
Trojan infection


This topic is locked
32 replies to this topic

#1 khalil ahamed


  • Members
  • 37 posts

Posted 01 October 2009 - 09:50 PM

If you are seeing this for the first time restart your computer.

Check you have adequate disk space. If drivers are identified then disable the driver and check for manufacturer updates.

Try changing video adapters.

Check hardware vendor for BIOS updates.

Technical Information:

*** Stop: 0x00000007E (0x0000005, 0x89D3472F, BA4CB2FA, 0xBD4CAFF0)



DDS.TXT
======




DDS (Ver_09-09-29.01) - NTFSx86 NETWORK
Run by Administrator at 23:13:42.93 on Wed 09/30/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_07
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2038.1680 [GMT -5:00]

AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\WINDOWS\Explorer.EXE
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Administrator\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
uSearch Page = hxxp://www.google.com/hws/sb/dell-usuk/en/side.html?channel=us
uDefault_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=0080108
uSearch Bar = hxxp://www.google.com/hws/sb/dell-usuk/en/side.html?channel=us
mSearchAssistant = hxxp://www.google.com/ie
mURLSearchHooks: H - No File
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: {A249BC15-23F2-42AD-F4E4-00AAC39C0004} - No File
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
uRun: [DellAutomatedPCTuneUp] "c:\program files\dellautomatedpctuneup\PTAgnt.exe" /startup
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Yjafosi8kdf98winmdkmnkmfnwe] c:\docume~1\admini~1\locals~1\temp\mdm.exe
mRun: [PCMService] "c:\program files\dell\mediadirect\PCMService.exe"
mRun: [McENUI] c:\progra~1\mcafee\mhn\McENUI.exe /hide
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [Antivirus Pro 2010] "c:\program files\antiviruspro_2010\AntivirusPro_2010.exe" /hide
mRun: [11370004] c:\documents and settings\all users\application data\11370004\11370004.exe
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [wuvemijah] Rundll32.exe "c:\windows\system32\vuyohasu.dll",a
mRun: [9285806974] c:\documents and settings\basha\application data\9285806974\9285806974.exe
dRun: [Install] c:\documents and settings\basha\application data\9285806974\9285806974.bat
uPolicies-explorer: NoFolderOptions = 1 (0x1)
uPolicies-explorer: ForceClassicControlPanel = 1 (0x1)
uPolicies-system: DisableRegistryTools = 1 (0x1)
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\npjpi160_07.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {5067A26B-1337-4436-8AFE-EE169C2DA79F} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} - hxxp://www.kumudam.com/wfplayer/tdserver.cab
DPF: {076169AA-8C3D-4CFC-AC23-3ACA88FC21B5} - hxxp://download.sp.f-secure.com/ols/f-secure-rtm/resources/fslauncher.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {195538FD-1C39-44B1-A7C3-5D7137A8A8F1} - hxxps://passage.cna.com/vdesk/terminal/f5opswati.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {474F00F5-3853-492C-AC3A-476512BBC336} - hxxp://picasaweb.google.com/s/v/53.13/uploader2.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: c:\progra~1\google\google~2\goec62~1.dll c:\windows\system32\sizesare.dll kcuekl.dll c:\windows\system32\gitabiga.dll c:\windows\system32\fakugupu.dll c:\windows\system32\zuhuyaba.dll c:\windows\system32\varofeje.dll ditetiro.dll c:\windows\system32\vuyohasu.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SSODL: yatawijif - {9d589ada-e5eb-4bc6-a474-143a257fdee4} - c:\windows\system32\vuyohasu.dll
STS: tokatiluy: {9d589ada-e5eb-4bc6-a474-143a257fdee4} - c:\windows\system32\vuyohasu.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
LSA: Notification Packages = scecli c:\windows\system32\sizesare.dll c:\windows\system32\zuhuyaba.dll gekininu.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\va59d4le.default\
FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npGoogleGadgetPluginFirefoxWin.dll
FF - HiddenExtension: XUL Cache: {B37DF0F0-9745-49D9-98F0-F7C01E8A73B4} - c:\documents and settings\basha\local settings\application data\{B37DF0F0-9745-49D9-98F0-F7C01E8A73B4}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

S1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2008-12-24 214024]
S1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-8-5 9968]
S1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-8-5 74480]
S2 datunidr;DellAutomatedPCTuneUp UniDriver;c:\windows\system32\drivers\datunidr.sys [2007-8-23 5376]
S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2008-12-26 210216]
S2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2008-12-24 359952]
S2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2008-12-24 144704]
S2 MSSQL$MSSMLBIZ;SQL Server (MSSMLBIZ);c:\program files\microsoft sql server\mssql.1\mssql\binn\sqlservr.exe [2007-2-10 29178224]
S3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2008-12-24 606736]
S3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2008-12-24 79880]
S3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2008-12-24 35272]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2008-12-24 34216]
S3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2008-12-24 40552]
S3 OEM02Dev;Creative Camera OEM002 Driver;c:\windows\system32\drivers\OEM02Dev.sys [2008-1-8 235520]
S3 OEM02Vfx;Creative Camera OEM002 Video VFX Driver;c:\windows\system32\drivers\OEM02Vfx.sys [2008-1-8 7424]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-8-5 7408]

=============== Created Last 30 ================

2009-09-30 19:02 18,269 a------- c:\docume~1\admini~1\applic~1\zode.scr
2009-09-30 19:02 18,254 a------- c:\windows\system32\irizowezis.exe
2009-09-30 19:02 17,595 a------- c:\windows\system32\ligolequ.vbs
2009-09-30 19:02 16,919 a------- c:\docume~1\admini~1\applic~1\vosacovet.bin
2009-09-30 19:02 14,689 a------- c:\program files\common files\ypatiweluz.sys
2009-09-30 19:02 13,905 a------- c:\windows\hytylabe.pif
2009-09-30 19:02 11,155 a------- c:\docume~1\alluse~1\applic~1\iveripu.pif
2009-09-30 19:02 10,210 a------- c:\windows\qepelowak.dl
2009-09-30 19:02 167,424 a------- c:\windows\system32\_scui.cpl
2009-09-29 23:29 <DIR> --d----- c:\docume~1\alluse~1\applic~1\11370004
2009-09-28 22:19 <DIR> --d----- c:\docume~1\admini~1\applic~1\Malwarebytes
2009-09-27 19:44 <DIR> --d----- c:\documents and settings\Administrator
2009-09-27 19:08 19,555 a------- c:\program files\common files\owoqeveq.vbs
2009-09-27 19:08 19,341 a------- c:\windows\akufexiqeh.lib
2009-09-27 19:08 18,862 a------- c:\windows\ejomoba.inf
2009-09-27 19:08 18,602 a------- c:\windows\system32\mutitopeq.db
2009-09-27 19:08 16,621 a------- c:\windows\system32\exypi.pif
2009-09-27 19:08 16,162 a------- c:\windows\system32\tovunidav.bin
2009-09-27 19:08 15,798 a------- c:\program files\common files\upuvol.pif
2009-09-27 19:08 14,411 a------- c:\windows\system32\ykybykyk.lib
2009-09-27 19:08 14,069 a------- c:\docume~1\alluse~1\applic~1\qozyquj.com
2009-09-27 19:08 13,553 a------- c:\windows\ekelam._sy
2009-09-27 19:08 13,236 a------- c:\windows\ujaj.ban
2009-09-27 19:08 13,000 a------- c:\windows\giqu.db
2009-09-27 19:08 11,179 a------- c:\windows\nubykypuv.com
2009-09-27 19:08 10,331 a------- c:\docume~1\alluse~1\applic~1\odajolyb.exe
2009-09-27 19:08 10,157 a------- c:\program files\common files\itudazut.bin
2009-09-27 19:08 <DIR> --d----- c:\program files\AntivirusPro_2010
2009-09-27 19:00 46 a------- C:\p2hhr.bat
2009-09-27 19:00 156,672 a------- C:\vfulg.exe
2009-09-27 19:00 5,632 a------- C:\rlswn.exe
2009-09-27 19:00 104,448 a------- C:\mqhimp.exe
2009-09-27 19:00 19,456 a------- C:\xrwy.exe
2009-09-27 19:00 39,424 a------- C:\rmeprraf.exe
2009-09-27 19:00 49,152 a------- C:\yonm.exe

==================== Find3M ====================

2009-09-30 19:51 1,047,588 a--sh--- c:\windows\system32\kulufegi.exe
2009-09-30 19:50 89,088 a--sh--- c:\windows\system32\vuyohasu.dll
2009-09-30 19:50 38,400 a--sh--- c:\windows\system32\dadutiwo.dll
2009-09-30 19:02 11,725 a------- c:\program files\common files\hywidig.inf
2009-09-30 18:50 50,688 a--sh--- c:\windows\system32\yuwowijo.dll
2009-09-30 18:50 39,424 a--sh--- c:\windows\system32\kihulolu.dll
2009-09-29 23:29 1,082,404 a--sh--- c:\windows\system32\sedehobi.exe
2009-09-29 23:28 91,136 a--sh--- c:\windows\system32\gumapoke.dll
2009-09-29 23:28 39,424 a--sh--- c:\windows\system32\visoziyo.dll
2009-09-28 23:10 53,248 a--sh--- c:\windows\system32\pologodi.dll
2009-09-28 23:09 37,888 a--sh--- c:\windows\system32\sunasuyu.dll
2009-09-27 19:08 18,875 a------- c:\program files\common files\ixugo.db
2009-09-27 19:00 44,970 a--sh--- c:\windows\system32\dipafibu.exe
2009-09-27 19:00 37,376 a--sh--- c:\windows\system32\yufiyasi.dll
2009-08-03 13:36 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-03 13:36 19,096 a------- c:\windows\system32\drivers\mbam.sys
2008-01-08 14:33 76 ---shr-- c:\windows\CT4CET.bin
2009-06-27 19:00 50,176 a--sh--- c:\windows\system32\dehaseha.dll
2009-06-30 18:50 50,688 a--sh--- c:\windows\system32\ditetiro.dll
2009-06-30 18:50 50,688 a--sh--- c:\windows\system32\gekininu.dll
2009-06-28 23:09 355,328 a--sh--- c:\windows\system32\jijejeju.exe
2009-06-30 18:50 377,856 a--sh--- c:\windows\system32\pakiyavo.exe
2009-06-30 18:50 50,688 a--sh--- c:\windows\system32\rugalilu.dll
2009-06-27 19:00 1,027,072 a--sh--- c:\windows\system32\tafenugo.exe
2009-06-27 19:00 606,208 a--sh--- c:\windows\system32\vanuvera.exe
2008-08-20 09:42 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008082020080821\index.dat

============= FINISH: 23:15:30.17 ===============


#2 khalil ahamed

  • Topic Starter

  • Members
  • 37 posts

Posted 20 October 2009 - 12:16 AM

Hi,

I posted this topic about 20 days ago but I have not got any reply so far. I'm very much stuck as my computer is infected by trojans.

Can any one of you please help me clean these trojans...

Your quick help is much appreciated....

Regards,
Khalil Ahamed

#3 myrti



  • Malware Study Hall Admin
  • 33,774 posts

Posted 20 October 2009 - 12:26 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

Please include a clear description of the problems you're having, along with any steps you may have performed so far.

Please refrain from running tools or applying updates other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.

Even if you have already provided information about your PC, we need a new log to see what has changed since you originally posted your problem.
  • Please download OTL from the following mirror:
  • Save it to your desktop.
  • Double click on the OTL icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the Run Scan button.
  • Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized

In the upper right hand corner of the topic you will see a button called Options. If you click on this, in the drop-down menu you can choose Track this topic. I suggest you do this and select Immediate E-Mail notification and click on Proceed. This way you will be advised when we respond to your topic, which will facilitate the cleaning of your machine.

After 5 days if a topic is not replied to we assume it has been abandoned and it is closed.

regards _temp_

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 



#4 khalil ahamed

  • Topic Starter

  • Members
  • 37 posts

Posted 22 October 2009 - 06:25 PM

Hi,

Thanks for your reply.

I tried the steps you mentioned.

I downloaded OTL and then ran the scan.

The OTL.txt and Extra.txt were generated the first time. I had some doubts about the steps I did and hence I tried running the scan again. This time the OTL.txt was generated in 10-15 mins but the Extra.txt was never generated. I ran the scan for 9 hours and still it was not generated.

What should I do?

Regards,
Khalil Ahamed

#5 myrti



  • Malware Study Hall Admin
  • 33,774 posts

Posted 22 October 2009 - 08:39 PM

Hi,

Please post the otl.txt. It is normal that the extra.txt does not appear after the initial scan.

I will be away till Monday and unable to reply. Sorry for the inconvenience.

regards _temp_



#6 khalil ahamed

  • Topic Starter

  • Members
  • 37 posts

Posted 27 October 2009 - 11:19 PM

Hi,

Here is the content of OTL.TXT:

============ Start ===============

OTL logfile created on: 10/22/2009 6:41:35 AM - Run 6
OTL by OldTimer - Version 3.0.21.0 Folder = C:\Documents and Settings\Administrator\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.99 Gb Total Physical Memory | 1.67 Gb Available Physical Memory | 83.66% Memory free
3.84 Gb Paging File | 3.69 Gb Available in Paging File | 95.96% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 60.00 Gb Total Space | 36.59 Gb Free Space | 60.97% Space Free | Partition Type: NTFS
Drive D: | 86.46 Gb Total Space | 63.31 Gb Free Space | 73.23% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: FARAH
Current User Name: Administrator
Logged in as Administrator.

Current Boot Mode: SafeMode with Networking
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2009/10/20 23:42:18 | 00,521,216 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.exe
PRC - [2009/01/08 21:30:26 | 00,797,864 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\MSC\mcmscsvc.exe
PRC - [2009/01/08 21:30:26 | 00,645,328 | ---- | M] (McAfee, Inc.) -- c:\Program Files\McAfee.com\Agent\mcagent.exe
PRC - [2008/12/19 00:25:25 | 00,634,024 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Internet Explorer\iexplore.exe
PRC - [2008/04/13 19:12:19 | 01,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Explorer.EXE
PRC - [2008/04/13 19:12:14 | 00,389,120 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\cmd.exe
PRC - [2007/06/06 16:30:28 | 00,252,696 | ---- | M] (Intel Corporation) -- C:\WINDOWS\System32\igfxsrvc.exe

========== Win32 Services (SafeList) ==========

SRV - [2009/04/01 14:21:30 | 00,365,072 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan\mcods.exe -- (McODS [On_Demand | Stopped])
SRV - [2009/03/25 11:05:48 | 00,144,704 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan\Mcshield.exe -- (McShield [Unknown | Stopped])
SRV - [2009/03/24 00:03:18 | 00,606,736 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan\mcsysmon.exe -- (McSysmon [On_Demand | Stopped])
SRV - [2009/03/19 11:42:02 | 00,884,360 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\MPF\MPFSrv.exe -- (MpfService [On_Demand | Stopped])
SRV - [2009/02/11 11:06:36 | 00,210,216 | ---- | M] () -- C:\Program Files\McAfee\SiteAdvisor\McSACore.exe -- (McAfee SiteAdvisor Service [Auto | Stopped])
SRV - [2009/01/09 14:05:26 | 00,068,112 | ---- | M] (McAfee) -- C:\Program Files\McAfee\MBK\MBackMonitor.exe -- (MBackMonitor [On_Demand | Stopped])
SRV - [2009/01/09 12:31:16 | 02,482,848 | ---- | M] (McAfee, Inc.) -- c:\program files\common files\mcafee\mna\mcnasvc.exe -- (McNASvc [Auto | Stopped])
SRV - [2009/01/09 10:22:10 | 00,026,640 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\MSK\MskSrver.exe -- (MSK80Service [Auto | Stopped])
SRV - [2009/01/09 09:06:52 | 00,359,952 | ---- | M] (McAfee, Inc.) -- c:\Program Files\Common Files\McAfee\McProxy\McProxy.exe -- (McProxy [Auto | Stopped])
SRV - [2009/01/08 21:30:26 | 00,797,864 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\MSC\mcmscsvc.exe -- (mcmscsvc [Auto | Running])
SRV - [2008/09/12 18:48:54 | 05,119,392 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Zune\ZuneNss.exe -- (ZuneNetworkSvc [On_Demand | Stopped])
SRV - [2008/09/12 18:48:22 | 00,245,664 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\ZuneWlanCfgSvc.exe -- (ZuneWlanCfgSvc [On_Demand | Stopped])
SRV - [2008/09/12 18:46:32 | 00,061,856 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\ZuneBusEnum.exe -- (ZuneBusEnum [Auto | Stopped])
SRV - [2008/04/13 19:12:02 | 00,038,400 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll -- (helpsvc [Auto | Running])
SRV - [2008/04/13 19:11:48 | 00,100,352 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\6to4svc.dll -- (6to4 [Auto | Stopped])
SRV - [2007/12/11 14:22:36 | 00,024,064 | ---- | M] () -- C:\WINDOWS\System32\WLTRYSVC.EXE -- (wltrysvc [Auto | Stopped])
SRV - [2007/10/11 10:49:46 | 00,076,016 | ---- | M] () -- C:\Program Files\DellAutomatedPCTuneUp\brkrsvc.exe -- (DellAMBrokerService [On_Demand | Stopped])
SRV - [2007/05/25 12:38:46 | 00,112,176 | ---- | M] (SingleClick Systems) -- C:\Program Files\Dell Network Assistant\hnm_svc.exe -- (hnmsvc [Disabled | Stopped])
SRV - [2007/02/10 05:29:56 | 00,089,968 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe -- (SQLWriter [Auto | Stopped])
SRV - [2007/02/10 05:29:54 | 29,178,224 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe -- (MSSQL$MSSMLBIZ [Auto | Stopped])
SRV - [2007/02/10 05:29:48 | 00,242,544 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe -- (SQLBrowser [Disabled | Stopped])
SRV - [2007/01/03 20:40:21 | 00,136,120 | ---- | M] (Google) -- C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe -- (gusvc [Disabled | Stopped])
SRV - [2006/11/05 12:15:12 | 00,880,640 | ---- | M] (Sonic Solutions) -- C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe -- (RoxMediaDB9 [On_Demand | Stopped])
SRV - [2006/11/05 12:13:00 | 00,159,744 | ---- | M] (Sonic Solutions) -- C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe -- (RoxWatch9 [Auto | Stopped])
SRV - [2006/10/26 19:49:34 | 00,441,136 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE -- (odserv [On_Demand | Stopped])
SRV - [2006/10/26 14:03:08 | 00,145,184 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE -- (ose [On_Demand | Stopped])
SRV - [2006/10/18 20:05:24 | 00,913,408 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Media Player\WMPNetwk.exe -- (WMPNetworkSvc [On_Demand | Stopped])
SRV - [2006/09/14 15:54:34 | 00,073,728 | ---- | M] (MicroVision Development, Inc.) -- C:\Program Files\Common Files\SureThing Shared\stllssvr.exe -- (stllssvr [Disabled | Stopped])
SRV - [2006/06/05 13:59:18 | 00,174,080 | ---- | M] (Nokia.) -- C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe -- (ServiceLayer [On_Demand | Stopped])
SRV - [2005/10/14 02:50:20 | 00,045,272 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft SQL Server\90\Shared\sqladhlp90.exe -- (MSSQLServerADHelper [Disabled | Stopped])
SRV - [2005/09/23 07:28:56 | 00,066,240 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32 [On_Demand | Stopped])
SRV - [2005/09/23 07:28:32 | 00,029,896 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe -- (aspnet_state [On_Demand | Stopped])
SRV - [2004/10/22 04:24:18 | 00,073,728 | ---- | M] (Macrovision Corporation) -- C:\Program Files\Roxio\Roxio MyDVD DE\InstallShield\Driver\1050\Intel 32\IDriverT.exe -- (IDriverT [Disabled | Stopped])

========== Driver Services (SafeList) ==========

DRV - [2009/08/05 16:06:30 | 00,007,408 | R--- | M] ( SUPERAdBlocker.com and SUPERAntiSpyware.com) -- C:\Program Files\SUPERAntiSpyware\SASENUM.SYS -- (SASENUM [On_Demand | Stopped])
DRV - [2009/08/05 16:06:28 | 00,074,480 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) -- C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys -- (SASKUTIL [System | Stopped])
DRV - [2009/08/05 16:06:28 | 00,009,968 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) -- C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS -- (SASDIFSV [System | Stopped])
DRV - [2009/03/25 11:06:30 | 00,040,552 | ---- | M] (McAfee, Inc.) -- C:\WINDOWS\System32\drivers\mfesmfk.sys -- (mfesmfk [On_Demand | Stopped])
DRV - [2009/03/25 11:06:28 | 00,214,024 | ---- | M] (McAfee, Inc.) -- C:\WINDOWS\System32\drivers\mfehidk.sys -- (mfehidk [System | Stopped])
DRV - [2009/03/25 11:06:28 | 00,079,880 | ---- | M] (McAfee, Inc.) -- C:\WINDOWS\System32\drivers\mfeavfk.sys -- (mfeavfk [On_Demand | Stopped])
DRV - [2009/03/25 11:06:28 | 00,035,272 | ---- | M] (McAfee, Inc.) -- C:\WINDOWS\System32\drivers\mfebopk.sys -- (mfebopk [On_Demand | Stopped])
DRV - [2009/03/25 11:05:54 | 00,034,216 | ---- | M] (McAfee, Inc.) -- C:\WINDOWS\System32\drivers\mferkdk.sys -- (mferkdk [On_Demand | Stopped])
DRV - [2008/11/20 14:19:06 | 00,043,872 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\System32\Drivers\PxHelp20.sys -- (PxHelp20 [Boot | Running])
DRV - [2008/10/23 14:08:54 | 00,120,136 | ---- | M] (McAfee, Inc.) -- C:\WINDOWS\System32\Drivers\Mpfp.sys -- (MPFP [System | Running])
DRV - [2008/09/12 18:32:04 | 00,040,832 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\DRIVERS\zumbus.sys -- (zumbus [Auto | Running])
DRV - [2008/06/20 06:08:27 | 00,225,856 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\DRIVERS\tcpip6.sys -- (Tcpip6 [System | Running])
DRV - [2008/04/13 13:36:39 | 00,043,008 | ---- | M] (Advanced Micro Devices, Inc.) -- C:\WINDOWS\system32\DRIVERS\amdagp.sys -- (amdagp [Disabled | Stopped])
DRV - [2008/04/13 13:36:39 | 00,040,960 | ---- | M] (Silicon Integrated Systems Corporation) -- C:\WINDOWS\system32\DRIVERS\sisagp.sys -- (sisagp [Disabled | Stopped])
DRV - [2008/04/13 11:36:05 | 00,144,384 | ---- | M] (Windows ® Server 2003 DDK provider) -- C:\WINDOWS\System32\DRIVERS\HDAudBus.sys -- (HDAudBus [On_Demand | Running])
DRV - [2007/12/11 14:22:24 | 01,123,328 | ---- | M] (Broadcom Corp.) -- C:\WINDOWS\System32\DRIVERS\bcmwl5.sys -- (BCM43XX [On_Demand | Running])
DRV - [2007/11/13 05:25:53 | 00,020,480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) -- C:\WINDOWS\System32\DRIVERS\secdrv.sys -- (Secdrv [On_Demand | Stopped])
DRV - [2007/08/28 15:55:06 | 00,007,424 | ---- | M] (EyePower Games Pte. Ltd.) -- C:\WINDOWS\System32\DRIVERS\OEM02Vfx.sys -- (OEM02Vfx [On_Demand | Stopped])
DRV - [2007/08/28 15:54:56 | 00,235,520 | ---- | M] (Creative Technology Ltd.) -- C:\WINDOWS\System32\DRIVERS\OEM02Dev.sys -- (OEM02Dev [On_Demand | Stopped])
DRV - [2007/08/23 19:29:10 | 00,005,376 | --S- | M] (Gteko Ltd.) -- C:\WINDOWS\System32\DRIVERS\datunidr.sys -- (datunidr [Auto | Stopped])
DRV - [2007/06/06 16:30:32 | 05,707,744 | ---- | M] (Intel Corporation) -- C:\WINDOWS\System32\DRIVERS\igxpmp32.sys -- (ialm [On_Demand | Stopped])
DRV - [2007/06/06 16:28:16 | 01,222,840 | ---- | M] (SigmaTel, Inc.) -- C:\WINDOWS\System32\drivers\sthda.sys -- (STHDA [On_Demand | Stopped])
DRV - [2007/06/03 15:20:58 | 00,202,912 | ---- | M] (Synaptics, Inc.) -- C:\WINDOWS\System32\DRIVERS\SynTP.sys -- (SynTP [On_Demand | Running])
DRV - [2007/05/08 22:49:02 | 00,045,568 | ---- | M] (Broadcom Corporation) -- C:\WINDOWS\System32\DRIVERS\bcm4sbxp.sys -- (bcm4sbxp [On_Demand | Running])
DRV - [2007/05/08 22:46:12 | 00,037,376 | ---- | M] (REDC) -- C:\WINDOWS\System32\DRIVERS\rixdptsk.sys -- (rismxdp [Auto | Running])
DRV - [2007/05/08 22:46:08 | 00,043,520 | ---- | M] (REDC) -- C:\WINDOWS\System32\DRIVERS\rimsptsk.sys -- (rimsptsk [Auto | Running])
DRV - [2007/05/08 22:46:06 | 00,032,256 | ---- | M] (REDC) -- C:\WINDOWS\System32\DRIVERS\rimmptsk.sys -- (rimmptsk [Auto | Running])
DRV - [2007/05/08 21:22:58 | 00,277,784 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\drivers\iaStor.sys -- (iaStor [Boot | Running])
DRV - [2007/04/23 22:15:48 | 00,012,672 | ---- | M] (Conexant) -- C:\WINDOWS\System32\DRIVERS\mdmxsdk.sys -- (mdmxsdk [Auto | Stopped])
DRV - [2007/04/23 22:15:46 | 00,989,696 | ---- | M] (Conexant Systems, Inc.) -- C:\WINDOWS\System32\DRIVERS\HSF_DPV.sys -- (HSF_DPV [On_Demand | Stopped])
DRV - [2007/04/23 22:15:46 | 00,730,112 | ---- | M] (Conexant Systems, Inc.) -- C:\WINDOWS\System32\DRIVERS\HSF_CNXT.sys -- (winachsf [On_Demand | Stopped])
DRV - [2007/04/23 22:15:44 | 00,209,152 | ---- | M] (Conexant Systems, Inc.) -- C:\WINDOWS\System32\DRIVERS\HSFHWAZL.sys -- (HSFHWAZL [On_Demand | Stopped])
DRV - [2007/02/14 11:37:08 | 00,010,480 | ---- | M] (Broadcom Corporation) -- C:\Program Files\Broadcom\BACS\BASFND.sys -- (BASFND [Auto | Stopped])
DRV - [2007/02/09 13:34:16 | 00,051,768 | ---- | M] (Roxio) -- C:\WINDOWS\System32\Drivers\DRVNDDM.SYS -- (DRVNDDM [Auto | Stopped])
DRV - [2007/02/08 21:05:30 | 00,028,120 | ---- | M] (Roxio) -- C:\WINDOWS\System32\Drivers\DLARTL_M.SYS -- (DLARTL_M [System | Running])
DRV - [2007/02/08 21:05:30 | 00,012,856 | ---- | M] (Roxio) -- C:\WINDOWS\System32\Drivers\DLACDBHM.SYS -- (DLACDBHM [System | Running])
DRV - [2006/12/18 20:01:20 | 00,012,672 | ---- | M] (SingleClick Systems) -- C:\WINDOWS\System32\DRIVERS\packet.sys -- (Packet [Auto | Stopped])
DRV - [2006/11/02 13:31:38 | 00,103,168 | ---- | M] (Knowles Acoustics) -- C:\WINDOWS\System32\drivers\dxec02.sys -- (DXEC02 [On_Demand | Stopped])
DRV - [2006/11/02 07:00:08 | 00,039,368 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\DRIVERS\WinUSB.sys -- (WinUSB [On_Demand | Stopped])
DRV - [2006/10/26 17:22:02 | 00,009,400 | ---- | M] (Roxio) -- C:\WINDOWS\System32\DLA\DLADResM.SYS -- (DLADResM [Auto | Stopped])
DRV - [2006/10/26 17:21:34 | 00,094,648 | ---- | M] (Roxio) -- C:\WINDOWS\System32\DLA\DLAUDFAM.SYS -- (DLAUDFAM [Auto | Stopped])
DRV - [2006/10/26 17:21:34 | 00,035,096 | ---- | M] (Roxio) -- C:\WINDOWS\System32\DLA\DLABMFSM.SYS -- (DLABMFSM [Auto | Stopped])
DRV - [2006/10/26 17:21:32 | 00,097,848 | ---- | M] (Roxio) -- C:\WINDOWS\System32\DLA\DLAUDF_M.SYS -- (DLAUDF_M [Auto | Stopped])
DRV - [2006/10/26 17:21:30 | 00,026,296 | ---- | M] (Roxio) -- C:\WINDOWS\System32\DLA\DLAOPIOM.SYS -- (DLAOPIOM [Auto | Stopped])
DRV - [2006/10/26 17:21:28 | 00,032,472 | ---- | M] (Roxio) -- C:\WINDOWS\System32\DLA\DLABOIOM.SYS -- (DLABOIOM [Auto | Stopped])
DRV - [2006/10/26 17:21:26 | 00,014,520 | ---- | M] (Roxio) -- C:\WINDOWS\System32\DLA\DLAPoolM.SYS -- (DLAPoolM [Auto | Stopped])
DRV - [2006/10/26 17:21:24 | 00,104,536 | ---- | M] (Roxio) -- C:\WINDOWS\System32\DLA\DLAIFS_M.SYS -- (DLAIFS_M [Auto | Stopped])
DRV - [2006/10/05 17:07:28 | 00,004,736 | ---- | M] (Gteko Ltd.) -- C:\Program Files\DellAutomatedPCTuneUp\GTAction\triggers\PTproct.sys -- (PTproct [On_Demand | Stopped])
DRV - [2006/07/21 12:21:26 | 00,099,176 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\System32\Drivers\DRVMCDB.SYS -- (DRVMCDB [Boot | Running])
DRV - [2006/05/29 08:26:38 | 00,127,488 | ---- | M] (Nokia) -- C:\WINDOWS\System32\drivers\nmwcd.sys -- (Nokia USB Phone Parent [On_Demand | Stopped])
DRV - [2006/05/29 08:26:36 | 00,013,312 | ---- | M] (Nokia) -- C:\WINDOWS\System32\drivers\nmwcdcm.sys -- (Nokia USB Modem [On_Demand | Stopped])
DRV - [2006/05/29 08:26:36 | 00,008,704 | ---- | M] (Nokia) -- C:\WINDOWS\System32\drivers\nmwcdc.sys -- (Nokia USB Generic [On_Demand | Stopped])
DRV - [2005/08/12 18:50:46 | 00,016,128 | ---- | M] (Dell Inc) -- C:\WINDOWS\SYSTEM32\DRIVERS\APPDRV.SYS -- (APPDRV [System | Stopped])
DRV - [2004/08/04 06:00:00 | 00,017,792 | ---- | M] (Parallel Technologies, Inc.) -- C:\WINDOWS\System32\DRIVERS\ptilink.sys -- (Ptilink [On_Demand | Running])
DRV - [2004/08/03 23:29:56 | 01,897,408 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\System32\DRIVERS\nv4_mini.sys -- (nv [On_Demand | Stopped])
DRV - [2004/04/13 20:20:08 | 00,015,781 | R--- | M] (Meetinghouse Data Communications) -- C:\WINDOWS\System32\DRIVERS\mdc8021x.sys -- (MDC8021X [Auto | Stopped])
DRV - [2001/08/17 15:07:44 | 00,019,072 | ---- | M] (Adaptec, Inc.) -- C:\WINDOWS\system32\DRIVERS\sparrow.sys -- (Sparrow [Disabled | Stopped])
DRV - [2001/08/17 15:07:42 | 00,030,688 | ---- | M] (LSI Logic) -- C:\WINDOWS\system32\DRIVERS\sym_u3.sys -- (sym_u3 [Disabled | Stopped])
DRV - [2001/08/17 15:07:40 | 00,028,384 | ---- | M] (LSI Logic) -- C:\WINDOWS\system32\DRIVERS\sym_hi.sys -- (sym_hi [Disabled | Stopped])
DRV - [2001/08/17 15:07:36 | 00,032,640 | ---- | M] (LSI Logic) -- C:\WINDOWS\system32\DRIVERS\symc8xx.sys -- (symc8xx [Disabled | Stopped])
DRV - [2001/08/17 15:07:34 | 00,016,256 | ---- | M] (Symbios Logic Inc.) -- C:\WINDOWS\system32\DRIVERS\symc810.sys -- (symc810 [Disabled | Stopped])
DRV - [2001/08/17 14:52:22 | 00,036,736 | ---- | M] (Promise Technology, Inc.) -- C:\WINDOWS\system32\DRIVERS\ultra.sys -- (ultra [Disabled | Stopped])
DRV - [2001/08/17 14:52:20 | 00,045,312 | ---- | M] (QLogic Corporation) -- C:\WINDOWS\system32\DRIVERS\ql12160.sys -- (ql12160 [Disabled | Stopped])
DRV - [2001/08/17 14:52:20 | 00,040,320 | ---- | M] (QLogic Corporation) -- C:\WINDOWS\system32\DRIVERS\ql1080.sys -- (ql1080 [Disabled | Stopped])
DRV - [2001/08/17 14:52:18 | 00,049,024 | ---- | M] (QLogic Corporation) -- C:\WINDOWS\system32\DRIVERS\ql1280.sys -- (ql1280 [Disabled | Stopped])
DRV - [2001/08/17 14:52:16 | 00,179,584 | ---- | M] (Mylex Corporation) -- C:\WINDOWS\system32\DRIVERS\dac2w2k.sys -- (dac2w2k [Disabled | Stopped])
DRV - [2001/08/17 14:52:12 | 00,017,280 | ---- | M] (American Megatrends Inc.) -- C:\WINDOWS\system32\DRIVERS\mraid35x.sys -- (mraid35x [Disabled | Stopped])
DRV - [2001/08/17 14:52:00 | 00,026,496 | ---- | M] (Advanced System Products, Inc.) -- C:\WINDOWS\system32\DRIVERS\asc.sys -- (asc [Disabled | Stopped])
DRV - [2001/08/17 14:51:58 | 00,014,848 | ---- | M] (Advanced System Products, Inc.) -- C:\WINDOWS\system32\DRIVERS\asc3550.sys -- (asc3550 [Disabled | Stopped])
DRV - [2001/08/17 14:51:56 | 00,005,248 | ---- | M] (Acer Laboratories Inc.) -- C:\WINDOWS\system32\DRIVERS\aliide.sys -- (AliIde [Disabled | Stopped])
DRV - [2001/08/17 14:51:54 | 00,006,656 | ---- | M] (CMD Technology, Inc.) -- C:\WINDOWS\system32\DRIVERS\cmdide.sys -- (CmdIde [Disabled | Stopped])
DRV - [2001/08/17 13:12:10 | 00,117,760 | ---- | M] (Intel Corporation) -- C:\WINDOWS\System32\DRIVERS\e100b325.sys -- (E100B [On_Demand | Stopped])

========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = [binary data]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=0080108
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Start Page = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=0080108


IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=0080108
IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=0080108
IE - HKU\.DEFAULT\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - Reg Error: Key error. File not found
IE - HKU\.DEFAULT\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=0080108
IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=0080108
IE - HKU\S-1-5-18\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - Reg Error: Key error. File not found
IE - HKU\S-1-5-18\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-3634047883-2941098505-1824055141-500\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=0080108
IE - HKU\S-1-5-21-3634047883-2941098505-1824055141-500\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKU\S-1-5-21-3634047883-2941098505-1824055141-500\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com/hws/sb/dell-usuk/en/...html?channel=us
IE - HKU\S-1-5-21-3634047883-2941098505-1824055141-500\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = about:blank
IE - HKU\S-1-5-21-3634047883-2941098505-1824055141-500\S-1-5-21-3634047883-2941098505-1824055141-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}:6.0.03
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}:6.0.05
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA}:6.0.06
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}:6.0.07
FF - prefs.js..extensions.enabledItems: {B37DF0F0-9745-49D9-98F0-F7C01E8A73B4}:1.0
FF - prefs.js..extensions.enabledItems: {B7082FAA-CB62-4872-9106-E42DD88EDE45}:2.9
FF - prefs.js..extensions.enabledItems: {972ce4c6-7e08-4474-a285-3208198ce6fd}:3.5.3

FF - HKLM\software\mozilla\Firefox\Extensions\\{ABDE892B-13A8-4d1b-88E6-365A6E755758}: C:\Program Files\Real\RealPlayer\browserrecord [2008/01/20 14:30:22 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{025928C4-75BA-40C2-95A3-0DC73D39A421}: C:\Documents and Settings\Khalil\Local Settings\Application Data\{025928C4-75BA-40C2-95A3-0DC73D39A421}
FF - HKLM\software\mozilla\Firefox\Extensions\\{B37DF0F0-9745-49D9-98F0-F7C01E8A73B4}: C:\Documents and Settings\basha\Local Settings\Application Data\{B37DF0F0-9745-49D9-98F0-F7C01E8A73B4} [2008/12/23 21:26:46 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{B7082FAA-CB62-4872-9106-E42DD88EDE45}: C:\Program Files\McAfee\SiteAdvisor [2009/09/02 23:54:18 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.3\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2009/09/30 00:04:31 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.3\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2009/10/03 19:34:10 | 00,000,000 | ---D | M]

[2009/09/30 00:04:41 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\mozilla\Extensions
[2009/09/30 00:04:41 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}
[2009/09/30 00:04:41 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\mozilla\Firefox\Profiles\va59d4le.default\extensions
[2009/10/21 07:29:24 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions
[2008/01/20 14:28:58 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}
[2009/09/19 11:01:41 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
[2008/01/27 21:45:20 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
[2008/03/15 10:15:19 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
[2008/07/01 00:08:25 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA}
[2008/07/30 21:22:45 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
[2008/01/20 14:28:43 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\real-networks@partners.mozilla.com
[2009/09/19 11:01:41 | 00,023,544 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browserdirprovider.dll
[2009/09/19 11:01:41 | 00,137,208 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\brwsrcmp.dll
[2008/06/17 16:12:42 | 00,114,688 | ---- | M] (Adobe Systems, Inc.) -- C:\Program Files\mozilla firefox\plugins\np32dsw.dll
[2007/12/19 07:57:38 | 00,310,272 | ---- | M] () -- C:\Program Files\mozilla firefox\plugins\npGoogleGadgetPluginFirefoxWin.dll
[2009/09/19 11:01:44 | 00,065,016 | ---- | M] (mozilla.org) -- C:\Program Files\mozilla firefox\plugins\npnul32.dll
[2006/10/26 20:12:16 | 00,016,192 | ---- | M] (Microsoft Corporation) -- C:\Program Files\mozilla firefox\plugins\NPOFF12.DLL
[2007/05/10 23:52:34 | 00,095,864 | ---- | M] (Adobe Systems Inc.) -- C:\Program Files\mozilla firefox\plugins\nppdf32.dll
[2008/01/20 14:30:17 | 00,144,984 | ---- | M] (RealNetworks, Inc.) -- C:\Program Files\mozilla firefox\plugins\nppl3260.dll
[2008/01/20 14:30:34 | 00,008,192 | ---- | M] (RealNetworks, Inc.) -- C:\Program Files\mozilla firefox\plugins\nprjplug.dll
[2008/01/20 14:30:05 | 00,094,208 | ---- | M] (RealNetworks, Inc.) -- C:\Program Files\mozilla firefox\plugins\nprpjplug.dll
[2009/07/30 02:24:20 | 00,001,394 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\amazondotcom.xml
[2009/07/30 02:24:20 | 00,002,193 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\answers.xml
[2009/08/22 14:50:10 | 00,001,497 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\avg_igeared.xml
[2009/07/30 02:24:20 | 00,001,534 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\creativecommons.xml
[2009/07/30 02:24:20 | 00,002,344 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\eBay.xml
[2009/07/30 02:24:20 | 00,002,371 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\google.xml
[2009/07/30 02:24:20 | 00,001,178 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\wikipedia.xml

O1 HOSTS File: (728 bytes) - C:\WINDOWS\System32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
O2 - BHO: (no name) - {A249BC15-23F2-42AD-F4E4-00AAC39C0004} - No CLSID value found.
O3 - HKLM\..\Toolbar: (no name) - - No CLSID value found.
O3 - HKLM\..\Toolbar: (McAfee SiteAdvisor Toolbar) - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll ()
O3 - HKLM\..\Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No CLSID value found.
O3 - HKU\.DEFAULT\..\Toolbar\WebBrowser: (no name) - {A057A204-BACC-4D26-9990-79A187E2698E} - No CLSID value found.
O3 - HKU\S-1-5-18\..\Toolbar\WebBrowser: (no name) - {A057A204-BACC-4D26-9990-79A187E2698E} - No CLSID value found.
O4 - HKLM..\Run: [11370004] C:\Documents and Settings\All Users\Application Data\11370004\11370004.exe ()
O4 - HKLM..\Run: [13426925] C:\Documents and Settings\All Users\Application Data\13426925\13426925.exe ()
O4 - HKLM..\Run: [26699638] C:\Documents and Settings\All Users\Application Data\26699638\26699638.exe ()
O4 - HKLM..\Run: [4214803815] C:\Documents and Settings\basha\Application Data\4214803815\4214803815.exe ()
O4 - HKLM..\Run: [47363124] C:\Documents and Settings\All Users\Application Data\47363124\47363124.exe ()
O4 - HKLM..\Run: [47394734] C:\Documents and Settings\All Users\Application Data\47394734\47394734.exe ()
O4 - HKLM..\Run: [49029125] C:\Documents and Settings\All Users\Application Data\49029125\49029125.exe ()
O4 - HKLM..\Run: [73526629] C:\Documents and Settings\All Users\Application Data\73526629\73526629.exe ()
O4 - HKLM..\Run: [8006631117] C:\Documents and Settings\basha\Application Data\8006631117\8006631117.exe ()
O4 - HKLM..\Run: [9023843680] C:\Documents and Settings\basha\Application Data\9023843680\9023843680.exe ()
O4 - HKLM..\Run: [9285806974] C:\Documents and Settings\basha\Application Data\9285806974\9285806974.exe ()
O4 - HKLM..\Run: [Antivirus Pro 2010] C:\Program Files\AntivirusPro_2010\AntivirusPro_2010.exe (TheBestSoft Corporation)
O4 - HKLM..\Run: [KernelFaultCheck] File not found
O4 - HKLM..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe (McAfee, Inc.)
O4 - HKLM..\Run: [McENUI] C:\Program Files\McAfee\MHN\McENUI.exe (McAfee, Inc.)
O4 - HKLM..\Run: [PCMService] C:\Program Files\Dell\MediaDirect\PCMService.exe (CyberLink Corp.)
O4 - HKLM..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe (RealNetworks, Inc.)
O4 - HKLM..\Run: [UserFaultCheck] File not found
O4 - HKLM..\Run: [winupdate.exe] C:\WINDOWS\System32\winupdate.exe ()
O4 - HKLM..\Run: [wuvemijah] C:\WINDOWS\System32\tofanuwo.DLL ()
O4 - HKU\.DEFAULT..\Run: [Install] C:\Documents and Settings\basha\Application Data\9285806974\9285806974.bat ()
O4 - HKU\S-1-5-18..\Run: [Install] C:\Documents and Settings\basha\Application Data\9285806974\9285806974.bat ()
O4 - HKU\S-1-5-19..\Run: [yosakowowu] C:\WINDOWS\System32\nowepeto.DLL File not found
O4 - HKU\S-1-5-20..\Run: [yosakowowu] C:\WINDOWS\System32\nowepeto.DLL File not found
O4 - HKU\S-1-5-21-3634047883-2941098505-1824055141-500..\Run: [DellAutomatedPCTuneUp] C:\Program Files\DellAutomatedPCTuneUp\PTAgnt.exe (Gteko Ltd.)
O4 - HKU\S-1-5-21-3634047883-2941098505-1824055141-500..\Run: [Yjafosi8kdf98winmdkmnkmfnwe] C:\Documents and Settings\Administrator\Local Settings\Temp\mdm.exe ()
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Main present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSetActiveDesktop = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktopChanges = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-3634047883-2941098505-1824055141-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-3634047883-2941098505-1824055141-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoFolderOptions = 1
O7 - HKU\S-1-5-21-3634047883-2941098505-1824055141-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: ForceClassicControlPanel = 1
O7 - HKU\S-1-5-21-3634047883-2941098505-1824055141-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableRegistryTools = 1
O8 - Extra context menu item: Add to Google Photos Screensa&ver - C:\WINDOWS\System32\GPhotos.scr (Google Inc.)
O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\npjpi160_07.dll (Sun Microsystems, Inc.)
O9 - Extra Button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Skype add-on for Internet Explorer - {5067A26B-1337-4436-8AFE-EE169C2DA79F} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll (Skype Technologies S.A.)
O9 - Extra Button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll (Yahoo! Inc.)
O9 - Extra Button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll (Skype Technologies S.A.)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe (Microsoft Corporation)
O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O15 - HKLM\..Trusted Domains: 1 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} http://www.kumudam.com/wfplayer/tdserver.cab (TDServer Control)
O16 - DPF: {076169AA-8C3D-4CFC-AC23-3ACA88FC21B5} http://download.sp.f-secure.com/ols/f-secu.../fslauncher.cab (F-Secure Online Scanner Launcher)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macromedia.com/pub/shockwa...director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {195538FD-1C39-44B1-A7C3-5D7137A8A8F1} https://passage.cna.com/vdesk/terminal/f5opswati.cab (OPSWAT AntiViruses Class)
O16 - DPF: {233C1507-6A77-46A4-9443-F871F945D258} http://download.macromedia.com/pub/shockwa...director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {474F00F5-3853-492C-AC3A-476512BBC336} http://picasaweb.google.com/s/v/53.13/uploader2.cab (UploadListView Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_07)
O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_03)
O16 - DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_05)
O16 - DPF: {CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_06)
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_07)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_07)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\ipp - No CLSID value found
O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp - No CLSID value found
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Handler\ms-itss {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\msitss.dll (Microsoft Corporation)
O18 - Protocol\Handler\sacore {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll ()
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O18 - Protocol\Filter: - text/xml - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - AppInit_DLLs: (C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL) - C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL File not found
O20 - AppInit_DLLs: (C:\WINDOWS\system32\sizesare.dll) - C:\WINDOWS\System32\sizesare.dll File not found
O20 - AppInit_DLLs: (kcuekl.dll) - File not found
O20 - AppInit_DLLs: (c:\windows\system32\gitabiga.dll) - C:\WINDOWS\System32\gitabiga.dll File not found
O20 - AppInit_DLLs: (c:\windows\system32\fakugupu.dll) - C:\WINDOWS\System32\fakugupu.dll File not found
O20 - AppInit_DLLs: (c:\windows\system32\varofeje.dll) - C:\WINDOWS\System32\varofeje.dll File not found
O20 - AppInit_DLLs: (c:\windows\system32\bigivofo.dll) - C:\WINDOWS\System32\bigivofo.dll File not found
O20 - AppInit_DLLs: (c:\windows\system32\zuhuyaba.dll) - C:\WINDOWS\System32\zuhuyaba.dll File not found
O20 - AppInit_DLLs: (c:\windows\system32\jasadiwi.dll) - C:\WINDOWS\System32\jasadiwi.dll File not found
O20 - AppInit_DLLs: (serubifa.dll) - C:\WINDOWS\System32\serubifa.dll ()
O20 - AppInit_DLLs: (c:\windows\system32\tofanuwo.dll) - C:\WINDOWS\System32\tofanuwo.dll ()
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\Explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\!SASWinLogon: DllName - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll (SUPERAntiSpyware.com)
O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\WINDOWS\System32\igfxdev.dll (Intel Corporation)
O21 - SSODL: bizutoguf - {e60fafff-1afe-4fe9-a52f-a6f86bc03ed9} - C:\WINDOWS\System32\tofanuwo.dll ()
O21 - SSODL: foyupalel - {57c3730d-25f4-4bce-90f7-003e291221a5} - C:\WINDOWS\System32\bigivofo.dll File not found
O21 - SSODL: lorutodol - {be74266a-2ecb-42a3-9749-1a1b5a9b0cf8} - C:\WINDOWS\System32\zuhuyaba.dll File not found
O21 - SSODL: muhimesel - {18e63a55-396d-4b1c-b114-7e54c9b4cf05} - C:\WINDOWS\System32\hudiyili.dll File not found
O21 - SSODL: penimukek - {1051d8fe-66cd-4fd6-a44c-196400ba008d} - C:\WINDOWS\System32\hudiyili.dll File not found
O21 - SSODL: pezowavel - {da9cb2da-3836-4d43-bc46-5ba5a1aa129e} - C:\WINDOWS\System32\bigivofo.dll File not found
O21 - SSODL: vujigohip - {01c54dac-f2da-485e-94db-c389824e613e} - C:\WINDOWS\System32\bigivofo.dll File not found
O22 - SharedTaskScheduler: {01c54dac-f2da-485e-94db-c389824e613e} - kupuhivus - C:\WINDOWS\System32\bigivofo.dll File not found
O22 - SharedTaskScheduler: {1051d8fe-66cd-4fd6-a44c-196400ba008d} - mujuzedij - C:\WINDOWS\System32\hudiyili.dll File not found
O22 - SharedTaskScheduler: {18e63a55-396d-4b1c-b114-7e54c9b4cf05} - kupuhivus - C:\WINDOWS\System32\hudiyili.dll File not found
O22 - SharedTaskScheduler: {57c3730d-25f4-4bce-90f7-003e291221a5} - jugezatag - C:\WINDOWS\System32\bigivofo.dll File not found
O22 - SharedTaskScheduler: {be74266a-2ecb-42a3-9749-1a1b5a9b0cf8} - jugezatag - C:\WINDOWS\System32\zuhuyaba.dll File not found
O22 - SharedTaskScheduler: {da9cb2da-3836-4d43-bc46-5ba5a1aa129e} - mujuzedij - C:\WINDOWS\System32\bigivofo.dll File not found
O22 - SharedTaskScheduler: {e60fafff-1afe-4fe9-a52f-a6f86bc03ed9} - gahurihor - C:\WINDOWS\System32\tofanuwo.dll ()
O24 - Desktop Components:0 (My Current Home Page) - About:Home
O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)
O31 - SafeBoot: AlternateShell - cmd.exe
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2004/08/10 14:04:08 | 00,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2009/07/28 11:09:40 | 00,000,090 | ---- | M] () - D:\AUTORUN.INF -- [ NTFS ]
O33 - MountPoints2\D\Shell\AutoRun\command - "" = D:\setupSNK.exe -- [2008/04/14 05:42:42 | 00,028,672 | ---- | M] (Microsoft Corporation)
O34 - HKLM BootExecute: (autocheck) - File not found
O34 - HKLM BootExecute: (autochk) - C:\WINDOWS\System32\autochk.exe (Microsoft Corporation)
O34 - HKLM BootExecute: (*) - File not found
O35 - comfile [open] -- "%1" %* File not found
O35 - exefile [open] -- C:\WINDOWS\system32\pump.exe "%1" %* ()

========== Files/Folders - Created Within 30 Days ==========

[14 C:\WINDOWS\System32\*.tmp files]
[1 C:\WINDOWS\*.tmp files]
[2009/09/29 23:29:53 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\11370004
[2009/10/21 13:27:27 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\13426925
[2009/10/07 19:10:15 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\26699638
[2009/10/19 21:20:24 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\47363124
[2009/10/21 01:25:18 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\47394734
[2009/10/22 01:27:06 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\49029125
[2009/10/19 02:23:55 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\73526629
[2009/10/03 19:27:50 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\NOS
[2009/09/27 19:44:15 | 00,000,000 | RH-D | C] -- C:\Documents and Settings\Administrator\Application Data
[2009/09/28 23:18:10 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\Adobe
[2009/09/27 19:44:16 | 00,000,000 | -H-D | C] -- C:\Documents and Settings\Administrator\Application Data\GTek
[2009/09/27 19:44:16 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\Identities
[2009/09/27 19:44:16 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\InstallShield
[2009/09/29 23:39:14 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\Macromedia
[2009/09/28 22:19:02 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
[2009/09/27 19:44:15 | 00,000,000 | --SD | C] -- C:\Documents and Settings\Administrator\Application Data\Microsoft
[2009/09/30 00:04:29 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\Mozilla
[2009/09/27 19:44:15 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\Roxio
[2009/09/27 19:44:15 | 00,000,000 | -H-D | C] -- C:\Documents and Settings\Administrator\Local Settings\Application Data
[2009/09/27 19:44:15 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Local Settings\Application Data\{3248F0A6-6813-11D6-A77B-00B0D0150060}
[2009/09/27 19:44:15 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe
[2009/09/27 19:44:15 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Local Settings\Application Data\ApplicationHistory
[2009/09/27 19:44:15 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Local Settings\Application Data\BVRP Software
[2009/09/27 19:44:15 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Local Settings\Application Data\Google
[2009/09/27 19:44:15 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Local Settings\Application Data\MediaDirect
[2009/09/27 19:44:15 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft
[2009/09/30 00:04:29 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla
[2009/09/27 19:44:15 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Local Settings\Application Data\Roxio
[2009/09/27 19:44:15 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Local Settings\Application Data\SingleClick Systems
[2009/10/19 02:24:24 | 00,000,000 | ---D | C] -- C:\Program Files\AdvancedVirusRemover
[2009/09/27 19:08:33 | 00,000,000 | ---D | C] -- C:\Program Files\AntivirusPro_2010
[2009/10/03 21:31:41 | 00,000,000 | ---D | C] -- C:\Program Files\VideoLAN
[2009/10/16 19:26:15 | 00,000,000 | ---D | C] -- C:\Program Files\Windows Police Pro
[2009/10/22 06:40:58 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Desktop\bleeping
[2009/10/20 23:42:15 | 00,521,216 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.exe
[2009/10/16 19:30:44 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\schtml
[2009/09/30 23:26:52 | 00,472,064 | ---- | C] ( ) -- C:\Documents and Settings\Administrator\Desktop\RootRepeal.exe
[2009/09/30 19:02:41 | 00,167,424 | ---- | C] (Legal Corporation) -- C:\WINDOWS\System32\_scui.cpl
[2009/09/30 18:49:21 | 00,000,000 | ---D | C] -- C:\WINDOWS\Minidump
[2009/09/28 23:22:25 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\My Documents\Malware
[2009/09/27 19:44:15 | 00,000,000 | R--D | C] -- C:\Documents and Settings\Administrator\My Documents\My Videos
[2009/09/27 19:44:15 | 00,000,000 | R--D | C] -- C:\Documents and Settings\Administrator\My Documents\My Pictures
[2009/09/27 19:44:15 | 00,000,000 | R--D | C] -- C:\Documents and Settings\Administrator\My Documents\My Music
[2009/09/27 19:44:15 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\My Documents\My Google Gadgets

========== Files - Modified Within 30 Days ==========

[14 C:\WINDOWS\System32\*.tmp files]
[1 C:\WINDOWS\*.tmp files]
[2009/10/22 06:41:41 | 00,011,168 | -H-- | M] () -- C:\WINDOWS\System32\getukida
[2009/10/22 01:27:05 | 01,051,170 | -HS- | M] () -- C:\WINDOWS\System32\jelivehi.exe
[2009/10/22 01:26:37 | 00,091,648 | -HS- | M] () -- C:\WINDOWS\System32\tofanuwo.dll
[2009/10/22 01:26:36 | 00,039,424 | -HS- | M] () -- C:\WINDOWS\System32\rezizafo.dll
[2009/10/21 20:41:09 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2009/10/21 13:27:26 | 01,052,194 | -HS- | M] () -- C:\WINDOWS\System32\ralujabu.exe
[2009/10/21 13:26:09 | 00,091,136 | -HS- | M] () -- C:\WINDOWS\System32\nukubufa.dll
[2009/10/21 13:26:09 | 00,039,424 | -HS- | M] () -- C:\WINDOWS\System32\yamadeko.dll
[2009/10/21 07:48:09 | 04,240,656 | -H-- | M] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\IconCache.db
[2009/10/21 01:25:17 | 01,050,658 | -HS- | M] () -- C:\WINDOWS\System32\zapujevu.exe
[2009/10/21 01:25:06 | 00,039,424 | -HS- | M] () -- C:\WINDOWS\System32\dayiwiwu.dll
[2009/10/20 23:42:18 | 00,521,216 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.exe
[2009/10/20 23:35:34 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2009/10/20 23:33:58 | 00,019,313 | ---- | M] () -- C:\WINDOWS\System32\Config.MPF
[2009/10/20 23:19:00 | 00,000,982 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-3634047883-2941098505-1824055141-1006UA.job
[2009/10/20 13:25:05 | 00,052,736 | -HS- | M] () -- C:\WINDOWS\System32\wawupobe.dll
[2009/10/20 13:24:43 | 00,091,648 | -HS- | M] () -- C:\WINDOWS\System32\vufewuta.dll
[2009/10/20 13:24:38 | 00,039,424 | -HS- | M] () -- C:\WINDOWS\System32\sagopise.dll
[2009/10/19 21:20:23 | 01,051,170 | -HS- | M] () -- C:\WINDOWS\System32\ruyugapi.exe
[2009/10/19 21:19:40 | 00,039,424 | -HS- | M] () -- C:\WINDOWS\System32\rowabera.dll
[2009/10/19 21:19:33 | 00,090,624 | -HS- | M] () -- C:\WINDOWS\System32\sejezeni.dll
[2009/10/19 02:44:18 | 00,000,000 | ---- | M] () -- C:\WINDOWS\System32\18467.exe
[2009/10/19 02:24:21 | 00,511,488 | ---- | M] () -- C:\WINDOWS\System32\pump.exe
[2009/10/19 02:24:21 | 00,000,058 | ---- | M] () -- C:\WINDOWS\wp4.dat
[2009/10/19 02:24:21 | 00,000,001 | ---- | M] () -- C:\WINDOWS\wp3.dat
[2009/10/19 02:24:18 | 00,000,000 | ---- | M] () -- C:\WINDOWS\System32\41.exe
[2009/10/19 02:24:17 | 02,041,856 | ---- | M] () -- C:\WINDOWS\System32\AVR09.exe
[2009/10/19 02:23:54 | 01,051,170 | -HS- | M] () -- C:\WINDOWS\System32\fuzuwigi.exe
[2009/10/19 02:23:50 | 01,011,511 | -HS- | M] (Igor Pavlov) -- C:\WINDOWS\System32\soruhuma.exe
[2009/10/19 02:23:22 | 00,022,528 | ---- | M] () -- C:\WINDOWS\System32\winhelper.dll
[2009/10/19 02:23:11 | 00,039,424 | -HS- | M] () -- C:\WINDOWS\System32\kewevuro.dll
[2009/10/19 02:23:11 | 00,024,576 | -HS- | M] () -- C:\WINDOWS\System32\winupdate.exe
[2009/10/19 02:23:11 | 00,024,576 | -HS- | M] () -- C:\WINDOWS\System32\nilejonu.exe
[2009/10/19 01:22:37 | 00,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2009/10/17 12:37:59 | 01,115,785 | -HS- | M] (Igor Pavlov) -- C:\WINDOWS\System32\ledalesa.exe
[2009/10/17 12:36:59 | 00,039,424 | -HS- | M] () -- C:\WINDOWS\System32\dojisino.dll
[2009/10/17 00:40:02 | 00,539,084 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2009/10/17 00:40:02 | 00,449,682 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2009/10/17 00:40:02 | 00,080,940 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2009/10/16 20:25:59 | 01,111,915 | -HS- | M] (Igor Pavlov) -- C:\WINDOWS\System32\mijinube.exe
[2009/10/16 20:25:49 | 00,039,424 | -HS- | M] () -- C:\WINDOWS\System32\dewukobe.dll
[2009/10/16 19:27:43 | 00,287,232 | ---- | M] () -- C:\WINDOWS\svohost.exe
[2009/10/16 19:26:28 | 00,052,224 | -HS- | M] () -- C:\WINDOWS\System32\pufuniso.dll
[2009/10/16 19:26:04 | 00,039,424 | -HS- | M] () -- C:\WINDOWS\System32\jubevuto.dll
[2009/10/16 19:25:47 | 00,091,136 | -HS- | M] () -- C:\WINDOWS\System32\dukizohi.dll
[2009/10/10 11:34:13 | 01,011,119 | -HS- | M] (Igor Pavlov) -- C:\WINDOWS\System32\bizugosi.exe
[2009/10/10 11:33:29 | 00,090,624 | -HS- | M] () -- C:\WINDOWS\System32\fopinope.dll
[2009/10/10 11:33:24 | 00,039,424 | -HS- | M] () -- C:\WINDOWS\System32\hirihubi.dll
[2009/10/09 21:53:14 | 00,001,324 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2009/10/09 16:01:03 | 01,011,112 | -HS- | M] (Igor Pavlov) -- C:\WINDOWS\System32\hirihubi.exe
[2009/10/09 16:00:24 | 00,039,424 | -HS- | M] () -- C:\WINDOWS\System32\hijagolu.dll
[2009/10/09 00:30:19 | 01,011,656 | -HS- | M] (Igor Pavlov) -- C:\WINDOWS\System32\gevimasi.exe
[2009/10/09 00:30:01 | 00,039,424 | -HS- | M] () -- C:\WINDOWS\System32\hapoyuho.dll
[2009/10/07 19:10:14 | 01,050,659 | -HS- | M] () -- C:\WINDOWS\System32\guvodudi.exe
[2009/10/07 19:09:21 | 00,039,424 | -HS- | M] () -- C:\WINDOWS\System32\gomebomu.dll
[2009/10/06 14:01:48 | 00,039,424 | -HS- | M] () -- C:\WINDOWS\System32\jehodini.dll
[2009/10/05 13:42:21 | 01,047,587 | -HS- | M] () -- C:\WINDOWS\System32\fogebota.exe
[2009/10/05 13:41:39 | 00,038,912 | -HS- | M] () -- C:\WINDOWS\System32\wirimiru.dll
[2009/10/04 10:51:01 | 01,048,611 | -HS- | M] () -- C:\WINDOWS\System32\virodufe.exe
[2009/10/04 10:50:13 | 00,038,912 | -HS- | M] () -- C:\WINDOWS\System32\zogovaro.dll
[2009/10/03 20:14:29 | 01,048,099 | -HS- | M] () -- C:\WINDOWS\System32\kawolumi.exe
[2009/10/03 20:14:21 | 00,038,912 | -HS- | M] () -- C:\WINDOWS\System32\jifopufo.dll
[2009/10/02 14:55:51 | 00,052,224 | -HS- | M] () -- C:\WINDOWS\System32\takamegu.dll
[2009/10/01 21:23:43 | 00,027,136 | -HS- | M] () -- C:\WINDOWS\System32\bajajiyi.dll
[2009/10/01 21:23:41 | 00,038,912 | -HS- | M] () -- C:\WINDOWS\System32\viyezoya.dll
[2009/09/30 23:28:13 | 00,000,000 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\settings.dat
[2009/09/30 23:26:55 | 00,472,064 | ---- | M] ( ) -- C:\Documents and Settings\Administrator\Desktop\RootRepeal.exe
[2009/09/30 23:12:36 | 00,361,369 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\dds.scr
[2009/09/30 19:51:09 | 01,047,588 | -HS- | M] () -- C:\WINDOWS\System32\kulufegi.exe
[2009/09/30 19:50:18 | 00,038,400 | -HS- | M] () -- C:\WINDOWS\System32\dadutiwo.dll
[2009/09/30 19:02:51 | 00,019,293 | ---- | M] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\lacu.exe
[2009/09/30 19:02:51 | 00,018,269 | ---- | M] () -- C:\Documents and Settings\Administrator\Application Data\zode.scr
[2009/09/30 19:02:51 | 00,018,254 | ---- | M] () -- C:\WINDOWS\System32\irizowezis.exe
[2009/09/30 19:02:51 | 00,018,218 | ---- | M] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\dezoc.lib
[2009/09/30 19:02:51 | 00,017,595 | ---- | M] () -- C:\WINDOWS\System32\ligolequ.vbs
[2009/09/30 19:02:51 | 00,017,378 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\qefexere.ban
[2009/09/30 19:02:51 | 00,016,919 | ---- | M] () -- C:\Documents and Settings\Administrator\Application Data\vosacovet.bin
[2009/09/30 19:02:51 | 00,015,758 | ---- | M] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\ohyhyfohox.bat
[2009/09/30 19:02:51 | 00,014,689 | ---- | M] () -- C:\Program Files\Common Files\ypatiweluz.sys
[2009/09/30 19:02:51 | 00,014,333 | ---- | M] () -- C:\Documents and Settings\All Users\Documents\osyru.bat
[2009/09/30 19:02:51 | 00,013,905 | ---- | M] () -- C:\WINDOWS\hytylabe.pif
[2009/09/30 19:02:51 | 00,013,875 | ---- | M] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\zonafije.vbs
[2009/09/30 19:02:51 | 00,011,725 | ---- | M] () -- C:\Program Files\Common Files\hywidig.inf
[2009/09/30 19:02:51 | 00,011,155 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\iveripu.pif
[2009/09/30 19:02:51 | 00,010,366 | ---- | M] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\adofeqypi.sys
[2009/09/30 19:02:51 | 00,010,210 | ---- | M] () -- C:\WINDOWS\qepelowak.dl
[2009/09/30 19:02:44 | 00,167,424 | ---- | M] (Legal Corporation) -- C:\WINDOWS\System32\_scui.cpl
[2009/09/30 18:50:41 | 00,050,688 | -HS- | M] () -- C:\WINDOWS\System32\yuwowijo.dll
[2009/09/30 18:50:29 | 00,039,424 | -HS- | M] () -- C:\WINDOWS\System32\kihulolu.dll
[2009/09/29 23:39:08 | 00,001,848 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\Total Security 2009.lnk
[2009/09/29 23:29:52 | 01,082,404 | -HS- | M] () -- C:\WINDOWS\System32\sedehobi.exe
[2009/09/29 23:28:51 | 00,091,136 | -HS- | M] () -- C:\WINDOWS\System32\gumapoke.dll
[2009/09/29 23:28:48 | 00,039,424 | -HS- | M] () -- C:\WINDOWS\System32\visoziyo.dll
[2009/09/28 23:10:06 | 00,053,248 | -HS- | M] () -- C:\WINDOWS\System32\pologodi.dll
[2009/09/28 23:09:39 | 00,037,888 | -HS- | M] () -- C:\WINDOWS\System32\sunasuyu.dll
[2009/09/27 19:08:47 | 00,019,555 | ---- | M] () -- C:\Program Files\Common Files\owoqeveq.vbs
[2009/09/27 19:08:47 | 00,019,341 | ---- | M] () -- C:\WINDOWS\akufexiqeh.lib
[2009/09/27 19:08:47 | 00,018,875 | ---- | M] () -- C:\Program Files\Common Files\ixugo.db
[2009/09/27 19:08:47 | 00,018,862 | ---- | M] () -- C:\WINDOWS\ejomoba.inf
[2009/09/27 19:08:47 | 00,018,602 | ---- | M] () -- C:\WINDOWS\System32\mutitopeq.db
[2009/09/27 19:08:47 | 00,016,621 | ---- | M] () -- C:\WINDOWS\System32\exypi.pif
[2009/09/27 19:08:47 | 00,016,162 | ---- | M] () -- C:\WINDOWS\System32\tovunidav.bin
[2009/09/27 19:08:47 | 00,015,798 | ---- | M] () -- C:\Program Files\Common Files\upuvol.pif
[2009/09/27 19:08:47 | 00,014,411 | ---- | M] () -- C:\WINDOWS\System32\ykybykyk.lib
[2009/09/27 19:08:47 | 00,014,069 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\qozyquj.com
[2009/09/27 19:08:47 | 00,013,553 | ---- | M] () -- C:\WINDOWS\ekelam._sy
[2009/09/27 19:08:47 | 00,013,236 | ---- | M] () -- C:\WINDOWS\ujaj.ban
[2009/09/27 19:08:47 | 00,013,000 | ---- | M] () -- C:\WINDOWS\giqu.db
[2009/09/27 19:08:47 | 00,011,179 | ---- | M] () -- C:\WINDOWS\nubykypuv.com
[2009/09/27 19:08:47 | 00,010,331 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\odajolyb.exe
[2009/09/27 19:08:47 | 00,010,157 | ---- | M] () -- C:\Program Files\Common Files\itudazut.bin
[2009/09/27 19:08:47 | 00,010,048 | ---- | M] () -- C:\Documents and Settings\All Users\Documents\vyxesulyf.scr
[2009/09/27 19:00:40 | 00,000,046 | ---- | M] () -- C:\p2hhr.bat
[2009/09/27 19:00:36 | 00,044,970 | -HS- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dipafibu.exe
[2009/09/27 19:00:29 | 00,156,672 | ---- | M] () -- C:\vfulg.exe
[2009/09/27 19:00:27 | 00,037,376 | -HS- | M] () -- C:\WINDOWS\System32\yufiyasi.dll
[2009/09/27 19:00:23 | 00,005,632 | ---- | M] () -- C:\rlswn.exe
[2009/09/27 19:00:18 | 00,104,448 | ---- | M] () -- C:\mqhimp.exe
[2009/09/27 19:00:12 | 00,019,456 | ---- | M] () -- C:\xrwy.exe
[2009/09/27 19:00:11 | 00,039,424 | ---- | M] () -- C:\rmeprraf.exe
[2009/09/27 19:00:08 | 00,049,152 | ---- | M] () -- C:\yonm.exe
[2009/09/26 21:18:00 | 00,000,930 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-3634047883-2941098505-1824055141-1006Core.job

========== Files - No Company Name ==========
[2099/01/01 12:00:00 | 00,011,168 | -H-- | C] () -- C:\WINDOWS\System32\getukida
[2009/10/19 02:44:18 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\18467.exe
[2009/10/19 02:24:18 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\41.exe
[2009/10/19 02:23:22 | 02,041,856 | ---- | C] () -- C:\WINDOWS\System32\AVR09.exe
[2009/10/19 02:23:20 | 00,022,528 | ---- | C] () -- C:\WINDOWS\System32\winhelper.dll
[2009/10/19 02:23:14 | 00,024,576 | -HS- | C] () -- C:\WINDOWS\System32\winupdate.exe
[2009/10/16 19:27:43 | 00,511,488 | ---- | C] () -- C:\WINDOWS\System32\pump.exe
[2009/10/16 19:27:43 | 00,287,232 | ---- | C] () -- C:\WINDOWS\svohost.exe
[2009/10/16 19:27:43 | 00,000,058 | ---- | C] () -- C:\WINDOWS\wp4.dat
[2009/10/16 19:27:43 | 00,000,001 | ---- | C] () -- C:\WINDOWS\wp3.dat
[2009/09/30 23:28:13 | 00,000,000 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\settings.dat
[2009/09/30 23:12:34 | 00,361,369 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\dds.scr
[2009/09/30 19:02:51 | 00,019,293 | ---- | C] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\lacu.exe
[2009/09/30 19:02:51 | 00,018,269 | ---- | C] () -- C:\Documents and Settings\Administrator\Application Data\zode.scr
[2009/09/30 19:02:51 | 00,018,254 | ---- | C] () -- C:\WINDOWS\System32\irizowezis.exe
[2009/09/30 19:02:51 | 00,018,218 | ---- | C] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\dezoc.lib
[2009/09/30 19:02:51 | 00,017,595 | ---- | C] () -- C:\WINDOWS\System32\ligolequ.vbs
[2009/09/30 19:02:51 | 00,017,378 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\qefexere.ban
[2009/09/30 19:02:51 | 00,016,919 | ---- | C] () -- C:\Documents and Settings\Administrator\Application Data\vosacovet.bin
[2009/09/30 19:02:51 | 00,015,758 | ---- | C] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\ohyhyfohox.bat
[2009/09/30 19:02:51 | 00,014,689 | ---- | C] () -- C:\Program Files\Common Files\ypatiweluz.sys
[2009/09/30 19:02:51 | 00,014,333 | ---- | C] () -- C:\Documents and Settings\All Users\Documents\osyru.bat
[2009/09/30 19:02:51 | 00,013,905 | ---- | C] () -- C:\WINDOWS\hytylabe.pif
[2009/09/30 19:02:51 | 00,013,875 | ---- | C] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\zonafije.vbs
[2009/09/30 19:02:51 | 00,011,725 | ---- | C] () -- C:\Program Files\Common Files\hywidig.inf
[2009/09/30 19:02:51 | 00,011,155 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\iveripu.pif
[2009/09/30 19:02:51 | 00,010,366 | ---- | C] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\adofeqypi.sys
[2009/09/30 19:02:51 | 00,010,210 | ---- | C] () -- C:\WINDOWS\qepelowak.dl
[2009/09/29 23:39:08 | 00,001,848 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\Total Security 2009.lnk
[2009/09/27 19:44:18 | 00,000,062 | -HS- | C] () -- C:\Documents and Settings\Administrator\Application Data\desktop.ini
[2009/09/27 19:44:16 | 04,240,656 | -H-- | C] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\IconCache.db
[2009/09/27 19:44:16 | 00,044,976 | ---- | C] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
[2009/09/27 19:08:47 | 00,019,555 | ---- | C] () -- C:\Program Files\Common Files\owoqeveq.vbs
[2009/09/27 19:08:47 | 00,019,341 | ---- | C] () -- C:\WINDOWS\akufexiqeh.lib
[2009/09/27 19:08:47 | 00,018,875 | ---- | C] () -- C:\Program Files\Common Files\ixugo.db
[2009/09/27 19:08:47 | 00,018,862 | ---- | C] () -- C:\WINDOWS\ejomoba.inf
[2009/09/27 19:08:47 | 00,018,602 | ---- | C] () -- C:\WINDOWS\System32\mutitopeq.db
[2009/09/27 19:08:47 | 00,016,621 | ---- | C] () -- C:\WINDOWS\System32\exypi.pif
[2009/09/27 19:08:47 | 00,016,162 | ---- | C] () -- C:\WINDOWS\System32\tovunidav.bin
[2009/09/27 19:08:47 | 00,015,798 | ---- | C] () -- C:\Program Files\Common Files\upuvol.pif
[2009/09/27 19:08:47 | 00,014,411 | ---- | C] () -- C:\WINDOWS\System32\ykybykyk.lib
[2009/09/27 19:08:47 | 00,014,069 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\qozyquj.com
[2009/09/27 19:08:47 | 00,013,553 | ---- | C] () -- C:\WINDOWS\ekelam._sy
[2009/09/27 19:08:47 | 00,013,236 | ---- | C] () -- C:\WINDOWS\ujaj.ban
[2009/09/27 19:08:47 | 00,013,000 | ---- | C] () -- C:\WINDOWS\giqu.db
[2009/09/27 19:08:47 | 00,011,179 | ---- | C] () -- C:\WINDOWS\nubykypuv.com
[2009/09/27 19:08:47 | 00,010,331 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\odajolyb.exe
[2009/09/27 19:08:47 | 00,010,157 | ---- | C] () -- C:\Program Files\Common Files\itudazut.bin
[2009/09/27 19:08:47 | 00,010,048 | ---- | C] () -- C:\Documents and Settings\All Users\Documents\vyxesulyf.scr
[2009/09/27 19:00:40 | 00,000,046 | ---- | C] () -- C:\p2hhr.bat
[2009/09/27 19:00:22 | 00,156,672 | ---- | C] () -- C:\vfulg.exe
[2009/09/27 19:00:22 | 00,005,632 | ---- | C] () -- C:\rlswn.exe
[2009/09/27 19:00:13 | 00,104,448 | ---- | C] () -- C:\mqhimp.exe
[2009/09/27 19:00:11 | 00,019,456 | ---- | C] () -- C:\xrwy.exe
[2009/09/27 19:00:08 | 00,039,424 | ---- | C] () -- C:\rmeprraf.exe
[2009/09/27 19:00:05 | 00,049,152 | ---- | C] () -- C:\yonm.exe
[2009/07/22 01:26:33 | 00,091,648 | -HS- | C] () -- C:\WINDOWS\System32\tofanuwo.dll
[2009/07/22 01:26:33 | 00,039,424 | -HS- | C] () -- C:\WINDOWS\System32\rezizafo.dll
[2009/07/21 13:26:07 | 00,091,136 | -HS- | C] () -- C:\WINDOWS\System32\nukubufa.dll
[2009/07/21 13:26:07 | 00,039,424 | -HS- | C] () -- C:\WINDOWS\System32\yamadeko.dll
[2009/07/21 01:25:05 | 00,039,424 | -HS- | C] () -- C:\WINDOWS\System32\dayiwiwu.dll
[2009/07/20 13:25:39 | 00,052,736 | -HS- | C] () -- C:\WINDOWS\System32\serubifa.dll
[2009/07/20 13:25:39 | 00,052,736 | -HS- | C] () -- C:\WINDOWS\System32\linoseku.dll
[2009/07/20 13:25:39 | 00,052,736 | -HS- | C] () -- C:\WINDOWS\System32\jehofoku.dll
[2009/07/20 13:24:36 | 00,039,424 | -HS- | C] () -- C:\WINDOWS\System32\sagopise.dll
[2009/07/20 13:24:35 | 00,091,648 | -HS- | C] () -- C:\WINDOWS\System32\vufewuta.dll
[2009/07/20 13:24:33 | 00,052,736 | -HS- | C] () -- C:\WINDOWS\System32\wawupobe.dll
[2009/07/19 21:19:30 | 00,039,424 | -HS- | C] () -- C:\WINDOWS\System32\rowabera.dll
[2009/07/19 21:19:26 | 00,090,624 | -HS- | C] () -- C:\WINDOWS\System32\sejezeni.dll
[2009/07/19 02:23:09 | 00,039,424 | -HS- | C] () -- C:\WINDOWS\System32\kewevuro.dll
[2009/07/17 12:36:57 | 00,039,424 | -HS- | C] () -- C:\WINDOWS\System32\dojisino.dll
[2009/07/16 20:25:48 | 00,039,424 | -HS- | C] () -- C:\WINDOWS\System32\dewukobe.dll
[2009/07/16 19:25:54 | 00,052,224 | -HS- | C] () -- C:\WINDOWS\System32\pufuniso.dll
[2009/07/16 19:25:45 | 00,091,136 | -HS- | C] () -- C:\WINDOWS\System32\dukizohi.dll
[2009/07/16 19:25:45 | 00,039,424 | -HS- | C] () -- C:\WINDOWS\System32\jubevuto.dll
[2009/07/10 11:33:20 | 00,090,624 | -HS- | C] () -- C:\WINDOWS\System32\fopinope.dll
[2009/07/10 11:33:20 | 00,039,424 | -HS- | C] () -- C:\WINDOWS\System32\hirihubi.dll
[2009/07/09 16:00:23 | 00,039,424 | -HS- | C] () -- C:\WINDOWS\System32\hijagolu.dll
[2009/07/09 00:29:59 | 00,039,424 | -HS- | C] () -- C:\WINDOWS\System32\hapoyuho.dll
[2009/07/07 19:09:20 | 00,039,424 | -HS- | C] () -- C:\WINDOWS\System32\gomebomu.dll
[2009/07/06 14:01:46 | 00,039,424 | -HS- | C] () -- C:\WINDOWS\System32\jehodini.dll
[2009/07/05 13:41:37 | 00,038,912 | -HS- | C] () -- C:\WINDOWS\System32\wirimiru.dll
[2009/07/04 10:50:12 | 00,038,912 | -HS- | C] () -- C:\WINDOWS\System32\zogovaro.dll
[2009/07/03 20:14:18 | 00,038,912 | -HS- | C] () -- C:\WINDOWS\System32\jifopufo.dll
[2009/07/02 14:55:19 | 00,052,224 | -HS- | C] () -- C:\WINDOWS\System32\takamegu.dll
[2009/07/01 21:23:41 | 00,027,136 | -HS- | C] () -- C:\WINDOWS\System32\bajajiyi.dll
[2009/07/01 21:23:40 | 00,038,912 | -HS- | C] () -- C:\WINDOWS\System32\viyezoya.dll
[2009/06/30 19:50:17 | 00,038,400 | -HS- | C] () -- C:\WINDOWS\System32\dadutiwo.dll
[2009/06/30 18:50:13 | 00,039,424 | -HS- | C] () -- C:\WINDOWS\System32\kihulolu.dll
[2009/06/30 18:50:10 | 00,050,688 | -HS- | C] () -- C:\WINDOWS\System32\yuwowijo.dll
[2009/06/29 23:28:47 | 00,091,136 | -HS- | C] () -- C:\WINDOWS\System32\gumapoke.dll
[2009/06/29 23:28:47 | 00,039,424 | -HS- | C] () -- C:\WINDOWS\System32\visoziyo.dll
[2009/06/28 23:09:38 | 00,037,888 | -HS- | C] () -- C:\WINDOWS\System32\sunasuyu.dll
[2009/06/28 23:09:35 | 00,053,248 | -HS- | C] () -- C:\WINDOWS\System32\pologodi.dll
[2009/06/27 19:00:25 | 00,050,176 | -HS- | C] () -- C:\WINDOWS\System32\dehaseha.dll
[2009/06/27 19:00:25 | 00,037,376 | -HS- | C] () -- C:\WINDOWS\System32\yufiyasi.dll
[2009/01/08 00:25:39 | 00,001,214 | ---- | C] () -- C:\WINDOWS\prov.ini
[2008/08/10 00:35:10 | 00,765,952 | ---- | C] () -- C:\WINDOWS\System32\xvidcore.dll
[2008/08/10 00:35:10 | 00,180,224 | ---- | C] () -- C:\WINDOWS\System32\xvidvfw.dll
[2008/08/05 16:58:56 | 00,000,006 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\DragToDiscUserNameE.txt
[2008/01/25 17:43:08 | 00,000,025 | ---- | C] () -- C:\WINDOWS\cdplayer.ini
[2008/01/15 23:17:44 | 00,056,056 | ---- | C] () -- C:\WINDOWS\System32\DLAAPI_W.DLL
[2008/01/08 14:49:40 | 00,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2008/01/08 14:45:05 | 00,000,859 | ---- | C] () -- C:\WINDOWS\{0240BDFB-2995-4A3F-8C96-18D41282B716}_WiseFW.ini
[2008/01/08 14:43:07 | 00,198,144 | ---- | C] () -- C:\WINDOWS\System32\_psisdecd.dll
[2008/01/08 14:42:35 | 00,000,275 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2008/01/08 14:34:24 | 00,139,264 | ---- | C] () -- C:\WINDOWS\System32\preflib.dll
[2008/01/08 14:34:21 | 00,753,664 | ---- | C] () -- C:\WINDOWS\System32\bcm1xsup.dll
[2008/01/08 14:06:55 | 00,910,304 | ---- | C] () -- C:\WINDOWS\System32\igmedkrn.dll
[2008/01/08 14:06:55 | 00,204,800 | ---- | C] () -- C:\WINDOWS\System32\igfxCoIn_v4831.dll
[2008/01/08 14:06:53 | 00,016,480 | ---- | C] () -- C:\WINDOWS\System32\rixdicon.dll
[2008/01/08 14:04:54 | 00,001,118 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.INI
[2007/10/31 10:39:54 | 00,059,904 | ---- | C] () -- C:\WINDOWS\System32\zlib1.dll
[2007/08/06 18:22:15 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\px.ini
[2007/05/17 14:58:10 | 00,143,360 | ---- | C] () -- C:\WINDOWS\System32\libexpatw.dll
[2006/09/17 00:36:50 | 00,520,192 | ---- | C] () -- C:\WINDOWS\System32\CddbPlaylist2Roxio.dll
[2006/09/17 00:36:50 | 00,204,800 | ---- | C] () -- C:\WINDOWS\System32\CddbFileTaggerRoxio.dll
[2005/12/07 12:31:00 | 00,202,752 | R--- | C] () -- C:\WINDOWS\System32\CddbCdda.dll
[2004/08/10 14:12:05 | 00,000,780 | ---- | C] () -- C:\WINDOWS\orun32.ini
[2004/08/10 14:01:18 | 00,001,793 | ---- | C] () -- C:\WINDOWS\System32\fxsperf.ini
[2004/08/10 13:57:41 | 00,000,062 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\desktop.ini
[2004/08/10 13:51:28 | 00,000,507 | ---- | C] () -- C:\WINDOWS\win.ini
[2004/08/10 13:51:26 | 00,000,227 | ---- | C] () -- C:\WINDOWS\system.ini

========== Alternate Data Streams ==========

@Alternate Data Stream - 113 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:62E2D794
< End of report >


============ End ===============

Regards,
Khalil Ahamed

#7 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,774 posts
  • Gender:Female
  • Location:At home
  • Local time:04:35 AM

Posted 28 October 2009 - 07:25 AM

Hi,

Please run the following two tools. Malwarebytes should remove the main part of the infection. RootRepeal will check for further infections.

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
If you have a previous version of MBAM, remove it via Add/Remove Programs and download a fresh copy.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself.
  • Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install. Alternatively, you can update through MBAM's interface from a clean computer, copy the definitions (rules.ref) located in C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware from that system to a usb stick or CD and then copy it to the infected machine.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Whether or not you are prompted to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you after scanning with MBAM. Please temporarily disable such programs or permit them to allow the changes.
  • Download RootRepeal from the following location and save it to your desktop.
  • Extract the contents of RootRepeal.zip, to your desktop.
  • Double click RootRepeal.exe on your desktop.
  • Click on the Report tab, then click Scan.
  • Check all seven boxes:
    Drivers
    Files
    Processes
    SSDT
    Stealth Objects
    Hidden Services
    Shadow SSDT
  • Click Ok
  • Check the box for your main system drive (Usually C:), and press Ok.
  • Allow RootRepeal to run a scan of your system. This may take some time.
  • Once the scan completes, Click the Save Report button. Save the log as RootRepeal.txt and post it in your next reply.
Please post back both logs in your next reply.

regards _temp_

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

#8 khalil ahamed

khalil ahamed
  • Topic Starter

  • Members
  • 37 posts
  • Local time:10:35 PM

Posted 31 October 2009 - 01:38 AM

Hi,

Please find below the following two scan reports:

1. Malwarebytes scan report
2. RootRepeal scan report


Malwarebytes Scan Report
========================
Malwarebytes' Anti-Malware 1.41
Database version: 3051
Windows 5.1.2600 Service Pack 3 (Safe Mode)

10/31/2009 12:52:41 AM
mbam-log-2009-10-31 (00-52-41).txt

Scan type: Quick Scan
Objects scanned: 122060
Time elapsed: 7 minute(s), 6 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 5
Registry Keys Infected: 2
Registry Values Infected: 6
Registry Data Items Infected: 5
Folders Infected: 1
Files Infected: 10

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
c:\WINDOWS\system32\yitidena.dll (Trojan.Vundo) -> Delete on reboot.
c:\WINDOWS\system32\zaworido.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\lugesate.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\zuhuyaba.dll (Trojan.Vundo) -> Delete on reboot.
\\?\globalroot\systemroot\system32\gasfkyevxvkbdi.dll (Rootkit.TDSS) -> Delete on reboot.

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{253a8bae-b80b-40e5-8583-d719de6ade46} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{c36b169c-d72f-4415-8489-8cbd18ae8452} (Trojan.Vundo.H) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wuvemijah (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\66762532 (Rogue.Multiple.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{253a8bae-b80b-40e5-8583-d719de6ade46} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\wopamoyov (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{c36b169c-d72f-4415-8489-8cbd18ae8452} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\yalezipow (Trojan.Vundo.H) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo) -> Data: c:\windows\system32\yitidena.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo) -> Data: system32\yitidena.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: c:\windows\system32\zaworido.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: system32\zaworido.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
C:\Documents and Settings\All Users\Application Data\66762532 (Rogue.Multiple.H) -> Quarantined and deleted successfully.

Files Infected:
c:\WINDOWS\system32\zaworido.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\Documents and Settings\All Users\Application Data\66762532\66762532.bat (Rogue.Multiple.H) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\66762532\66762532.exe (Rogue.Multiple.H) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\yitidena.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\lugesate.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\zuhuyaba.dll (Trojan.Vundo) -> Delete on reboot.
\\?\globalroot\systemroot\system32\gasfkyevxvkbdi.dll (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\genakoso.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\jipafofa.exe (Rogue.SystemSecurity) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wokoguri.dll (Trojan.Vundo) -> Quarantined and deleted successfully.


RootRepeal Scan Report
======================
ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/10/31 01:24
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xB9EE1000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF79BD000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xB961B000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: Volume C:\
Status: MBR Rootkit Detected!

Path: Volume C:\, Sector 1
Status: Sector mismatch

Path: Volume C:\, Sector 2
Status: Sector mismatch

Path: Volume C:\, Sector 3
Status: Sector mismatch

Path: Volume C:\, Sector 4
Status: Sector mismatch

Path: Volume C:\, Sector 5
Status: Sector mismatch

Path: Volume C:\, Sector 6
Status: Sector mismatch

Path: Volume C:\, Sector 7
Status: Sector mismatch

Path: Volume C:\, Sector 8
Status: Sector mismatch

Path: Volume C:\, Sector 9
Status: Sector mismatch

Path: Volume C:\, Sector 10
Status: Sector mismatch

Path: Volume C:\, Sector 11
Status: Sector mismatch

Path: Volume C:\, Sector 12
Status: Sector mismatch

Path: Volume C:\, Sector 13
Status: Sector mismatch

Path: Volume C:\, Sector 14
Status: Sector mismatch

Path: Volume C:\, Sector 15
Status: Sector mismatch

Path: Volume C:\, Sector 16
Status: Sector mismatch

Path: Volume C:\, Sector 17
Status: Sector mismatch

Path: Volume C:\, Sector 18
Status: Sector mismatch

Path: Volume C:\, Sector 19
Status: Sector mismatch

Path: Volume C:\, Sector 20
Status: Sector mismatch

Path: Volume C:\, Sector 21
Status: Sector mismatch

Path: Volume C:\, Sector 22
Status: Sector mismatch

Path: Volume C:\, Sector 23
Status: Sector mismatch

Path: Volume C:\, Sector 24
Status: Sector mismatch

Path: Volume C:\, Sector 25
Status: Sector mismatch

Path: Volume C:\, Sector 26
Status: Sector mismatch

Path: Volume C:\, Sector 27
Status: Sector mismatch

Path: Volume C:\, Sector 28
Status: Sector mismatch

Path: Volume C:\, Sector 29
Status: Sector mismatch

Path: Volume C:\, Sector 30
Status: Sector mismatch

Path: Volume C:\, Sector 31
Status: Sector mismatch

Path: Volume C:\, Sector 32
Status: Sector mismatch

Path: Volume C:\, Sector 33
Status: Sector mismatch

Path: Volume C:\, Sector 34
Status: Sector mismatch

Path: Volume C:\, Sector 35
Status: Sector mismatch

Path: Volume C:\, Sector 36
Status: Sector mismatch

Path: Volume C:\, Sector 37
Status: Sector mismatch

Path: Volume C:\, Sector 38
Status: Sector mismatch

Path: Volume C:\, Sector 39
Status: Sector mismatch

Path: Volume C:\, Sector 40
Status: Sector mismatch

Path: Volume C:\, Sector 41
Status: Sector mismatch

Path: Volume C:\, Sector 42
Status: Sector mismatch

Path: Volume C:\, Sector 43
Status: Sector mismatch

Path: Volume C:\, Sector 44
Status: Sector mismatch

Path: Volume C:\, Sector 45
Status: Sector mismatch

Path: Volume C:\, Sector 46
Status: Sector mismatch

Path: Volume C:\, Sector 47
Status: Sector mismatch

Path: Volume C:\, Sector 48
Status: Sector mismatch

Path: Volume C:\, Sector 49
Status: Sector mismatch

Path: Volume C:\, Sector 50
Status: Sector mismatch

Path: Volume C:\, Sector 51
Status: Sector mismatch

Path: Volume C:\, Sector 52
Status: Sector mismatch

Path: Volume C:\, Sector 55
Status: Sector mismatch

Path: Volume C:\, Sector 56
Status: Sector mismatch

Path: Volume C:\, Sector 57
Status: Sector mismatch

Path: Volume C:\, Sector 58
Status: Sector mismatch

Path: Volume C:\, Sector 59
Status: Sector mismatch

Path: Volume C:\, Sector 60
Status: Sector mismatch

Path: Volume C:\, Sector 61
Status: Sector mismatch

Path: Volume C:\, Sector 62
Status: Sector mismatch

Path: C:\WINDOWS\system32\gasfkybnmtalkd.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\gasfkyevxvkbdi.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\gasfkyiqjgexou.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\gasfkyqxxnopxm.dat
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\gasfkysiwqwmiv.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\gasfkywyktlemo.dat
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\gasfkyymaxrsth.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\gasfkynntikwsppy.tmp
Status: Invisible to the Windows API!

Path: c:\windows\temp\sqlite_rfpawwimjzantpk
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: C:\WINDOWS\Temp\gasfkynofteismnu.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\gasfkypethxvccrg.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\gasfkyqbnenbdipc.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\gasfkyqrxnsajikb.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\gasfkyrnjtdwqxon.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\gasfkyrpvouqfwby.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\gasfkyswhfuflbyg.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\gasfkytimbdribcc.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\gasfkytpecvkorap.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\gasfkyvbqhxyrilq.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\gasfkyvjkqibisjw.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\gasfkyxgyunefobm.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\gasfkyxnmhqpftht.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\gasfkyycicrppbwu.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\gasfkyygracrpast.tmp
Status: Invisible to the Windows API!

Path: c:\windows\temp\sqlite_imavfnibkh7xwe5
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: C:\WINDOWS\Temp\gasfkyabvpdrtcre.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\gasfkybymxnoside.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\gasfkychtspexfpy.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\gasfkycpisribkmq.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\gasfkyeyxuspibto.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\gasfkygaikbcrpti.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\gasfkyibkqercnct.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\gasfkyjdpbartfro.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\gasfkykbtiqnevms.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\gasfkykmrfntijjw.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\gasfkymqeadftibi.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\gasfkymybdibcepy.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\drivers\gasfkyvxepxexm.sys
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\basha\Local Settings\Apps\2.0\6Z7Z3MTO.OZM\8YQPOPDJ.OKP\manifests\clickonce_bootstrap.exe.cdf-ms
Status: Locked to the Windows API!

Path: C:\Documents and Settings\basha\Local Settings\Apps\2.0\6Z7Z3MTO.OZM\8YQPOPDJ.OKP\manifests\clickonce_bootstrap.exe.manifest
Status: Locked to the Windows API!

Stealth Objects
-------------------
Object: Hidden Module [Name: gasfkybnmtalkd.dll]
Process: svchost.exe (PID: 1212) Address: 0x00a00000 Size: 53248

Hidden Services
-------------------
Service Name: gasfkylvrbejwq
Image Path: C:\WINDOWS\system32\drivers\gasfkyvxepxexm.sys

==EOF==



Regards,
Khalil Ahamed

#9 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,774 posts
  • Gender:Female
  • Location:At home
  • Local time:04:35 AM

Posted 31 October 2009 - 09:43 AM

Hi,

You have caught a rootkit, which we will try to remove with ComboFix:
Please download ComboFix from one of these locations:

Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Temporarily disable your AntiVirus and AntiSpyware applications. They may otherwise interfere with our tools.
    Usually this can be done via a right click on the System Tray icon, check this tutorial for disabling the most common security programs: Link

  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

[image]


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

[image]


Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


If you need help, see this link:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

regards _temp_

is that a bird? a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 



#10 khalil ahamed

khalil ahamed
  • Topic Starter

  • Members
  • 37 posts
  • Local time:10:35 PM

Posted 02 November 2009 - 07:35 PM

Hi,

I just moved to a new apt. I need to apply for internet service in this apt. Once I get the internet service at home I'll follow the steps you have mentioned and will send you the log.

Please don't close this thread if there is a delay of a few days from my side.

Regards,
Khalil Ahamed

#11 khalil ahamed

khalil ahamed
  • Topic Starter

  • Members
  • 37 posts
  • Local time:10:35 PM

Posted 05 November 2009 - 09:53 PM

Hi,

Below is the ComboFix report:

log.txt
====


ComboFix 09-11-05.01 - Administrator 11/05/2009 20:37.1.2 - NTFSx86 NETWORK
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2038.1780 [GMT -6:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Administrator\Cookies\gytadi.reg
c:\documents and settings\Administrator\Cookies\opobi.db
c:\documents and settings\Administrator\Local Settings\Application Data\ohyhyfohox.bat
c:\documents and settings\Administrator\Local Settings\Application Data\zonafije.vbs
c:\documents and settings\Administrator\Local Settings\Temporary Internet Files\zenep.bat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\documents and settings\All Users\Documents\osyru.bat
c:\documents and settings\basha\Application Data\iniasd.txt
c:\documents and settings\basha\Application Data\qilokitu.vbs
c:\documents and settings\basha\Local Settings\Temporary Internet Files\adel.vbs
c:\documents and settings\basha\Local Settings\Temporary Internet Files\okifeqofi.com
c:\documents and settings\basha\Local Settings\Temporary Internet Files\yteqevi.dat
C:\p2hhr.bat
c:\program files\Common Files\hywidig.inf
c:\program files\Common Files\owoqeveq.vbs
c:\windows\ejomoba.inf
c:\windows\ekelam._sy
c:\windows\system32\18467.exe
c:\windows\system32\41.exe
c:\windows\system32\bajajiyi.dll
c:\windows\system32\drivers\gasfkyvxepxexm.sys
c:\windows\system32\gasfkybnmtalkd.dll
c:\windows\system32\gasfkyevxvkbdi.dll
c:\windows\system32\gasfkyiqjgexou.dll
c:\windows\system32\gasfkyqxxnopxm.dat
c:\windows\system32\gasfkysiwqwmiv.dll
c:\windows\system32\gasfkywyktlemo.dat
c:\windows\system32\gasfkyymaxrsth.dll
c:\windows\system32\gumapoke.dll
c:\windows\system32\jukajeyi.dll
c:\windows\system32\ligolequ.vbs
c:\windows\system32\lugesate.dll
c:\windows\system32\pidagimu.dll
c:\windows\system32\schtml
c:\windows\system32\schtml\dbsinit.exe
c:\windows\system32\schtml\images\i1.gif
c:\windows\system32\schtml\images\i2.gif
c:\windows\system32\schtml\images\i3.gif
c:\windows\system32\schtml\images\j1.gif
c:\windows\system32\schtml\images\j2.gif
c:\windows\system32\schtml\images\j3.gif
c:\windows\system32\schtml\images\jj1.gif
c:\windows\system32\schtml\images\jj2.gif
c:\windows\system32\schtml\images\jj3.gif
c:\windows\system32\schtml\images\l1.gif
c:\windows\system32\schtml\images\l2.gif
c:\windows\system32\schtml\images\l3.gif
c:\windows\system32\schtml\images\pix.gif
c:\windows\system32\schtml\images\t1.gif
c:\windows\system32\schtml\images\t2.gif
c:\windows\system32\schtml\images\up1.gif
c:\windows\system32\schtml\images\up2.gif
c:\windows\system32\schtml\images\w1.gif
c:\windows\system32\schtml\images\w11.gif
c:\windows\system32\schtml\images\w2.gif
c:\windows\system32\schtml\images\w3.gif
c:\windows\system32\schtml\images\w3.jpg
c:\windows\system32\schtml\images\word.doc
c:\windows\system32\schtml\images\wt1.gif
c:\windows\system32\schtml\images\wt2.gif
c:\windows\system32\schtml\images\wt3.gif
c:\windows\system32\schtml\wispex.html
c:\windows\system32\wbem\proquota.exe
c:\windows\system32\zuhuyaba.dll
D:\Autorun.inf

----- BITS: Possible infected sites -----

hxxp://77.74.48.101
c:\windows\system32\proquota.exe was missing
Restored copy from - c:\windows\ServicePackFiles\i386\proquota.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_gasfkylvrbejwq


((((((((((((((((((((((((( Files Created from 2009-10-06 to 2009-11-06 )))))))))))))))))))))))))))))))
.

2009-11-06 02:43 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\proquota.exe
2009-10-29 05:20 . 2009-09-10 19:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-29 05:20 . 2009-10-29 05:20 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-29 05:20 . 2009-09-10 19:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-10 02:47 . 2009-10-10 02:51 -------- d-----w- c:\documents and settings\basha\Application Data\vlc

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-10 02:53 . 2008-01-23 06:15 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2009-10-04 02:31 . 2009-10-04 02:31 -------- d-----w- c:\program files\VideoLAN
2009-10-04 00:34 . 2009-10-04 00:27 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-10-01 00:02 . 2009-10-01 00:02 19293 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\lacu.exe
2009-10-01 00:02 . 2009-10-01 00:02 18269 ----a-w- c:\documents and settings\Administrator\Application Data\zode.scr
2009-10-01 00:02 . 2009-10-01 00:02 18269 ----a-w- c:\documents and settings\Administrator\Application Data\zode.scr
2009-10-01 00:02 . 2009-10-01 00:02 18254 ----a-w- c:\windows\system32\irizowezis.exe
2009-10-01 00:02 . 2009-10-01 00:02 16919 ----a-w- c:\documents and settings\Administrator\Application Data\vosacovet.bin
2009-10-01 00:02 . 2009-10-01 00:02 14689 ----a-w- c:\program files\Common Files\ypatiweluz.sys
2009-10-01 00:02 . 2009-10-01 00:02 13905 ----a-w- c:\windows\hytylabe.pif
2009-10-01 00:02 . 2009-10-01 00:02 11155 ----a-w- c:\documents and settings\All Users\Application Data\iveripu.pif
2009-10-01 00:02 . 2009-10-01 00:02 11155 ----a-w- c:\documents and settings\All Users\Application Data\iveripu.pif
2009-10-01 00:02 . 2009-10-01 00:02 10366 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\adofeqypi.sys
2009-09-29 03:19 . 2009-09-29 03:19 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-09-28 00:08 . 2009-09-28 00:08 18875 ----a-w- c:\program files\Common Files\ixugo.db
2009-09-28 00:08 . 2009-09-28 00:08 16621 ----a-w- c:\windows\system32\exypi.pif
2009-09-28 00:08 . 2009-09-28 00:08 16162 ----a-w- c:\windows\system32\tovunidav.bin
2009-09-28 00:08 . 2009-09-28 00:08 15798 ----a-w- c:\program files\Common Files\upuvol.pif
2009-09-28 00:08 . 2009-09-28 00:08 14069 ----a-w- c:\documents and settings\All Users\Application Data\qozyquj.com
2009-09-28 00:08 . 2009-09-28 00:08 14069 ----a-w- c:\documents and settings\All Users\Application Data\qozyquj.com
2009-09-28 00:08 . 2009-09-28 00:08 11179 ----a-w- c:\windows\nubykypuv.com
2009-09-28 00:08 . 2009-09-28 00:08 11042 ----a-w- c:\documents and settings\basha\Local Settings\Application Data\omyhibon.pif
2009-09-28 00:08 . 2009-09-28 00:08 10901 ----a-w- c:\documents and settings\basha\Local Settings\Application Data\uwefudo.bin
2009-09-28 00:08 . 2009-09-28 00:08 10331 ----a-w- c:\documents and settings\All Users\Application Data\odajolyb.exe
2009-09-28 00:08 . 2009-09-28 00:08 10331 ----a-w- c:\documents and settings\All Users\Application Data\odajolyb.exe
2009-09-28 00:08 . 2009-09-28 00:08 10157 ----a-w- c:\program files\Common Files\itudazut.bin
2009-09-26 02:52 . 2009-08-05 13:19 -------- d-----w- c:\documents and settings\basha\Application Data\Skype
2009-08-22 21:20 . 2009-08-22 21:07 117760 ----a-w- c:\documents and settings\basha\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2008-01-08 19:33 . 2008-01-08 19:33 76 --sh--r- c:\windows\CT4CET.bin
2009-07-29 06:57 . 2009-07-29 06:57 1024 --sha-w- c:\windows\system32\waluyelo.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellAutomatedPCTuneUp"="c:\program files\DellAutomatedPCTuneUp\PTAgnt.exe" [2007-10-11 465136]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"FlashPlayerUpdate"="c:\windows\system32\Macromed\Flash\FlashUtil9f.exe" [2008-03-25 218496]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]
"PCMService"="c:\program files\Dell\MediaDirect\PCMService.exe" [2007-04-16 184320]
"McENUI"="c:\progra~1\McAfee\MHN\McENUI.exe" [2009-01-09 1176808]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-01-09 645328]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-01-20 185896]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 17:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mfehidk.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mferkdk.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Dell Network Assistant.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Dell Network Assistant.lnk
backup=c:\windows\pss\Dell Network Assistant.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Photags AutoDetect.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Photags AutoDetect.lnk
backup=c:\windows\pss\Photags AutoDetect.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Khalil^Start Menu^Programs^Startup^OpenOffice.org 2.3.lnk]
path=c:\documents and settings\Khalil\Start Menu\Programs\Startup\OpenOffice.org 2.3.lnk
backup=c:\windows\pss\OpenOffice.org 2.3.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"stllssvr"=3 (0x3)
"IDriverT"=3 (0x3)
"hnmsvc"=2 (0x2)
"gusvc"=3 (0x3)
"Dot3svc"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Dell\\MediaDirect\\PCMService.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\fxsclnt.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Program Files\\Dell Network Assistant\\ezi_hnm2.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"%windir%\\system32\\drivers\\svchost.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\WINDOWS\\system32\\taskmgr.exe"=
"c:\\Program Files\\McAfee\\MSC\\mcmscsvc.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"10421:UDP"= 10421:UDP:SingleClick Discovery Protocol
"10426:UDP"= 10426:UDP:SingleClick ICC

S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [8/5/2009 3:06 PM 9968]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [8/5/2009 3:06 PM 74480]
S2 datunidr;DellAutomatedPCTuneUp UniDriver;c:\windows\system32\drivers\datunidr.sys [8/23/2007 6:29 PM 5376]
S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [12/26/2008 10:37 PM 210216]
S3 OEM02Dev;Creative Camera OEM002 Driver;c:\windows\system32\drivers\OEM02Dev.sys [1/8/2008 1:06 PM 235520]
S3 OEM02Vfx;Creative Camera OEM002 Video VFX Driver;c:\windows\system32\drivers\OEM02Vfx.sys [1/8/2008 1:06 PM 7424]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [8/5/2009 3:06 PM 7408]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - MBR
*Deregistered* - mbr
.
Contents of the 'Scheduled Tasks' folder

2009-08-15 c:\windows\Tasks\McDefragTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2008-12-24 16:53]

2009-08-01 c:\windows\Tasks\McQcTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2008-12-24 16:53]

2009-04-23 c:\windows\Tasks\Norton Security Scan for Khalil.job
- c:\program files\Norton Security Scan\Nss.exe [2008-09-19 01:20]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
DPF: {195538FD-1C39-44B1-A7C3-5D7137A8A8F1} - hxxps://passage.cna.com/vdesk/terminal/f5opswati.cab
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\va59d4le.default\
FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npGoogleGadgetPluginFirefoxWin.dll
FF - HiddenExtension: XUL Cache: {B37DF0F0-9745-49D9-98F0-F7C01E8A73B4} - c:\documents and settings\basha\Local Settings\Application Data\{B37DF0F0-9745-49D9-98F0-F7C01E8A73B4}
.
- - - - ORPHANS REMOVED - - - -

BHO-{320e08ca-98a5-4f6e-be1d-884080b3077d} - wetibolo.dll
Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
HKLM-Run-wuvemijah - c:\windows\system32\jukajeyi.dll
HKLM-Run-yosakowowu - zuhuyaba.dll
SharedTaskScheduler-{1051d8fe-66cd-4fd6-a44c-196400ba008d} - c:\windows\system32\hudiyili.dll
SharedTaskScheduler-{18e63a55-396d-4b1c-b114-7e54c9b4cf05} - c:\windows\system32\hudiyili.dll
SharedTaskScheduler-{01c54dac-f2da-485e-94db-c389824e613e} - c:\windows\system32\bigivofo.dll
SharedTaskScheduler-{57c3730d-25f4-4bce-90f7-003e291221a5} - c:\windows\system32\bigivofo.dll
SharedTaskScheduler-{da9cb2da-3836-4d43-bc46-5ba5a1aa129e} - c:\windows\system32\bigivofo.dll
SharedTaskScheduler-{c36b169c-d72f-4415-8489-8cbd18ae8452} - c:\windows\system32\yitidena.dll
SharedTaskScheduler-{80a8807b-c3c8-4842-b839-25233ed4a44d} - c:\windows\system32\jukajeyi.dll
SSODL-penimukek-{1051d8fe-66cd-4fd6-a44c-196400ba008d} - c:\windows\system32\hudiyili.dll
SSODL-muhimesel-{18e63a55-396d-4b1c-b114-7e54c9b4cf05} - c:\windows\system32\hudiyili.dll
SSODL-vujigohip-{01c54dac-f2da-485e-94db-c389824e613e} - c:\windows\system32\bigivofo.dll
SSODL-foyupalel-{57c3730d-25f4-4bce-90f7-003e291221a5} - c:\windows\system32\bigivofo.dll
SSODL-pezowavel-{da9cb2da-3836-4d43-bc46-5ba5a1aa129e} - c:\windows\system32\bigivofo.dll
SSODL-yalezipow-{c36b169c-d72f-4415-8489-8cbd18ae8452} - c:\windows\system32\yitidena.dll
SSODL-hasenakon-{80a8807b-c3c8-4842-b839-25233ed4a44d} - c:\windows\system32\jukajeyi.dll
SafeBoot-mfehidk
SafeBoot-mferkdk
SafeBoot-mfetdik
SafeBoot-mfetdik.sys



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-05 20:46
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\MS Optimization\JKWL]
@DACL=(02 0000)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1008)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\System32\BCMLogon.dll
.
------------------------ Other Running Processes ------------------------
.
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\progra~1\mcafee.com\agent\mcagent.exe
.
**************************************************************************
.
Completion time: 2009-11-06 20:49 - machine was rebooted
ComboFix-quarantined-files.txt 2009-11-06 02:49

Pre-Run: 39,284,133,888 bytes free
Post-Run: 39,637,897,216 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - 7E47164874DB1AECC2B9D43341E3D934


Regards,
Khalil Ahamed

#12 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,774 posts
  • Gender:Female
  • Location:At home
  • Local time:04:35 AM

Posted 06 November 2009 - 04:34 AM

Hi,

ComboFix took care of a rootkit; however, there are still a couple of things left:

Please download GooredFix from one of the locations below and save it to your Desktop
Download Mirror #1
Download Mirror #2
  • Ensure all Firefox windows are closed.
  • To run the tool, double-click it (XP), or right-click and select Run As Administrator (Vista).
  • When prompted to run the scan, click Yes.
  • GooredFix will check for infections, and then a log will appear. Please post the contents of that log in your next reply (it can also be found on your desktop, called GooredFix.txt).

And we need to run another scan with Combofix:
1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

File::
c:\documents and settings\Administrator\Local Settings\Application Data\lacu.exe
c:\documents and settings\Administrator\Application Data\zode.scr
c:\windows\system32\irizowezis.exe
c:\documents and settings\Administrator\Application Data\vosacovet.bin
c:\program files\Common Files\ypatiweluz.sys
c:\windows\hytylabe.pif
c:\documents and settings\All Users\Application Data\iveripu.pif
c:\documents and settings\Administrator\Local Settings\Application Data\adofeqypi.sys
c:\program files\Common Files\ixugo.db
c:\windows\system32\exypi.pif
c:\windows\system32\tovunidav.bin
c:\program files\Common Files\upuvol.pif
c:\documents and settings\All Users\Application Data\qozyquj.com
c:\documents and settings\All Users\Application Data\qozyquj.com
c:\windows\nubykypuv.com
c:\documents and settings\basha\Local Settings\Application Data\omyhibon.pif
c:\documents and settings\basha\Local Settings\Application Data\uwefudo.bin
c:\documents and settings\All Users\Application Data\odajolyb.exe
c:\program files\Common Files\itudazut.bin
c:\windows\system32\waluyelo.exe

Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\drivers\\svchost.exe"=-
"c:\\WINDOWS\\system32\\taskmgr.exe"=-


Save this as CFScript.txt, in the same location as ComboFix.exe


[image]

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

regards _temp_

is that a bird? a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 


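The two firewall entries the CFScript above deletes are worth understanding as a detection pattern: the real svchost.exe lives only in %windir%\system32, so a copy under system32\drivers is a planted binary, and Task Manager has no reason to hold an inbound firewall exception. As an added example (not from the thread, ComboFix or any of its helpers), the Python below reads the AuthorizedApplications list in the form ComboFix prints it, flags those two kinds of entry, and renders the findings as a Registry:: block using the trailing `=-` deletion form shown above. The sample log section and the two name lists are constructed for the example.

```python
import re

# Constructed sample: an AuthorizedApplications section in the layout ComboFix
# prints under "Reg Loading Points" (REGEDIT4 style, backslashes doubled).
SAMPLE_LOG = r"""
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"%windir%\\system32\\drivers\\svchost.exe"=
"c:\\WINDOWS\\system32\\taskmgr.exe"=
"c:\\Program Files\\McAfee\\MSC\\mcmscsvc.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"10421:UDP"= 10421:UDP:SingleClick Discovery Protocol
"""

AUTHORIZED_KEY = "AuthorizedApplications\\List"
FULL_KEY = ("HKLM\\~\\services\\sharedaccess\\parameters\\firewallpolicy"
            "\\standardprofile\\AuthorizedApplications\\List")

# Assumed lists: core Windows binaries that only belong in %windir%\system32,
# and local tools that never need an inbound firewall exception.
SYSTEM32_ONLY = {"svchost.exe", "lsass.exe", "services.exe", "csrss.exe", "winlogon.exe"}
NO_NETWORK_NEED = {"taskmgr.exe", "regedit.exe", "cmd.exe"}


def parse_authorized_apps(log_text):
    """Return the application paths listed under AuthorizedApplications\\List.

    Only the section whose header ends with that key is read; every other
    [section] switches parsing off again. REGEDIT4 double backslashes are
    collapsed so the returned paths are plain Windows paths.
    """
    paths = []
    in_section = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.rstrip("]").endswith(AUTHORIZED_KEY)
            continue
        if in_section:
            m = re.match(r'^"(.+)"=\s*$', line)
            if m:
                paths.append(m.group(1).replace("\\\\", "\\"))
    return paths


def normalise(path):
    """Lower-case and expand %windir% (assumed C:\\WINDOWS) for stable comparison."""
    return path.lower().replace("%windir%", "c:\\windows")


def audit(paths):
    """Return (original_path, reason) for every entry a responder should question."""
    findings = []
    for p in paths:
        directory, _, name = normalise(p).rpartition("\\")
        if name in SYSTEM32_ONLY and directory != "c:\\windows\\system32":
            findings.append((p, "system binary name outside %windir%\\system32"))
        elif name in NO_NETWORK_NEED:
            findings.append((p, "local tool with no need for an inbound exception"))
    return findings


def to_cfscript(findings):
    """Render findings as a CFScript Registry:: block; a trailing '=-' deletes the value."""
    lines = ["Registry::", "[" + FULL_KEY + "]", ""]
    for p, _ in findings:
        lines.append('"%s"=-' % p.replace("\\", "\\\\"))
    return "\n".join(lines)


if __name__ == "__main__":
    found = audit(parse_authorized_apps(SAMPLE_LOG))
    for path, reason in found:
        print("%-55s %s" % (path, reason))
    print()
    print(to_cfscript(found))
```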

#13 khalil ahamed

khalil ahamed
  • Topic Starter

  • Members
  • 37 posts
  • Local time:10:35 PM

Posted 06 November 2009 - 09:37 PM

Hi,

Here are the two reports:

GooredFix.txt
=========

GooredFix by jpshortstuff (24.09.09.1)
Log created at 19:53 on 06/11/2009 (Administrator)
Firefox version 3.5.3 (en-US)

========== GooredScan ==========

Deleting HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions\\{B37DF0F0-9745-49D9-98F0-F7C01E8A73B4} -> Success!
Deleting C:\Documents and Settings\basha\Local Settings\Application Data\{B37DF0F0-9745-49D9-98F0-F7C01E8A73B4} -> Success!

========== GooredLog ==========

C:\Program Files\Mozilla Firefox\extensions\
real-networks@partners.mozilla.com [19:28 20/01/2008]
{3112ca9c-de6d-4884-a869-9855de68056c} [19:28 20/01/2008]
{972ce4c6-7e08-4474-a285-3208198ce6fd} [19:28 20/01/2008]
{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} [02:45 28/01/2008]
{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} [15:15 15/03/2008]
{CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA} [05:08 01/07/2008]
{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} [02:22 31/07/2008]

[HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]
"{ABDE892B-13A8-4d1b-88E6-365A6E755758}"="C:\Program Files\Real\RealPlayer\browserrecord" [19:30 20/01/2008]
"{025928C4-75BA-40C2-95A3-0DC73D39A421}"="C:\Documents and Settings\Khalil\Local Settings\Application Data\{025928C4-75BA-40C2-95A3-0DC73D39A421}" []
"{B7082FAA-CB62-4872-9106-E42DD88EDE45}"="C:\Program Files\McAfee\SiteAdvisor" [04:36 27/12/2008]

-=E.O.F=-


ComboFix.txt
=========
ComboFix 09-11-05.05 - Administrator 11/06/2009 20:21.3.2 - NTFSx86 NETWORK
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2038.1764 [GMT -6:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript.txt
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

FILE ::
"c:\documents and settings\Administrator\Application Data\vosacovet.bin"
"c:\documents and settings\Administrator\Application Data\zode.scr"
"c:\documents and settings\Administrator\Local Settings\Application Data\adofeqypi.sys"
"c:\documents and settings\Administrator\Local Settings\Application Data\lacu.exe"
"c:\documents and settings\All Users\Application Data\iveripu.pif"
"c:\documents and settings\All Users\Application Data\odajolyb.exe"
"c:\documents and settings\All Users\Application Data\qozyquj.com"
"c:\documents and settings\basha\Local Settings\Application Data\omyhibon.pif"
"c:\documents and settings\basha\Local Settings\Application Data\uwefudo.bin"
"c:\program files\Common Files\itudazut.bin"
"c:\program files\Common Files\ixugo.db"
"c:\program files\Common Files\upuvol.pif"
"c:\program files\Common Files\ypatiweluz.sys"
"c:\windows\hytylabe.pif"
"c:\windows\nubykypuv.com"
"c:\windows\system32\exypi.pif"
"c:\windows\system32\irizowezis.exe"
"c:\windows\system32\tovunidav.bin"
"c:\windows\system32\waluyelo.exe"
.

((((((((((((((((((((((((( Files Created from 2009-10-07 to 2009-11-07 )))))))))))))))))))))))))))))))
.

2009-11-06 02:43 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\proquota.exe
2009-10-29 05:20 . 2009-09-10 19:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-29 05:20 . 2009-10-29 05:20 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-29 05:20 . 2009-09-10 19:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-10 02:47 . 2009-10-10 02:51 -------- d-----w- c:\documents and settings\basha\Application Data\vlc

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-10 02:53 . 2008-01-23 06:15 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2009-10-04 02:31 . 2009-10-04 02:31 -------- d-----w- c:\program files\VideoLAN
2009-10-04 00:34 . 2009-10-04 00:27 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-09-29 03:19 . 2009-09-29 03:19 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-09-26 02:52 . 2009-08-05 13:19 -------- d-----w- c:\documents and settings\basha\Application Data\Skype
2009-08-22 21:20 . 2009-08-22 21:07 117760 ----a-w- c:\documents and settings\basha\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2008-01-08 19:33 . 2008-01-08 19:33 76 --sh--r- c:\windows\CT4CET.bin
.

((((((((((((((((((((((((((((( SnapShot@2009-11-06_02.46.08 )))))))))))))))))))))))))))))))))))))))))
.
+ 2004-08-10 18:51 . 2009-11-07 02:21 80538 c:\windows\system32\perfc009.dat
- 2004-08-10 18:51 . 2009-11-06 02:40 80538 c:\windows\system32\perfc009.dat
+ 2004-08-10 18:51 . 2009-11-07 02:21 449114 c:\windows\system32\perfh009.dat
- 2004-08-10 18:51 . 2009-11-06 02:40 449114 c:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellAutomatedPCTuneUp"="c:\program files\DellAutomatedPCTuneUp\PTAgnt.exe" [2007-10-11 465136]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"FlashPlayerUpdate"="c:\windows\system32\Macromed\Flash\FlashUtil9f.exe" [2008-03-25 218496]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]
"PCMService"="c:\program files\Dell\MediaDirect\PCMService.exe" [2007-04-16 184320]
"McENUI"="c:\progra~1\McAfee\MHN\McENUI.exe" [2009-01-09 1176808]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-01-09 645328]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-01-20 185896]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 17:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mfehidk.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mferkdk.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Dell Network Assistant.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Dell Network Assistant.lnk
backup=c:\windows\pss\Dell Network Assistant.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Photags AutoDetect.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Photags AutoDetect.lnk
backup=c:\windows\pss\Photags AutoDetect.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Khalil^Start Menu^Programs^Startup^OpenOffice.org 2.3.lnk]
path=c:\documents and settings\Khalil\Start Menu\Programs\Startup\OpenOffice.org 2.3.lnk
backup=c:\windows\pss\OpenOffice.org 2.3.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"stllssvr"=3 (0x3)
"IDriverT"=3 (0x3)
"hnmsvc"=2 (0x2)
"gusvc"=3 (0x3)
"Dot3svc"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Dell\\MediaDirect\\PCMService.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\fxsclnt.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Program Files\\Dell Network Assistant\\ezi_hnm2.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\McAfee\\MSC\\mcmscsvc.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"10421:UDP"= 10421:UDP:SingleClick Discovery Protocol
"10426:UDP"= 10426:UDP:SingleClick ICC

S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [8/5/2009 3:06 PM 9968]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [8/5/2009 3:06 PM 74480]
S2 datunidr;DellAutomatedPCTuneUp UniDriver;c:\windows\system32\drivers\datunidr.sys [8/23/2007 6:29 PM 5376]
S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [12/26/2008 10:37 PM 210216]
S3 OEM02Dev;Creative Camera OEM002 Driver;c:\windows\system32\drivers\OEM02Dev.sys [1/8/2008 1:06 PM 235520]
S3 OEM02Vfx;Creative Camera OEM002 Video VFX Driver;c:\windows\system32\drivers\OEM02Vfx.sys [1/8/2008 1:06 PM 7424]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [8/5/2009 3:06 PM 7408]

--- Other Services/Drivers In Memory ---

*Deregistered* - mbr
.
Contents of the 'Scheduled Tasks' folder

2009-08-15 c:\windows\Tasks\McDefragTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2008-12-24 16:53]

2009-08-01 c:\windows\Tasks\McQcTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2008-12-24 16:53]

2009-04-23 c:\windows\Tasks\Norton Security Scan for Khalil.job
- c:\program files\Norton Security Scan\Nss.exe [2008-09-19 01:20]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
DPF: {195538FD-1C39-44B1-A7C3-5D7137A8A8F1} - hxxps://passage.cna.com/vdesk/terminal/f5opswati.cab
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\va59d4le.default\
FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npGoogleGadgetPluginFirefoxWin.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-06 20:26
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\MS Optimization\JKWL]
@DACL=(02 0000)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1000)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\System32\BCMLogon.dll
.
Completion time: 2009-11-07 20:28
ComboFix-quarantined-files.txt 2009-11-07 02:28
ComboFix2.txt 2009-11-07 02:05
ComboFix3.txt 2009-11-06 02:49

Pre-Run: 39,617,384,448 bytes free
Post-Run: 39,581,044,736 bytes free

- - End Of File - - 75C9350B9C7BC6415C1BFCF4DC0E0D50



Regards,
Khalil Ahamed

#14 myrti (Sillyberry, Malware Study Hall Admin)

Posted 07 November 2009 - 11:22 AM

Hi,

can you please post the content of the following file:
C:\qoobox\ComboFix2.txt


thanks,

regards _temp_



#15 khalil ahamed (Topic Starter, Members)

Posted 09 November 2009 - 12:33 AM

Hi,

Here is the report,

c:/qoobox/ComboFix2.txt
================

ComboFix 09-11-05.05 - Administrator 11/06/2009 19:58.2.2 - NTFSx86 NETWORK
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2038.1768 [GMT -6:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript.txt
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

FILE ::
"c:\documents and settings\Administrator\Application Data\vosacovet.bin"
"c:\documents and settings\Administrator\Application Data\zode.scr"
"c:\documents and settings\Administrator\Local Settings\Application Data\adofeqypi.sys"
"c:\documents and settings\Administrator\Local Settings\Application Data\lacu.exe"
"c:\documents and settings\All Users\Application Data\iveripu.pif"
"c:\documents and settings\All Users\Application Data\odajolyb.exe"
"c:\documents and settings\All Users\Application Data\qozyquj.com"
"c:\documents and settings\basha\Local Settings\Application Data\omyhibon.pif"
"c:\documents and settings\basha\Local Settings\Application Data\uwefudo.bin"
"c:\program files\Common Files\itudazut.bin"
"c:\program files\Common Files\ixugo.db"
"c:\program files\Common Files\upuvol.pif"
"c:\program files\Common Files\ypatiweluz.sys"
"c:\windows\hytylabe.pif"
"c:\windows\nubykypuv.com"
"c:\windows\system32\exypi.pif"
"c:\windows\system32\irizowezis.exe"
"c:\windows\system32\tovunidav.bin"
"c:\windows\system32\waluyelo.exe"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Administrator\Application Data\vosacovet.bin
c:\documents and settings\Administrator\Application Data\zode.scr
c:\documents and settings\Administrator\Local Settings\Application Data\adofeqypi.sys
c:\documents and settings\Administrator\Local Settings\Application Data\lacu.exe
c:\documents and settings\All Users\Application Data\iveripu.pif
c:\documents and settings\All Users\Application Data\odajolyb.exe
c:\documents and settings\All Users\Application Data\qozyquj.com
c:\documents and settings\basha\Local Settings\Application Data\omyhibon.pif
c:\documents and settings\basha\Local Settings\Application Data\uwefudo.bin
c:\program files\Common Files\itudazut.bin
c:\program files\Common Files\ixugo.db
c:\program files\Common Files\upuvol.pif
c:\program files\Common Files\ypatiweluz.sys
c:\windows\hytylabe.pif
c:\windows\nubykypuv.com
c:\windows\system32\exypi.pif
c:\windows\system32\irizowezis.exe
c:\windows\system32\tovunidav.bin
c:\windows\system32\waluyelo.exe

.
((((((((((((((((((((((((( Files Created from 2009-10-07 to 2009-11-07 )))))))))))))))))))))))))))))))
.

2009-11-06 02:43 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\proquota.exe
2009-10-29 05:20 . 2009-09-10 19:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-29 05:20 . 2009-10-29 05:20 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-29 05:20 . 2009-09-10 19:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-10 02:47 . 2009-10-10 02:51 -------- d-----w- c:\documents and settings\basha\Application Data\vlc

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-10 02:53 . 2008-01-23 06:15 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2009-10-04 02:31 . 2009-10-04 02:31 -------- d-----w- c:\program files\VideoLAN
2009-10-04 00:34 . 2009-10-04 00:27 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-09-29 03:19 . 2009-09-29 03:19 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-09-26 02:52 . 2009-08-05 13:19 -------- d-----w- c:\documents and settings\basha\Application Data\Skype
2009-08-22 21:20 . 2009-08-22 21:07 117760 ----a-w- c:\documents and settings\basha\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2008-01-08 19:33 . 2008-01-08 19:33 76 --sh--r- c:\windows\CT4CET.bin
.

((((((((((((((((((((((((((((( SnapShot@2009-11-06_02.46.08 )))))))))))))))))))))))))))))))))))))))))
.
+ 2004-08-10 18:51 . 2009-11-07 01:43 80538 c:\windows\system32\perfc009.dat
- 2004-08-10 18:51 . 2009-11-06 02:40 80538 c:\windows\system32\perfc009.dat
+ 2004-08-10 18:51 . 2009-11-07 01:43 449114 c:\windows\system32\perfh009.dat
- 2004-08-10 18:51 . 2009-11-06 02:40 449114 c:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellAutomatedPCTuneUp"="c:\program files\DellAutomatedPCTuneUp\PTAgnt.exe" [2007-10-11 465136]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"FlashPlayerUpdate"="c:\windows\system32\Macromed\Flash\FlashUtil9f.exe" [2008-03-25 218496]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]
"PCMService"="c:\program files\Dell\MediaDirect\PCMService.exe" [2007-04-16 184320]
"McENUI"="c:\progra~1\McAfee\MHN\McENUI.exe" [2009-01-09 1176808]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-01-09 645328]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-01-20 185896]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 17:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mfehidk.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mferkdk.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Dell Network Assistant.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Dell Network Assistant.lnk
backup=c:\windows\pss\Dell Network Assistant.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Photags AutoDetect.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Photags AutoDetect.lnk
backup=c:\windows\pss\Photags AutoDetect.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Khalil^Start Menu^Programs^Startup^OpenOffice.org 2.3.lnk]
path=c:\documents and settings\Khalil\Start Menu\Programs\Startup\OpenOffice.org 2.3.lnk
backup=c:\windows\pss\OpenOffice.org 2.3.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"stllssvr"=3 (0x3)
"IDriverT"=3 (0x3)
"hnmsvc"=2 (0x2)
"gusvc"=3 (0x3)
"Dot3svc"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Dell\\MediaDirect\\PCMService.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\fxsclnt.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Program Files\\Dell Network Assistant\\ezi_hnm2.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\McAfee\\MSC\\mcmscsvc.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"10421:UDP"= 10421:UDP:SingleClick Discovery Protocol
"10426:UDP"= 10426:UDP:SingleClick ICC

S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [8/5/2009 3:06 PM 9968]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [8/5/2009 3:06 PM 74480]
S2 datunidr;DellAutomatedPCTuneUp UniDriver;c:\windows\system32\drivers\datunidr.sys [8/23/2007 6:29 PM 5376]
S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [12/26/2008 10:37 PM 210216]
S3 OEM02Dev;Creative Camera OEM002 Driver;c:\windows\system32\drivers\OEM02Dev.sys [1/8/2008 1:06 PM 235520]
S3 OEM02Vfx;Creative Camera OEM002 Video VFX Driver;c:\windows\system32\drivers\OEM02Vfx.sys [1/8/2008 1:06 PM 7424]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [8/5/2009 3:06 PM 7408]

--- Other Services/Drivers In Memory ---

*Deregistered* - mbr
.
Contents of the 'Scheduled Tasks' folder

2009-08-15 c:\windows\Tasks\McDefragTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2008-12-24 16:53]

2009-08-01 c:\windows\Tasks\McQcTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2008-12-24 16:53]

2009-04-23 c:\windows\Tasks\Norton Security Scan for Khalil.job
- c:\program files\Norton Security Scan\Nss.exe [2008-09-19 01:20]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
DPF: {195538FD-1C39-44B1-A7C3-5D7137A8A8F1} - hxxps://passage.cna.com/vdesk/terminal/f5opswati.cab
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\va59d4le.default\
FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npGoogleGadgetPluginFirefoxWin.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-06 20:04
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\MS Optimization\JKWL]
@DACL=(02 0000)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1000)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\System32\BCMLogon.dll
.
Completion time: 2009-11-07 20:05
ComboFix-quarantined-files.txt 2009-11-07 02:05
ComboFix2.txt 2009-11-06 02:49

Pre-Run: 39,640,723,456 bytes free
Post-Run: 39,607,537,664 bytes free

- - End Of File - - F5DD6812EC4FCE127AF551087B0F0B30

Regards,
Khalil Ahamed