
system shuts down often with a blue screen error


  • This topic is locked
12 replies to this topic

#1 lacchu

lacchu

  • Members
  • 7 posts

Posted 09 October 2009 - 12:52 AM

Hi all

For the past three days I have been facing this problem:

(1) My system auto shuts down and restarts at least ten times a day, with a blue screen appearing before the shutdown.

The blue screen says "c000021a fatal system error"

(2) When I click on Google results I am redirected to spam sites.

I have run the programs for detecting malware. Please find the reports of DDS, HijackThis and RootRepeal attached.

Please help me fix the problem.


DDS scan report
------------------------------------------------------------------------------------------------

DDS (Ver_09-09-29.01) - NTFSx86
Run by Administrator at 10:46:11.76 on Fri 10/09/2009
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1023.570 [GMT 5.5:30]


============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system\svchost.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\WINDOWS\System32\alg.exe
"C:\WINDOWS\system32\svchost.exe"
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Winamp\Winampa.exe
"C:\WINDOWS\system32\28463\svchost.exe"
C:\Program Files\Java\j2re1.4.2_07\bin\jusched.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Documents and Settings\Administrator\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.co.in/
uInternet Settings,ProxyServer = 192.168.5.139:3128
uInternet Settings,ProxyOverride = <local>
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
mWinlogon: Taskman=c:\recycler\s-1-5-21-8729673389-7251395024-878860705-1597\hdav.exe
BHO: {01a8140f-b811-400a-b722-732b5eee9bc6} - c:\windows\system32\kufpoaov.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 6.0\reader\activex\AcroIEHelper.dll
BHO: : {8f61501e-0a18-47f9-a5f5-af07520cad35} - c:\windows\system32\trgmuix.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\progra~1\yahoo!\companion\installs\cpn\YTSingleInstance.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
uRun: [Messenger (Yahoo!)] "c:\program files\yahoo!\messenger\YahooMessenger.exe" -quiet
mRun: [ATIModeChange] Ati2mdxx.exe
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [ccApp] -
mRun: [WinampAgent] "c:\program files\winamp\Winampa.exe"
mRun: [svchost Agent] c:\windows\system32\28463\svchost.exe
mRun: [SunJavaUpdateSched] c:\program files\java\j2re1.4.2_07\bin\jusched.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\winzip~1.lnk - c:\program files\winzip\WZQKPICK.EXE
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {08B0E5C0-4FCB-11CF-AAA5-00401C608501}
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://dlc.sun.com/jdk/j2re-1_4_2_07-windows-i586-p.exe
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0014-0002-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
TCP: {41F3EFF5-542D-4907-BBF1-A13CD94A95DF} = 192.168.5.201,202.54.1.30
Notify: aeindhmv - trgmuix.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\bjqeugip.default\
FF - plugin: c:\program files\java\j2re1.4.2_07\bin\NPJava11.dll
FF - plugin: c:\program files\java\j2re1.4.2_07\bin\NPJava12.dll
FF - plugin: c:\program files\java\j2re1.4.2_07\bin\NPJava13.dll
FF - plugin: c:\program files\java\j2re1.4.2_07\bin\NPJava14.dll
FF - plugin: c:\program files\java\j2re1.4.2_07\bin\NPJava32.dll
FF - plugin: c:\program files\java\j2re1.4.2_07\bin\NPJPI142_07.dll
FF - plugin: c:\program files\java\j2re1.4.2_07\bin\NPOJI610.dll

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
============= SERVICES / DRIVERS ===============

R0 tbvdwgdn;tbvdwgdn;c:\windows\system32\drivers\tbvdwgdn.sys [2001-8-23 23424]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2004-2-29 242808]
R2 Darkness;Darkness;c:\windows\system\svchost.exe [2009-9-2 17697]
R2 ejtdwvjj;TCP/IP Protocol Support;c:\windows\system32\svchost.exe -k netsvcs [2004-8-4 14336]
R2 SAVRTPEL;SAVRTPEL;c:\program files\symantec antivirus\Savrtpel.sys [2004-2-9 37008]
R2 YahooAUService;Yahoo! Updater;c:\program files\yahoo!\softwareupdate\YahooAUService.exe [2008-11-10 602392]
S1 SAVRT;SAVRT;- --> - [?]
S2 msupdate;Microsoft security update service;c:\windows\system32\mssrv32.exe [2009-8-31 30208]
S3 ccPwdSvc;Symantec Password Validation;c:\program files\common files\symantec shared\ccPwdSvc.exe [2004-2-29 87160]
S3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20090929.003\naveng.sys [2009-9-30 84912]
S3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20090929.003\navex15.sys [2009-9-30 1323568]
S3 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2004-3-12 169192]
S3 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec antivirus\Rtvscan.exe [2004-3-12 1221864]
S4 ccEvtMgr;Symantec Event Manager;- --> - [?]

=============== Created Last 30 ================

2009-10-09 10:25 <DIR> --d----- c:\program files\Trend Micro
2009-10-08 18:57 <DIR> --d----- c:\docume~1\admini~1\applic~1\cculcbqy

==================== Find3M ====================

2009-10-05 09:59 36,864 a------- c:\windows\system32\userinit.exe
2009-08-31 15:49 30,208 a------- c:\windows\system32\mssrv32.exe

============= FINISH: 10:47:18.23 ===============


Thanks in advance

Lacchu
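As an added example for the DDS report above (this script is not part of the thread and is not a DDS or BleepingComputer tool), here is a Python first-pass triage that reads a DDS-style log and flags the entry types a helper looks for: svchost.exe running outside System32, a Winlogon Taskman value, browser helper objects with no name and Winlogon Notify DLLs tied to them, a configured browser proxy, and services hosted in a shared svchost group. DDS_EXCERPT is a constructed cut-down of the log above; the rule names and the Finding type are this example's own.

```python
import re
from dataclasses import dataclass

# Directory that legitimately hosts svchost.exe on a 32-bit Windows XP system.
SYSTEM32 = r"c:\windows\system32"

# Constructed excerpt, modelled on the DDS sections quoted in the post above.
DDS_EXCERPT = r"""
============== Running Processes ===============
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\WINDOWS\system\svchost.exe
"C:\WINDOWS\system32\28463\svchost.exe"
============== Pseudo HJT Report ===============
uInternet Settings,ProxyServer = 192.168.5.139:3128
mWinlogon: Taskman=c:\recycler\s-1-5-21-8729673389-7251395024-878860705-1597\hdav.exe
BHO: {01a8140f-b811-400a-b722-732b5eee9bc6} - c:\windows\system32\kufpoaov.dll
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 6.0\reader\activex\AcroIEHelper.dll
BHO: : {8f61501e-0a18-47f9-a5f5-af07520cad35} - c:\windows\system32\trgmuix.dll
mRun: [svchost Agent] c:\windows\system32\28463\svchost.exe
Notify: aeindhmv - trgmuix.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
============= SERVICES / DRIVERS ===============
R2 Darkness;Darkness;c:\windows\system\svchost.exe [2009-9-2 17697]
R2 ejtdwvjj;TCP/IP Protocol Support;c:\windows\system32\svchost.exe -k netsvcs [2004-8-4 14336]
"""

@dataclass(frozen=True)
class Finding:
    rule: str   # short name of the heuristic that fired (names chosen for this example)
    line: str   # the DDS line that triggered it

def _sections(text):
    """Split a DDS log into {section name: [lines]} using its '====' banners."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        banner = re.match(r"^=+\s*(.+?)\s*=+$", line)
        if banner:
            current = banner.group(1).lower()
            sections[current] = []
        elif current is not None:
            sections[current].append(line)
    return sections

def _suspicious_path(path):
    """Return a reason string if an executable path should raise a flag, else None."""
    p = path.strip().strip('"').lower()
    directory, _, name = p.rpartition("\\")
    if name in ("svchost.exe", "svchost") and directory != SYSTEM32:
        return "svchost.exe loaded from outside System32"
    if "\\recycler\\" in p:
        return "executable inside the Recycle Bin folder"
    return None

def triage_dds(text):
    """Return the Findings a first-pass review of a DDS log would raise."""
    findings = []
    sec = _sections(text)
    for line in sec.get("running processes", []):
        why = _suspicious_path(line.split(" -k ")[0])  # drop "-k group" arguments
        if why:
            findings.append(Finding(why, line))
    flagged_dlls = set()  # DLL basenames that belong to an unnamed BHO
    for line in sec.get("pseudo hjt report", []):
        if line.startswith("mWinlogon:") and "taskman=" in line.lower():
            # Taskman replaces Task Manager at logon; it is normally absent on XP.
            findings.append(Finding("Winlogon Taskman value set", line))
            why = _suspicious_path(line.split("=", 1)[1])
            if why:
                findings.append(Finding(why, line))
        elif re.match(r"^BHO:\s*:?\s*\{", line):
            findings.append(Finding("browser helper object with no name", line))
            flagged_dlls.add(line.rsplit("\\", 1)[-1].lower())
        elif line.startswith("Notify:") and " - " in line:
            dll = line.split(" - ", 1)[1].rsplit("\\", 1)[-1].lower()
            if dll in flagged_dlls:
                findings.append(Finding("Winlogon Notify DLL shared with a flagged BHO", line))
        elif "ProxyServer =" in line:
            findings.append(Finding("browser proxy configured; confirm it is intended", line))
        elif line.startswith(("mRun:", "uRun:")) and "]" in line:
            why = _suspicious_path(line.split("]", 1)[1])
            if why:
                findings.append(Finding(why, line))
    for line in sec.get("services / drivers", []):
        parts = line.split(";")
        if len(parts) < 3:
            continue
        binary = parts[2].rsplit(" [", 1)[0]  # drop the trailing "[date size]"
        if " -k " in binary.lower():
            # Shared-group services are what the OTL "netsvcs" custom scan enumerates.
            findings.append(Finding("service hosted in a shared svchost group; verify membership", line))
        why = _suspicious_path(binary.split(" -k ")[0])
        if why:
            findings.append(Finding(why, line))
    return findings
```

Run `triage_dds(open("dds.txt").read())` on a full DDS log; entries such as the Symantec service or the Adobe BHO above produce no finding, while the wrongly placed svchost.exe copies and the Recycle Bin Taskman value do.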


#2 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 09 October 2009 - 05:00 PM

Hello! :(
My name is Sam and I will be helping you.

In order to see what's going on with your computer I will ask for you to post various logs from the tools that we will use to resolve your issue. Please also share with me any information about how your computer is reacting and behaving each step of the way as we work through this process.


Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
  • Make sure you are connected to the Internet.
  • Double-click on Download_mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Quick Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.




We need to create an OTL Report
  • Please download OTL from here
  • Save it to your desktop.
  • Double click on the icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Under the Custom Scan box paste this in

    netsvcs
    %SYSTEMDRIVE%\*.exe
    %systemroot%\system32\eventlog.dll
    %systemroot%\system32\scecli.dll
    %systemroot%\netlogon.dll
    %systemroot%\system32\cngaudit.dll
    %systemroot%\system32\sceclt.dll
    %systemroot%\ntelogon.dll
    %systemroot%\system32\logevent.dll

  • Click the "Quick Scan" button.
  • The scan should take just a few minutes.
  • Please copy and paste both logs back here in your next reply.

If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#3 lacchu

lacchu
  • Topic Starter

  • Members
  • 7 posts

Posted 12 October 2009 - 02:34 AM

Hello Sam

Thanks for your help!

I have scanned my system with Anti-Malware as advised by you. Please find the reports of Malwarebytes and OTL below:



Malwarebytes' Anti-Malware 1.41
Database version: 2945
Windows 5.1.2600 Service Pack 2

10/12/2009 11:53:40 AM
mbam-log-2009-10-12 (11-53-40).txt

Scan type: Quick Scan
Objects scanned: 100559
Time elapsed: 6 minute(s), 47 second(s)

Memory Processes Infected: 2
Memory Modules Infected: 3
Registry Keys Infected: 16
Registry Values Infected: 2
Registry Data Items Infected: 5
Folders Infected: 0
Files Infected: 83

Memory Processes Infected:
C:\WINDOWS\system\svchost.exe (Malware.NSPack) -> Unloaded process successfully.
C:\WINDOWS\system32\28463\svchost.exe (PUP.ArdamaxKeyLogger) -> Unloaded process successfully.

Memory Modules Infected:
C:\WINDOWS\system32\kufpoaov.dll (Trojan.Vundo.H) -> Delete on reboot.
\\?\globalroot\systemroot\system32\kbiwkmerfoafwx.dll (Trojan.FakeAlert) -> Delete on reboot.
C:\WINDOWS\system32\trgmuix.dll (Trojan.Vundo.H) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8f61501e-0a18-47f9-a5f5-af07520cad35} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\aeindhmv (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{8f61501e-0a18-47f9-a5f5-af07520cad35} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{01a8140f-b811-400a-b722-732b5eee9bc6} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{01a8140f-b811-400a-b722-732b5eee9bc6} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{01a8140f-b811-400a-b722-732b5eee9bc6} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\darkness (Malware.NSPack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\darkness (Malware.NSPack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\darkness (Malware.NSPack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\msupdate (Backdoor.Kbot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\msupdate (Backdoor.Kbot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\msupdate (Backdoor.Kbot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ejtdwvjj (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\ejtdwvjj (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ejtdwvjj (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{8f61501e-0a18-47f9-a5f5-af07520cad35} (Trojan.Vundo.H) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost agent (PUP.ArdamaxKeyLogger) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\taskman (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Buzus) -> Data: c:\windows\system32\userinit.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Buzus) -> Data: system32\userinit.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
c:\WINDOWS\system32\trgmuix.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\kufpoaov.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system\svchost.exe (Malware.NSPack) -> Quarantined and deleted successfully.
\\?\globalroot\systemroot\system32\kbiwkmerfoafwx.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\28463\svchost.exe (PUP.ArdamaxKeyLogger) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\kbiwkmalqppbne.dll (Rootkit.TDSS) -> Delete on reboot.
C:\WINDOWS\system32\kbiwkmdxnvxeyb.dll (Rootkit.TDSS) -> Delete on reboot.
C:\WINDOWS\system32\kbiwkmerfoafwx.dll (Trojan.FakeAlert) -> Delete on reboot.
C:\WINDOWS\system32\kbiwkmppfmkjlc.dll (Rootkit.TDSS) -> Delete on reboot.
C:\WINDOWS\system32\kbiwkmqpxtunbs.dll (Rootkit.TDSS) -> Delete on reboot.
C:\WINDOWS\system32\kbiwkmwwxvnseq.dll (Rootkit.TDSS) -> Delete on reboot.
C:\WINDOWS\system32\kbiwkmxbfdxnqr.dll (Rootkit.TDSS) -> Delete on reboot.
C:\WINDOWS\system32\kbiwkmyueteooi.dll (Rootkit.TDSS) -> Delete on reboot.
C:\WINDOWS\system32\mssrv32.exe (Backdoor.Kbot) -> Delete on reboot.
C:\WINDOWS\system32\xatanmc.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\drivers\kbiwkmlnyvbrqh.sys (Rootkit.TDSS) -> Delete on reboot.
C:\WINDOWS\Temp\xbyphhoovu.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\kbiwkmiwwimvkder.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\kbiwkmjkibapbwwb.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\kbiwkmjpyeqqpxxo.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\kbiwkmjxrxtuiqqb.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\kbiwkmkdnyyxcopq.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\kbiwkmlwuxpprpvs.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\kbiwkmmtwmsxisyf.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\kbiwkmmxthpylnki.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\kbiwkmncjlpfvnvr.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\kbiwkmnkroytxqfi.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\kbiwkmnosvrciprq.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\kbiwkmnreopnwibo.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\kbiwkmntivtqienq.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\kbiwkmoijibexejp.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\kbiwkmonlqipfvrn.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\kbiwkmotailyyuhy.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\kbiwkmpesmitnwxv.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\kbiwkmpxjsewhxeh.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\kbiwkmqdsticqdwf.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\kbiwkmachxqtvuqm.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\kbiwkmbdxtebxuec.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\kbiwkmbeebfufusp.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\kbiwkmbtipmtixxm.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\kbiwkmddmqornmst.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\kbiwkmdmqppqdrba.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\kbiwkmdpspeoctkb.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\kbiwkmdueiqafumg.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\kbiwkmdwbdrlqbvf.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\kbiwkmecbvpdmvwg.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\kbiwkmfnikrnqtss.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\kbiwkmfxnptgnnwc.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\kbiwkmhmdmlrlyck.tmp (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\kbiwkmhrhaddbynb.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\kbiwkmhxeimgntrp.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\kbiwkmiaesqxyfxb.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\kbiwkmqnbvaqwuid.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\kbiwkmqowhgvpiov.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\kbiwkmqvcpcrikgy.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\kbiwkmrmwdktpohm.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\kbiwkmrnmspfvhcm.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\kbiwkmrnssppfhwm.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\kbiwkmrtwsgcaitj.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\kbiwkmscuualnley.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\kbiwkmsetixrphps.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\kbiwkmsrhwmlmtss.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\kbiwkmtbsydaiyes.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\kbiwkmumpokttkdm.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\kbiwkmwprpuctcou.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\kbiwkmwqxpecxuco.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\kbiwkmxctunvwtsp.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\kbiwkmxgfgaqtxpe.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\kbiwkmxrcqiixdto.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\kbiwkmxrvbvxoriy.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\kbiwkmylysqulaqe.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\kbiwkmiufpfvitet.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\kbiwkmqdwpsesdrw.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Local Settings\Temp\662.exe (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Local Settings\Temp\ie93A.tmp (Trojan.Buzus) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Local Settings\Temp\705.exe (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Local Settings\Temp\873.exe (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\RU1CBL3F\1255087014[1].exe (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\09MCYMLU\2k[1].exe (Trojan.Buzus) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Local Settings\Temp\ie3.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Lakshmi\Local Settings\Temp\ie3.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\kbiwkmdqjtpuwm.dat (Rootkit.TDSS) -> Delete on reboot.
C:\WINDOWS\system32\kbiwkmmswbabgn.dat (Rootkit.TDSS) -> Delete on reboot.


----------------------------------------------------------------------------------------------------------------------------------------------


OTL report:

OTL logfile created on: 10/12/2009 12:58:33 PM - Run 1
OTL by OldTimer - Version 3.0.20.0 Folder = C:\Documents and Settings\Administrator\My Documents\Downloads
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.2180)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1023.43 Mb Total Physical Memory | 645.41 Mb Available Physical Memory | 63.06% Memory free
2.40 Gb Paging File | 2.14 Gb Available in Paging File | 88.84% Paging File free
Paging file location(s): C:\pagefile.sys 1536 3072 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 19.53 Gb Total Space | 5.50 Gb Free Space | 28.14% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
Drive E: | 19.53 Gb Total Space | 7.82 Gb Free Space | 40.06% Space Free | Partition Type: NTFS
Drive F: | 19.53 Gb Total Space | 15.65 Gb Free Space | 80.13% Space Free | Partition Type: NTFS
Drive G: | 232.83 Gb Total Space | 192.86 Gb Free Space | 82.83% Space Free | Partition Type: FAT32
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: HEMA
Current User Name: Administrator
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 14 Days
Output = Standard
Quick Scan

========== Processes (SafeList) ==========

PRC - [2009/10/12 12:58:02 | 00,521,216 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator\My Documents\Downloads\OTL.exe
PRC - [2009/09/18 10:02:59 | 00,908,280 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2009/05/26 21:06:32 | 00,079,088 | ---- | M] (Yahoo! Inc.) -- C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
PRC - [2009/03/21 01:27:10 | 00,851,968 | ---- | M] (Nullsoft) -- C:\Program Files\Winamp\Winamp.exe
PRC - [2009/03/21 01:27:10 | 00,024,576 | ---- | M] () -- C:\Program Files\Winamp\Winampa.exe
PRC - [2008/11/10 02:18:14 | 00,602,392 | ---- | M] (Yahoo! Inc.) -- C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
PRC - [2005/01/15 12:24:18 | 00,032,881 | ---- | M] () -- C:\Program Files\Java\j2re1.4.2_07\bin\jusched.exe
PRC - [2004/08/04 00:56:58 | 00,013,824 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\wscntfy.exe
PRC - [2004/08/04 00:56:50 | 01,032,192 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Explorer.EXE
PRC - [2004/03/12 15:17:10 | 00,029,928 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec AntiVirus\DefWatch.exe
PRC - [2004/02/29 16:44:54 | 00,242,808 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
PRC - [2004/02/11 09:00:00 | 00,118,784 | ---- | M] (WinZip Computing, Inc.) -- C:\Program Files\WinZip\WZQKPICK.EXE
PRC - [2003/08/13 02:34:38 | 10,073,144 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE
PRC - [2003/08/12 22:25:24 | 00,319,488 | ---- | M] () -- C:\WINDOWS\System32\Ati2evxx.exe
PRC - [2003/08/12 21:10:00 | 00,335,872 | ---- | M] (ATI Technologies, Inc.) -- C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

========== Win32 Services (SafeList) ==========

SRV - File not found -- Service key not found. -- (ejtdwvjj [Unknown | Stopped])
SRV - File not found -- -- (SNDSrvc [Disabled | Stopped])
SRV - File not found -- -- (ccEvtMgr [Disabled | Stopped])
SRV - [2008/11/10 02:18:14 | 00,602,392 | ---- | M] (Yahoo! Inc.) -- C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe -- (YahooAUService [Auto | Running])
SRV - [2006/11/08 16:35:38 | 00,053,248 | ---- | M] (Hewlett-Packard) -- C:\WINDOWS\System32\HPZipm12.dll -- (Pml Driver HPZ12 [Auto | Running])
SRV - [2006/11/08 16:35:36 | 00,043,520 | ---- | M] (Hewlett-Packard) -- C:\WINDOWS\System32\HPZinw12.dll -- (Net Driver HPZ12 [Auto | Running])
SRV - [2004/08/04 00:56:46 | 00,038,912 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll -- (helpsvc [Auto | Running])
SRV - [2004/03/12 15:18:06 | 00,169,192 | ---- | M] (symantec) -- C:\Program Files\Symantec AntiVirus\SavRoam.exe -- (SavRoam [On_Demand | Stopped])
SRV - [2004/03/12 15:17:46 | 01,221,864 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec AntiVirus\Rtvscan.exe -- (Symantec AntiVirus [On_Demand | Stopped])
SRV - [2004/03/12 15:17:10 | 00,029,928 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec AntiVirus\DefWatch.exe -- (DefWatch [Auto | Running])
SRV - [2004/02/29 16:44:54 | 00,242,808 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe -- (ccSetMgr [Auto | Running])
SRV - [2004/02/29 16:44:52 | 00,087,160 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe -- (ccPwdSvc [On_Demand | Stopped])
SRV - [2003/08/12 22:25:24 | 00,319,488 | ---- | M] () -- C:\WINDOWS\System32\Ati2evxx.exe -- (Ati HotKey Poller [Auto | Running])
SRV - [2003/07/28 12:28:22 | 00,089,136 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE -- (ose [On_Demand | Stopped])

========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?p...&ar=msnhome
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...ER}&ar=home
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm


IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,XMLHTTP_UUID_Default = 0F 14 A8 01 11 B8 0A 40 B7 22 73 2B 5E EE 9B C6 [binary data]
IE - HKU\.DEFAULT\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,XMLHTTP_UUID_Default = 0F 14 A8 01 11 B8 0A 40 B7 22 73 2B 5E EE 9B C6 [binary data]
IE - HKU\S-1-5-18\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\Main,XMLHTTP_UUID_Default = 0F 14 A8 01 11 B8 0A 40 B7 22 73 2B 5E EE 9B C6 [binary data]

IE - HKU\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\Main,XMLHTTP_UUID_Default = 0F 14 A8 01 11 B8 0A 40 B7 22 73 2B 5E EE 9B C6 [binary data]

IE - HKU\S-1-5-21-842925246-1682526488-1060284298-500\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKU\S-1-5-21-842925246-1682526488-1060284298-500\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
IE - HKU\S-1-5-21-842925246-1682526488-1060284298-500\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.in/
IE - HKU\S-1-5-21-842925246-1682526488-1060284298-500\SOFTWARE\Microsoft\Internet Explorer\Main,XMLHTTP_UUID_Default = 0F 14 A8 01 11 B8 0A 40 B7 22 73 2B 5E EE 9B C6 [binary data]
IE - HKU\S-1-5-21-842925246-1682526488-1060284298-500\..\URLSearchHook: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
IE - HKU\S-1-5-21-842925246-1682526488-1060284298-500\S-1-5-21-842925246-1682526488-1060284298-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
IE - HKU\S-1-5-21-842925246-1682526488-1060284298-500\S-1-5-21-842925246-1682526488-1060284298-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>
IE - HKU\S-1-5-21-842925246-1682526488-1060284298-500\S-1-5-21-842925246-1682526488-1060284298-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = 192.168.5.139:3128

========== FireFox ==========

FF - prefs.js..extensions.enabledItems: {cb5bc8e2-0f86-42f3-a6ba-760170276f51}:1.0
FF - prefs.js..extensions.enabledItems: {635abd67-4fe9-1b23-4f01-e679fa7484c1}:1.6.6.20090220
FF - prefs.js..extensions.enabledItems: {972ce4c6-7e08-4474-a285-3208198ce6fd}:3.5.3
FF - prefs.js..network.proxy.http: "192.168.5.139"
FF - prefs.js..network.proxy.http_port: 3128


FF - HKLM\software\mozilla\Mozilla Firefox 3.5.3\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2009/09/29 10:52:08 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.3\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2009/09/18 10:03:03 | 00,000,000 | ---D | M]

[2009/07/14 14:32:53 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\mozilla\Extensions
[2009/07/14 14:32:53 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}
[2009/10/05 14:11:53 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\mozilla\Firefox\Profiles\bjqeugip.default\extensions
[2009/07/16 10:41:23 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\mozilla\Firefox\Profiles\bjqeugip.default\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
[2009/10/12 11:37:05 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\mozilla\Firefox\Profiles\bjqeugip.default\extensions\{cb5bc8e2-0f86-42f3-a6ba-760170276f51}
[2009/07/14 14:32:25 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions
[2009/09/18 10:03:03 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
[2009/09/18 10:02:59 | 00,023,544 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browserdirprovider.dll
[2009/09/18 10:02:59 | 00,137,208 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\brwsrcmp.dll
[2009/09/18 10:03:00 | 00,065,016 | ---- | M] (mozilla.org) -- C:\Program Files\mozilla firefox\plugins\npnul32.dll
[2009/06/24 16:57:00 | 00,001,394 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\amazondotcom.xml
[2009/06/24 16:57:00 | 00,002,193 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\answers.xml
[2009/06/24 16:57:00 | 00,001,534 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\creativecommons.xml
[2009/06/24 16:57:00 | 00,002,344 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\eBay.xml
[2009/06/24 16:57:00 | 00,002,371 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\google.xml
[2009/06/24 16:57:00 | 00,001,178 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\wikipedia.xml
[2009/06/24 16:57:00 | 00,000,792 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\yahoo.xml

O1 HOSTS File: (734 bytes) - C:\WINDOWS\System32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (&Yahoo! Toolbar Helper) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
O2 - BHO: (AcroIEHlprObj Class) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: () - {8F61501E-0A18-47F9-A5F5-AF07520CAD35} - C:\WINDOWS\System32\trgmuix.dll ()
O2 - BHO: (SingleInstance Class) - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll (Yahoo! Inc)
O3 - HKLM\..\Toolbar: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
O3 - HKU\S-1-5-21-842925246-1682526488-1060284298-500\..\Toolbar\WebBrowser: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
O4 - HKLM..\Run: [ATIModeChange] C:\WINDOWS\System32\Ati2mdxx.exe (ATI Technologies, Inc.)
O4 - HKLM..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe (ATI Technologies, Inc.)
O4 - HKLM..\Run: [ccApp] File not found
O4 - HKLM..\Run: [Malwarebytes Anti-Malware (reboot)] C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe (Malwarebytes Corporation)
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_07\bin\jusched.exe ()
O4 - HKLM..\Run: [WinampAgent] C:\Program Files\Winamp\Winampa.exe ()
O4 - HKU\S-1-5-21-842925246-1682526488-1060284298-500..\Run: [Messenger (Yahoo!)] C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe (Yahoo! Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (Adobe Systems, Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE (WinZip Computing, Inc.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-842925246-1682526488-1060284298-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-842925246-1682526488-1060284298-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NofolderOptions = 0
O7 - HKU\S-1-5-21-842925246-1682526488-1060284298-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableTaskMgr = 0
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - Reg Error: Key error. File not found
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\OFFICE11\REFIEBAR.DLL (Microsoft Corporation)
O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - C:\WINDOWS\System32\rsvpsp.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - C:\WINDOWS\System32\rsvpsp.dll (Microsoft Corporation)
O15 - HKLM\..Trusted Domains: 1 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://dlc.sun.com/jdk/j2re-1_4_2_07-windows-i586-p.exe (Java Plug-in 1.4.2_07)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flash...r/ultrashim.cab (Reg Error: Value error.)
O16 - DPF: {CAFEEFAC-0014-0002-0007-ABCDEFFEDCBA} http://java.sun.com/products/plugin/autodl...indows-i586.cab (Java Plug-in 1.4.2_07)
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\ipp - No CLSID value found
O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp - No CLSID value found
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\mso-offdap {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL (Microsoft Corporation)
O18 - Protocol\Handler\mso-offdap11 {32505114-5902-49B2-880A-1F7738E5A384} - C:\Program Files\Common Files\Microsoft Shared\Web Components\11\OWC11.DLL (Microsoft Corporation)
O18 - Protocol\Filter: - text/xml - C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\Explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\System32\userinit.exe ()
O20 - HKLM Winlogon: TaskMan - (C:\RECYCLER\S-1-5-21-8729673389-7251395024-878860705-1597\hdav.exe) - C:\RECYCLER\S-1-5-21-8729673389-7251395024-878860705-1597\hdav.exe ()
O20 - Winlogon\Notify\aeindhmv: DllName - trgmuix.dll - C:\WINDOWS\System32\trgmuix.dll ()
O20 - Winlogon\Notify\NavLogon: DllName - C:\WINDOWS\system32\NavLogon.dll - C:\WINDOWS\System32\NavLogon.dll (Symantec Corporation)
O24 - Desktop Components:0 (My Current Home Page) - About:Home
O31 - SafeBoot: AlternateShell - cmd.exe
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/03/21 21:29:21 | 00,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - Unable to obtain root file information for disk G:\
O33 - MountPoints2\{0d5956c0-5b09-11de-9bd5-000bdb021a4a}\Shell - "" = AutoRun
O33 - MountPoints2\{0d5956c0-5b09-11de-9bd5-000bdb021a4a}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{270d3960-1613-11de-9b94-000bdb021a4a}\Shell\AutoRun\command - "" = G:\DRIVE\file.exe -- [2009/05/18 15:17:58 | 00,214,979 | RHS- | M] ()
O33 - MountPoints2\{270d3960-1613-11de-9b94-000bdb021a4a}\Shell\open\command - "" = G:\DRIVE\file.exe -- [2009/05/18 15:17:58 | 00,214,979 | RHS- | M] ()
O33 - MountPoints2\{317041f0-1fb2-11de-9b9f-000bdb021a4a}\Shell\AutoRun\command - "" = G:\RECYCL\autrun.exe -- [2009/09/03 13:42:46 | 00,120,832 | RHS- | M] ()
O33 - MountPoints2\{317041f0-1fb2-11de-9b9f-000bdb021a4a}\Shell\open\command - "" = G:\RECYCL\autrun.exe -- [2009/09/03 13:42:46 | 00,120,832 | RHS- | M] ()
O33 - MountPoints2\{3cebcaf2-1d46-11de-9b99-000bdb021a4a}\Shell\Autoplay\cOmmand - "" = Mediacontrol.exe
O33 - MountPoints2\{3cebcaf2-1d46-11de-9b99-000bdb021a4a}\Shell\AutoRun\command - "" = Mediacontrol.exe
O33 - MountPoints2\{3cebcaf2-1d46-11de-9b99-000bdb021a4a}\Shell\Explore\commAnd - "" = Mediacontrol.exe
O33 - MountPoints2\{3cebcaf2-1d46-11de-9b99-000bdb021a4a}\Shell\Open\comMAnd - "" = Mediacontrol.exe
O33 - MountPoints2\{46ffa7f0-662b-11de-9bde-000bdb021a4a}\Shell\AutoRun\command - "" = G:\folder.tmp\tmp.exe -- File not found
O33 - MountPoints2\{46ffa7f0-662b-11de-9bde-000bdb021a4a}\Shell\explore\command - "" = G:\folder.tmp\tmp.exe -- File not found
O33 - MountPoints2\{46ffa7f0-662b-11de-9bde-000bdb021a4a}\Shell\open\command - "" = G:\folder.tmp\tmp.exe -- File not found
O33 - MountPoints2\{4e0ee970-85a9-11de-9c05-000bdb021a4a}\Shell\Autoplay\cOmmand - "" = Mediacontrol.exe
O33 - MountPoints2\{4e0ee970-85a9-11de-9c05-000bdb021a4a}\Shell\AutoRun\command - "" = Mediacontrol.exe
O33 - MountPoints2\{4e0ee970-85a9-11de-9c05-000bdb021a4a}\Shell\Explore\commAnd - "" = Mediacontrol.exe
O33 - MountPoints2\{4e0ee970-85a9-11de-9c05-000bdb021a4a}\Shell\Open\comMAnd - "" = Mediacontrol.exe
O33 - MountPoints2\{6cff4f10-97bb-11de-9c1d-000bdb021a4a}\Shell - "" = AutoRun
O33 - MountPoints2\{6cff4f10-97bb-11de-9c1d-000bdb021a4a}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{6cff4f10-97bb-11de-9c1d-000bdb021a4a}\Shell\AutoRun\command - "" = G:\AutoRun.exe -- File not found
O33 - MountPoints2\{6cff4f13-97bb-11de-9c1d-000bdb021a4a}\Shell - "" = AutoRun
O33 - MountPoints2\{6cff4f13-97bb-11de-9c1d-000bdb021a4a}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{6cff4f13-97bb-11de-9c1d-000bdb021a4a}\Shell\AutoRun\command - "" = G:\AutoRun.exe -- File not found
O34 - HKLM BootExecute: (autocheck) - File not found
O34 - HKLM BootExecute: (autochk) - C:\WINDOWS\System32\autochk.exe (Microsoft Corporation)
O34 - HKLM BootExecute: (*) - File not found
O35 - comfile [open] -- "%1" %* File not found
O35 - exefile [open] -- "%1" %* File not found

NetSvcs: 6to4 - Service key not found. File not found
NetSvcs: ejtdwvjj - Service key not found. File not found
NetSvcs: Ias - Service key not found. File not found
NetSvcs: Iprip - Service key not found. File not found
NetSvcs: Irmon - Service key not found. File not found
NetSvcs: NWCWorkstation - Service key not found. File not found
NetSvcs: Nwsapagent - Service key not found. File not found
NetSvcs: WmdmPmSp - Service key not found. File not found
NetSvcs: helpsvc - C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll (Microsoft Corporation)

========== Files/Folders - Created Within 14 Days ==========

[1 C:\WINDOWS\System32\*.tmp files]
[3 C:\WINDOWS\*.tmp files]
[2009/10/12 11:44:54 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2009/10/09 18:42:21 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\cculcbqy
[2009/10/07 22:02:01 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\dvdcss
[2009/10/12 11:45:01 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
[2009/10/09 18:42:21 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Local Settings\Application Data\cculcbqy
[2009/10/12 11:44:54 | 00,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2009/10/09 10:25:53 | 00,000,000 | ---D | C] -- C:\Program Files\Trend Micro
[2009/10/12 12:28:01 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\SoftwareDistribution
[2009/10/12 12:27:52 | 00,000,000 | ---D | C] -- C:\WINDOWS\LastGood
[2009/10/12 11:44:56 | 00,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2009/10/12 11:44:54 | 00,019,160 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys

========== Files - Modified Within 14 Days ==========

[1 C:\WINDOWS\System32\*.tmp files]
[3 C:\WINDOWS\*.tmp files]
[2009/10/12 12:38:30 | 00,000,095 | ---- | M] () -- C:\WINDOWS\winamp.ini
[2009/10/12 11:55:20 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2009/10/12 11:55:17 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2009/10/12 11:44:59 | 00,000,696 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2009/10/12 10:15:26 | 00,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2009/10/09 15:19:14 | 00,000,434 | ---- | M] () -- C:\WINDOWS\tasks\At2.job
[2009/10/09 10:54:01 | 00,000,000 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\settings.dat
[2009/10/07 17:48:29 | 00,494,813 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\cms_040980.pdf
[2009/10/06 17:26:38 | 02,515,938 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\principles of docking.pdf
[2009/10/06 15:43:00 | 00,114,445 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\snapCGHpracI.pdf
[2009/10/06 12:23:42 | 01,634,072 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\IBSC_DBT-nominee.JPG
[2009/10/06 12:20:45 | 07,357,704 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\IBSC_DBT-nominee.tif
[2009/10/05 12:18:45 | 00,000,162 | -H-- | M] () -- C:\Documents and Settings\Administrator\Desktop\~$ma bank dets.doc
[2009/10/05 09:59:53 | 00,036,864 | ---- | M] () -- C:\WINDOWS\System32\userinit.exe
[2009/10/03 20:04:49 | 01,048,539 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\fulltext .pdf
[2009/10/03 17:19:58 | 06,508,032 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\Progress report April-Sep2009.ppt
[2009/10/03 16:09:12 | 01,312,960 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\snapCGH_1.12.0.zip
[2009/10/03 10:52:51 | 00,589,989 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\miR21 targeting breast cancer_Yi Yang .pdf
[2009/10/01 12:39:41 | 00,307,200 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\DBT nominee letter_100109.doc
[2009/09/30 20:49:07 | 00,532,518 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\journal.pmed.1000046.pdf
[2009/09/30 20:47:06 | 00,485,738 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\RAPID .pdf
[2009/09/30 20:18:23 | 00,020,480 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\new DBT nominee.doc
[2009/09/29 21:38:23 | 00,000,749 | -H-- | M] () -- C:\Documents and Settings\All Users\Documents\os049389.bin

========== Files - No Company Name ==========
[2009/10/12 11:44:59 | 00,000,696 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2009/10/09 10:54:01 | 00,000,000 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\settings.dat
[2009/10/07 17:48:29 | 00,494,813 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\cms_040980.pdf
[2009/10/06 17:26:37 | 02,515,938 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\principles of docking.pdf
[2009/10/06 15:43:00 | 00,114,445 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\snapCGHpracI.pdf
[2009/10/06 12:23:42 | 01,634,072 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\IBSC_DBT-nominee.JPG
[2009/10/06 12:20:44 | 07,357,704 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\IBSC_DBT-nominee.tif
[2009/10/05 12:18:45 | 00,000,162 | -H-- | C] () -- C:\Documents and Settings\Administrator\Desktop\~$ma bank dets.doc
[2009/10/03 20:04:48 | 01,048,539 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\fulltext .pdf
[2009/10/03 17:19:57 | 06,508,032 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\Progress report April-Sep2009.ppt
[2009/10/03 15:54:17 | 01,312,960 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\snapCGH_1.12.0.zip
[2009/10/03 10:52:51 | 00,589,989 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\miR21 targeting breast cancer_Yi Yang .pdf
[2009/10/01 12:18:38 | 00,307,200 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\DBT nominee letter_100109.doc
[2009/09/30 20:49:07 | 00,532,518 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\journal.pmed.1000046.pdf
[2009/09/30 20:47:06 | 00,485,738 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\RAPID .pdf
[2009/09/30 19:53:57 | 00,020,480 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\new DBT nominee.doc
[2009/09/30 16:53:35 | 00,004,234 | ---- | C] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\8F61501E-0A18-47F9-A5F5-AF07520CAD35.txt
[2009/09/29 12:05:26 | 00,000,434 | ---- | C] () -- C:\WINDOWS\tasks\At2.job
[2009/08/06 15:36:46 | 00,237,568 | R--- | C] () -- C:\WINDOWS\System32\hppapr02.dll
[2009/06/16 12:50:37 | 00,000,028 | ---- | C] () -- C:\WINDOWS\pdf995.ini
[2009/04/17 07:54:22 | 00,000,000 | ---- | C] () -- C:\WINDOWS\VPC32.INI
[2009/04/17 07:12:52 | 00,000,000 | RHS- | C] () -- C:\WINDOWS\System32\setting.ini
[2009/04/12 22:51:05 | 00,000,096 | RHS- | C] () -- C:\WINDOWS\System32\setup.ini
[2009/04/03 00:16:53 | 00,000,736 | ---- | C] () -- C:\WINDOWS\SamsungMaster.INI
[2009/04/03 00:16:36 | 00,010,752 | ---- | C] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/03/30 21:47:14 | 00,040,448 | ---- | C] () -- C:\WINDOWS\System32\regobj.dll
[2009/03/30 21:47:13 | 01,056,768 | ---- | C] () -- C:\WINDOWS\System32\gsl.DLL
[2009/03/30 21:47:13 | 00,172,032 | ---- | C] () -- C:\WINDOWS\System32\gslcblas.DLL
[2009/03/23 21:57:40 | 00,000,060 | ---- | C] () -- C:\WINDOWS\wpd99.drv
[2009/03/23 21:57:39 | 00,051,716 | ---- | C] () -- C:\WINDOWS\System32\pdf995mon.dll
[2009/03/22 02:48:27 | 00,000,062 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\desktop.ini
[2009/03/21 23:06:17 | 00,086,016 | ---- | C] () -- C:\WINDOWS\System32\ati2evxx.dll
[2009/03/21 23:01:47 | 00,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2009/03/21 21:40:21 | 05,357,574 | -H-- | C] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\IconCache.db
[2009/03/21 21:36:56 | 00,042,168 | ---- | C] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
[2009/03/21 21:36:10 | 00,000,062 | -HS- | C] () -- C:\Documents and Settings\Administrator\Application Data\desktop.ini
[2009/03/21 18:08:21 | 00,765,952 | ---- | C] () -- C:\WINDOWS\System32\xvidcore.dll
[2009/03/21 18:08:21 | 00,180,224 | ---- | C] () -- C:\WINDOWS\System32\xvidvfw.dll
[2009/03/21 01:27:18 | 00,000,095 | ---- | C] () -- C:\WINDOWS\winamp.ini
[2009/03/21 01:27:16 | 00,088,064 | ---- | C] () -- C:\WINDOWS\System32\AudioExCtl.dll
[2004/08/04 00:56:44 | 00,081,920 | ---- | C] () -- C:\WINDOWS\System32\ieencode.dll
[2004/07/17 11:36:38 | 00,027,440 | ---- | C] () -- C:\WINDOWS\System32\drivers\secdrv.sys
[2003/01/07 15:05:08 | 00,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI
[2001/08/23 11:30:00 | 00,147,968 | ---- | C] () -- C:\WINDOWS\System32\kufpoaov.dll
[2001/08/23 11:30:00 | 00,147,968 | ---- | C] () -- C:\WINDOWS\System32\enhrwwub.dll
[2001/08/23 11:30:00 | 00,102,400 | ---- | C] () -- C:\WINDOWS\System32\xatanmc.dll
[2001/08/23 11:30:00 | 00,102,400 | ---- | C] () -- C:\WINDOWS\System32\trgmuix.dll
[2001/08/23 11:30:00 | 00,000,594 | ---- | C] () -- C:\WINDOWS\win.ini
[2001/08/23 11:30:00 | 00,000,227 | ---- | C] () -- C:\WINDOWS\system.ini

========== LOP Check ==========

[2009/10/12 11:45:01 | 00,000,000 | RH-D | M] -- C:\Documents and Settings\Administrator\Application Data
[2009/10/09 18:42:21 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\cculcbqy
[2009/10/07 22:04:49 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\dvdcss
[2009/06/16 12:50:37 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\pdf995
[2009/10/12 11:44:54 | 00,000,000 | RH-D | M] -- C:\Documents and Settings\All Users\Application Data
[2009/06/18 14:27:28 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\pdf995
[2009/03/22 02:48:27 | 00,000,000 | RH-D | M] -- C:\Documents and Settings\Default User\Application Data
[2009/10/03 20:37:53 | 00,000,000 | RH-D | M] -- C:\Documents and Settings\Lakshmi\Application Data
[2009/10/03 20:37:53 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Lakshmi\Application Data\cculcbqy
[2009/03/21 21:35:57 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data
[2009/10/09 17:42:03 | 00,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Application Data
[2009/10/09 17:42:03 | 00,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Application Data\cculcbqy
[2009/06/01 09:00:00 | 00,000,350 | ---- | M] () -- C:\WINDOWS\Tasks\At1.job
[2009/10/09 15:19:14 | 00,000,434 | ---- | M] () -- C:\WINDOWS\Tasks\At2.job
[2001/08/23 11:30:00 | 00,000,065 | RH-- | M] () -- C:\WINDOWS\Tasks\desktop.ini
[2009/10/12 11:55:20 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\Tasks\SA.DAT

========== Purity Check ==========



========== Custom Scans ==========


< %SYSTEMDRIVE%\*.exe >

< %systemroot%\system32\eventlog.dll >
[2004/08/04 00:56:44 | 00,055,808 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\eventlog.dll
[1 C:\WINDOWS\system32\*.tmp files]

< %systemroot%\system32\scecli.dll >
[2004/08/04 00:56:46 | 00,180,224 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\scecli.dll
[1 C:\WINDOWS\system32\*.tmp files]

< %systemroot%\netlogon.dll >

< %systemroot%\system32\cngaudit.dll >

< %systemroot%\system32\sceclt.dll >

< %systemroot%\ntelogon.dll >

< %systemroot%\system32\logevent.dll >
< End of report >

Please let me know how to fix the problem.

Thanks a lot!!!

Lacchu


#4 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:04:40 PM

Posted 12 October 2009 - 06:59 AM

Run OTL.exe
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    :OTL
    SRV - File not found -- Service key not found. -- (ejtdwvjj [Unknown | Stopped])
    O2 - BHO: () - {8F61501E-0A18-47F9-A5F5-AF07520CAD35} - C:\WINDOWS\System32\trgmuix.dll ()
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://dlc.sun.com/jdk/j2re-1_4_2_07-windows-i586-p.exe (Java Plug-in 1.4.2_07)
    O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flash...r/ultrashim.cab (Reg Error: Value error.)
    O16 - DPF: {CAFEEFAC-0014-0002-0007-ABCDEFFEDCBA} http://java.sun.com/products/plugin/autodl...indows-i586.cab (Java Plug-in 1.4.2_07)
    O20 - HKLM Winlogon: TaskMan - (C:\RECYCLER\S-1-5-21-8729673389-7251395024-878860705-1597\hdav.exe) - C:\RECYCLER\S-1-5-21-8729673389-7251395024-878860705-1597\hdav.exe ()
    O20 - Winlogon\Notify\aeindhmv: DllName - trgmuix.dll - C:\WINDOWS\System32\trgmuix.dll ()
    O33 - MountPoints2\{270d3960-1613-11de-9b94-000bdb021a4a}\Shell\AutoRun\command - "" = G:\DRIVE\file.exe -- [2009/05/18 15:17:58 | 00,214,979 | RHS- | M] ()
    O33 - MountPoints2\{270d3960-1613-11de-9b94-000bdb021a4a}\Shell\open\command - "" = G:\DRIVE\file.exe -- [2009/05/18 15:17:58 | 00,214,979 | RHS- | M] ()
    O33 - MountPoints2\{317041f0-1fb2-11de-9b9f-000bdb021a4a}\Shell\AutoRun\command - "" = G:\RECYCL\autrun.exe -- [2009/09/03 13:42:46 | 00,120,832 | RHS- | M] ()
    O33 - MountPoints2\{317041f0-1fb2-11de-9b9f-000bdb021a4a}\Shell\open\command - "" = G:\RECYCL\autrun.exe -- [2009/09/03 13:42:46 | 00,120,832 | RHS- | M] ()
    O33 - MountPoints2\{3cebcaf2-1d46-11de-9b99-000bdb021a4a}\Shell\Autoplay\cOmmand - "" = Mediacontrol.exe
    O33 - MountPoints2\{3cebcaf2-1d46-11de-9b99-000bdb021a4a}\Shell\AutoRun\command - "" = Mediacontrol.exe
    O33 - MountPoints2\{3cebcaf2-1d46-11de-9b99-000bdb021a4a}\Shell\Explore\commAnd - "" = Mediacontrol.exe
    O33 - MountPoints2\{3cebcaf2-1d46-11de-9b99-000bdb021a4a}\Shell\Open\comMAnd - "" = Mediacontrol.exe
    O33 - MountPoints2\{46ffa7f0-662b-11de-9bde-000bdb021a4a}\Shell\AutoRun\command - "" = G:\folder.tmp\tmp.exe -- File not found
    O33 - MountPoints2\{46ffa7f0-662b-11de-9bde-000bdb021a4a}\Shell\explore\command - "" = G:\folder.tmp\tmp.exe -- File not found
    O33 - MountPoints2\{46ffa7f0-662b-11de-9bde-000bdb021a4a}\Shell\open\command - "" = G:\folder.tmp\tmp.exe -- File not found
    O33 - MountPoints2\{4e0ee970-85a9-11de-9c05-000bdb021a4a}\Shell\Autoplay\cOmmand - "" = Mediacontrol.exe
    O33 - MountPoints2\{4e0ee970-85a9-11de-9c05-000bdb021a4a}\Shell\AutoRun\command - "" = Mediacontrol.exe
    O33 - MountPoints2\{4e0ee970-85a9-11de-9c05-000bdb021a4a}\Shell\Explore\commAnd - "" = Mediacontrol.exe
    O33 - MountPoints2\{4e0ee970-85a9-11de-9c05-000bdb021a4a}\Shell\Open\comMAnd - "" = Mediacontrol.exe
    O33 - MountPoints2\{6cff4f10-97bb-11de-9c1d-000bdb021a4a}\Shell - "" = AutoRun
    O33 - MountPoints2\{6cff4f10-97bb-11de-9c1d-000bdb021a4a}\Shell\AutoRun - "" = Auto&Play
    O33 - MountPoints2\{6cff4f10-97bb-11de-9c1d-000bdb021a4a}\Shell\AutoRun\command - "" = G:\AutoRun.exe -- File not found
    O33 - MountPoints2\{6cff4f13-97bb-11de-9c1d-000bdb021a4a}\Shell - "" = AutoRun
    O33 - MountPoints2\{6cff4f13-97bb-11de-9c1d-000bdb021a4a}\Shell\AutoRun - "" = Auto&Play
    O33 - MountPoints2\{6cff4f13-97bb-11de-9c1d-000bdb021a4a}\Shell\AutoRun\command - "" = G:\AutoRun.exe -- File not found
    
    :Files
    C:\WINDOWS\tasks\At*.job
    
    :Commands
    [purity]
    [emptytemp]
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot when it is done
  • You will get a log that shows the results of the fix. Please post it.
  • Then also run and post a new OTL log.


=====================


Please run a free online scan with the ESET Online Scanner
Note: You will need to use Internet Explorer for this scan
  • Tick the box next to YES, I accept the Terms of Use
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the options Remove found threats and Scan unwanted applications are checked
  • Click Scan (This scan can take several hours, so please be patient)
  • Once the scan is completed, you may close the window
  • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic

If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!
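As an added illustration of how a fix script like the one above gets assembled from an OTL log (example code written for this page, not OTL's own tool or Buckeye_Sam's script): a small Python triage that reads OTL lines of the kind posted in this thread, flags the entries a defender would question (Winlogon values outside the expected set, BHO and Winlogon notify DLLs with no version information, cached removable-drive autorun handlers under MountPoints2) and emits the flagged lines in the :OTL / :Commands layout. The heuristics, the EXPECTED_WINLOGON table and the SAMPLE_LOG lines (copied from the log above) are this example's own constructions.

```python
import re

# Constructed sample: a subset of lines copied from the OTL log posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: (&Yahoo! Toolbar Helper) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
O2 - BHO: () - {8F61501E-0A18-47F9-A5F5-AF07520CAD35} - C:\WINDOWS\System32\trgmuix.dll ()
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\Explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\System32\userinit.exe ()
O20 - HKLM Winlogon: TaskMan - (C:\RECYCLER\S-1-5-21-8729673389-7251395024-878860705-1597\hdav.exe) - C:\RECYCLER\S-1-5-21-8729673389-7251395024-878860705-1597\hdav.exe ()
O20 - Winlogon\Notify\aeindhmv: DllName - trgmuix.dll - C:\WINDOWS\System32\trgmuix.dll ()
O20 - Winlogon\Notify\NavLogon: DllName - C:\WINDOWS\system32\NavLogon.dll - C:\WINDOWS\System32\NavLogon.dll (Symantec Corporation)
O33 - MountPoints2\{270d3960-1613-11de-9b94-000bdb021a4a}\Shell\AutoRun\command - "" = G:\DRIVE\file.exe -- [2009/05/18 15:17:58 | 00,214,979 | RHS- | M] ()
O33 - MountPoints2\{3cebcaf2-1d46-11de-9b99-000bdb021a4a}\Shell\Open\comMAnd - "" = Mediacontrol.exe
O33 - MountPoints2\{6cff4f10-97bb-11de-9c1d-000bdb021a4a}\Shell - "" = AutoRun
"""

# OTL prints the file's company name in trailing parentheses; "()" means no version info.
TRAILING_COMPANY = re.compile(r"\(([^()]*)\)\s*$")
WINLOGON_VALUE = re.compile(r"^O20 - HKLM Winlogon: (\w+) - \(([^)]*)\) - ")
WINLOGON_NOTIFY = re.compile(r"^O20 - Winlogon\\Notify\\(\w+): DllName - ")

# Values a clean Windows XP Winlogon key is expected to carry (this example's own table).
EXPECTED_WINLOGON = {"shell": "explorer.exe", "userinit": "userinit.exe"}


def company_of(line):
    """Company name from the trailing '(...)' field, or '' when absent or empty."""
    m = TRAILING_COMPANY.search(line)
    return m.group(1).strip() if m else ""


def classify(line):
    """Return (severity, reason) for one OTL line, or None if nothing stands out.

    severity 'fix'    -> goes into the :OTL section of the fix script
    severity 'review' -> worth a manual look, not removed automatically
    """
    if line.startswith("O2 - BHO:"):
        if not company_of(line):
            return "fix", "BHO with no version/company information"
        return None

    m = WINLOGON_VALUE.match(line)
    if m:
        value, data = m.group(1), m.group(2)
        expected = EXPECTED_WINLOGON.get(value.lower())
        if expected is None:
            # XP does not set TaskMan by default; whatever is here runs at logon.
            return "fix", f"unexpected Winlogon value {value} -> {data}"
        if data.lower().rsplit("\\", 1)[-1] != expected:
            return "fix", f"Winlogon {value} points at {data} instead of {expected}"
        if not company_of(line):
            # A core logon binary without version info deserves a second look,
            # but deleting it would break logon, so it is only flagged.
            return "review", f"Winlogon {value} binary has no version information"
        return None

    m = WINLOGON_NOTIFY.match(line)
    if m and not company_of(line):
        return "fix", f"Winlogon notify package {m.group(1)} with no version information"

    if line.startswith("O33 - MountPoints2\\"):
        # Cached autorun.inf handlers for removable drives; Windows rebuilds the
        # key when the media is reinserted, so removing the entry costs nothing.
        return "fix", "removable-drive autorun handler cached in MountPoints2"

    return None


def triage(log_text):
    """Scan OTL log text and return a list of findings (dicts with line, severity, reason)."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        result = classify(line)
        if result:
            severity, reason = result
            findings.append({"line": line, "severity": severity, "reason": reason})
    return findings


def build_otl_fix(findings):
    """Assemble an OTL fix script in the :OTL / :Commands layout used in this thread."""
    fix_lines = [f["line"] for f in findings if f["severity"] == "fix"]
    return "\n".join([":OTL", *fix_lines, "", ":Commands", "[purity]", "[emptytemp]", "[Reboot]"])


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f"[{f['severity']}] {f['reason']}")
    print()
    print(build_otl_fix(found))
```

Run against the sample, the triage flags six entries for the fix script and leaves the unsigned userinit.exe as a review item; the Yahoo! and Symantec entries with proper version information are not flagged.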


========================================================

#5 lacchu

lacchu
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:03:10 AM

Posted 13 October 2009 - 04:15 AM

Hello Mr. Sam,

I did not get any report after running OTL. When I ran OTL.exe, I got a message "The application or DLL is not a valid Windows message. Please check this against your installation diskette" and also got a message "Access violation..."

After the scans you had asked me to perform, I am able to see three new folders (Recycler, System volume information and MSOCache) in all the Drives C, D and F. Also, the hidden Word documents (document name starts with $) have shown up. For instance: ~$ite up - Amritha_012908.doc

Is there anything serious happening with these scans? Now I am afraid of all this. Can you explain to me what's happening in all these scans? Can I delete these hidden files?

In local disk C, there was a folder created for OTL and I got a log report saved there. Please find it below:


All processes killed
========== OTL ==========
Service\Driver ejtdwvjj not found.
Service\Driver ejtdwvjj not found.
File Service key not found. not found.
Registry delete failed. HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8F61501E-0A18-47F9-A5F5-AF07520CAD35}\ scheduled to be deleted on reboot.
Unable to delete registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8F61501E-0A18-47F9-A5F5-AF07520CAD35}\ .
LoadLibrary failed for C:\WINDOWS\System32\trgmuix.dll
C:\WINDOWS\System32\trgmuix.dll NOT unregistered.
File move failed. C:\WINDOWS\System32\trgmuix.dll scheduled to be moved on reboot.
Starting removal of ActiveX control {8AD9C840-044E-11D1-B3E9-00805F499D93}
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ not found.
Starting removal of ActiveX control {8FFBE65D-2C9C-4669-84BD-5829DC0B603C}
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}\ not found.
Starting removal of ActiveX control {CAFEEFAC-0014-0002-0007-ABCDEFFEDCBA}
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0014-0002-0007-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0007-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-0014-0002-0007-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0007-ABCDEFFEDCBA}\ not found.
Registry delete failed. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\TaskMan:C:\RECYCLER\S-1-5-21-8729673389-7251395024-878860705-1597\hdav.exe scheduled to be deleted on reboot.
File C:\RECYCLER\S-1-5-21-8729673389-7251395024-878860705-1597\hdav.exe not found.
Registry delete failed. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\aeindhmv\ scheduled to be deleted on reboot.
LoadLibrary failed for C:\WINDOWS\System32\trgmuix.dll
C:\WINDOWS\System32\trgmuix.dll NOT unregistered.
File move failed. C:\WINDOWS\System32\trgmuix.dll scheduled to be moved on reboot.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{270d3960-1613-11de-9b94-000bdb021a4a}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{270d3960-1613-11de-9b94-000bdb021a4a}\ not found.
File G:\DRIVE\file.exe not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{270d3960-1613-11de-9b94-000bdb021a4a}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{270d3960-1613-11de-9b94-000bdb021a4a}\ not found.
File G:\DRIVE\file.exe not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{317041f0-1fb2-11de-9b9f-000bdb021a4a}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{317041f0-1fb2-11de-9b9f-000bdb021a4a}\ not found.
File G:\RECYCL\autrun.exe not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{317041f0-1fb2-11de-9b9f-000bdb021a4a}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{317041f0-1fb2-11de-9b9f-000bdb021a4a}\ not found.
File G:\RECYCL\autrun.exe not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{3cebcaf2-1d46-11de-9b99-000bdb021a4a}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3cebcaf2-1d46-11de-9b99-000bdb021a4a}\ not found.
File Mediacontrol.exe not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{3cebcaf2-1d46-11de-9b99-000bdb021a4a}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3cebcaf2-1d46-11de-9b99-000bdb021a4a}\ not found.
File Mediacontrol.exe not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{3cebcaf2-1d46-11de-9b99-000bdb021a4a}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3cebcaf2-1d46-11de-9b99-000bdb021a4a}\ not found.
File Mediacontrol.exe not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{3cebcaf2-1d46-11de-9b99-000bdb021a4a}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3cebcaf2-1d46-11de-9b99-000bdb021a4a}\ not found.
File Mediacontrol.exe not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{46ffa7f0-662b-11de-9bde-000bdb021a4a}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{46ffa7f0-662b-11de-9bde-000bdb021a4a}\ not found.
File G:\folder.tmp\tmp.exe not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{46ffa7f0-662b-11de-9bde-000bdb021a4a}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{46ffa7f0-662b-11de-9bde-000bdb021a4a}\ not found.
File G:\folder.tmp\tmp.exe not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{46ffa7f0-662b-11de-9bde-000bdb021a4a}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{46ffa7f0-662b-11de-9bde-000bdb021a4a}\ not found.
File G:\folder.tmp\tmp.exe not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{4e0ee970-85a9-11de-9c05-000bdb021a4a}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4e0ee970-85a9-11de-9c05-000bdb021a4a}\ not found.
File Mediacontrol.exe not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{4e0ee970-85a9-11de-9c05-000bdb021a4a}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4e0ee970-85a9-11de-9c05-000bdb021a4a}\ not found.
File Mediacontrol.exe not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{4e0ee970-85a9-11de-9c05-000bdb021a4a}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4e0ee970-85a9-11de-9c05-000bdb021a4a}\ not found.
File Mediacontrol.exe not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{4e0ee970-85a9-11de-9c05-000bdb021a4a}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4e0ee970-85a9-11de-9c05-000bdb021a4a}\ not found.
File Mediacontrol.exe not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{6cff4f10-97bb-11de-9c1d-000bdb021a4a}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6cff4f10-97bb-11de-9c1d-000bdb021a4a}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{6cff4f10-97bb-11de-9c1d-000bdb021a4a}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6cff4f10-97bb-11de-9c1d-000bdb021a4a}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{6cff4f10-97bb-11de-9c1d-000bdb021a4a}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6cff4f10-97bb-11de-9c1d-000bdb021a4a}\ not found.
File G:\AutoRun.exe not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{6cff4f13-97bb-11de-9c1d-000bdb021a4a}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6cff4f13-97bb-11de-9c1d-000bdb021a4a}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{6cff4f13-97bb-11de-9c1d-000bdb021a4a}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6cff4f13-97bb-11de-9c1d-000bdb021a4a}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{6cff4f13-97bb-11de-9c1d-000bdb021a4a}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6cff4f13-97bb-11de-9c1d-000bdb021a4a}\ not found.
File G:\AutoRun.exe not found.
========== FILES ==========
File\Folder C:\WINDOWS\tasks\At*.job not found.
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
File delete failed. C:\Documents and Settings\Administrator\Local Settings\Temp\561.exe scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Administrator\Local Settings\Temp\in5.tmp scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Administrator\Local Settings\Temp\nsrbgxod.bak scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Administrator\Local Settings\Temp\rundll32.dll scheduled to be deleted on reboot.
->Temp folder emptied: 205955 bytes
File delete failed. C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\ISKU4E67\adjjkma[1].htm scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\FPQ9ABCM\mollmz[1].htm scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
->Temporary Internet Files folder emptied: 322962 bytes
->Java cache emptied: 0 bytes
File delete failed. C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\bjqeugip.default\Cache\_CACHE_001_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\bjqeugip.default\Cache\_CACHE_002_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\bjqeugip.default\Cache\_CACHE_003_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\bjqeugip.default\Cache\_CACHE_MAP_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\bjqeugip.default\urlclassifier3.sqlite scheduled to be deleted on reboot.
->FireFox cache emptied: 16711291 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Lakshmi
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 0 bytes

User: LocalService
->Temp folder emptied: 0 bytes
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
->Temporary Internet Files folder emptied: 33170 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
Windows Temp folder emptied: 0 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 16.47 mb


OTL by OldTimer - Version 3.0.20.0 log created on 10132009_130818

-----------------------------------------------------------------------------------------------------------------------------------------

I have also scanned the system with ESET antivirus scanner. Please find the report below:


C:\Documents and Settings\Administrator\Local Settings\Temp\ihx6l0mq.exe Win32/TrojanDownloader.Small.NTQ trojan cleaned by deleting - quarantined
C:\Documents and Settings\Administrator\Local Settings\Temp\kms346c.exe Win32/TrojanDownloader.Small.NTQ trojan cleaned by deleting (after the next restart) - quarantined
C:\Documents and Settings\Administrator\Local Settings\Temp\l0qhxznuy1.exe Win32/TrojanDownloader.Small.NTQ trojan cleaned by deleting - quarantined
C:\Documents and Settings\Administrator\Local Settings\Temp\v7u18a0.exe Win32/TrojanDownloader.Small.NTQ trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\p92qhnnl7a.dll Win32/TrojanDownloader.Small.NFD trojan cleaned by deleting (after the next restart) - quarantined
C:\WINDOWS\system32\setup.ini Win32/Sohanad.NCB worm cleaned by deleting - quarantined
C:\WINDOWS\system32\userinit.exe probably a variant of Win32/Injector.ACC trojan unable to clean
C:\WINDOWS\system32\uuq0dzp66.dll Win32/TrojanDownloader.Small.NFD trojan cleaned by deleting - quarantined


Let me know how to fix the problem.

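An added triage helper, not code from OTL, ESET or this thread, that classifies the OTL result lines and ESET report lines posted above so that what still waits on a reboot, what failed outright, and the detection on the logon-chain binary userinit.exe stand out; the sample lines are copied from the logs in this post, and the LOGON_CHAIN list is my own.

```python
"""Triage of OTL fix-log and ESET Online Scanner output (added example; not code
from OTL, ESET or this thread). Each result line is classified so the remaining
work is visible: pending-reboot items, failures, and logon-chain detections."""
import re
from collections import Counter

# Constructed sample: lines copied from the OTL log posted in this thread.
OTL_LOG = r"""
Service\Driver ejtdwvjj not found.
Registry delete failed. HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8F61501E-0A18-47F9-A5F5-AF07520CAD35}\ scheduled to be deleted on reboot.
LoadLibrary failed for C:\WINDOWS\System32\trgmuix.dll
C:\WINDOWS\System32\trgmuix.dll NOT unregistered.
File move failed. C:\WINDOWS\System32\trgmuix.dll scheduled to be moved on reboot.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{317041f0-1fb2-11de-9b9f-000bdb021a4a}\ deleted successfully.
File delete failed. C:\Documents and Settings\Administrator\Local Settings\Temp\rundll32.dll scheduled to be deleted on reboot.
"""
# Constructed sample: lines copied from the ESET report posted in this thread.
ESET_LOG = r"""
C:\Documents and Settings\Administrator\Local Settings\Temp\ihx6l0mq.exe Win32/TrojanDownloader.Small.NTQ trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\p92qhnnl7a.dll Win32/TrojanDownloader.Small.NFD trojan cleaned by deleting (after the next restart) - quarantined
C:\WINDOWS\system32\setup.ini Win32/Sohanad.NCB worm cleaned by deleting - quarantined
C:\WINDOWS\system32\userinit.exe probably a variant of Win32/Injector.ACC trojan unable to clean
"""
# My own list of XP logon-chain processes; losing winlogon/csrss yields STOP c000021a.
LOGON_CHAIN = {"userinit.exe", "winlogon.exe", "csrss.exe", "smss.exe",
               "services.exe", "lsass.exe", "explorer.exe"}

def classify_otl(line):
    """Map one OTL result line to pending_reboot, done, not_found or failed."""
    if re.search(r"scheduled to be (?:deleted|moved) on reboot", line):
        return "pending_reboot"   # OTL could not act live; happens at restart
    if re.search(r"(?:deleted|moved|unregistered) successfully", line):
        return "done"
    if "not found" in line:
        return "not_found"        # already gone, or never present
    return "failed"               # e.g. LoadLibrary failed / NOT unregistered

# Matches the ESET line shapes seen in this thread: <path> <threat> <action>.
ESET_RE = re.compile(
    r"^(?P<path>.+?)\s+"
    r"(?P<threat>(?:probably a variant of |a variant of )?Win32/\S+ \w+)\s+"
    r"(?P<action>cleaned by deleting(?: \(after the next restart\))? - quarantined"
    r"|unable to clean)$")

def parse_eset(line):
    """Split one ESET result line into path, threat and a status keyword."""
    m = ESET_RE.match(line.strip())
    if not m:
        return None
    if m["action"] == "unable to clean":
        status = "unresolved"     # still on disk: disinfection is incomplete
    elif "after the next restart" in m["action"]:
        status = "pending_reboot"
    else:
        status = "cleaned"
    return {"path": m["path"], "threat": m["threat"], "status": status}

def triage(otl_text, eset_text):
    """Summarise both logs: outcome counts plus the items needing follow-up."""
    otl = Counter(classify_otl(l) for l in otl_text.strip().splitlines())
    eset = [r for r in map(parse_eset, eset_text.strip().splitlines()) if r]
    follow_up = [r for r in eset if r["status"] != "cleaned"]
    critical = [r["path"] for r in eset
                if r["path"].rsplit("\\", 1)[-1].lower() in LOGON_CHAIN]
    return {"otl": dict(otl), "eset": dict(Counter(r["status"] for r in eset)),
            "follow_up": follow_up, "critical": critical}

if __name__ == "__main__":
    for key, value in triage(OTL_LOG, ESET_LOG).items():
        print(key, value)
```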



#6 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:04:40 PM

Posted 13 October 2009 - 07:53 AM

No! Do not delete any hidden files. They are hidden to protect them from accidentally being deleted and are vital to your system. This is normal and we'll restore everything once we're done.


Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
  • Double-click the drweb-cureit.exe file and allow it to run the express scan
  • This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, click File in the menu and choose Save report list
  • Save the report to your desktop. The report will be called DrWeb.csv
  • Close Dr.Web Cureit.
Note: If you have problems with DrWeb shutting down before it completes the scan, you can perform a custom scan and select individual folders to scan. In that case, start with C:\Windows\System32.


Please post the contents of the log from DrWeb in your next reply.


Let me know how your computer is behaving after you complete this scan.


========================================================

#7 lacchu

lacchu
  • Topic Starter

  • Members
  • 7 posts
  • Local time:03:10 AM

Posted 13 October 2009 - 09:03 AM

Hello Mr. Sam,

My system auto shut down and rebooted twice yesterday and once today. But the problem I faced with being redirected to spam sites from the Google results page is not yet solved.

I will update you about the new anti-virus software scan results tomorrow. It's taking time to install the demo version of the software.

Thanks for your help.

Lacchu


#8 lacchu

lacchu
  • Topic Starter

  • Members
  • 7 posts
  • Local time:03:10 AM

Posted 13 October 2009 - 09:12 AM

Hello Mr. Sam,

I am unable to upload this file here. This type of file is not permitted to upload here.

Edited by lacchu, 13 October 2009 - 09:14 AM.


#9 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:04:40 PM

Posted 13 October 2009 - 07:16 PM

Don't upload it. Copy the contents of the log and paste it directly into your reply.


========================================================

#10 lacchu

lacchu
  • Topic Starter

  • Members
  • 7 posts
  • Local time:03:10 AM

Posted 14 October 2009 - 12:17 AM

Hello Sam,

Today my laptop is behaving very oddly. The Internet connection is very slow. The system has auto rebooted once. Also I am unable to access the Control Panel. There is an antivirus software by the name Security Tool that auto scans the computer and often sends messages to remove the threats. I hope it's paid software. I don't remember downloading any such software. Last night I was downloading the demo version of Dr.Web. Was this Security Tool software auto-downloaded from that site? I do not have any idea about that.
I am unable to open any documents. I am unable to paste dr.web scan report. Help me recover my system please!!!!!!!

Lacchu


#11 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:04:40 PM

Posted 14 October 2009 - 07:41 AM

Please download ComboFix from one of these locations:

Link 1
Link 2
Link 3

Important!
You should NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert.
It is intended by its creator to be used under the guidance and supervision of a Malware Removal Expert, not for private use.
Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.



Make sure that you save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


[Image: ComboFix Recovery Console prompt]


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

[Image: ComboFix message after the Recovery Console is installed]


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.


========================================================

#12 lacchu

lacchu
  • Topic Starter

  • Members
  • 7 posts
  • Local time:03:10 AM

Posted 14 October 2009 - 09:15 AM

Hello Mr. Sam,

I am unable to install / uninstall any program. I think my system is totally corrupted. I think I should reinstall the OS again.

Lacchu

#13 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:04:40 PM

Posted 14 October 2009 - 05:20 PM

In that case, you can do a repair installation.
http://michaelstevenstech.com/XPrepairinstall.htm


========================================================
