Security Tool infection...can't run MBAM


  • This topic is locked
32 replies to this topic

#1 cmrisner (Members, 94 posts)

Posted 13 October 2009 - 01:54 AM

Hi everyone,

I was forwarded back to this forum by garmanma from a previous thread (see previous thread below). In a nutshell, I am trying to remove a Security Tool infection from my uncle's desktop, but I cannot run MBAM and the currently installed anti-virus (The Shield Deluxe) cannot remove it either. I am writing this post from Safe Mode, since normal mode is inundated with Security Tool pop-ups and bogus anti-virus scans. The system frequently locks up, especially if I log on as the administrator. I've included the DDS log in this post and attached the Attach.txt file as well as the RootRepeal log file (Ark.txt). I look forward to your help.

Thanks.

Brief Computer Specs.
XP SP3
Pentium 4
1 GB RAM

Previous Thread

Here's the DDS log file:


DDS (Ver_09-10-13.01) - NTFSx86 NETWORK
Run by reginald a jones at 23:19:14.31 on Mon 10/12/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_15
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.737 [GMT -7:00]

AV: The Shield Deluxe 2009 Antivirus *On-access scanning enabled* (Updated) {6C4BB89C-B0ED-4F41-A29C-4373888923BB}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\reginald a jones\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearch Bar = hxxp://us.rd.yahoo.com/customize/ycomp_adbe/defaults/sb/*http://www.yahoo.com/search/ie.html
uSearchAssistant =
uCustomizeSearch =
uURLSearchHooks: N/A: {be89472c-b803-4d1d-9a9a-0a63660e0fe3} - c:\progra~1\copern~1\COPERN~1.DLL
uURLSearchHooks: N/A: {0579b4b6-0293-4d73-b02d-5ebb0ba0f0a2} - c:\program files\asksbar\srchastt\1.bin\A2SRCHAS.DLL
mURLSearchHooks: N/A: {0579b4b6-0293-4d73-b02d-5ebb0ba0f0a2} - c:\program files\asksbar\srchastt\1.bin\A2SRCHAS.DLL
BHO: Ask Search Assistant BHO: {0579b4b1-0293-4d73-b02d-5ebb0ba0f0a2} - c:\program files\asksbar\srchastt\1.bin\A2SRCHAS.DLL
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: WormRadar.com IESiteBlocker.NavFilter: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - AVG Safe Search
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: MSN Toolbar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn\toolbar\3.0.1125.0\msneshellx.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Copernic Agent: {f2e259e8-0fc8-438c-a6e0-342dd80fa53e} - c:\progra~1\copern~1\COPERN~1.DLL
TB: The Shield Deluxe 2009 Toolbar: {381ffde8-2394-4f90-b10d-fc6124a40f8c} - c:\program files\pcsecurityshield\bitdefender 2009\IEToolbar.dll
TB: MSN Toolbar: {1e61ed7c-7cb8-49d6-b9e9-ab4c880c8414} - c:\program files\msn\toolbar\3.0.1125.0\msneshellx.dll
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} -
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
EB: Copernic Agent Results: {6f480f82-c3a6-4d35-96f7-b297ad49fbe8} - c:\program files\copernic agent\CopernicAgentExt.dll
EB: Copernic Agent: {f2e259e8-0fc8-438c-a6e0-342dd80fa53e} - c:\progra~1\copern~1\COPERN~1.DLL
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\NPSWF32_FlashUtil.exe -p
mRun: [WinShredder] c:\program files\pcsecurityshield\winshredder\ws20.exe
mRun: [BDAgent] "c:\program files\pcsecurityshield\bitdefender 2009\bdagent.exe"
mRun: [BitDefender Antiphishing Helper] "c:\program files\pcsecurityshield\bitdefender 2009\IEShow.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Microsoft Default Manager] "c:\program files\microsoft\search enhancement pack\default manager\DefMgr.exe" -resume
mRun: [4079250434] c:\documents and settings\reginald a jones\application data\4079250434\4079250434.exe
mRun: [kigasatov] Rundll32.exe "c:\windows\system32\ziyewila.dll",a
mRun: [49406023] c:\documents and settings\all users\application data\49406023\49406023.exe
mRun: [16636729] c:\documents and settings\all users\application data\16636729\16636729.exe
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\regina~1\startm~1\programs\startup\ADOBEM~1.LNK -
uPolicies-system: EnableProfileQuota = 1 (0x1)
IE: Search Using Copernic Agent - c:\program files\copernic agent\CopernicAgentExt.dll/INTEGRATION_MENU_SEARCHEXT
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/0/5/7/05796dde-b2ba-4eef-8da4-f99c7e0c9b92/LegitCheckControl.cab
DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} - hxxp://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc.cab
DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - hxxp://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1156012974968
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: copernicagent - {A979B6BD-E40B-4A07-ABDD-A62C64A4EBF6} - c:\progra~1\copern~1\COPERN~1.DLL
Handler: copernicagentcache - {AAC34CFD-274D-4A9D-B0DC-C74C05A67E1D} - c:\progra~1\copern~1\COPERN~1.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: avldr - avldr.dll
AppInit_DLLs: c:\windows\system32\zerakede.dll c:\windows\system32\ziyewila.dll,zusidebi.dll c:\windows\system32\boliraka.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SSODL: gadikuzur - {35e7bac6-bdc8-40e6-aa03-c05379aa6a91} - c:\windows\system32\zerakede.dll
SSODL: hasakiwov - {3f3edef3-8af3-47fe-9cc5-4823f537be63} - c:\windows\system32\ziyewila.dll
STS: tokatiluy: {35e7bac6-bdc8-40e6-aa03-c05379aa6a91} - c:\windows\system32\zerakede.dll
STS: tokatiluy: {3f3edef3-8af3-47fe-9cc5-4823f537be63} - c:\windows\system32\ziyewila.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,
LSA: Notification Packages = scecli hofalobu.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\regina~1\applic~1\mozilla\firefox\profiles\8far29aa.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://finance.yahoo.com/
FF - component: c:\program files\mozilla firefox\components\FFComm.dll
FF - component: c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPAskSBr.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npqtplugin8.dll
FF - plugin: c:\program files\quicktime\plugins\npqtplugin8.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

S1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2006-10-10 5632]
S1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2007-2-27 32256]
S1 ShldDrv;Panda File Shield Driver;c:\windows\system32\drivers\ShldDrv.sys [2005-12-29 26752]
S2 PavProc;Panda Process Protection Driver;c:\windows\system32\drivers\PavProc.sys [2005-12-29 163856]
S2 SeaPort;SeaPort;c:\program files\microsoft\search enhancement pack\seaport\SeaPort.exe [2009-5-19 240512]
S2 yfisrjealdoqhu;yfisrjealdoqhu;\??\c:\windows\system32\drivers\ljkutnfnouwybpv.sys --> c:\windows\system32\drivers\ljkutnfnouwybpv.sys [?]
S3 Arrakis3;PCSecurityShield Arrakis Server;c:\program files\common files\bitdefender\bitdefender arrakis server\bin\Arrakis3.exe [2008-7-17 118784]
S3 bdfm;BDFM;c:\windows\system32\drivers\bdfm.sys [2008-9-18 111112]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2006-2-16 4096]

=============== Created Last 30 ================

2009-10-12 23:11 --d----- c:\docume~1\alluse~1\applic~1\16636729
2009-10-12 23:11 --d----- c:\docume~1\alluse~1\applic~1\nominenu
2009-10-11 20:42 2,713 ---sh--- c:\windows\system32\mupapupe.dll
2009-10-11 20:42 2,713 ---sh--- c:\windows\system32\hoyobuva.dll
2009-10-10 17:03 15 a------- c:\documents and settings\reginald a jones\settings.dat
2009-10-10 15:06 --d----- c:\docume~1\alluse~1\applic~1\49406023
2009-10-06 14:03 51,712 ---sh--- c:\windows\system32\zasulege.dll
2009-10-05 00:00 --d----- c:\docume~1\regina~1\applic~1\4079250434

==================== Find3M ====================

2009-10-12 23:12 81,984 a------- c:\windows\system32\bdod.bin
2009-09-10 14:54 38,224 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 14:53 19,160 a------- c:\windows\system32\drivers\mbam.sys
2009-08-06 19:24 327,896 a------- c:\windows\system32\dllcache\wucltui.dll
2009-08-06 19:24 209,632 a------- c:\windows\system32\dllcache\wuweb.dll
2009-08-06 19:24 35,552 a------- c:\windows\system32\dllcache\wups.dll
2009-08-06 19:24 53,472 a------- c:\windows\system32\dllcache\wuauclt.exe
2009-08-06 19:24 96,480 a------- c:\windows\system32\dllcache\cdm.dll
2009-08-06 19:23 575,704 a------- c:\windows\system32\dllcache\wuapi.dll
2009-08-06 19:23 1,929,952 a------- c:\windows\system32\dllcache\wuaueng.dll
2009-08-06 19:23 274,288 a------- c:\windows\system32\mucltui.dll
2009-08-06 19:23 215,920 a------- c:\windows\system32\muweb.dll
2009-08-05 02:01 204,800 a------- c:\windows\system32\mswebdvd.dll
2009-08-05 02:01 204,800 -------- c:\windows\system32\dllcache\mswebdvd.dll
2009-07-25 05:23 411,368 a------- c:\windows\system32\deploytk.dll
2009-07-19 18:48 11,067,392 -------- c:\windows\system32\dllcache\ieframe.dll
2009-07-19 06:18 5,937,152 -------- c:\windows\system32\dllcache\mshtml.dll
2009-07-17 12:01 58,880 a------- c:\windows\system32\atl.dll
2009-07-17 12:01 58,880 -------- c:\windows\system32\dllcache\atl.dll
2008-01-04 19:58 2 a--shrot c:\windows\winstart.bat
2009-07-06 14:02 38,400 a--sh--- c:\windows\system32\fikuyelu.dll
2009-07-10 15:06 27,136 a--sh--- c:\windows\system32\gakemojo.dll
2009-07-11 20:42 1,011,282 a--sh--- c:\windows\system32\gemewoda.exe
2009-07-04 23:59 25,600 a--sh--- c:\windows\system32\hirihipo.dll
2009-07-10 15:07 51,712 a--sh--- c:\windows\system32\hofalobu.dll
2009-07-06 14:02 25,600 a--sh--- c:\windows\system32\mevozeha.dll
2009-07-04 23:59 37,888 a--sh--- c:\windows\system32\modisemi.dll
2009-07-10 15:07 51,712 a--sh--- c:\windows\system32\nereteva.dll
2009-07-10 15:06 38,400 a--sh--- c:\windows\system32\nominenu.dll
2009-07-10 15:06 1,050,659 a--sh--- c:\windows\system32\ridilave.exe
2009-07-05 00:00 1,047,587 a--sh--- c:\windows\system32\visutime.exe
2009-07-10 15:06 51,712 a--sh--- c:\windows\system32\vowowono.dll
2009-07-10 15:07 51,712 a--sh--- c:\windows\system32\zusidebi.dll
2008-09-17 20:21 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008091720080918\index.dat
2009-02-27 19:36 1,003,552 a--sh--- c:\windows\system32\drivers\fidbox.dat
2009-02-27 19:36 800 a--sh--- c:\windows\system32\drivers\fidbox2.dat

============= FINISH: 23:20:03.54 ===============
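The DDS log above is read by eye in threads like this one, but the load points that matter (Run keys, AppInit_DLLs, LSA notification packages, ShellServiceObjectDelayLoad, drivers whose file is missing, hidden+system binaries dropped into system32) follow a fixed line format, so a small triage script can pull them out. The following is an added example, not code from the thread, from BleepingComputer or from the DDS tool. It parses a constructed sample modelled on the lines posted above; the SSODL allowlist and the severity labels are my assumptions, and every hit is a lead for a reviewer to check, not a verdict.

```python
"""Triage helper for DDS-style log lines (added example, not part of the thread)."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: a handful of lines modelled on the DDS log posted in the thread.
SAMPLE_DDS = r"""
mRun: [BDAgent] "c:\program files\pcsecurityshield\bitdefender 2009\bdagent.exe"
mRun: [4079250434] c:\documents and settings\reginald a jones\application data\4079250434\4079250434.exe
mRun: [kigasatov] Rundll32.exe "c:\windows\system32\ziyewila.dll",a
AppInit_DLLs: c:\windows\system32\zerakede.dll c:\windows\system32\ziyewila.dll,zusidebi.dll c:\windows\system32\boliraka.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SSODL: gadikuzur - {35e7bac6-bdc8-40e6-aa03-c05379aa6a91} - c:\windows\system32\zerakede.dll
LSA: Notification Packages = scecli hofalobu.dll
S2 yfisrjealdoqhu;yfisrjealdoqhu;\??\c:\windows\system32\drivers\ljkutnfnouwybpv.sys --> c:\windows\system32\drivers\ljkutnfnouwybpv.sys [?]
2009-10-11 20:42 2,713 ---sh--- c:\windows\system32\mupapupe.dll
2009-08-06 19:24 327,896 a------- c:\windows\system32\dllcache\wucltui.dll
"""


@dataclass
class Finding:
    severity: str  # "high" or "medium" (assumed labels)
    reason: str
    line: str


# Minimal allowlist of SSODL DLLs normally present on XP; an assumption, extend as needed.
KNOWN_SSODL_DLLS = {"wpdshserviceobj.dll", "webcheck.dll", "stobject.dll"}

RUN_RE = re.compile(r"^([umd]Run(?:Once)?): \[([^\]]*)\] (.*)$")
APPINIT_RE = re.compile(r"^AppInit_DLLs: (.*)$")
LSA_RE = re.compile(r"^LSA: Notification Packages = (.*)$")
SSODL_RE = re.compile(r"^SSODL: (\S+) - (\{[^}]+\}) - (.*)$")
SERVICE_RE = re.compile(r"^[SR]\d [^;]+;[^;]*;(.*)$")
FILE_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}(?: [\d,]+)? ([a-z-]{8}) (.*)$")
NUMERIC_APPDATA_RE = re.compile(r"\\application data\\\d+\\\d+\.exe", re.I)


def triage_line(line: str) -> Optional[Finding]:
    """Return a Finding for one DDS line if it hits a triage rule, else None."""
    line = line.rstrip()
    m = RUN_RE.match(line)
    if m:
        name, cmd = m.group(2), m.group(3)
        # Autorun value named only with digits, or launching <digits>\<digits>.exe from Application Data
        if name.isdigit() or NUMERIC_APPDATA_RE.search(cmd):
            return Finding("high", "autorun with a numeric name pointing into Application Data", line)
        if "rundll32" in cmd.lower():
            return Finding("medium", "autorun launches a DLL through Rundll32; verify the DLL", line)
        return None
    m = APPINIT_RE.match(line)
    if m and m.group(1).strip():
        # Every DLL listed here is injected into every process that loads user32.dll
        dlls = [d for d in re.split(r"[ ,]+", m.group(1)) if d]
        return Finding("high", f"AppInit_DLLs injects {len(dlls)} DLL(s) into every GUI process", line)
    m = LSA_RE.match(line)
    if m:
        # scecli is the only package expected here; anything else loads inside lsass
        extra = [p for p in m.group(1).split() if p.lower() != "scecli"]
        if extra:
            return Finding("high", "LSA notification package beyond scecli: " + ", ".join(extra), line)
        return None
    m = SSODL_RE.match(line)
    if m:
        dll = m.group(3).rsplit("\\", 1)[-1].lower()
        if dll not in KNOWN_SSODL_DLLS:
            return Finding("medium", "ShellServiceObjectDelayLoad entry not in allowlist", line)
        return None
    m = SERVICE_RE.match(line)
    if m:
        path = m.group(1)
        # DDS writes "[?]" when the driver file cannot be found on disk
        if path.startswith("\\??\\") or path.endswith("[?]"):
            return Finding("medium", "service/driver with device-style path or missing file", line)
        return None
    m = FILE_RE.match(line)
    if m:
        attrs, path = m.group(1), m.group(2).lower()
        if "s" in attrs and "h" in attrs and "\\system32\\" in path and path.endswith((".dll", ".exe")):
            return Finding("medium", "hidden+system binary in system32", line)
        return None
    return None


def triage(text: str) -> List[Finding]:
    """Run every line of a DDS log through the rules and collect the hits."""
    return [f for f in (triage_line(ln) for ln in text.splitlines()) if f]


if __name__ == "__main__":
    for f in triage(SAMPLE_DDS):
        print(f"[{f.severity}] {f.reason}\n    {f.line}")
```

Feed it a whole DDS log by reading the file into `triage()`; the rules are deliberately narrow (fixed prefixes, an explicit allowlist) so a clean machine produces few or no hits and each hit names the load point a reviewer should look at next.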


#2 myrti (Sillyberry, Malware Study Hall Admin, 33,779 posts)

Posted 27 October 2009 - 12:25 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

Please include a clear description of the problems you're having, along with any steps you may have performed so far.

Please refrain from running tools or applying updates other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.

Even if you have already provided information about your PC, we need a new log to see what has changed since you originally posted your problem.
  • Please download OTL from following mirror:
  • Save it to your desktop.
  • Double click on the Posted Image icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the Posted Image button.
  • Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized
In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. I suggest you do this and select Immediate E-Mail notification and click on Proceed. This way you will be advised when we respond to your topic and facilitate the cleaning of your machine.

After 5 days if a topic is not replied to we assume it has been abandoned and it is closed.

regards _temp_

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 



#3 cmrisner (Topic Starter, Members, 94 posts)

Posted 29 October 2009 - 02:37 PM

Hi,

Thanks for the reply. I have NOT been able to resolve my issue yet, but I am hoping you can help. I am trying to remove a Security Tool infection from my uncle's computer; however, I cannot run MBAM. I have tried renaming the .exe file for MBAM to other names, and I also tried changing its extension to .scr or .bat, and I still was unable to run it. I can sometimes boot in normal mode, but safe mode works pretty consistently; however, sometimes Firefox and IE crash when I type in a web address and I have to reboot, as I can't access Task Manager to shut down the application or its process. I have also tried using the randmbam program, as instructed in other posts, to try and get MBAM to run, but that hasn't worked either.

I ran OTL as instructed, here are the log files:

OTL.txt

OTL logfile created on: 10/29/2009 12:25:24 PM - Run 1
OTL by OldTimer - Version 3.0.22.1 Folder = C:\Documents and Settings\reginald a jones\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1022.09 Mb Total Physical Memory | 763.31 Mb Available Physical Memory | 74.68% Memory free
2.40 Gb Paging File | 2.29 Gb Available in Paging File | 95.18% Paging File free
Paging file location(s): C:\pagefile.sys 1536 3072 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 70.94 Gb Total Space | 22.17 Gb Free Space | 31.25% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: LISA
Current User Name: reginald a jones
Logged in as Administrator.

Current Boot Mode: SafeMode with Networking
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2009/10/29 12:24:54 | 00,521,728 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\reginald a jones\Desktop\OTL.exe
PRC - [2009/09/15 23:10:48 | 00,908,280 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2008/04/13 17:12:19 | 01,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Explorer.EXE

========== Win32 Services (SafeList) ==========

SRV - [2009/07/25 05:23:10 | 00,153,376 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jqs.exe -- (JavaQuickStarterService [Auto | Stopped])
SRV - [2009/05/19 11:36:18 | 00,240,512 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe -- (SeaPort [Auto | Stopped])
SRV - [2009/04/01 21:32:28 | 00,413,696 | ---- | M] (PCSecurityShield) -- C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe -- (LIVESRV [Auto | Stopped])
SRV - [2009/04/01 21:32:20 | 01,626,112 | ---- | M] (PCSecurityShield) -- C:\Program Files\PCSecurityShield\BitDefender 2009\vsserv.exe -- (VSSERV [Auto | Stopped])
SRV - [2009/04/01 21:30:40 | 00,323,584 | ---- | M] (PCSecurityShield) -- C:\Program Files\Common Files\BitDefender\BitDefender Threat Scanner\scan.dll -- (scan [On_Demand | Stopped])
SRV - [2008/07/29 22:10:04 | 00,046,104 | ---- | M] (Microsoft Corporation) -- c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe -- (FontCache3.0.0.0 [On_Demand | Stopped])
SRV - [2008/07/29 20:24:50 | 00,881,664 | ---- | M] (Microsoft Corporation) -- c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe -- (idsvc [Unknown | Stopped])
SRV - [2008/07/29 20:16:38 | 00,132,096 | ---- | M] (Microsoft Corporation) -- c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe -- (NetTcpPortSharing [Disabled | Stopped])
SRV - [2008/07/25 12:17:02 | 00,069,632 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32 [On_Demand | Stopped])
SRV - [2008/07/25 12:16:40 | 00,034,312 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe -- (aspnet_state [On_Demand | Stopped])
SRV - [2008/07/17 13:06:56 | 00,118,784 | ---- | M] (BitDefender S.R.L. http://www.bitdefender.com) -- C:\Program Files\Common Files\BitDefender\BitDefender Arrakis Server\bin\Arrakis3.exe -- (Arrakis3 [On_Demand | Stopped])
SRV - [2008/04/13 17:12:02 | 00,038,400 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll -- (helpsvc [Auto | Running])
SRV - [2005/10/06 19:12:30 | 00,855,552 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Media Connect 2\wmccds.exe -- (WMConnectCDS [On_Demand | Stopped])
SRV - [2005/09/06 14:35:50 | 00,172,032 | ---- | M] (Panda Software) -- C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\pavsrv51.exe -- (PAVSRV [Auto | Stopped])
SRV - [2005/07/25 10:02:22 | 00,032,768 | ---- | M] (Panda Software) -- C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe -- (PavPrSrv [Auto | Stopped])
SRV - [2005/05/14 00:20:28 | 00,327,680 | ---- | M] (Apple Computer, Inc.) -- C:\Program Files\iPod\bin\iPodService.exe -- (iPodService [On_Demand | Stopped])
SRV - [2004/08/25 11:26:56 | 00,389,120 | ---- | M] () -- C:\WINDOWS\System32\Ati2evxx.exe -- (Ati HotKey Poller [Auto | Stopped])
SRV - [2004/06/29 09:22:56 | 00,073,852 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe -- (IAANTMon [Auto | Stopped])
SRV - [2000/06/26 05:44:20 | 00,053,520 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\MsPMSPSv.exe -- (WMDM PMSP Service [Auto | Stopped])
SRV - [1999/12/13 07:01:00 | 00,044,032 | ---- | M] (Creative Technology Ltd) -- C:\WINDOWS\System32\CTsvcCDA.exe -- (Creative Service for CDROM Access [Auto | Stopped])

========== Driver Services (SafeList) ==========

DRV - [2009/04/01 21:32:24 | 00,242,184 | ---- | M] (BitDefender S.R.L. Bucharest, ROMANIA) -- C:\WINDOWS\System32\drivers\bdfsfltr.sys -- (bdfsfltr [On_Demand | Stopped])
DRV - [2009/04/01 21:31:47 | 00,008,832 | ---- | M] (BitDefender S.R.L.) -- C:\Program Files\PCSecurityShield\BitDefender 2009\bdselfpr.sys -- (BDSelfPr [On_Demand | Stopped])
DRV - [2009/04/01 21:30:41 | 00,137,224 | ---- | M] (BitDefender LLC) -- C:\Program Files\Common Files\BitDefender\BitDefender Firewall\bdftdif.sys -- (bdftdif [System | Running])
DRV - [2008/09/18 12:09:12 | 00,111,112 | ---- | M] (BitDefender S.R.L. Bucharest, ROMANIA) -- C:\WINDOWS\System32\drivers\bdfm.sys -- (bdfm [On_Demand | Stopped])
DRV - [2008/09/02 14:32:06 | 00,013,056 | ---- | M] () -- c:\program files\common files\bitdefender\bitdefender threat scanner\profos.sys -- (Profos [On_Demand | Stopped])
DRV - [2008/04/13 11:36:39 | 00,043,008 | ---- | M] (Advanced Micro Devices, Inc.) -- C:\WINDOWS\system32\DRIVERS\amdagp.sys -- (amdagp [Boot | Running])
DRV - [2008/04/13 11:36:39 | 00,040,960 | ---- | M] (Silicon Integrated Systems Corporation) -- C:\WINDOWS\system32\DRIVERS\sisagp.sys -- (sisagp [Boot | Running])
DRV - [2007/11/13 03:25:53 | 00,020,480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) -- C:\WINDOWS\System32\DRIVERS\secdrv.sys -- (Secdrv [On_Demand | Stopped])
DRV - [2007/07/10 08:00:42 | 00,036,736 | ---- | M] () -- c:\program files\common files\bitdefender\bitdefender threat scanner\trufos.sys -- (Trufos [On_Demand | Stopped])
DRV - [2007/02/27 13:39:26 | 00,032,256 | ---- | M] () -- C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys -- (SASKUTIL [System | Stopped])
DRV - [2006/10/10 14:53:48 | 00,005,632 | ---- | M] () -- C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS -- (SASDIFSV [System | Stopped])
DRV - [2006/02/16 18:51:08 | 00,004,096 | R--- | M] (SuperAdBlocker, Inc.) -- C:\Program Files\SUPERAntiSpyware\SASENUM.SYS -- (SASENUM [On_Demand | Stopped])
DRV - [2005/08/29 15:23:30 | 00,026,752 | ---- | M] (Panda Software) -- C:\WINDOWS\System32\drivers\ShldDrv.sys -- (ShldDrv [System | Stopped])
DRV - [2005/03/07 11:52:48 | 00,014,408 | ---- | M] (GEAR Software Inc.) -- C:\WINDOWS\System32\DRIVERS\GEARAspiWDM.sys -- (GEARAspiWDM [On_Demand | Running])
DRV - [2004/10/26 06:59:50 | 00,028,352 | ---- | M] (MusicMatch, Inc.) -- C:\WINDOWS\System32\drivers\MxlW2k.sys -- (MxlW2k [On_Demand | Running])
DRV - [2004/08/25 11:28:46 | 00,787,456 | ---- | M] (ATI Technologies Inc.) -- C:\WINDOWS\System32\DRIVERS\ati2mtag.sys -- (ati2mtag [On_Demand | Stopped])
DRV - [2004/08/13 00:56:00 | 00,040,544 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\System32\drivers\drvnddm.sys -- (drvnddm [Auto | Stopped])
DRV - [2004/08/12 23:05:00 | 00,100,603 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\System32\dla\tfsnudfa.sys -- (tfsnudfa [Auto | Stopped])
DRV - [2004/08/12 23:05:00 | 00,098,714 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\System32\dla\tfsnudf.sys -- (tfsnudf [Auto | Stopped])
DRV - [2004/08/12 23:05:00 | 00,086,202 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\System32\dla\tfsnifs.sys -- (tfsnifs [Auto | Stopped])
DRV - [2004/08/12 23:05:00 | 00,034,843 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\System32\dla\tfsncofs.sys -- (tfsncofs [Auto | Stopped])
DRV - [2004/08/12 23:05:00 | 00,025,723 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\System32\dla\tfsnboio.sys -- (tfsnboio [Auto | Stopped])
DRV - [2004/08/12 23:05:00 | 00,014,715 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\System32\dla\tfsnopio.sys -- (tfsnopio [Auto | Stopped])
DRV - [2004/08/12 23:05:00 | 00,006,363 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\System32\dla\tfsnpool.sys -- (tfsnpool [Auto | Stopped])
DRV - [2004/08/12 23:05:00 | 00,004,123 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\System32\dla\tfsndrct.sys -- (tfsndrct [Auto | Stopped])
DRV - [2004/08/12 23:05:00 | 00,002,239 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\System32\dla\tfsndres.sys -- (tfsndres [Auto | Stopped])
DRV - [2004/08/04 03:00:00 | 00,017,792 | ---- | M] (Parallel Technologies, Inc.) -- C:\WINDOWS\System32\DRIVERS\ptilink.sys -- (Ptilink [On_Demand | Running])
DRV - [2004/08/04 01:21:00 | 00,087,136 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\system32\drivers\drvmcdb.sys -- (drvmcdb [Boot | Running])
DRV - [2004/08/03 20:29:56 | 01,897,408 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\System32\DRIVERS\nv4_mini.sys -- (nv [On_Demand | Stopped])
DRV - [2004/08/02 00:03:00 | 00,020,576 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\System32\Drivers\PxHelp20.sys -- (PxHelp20 [Boot | Running])
DRV - [2004/07/14 09:29:04 | 00,005,627 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\System32\drivers\sscdbhk5.sys -- (sscdbhk5 [System | Running])
DRV - [2004/07/14 09:28:50 | 00,023,545 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\System32\drivers\ssrtln.sys -- (ssrtln [System | Running])
DRV - [2004/06/29 09:17:16 | 00,477,952 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\drivers\iaStor.sys -- (iaStor [Boot | Running])
DRV - [2004/06/15 20:52:40 | 00,061,157 | ---- | M] (Intel Corporation) -- C:\WINDOWS\System32\DRIVERS\IntelC53.sys -- (IntelC53 [On_Demand | Stopped])
DRV - [2004/05/29 15:41:54 | 00,186,112 | ---- | M] (Broadcom Corporation) -- C:\WINDOWS\System32\DRIVERS\b57xp32.sys -- (b57w2k [On_Demand | Running])
DRV - [2004/04/09 10:41:30 | 00,612,352 | ---- | M] (Analog Devices, Inc.) -- C:\WINDOWS\System32\drivers\smwdm.sys -- (smwdm [On_Demand | Stopped])
DRV - [2004/03/05 20:15:34 | 00,647,929 | ---- | M] (Intel Corporation) -- C:\WINDOWS\System32\DRIVERS\IntelC52.sys -- (IntelC52 [On_Demand | Stopped])
DRV - [2004/03/05 20:14:42 | 01,233,525 | ---- | M] (Intel Corporation) -- C:\WINDOWS\System32\DRIVERS\IntelC51.sys -- (IntelC51 [On_Demand | Stopped])
DRV - [2004/03/05 20:13:38 | 00,037,048 | ---- | M] (Intel Corporation) -- C:\WINDOWS\System32\DRIVERS\mohfilt.sys -- (mohfilt [On_Demand | Stopped])
DRV - [2004/01/08 09:54:32 | 00,163,856 | ---- | M] (Panda Software) -- C:\WINDOWS\System32\DRIVERS\PavProc.sys -- (PavProc [Auto | Stopped])
DRV - [2003/03/27 08:58:56 | 00,287,920 | ---- | M] (Creative Technology Ltd) -- C:\WINDOWS\System32\drivers\ctdvda2k.sys -- (ctdvda2k [On_Demand | Stopped])
DRV - [2003/03/26 13:33:58 | 00,498,688 | ---- | M] (Creative Technology Ltd) -- C:\WINDOWS\System32\drivers\ctaud2k.sys -- (ctaud2k [On_Demand | Stopped])
DRV - [2003/03/26 13:32:32 | 00,189,504 | ---- | M] (Creative Technology Ltd.) -- C:\WINDOWS\System32\drivers\ctoss2k.sys -- (ossrv [On_Demand | Stopped])
DRV - [2003/03/26 13:32:02 | 00,141,536 | ---- | M] (Creative Technology Ltd) -- C:\WINDOWS\System32\drivers\hap16v2k.sys -- (hap16v2k [On_Demand | Stopped])
DRV - [2003/03/26 13:31:40 | 00,823,616 | ---- | M] (Creative Technology Ltd) -- C:\WINDOWS\System32\drivers\ha10kx2k.sys -- (ha10kx2k [On_Demand | Stopped])
DRV - [2003/03/06 07:10:34 | 00,015,840 | ---- | M] (Creative Technology Ltd.) -- C:\WINDOWS\System32\drivers\PfModNT.sys -- (PfModNT [Auto | Stopped])
DRV - [2003/02/20 14:24:46 | 00,116,000 | ---- | M] (Creative Technology Ltd) -- C:\WINDOWS\System32\drivers\emupia2k.sys -- (emupia [On_Demand | Stopped])
DRV - [2003/02/20 14:24:34 | 00,135,248 | ---- | M] (Creative Technology Ltd) -- C:\WINDOWS\System32\drivers\ctsfm2k.sys -- (ctsfm2k [On_Demand | Stopped])
DRV - [2003/02/20 14:24:18 | 00,006,144 | ---- | M] (Creative Technology Ltd) -- C:\WINDOWS\System32\drivers\ctprxy2k.sys -- (ctprxy2k [On_Demand | Stopped])
DRV - [2003/02/20 14:22:38 | 00,135,040 | ---- | M] (Creative Technology Ltd) -- C:\WINDOWS\System32\drivers\ctac32k.sys -- (ctac32k [On_Demand | Stopped])
DRV - [2002/11/08 11:45:06 | 00,017,217 | ---- | M] (Dell Computer Corporation) -- C:\WINDOWS\System32\DRIVERS\omci.sys -- (omci [System | Running])
DRV - [2002/04/01 11:15:00 | 00,004,816 | ---- | M] (Andrea Electronics Corporation) -- C:\WINDOWS\System32\drivers\aeaudio.sys -- (aeaudio [On_Demand | Stopped])
DRV - [2001/08/17 12:07:44 | 00,019,072 | ---- | M] (Adaptec, Inc.) -- C:\WINDOWS\system32\DRIVERS\sparrow.sys -- (Sparrow [Boot | Running])
DRV - [2001/08/17 12:07:42 | 00,030,688 | ---- | M] (LSI Logic) -- C:\WINDOWS\system32\DRIVERS\sym_u3.sys -- (sym_u3 [Boot | Running])
DRV - [2001/08/17 12:07:40 | 00,028,384 | ---- | M] (LSI Logic) -- C:\WINDOWS\system32\DRIVERS\sym_hi.sys -- (sym_hi [Boot | Running])
DRV - [2001/08/17 12:07:36 | 00,032,640 | ---- | M] (LSI Logic) -- C:\WINDOWS\system32\DRIVERS\symc8xx.sys -- (symc8xx [Boot | Running])
DRV - [2001/08/17 12:07:34 | 00,016,256 | ---- | M] (Symbios Logic Inc.) -- C:\WINDOWS\system32\DRIVERS\symc810.sys -- (symc810 [Boot | Running])
DRV - [2001/08/17 11:57:38 | 00,016,128 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\MODEMCSA.sys -- (MODEMCSA [On_Demand | Stopped])
DRV - [2001/08/17 11:52:22 | 00,036,736 | ---- | M] (Promise Technology, Inc.) -- C:\WINDOWS\system32\DRIVERS\ultra.sys -- (ultra [Boot | Running])
DRV - [2001/08/17 11:52:20 | 00,045,312 | ---- | M] (QLogic Corporation) -- C:\WINDOWS\system32\DRIVERS\ql12160.sys -- (ql12160 [Boot | Running])
DRV - [2001/08/17 11:52:20 | 00,040,320 | ---- | M] (QLogic Corporation) -- C:\WINDOWS\system32\DRIVERS\ql1080.sys -- (ql1080 [Boot | Running])
DRV - [2001/08/17 11:52:18 | 00,049,024 | ---- | M] (QLogic Corporation) -- C:\WINDOWS\system32\DRIVERS\ql1280.sys -- (ql1280 [Boot | Running])
DRV - [2001/08/17 11:52:16 | 00,179,584 | ---- | M] (Mylex Corporation) -- C:\WINDOWS\system32\DRIVERS\dac2w2k.sys -- (dac2w2k [Boot | Running])
DRV - [2001/08/17 11:52:12 | 00,017,280 | ---- | M] (American Megatrends Inc.) -- C:\WINDOWS\system32\DRIVERS\mraid35x.sys -- (mraid35x [Boot | Running])
DRV - [2001/08/17 11:52:00 | 00,026,496 | ---- | M] (Advanced System Products, Inc.) -- C:\WINDOWS\system32\DRIVERS\asc.sys -- (asc [Boot | Running])
DRV - [2001/08/17 11:51:58 | 00,014,848 | ---- | M] (Advanced System Products, Inc.) -- C:\WINDOWS\system32\DRIVERS\asc3550.sys -- (asc3550 [Boot | Running])
DRV - [2001/08/17 11:51:56 | 00,005,248 | ---- | M] (Acer Laboratories Inc.) -- C:\WINDOWS\system32\DRIVERS\aliide.sys -- (AliIde [Boot | Running])
DRV - [2001/08/17 11:51:54 | 00,006,656 | ---- | M] (CMD Technology, Inc.) -- C:\WINDOWS\system32\DRIVERS\cmdide.sys -- (CmdIde [Boot | Running])
DRV - [2001/08/17 10:12:10 | 00,117,760 | ---- | M] (Intel Corporation) -- C:\WINDOWS\System32\DRIVERS\e100b325.sys -- (E100B [On_Demand | Stopped])

========== Modules (SafeList) ==========

MOD - [2009/10/29 12:24:54 | 00,521,728 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\reginald a jones\Desktop\OTL.exe
MOD - [2009/07/10 15:07:22 | 00,051,712 | -HS- | M] () -- C:\WINDOWS\System32\zusidebi.dll
MOD - [2008/04/13 17:12:51 | 01,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll

========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = [binary data]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm


IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...&ar=msnhome
IE - HKU\.DEFAULT\..\URLSearchHook: {0579B4B6-0293-4d73-B02D-5EBB0BA0F0A2} - C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL (Ask.com)
IE - HKU\.DEFAULT\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...&ar=msnhome
IE - HKU\S-1-5-18\..\URLSearchHook: {0579B4B6-0293-4d73-B02D-5EBB0BA0F0A2} - C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL (Ask.com)
IE - HKU\S-1-5-18\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0


IE - HKU\S-1-5-20\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-2151673172-542210679-3067518927-1006\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
IE - HKU\S-1-5-21-2151673172-542210679-3067518927-1006\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKU\S-1-5-21-2151673172-542210679-3067518927-1006\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch =
IE - HKU\S-1-5-21-2151673172-542210679-3067518927-1006\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant =
IE - HKU\S-1-5-21-2151673172-542210679-3067518927-1006\..\URLSearchHook: {0579B4B6-0293-4d73-B02D-5EBB0BA0F0A2} - C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL (Ask.com)
IE - HKU\S-1-5-21-2151673172-542210679-3067518927-1006\..\URLSearchHook: {BE89472C-B803-4D1D-9A9A-0A63660E0FE3} - C:\Program Files\Copernic Agent\CopernicAgentExt.dll (Copernic Technologies Inc.)
IE - HKU\S-1-5-21-2151673172-542210679-3067518927-1006\S-1-5-21-2151673172-542210679-3067518927-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.selectedEngine: "Google"
FF - prefs.js..browser.startup.homepage: "http://finance.yahoo.com/"
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}:6.0.11
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}:6.0.15
FF - prefs.js..extensions.enabledItems: {20a82645-c095-46ed-80e3-08825760534b}:1.1
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
FF - prefs.js..extensions.enabledItems: {972ce4c6-7e08-4474-a285-3208198ce6fd}:3.5.3

FF - HKLM\software\mozilla\Firefox\Extensions\\FFToolbar@bitdefender.com: C:\Program Files\PCSecurityShield\BitDefender 2009\FFToolbar\ [2009/02/27 19:45:29 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{20a82645-c095-46ed-80e3-08825760534b}: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\ [2009/09/01 23:17:26 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\jqs@sun.com: C:\Program Files\Java\jre6\lib\deploy\jqs\ff [2009/07/06 21:32:47 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.3\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2009/09/15 23:14:41 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.3\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2009/09/15 23:11:00 | 00,000,000 | ---D | M]

[2009/08/27 14:17:31 | 00,000,000 | ---D | M] -- C:\Documents and Settings\reginald a jones\Application Data\mozilla\Extensions
[2009/08/27 14:17:31 | 00,000,000 | ---D | M] -- C:\Documents and Settings\reginald a jones\Application Data\mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}
[2009/07/06 21:34:33 | 00,000,000 | ---D | M] -- C:\Documents and Settings\reginald a jones\Application Data\mozilla\Extensions\mozswing@mozswing.org
[2009/10/12 23:28:11 | 00,000,000 | ---D | M] -- C:\Documents and Settings\reginald a jones\Application Data\mozilla\Firefox\Profiles\8far29aa.default\extensions
[2009/09/02 16:42:45 | 00,000,000 | ---D | M] -- C:\Documents and Settings\reginald a jones\Application Data\mozilla\Firefox\Profiles\8far29aa.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2009/10/10 15:24:46 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions
[2009/09/15 23:11:00 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
[2009/07/06 21:33:07 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
[2009/08/18 13:38:33 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
[2009/09/15 23:10:48 | 00,023,544 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browserdirprovider.dll
[2009/09/15 23:10:48 | 00,137,208 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\brwsrcmp.dll
[2009/04/01 21:31:58 | 00,049,664 | ---- | M] () -- C:\Program Files\mozilla firefox\components\FFComm.dll
[2006/10/16 17:34:08 | 00,110,592 | ---- | M] () -- C:\Program Files\mozilla firefox\components\GoogleDesktopMozilla.dll
[2009/02/18 23:07:48 | 00,024,672 | ---- | M] (Ask.com) -- C:\Program Files\mozilla firefox\plugins\NPAskSBr.dll
[2009/07/25 05:23:01 | 00,411,368 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\mozilla firefox\plugins\npdeploytk.dll
[2009/09/15 23:10:51 | 00,065,016 | ---- | M] (mozilla.org) -- C:\Program Files\mozilla firefox\plugins\npnul32.dll
[2004/12/14 03:19:18 | 00,057,344 | ---- | M] (Adobe Systems Inc.) -- C:\Program Files\mozilla firefox\plugins\nppdf32.dll
[2005/05/22 09:39:21 | 00,106,496 | ---- | M] (Apple Computer, Inc.) -- C:\Program Files\mozilla firefox\plugins\npqtplugin.dll
[2005/05/22 09:39:21 | 00,106,496 | ---- | M] (Apple Computer, Inc.) -- C:\Program Files\mozilla firefox\plugins\npqtplugin2.dll
[2005/05/22 09:39:21 | 00,106,496 | ---- | M] (Apple Computer, Inc.) -- C:\Program Files\mozilla firefox\plugins\npqtplugin3.dll
[2005/05/22 09:39:21 | 00,106,496 | ---- | M] (Apple Computer, Inc.) -- C:\Program Files\mozilla firefox\plugins\npqtplugin4.dll
[2005/05/22 09:39:21 | 00,106,496 | ---- | M] (Apple Computer, Inc.) -- C:\Program Files\mozilla firefox\plugins\npqtplugin5.dll
[2005/05/22 09:39:21 | 00,106,496 | ---- | M] (Apple Computer, Inc.) -- C:\Program Files\mozilla firefox\plugins\npqtplugin6.dll
[2005/05/22 09:39:21 | 00,106,496 | ---- | M] (Apple Computer, Inc.) -- C:\Program Files\mozilla firefox\plugins\npqtplugin7.dll
[2005/05/22 09:39:21 | 00,106,496 | ---- | M] (Apple Computer, Inc.) -- C:\Program Files\mozilla firefox\plugins\npqtplugin8.dll
[2009/07/30 00:24:20 | 00,001,394 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\amazondotcom.xml
[2009/07/30 00:24:20 | 00,002,193 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\answers.xml
[2009/07/30 00:24:20 | 00,001,534 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\creativecommons.xml
[2009/07/30 00:24:20 | 00,002,344 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\eBay.xml
[2009/07/30 00:24:20 | 00,002,371 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\google.xml
[2009/07/30 00:24:20 | 00,001,178 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\wikipedia.xml
[2009/07/30 00:24:20 | 00,000,792 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\yahoo.xml

O1 HOSTS File: (23 bytes) - C:\WINDOWS\System32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Ask Search Assistant BHO) - {0579B4B1-0293-4d73-B02D-5EBB0BA0F0A2} - C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL (Ask.com)
O2 - BHO: (AcroIEHlprObj Class) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - Reg Error: Value error. File not found
O2 - BHO: (Search Helper) - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll (Microsoft Corporation)
O2 - BHO: (MSN Toolbar Helper) - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files\MSN\Toolbar\3.0.1125.0\msneshellx.dll (Microsoft Corp.)
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)
O3 - HKLM\..\Toolbar: (MSN Toolbar) - {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - C:\Program Files\MSN\Toolbar\3.0.1125.0\msneshellx.dll (Microsoft Corp.)
O3 - HKLM\..\Toolbar: (The Shield Deluxe 2009 Toolbar) - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - C:\Program Files\PCSecurityShield\BitDefender 2009\IEToolbar.dll (Bitdefender)
O3 - HKLM\..\Toolbar: (Copernic Agent) - {F2E259E8-0FC8-438C-A6E0-342DD80FA53E} - C:\Program Files\Copernic Agent\CopernicAgentExt.dll (Copernic Technologies Inc.)
O3 - HKLM\..\Toolbar: (no name) - SITEguard - No CLSID value found.
O3 - HKU\.DEFAULT\..\Toolbar\WebBrowser: (no name) - {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No CLSID value found.
O3 - HKU\S-1-5-18\..\Toolbar\WebBrowser: (no name) - {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No CLSID value found.
O3 - HKU\S-1-5-21-2151673172-542210679-3067518927-1006\..\Toolbar\WebBrowser: (&Google) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - Reg Error: Value error. File not found
O3 - HKU\S-1-5-21-2151673172-542210679-3067518927-1006\..\Toolbar\WebBrowser: (Copernic Agent) - {F2E259E8-0FC8-438C-A6E0-342DD80FA53E} - C:\Program Files\Copernic Agent\CopernicAgentExt.dll (Copernic Technologies Inc.)
O4 - HKLM..\Run: [16636729] C:\Documents and Settings\All Users\Application Data\16636729\16636729.exe ()
O4 - HKLM..\Run: [4079250434] C:\Documents and Settings\reginald a jones\Application Data\4079250434\4079250434.exe ()
O4 - HKLM..\Run: [49406023] C:\Documents and Settings\All Users\Application Data\49406023\49406023.exe ()
O4 - HKLM..\Run: [BDAgent] C:\Program Files\PCSecurityShield\BitDefender 2009\bdagent.exe (PCSecurityShield)
O4 - HKLM..\Run: [BitDefender Antiphishing Helper] C:\Program Files\PCSecurityShield\BitDefender 2009\IEShow.exe (The Shield Deluxe 2009 )
O4 - HKLM..\Run: [kigasatov] C:\WINDOWS\System32\ziyewila.DLL File not found
O4 - HKLM..\Run: [Microsoft Default Manager] C:\Program Files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe (Microsoft Corp.)
O4 - HKLM..\Run: [QuickTime Task] C:\Program Files\QuickTime\qttask.exe (Apple Computer, Inc.)
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre6\bin\jusched.exe (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [WinShredder] C:\Program Files\PCSecurityShield\WinShredder\ws20.exe (PC Security Shield)
O4 - HKU\.DEFAULT..\Run: [DWQueuedReporting] C:\Program Files\Common Files\Microsoft Shared\DW\DWTRIG20.EXE (Microsoft Corporation)
O4 - HKU\S-1-5-18..\Run: [DWQueuedReporting] C:\Program Files\Common Files\Microsoft Shared\DW\DWTRIG20.EXE (Microsoft Corporation)
O4 - HKU\S-1-5-21-2151673172-542210679-3067518927-1006..\Run: [MSMSGS] C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O4 - HKLM..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe File not found
O4 - HKU\S-1-5-21-2151673172-542210679-3067518927-1006..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\System32\Macromed\Flash\NPSWF32_FlashUtil.exe (Adobe Systems, Inc.)
O4 - Startup: C:\Documents and Settings\reginald a jones\Start Menu\Programs\Startup\Adobe Media Player.lnk = File not found
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Main present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoComputersNearMe = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 255
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19_Classes\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19_Classes\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20_Classes\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20_Classes\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKU\S-1-5-21-2151673172-542210679-3067518927-1006\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-2151673172-542210679-3067518927-1006\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKU\S-1-5-21-2151673172-542210679-3067518927-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-2151673172-542210679-3067518927-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoNetHood = 0
O7 - HKU\S-1-5-21-2151673172-542210679-3067518927-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoComputersNearMe = 0
O7 - HKU\S-1-5-21-2151673172-542210679-3067518927-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableRegistryTools = 0
O7 - HKU\S-1-5-21-2151673172-542210679-3067518927-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableTaskMgr = 0
O7 - HKU\S-1-5-21-2151673172-542210679-3067518927-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableProfileQuota = 1
O7 - HKU\S-1-5-21-2151673172-542210679-3067518927-1006_Classes\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-2151673172-542210679-3067518927-1006_Classes\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: Search Using Copernic Agent - C:\Program Files\Copernic Agent\CopernicAgentExt.dll (Copernic Technologies Inc.)
O9 - Extra 'Tools' menuitem : @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe (Microsoft Corporation)
O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O15 - HKLM\..Trusted Domains: 1 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKU\S-1-5-21-2151673172-542210679-3067518927-1006\..Trusted Domains: 24 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://download.microsoft.com/download/0/5...heckControl.cab (Windows Genuine Advantage Validation Tool)
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab (Symantec AntiVirus scanner)
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} http://office.microsoft.com/officeupdate/content/opuc.cab (Office Update Installation Engine)
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab (Symantec RuFSI Utility Class)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://update.microsoft.com/microsoftupdat...b?1156012974968 (MUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_15)
O16 - DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} http://java.sun.com/products/plugin/autodl...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_15)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_15)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload.macromedia.com/pub/shock...ash/swflash.cab (Shockwave Flash Object)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O18 - Protocol\Handler\copernicagent {A979B6BD-E40B-4A07-ABDD-A62C64A4EBF6} - C:\Program Files\Copernic Agent\CopernicAgentExt.dll (Copernic Technologies Inc.)
O18 - Protocol\Handler\copernicagentcache {AAC34CFD-274D-4A9D-B0DC-C74C05A67E1D} - C:\Program Files\Copernic Agent\CopernicAgentExt.dll (Copernic Technologies Inc.)
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\ipp - No CLSID value found
O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - Reg Error: Value error. File not found
O18 - Protocol\Handler\msdaipp - No CLSID value found
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O20 - AppInit_DLLs: (c:\windows\system32\zerakede.dll) - C:\WINDOWS\System32\zerakede.dll File not found
O20 - AppInit_DLLs: (c:\windows\system32\ziyewila.dll) - C:\WINDOWS\System32\ziyewila.dll File not found
O20 - AppInit_DLLs: (zusidebi.dll) - C:\WINDOWS\System32\zusidebi.dll ()
O20 - AppInit_DLLs: (c:\windows\system32\boliraka.dll) - C:\WINDOWS\System32\boliraka.dll File not found
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\Explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\!SASWinLogon: DllName - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll (SUPERAntiSpyware.com)
O20 - Winlogon\Notify\avldr: DllName - avldr.dll - C:\WINDOWS\System32\avldr.dll (Panda Software)
O21 - SSODL: gadikuzur - {35e7bac6-bdc8-40e6-aa03-c05379aa6a91} - C:\WINDOWS\System32\zerakede.dll File not found
O21 - SSODL: hasakiwov - {3f3edef3-8af3-47fe-9cc5-4823f537be63} - C:\WINDOWS\System32\ziyewila.dll File not found
O22 - SharedTaskScheduler: {35e7bac6-bdc8-40e6-aa03-c05379aa6a91} - tokatiluy - C:\WINDOWS\System32\zerakede.dll File not found
O22 - SharedTaskScheduler: {3f3edef3-8af3-47fe-9cc5-4823f537be63} - tokatiluy - C:\WINDOWS\System32\ziyewila.dll File not found
O24 - Desktop Components:0 (My Current Home Page) - About:Home
O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)
O30 - LSA: Authentication Packages - (OWS\S) - File not found
O30 - LSA: Security Packages - (\ATI) - File not found
O30 - LSA: Security Packages - (Control) - C:\WINDOWS\System32\Control.exe (Microsoft Corporation)
O30 - LSA: Security Packages - (Panel\ecurity) - File not found
O30 - LSA: Security Packages - (Pack) - File not found
O31 - SafeBoot: AlternateShell - cmd.exe
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2004/08/10 11:04:08 | 00,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{c0f944d9-5917-11de-9d0d-00111146a1e1}\Shell - "" = AutoRun
O33 - MountPoints2\{c0f944d9-5917-11de-9d0d-00111146a1e1}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{c0f944d9-5917-11de-9d0d-00111146a1e1}\Shell\AutoRun\command - "" = E:\LaunchU3.exe -- File not found
O34 - HKLM BootExecute: (autocheck) - File not found
O34 - HKLM BootExecute: (autochk) - C:\WINDOWS\System32\autochk.exe (Microsoft Corporation)
O34 - HKLM BootExecute: (*) - File not found
O34 - HKLM BootExecute: (Partizan) - C:\WINDOWS\System32\Partizan.exe (Greatis Software)
O35 - comfile [open] -- "%1" %* File not found
O35 - exefile [open] -- "%1" %* File not found

========== Files/Folders - Created Within 30 Days ==========

[2009/10/12 23:11:36 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\16636729
[2009/10/10 15:06:55 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\49406023
[2009/10/12 23:11:22 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\nominenu
[2009/10/05 00:00:22 | 00,000,000 | ---D | C] -- C:\Documents and Settings\reginald a jones\Application Data\4079250434
[2009/10/29 12:24:54 | 00,521,728 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\reginald a jones\Desktop\OTL.exe
[2009/10/16 22:14:07 | 04,045,528 | ---- | C] (Malwarebytes Corporation ) -- C:\Documents and Settings\reginald a jones\Desktop\mbam-setup.exe
[2009/10/10 15:22:16 | 00,000,000 | ---D | C] -- C:\Documents and Settings\reginald a jones\My Documents\Downloads
[1979/12/31 22:00:00 | 00,151,552 | ---- | C] ( ) -- C:\WINDOWS\System32\ATIDEMGR.dll

========== Files - Modified Within 30 Days ==========

[1 C:\WINDOWS\System32\*.tmp files]
[1 C:\WINDOWS\*.tmp files]
[2009/10/29 12:24:54 | 00,521,728 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\reginald a jones\Desktop\OTL.exe
[2009/10/29 12:22:51 | 00,011,168 | -H-- | M] () -- C:\WINDOWS\System32\galadoyu
[2009/10/29 12:22:27 | 00,002,206 | ---- | M] () -- C:\WINDOWS\System32\WPA.DBL
[2009/10/29 12:21:55 | 00,002,048 | --S- | M] () -- C:\WINDOWS\BOOTSTAT.DAT
[2009/10/20 14:57:29 | 03,712,656 | -H-- | M] () -- C:\Documents and Settings\reginald a jones\Local Settings\Application Data\IconCache.db
[2009/10/20 14:33:02 | 00,030,036 | ---- | M] () -- C:\WINDOWS\System32\BMXStateBkp-{00000004-00000000-00000002-00001102-00000004-10031102}.rfx
[2009/10/20 14:33:02 | 00,030,036 | ---- | M] () -- C:\WINDOWS\System32\BMXState-{00000004-00000000-00000002-00001102-00000004-10031102}.rfx
[2009/10/20 14:33:02 | 00,029,760 | ---- | M] () -- C:\WINDOWS\System32\BMXCtrlState-{00000004-00000000-00000002-00001102-00000004-10031102}.rfx
[2009/10/20 14:33:02 | 00,029,760 | ---- | M] () -- C:\WINDOWS\System32\BMXBkpCtrlState-{00000004-00000000-00000002-00001102-00000004-10031102}.rfx
[2009/10/20 14:33:02 | 00,001,080 | ---- | M] () -- C:\WINDOWS\System32\settingsbkup.sfm
[2009/10/20 14:33:02 | 00,001,080 | ---- | M] () -- C:\WINDOWS\System32\settings.sfm
[2009/10/20 14:33:02 | 00,000,288 | ---- | M] () -- C:\WINDOWS\System32\DVCStateBkp-{00000004-00000000-00000002-00001102-00000004-10031102}.dat
[2009/10/20 14:33:02 | 00,000,288 | ---- | M] () -- C:\WINDOWS\System32\DVCState-{00000004-00000000-00000002-00001102-00000004-10031102}.dat
[2009/10/20 14:32:54 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2009/10/16 22:12:12 | 04,045,528 | ---- | M] (Malwarebytes Corporation ) -- C:\Documents and Settings\reginald a jones\Desktop\mbam-setup.exe
[2009/10/16 22:08:02 | 00,222,714 | ---- | M] () -- C:\Documents and Settings\reginald a jones\Desktop\randmbam.exe
[2009/10/12 23:12:18 | 00,081,984 | ---- | M] () -- C:\WINDOWS\System32\bdod.bin
[2009/10/11 20:42:47 | 00,002,713 | -HS- | M] () -- C:\WINDOWS\System32\mupapupe.dll
[2009/10/11 20:42:47 | 00,002,713 | -HS- | M] () -- C:\WINDOWS\System32\hoyobuva.dll
[2009/10/11 19:57:55 | 00,000,715 | ---- | M] () -- C:\Documents and Settings\reginald a jones\Desktop\Shortcut to Downloads.lnk
[2009/10/10 15:11:29 | 00,001,025 | ---- | M] () -- C:\WINDOWS\System32\BDUpdateV1.xml
[2009/10/10 15:07:23 | 00,000,885 | ---- | M] () -- C:\Documents and Settings\reginald a jones\Desktop\Security Tool.lnk
[2009/10/06 14:33:08 | 00,000,121 | ---- | M] () -- C:\WINDOWS\bdagent.INI
[2009/10/06 14:03:27 | 00,051,712 | -HS- | M] () -- C:\WINDOWS\System32\zasulege.dll
[2009/10/05 01:18:33 | 00,000,713 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2009/10/04 22:39:50 | 00,054,156 | -H-- | M] () -- C:\WINDOWS\QTFont.qfn
[2009/10/04 14:32:39 | 00,022,528 | ---- | M] () -- C:\Documents and Settings\reginald a jones\My Documents\Substitute Lesson Plan for the day.doc
[2009/10/04 14:02:27 | 00,002,473 | ---- | M] () -- C:\Documents and Settings\reginald a jones\Desktop\Microsoft Word.lnk
[2009/09/29 22:15:10 | 00,044,032 | ---- | M] () -- C:\Documents and Settings\reginald a jones\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

========== Files - No Company Name ==========
[2009/10/16 22:09:58 | 00,222,714 | ---- | C] () -- C:\Documents and Settings\reginald a jones\Desktop\randmbam.exe
[2009/10/11 20:42:47 | 00,002,713 | -HS- | C] () -- C:\WINDOWS\System32\mupapupe.dll
[2009/10/11 20:42:47 | 00,002,713 | -HS- | C] () -- C:\WINDOWS\System32\hoyobuva.dll
[2009/10/11 19:57:55 | 00,000,715 | ---- | C] () -- C:\Documents and Settings\reginald a jones\Desktop\Shortcut to Downloads.lnk
[2009/10/06 14:03:27 | 00,051,712 | -HS- | C] () -- C:\WINDOWS\System32\zasulege.dll
[2009/10/05 01:21:08 | 00,000,885 | ---- | C] () -- C:\Documents and Settings\reginald a jones\Desktop\Security Tool.lnk
[2009/10/04 14:32:39 | 00,022,528 | ---- | C] () -- C:\Documents and Settings\reginald a jones\My Documents\Substitute Lesson Plan for the day.doc
[2009/07/10 15:07:22 | 00,051,712 | -HS- | C] () -- C:\WINDOWS\System32\zusidebi.dll
[2009/07/10 15:07:22 | 00,051,712 | -HS- | C] () -- C:\WINDOWS\System32\nereteva.dll
[2009/07/10 15:07:22 | 00,051,712 | -HS- | C] () -- C:\WINDOWS\System32\hofalobu.dll
[2009/07/10 15:06:41 | 00,038,400 | -HS- | C] () -- C:\WINDOWS\System32\nominenu.dll
[2009/07/10 15:06:40 | 00,027,136 | -HS- | C] () -- C:\WINDOWS\System32\gakemojo.dll
[2009/07/10 15:06:39 | 00,051,712 | -HS- | C] () -- C:\WINDOWS\System32\vowowono.dll
[2009/07/06 14:02:48 | 00,025,600 | -HS- | C] () -- C:\WINDOWS\System32\mevozeha.dll
[2009/07/06 14:02:46 | 00,038,400 | -HS- | C] () -- C:\WINDOWS\System32\fikuyelu.dll
[2009/07/04 23:59:58 | 00,037,888 | -HS- | C] () -- C:\WINDOWS\System32\modisemi.dll
[2009/07/04 23:59:47 | 00,025,600 | -HS- | C] () -- C:\WINDOWS\System32\hirihipo.dll
[2009/02/27 21:20:03 | 00,000,121 | ---- | C] () -- C:\WINDOWS\bdagent.INI
[2008/10/09 16:31:54 | 00,192,512 | ---- | C] () -- C:\WINDOWS\System32\txmlutil.dll
[2007/04/01 14:53:58 | 00,000,107 | ---- | C] () -- C:\WINDOWS\wpd99.drv
[2007/04/01 14:53:38 | 00,118,784 | ---- | C] () -- C:\WINDOWS\System32\pdfmona.dll
[2007/04/01 14:53:38 | 00,051,716 | ---- | C] () -- C:\WINDOWS\System32\pdf995mon.dll
[2007/01/31 14:50:32 | 00,913,408 | ---- | C] () -- C:\WINDOWS\System32\xreglib.dll
[2006/10/26 21:05:55 | 00,684,032 | ---- | C] () -- C:\WINDOWS\System32\libeay32.dll
[2006/10/26 21:05:55 | 00,155,648 | ---- | C] () -- C:\WINDOWS\System32\ssleay32.dll
[2006/10/16 21:09:32 | 03,712,656 | -H-- | C] () -- C:\Documents and Settings\reginald a jones\Local Settings\Application Data\IconCache.db
[2006/05/27 20:45:06 | 00,000,000 | ---- | C] () -- C:\WINDOWS\Unsetup.INI
[2006/03/03 02:13:25 | 00,245,760 | ---- | C] () -- C:\WINDOWS\System32\vrupcfg.dll
[2006/03/03 02:13:25 | 00,118,784 | ---- | C] () -- C:\WINDOWS\System32\vrcomp.dll
[2006/03/03 02:13:24 | 00,299,008 | ---- | C] () -- C:\WINDOWS\VrEncDec.dll
[2006/03/03 02:13:24 | 00,299,008 | ---- | C] () -- C:\WINDOWS\System32\VrEncDec.dll
[2006/03/03 02:13:24 | 00,157,184 | ---- | C] () -- C:\WINDOWS\System32\Vrazrar.dll
[2006/03/03 02:13:24 | 00,110,592 | ---- | C] () -- C:\WINDOWS\System32\VMSLog.dll
[2006/03/03 02:13:24 | 00,094,208 | ---- | C] () -- C:\WINDOWS\System32\VrCAB.dll
[2006/03/03 02:13:24 | 00,073,728 | ---- | C] () -- C:\WINDOWS\System32\Vrazace.dll
[2006/03/03 02:13:23 | 00,425,984 | ---- | C] () -- C:\WINDOWS\System32\VrExpJpn.dll
[2005/12/29 16:40:23 | 00,684,032 | ---- | C] () -- C:\WINDOWS\libeay32.dll
[2005/12/29 16:40:23 | 00,155,648 | ---- | C] () -- C:\WINDOWS\ssleay32.dll
[2005/03/14 17:03:27 | 00,000,048 | ---- | C] () -- C:\WINDOWS\PerWin.ini
[2004/11/02 00:08:28 | 00,044,032 | ---- | C] () -- C:\Documents and Settings\reginald a jones\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2004/11/01 23:42:19 | 00,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2004/11/01 23:20:54 | 00,000,002 | ---- | C] () -- C:\WINDOWS\msoffice.ini
[2004/10/28 16:57:41 | 00,000,062 | -HS- | C] () -- C:\Documents and Settings\reginald a jones\Application Data\DESKTOP.INI
[2004/10/28 16:57:40 | 00,040,080 | ---- | C] () -- C:\Documents and Settings\reginald a jones\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
[2004/10/26 15:39:05 | 03,375,104 | ---- | C] () -- C:\WINDOWS\System32\qt-mt331.dll
[2004/10/26 07:04:41 | 00,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2004/10/26 07:02:43 | 00,000,511 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2004/10/26 06:52:07 | 00,000,231 | ---- | C] () -- C:\WINDOWS\AC3API.INI
[2004/10/26 06:51:50 | 00,066,807 | ---- | C] () -- C:\WINDOWS\System32\Aud2_Del.ini
[2004/10/26 06:51:50 | 00,000,030 | ---- | C] () -- C:\WINDOWS\System32\ctzapxx.ini
[2004/10/26 06:51:49 | 00,005,515 | ---- | C] () -- C:\WINDOWS\System32\ENSDEF.INI
[2004/10/26 06:51:49 | 00,000,180 | ---- | C] () -- C:\WINDOWS\System32\KILL.INI
[2004/10/26 06:51:29 | 00,000,136 | ---- | C] () -- C:\WINDOWS\SBWIN.INI
[2004/10/26 06:29:38 | 00,000,517 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.INI
[2004/09/15 20:03:14 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\px.ini
[2004/08/10 11:13:12 | 00,000,780 | ---- | C] () -- C:\WINDOWS\ORUN32.INI
[2004/08/10 11:04:08 | 00,001,000 | ---- | C] () -- C:\WINDOWS\WIN.INI
[2004/08/10 10:57:52 | 00,000,227 | ---- | C] () -- C:\WINDOWS\system.ini
[2004/08/10 10:57:42 | 00,000,062 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\DESKTOP.INI
[2004/08/04 03:00:00 | 00,001,793 | ---- | C] () -- C:\WINDOWS\System32\FXSPERF.INI
[1979/12/31 22:00:00 | 00,086,016 | ---- | C] () -- C:\WINDOWS\System32\ati2evxx.dll

========== Alternate Data Streams ==========

@Alternate Data Stream - 120 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:5C321E34
@Alternate Data Stream - 104 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2
< End of report >



Extras.txt

OTL Extras logfile created on: 10/29/2009 12:25:24 PM - Run 1
OTL by OldTimer - Version 3.0.22.1 Folder = C:\Documents and Settings\reginald a jones\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1022.09 Mb Total Physical Memory | 763.31 Mb Available Physical Memory | 74.68% Memory free
2.40 Gb Paging File | 2.29 Gb Available in Paging File | 95.18% Paging File free
Paging file location(s): C:\pagefile.sys 1536 3072 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 70.94 Gb Total Space | 22.17 Gb Free Space | 31.25% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: LISA
Current User Name: reginald a jones
Logged in as Administrator.

Current Boot Mode: SafeMode with Networking
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.chm [@ = chm.file] -- C:\WINDOWS\hh.exe (Microsoft Corporation)
.html [@ = htmlfile] -- C:\Program Files\Internet Explorer\IEXPLORE.EXE (Microsoft Corporation)

[HKEY_USERS\S-1-5-21-2151673172-542210679-3067518927-1006\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %* File not found
chm.file [open] -- "C:\WINDOWS\hh.exe" %1 (Microsoft Corporation)
cmdfile [open] -- "%1" %* File not found
comfile [open] -- "%1" %* File not found
exefile [open] -- "%1" %* File not found
htmlfile [edit] -- "C:\Program Files\Microsoft Office\Office\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
htmlfile [opennew] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)
htmlfile [print] -- "C:\Program Files\Microsoft Office\Office\msohtmed.exe" /p %1 (Microsoft Corporation)
http [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
https [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
piffile [open] -- "%1" %* File not found
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1" File not found
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S File not found
txtfile [edit] -- Reg Error: Key error.
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Applications\iexplore.exe [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)
CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -- "C:\Program Files\Internet Explorer\iexplore.exe" (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusOverride" = 0
"FirewallOverride" = 0
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"10280:UDP" = 10280:UDP:LocalSubNet:Enabled:Windows Media Connect
"10281:UDP" = 10281:UDP:LocalSubNet:Enabled:Windows Media Connect
"10282:UDP" = 10282:UDP:LocalSubNet:Enabled:Windows Media Connect
"10283:UDP" = 10283:UDP:LocalSubNet:Enabled:Windows Media Connect
"10284:UDP" = 10284:UDP:LocalSubNet:Enabled:Windows Media Connect
"10243:TCP" = 10243:TCP:LocalSubNet:Enabled:Windows Media Connect

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"1304:UDP" = 1304:UDP:*:Enabled:Windows Media Format SDK (firefox.exe)
"1310:UDP" = 1310:UDP:*:Enabled:Windows Media Format SDK (firefox.exe)
"1328:UDP" = 1328:UDP:*:Enabled:Windows Media Format SDK (firefox.exe)
"1494:UDP" = 1494:UDP:*:Enabled:Windows Media Format SDK (wmplayer.exe)

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\Network Diagnostic\xpnetdiag.exe" = %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000 -- (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\Network Diagnostic\xpnetdiag.exe" = %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000 -- (Microsoft Corporation)
"C:\Program Files\iTunes\iTunes.exe" = C:\Program Files\iTunes\iTunes.exe:*:Disabled:iTunes -- (Apple Computer, Inc.)
"C:\Program Files\PCSecurityShield\The Shield Deluxe 2008\avp.exe" = C:\Program Files\PCSecurityShield\The Shield Deluxe 2008\avp.exe:*:Enabled:The Shield Deluxe 2008 -- File not found
"C:\Program Files\LimeWire\LimeWire.exe" = C:\Program Files\LimeWire\LimeWire.exe:*:Enabled:LimeWire -- (Lime Wire, LLC)
"C:\WINDOWS\explorer.exe" = C:\WINDOWS\explorer.exe:*:Enabled:Explorer -- (Microsoft Corporation)
"C:\Program Files\QuickTime\qttask.exe" = C:\Program Files\QuickTime\qttask.exe:*:Enabled:qttask -- (Apple Computer, Inc.)
"C:\Program Files\PCSecurityShield\BitDefender 2009\seccenter.exe" = C:\Program Files\PCSecurityShield\BitDefender 2009\seccenter.exe:*:Enabled:seccenter -- ()
"C:\Program Files\Messenger\msmsgs.exe" = C:\Program Files\Messenger\msmsgs.exe:*:Enabled:msmsgs -- (Microsoft Corporation)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{00030409-78E1-11D2-B60F-006097C998E7}" = Microsoft Office 2000 SR-1 Small Business
"{0552A36D-0D7E-4FF5-8FDB-6629ABA7C779}" = iTunes
"{09DA4F91-2A09-4232-AB8C-6BC740096DE3}" = Sonic Update Manager
"{0BEDBD4E-2D34-47B5-9973-57E62B29307C}" = ATI Control Panel
"{0EB5D9B7-8E6C-4A9E-B74F-16B7EE89A67B}" = Microsoft Plus! Photo Story 2 LE
"{11B569C2-4BF6-4ED0-9D17-A4273943CB24}" = Adobe Photoshop Album 2.0 Starter Edition
"{1206EF92-2E83-4859-ACCB-2048C3CB7DA6}" = Sonic DLA
"{18D10072035C4515918F7E37EAFAACFC}" = AutoUpdate
"{197A3012-8C85-4FD3-AB66-9EC7E13DB92E}" = Adobe AIR
"{1D643CD7-4DD6-11D7-A4E0-000874180BB3}" = Microsoft Money 2004
"{2637C347-9DAD-11D6-9EA2-00055D0CA761}" = Dell Media Experience
"{26A24AE4-039D-4CA4-87B4-2F83216011FF}" = Java™ 6 Update 15
"{2E086814-7392-4E0F-ADB8-54A81E47406C}" = Broadcom Advanced Control Suite 2
"{2E7595EC-4FB1-4E29-93D4-9083C8A9B107}" = TurboTax ItsDeductible 2005
"{32343DB6-9A52-40C9-87E4-5E7C79791C87}" = MSXML 4.0 SP2 and SOAP Toolkit 3.0
"{33BB4982-DC52-4886-A03B-F4C5C80BEE89}" = Windows Media Player 10
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{35BDEFF1-A610-4956-A00D-15453C116395}" = Internet Explorer Default Page
"{36495C59-089C-49D1-BD15-9E5BD86DC9A1}" = ItsDeductible Express
"{3F92ABBB-6BBF-11D5-B229-002078017FBF}" = Modem On Hold
"{45EBDA59-D33B-433A-956E-B2F236468B56}" = MUSICMATCH® Jukebox
"{4B9F45E8-E3CE-40B4-9463-80A9B3481DEF}" = Banctec Service Agreement
"{4CBA3D4C-8F51-4D60-B27E-F6B641C571E7}" = Microsoft Search Enhancement Pack
"{56F3E1FF-54FE-4384-A153-6CCABA097814}" = Creative MediaSource
"{5905F42D-3F5F-4916-ADA6-94A3646AEE76}" = Dell Driver Reset Tool
"{5FF4A578-4588-4ACF-8317-7191FC45F3E1}" = TaxCut California 2007
"{61100673-2546-42E1-BF92-467B5CB2AC6D}" = DeductionPro 2008
"{63569CE9-FA00-469C-AF5C-E5D4D93ACF91}" = Windows Genuine Advantage v1.3.0254.0
"{6549AA0C-6D93-4E76-9A13-6A6A0AA4FD6D}" = TaxCut California 2008
"{663E217E-FC26-4249-9E8E-F190CD63E737}" = TaxCut Premium + State 2007
"{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}" = PowerDVD 5.3
"{68D60342-7686-45C9-B8EB-40EF843D0460}" = Dell Networking Guide
"{6E45BA47-383C-4C1E-8ED0-0D4845C293D7}" = Microsoft Plus! Digital Media Edition Installer
"{7148F0A8-6813-11D6-A77B-00B0D0142030}" = Java 2 Runtime Environment, SE v1.4.2_03
"{74F7662C-B1DB-489E-A8AC-07A06B24978B}" = Dell System Restore
"{7A0EFAFB-AC4B-4B88-8C6B-6731BE88DB68}" = Modem Event Monitor
"{7B63B2922B174135AFC0E1377DD81EC2}" = DivX
"{7F142D56-3326-11D5-B229-002078017FBF}" = Modem Helper
"{81A34902-9D0B-4920-A25C-4CDC5D14B328}" = Jasc Paint Shop Pro 8 Dell Edition
"{8ADFC4160D694100B5B8A22DE9DCABD9}" = DivX Player
"{8C64E145-54BA-11D6-91B1-00500462BE80}" = Microsoft Money 2004 System Pack
"{9068B2BE-D93A-4C0A-861C-5E35E2C0E09E}" = Intel Application Accelerator
"{9541FED0-327F-4DF0-8B96-EF57EF622F19}" = Sonic RecordNow!
"{98177940-C048-4831-A279-F3888B1E2C7F}" = InstallMgr
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A5CC2A09-E9D3-49EC-923D-03874BBD4C2C}" = Windows Defender Signatures
"{A5F83C06-8FF0-46EE-B539-E5CB436ED9B7}" = WinShredder
"{A8AC89BA-D8CB-4372-9743-1C54D23286B0}" = MSN Toolbar
"{AC76BA86-0000-7EC8-7489-000000000702}" = Adobe Acrobat 7.0.1 and Reader 7.0.1 Update
"{AC76BA86-0000-7EC8-7489-000000000703}" = Adobe Acrobat 7.0.2 and Reader 7.0.2 Update
"{AC76BA86-7AD7-1033-7B44-A70000000000}" = Adobe Reader 7.0
"{AF19F291-F22F-4798-9662-525305AE9E48}" = WordPerfect Office 12
"{B6EF6DCE-078E-4952-A7FA-352A9C349EB0}" = MSN Toolbar
"{B7148D71-0A8F-4501-96B4-4E1CC67F874E}" = Microsoft Default Manager
"{B82919F6-31AA-43B3-B566-5DE35D69069A}" = TurboTax ItsDeductible 2004
"{BBB33AD6-BCF7-4002-B6A0-6DC679AE5C18}" = TaxCut Premium + State + Efile 2008
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CC000127-5E5D-4A1C-90CB-EEAAAC1E3AC0}" = Jasc Paint Shop Photo Album
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D4B8C119-00F2-4C9D-A669-9AE3EA4A1641}" = The Shield Deluxe 2009
"{E82BF103-904F-49C0-B77F-6EC110B71E87}" = Sound Blaster Audigy 2
"{E93E5EF6-D361-481E-849D-F16EF5C78EBC}" = Musicmatch for Windows Media Player
"{EA2BEBD6-87B9-41E5-95AC-7E4C165A9475}" = WexTech AnswerWorks
"{ECA1A3B6-898F-4DCE-9F04-714CF3BA126B}" = Adobe Flash Player 10 Plugin
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"AskSBar Uninstall" = Ask Toolbar
"ATI Display Driver" = ATI Display Driver
"Copernic Agent Basic" = Copernic Agent Basic
"DeductionPro 2006" = DeductionPro 2006
"Dell Digital Jukebox Driver" = Dell Digital Jukebox Driver
"HijackThis" = HijackThis 2.0.2
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"ie8" = Windows Internet Explorer 8
"InstallShield_{0552A36D-0D7E-4FF5-8FDB-6629ABA7C779}" = iTunes
"InstallShield_{2E086814-7392-4E0F-ADB8-54A81E47406C}" = Broadcom Advanced Control Suite 2
"Intel® 537EP V9x DF PCI Modem" = Intel® 537EP V9x DF PCI Modem
"LimeWire" = LimeWire 5.1.4
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Mozilla Firefox (3.5.3)" = Mozilla Firefox (3.5.3)
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"Pdf995" = Pdf995
"QuickTime" = QuickTime
"SpywareBlaster_is1" = SpywareBlaster 4.1
"StreetPlugin" = Learn2 Player (Uninstall Only)
"TaxCut Premium 2006" = TaxCut Premium 2006
"The Shield" = The Shield 2006 Professional
"TurboTax Deluxe 2004" = TurboTax Deluxe 2004
"TurboTax Deluxe 2005" = TurboTax Deluxe 2005
"WinASO Disk Cleaner_is1" = WinASO Disk Cleaner 2.0
"WinASO Registry Optimizer 3.0.9_is1" = WinASO Registry Optimizer 3.0.9
"WinASO Registry Optimizer 4.2_is1" = WinASO Registry Optimizer 4.2
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 10
"Windows XP Service Pack" = Windows XP Service Pack 3
"WMCSetup" = Windows Media Connect
"WMFDist11" = Windows Media Format 11 runtime
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-2151673172-542210679-3067518927-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Move Networks Player - IE" = Move Networks Media Player for Internet Explorer

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 6/7/2009 9:37:00 PM | Computer Name = LISA | Source = Application Error | ID = 1000
Description = Faulting application firefox.exe, version 1.0.2.0, faulting module
js3250.dll, version 4.0.0.0, fault address 0x00002cd8.

Error - 6/22/2009 4:37:43 PM | Computer Name = LISA | Source = Application Error | ID = 1000
Description = Faulting application firefox.exe, version 1.0.2.0, faulting module
firefox.exe, version 1.0.2.0, fault address 0x001956fa.

Error - 6/22/2009 4:37:46 PM | Computer Name = LISA | Source = Application Error | ID = 1001
Description = Fault bucket 183257516.

Error - 7/3/2009 3:39:54 PM | Computer Name = LISA | Source = Application Error | ID = 1000
Description = Faulting application firefox.exe, version 1.0.2.0, faulting module
npswf32.dll, version 9.0.16.0, fault address 0x000f5e97.

Error - 7/3/2009 3:40:05 PM | Computer Name = LISA | Source = Application Error | ID = 1001
Description = Fault bucket 1350061704.

Error - 7/3/2009 3:45:41 PM | Computer Name = LISA | Source = Application Error | ID = 1000
Description = Faulting application firefox.exe, version 1.0.2.0, faulting module
unknown, version 0.0.0.0, fault address 0x04c48bd9.

Error - 7/22/2009 12:21:07 AM | Computer Name = LISA | Source = Application Error | ID = 1000
Description = Faulting application iexplore.exe, version 8.0.6001.18702, faulting
module ntdll.dll, version 5.1.2600.5755, fault address 0x00010a1b.

Error - 8/18/2009 4:39:01 PM | Computer Name = LISA | Source = MsiInstaller | ID = 10005
Description = Product: Java™ 6 Update 15 -- Internal Error 2318. C:\Program Files\Java\jre6\lib\meta-index

Error - 8/21/2009 6:28:48 PM | Computer Name = LISA | Source = Application Error | ID = 1000
Description = Faulting application firefox.exe, version 1.0.2.0, faulting module
firefox.exe, version 1.0.2.0, fault address 0x001956fa.

Error - 8/21/2009 6:40:54 PM | Computer Name = LISA | Source = Application Error | ID = 1001
Description = Fault bucket 183257516.

[ System Events ]
Error - 10/17/2009 1:10:56 AM | Computer Name = LISA | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service EventSystem
with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

Error - 10/17/2009 1:13:49 AM | Computer Name = LISA | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service EventSystem
with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

Error - 10/17/2009 1:14:57 AM | Computer Name = LISA | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
Fips intelppm SASDIFSV SASKUTIL ShldDrv

Error - 10/17/2009 1:15:02 AM | Computer Name = LISA | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service EventSystem
with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

Error - 10/20/2009 5:34:38 PM | Computer Name = LISA | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service EventSystem
with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

Error - 10/20/2009 5:34:48 PM | Computer Name = LISA | Source = DCOM | ID = 10005
Description = DCOM got error "%1058" attempting to start the service wuauserv with
arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}

Error - 10/20/2009 5:35:19 PM | Computer Name = LISA | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
Fips intelppm SASDIFSV SASKUTIL ShldDrv

Error - 10/20/2009 5:57:30 PM | Computer Name = LISA | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service EventSystem
with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

Error - 10/29/2009 3:22:38 PM | Computer Name = LISA | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service EventSystem
with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

Error - 10/29/2009 3:23:44 PM | Computer Name = LISA | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
Fips intelppm SASDIFSV SASKUTIL ShldDrv


< End of report >
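
The log above shows two patterns worth automating when triaging OTL output from a rogue-AV infection: freshly created DLLs in System32 that carry hidden+system attributes, no company name and random eight-letter names (hoyobuva.dll, zasulege.dll, and the July batch), and the Shell Spawning section, where the "open" verb of exefile and its siblings should still be exactly "%1" %* (OTL reports those lines as "File not found" even on a clean system because "%1" is a placeholder rather than a file; a hijacked association instead points at a real program). The following Python script is an added example written for this thread, not code from OTL, exeHelper or any other tool discussed here. Its sample lines are copied from the log above plus one constructed, hypothetical hijacked exefile entry, and the random-name rule is an assumed heuristic that yields leads to verify, not verdicts.

```python
"""Triage helper for OTL-style log excerpts (added example, not OTL's own code)."""
import re
from typing import Dict, List, Optional, Tuple

# Sample "Files Created" lines copied from the OTL log in this thread.
SAMPLE_FILE_LINES = r"""
[2009/10/11 20:42:47 | 00,002,713 | -HS- | C] () -- C:\WINDOWS\System32\hoyobuva.dll
[2009/10/06 14:03:27 | 00,051,712 | -HS- | C] () -- C:\WINDOWS\System32\zasulege.dll
[2008/10/09 16:31:54 | 00,192,512 | ---- | C] () -- C:\WINDOWS\System32\txmlutil.dll
[2006/10/26 21:05:55 | 00,684,032 | ---- | C] () -- C:\WINDOWS\System32\libeay32.dll
[2004/10/28 16:57:41 | 00,000,062 | -HS- | C] () -- C:\Documents and Settings\reginald a jones\Application Data\DESKTOP.INI
"""

# Sample "Shell Spawning" lines copied from the Extras log, plus one CONSTRUCTED
# hijacked exefile entry (hypothetical path) so the check has something to flag.
SAMPLE_SHELL_LINES = r"""
batfile [open] -- "%1" %* File not found
chm.file [open] -- "C:\WINDOWS\hh.exe" %1 (Microsoft Corporation)
exefile [open] -- "C:\EXAMPLE\loader.exe" "%1" %* File not found
regfile [merge] -- Reg Error: Key error.
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
"""

# [date time | size | attrs | C] (company) -- path
FILE_LINE = re.compile(
    r"^\[(?P<stamp>[^|]+?)\s*\|\s*(?P<size>[\d,]+)\s*\|\s*(?P<attrs>[-A-Z]{4})\s*\|\s*C\]"
    r"\s*\((?P<company>[^)]*)\)\s*--\s*(?P<path>.+)$"
)
# <progid> [<verb>] -- <command> <OTL resolution note>
SHELL_LINE = re.compile(r"^(?P<progid>\S+)\s+\[(?P<verb>[^\]]+)\]\s+--\s+(?P<rest>.+)$")

# Default Windows XP "open" command for executable ProgIDs; anything else is a hijack lead.
EXPECTED_OPEN = {p: '"%1" %*' for p in ("exefile", "comfile", "batfile", "cmdfile", "piffile")}

# Assumed heuristic: eight lowercase letters plus .dll/.exe, as seen in this log.
RANDOM_NAME = re.compile(r"^[a-z]{8}\.(dll|exe)$")


def parse_file_line(line: str) -> Optional[Dict[str, object]]:
    """Parse one OTL file line into a dict, or None if the line is not one."""
    m = FILE_LINE.match(line.strip())
    if not m:
        return None
    return {
        "stamp": m["stamp"].strip(),
        "size": int(m["size"].replace(",", "")),
        "attrs": m["attrs"],
        "company": m["company"],
        "path": m["path"].strip(),
    }


def suspicious_files(text: str) -> List[str]:
    """Paths under System32 that are hidden+system, have no company and a random-looking name."""
    hits: List[str] = []
    for line in text.splitlines():
        rec = parse_file_line(line)
        if rec is None:
            continue
        path = str(rec["path"])
        attrs = str(rec["attrs"])
        name = path.rsplit("\\", 1)[-1]
        if (
            "\\system32\\" in path.lower()
            and "H" in attrs and "S" in attrs
            and rec["company"] == ""
            and RANDOM_NAME.match(name)
        ):
            hits.append(path)
    return hits


def shell_hijacks(text: str) -> List[Tuple[str, str]]:
    """(progid, command) pairs whose 'open' verb deviates from the XP default."""
    findings: List[Tuple[str, str]] = []
    for line in text.splitlines():
        m = SHELL_LINE.match(line.strip())
        if not m or m["verb"] != "open" or m["progid"] not in EXPECTED_OPEN:
            continue
        # Drop OTL's trailing note: "File not found" or "(Company Name)".
        cmd = re.sub(r"\s*(File not found|\([^)]*\))\s*$", "", m["rest"])
        if cmd != EXPECTED_OPEN[m["progid"]]:
            findings.append((m["progid"], cmd))
    return findings


if __name__ == "__main__":
    for p in suspicious_files(SAMPLE_FILE_LINES):
        print("verify:", p)
    for progid, cmd in shell_hijacks(SAMPLE_SHELL_LINES):
        print("hijacked association:", progid, "->", cmd)
```

Run it against a full OTL.txt and Extras.txt by reading the files and passing their contents to the two functions; the file heuristic is deliberately narrow (System32, H+S, blank company, random name) so that legitimate hidden files such as DESKTOP.INI do not produce noise.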

#4 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,779 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:At home
  • Local time:01:36 AM

Posted 29 October 2009 - 04:44 PM

Hi,

I notice that 2 antivirus programs are running:
I do not recommend that you have more than one anti-virus product installed and running on your computer at a time. The reason for this is that if both products have their automatic (real-time) protection switched on, then those products which do not encrypt the virus strings within them can cause other anti-virus products to raise "false alarms". It can also lead to a clash as both products fight for access to files which are opened; again, this is the resident/automatic protection. In general terms, the two programs may conflict and cause:
1) False Alarms: When the anti-virus software tells you that your PC has a virus when it actually doesn't.
2) System Performance Problems: Your system may lock up due to both products attempting to access the same file at the same time.
Therefore, please go to Add/Remove Programs in the Control Panel and remove either Panda or BitDefender.

We're going to run Malwarebytes again, please uninstall Malwarebytes if it is currently installed before trying the following:

Please download RKill by Grinler from one of the 4 links below and save it to your desktop.

Link 1
Link 2
Link 3
Link 4
  • Before we begin, you should disable any anti-malware software you have installed so it does not interfere with RKill running, as some anti-malware software detects RKill as malicious. Please refer to this page if you are not sure how.
  • Double-click on Rkill on your desktop to run it. (If you are using Windows Vista, please right-click on it and select Run As Administrator)
  • A black screen will appear and then disappear. Please do not worry, that is normal. This means that the tool has been successfully executed.
  • If nothing happens or if the tool does not run, please let me know in your next reply
Afterwards please download and try to run Malwarebytes once more:
Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
If you have a previous version of MBAM, remove it via Add/Remove Programs and download a fresh copy.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself.
  • Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install. Alternatively, you can update through MBAM's interface from a clean computer, copy the definitions (rules.ref) located in C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware from that system to a usb stick or CD and then copy it to the infected machine.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless of whether you are prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you after scanning with MBAM. Please temporarily disable such programs or permit them to allow the changes.

Let me know how this works out.

regards _temp_

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 

Follow BleepingComputer on: Facebook | Twitter | Google+


#5 cmrisner

cmrisner
  • Topic Starter

  • Members
  • 94 posts
  • OFFLINE
  •  
  • Local time:03:36 PM

Posted 29 October 2009 - 05:38 PM

I tried removing Panda and BitDefender; however, I could not find them in the Add/Remove Programs list or the Programs menu. I believe these may have been previously removed, but I cannot be sure since this is not my computer. Also, I know that the current anti-virus program is The Shield Deluxe 2009. Should I remove this program?

I tried the steps you indicated in your post. I removed the previous installation of MBAM via the add/remove programs list. I received a message at the end of the installation indicating that not all files were removed, and that some files needed to be removed manually.

Next I downloaded RKill and ran it. When it completed, Windows prompted me as to whether I wanted to continue using Safe Mode. I answered yes and then proceeded to download a new copy of MBAM using the link you provided.

I installed the new copy, and when MBAM tried to run, it failed and gave me the same error message I have been receiving every time I have tried running MBAM.

The error message reads:
Unable to execute file:
C:\ followed by the path for mbam.exe

Create process failed; code 2
The system cannot find the specified file

This message repeats twice.

Upon receiving this message, I uninstalled MBAM again, this time using the uninstall icon from the Start -> All Programs -> Malwarebytes' Anti-Malware menu.

I then tried running RKill again. I again downloaded MBAM and tried the installation process again but I got the same error message after the program first tried to run.

I noticed that the shortcuts for mbam.exe can't find the executable file.

What should I try now?

#6 myrti


Posted 29 October 2009 - 05:48 PM

Hi,

OK, this is obviously some nasty infection. The infection will target and delete mbam.exe, it seems. Please run the following tool:

Download and run Win32kDiag and post the log file in your next reply.

Please also download exeHelper and try again to run MBAM.
First run exeHelper:

Please download exeHelper to your desktop.
Double-click on exeHelper.com to run the fix.
A black window should pop up, press any key to close once the fix is completed.
Post the contents of exehelperlog.txt (Will be created in the directory where you ran exeHelper.com, and should open at the end of the scan)
Note: If the window shows a message that says "Error deleting file", please re-run the program before posting a log - and post the two logs together (they will both be in the one file).

Then try to install and run Malwarebytes again. If you're successful, please post the log from Malwarebytes.

regards _temp_



#7 cmrisner


Posted 29 October 2009 - 06:04 PM

Okay... I tried all the steps you indicated in your last post. (Below are the log files you requested.) When I ran exeHelper there were no indications of errors deleting any files in the command prompt window. Afterward, I uninstalled and re-installed MBAM and tried running it. The program made it to the screen where it asks whether you want to do a quick or full scan. I was about to select a quick scan, but before I could do anything the program was killed and everything seems to have reverted back to how it was in my previous post (i.e., MBAM won't run and the shortcuts can't find mbam.exe). Well, there is one difference: the pop-ups seem to be increasing in frequency. See log files below:

Win32kDiag.txt:

Running from: C:\Documents and Settings\reginald a jones\Desktop\Win32kDiag.exe

Log file at : C:\Documents and Settings\reginald a jones\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...

exehelperlog.txt:

exeHelper by Raktor
Build 20091021
Run at 15:53:16 on 10/29/09
Now searching...
Checking for numerical processes...
Deleting file C:\Documents and Settings\All Users\Application Data\49406023\49406023.exe
Removing HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\49406023
Deleting file C:\Documents and Settings\All Users\Application Data\83341726\83341726.exe
Removing HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\83341726
Checking for bad processes...
Checking for bad files...
Deleting file C:\Documents and Settings\reginald a jones\Desktop\Security Tool.lnk
Deleting file C:\Documents and Settings\reginald a jones\Start Menu\Programs\Security Tool.lnk
Checking for bad registry entries...
Resetting filetype association for .exe
Resetting filetype association for .com
Resetting userinit and shell values...
Resetting policies...
--Finished--





Finished!

#8 myrti, Sillyberry (Malware Study Hall Admin, 33,779 posts)

Posted 29 October 2009 - 06:10 PM

EDIT: ignore me, will post back with more instructions soon.
regards _temp_

Edited by _temp_, 29 October 2009 - 06:11 PM.



#9 myrti, Sillyberry (Malware Study Hall Admin, 33,779 posts)

Posted 30 October 2009 - 06:13 AM

Hi,

please boot into normal mode and run rkill once again.
If you can not run rkill in normal mode please download this version: link and save it to C:\
Then go to start->run and type C:\rkill.com to execute the downloaded file.

After running rkill (without rebooting) download and run Combofix:
Please download ComboFix from one of these locations:

Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Temporarily disable your AntiVirus and AntiSpyware applications. They may otherwise interfere with our tools.
    Usually this can be done via a right click on the System Tray icon, check this tutorial for disabling the most common security programs: Link

  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

(screenshot)


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

(screenshot)


Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


If you need help, see this link:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

regards _temp_



#10 cmrisner (Topic Starter, Members, 94 posts)

Posted 30 October 2009 - 01:06 PM

I tried running RKill in normal mode. I cannot run RKill in normal mode...in fact I can't do anything in normal mode except watch Security Tool run its fake AV scan. I can't even open task manager. When the fake scan is completed I can't even access anything on the Desktop.

#11 cmrisner (Topic Starter, Members, 94 posts)

Posted 30 October 2009 - 03:24 PM

I got lucky...I restarted in normal mode and for some strange reason the anti-virus software (Shield Deluxe 2009) actually caught at least part of the malware and blocked it before the malware could completely disable the anti-virus program. I have booted this machine up probably 20 times since I started working on it and that never happened. Anyway, this provided me with an opportunity to try and run rkill again so I did and it worked. I then went to combofix, got recovery console and let combofix try to remove the malware. Everything went smoothly except combofix took around an hour to run. Below is the log.

ComboFix 09-10-28.08 - reginald a jones 10/30/2009 12:59.2.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.666 [GMT -7:00]
Running from: c:\documents and settings\reginald a jones\Desktop\ComboFix.exe
AV: The Shield Deluxe 2009 Antivirus *On-access scanning disabled* (Updated) {6C4BB89C-B0ED-4F41-A29C-4373888923BB}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\darlyn jones\Desktop\Security Tool.lnk
c:\documents and settings\darlyn jones\Start Menu\Programs\Security Tool.lnk
c:\documents and settings\reginald a jones\Desktop\Security Tool.lnk
c:\documents and settings\reginald a jones\Start Menu\Programs\Security Tool.lnk
c:\windows\system32\fikuyelu.dll
c:\windows\system32\gakemojo.dll
c:\windows\system32\gemewoda.exe
c:\windows\system32\heridoga.dll
c:\windows\system32\hirihipo.dll
c:\windows\system32\hoyobuva.dll
c:\windows\system32\kiwayoro.exe
c:\windows\system32\kulufegi.dll
c:\windows\system32\latuwusa.dll
c:\windows\system32\mevozeha.dll
c:\windows\system32\modisemi.dll
c:\windows\system32\mupapupe.dll
c:\windows\system32\nominenu.dll
c:\windows\system32\open.ico
c:\windows\system32\ridilave.exe
c:\windows\system32\tohuzeno.dll
c:\windows\system32\visutime.exe
c:\windows\system32\vowowono.dll
c:\windows\system32\yaguwune.dll
c:\windows\system32\zasulege.dll
c:\windows\wiaserviv.log

c:\windows\system32\proquota.exe was missing
Restored copy from - c:\windows\ServicePackFiles\i386\proquota.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_AVAST!ANTIVIRUS


((((((((((((((((((((((((( Files Created from 2009-09-28 to 2009-10-30 )))))))))))))))))))))))))))))))
.

2009-10-30 20:06 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\proquota.exe
2009-10-30 20:06 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\dllcache\proquota.exe
2009-10-30 19:36 . 2009-10-30 19:36 262656 ----a-w- C:\rkill.com
2009-10-29 22:56 . 2009-09-10 21:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-29 22:56 . 2009-09-10 21:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-29 22:16 . 2009-10-29 22:16 -------- d--h--w- c:\windows\PIF
2009-10-29 20:23 . 2009-10-29 22:53 -------- d-----w- c:\documents and settings\All Users\Application Data\83341726
2009-10-13 06:13 . 2009-10-13 06:13 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2009-10-13 06:13 . 2009-10-13 06:13 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2009-10-13 06:11 . 2009-10-30 19:39 -------- d-----w- c:\documents and settings\All Users\Application Data\16636729
2009-10-13 06:11 . 2009-10-13 06:11 -------- d-----w- c:\documents and settings\All Users\Application Data\nominenu
2009-10-11 00:03 . 2009-10-11 00:21 15 ----a-w- c:\documents and settings\reginald a jones\settings.dat
2009-10-10 22:06 . 2009-10-29 22:53 -------- d-----w- c:\documents and settings\All Users\Application Data\49406023
2009-10-05 07:00 . 2009-10-30 19:39 -------- d-----w- c:\documents and settings\reginald a jones\Application Data\4079250434

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-30 20:09 . 2004-10-26 13:56 288 ----a-w- c:\windows\system32\DVCStateBkp-{00000004-00000000-00000002-00001102-00000004-10031102}.dat
2009-10-30 20:09 . 2004-10-26 13:56 288 ----a-w- c:\windows\system32\DVCState-{00000004-00000000-00000002-00001102-00000004-10031102}.dat
2009-10-29 22:56 . 2009-03-09 01:26 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-13 06:12 . 2009-04-03 05:03 81984 ----a-w- c:\windows\system32\bdod.bin
2009-08-07 02:24 . 2004-08-04 10:00 327896 ----a-w- c:\windows\system32\wucltui.dll
2009-08-07 02:24 . 2004-08-04 10:00 209632 ----a-w- c:\windows\system32\wuweb.dll
2009-08-07 02:24 . 2005-05-26 11:16 44768 ----a-w- c:\windows\system32\wups2.dll
2009-08-07 02:24 . 2004-10-28 23:47 35552 ----a-w- c:\windows\system32\wups.dll
2009-08-07 02:24 . 2004-08-04 10:00 53472 ----a-w- c:\windows\system32\wuauclt.exe
2009-08-07 02:24 . 2004-08-04 10:00 96480 ----a-w- c:\windows\system32\cdm.dll
2009-08-07 02:23 . 2004-08-04 10:00 575704 ----a-w- c:\windows\system32\wuapi.dll
2009-08-07 02:23 . 2006-08-21 23:43 274288 ----a-w- c:\windows\system32\mucltui.dll
2009-08-07 02:23 . 2005-05-26 11:19 215920 ----a-w- c:\windows\system32\muweb.dll
2009-08-07 02:23 . 2004-08-04 10:00 1929952 ----a-w- c:\windows\system32\wuaueng.dll
2009-08-05 09:01 . 2004-08-04 10:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-04-02 04:31 . 2008-10-31 01:34 49664 ----a-w- c:\program files\mozilla firefox\components\FFComm.dll
2006-10-17 00:34 . 2006-10-17 00:34 110592 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
2008-01-05 02:58 . 2008-01-05 02:58 2 --shatr- c:\windows\winstart.bat
2009-07-29 20:22 . 2009-07-29 20:22 51712 --sha-w- c:\windows\SYSTEM32\seduvumo.dll
2009-07-29 20:23 . 2009-07-29 20:23 51712 --sha-w- c:\windows\SYSTEM32\ziyojozi.dll
2009-02-28 02:36 . 2009-02-27 14:53 1003552 --sha-w- c:\windows\SYSTEM32\DRIVERS\fidbox.dat
2009-02-28 02:36 . 2009-02-27 14:53 800 --sha-w- c:\windows\SYSTEM32\DRIVERS\fidbox2.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{0579B4B6-0293-4d73-B02D-5EBB0BA0F0A2}"= "c:\program files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL" [2009-02-19 66912]

[HKEY_CLASSES_ROOT\clsid\{0579b4b6-0293-4d73-b02d-5ebb0ba0f0a2}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0579B4B1-0293-4d73-B02D-5EBB0BA0F0A2}]
2009-02-19 06:07 66912 ----a-w- c:\program files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{a84a0358-5df4-442d-ba02-357d84a49ef7}]
2009-07-29 20:23 51712 --sha-w- c:\windows\SYSTEM32\ziyojozi.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WinShredder"="c:\program files\PCSecurityShield\WinShredder\ws20.exe" [2006-02-24 2101248]
"BDAgent"="c:\program files\PCSecurityShield\BitDefender 2009\bdagent.exe" [2009-04-02 778240]
"BitDefender Antiphishing Helper"="c:\program files\PCSecurityShield\BitDefender 2009\IEShow.exe" [2009-04-02 73728]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2005-05-22 98304]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]
"Microsoft Default Manager"="c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2009-02-03 233304]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 39264]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2006-12-20 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2007-04-19 21:41 294912 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avldr]
2005-09-27 20:13 45056 ----a-w- c:\windows\SYSTEM32\avldr.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0Partizan

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
backup=c:\windows\pss\America Online 9.0 Tray Icon.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVP
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpySweeper
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinShredder

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\QuickTime\\qttask.exe"=
"c:\\Program Files\\PCSecurityShield\\BitDefender 2009\\seccenter.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1304:UDP"= 1304:UDP:Windows Media Format SDK (firefox.exe)
"1310:UDP"= 1310:UDP:Windows Media Format SDK (firefox.exe)
"1328:UDP"= 1328:UDP:Windows Media Format SDK (firefox.exe)
"1494:UDP"= 1494:UDP:Windows Media Format SDK (wmplayer.exe)

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [10/10/2006 2:53 PM 5632]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2/27/2007 1:39 PM 32256]
R1 ShldDrv;Panda File Shield Driver;c:\windows\SYSTEM32\DRIVERS\ShldDrv.sys [12/29/2005 2:36 PM 26752]
R2 PavProc;Panda Process Protection Driver;c:\windows\SYSTEM32\DRIVERS\PavProc.sys [12/29/2005 2:36 PM 163856]
R3 bdfm;BDFM;c:\windows\SYSTEM32\DRIVERS\bdfm.sys [9/18/2008 12:09 PM 111112]
S2 yfisrjealdoqhu;yfisrjealdoqhu;\??\c:\windows\system32\drivers\ljkutnfnouwybpv.sys --> c:\windows\system32\drivers\ljkutnfnouwybpv.sys [?]
S3 Arrakis3;PCSecurityShield Arrakis Server;c:\program files\Common Files\BitDefender\BitDefender Arrakis Server\bin\Arrakis3.exe [7/17/2008 1:06 PM 118784]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2/16/2006 6:51 PM 4096]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - CLASSPNP_2
*NewlyCreated* - MBR
*Deregistered* - CLASSPNP_2
*Deregistered* - mbr

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bdx REG_MULTI_SZ scan
.
Contents of the 'Scheduled Tasks' folder

2004-10-28 c:\windows\Tasks\ISP signup reminder 1.job
- c:\windows\system32\OOBE\OOBEBALN.EXE [2004-08-04 00:12]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: Search Using Copernic Agent - c:\program files\Copernic Agent\CopernicAgentExt.dll/INTEGRATION_MENU_SEARCHEXT
Handler: copernicagent - {A979B6BD-E40B-4A07-ABDD-A62C64A4EBF6} - c:\progra~1\COPERN~1\COPERN~1.DLL
Handler: copernicagentcache - {AAC34CFD-274D-4A9D-B0DC-C74C05A67E1D} - c:\progra~1\COPERN~1\COPERN~1.DLL
FF - ProfilePath - c:\documents and settings\reginald a jones\Application Data\Mozilla\Firefox\Profiles\8far29aa.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://finance.yahoo.com/
FF - component: c:\program files\Mozilla Firefox\components\FFComm.dll
FF - component: c:\program files\Mozilla Firefox\components\GoogleDesktopMozilla.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPAskSBr.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npqtplugin8.dll
FF - plugin: c:\program files\QuickTime\Plugins\npqtplugin8.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
.
- - - - ORPHANS REMOVED - - - -

Toolbar-SITEguard - (no file)
WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)
HKLM-Run-4079250434 - c:\documents and settings\reginald a jones\Application Data\4079250434\4079250434.exe
HKLM-Run-16636729 - c:\documents and settings\All Users\Application Data\16636729\16636729.exe
HKLM-Run-kigasatov - c:\windows\system32\latuwusa.dll
HKLM-Run-yavotuyowa - tohuzeno.dll
SharedTaskScheduler-{35e7bac6-bdc8-40e6-aa03-c05379aa6a91} - c:\windows\system32\zerakede.dll
SharedTaskScheduler-{3f3edef3-8af3-47fe-9cc5-4823f537be63} - c:\windows\system32\ziyewila.dll
SharedTaskScheduler-{125d1918-848a-412f-9202-33c369405e52} - c:\windows\system32\latuwusa.dll
SSODL-gadikuzur-{35e7bac6-bdc8-40e6-aa03-c05379aa6a91} - c:\windows\system32\zerakede.dll
SSODL-hasakiwov-{3f3edef3-8af3-47fe-9cc5-4823f537be63} - c:\windows\system32\ziyewila.dll
SSODL-letatijoy-{125d1918-848a-412f-9202-33c369405e52} - c:\windows\system32\latuwusa.dll
SafeBoot-svcWRSSSDK



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-30 13:11
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(512)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
c:\windows\system32\avldr.dll

- - - - - - - > 'explorer.exe'(1644)
c:\windows\system32\WININET.dll
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\CTsvcCDA.exe
c:\program files\Intel\Intel Application Accelerator\iaantmon.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Panda Software\PavShld\pavprsrv.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\windows\system32\MsPMSPSv.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\SestusSys.exe
.
**************************************************************************
.
Completion time: 2009-10-30 13:18 - machine was rebooted
ComboFix-quarantined-files.txt 2009-10-30 20:18
ComboFix2.txt 2008-01-05 04:11

Pre-Run: 22,573,092,864 bytes free
Post-Run: 22,819,901,440 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - DB25D9F73B64905A853167584E91CAE0
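An added triage example (my own code, not part of this thread and not a BleepingComputer, ComboFix or Malwarebytes tool): the "Reg Loading Points" and "ORPHANS REMOVED" sections of the ComboFix log above show the recurring shapes of this rogue's persistence: executables with purely numeric names under Application Data (4079250434.exe, 16636729.exe), a Run value holding a bare DLL name with no path (tohuzeno.dll), and orphans whose file is already gone. The script below parses log lines in those two formats and flags entries for a reviewer. The sample text is constructed from lines of the log above; the "random 8-letter DLL in system32" rule is a heuristic of mine that will also flag some legitimate files, which is why it only asks for review.

```python
"""Flag suspicious autostart entries in ComboFix-style log lines.

Example code written for this thread; it is not a ComboFix feature.
Two line shapes are parsed:
    "Name"="c:\\path\\file.exe" [date size]      (Reg Loading Points)
    HKLM-Run-Name - c:\\path\\file.exe           (ORPHANS REMOVED)
"""
import re
from typing import List, Optional, Tuple

# Constructed sample: a handful of lines copied in shape (and paths) from
# the ComboFix log posted above, not a full log.
SAMPLE = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BDAgent"="c:\program files\PCSecurityShield\BitDefender 2009\bdagent.exe" [2009-04-02 778240]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2005-05-22 98304]
- - - - ORPHANS REMOVED - - - -
Toolbar-SITEguard - (no file)
HKLM-Run-4079250434 - c:\documents and settings\reginald a jones\Application Data\4079250434\4079250434.exe
HKLM-Run-16636729 - c:\documents and settings\All Users\Application Data\16636729\16636729.exe
HKLM-Run-kigasatov - c:\windows\system32\latuwusa.dll
HKLM-Run-yavotuyowa - tohuzeno.dll
SSODL-gadikuzur-{35e7bac6-bdc8-40e6-aa03-c05379aa6a91} - c:\windows\system32\zerakede.dll
'''

QUOTED = re.compile(r'^"([^"]+)"=\s*"([^"]+)"')   # "Name"="path" [...]
ORPHAN = re.compile(r'^([A-Za-z]+-[^ ]+) - (.+)$')  # Key-Name - path
# Heuristic (assumption, not from the thread): eight lowercase letters
# with no digits, directly in system32, is the naming style of the DLLs
# ComboFix deleted above (fikuyelu.dll, latuwusa.dll, ...).
RANDOM_DLL = re.compile(r"\\system32\\[a-z]{8}\.dll$")


def classify(path: str) -> Optional[str]:
    """Return a reason string if the autostart target looks suspicious."""
    p = path.strip().lower()
    if p == "(no file)":
        return "dangling autostart: the referenced file no longer exists"
    if "\\" not in p:
        # A bare filename is resolved through the search path, so the
        # loader, not the registry value, decides which file runs.
        return "bare filename with no directory in the autostart value"
    stem = p.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    if "\\application data\\" in p and stem.isdigit():
        return "numeric-named executable under Application Data (rogue AV pattern)"
    if RANDOM_DLL.search(p):
        return "review: random-looking 8-letter DLL in system32 (heuristic, verify publisher and hash)"
    return None


def triage(log_text: str) -> List[Tuple[str, str, str]]:
    """Parse log lines and return (entry name, path, reason) for each hit."""
    hits = []
    for line in log_text.splitlines():
        m = QUOTED.match(line) or ORPHAN.match(line)
        if not m:
            continue  # section headers, separators, blank lines
        name, path = m.group(1), m.group(2).strip()
        reason = classify(path)
        if reason:
            hits.append((name, path, reason))
    return hits


if __name__ == "__main__":
    for name, path, reason in triage(SAMPLE):
        print(f"{name}\n    {path}\n    -> {reason}")
```

Run it against a saved C:\ComboFix.txt by reading the file into `triage()`; entries it does not flag are not thereby clean, it only surfaces the patterns this thread's logs happen to show.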

#12 cmrisner (Topic Starter, Members, 94 posts)

Posted 30 October 2009 - 05:08 PM

I was able to successfully run a MBAM quick scan in normal mode, below is a copy of the log file.

Malwarebytes' Anti-Malware 1.41
Database version: 3063
Windows 5.1.2600 Service Pack 3

10/30/2009 3:06:57 PM
mbam-log-2009-10-30 (15-06-57).txt

Scan type: Quick Scan
Objects scanned: 114563
Time elapsed: 5 minute(s), 16 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 4
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Documents and Settings\All Users\Application Data\16636729 (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\49406023 (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\83341726 (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\reginald a jones\Application Data\4079250434 (Rogue.SecurityTool) -> Quarantined and deleted successfully.

Files Infected:
C:\Documents and Settings\All Users\Application Data\16636729\16636729.bat (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\49406023\49406023.bat (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\reginald a jones\Application Data\4079250434\4079250434.bat (Rogue.SecurityTool) -> Quarantined and deleted successfully.
C:\Documents and Settings\reginald a jones\Application Data\4079250434\4079250434.cfg (Rogue.SecurityTool) -> Quarantined and deleted successfully.

#13 cmrisner (Topic Starter, Members, 94 posts)

Posted 30 October 2009 - 07:07 PM

I ran a full scan on MBAM. The scan found 7 more infections (see log below). The computer is still running very slow and applications take a very long time to open. There also seems to be some suspicious processes running, but since I can't be sure I'll just leave them alone for now until you have a chance to look everything over. I am going to run another MBAM scan after I restart and then download superantispyware and run a scan with that.

Malwarebytes' Anti-Malware 1.41
Database version: 3063
Windows 5.1.2600 Service Pack 3

10/30/2009 5:00:18 PM
mbam-log-2009-10-30 (17-00-18).txt

Scan type: Full Scan (C:\|)
Objects scanned: 197054
Time elapsed: 46 minute(s), 9 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 7

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\gemewoda.exe.vir (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\kiwayoro.exe.vir (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP237\A0173929.exe (Rogue.SystemSecurity) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP238\A0175979.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP238\A0175983.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP238\A0176090.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP238\A0176091.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

#14 cmrisner (Topic Starter, Members, 94 posts)

Posted 30 October 2009 - 08:34 PM

MBAM full scan came back clean. Superantispyware found one more on quick scan, going to run a full scan next. The system still runs very slow and applications take a while to start.

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 10/30/2009 at 06:18 PM

Application Version : 4.29.1004

Core Rules Database Version : 4216
Trace Rules Database Version: 2122

Scan type : Quick Scan
Total Scan Time : 00:13:42

Memory items scanned : 364
Memory threats detected : 0
Registry items scanned : 574
Registry threats detected : 0
File items scanned : 9661
File threats detected : 64

Trojan.Agent/Gen
C:\Program Files\SYS

Adware.Tracking Cookie
C:\Documents and Settings\darlyn jones\Cookies\darlyn_jones@sojern.122.2o7[1].txt
C:\Documents and Settings\darlyn jones\Cookies\darlyn_jones@tacoda[2].txt
C:\Documents and Settings\darlyn jones\Cookies\darlyn_jones@pro-market[2].txt
C:\Documents and Settings\darlyn jones\Cookies\darlyn_jones@revsci[2].txt
C:\Documents and Settings\darlyn jones\Cookies\darlyn_jones@adfarm1.adition[2].txt
C:\Documents and Settings\darlyn jones\Cookies\darlyn_jones@at.atwola[2].txt
C:\Documents and Settings\darlyn jones\Cookies\darlyn_jones@adserver.adtechus[1].txt
C:\Documents and Settings\darlyn jones\Cookies\darlyn_jones@bs.serving-sys[1].txt
C:\Documents and Settings\darlyn jones\Cookies\darlyn_jones@advertising[1].txt
C:\Documents and Settings\darlyn jones\Cookies\darlyn_jones@247realmedia[1].txt
C:\Documents and Settings\darlyn jones\Cookies\darlyn_jones@www.cpctrack[2].txt
C:\Documents and Settings\darlyn jones\Cookies\darlyn_jones@msnportal.112.2o7[1].txt
C:\Documents and Settings\darlyn jones\Cookies\darlyn_jones@ad.associatedcontent[1].txt
C:\Documents and Settings\darlyn jones\Cookies\darlyn_jones@cpctrack[2].txt
C:\Documents and Settings\darlyn jones\Cookies\darlyn_jones@collective-media[1].txt
C:\Documents and Settings\darlyn jones\Cookies\darlyn_jones@microsoftmachinetranslation.112.2o7[1].txt
C:\Documents and Settings\darlyn jones\Cookies\darlyn_jones@dr.findlinks[1].txt
C:\Documents and Settings\darlyn jones\Cookies\darlyn_jones@a1.interclick[1].txt
C:\Documents and Settings\darlyn jones\Cookies\darlyn_jones@adopt.euroclick[2].txt
C:\Documents and Settings\darlyn jones\Cookies\darlyn_jones@track.platinum-giveaways[1].txt
C:\Documents and Settings\darlyn jones\Cookies\darlyn_jones@ads.associatedcontent[1].txt
C:\Documents and Settings\darlyn jones\Cookies\darlyn_jones@server.iad.liveperson[2].txt
C:\Documents and Settings\darlyn jones\Cookies\darlyn_jones@server.iad.liveperson[3].txt
C:\Documents and Settings\darlyn jones\Cookies\darlyn_jones@cbsdigitalmedia.112.2o7[2].txt
C:\Documents and Settings\darlyn jones\Cookies\darlyn_jones@specificclick[2].txt
C:\Documents and Settings\darlyn jones\Cookies\darlyn_jones@atdmt[1].txt
C:\Documents and Settings\darlyn jones\Cookies\darlyn_jones@tracking.gajmp[1].txt
C:\Documents and Settings\darlyn jones\Cookies\darlyn_jones@invitemedia[1].txt
C:\Documents and Settings\darlyn jones\Cookies\darlyn_jones@content.yieldmanager[1].txt
C:\Documents and Settings\darlyn jones\Cookies\darlyn_jones@onrampadvertising[1].txt
C:\Documents and Settings\darlyn jones\Cookies\darlyn_jones@www.googleadservices[3].txt
C:\Documents and Settings\darlyn jones\Cookies\darlyn_jones@interclick[2].txt
C:\Documents and Settings\darlyn jones\Cookies\darlyn_jones@dmtracker[1].txt
C:\Documents and Settings\darlyn jones\Cookies\darlyn_jones@www.googleadservices[4].txt
C:\Documents and Settings\darlyn jones\Cookies\darlyn_jones@www.googleadservices[1].txt
C:\Documents and Settings\darlyn jones\Cookies\darlyn_jones@www.googleadservices[5].txt
C:\Documents and Settings\darlyn jones\Cookies\darlyn_jones@microsoftwindows.112.2o7[1].txt
C:\Documents and Settings\darlyn jones\Cookies\darlyn_jones@pentonmedia.122.2o7[1].txt
C:\Documents and Settings\darlyn jones\Cookies\darlyn_jones@ice.112.2o7[1].txt
C:\Documents and Settings\darlyn jones\Cookies\darlyn_jones@sales.liveperson[2].txt
C:\Documents and Settings\darlyn jones\Cookies\darlyn_jones@ads.pointroll[1].txt
C:\Documents and Settings\darlyn jones\Cookies\darlyn_jones@purityproducts.112.2o7[1].txt
C:\Documents and Settings\darlyn jones\Cookies\darlyn_jones@chicagosuntimes.122.2o7[1].txt
C:\Documents and Settings\darlyn jones\Cookies\darlyn_jones@edge.ru4[2].txt
C:\Documents and Settings\darlyn jones\Cookies\darlyn_jones@iacas.adbureau[2].txt
C:\Documents and Settings\darlyn jones\Cookies\darlyn_jones@adbureau[1].txt
C:\Documents and Settings\darlyn jones\Cookies\darlyn_jones@insightexpressai[2].txt
C:\Documents and Settings\darlyn jones\Cookies\darlyn_jones@revenue[2].txt
C:\Documents and Settings\darlyn jones\Cookies\darlyn_jones@kontera[2].txt
C:\Documents and Settings\darlyn jones\Cookies\darlyn_jones@traveladvertising[2].txt
C:\Documents and Settings\darlyn jones\Cookies\darlyn_jones@overture[2].txt
C:\Documents and Settings\darlyn jones\Cookies\darlyn_jones@2o7[1].txt
C:\Documents and Settings\darlyn jones\Cookies\darlyn_jones@cdn4.specificclick[1].txt
C:\Documents and Settings\darlyn jones\Cookies\darlyn_jones@specificmedia[2].txt
C:\Documents and Settings\darlyn jones\Cookies\darlyn_jones@tribalfusion[1].txt
C:\Documents and Settings\darlyn jones\Cookies\darlyn_jones@trvlnet.adbureau[2].txt
C:\Documents and Settings\darlyn jones\Cookies\darlyn_jones@ad.yieldmanager[1].txt
C:\Documents and Settings\darlyn jones\Cookies\darlyn_jones@yadro[2].txt
C:\Documents and Settings\darlyn jones\Cookies\darlyn_jones@realmedia[1].txt
C:\Documents and Settings\darlyn jones\Cookies\darlyn_jones@serving-sys[1].txt
C:\Documents and Settings\darlyn jones\Cookies\darlyn_jones@adbrite[1].txt
C:\Documents and Settings\darlyn jones\Cookies\darlyn_jones@media6degrees[1].txt
C:\Documents and Settings\darlyn jones\Cookies\darlyn_jones@www.googleadservices[2].txt

#15 myrti, Sillyberry (Malware Study Hall Admin, 33,779 posts)

Posted 31 October 2009 - 08:42 AM

Hi,

please do not run tools on your own.

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

File::
c:\windows\system32\drivers\ljkutnfnouwybpv.sys
c:\windows\winstart.bat
C:\windows\SYSTEM32\seduvumo.dll
C:\windows\SYSTEM32\ziyojozi.dll

Folder::
c:\documents and settings\All Users\Application Data\83341726
c:\documents and settings\All Users\Application Data\16636729
c:\documents and settings\All Users\Application Data\nominenu
c:\documents and settings\All Users\Application Data\49406023
c:\documents and settings\reginald a jones\Application Data\4079250434


Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{a84a0358-5df4-442d-ba02-357d84a49ef7}]

Driver::
yfisrjealdoqhu


Save this as CFScript.txt, in the same location as ComboFix.exe


(screenshot)

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

regards _temp_





