-682003330-1004\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKU\S-1-5-21-1343024091-1214440339-682003330-1004\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
IE - HKU\S-1-5-21-1343024091-1214440339-682003330-1004\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...&ar=msnhome
IE - HKU\S-1-5-21-1343024091-1214440339-682003330-1004\S-1-5-21-1343024091-1214440339-682003330-1004\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-1343024091-1214440339-682003330-1004\S-1-5-21-1343024091-1214440339-682003330-1004\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local



O1 HOSTS File: (797 bytes) - C:\WINDOWS\System32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 82.98.231.89 url.adtrgt.com
O1 - Hosts: 82.98.231.89 googleads2.gdoubleclick.net
O2 - BHO: (AcroIEHlprObj Class) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - Reg Error: Key error. File not found
O2 - BHO: (Groove GFS Browser Helper) - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)
O2 - BHO: (Windows Live Sign-in Helper) - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corporation)
O2 - BHO: (AcroIEToolbarHelper Class) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKLM\..\Toolbar: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKU\S-1-5-21-1343024091-1214440339-682003330-1004\..\Toolbar\WebBrowser: (no name) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O4 - HKLM..\Run: [] File not found
O4 - HKLM..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" (Adobe Systems Inc.)
O4 - HKLM..\Run: [Alcmtr] ALCMTR.EXE (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [AlcWzrd] ALCWZRD.EXE (RealTek Semicoductor Corp.)
O4 - HKLM..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" (Symantec Corporation)
O4 - HKLM..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" (Microsoft Corporation)
O4 - HKLM..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe (Windows ® Server 2003 DDK provider)
O4 - HKLM..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe (Intel Corporation)
O4 - HKLM..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe (Intel Corporation)
O4 - HKLM..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe (Intel Corporation)
O4 - HKLM..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" (Apple Inc.)
O4 - HKLM..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime (Apple Inc.)
O4 - HKLM..\Run: [SoundMan] SOUNDMAN.EXE (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe (Symantec Corporation)
O4 - HKU\S-1-5-20..\Run: [mokiwaneto] Rundll32.exe "C:\WINDOWS\system32\zasovore.dll",s File not found
O4 - HKU\S-1-5-21-1343024091-1214440339-682003330-1004..\Run: [Google Update] "C:\Documents and Settings\Ed Gomes\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c (Google Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk = C:\WINDOWS\Installer\{AC76BA86-1033-0000-7760-100000000002}\SC_Acrobat.exe ()
O4 - Startup: C:\Documents and Settings\Ed Gomes\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE (Microsoft Corporation)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-1343024091-1214440339-682003330-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html (Adobe Systems Incorporated)
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000 (Microsoft Corporation)
O9 - Extra Button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe (Microsoft Corporation)
O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [mdnsNSP] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O15 - HKLM\..Trusted Domains: 1 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab (Checkers Class)
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} https://www-secure.symantec.com/techsupp/as...abs/tgctlsr.cab (Symantec Script Runner Class)
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} http://messenger.zone.msn.com/EN-US/a-UNO1/GAME_UNO1.cab (UnoCtrl Class)
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab (MessengerStatsClient Class)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab (Shockwave Flash Object)
O18 - Protocol\Handler\grooveLocalGWS {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll (Microsoft Corporation)
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\livecall {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.14.0.8064.0206.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Handler\msnim {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.14.0.8064.0206.dll (Microsoft Corporation)
O18 - Protocol\Filter: - text/xml - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - AppInit_DLLs: (c:\windows\system32\lawapuvo.dll) - c:\windows\system32\lawapuvo.dll File not found
O20 - AppInit_DLLs: (C:\WINDOWS\system32\vobaruwi.dll) - C:\WINDOWS\system32\vobaruwi.dll File not found
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\Explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\WINDOWS\system32\igfxdev.dll (Intel Corporation)
O20 - Winlogon\Notify\NavLogon: DllName - C:\WINDOWS\system32\NavLogon.dll - C:\WINDOWS\system32\NavLogon.dll (Symantec Corporation)
O21 - SSODL: Aifomp3 - {F477DB2D-0231-4299-9514-3EEFFFB54C06} - C:\WINDOWS\system32\audalole.dll [FILE handle not seen by OS]
O24 - Desktop Components:0 (My Current Home Page) - About:Home
O28 - HKLM ShellExecuteHooks: {56F9679E-7826-4C84-81F3-532071A8BCC5} - C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll (Microsoft Corporation)
O28 - HKLM ShellExecuteHooks: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)
O31 - SafeBoot: AlternateShell - cmd.exe
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/02/28 13:24:49 | 00,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck) - File not found
O34 - HKLM BootExecute: (autochk) - C:\WINDOWS\System32\autochk.exe (Microsoft Corporation)
O34 - HKLM BootExecute: (*) - File not found

========== Files/Folders - Created Within 30 Days ==========

[5 C:\WINDOWS\System32\*.tmp files]
[4 C:\WINDOWS\*.tmp files]
[FILE handle not seen by OS] -- C:\WINDOWS\System32\notopeng32.dll
[FILE handle not seen by OS] -- C:\WINDOWS\System32\gifikpac.dll
[FILE handle not seen by OS] -- C:\WINDOWS\System32\disotsql.dll
[FILE handle not seen by OS] -- C:\WINDOWS\System32\ddevilan.dll
[FILE handle not seen by OS] -- C:\WINDOWS\System32\bihochm.exe
[FILE handle not seen by OS] -- C:\WINDOWS\System32\audalole.dll
[2009/05/03 16:04:45 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Ed Gomes\Application Data\Malwarebytes
[2009/05/03 16:04:43 | 00,015,504 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2009/05/03 16:04:43 | 00,000,696 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2009/05/03 16:04:41 | 00,038,496 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2009/05/03 16:04:39 | 00,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2009/05/03 16:04:39 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2009/05/03 16:03:54 | 00,501,248 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Ed Gomes\Desktop\OTListIt2.exe
[2009/05/03 16:03:13 | 02,967,800 | ---- | C] (Malwarebytes Corporation ) -- C:\Documents and Settings\Ed Gomes\Desktop\mbam-setup.exe
[2009/05/03 10:16:24 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Ed Gomes\Desktop\iphone jailbreak
[2009/05/03 10:12:38 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Ed Gomes\Desktop\virus issue
[2009/05/02 18:07:52 | 00,000,000 | ---D | C] -- C:\Program Files\Trend Micro
[2009/05/02 08:13:25 | 00,000,000 | ---D | C] -- C:\VundoFix Backups
[2009/05/02 08:09:44 | 77,464,712 | ---- | C] () -- C:\SYM_REGISTRY_BACKUP.reg
[2009/05/01 10:33:25 | 01,434,346 | -HS- | C] () -- C:\WINDOWS\System32\arejetur.ini
[2009/04/30 22:33:15 | 01,434,346 | -HS- | C] () -- C:\WINDOWS\System32\ilebiber.ini
[2009/04/30 19:57:22 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Ed Gomes\Local Settings\Apps
[2009/04/30 10:33:05 | 01,434,346 | -HS- | C] () -- C:\WINDOWS\System32\ojibibud.ini
[2009/04/29 22:34:32 | 01,407,011 | -HS- | C] () -- C:\WINDOWS\System32\esanajad.ini
[2009/04/29 18:55:07 | 00,000,000 | R-SD | C] -- C:\WINDOWS\assembly
[2009/04/29 18:54:20 | 00,000,000 | ---D | C] -- C:\WINDOWS\Microsoft.NET
[2009/04/29 18:19:54 | 00,005,632 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\ptpusb.dll
[2009/04/29 18:19:52 | 00,015,104 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\usbscan.sys
[2009/04/29 18:19:52 | 00,015,104 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\usbscan.sys
[2009/04/29 18:19:51 | 00,159,232 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\ptpusd.dll
[2009/04/28 18:07:42 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Ed Gomes\Application Data\Apple Computer
[2009/04/28 18:07:14 | 00,000,000 | ---D | C] -- C:\Program Files\iPod
[2009/04/28 18:07:12 | 00,000,000 | ---D | C] -- C:\Program Files\iTunes
[2009/04/28 18:07:12 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
[2009/04/28 18:06:14 | 00,000,000 | ---D | C] -- C:\Program Files\QuickTime
[2009/04/28 18:06:13 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Apple Computer
[2009/04/28 18:06:05 | 00,000,284 | ---- | C] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2009/04/28 18:06:02 | 00,000,000 | ---D | C] -- C:\Program Files\Apple Software Update
[2009/04/28 18:05:56 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\DRVSTORE
[2009/04/28 18:05:36 | 00,000,000 | ---D | C] -- C:\Program Files\Common Files\Apple
[2009/04/28 18:05:36 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Apple
[2009/04/27 08:21:13 | 00,000,000 | ---D | C] -- C:\Program Files\MSXML 4.0
[2009/04/27 08:18:50 | 00,000,000 | ---D | C] -- C:\WINDOWS\pss
[2009/04/26 18:09:19 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\LightScribe
[2009/04/26 18:03:23 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Ed Gomes\Application Data\Nero
[2009/04/26 18:03:03 | 00,053,248 | ---- | C] () -- C:\Documents and Settings\Ed Gomes\My Documents\gatesville prison stuff.doc
[2009/04/26 17:32:46 | 00,004,767 | ---- | C] () -- C:\WINDOWS\Irremote.ini
[2009/04/26 17:29:15 | 00,000,000 | ---D | C] -- C:\Program Files\Windows Sidebar
[2009/04/26 17:11:07 | 00,000,000 | ---D | C] -- C:\Program Files\Nero
[2009/04/26 17:10:24 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Nero
[2009/04/26 17:10:21 | 00,000,000 | ---D | C] -- C:\Program Files\Common Files\Nero
[2009/04/26 17:10:06 | 02,388,176 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\d3dx9_30.dll
[2009/04/26 17:09:39 | 00,000,000 | ---D | C] -- C:\Program Files\Common Files\LightScribe
[2009/04/26 10:29:52 | 00,284,160 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\pdh.dll
[2009/04/26 10:29:51 | 00,473,600 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\fastprox.dll
[2009/04/26 10:29:51 | 00,453,120 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\wmiprvsd.dll
[2009/04/26 10:29:51 | 00,401,408 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\rpcss.dll
[2009/04/26 10:29:51 | 00,227,840 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\wmiprvse.exe
[2009/04/26 10:29:51 | 00,110,592 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\services.exe
[2009/04/26 10:29:50 | 00,729,088 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\lsasrv.dll
[2009/04/26 10:29:50 | 00,714,752 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\ntdll.dll
[2009/04/26 10:29:50 | 00,617,472 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\advapi32.dll
[2009/04/26 10:28:45 | 01,203,922 | ---- | C] () -- C:\WINDOWS\System32\dllcache\sysmain.sdb
[2009/04/26 10:28:45 | 00,002,560 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\xpsp4res.dll
[2009/04/26 10:28:44 | 00,215,552 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\wordpad.exe
[2009/04/15 19:18:30 | 00,148,480 | ---- | C] () -- C:\WINDOWS\System32\tblorcab.dll
[2009/04/11 22:02:59 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\FLEXnet
[2009/04/09 17:00:29 | 00,000,000 | ---D | C] -- C:\Program Files\Xilisoft
[2009/04/09 16:51:40 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Ed Gomes\Application Data\AVS4YOU
[2009/04/09 16:51:36 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\AVS4YOU
[2009/04/09 16:50:34 | 00,000,000 | ---D | C] -- C:\Program Files\Common Files\AVSMedia
[2009/04/09 16:50:19 | 00,974,848 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\mfc70.dll
[2009/04/09 16:50:18 | 01,700,352 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\GdiPlus.dll
[2009/04/09 16:50:18 | 00,024,576 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\msxml3a.dll
[2009/04/09 16:50:18 | 00,000,000 | ---D | C] -- C:\Program Files\AVS4YOU
[2009/04/07 17:34:18 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Ed Gomes\Application Data\AdobeUM
[2009/02/28 22:29:26 | 00,000,000 | ---- | C] () -- C:\WINDOWS\VPC32.INI
[2009/02/28 16:15:07 | 00,164,352 | ---- | C] () -- C:\WINDOWS\System32\unrar.dll
[2009/02/28 16:15:06 | 00,000,038 | ---- | C] () -- C:\WINDOWS\avisplitter.ini
[2009/02/28 16:15:04 | 02,283,027 | ---- | C] () -- C:\WINDOWS\System32\x264vfw.dll
[2009/02/28 16:15:04 | 00,755,027 | ---- | C] () -- C:\WINDOWS\System32\xvidcore.dll
[2009/02/28 16:15:04 | 00,159,839 | ---- | C] () -- C:\WINDOWS\System32\xvidvfw.dll
[2009/02/28 16:15:03 | 03,596,288 | ---- | C] () -- C:\WINDOWS\System32\qt-dx331.dll
[2009/02/28 16:15:02 | 00,057,344 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll
[2009/02/28 16:15:02 | 00,000,547 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll.manifest
[2009/02/28 14:54:39 | 00,000,028 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2007/09/27 10:51:02 | 00,020,698 | ---- | C] () -- C:\WINDOWS\System32\idxcntrs.ini
[2007/09/27 10:48:48 | 00,030,628 | ---- | C] () -- C:\WINDOWS\System32\gsrvctr.ini
[2007/09/27 10:48:28 | 00,031,698 | ---- | C] () -- C:\WINDOWS\System32\gthrctr.ini
[2004/08/04 07:00:00 | 00,000,582 | ---- | C] () -- C:\WINDOWS\win.ini
[2004/08/04 07:00:00 | 00,000,227 | ---- | C] () -- C:\WINDOWS\system.ini

========== Files - Modified Within 30 Days ==========

[5 C:\WINDOWS\System32\*.tmp files]
[4 C:\WINDOWS\*.tmp files]
[FILE handle not seen by OS] -- C:\WINDOWS\System32\notopeng32.dll
[FILE handle not seen by OS] -- C:\WINDOWS\System32\gifikpac.dll
[FILE handle not seen by OS] -- C:\WINDOWS\System32\disotsql.dll
[FILE handle not seen by OS] -- C:\WINDOWS\System32\ddevilan.dll
[FILE handle not seen by OS] -- C:\WINDOWS\System32\bihochm.exe
[FILE handle not seen by OS] -- C:\WINDOWS\System32\audalole.dll
[2009/05/03 16:13:12 | 00,002,335 | ---- | M] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
[2009/05/03 16:13:04 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2009/05/03 16:13:02 | 00,000,062 | -HS- | M] () -- C:\Documents and Settings\Ed Gomes\Local Settings\desktop.ini
[2009/05/03 16:12:58 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2009/05/03 16:04:43 | 00,000,696 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2009/05/03 16:03:54 | 00,501,248 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Ed Gomes\Desktop\OTListIt2.exe
[2009/05/03 16:03:24 | 02,967,800 | ---- | M] (Malwarebytes Corporation ) -- C:\Documents and Settings\Ed Gomes\Desktop\mbam-setup.exe
[2009/05/03 14:46:31 | 00,000,938 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1343024091-1214440339-682003330-1004.job
[2009/05/02 08:09:54 | 77,464,712 | ---- | M] () -- C:\SYM_REGISTRY_BACKUP.reg
[2009/05/01 23:53:11 | 00,013,646 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2009/05/01 23:49:33 | 00,006,456 | -H-- | M] () -- C:\WINDOWS\System32\pugidazo
[2009/05/01 10:33:36 | 01,434,346 | -HS- | M] () -- C:\WINDOWS\System32\arejetur.ini
[2009/04/30 22:33:26 | 01,434,346 | -HS- | M] () -- C:\WINDOWS\System32\ilebiber.ini
[2009/04/30 10:54:26 | 01,434,346 | -HS- | M] () -- C:\WINDOWS\System32\ojibibud.ini
[2009/04/29 22:55:43 | 01,407,011 | -HS- | M] () -- C:\WINDOWS\System32\esanajad.ini
[2009/04/29 18:57:01 | 00,438,362 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2009/04/29 18:57:01 | 00,416,574 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2009/04/29 18:57:01 | 00,066,698 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2009/04/28 18:06:06 | 00,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2009/04/27 08:19:29 | 00,000,582 | ---- | M] () -- C:\WINDOWS\win.ini
[2009/04/27 08:19:29 | 00,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2009/04/27 08:19:29 | 00,000,211 | -HS- | M] () -- C:\boot.ini
[2009/04/26 18:03:03 | 00,053,248 | ---- | M] () -- C:\Documents and Settings\Ed Gomes\My Documents\gatesville prison stuff.doc
[2009/04/26 17:41:27 | 00,012,726 | ---- | M] () -- C:\Documents and Settings\Ed Gomes\Desktop\per diem for PA.xlsx
[2009/04/26 17:32:46 | 00,004,767 | ---- | M] () -- C:\WINDOWS\Irremote.ini
[2009/04/26 10:35:59 | 00,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2009/04/15 19:18:30 | 00,148,480 | ---- | M] () -- C:\WINDOWS\System32\tblorcab.dll
[2009/04/06 15:32:54 | 00,038,496 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2009/04/06 15:32:46 | 00,015,504 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
< End of report >


Thank you for your help. I will await further instructions.

#5 Buckeye_Sam

    Malware Expert

  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 04 May 2009 - 08:58 AM

You've still got some troublemakers there.


Run OTListIt2.exe
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    :OTLI
    PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
    O1 - Hosts: 82.98.231.89 url.adtrgt.com
    O1 - Hosts: 82.98.231.89 googleads2.gdoubleclick.net
    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - Reg Error: Key error. File not found
    O4 - HKLM..\Run: [Alcmtr] ALCMTR.EXE (Realtek Semiconductor Corp.)
    O4 - HKU\S-1-5-20..\Run: [mokiwaneto] Rundll32.exe "C:\WINDOWS\system32\zasovore.dll",s File not found
    O20 - AppInit_DLLs: (c:\windows\system32\lawapuvo.dll) - c:\windows\system32\lawapuvo.dll File not found
    O20 - AppInit_DLLs: (C:\WINDOWS\system32\vobaruwi.dll) - C:\WINDOWS\system32\vobaruwi.dll File not found
    O21 - SSODL: Aifomp3 - {F477DB2D-0231-4299-9514-3EEFFFB54C06} - C:\WINDOWS\system32\audalole.dll [FILE handle not seen by OS]
    
    :Files
    C:\WINDOWS\System32\notopeng32.dll
    C:\WINDOWS\System32\gifikpac.dll
    C:\WINDOWS\System32\disotsql.dll
    C:\WINDOWS\System32\ddevilan.dll
    C:\WINDOWS\System32\bihochm.exe
    C:\WINDOWS\System32\audalole.dll
    C:\WINDOWS\System32\arejetur.ini
    C:\WINDOWS\System32\ilebiber.ini
    C:\WINDOWS\System32\ojibibud.ini
    C:\WINDOWS\System32\esanajad.ini
    
    
    :Commands
    [purity]
    [emptytemp]
    [start explorer]
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot when it is done
  • Then post a new OTL2 log

How is your computer behaving now? Any issues?
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!
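The entries the helper pulled out of the log above are the classic Vundo tells: HOSTS lines that point ad and click-tracking domains at a third-party address, loaders (BHO, Run, AppInit_DLLs, SSODL) whose target file is missing or hidden from the OS, and same-size hidden+system .ini files in System32. The following triage script is an added example, not part of the thread and not OTL's own logic: it runs those heuristics over OTListIt2-style lines. The sample lines are constructed to mirror the log (the `kuzerago.dll` Run entry is a hypothetical line added only to exercise the "unattributed system32 binary" rule), and the rules themselves are the editor's assumptions about what deserves a second look, not a verdict.

```python
"""Triage pass over OTListIt2-style log lines for the Vundo tells seen in
this thread.  Added example: not part of the thread and not OTL's own
logic.  The heuristics (non-loopback HOSTS entries, persistence entries
whose file is missing or hidden from the OS, unattributed system32 binaries
with random-looking names, hidden+system .ini files in System32) are the
editor's assumptions about what is worth a second look, not a verdict."""
import re

# Constructed sample, modelled on the log in the thread (not a capture of it).
# The "kuzerago" Run line is hypothetical, added to exercise one rule.
SAMPLE_LOG = r"""
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 82.98.231.89 url.adtrgt.com
O1 - Hosts: 82.98.231.89 googleads2.gdoubleclick.net
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - Reg Error: Key error. File not found
O2 - BHO: (Windows Live Sign-in Helper) - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corporation)
O4 - HKLM..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe (Intel Corporation)
O4 - HKLM..\Run: [kuzerago] C:\WINDOWS\system32\kuzerago.dll ()
O4 - HKU\S-1-5-20..\Run: [mokiwaneto] Rundll32.exe "C:\WINDOWS\system32\zasovore.dll",s File not found
O20 - AppInit_DLLs: (c:\windows\system32\lawapuvo.dll) - c:\windows\system32\lawapuvo.dll File not found
O20 - Winlogon\Notify\NavLogon: DllName - C:\WINDOWS\system32\NavLogon.dll - C:\WINDOWS\system32\NavLogon.dll (Symantec Corporation)
O21 - SSODL: Aifomp3 - {F477DB2D-0231-4299-9514-3EEFFFB54C06} - C:\WINDOWS\system32\audalole.dll [FILE handle not seen by OS]
[2009/05/01 10:33:25 | 01,434,346 | -HS- | C] () -- C:\WINDOWS\System32\arejetur.ini
[2009/04/30 22:33:15 | 01,434,346 | -HS- | C] () -- C:\WINDOWS\System32\ilebiber.ini
[2004/08/04 07:00:00 | 00,000,582 | ---- | C] () -- C:\WINDOWS\win.ini
"""

HOSTS_RE = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(\S+)")
PERSIST_RE = re.compile(r"^O(2|4|20|21) - ")            # BHO, Run, AppInit/Winlogon, SSODL
PUBLISHER_RE = re.compile(r"\(([^()]*)\)\s*$")          # trailing "(Company)" that OTL prints
SYS32_NAME_RE = re.compile(r"\\system32\\([a-z]{6,10})\.(dll|exe)\b", re.IGNORECASE)
FILEINFO_RE = re.compile(r"^\[[\d/]+ [\d:]+ \| ([\d,]+) \| (\S{4}) \| [CM]\] .*-- (.+)$")
LOOPBACK = {"127.0.0.1", "::1", "0.0.0.0"}
MISSING_MARKERS = ("File not found", "FILE handle not seen by OS")


def triage(log_text):
    """Return [(reason, line_or_path)] for entries worth a closer look."""
    findings = []
    hs_ini_by_size = {}
    for line in log_text.splitlines():
        line = line.rstrip()
        if not line:
            continue
        m = HOSTS_RE.match(line)
        if m:
            ip, _host = m.groups()
            # Vundo-era adware points ad/click domains at its own server.
            if ip not in LOOPBACK:
                findings.append(("hosts-redirect", line))
            continue
        if PERSIST_RE.match(line):
            pub = PUBLISHER_RE.search(line)
            attributed = bool(pub and pub.group(1).strip())
            if any(marker in line for marker in MISSING_MARKERS):
                # Loader points at a file that is gone or hidden from the OS.
                findings.append(("persist-missing-file", line))
            elif SYS32_NAME_RE.search(line) and not attributed:
                # Random-looking system32 binary with no version information.
                findings.append(("persist-unattributed-system32", line))
            continue
        m = FILEINFO_RE.match(line)
        if m:
            size, attrs, path = m.groups()
            low = path.lower()
            if "H" in attrs and "S" in attrs and "\\system32\\" in low and low.endswith(".ini"):
                hs_ini_by_size.setdefault(size, []).append(path)
    for size, paths in hs_ini_by_size.items():
        for path in paths:
            # Hidden+system .ini in System32; same-size twins are a Vundo habit.
            findings.append(("hidden-system-ini", path))
    return findings


def summary(findings):
    """Count findings per reason."""
    counts = {}
    for reason, _ in findings:
        counts[reason] = counts.get(reason, 0) + 1
    return counts


if __name__ == "__main__":
    for reason, item in triage(SAMPLE_LOG):
        print(f"{reason:32} {item}")
    print(summary(triage(SAMPLE_LOG)))
```

Run against the sample, the script flags exactly the lines the helper chose to remove (both HOSTS redirects, the nameless BHO, the rundll32 Run entry, the AppInit_DLLs entry, the SSODL entry and the two hidden .ini twins) plus the hypothetical unattributed Run entry, and leaves the Intel, Symantec and Windows Live entries alone. It is a prioritisation aid only: a legitimate but unsigned binary will trip the system32 rule, so each hit still needs a look at the file itself.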


========================================================

#6 edjogo2

  • Topic Starter
  • Members
  • 11 posts

Posted 04 May 2009 - 11:20 PM

Thanks for the reply. I posted the fix that you told me to and rebooted. After it rebooted I got this in a Notepad file:

========== OTLISTIT ==========
Process explorer.exe killed successfully!
82.98.231.89 url.adtrgt.com removed from HOSTS file successfully
82.98.231.89 googleads2.gdoubleclick.net removed from HOSTS file successfully
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C255C8A-E604-49b4-9D64-90988571CECB}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5C255C8A-E604-49b4-9D64-90988571CECB}\ not found.
Registry value HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Run\\mokiwaneto deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_Dlls:c:\windows\system32\lawapuvo.dll deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_Dlls:C:\WINDOWS\system32\vobaruwi.dll deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\\Aifomp3 deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F477DB2D-0231-4299-9514-3EEFFFB54C06}\ deleted successfully.
LoadLibrary failed for C:\WINDOWS\system32\audalole.dll
C:\WINDOWS\system32\audalole.dll NOT unregistered.
File move failed. C:\WINDOWS\system32\audalole.dll scheduled to be moved on reboot.
========== FILES ==========
File\Folder C:\WINDOWS\System32\notopeng32.dll not found.
File\Folder C:\WINDOWS\System32\gifikpac.dll not found.
File\Folder C:\WINDOWS\System32\disotsql.dll not found.
File\Folder C:\WINDOWS\System32\ddevilan.dll not found.
File\Folder C:\WINDOWS\System32\bihochm.exe not found.
File\Folder C:\WINDOWS\System32\audalole.dll not found.
C:\WINDOWS\System32\arejetur.ini moved successfully.
C:\WINDOWS\System32\ilebiber.ini moved successfully.
C:\WINDOWS\System32\ojibibud.ini moved successfully.
C:\WINDOWS\System32\esanajad.ini moved successfully.
========== COMMANDS ==========
File delete failed. C:\Documents and Settings\Ed Gomes\Local Settings\Temp\etilqs_13MfPmpdBYmsc0r scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Ed Gomes\Local Settings\Temp\etilqs_PNEKUn10e0EAZup scheduled to be deleted on reboot.
User's Temp folder emptied.
User's Internet Explorer cache folder emptied.
Local Service Temp folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
Local Service Temporary Internet Files folder emptied.
Network Service Temp folder emptied.
Network Service Temporary Internet Files folder emptied.
Windows Temp folder emptied.
Temp folders emptied.
Explorer started successfully

OTListIt2 by OldTimer - Version 2.0.15.3 log created on 05042009_231501

Files moved on Reboot...
C:\WINDOWS\system32\audalole.dll NOT unregistered.
C:\WINDOWS\system32\audalole.dll moved successfully.
File C:\Documents and Settings\Ed Gomes\Local Settings\Temp\etilqs_13MfPmpdBYmsc0r not found!
File C:\Documents and Settings\Ed Gomes\Local Settings\Temp\etilqs_PNEKUn10e0EAZup not found!

Registry entries deleted on Reboot...

After I ran the Malwarebytes thing, my computer seemed like it was running fine. I noticed on this log it said that a couple of other things were deleted. Were those viruses?
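The log above is the kind of artifact a helper reads to decide whether the remnants were part of the infection: the answer depends on which persistence locations the fix touched (AppInit_DLLs, a Browser Helper Object, ShellServiceObjectDelayLoad, a Run key, HOSTS redirects) and which items are only scheduled for reboot and still need a second look. The following script is an added example, not code from the original post or from OTL/OldTimer's tool; it parses the log format shown above and groups the actions by mechanism. The sample log is a constructed subset of the lines in the post, and the mechanism labels and the `parse_otl_log`/`summarize` names are this example's own.

```python
"""Triage an OTL (OTListIt) fix log: which persistence locations did the fix touch,
and what still needs checking after the reboot.  Added example, not OTL's own code."""
import re
from collections import Counter

# Constructed sample: a subset of the OTL log posted above, embedded so the example
# runs offline.  Raw string so the single backslashes in paths survive as-is.
SAMPLE_LOG = r"""
========== OTLISTIT ==========
Process explorer.exe killed successfully!
82.98.231.89 url.adtrgt.com removed from HOSTS file successfully
82.98.231.89 googleads2.gdoubleclick.net removed from HOSTS file successfully
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C255C8A-E604-49b4-9D64-90988571CECB}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5C255C8A-E604-49b4-9D64-90988571CECB}\ not found.
Registry value HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Run\\mokiwaneto deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_Dlls:c:\windows\system32\lawapuvo.dll deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_Dlls:C:\WINDOWS\system32\vobaruwi.dll deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\\Aifomp3 deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F477DB2D-0231-4299-9514-3EEFFFB54C06}\ deleted successfully.
LoadLibrary failed for C:\WINDOWS\system32\audalole.dll
C:\WINDOWS\system32\audalole.dll NOT unregistered.
File move failed. C:\WINDOWS\system32\audalole.dll scheduled to be moved on reboot.
========== FILES ==========
File\Folder C:\WINDOWS\System32\notopeng32.dll not found.
File\Folder C:\WINDOWS\System32\audalole.dll not found.
C:\WINDOWS\System32\arejetur.ini moved successfully.
C:\WINDOWS\System32\ilebiber.ini moved successfully.
========== COMMANDS ==========
User's Temp folder emptied.
"""

# Registry locations commonly abused for persistence, matched by a regex over the
# registry path.  Labels are this example's own wording for the report.
# (HKEY_USERS\S-1-5-20 in the sample is the NETWORK SERVICE account hive.)
MECHANISMS = [
    (re.compile(r"\\AppInit_Dlls", re.I), "AppInit_DLLs"),                     # DLL loaded into every user32 process
    (re.compile(r"\\Browser Helper Objects\\", re.I), "IE Browser Helper Object"),
    (re.compile(r"\\ShellServiceObjectDelayLoad\\", re.I), "ShellServiceObjectDelayLoad"),  # loaded by explorer.exe
    (re.compile(r"\\CurrentVersion\\Run(?:Once)?\\", re.I), "Run/RunOnce autostart"),
]

# Normalised outcome for the phrases OTL prints at the end of a line.
OUTCOME_WORDS = {"deleted successfully": "removed", "moved successfully": "removed", "not found": "not found"}

# (kind, line pattern, fixed outcome or None when the outcome comes from the line)
LINE_PATTERNS = [
    ("hosts",    re.compile(r"^(?P<ip>\S+) (?P<target>\S+) removed from HOSTS file successfully$"), "removed"),
    ("registry", re.compile(r"^Registry (?:key|value) (?P<target>.+?) (?P<outcome>deleted successfully|not found)\.$"), None),
    ("file",     re.compile(r"^File move failed\. (?P<target>.+) scheduled to be moved on reboot\.$"), "pending reboot"),
    ("file",     re.compile(r"^File\\Folder (?P<target>.+) (?P<outcome>not found)\.$"), None),
    ("file",     re.compile(r"^(?P<target>[A-Za-z]:\\.+) (?P<outcome>moved successfully)\.$"), None),
    ("file",     re.compile(r"^(?P<target>[A-Za-z]:\\.+) NOT unregistered\.$"), "unregister failed"),
]


def mechanism_for(kind, target):
    """Map a parsed entry to the persistence mechanism it belongs to."""
    if kind == "hosts":
        return "HOSTS file redirect"
    if kind == "registry":
        for pattern, label in MECHANISMS:
            if pattern.search(target):
                return label
        return "other registry entry"      # e.g. a CLSID registration for the BHO
    return "file on disk"


def parse_otl_log(text):
    """Turn the action lines of an OTL log into a list of dicts; section headers
    and lines we do not recognise (process kills, temp-folder notices) are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("=========="):
            continue
        for kind, pattern, fixed_outcome in LINE_PATTERNS:
            m = pattern.match(line)
            if not m:
                continue
            outcome = fixed_outcome or OUTCOME_WORDS[m.group("outcome")]
            entries.append({"kind": kind, "target": m.group("target"), "outcome": outcome,
                            "mechanism": mechanism_for(kind, m.group("target"))})
            break
    return entries


def summarize(entries):
    """Count removals per mechanism and list targets that still need a post-reboot check."""
    removed, verify, not_found = Counter(), set(), 0
    for e in entries:
        if e["outcome"] in ("removed", "pending reboot"):
            removed[e["mechanism"]] += 1
        if e["outcome"] in ("pending reboot", "unregister failed"):
            verify.add(e["target"])        # confirm in the "Files moved on Reboot" section
        if e["outcome"] == "not found":
            not_found += 1
    return {"removed_by_mechanism": dict(removed), "verify_after_reboot": sorted(verify),
            "not_found": not_found}


if __name__ == "__main__":
    report = summarize(parse_otl_log(SAMPLE_LOG))
    for mechanism, n in sorted(report["removed_by_mechanism"].items()):
        print(f"{n:2d}  {mechanism}")
    print("verify after reboot:", report["verify_after_reboot"])
```

Run against the sample, the report shows two AppInit_DLLs values, a BHO, an SSODL entry, a Run value and two HOSTS redirects removed, and `audalole.dll` as the one item to confirm after the reboot, which matches the "Files moved on Reboot" section of the posted log.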

#7 Buckeye_Sam

    Malware Expert

  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 05 May 2009 - 09:58 AM

Yep, those were remnants left behind from your Vundo infection.
Please post a new log from DDS and I'll make sure it's all clear.


========================================================

#8 Buckeye_Sam

    Malware Expert

  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 25 May 2009 - 10:06 AM

Unfortunately there has been no response. :thumbup2:
This thread will now be closed.


========================================================



