Safety Center infecting this computer...


  • This topic is locked
32 replies to this topic

#1 Monkeyb00y

  • Members
  • 75 posts
  • Gender:Male
  • Location:Behind my eyes...

Posted 09 November 2009 - 05:45 PM

Greetings, BleepingComputer!
This computer has at least the "Safety Center" fake security program. Plus it's disabled
all of the control panel options. Keeps saying that it can't locate system32.dll.
I was able to run DDS normally but RootRepeal would only work in Safe Mode.
In normal mode, it would cause the computer to reboot.
Before this computer had a pretty bad infection but it got reinfected by something
else.
The logs are below and attached as required.

Thanks in advance!
Monkeyb00y

Here is the DDS log:

DDS (Ver_09-07-30.01) - NTFSx86
Run by Compaq_Owner at 13:44:44.06 on Mon 11/09/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.191.33 [GMT -5:00]


============== Running Processes ===============

C:\WINDOWS\system32\savedump.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Compaq Connections\6750491\Program\Compaq Connections.exe
C:\Documents and Settings\Compaq_Owner\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.vigrxplus.com/clicks/clickthrough.html?a=adx
uSearch Page = hxxp://www.google.com
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q404&bd=presario&pf=desktop
uWindow Title = Windows Internet Explorer provided by MySpace
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mDefault_Page_URL = hxxp://www.yahoo.com/
mDefault_Search_URL = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
mSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://www.yahoo.com
mStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://search.live.com/sphome.aspx
mURLSearchHooks: H - No File
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: {4E7BD74F-2B8D-469E-94BE-FD60BB9AAE29} - No File
TB: {719D74AB-1AF9-43A1-8C62-D8750628D93E} - No File
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [reader_s] c:\documents and settings\compaq_owner\reader_s.exe
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [HelpCenter4.1] c:\program files\fastaccessdsl\helpcenter43\bin\sprtcmd.exe /P HelpCenter4.1
mRun: [WinPatrol] c:\program files\billp studios\winpatrol\winpatrol.exe -expressboot
mRunOnce: [N@] e14e4000
mRunOnce: [N@] d14e4000
dRun: [A00F17C8D.exe] c:\windows\temp\_A00F17C8D.exe
dRun: [cft] c:\windows\system32\config\systemprofile\application data\cft\cft.exe
dRun: [DigiFast] c:\windows\system32\config\systemprofile\application data\digifast\digifast.exe
dRun: [L9lVqKBeE] c:\windows\system32\config\systemprofile\application data\microsoft\tuvajf.exe
dRun: [pridl] "c:\documents and settings\peeper\application data\pridl\pridl.exe" 61A847B5BBF72811329B385672FF01F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310
dRun: [systemprofile] c:\windows\system32\config\systemprofile\systemprofile.exe /i
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\compaq~1.lnk - c:\program files\compaq connections\6750491\program\Compaq Connections.exe
IE: Add To Compaq Organize... - c:\progra~1\hewlet~1\compaq~1\bin\core.hp.main\SendTo.html
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {08B0E5C0-4FCB-11CF-AAA5-00401C608501}
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxsrvc.dll
AppInit_DLLs: fosopoku.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
LSA: Notification Packages = scecli royomuya.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\compaq~1\applic~1\mozilla\firefox\profiles\ahrr802a.default\
FF - component: c:\program files\mozilla firefox\components\dfff.dll
FF - component: c:\program files\mozilla firefox\components\WWShow.dll
FF - component: c:\program files\mozilla firefox\extensions\browserhighlighter@ebay.com\components\Shim.dll
FF - plugin: c:\program files\java\j2re1.4.2_03\bin\NPJava11.dll
FF - plugin: c:\program files\java\j2re1.4.2_03\bin\NPJava12.dll
FF - plugin: c:\program files\java\j2re1.4.2_03\bin\NPJava13.dll
FF - plugin: c:\program files\java\j2re1.4.2_03\bin\NPJava14.dll
FF - plugin: c:\program files\java\j2re1.4.2_03\bin\NPJava32.dll
FF - plugin: c:\program files\java\j2re1.4.2_03\bin\NPJPI142_03.dll
FF - plugin: c:\program files\java\j2re1.4.2_03\bin\NPOJI610.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPTURNMED.dll

============= SERVICES / DRIVERS ===============

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2009-7-12 130936]
R0 protect;protect;c:\windows\system32\drivers\protect.sys [2009-7-17 18944]
S0 Lbd;Lbd;c:\windows\system32\drivers\lbd.sys --> c:\windows\system32\drivers\Lbd.sys [?]
S2 drv;drv;c:\windows\system32\svchost.exe -k drv [2004-9-17 34304]
S3 JL2004A;JL2004A Photo Viewer;c:\windows\system32\drivers\pv_wdm.sys [2007-2-13 63289]
S3 mndisk;mndisk;c:\windows\system32\mndisk.sys [2004-9-17 2304]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2009-7-12 348752]
S3 sdCoreService;PC Tools Security Service;c:\program files\spyware doctor\pctsSvc.exe [2009-7-12 1097096]

============== File Associations ===============

txtfile=%windir%\NOTEPAD.EXE %1

=============== Created Last 30 ================

2009-11-09 11:46 21,504 a------- c:\windows\system32\hidserv.dll
2009-11-09 11:46 14,592 a------- c:\windows\system32\drivers\kbdhid.sys

==================== Find3M ====================

2009-09-20 16:29 1,020,452 a--sh--- c:\windows\system32\raseloka.exe
2009-09-20 16:29 89,088 a--sh--- c:\windows\system32\hugewejo.dll
2009-09-20 16:29 38,400 a--sh--- c:\windows\system32\muzaloda.dll
2009-09-20 04:32 1,020,452 a--sh--- c:\windows\system32\kirojeke.exe
2009-09-20 04:29 88,576 a--sh--- c:\windows\system32\malufige.dll
2009-09-20 04:29 38,400 a--sh--- c:\windows\system32\kebajupa.dll
2009-09-19 17:31 361,600 a------- c:\windows\system32\drivers\TCPIP.SYS
2009-09-19 16:28 1,020,452 a--sh--- c:\windows\system32\gurosewi.exe
2009-09-19 16:28 88,576 a--sh--- c:\windows\system32\wekedahu.dll
2009-09-19 16:28 37,888 a--sh--- c:\windows\system32\kavanaga.dll
2009-09-19 04:28 1,020,452 a--sh--- c:\windows\system32\rumapuhu.exe
2009-09-19 04:28 88,064 a--sh--- c:\windows\system32\vazipuve.dll
2009-09-19 04:28 38,400 a--sh--- c:\windows\system32\zimusure.dll
2009-09-18 16:28 1,020,452 a--sh--- c:\windows\system32\hatasefa.exe
2009-09-18 16:28 88,576 a--sh--- c:\windows\system32\pivumuwe.dll
2009-09-18 16:28 37,888 a--sh--- c:\windows\system32\bedoyoso.dll
2009-09-18 04:28 734,756 a--sh--- c:\windows\system32\nuwevole.exe
2009-09-18 04:28 89,088 a--sh--- c:\windows\system32\bonafefa.dll
2009-09-18 04:28 38,400 a--sh--- c:\windows\system32\dohakopo.dll
2009-09-17 20:24 41,631 a------- c:\windows\system32\certstore.dat
2009-09-17 16:28 734,244 a--sh--- c:\windows\system32\jadorase.exe
2009-09-17 16:28 89,088 a--sh--- c:\windows\system32\galaloko.dll
2009-09-17 16:28 37,888 a--sh--- c:\windows\system32\talewagi.dll
2009-09-17 02:03 88,576 a--sh--- c:\windows\system32\tafayamo.dll
2009-09-17 02:03 38,400 a--sh--- c:\windows\system32\fayohiyo.dll
2009-09-16 14:06 3,748 a------- c:\windows\system32\pocodllet.dat
2009-09-16 14:05 2,709 a------- c:\windows\system32\lowdopo.dat
2009-09-16 14:03 88,064 a--sh--- c:\windows\system32\ribogazu.dll
2009-09-16 14:03 37,376 a--sh--- c:\windows\system32\mutamufe.dll
2009-09-16 00:26 88,576 a--sh--- c:\windows\system32\sojeseko.dll
2009-09-16 00:26 37,888 a--sh--- c:\windows\system32\relebopi.dll
2009-09-15 12:26 88,576 a--sh--- c:\windows\system32\nigatali.dll
2009-09-15 12:26 37,888 a--sh--- c:\windows\system32\kitujefo.dll
2009-09-14 17:51 88,064 a--sh--- c:\windows\system32\nijopido.dll
2009-09-14 17:51 37,376 a--sh--- c:\windows\system32\fatopoze.dll
2009-09-14 04:35 2,065,487 a--sh--- c:\windows\system32\ziviweya.exe
2009-09-14 04:35 37,376 a--sh--- c:\windows\system32\mipibote.dll
2009-09-13 16:34 88,064 a--sh--- c:\windows\system32\saneneje.dll
2009-09-13 16:34 38,400 a--sh--- c:\windows\system32\ludizibi.dll
2009-09-13 04:35 49,664 a--sh--- c:\windows\system32\lusonige.dll
2009-09-13 04:34 88,576 a--sh--- c:\windows\system32\kurutudo.dll
2009-09-13 04:34 37,376 a--sh--- c:\windows\system32\jotofuza.dll
2009-09-13 04:34 37,376 a--sh--- c:\windows\system32\wofokode.exe
2009-09-12 16:33 88,576 a--sh--- c:\windows\system32\kehitulo.dll
2009-09-12 16:33 37,376 a--sh--- c:\windows\system32\difebebu.exe
2009-09-12 16:33 37,376 a--sh--- c:\windows\system32\bodizeya.dll
2009-08-22 07:23 286,208 a------- c:\windows\system32\qtwm.exe
2008-10-02 19:14 54,134 a------- c:\program files\INSTALL.LOG
2009-06-13 04:35 49,664 a--sh--- c:\windows\system32\kuvudidi.dll
2009-06-13 04:35 49,664 a--sh--- c:\windows\system32\royomuya.dll
2009-07-20 14:25 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009072020090721\index.dat

============= FINISH: 13:46:38.93 ===============

**********************************************************************************

ROOTREPEAL Log:

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/11/09 15:20
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xFA67B000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xFB09A000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xFA2A3000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: c:\windows\ntbtlog.txt
Status: Size mismatch (API: 2570294, Raw: 2570004)

Path: C:\WINDOWS\system32\kbiwkmiwfomqfq.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\kbiwkmklrxrooi.dat
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\kbiwkmopxdppyl.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\kbiwkmvpabuymv.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\kbiwkmwwjxmxho.dat
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\kbiwkmhhqhbcvwgl.tmp
Status: Invisible to the Windows API!

Path: c:\windows\$ntservicepackuninstall$\ndis.sys
Status: Size mismatch (API: 182656, Raw: 182912)

Path: c:\windows\system32\dllcache\ndis.sys
Status: Size mismatch (API: 182656, Raw: 212224)

Path: c:\windows\system32\drivers\ndis.sys
Status: Size mismatch (API: 182656, Raw: 212224)

Path: C:\WINDOWS\system32\drivers\kbiwkmxmfmwfdi.sys
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Administrator\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys
Status: Size mismatch (API: 182656, Raw: 0)

Path: C:\Documents and Settings\Compaq_Owner\Application Data\Macromedia\Flash Player\#SharedObjects\6V6RZ5UC\void.snocap.com\s
Status: Size mismatch (API: 182656, Raw: 0)

Path: C:\Documents and Settings\Compaq_Owner\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys
Status: Size mismatch (API: 182656, Raw: 0)

Path: C:\Documents and Settings\NetworkService\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys
Status: Size mismatch (API: 182656, Raw: 0)

Path: C:\Documents and Settings\Peeper\Application Data\Macromedia\Flash Player\#SharedObjects\KAPJE2H9\video.google.com\s
Status: Size mismatch (API: 182656, Raw: 0)

Path: C:\Documents and Settings\Peeper\Application Data\Macromedia\Flash Player\#SharedObjects\KAPJE2H9\void.snocap.com\s
Status: Size mismatch (API: 182656, Raw: 0)

Path: C:\Documents and Settings\Peeper\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys
Status: Size mismatch (API: 182656, Raw: 0)

Path: C:\Documents and Settings\Peeper\Local Settings\Application Data\Microsoft\Silverlight\is\g31sp5bs.qsi\lsxb4knp.vem\1\s
Status: Size mismatch (API: 182656, Raw: 0)

Stealth Objects
-------------------
Object: Hidden Module [Name: kbiwkmvpabuymv.dll]
Process: svchost.exe (PID: 480) Address: 0x00790000 Size: 53248

==EOF==
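The indicators in the two logs above (a DLL in AppInit_DLLs, a second LSA notification package beside scecli, dozens of hidden+system files with random eight-letter names in system32, autoruns under %TEMP% and the systemprofile folder, and files RootRepeal reports as invisible to the Win32 API) can be pulled out mechanically. The script below is an added example for this thread; it is not code from DDS, RootRepeal or BleepingComputer. Its sample input is a constructed excerpt of lines quoted from the logs in this post, and the heuristics it applies (the eight-lowercase-letter name pattern, the allow-list of just scecli for LSA packages, the "odd autorun folder" list, and treating a RootRepeal mismatch with Raw: 0 as low priority) are this example's own assumptions, not rules from either tool.

```python
"""DDS / RootRepeal log triage.

Added example for this thread; not code from DDS, RootRepeal or BleepingComputer.
The sample logs are constructed excerpts of lines quoted in the first post.
Heuristics (random 8-letter names, AppInit_DLLs, non-default LSA packages,
autoruns in odd folders, files invisible to the Win32 API) are this example's
own assumptions, as is the LSA allow-list of just 'scecli'.
"""
import re
from collections import namedtuple

Finding = namedtuple("Finding", "severity category detail")
RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}

# Constructed sample: lines taken from the DDS log in the first post.
SAMPLE_DDS = r"""
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [reader_s] c:\documents and settings\compaq_owner\reader_s.exe
mRun: [WinPatrol] c:\program files\billp studios\winpatrol\winpatrol.exe -expressboot
dRun: [A00F17C8D.exe] c:\windows\temp\_A00F17C8D.exe
dRun: [systemprofile] c:\windows\system32\config\systemprofile\systemprofile.exe /i
AppInit_DLLs: fosopoku.dll
LSA: Notification Packages = scecli royomuya.dll
2009-09-20 16:29 1,020,452 a--sh--- c:\windows\system32\raseloka.exe
2009-09-20 16:29 89,088 a--sh--- c:\windows\system32\hugewejo.dll
2009-09-19 17:31 361,600 a------- c:\windows\system32\drivers\TCPIP.SYS
2009-06-13 04:35 49,664 a--sh--- c:\windows\system32\royomuya.dll
"""

# Constructed sample: lines taken from the RootRepeal log in the first post.
SAMPLE_ROOTREPEAL = r"""
Path: C:\WINDOWS\system32\kbiwkmiwfomqfq.dll
Status: Invisible to the Windows API!

Path: c:\windows\system32\drivers\ndis.sys
Status: Size mismatch (API: 182656, Raw: 212224)

Path: C:\Documents and Settings\Peeper\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys
Status: Size mismatch (API: 182656, Raw: 0)
"""

AUTORUN = re.compile(r"^[umd]Run(?:Once)?:\s+\[(?P<name>[^\]]*)\]\s+(?P<cmd>.+)$")
# DDS "Created Last 30" / "Find3M" lines: date time size attrs path
FILE_LINE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}\s+[\d,]+\s+(?P<attrs>[a-z-]+)\s+(?P<path>.+)$", re.I)
RANDOM_NAME = re.compile(r"^[a-z]{8}\.(?:dll|exe|sys)$")
# Assumed "odd" autorun locations: %TEMP%, the SYSTEM account's profile, a file sitting
# directly in a user's profile root.
ODD_AUTORUN_DIR = re.compile(
    r"\\temp\\|\\config\\systemprofile\\|documents and settings\\[^\\]+\\[^\\]+\.exe", re.I)
SIZE_MISMATCH = re.compile(r"Size mismatch \(API: (\d+), Raw: (\d+)\)")


def parse_dds(text, lsa_allowlist=("scecli",)):
    findings = []
    loaders = set()   # DLL names registered via AppInit_DLLs / LSA Notification Packages
    hidden = []       # (index into findings, basename) of hidden+system random-named files
    for line in (l.strip() for l in text.splitlines()):
        low = line.lower()
        if low.startswith("appinit_dlls:"):
            # Anything here is loaded into every process that loads user32.dll.
            for name in line.split(":", 1)[1].split():
                loaders.add(name.lower())
                findings.append(Finding("high", "appinit_dlls", name))
        elif low.startswith("lsa: notification packages"):
            # LSA loads these at boot and calls them on every password change.
            for name in line.split("=", 1)[1].split():
                if name.lower() not in lsa_allowlist:
                    loaders.add(name.lower())
                    findings.append(Finding("high", "lsa_notification_package", name))
        elif (m := AUTORUN.match(line)):
            if ODD_AUTORUN_DIR.search(m.group("cmd")):
                findings.append(Finding("medium", "autorun_in_odd_location",
                                        f"{m.group('name')} -> {m.group('cmd')}"))
        elif (m := FILE_LINE.match(line)):
            attrs, path = m.group("attrs").lower(), m.group("path")
            base = path.rsplit("\\", 1)[-1].lower()
            if "h" in attrs and "s" in attrs and "\\system32\\" in path.lower() \
                    and RANDOM_NAME.match(base):
                findings.append(Finding("medium", "hidden_system_file", path))
                hidden.append((len(findings) - 1, base))
    # A hidden random-named DLL that is also registered as a loader is the live payload.
    for idx, base in hidden:
        if base in loaders:
            findings[idx] = findings[idx]._replace(severity="critical")
    return findings


def parse_rootrepeal(text):
    findings, path = [], None
    for line in (l.strip() for l in text.splitlines()):
        if line.lower().startswith("path:"):
            path = line.split(":", 1)[1].strip()
        elif line.lower().startswith("status:") and path:
            status = line.split(":", 1)[1].strip()
            if status.startswith("Invisible"):
                findings.append(Finding("high", "hidden_from_win32_api", path))
            elif (m := SIZE_MISMATCH.search(status)):
                api, raw = int(m.group(1)), int(m.group(2))
                # Assumption: Raw: 0 entries (Flash/Silverlight storage here) are noise;
                # a non-zero raw size that differs from the API size means something is
                # interposing on file reads.
                sev = "low" if raw == 0 else "high"
                findings.append(Finding(sev, "size_mismatch", f"{path} (api={api}, raw={raw})"))
            path = None
    return findings


def triage(dds_text, rootrepeal_text):
    """Merge both parsers' findings, most severe first (stable within a rank)."""
    findings = parse_dds(dds_text) + parse_rootrepeal(rootrepeal_text)
    return sorted(findings, key=lambda f: RANK[f.severity])


if __name__ == "__main__":
    for f in triage(SAMPLE_DDS, SAMPLE_ROOTREPEAL):
        print(f"[{f.severity:8s}] {f.category:26s} {f.detail}")
```

Run against the full logs, the cross-reference step is the useful part: royomuya.dll is both a hidden+system file in system32 and an LSA notification package, so it is promoted above the other random-named files, which are most likely earlier generations of the same dropper.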


#2 pwgib

  • Malware Response Team
  • 2,956 posts
  • Gender:Male
  • Location:God's Country

Posted 16 November 2009 - 08:39 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.


If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE
PW

#3 Monkeyb00y

  • Topic Starter
  • Members
  • 75 posts
  • Gender:Male
  • Location:Behind my eyes...

Posted 16 November 2009 - 02:50 PM

Good day, pwgib,

The computer with the infection has been off since the scans by DDS & Root Repeal,
which I included in the first post. There isn't anything that I could do because the
infection is invisible to anything I use on it, Spyware Doctor & AVG 8 (Free).
I was unable to install Avira AntiVir on it because it would not allow it.

Thanks for all of your help!
Monkeyb00y

#4 thcbytes

  • Malware Response Team
  • 14,790 posts
  • Gender:Male

Posted 16 November 2009 - 06:35 PM

Hi and welcome to the HijackThis Logs and Virus/Trojan/Spyware/Malware Removal forum,

I am thcbytes and I am here to help you!

I ask that you refrain from running tools other than those I suggest to you while I am cleaning up your computer. The reason for this is so I know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.

Please perform all steps in the order received and do not proceed if you need clarification.

In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. By doing this and then choosing Immediate E-Mail notification and then clicking on Proceed you will be advised when we respond to your topic and facilitate the cleaning of your machine.

After 5 days if a topic is not replied to we assume it has been abandoned and it is closed.

I would also like to inform you that most of us here at Bleeping Computer offer our expert assistance out of the goodness of our hearts. Please be courteous and appreciative for the assistance provided!

==========

You are severely infected!!!!

==========

RKill by Grinler

Link #1
Link #2
Link #3
Link #4

  • Before we begin, you should disable any anti-malware software you have installed so it does not interfere with RKill running, as some anti-malware software detects RKill as malicious. Please refer to this page if you are not sure how.
  • Download Link #1.
  • Save it to your Desktop.
  • Double click the RKill desktop icon.
    If you are using Vista please right click and run as Admin!
  • A black screen will briefly flash indicating a successful run.
  • If this does not occur please delete that application and download Link #2.
  • Continue process until the tool runs.
  • If the tool does not run from any of the links tell me about it.
==========

Please download exeHelper to your desktop.
Double-click on exeHelper.com to run the fix.
A black window should pop up, press any key to close once the fix is completed.
Post the contents of exehelperlog.txt (Will be created in the directory where you ran exeHelper.com, and should open at the end of the scan)
Note: If the window shows a message that says "Error deleting file", please re-run the program before posting a log - and post the two logs together (they will both be in the one file).

==========

Download and Run ComboFix (by sUBs)

You must rename it before saving it.

Please download ComboFix from one of these locations:

Link 1
Link 2

Save thcbytes.exe to your Desktop <-- Important!!!
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Please refer to this link for instructions.

  • Double click on thcbytes.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own.
This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


==========

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (e.g. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.
  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.

==========

Again I would like to remind you to make no further changes to your computer unless I direct you to do so. Your computer fix will be based on the current condition of your computer! Any changes might delay my ability to help you.

==========

With your next post please provide:

* Exehelper log
* Combofix.txt
* Gmer log

Kind regards,
~t
Proud member - Unified Network of Instructors and Trained Eliminators

I do not accept personal donations for assistance provided. I would ask that you instead consider donating the greatest gift - Organ Donation. Your organs are of no use to you when you're gone. You will save a life that would otherwise be lost!

http://donatelife.net/register-now/

#5 thcbytes

  • Malware Response Team
  • 14,790 posts
  • Gender:Male

Posted 23 November 2009 - 03:47 PM

Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic

#6 thcbytes

  • Malware Response Team
  • 14,790 posts
  • Gender:Male

Posted 02 January 2010 - 09:19 PM

Re-opened per request.

Hello,

Please read my original intro and abide by my requests.

I will need you to provide me with a detailed description of your current problems.

Also please do this...........

We need to create an OTL Report
  • Please download OTL from one of the following mirrors:
  • Save it to your desktop.
  • Double click on the OTL icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Under "Extra Registry" please check "Use Safelist" and also check "LOP Check" and "Purity Check".
  • Copy and Paste the following code into the Custom Scans/Fixes textbox. Do not include the word "Code"

    netsvcs
    msconfig
    safebootminimal
    safebootnetwork
    activex
    drivers32
    %ALLUSERSPROFILE%\Application Data\*.
    %ALLUSERSPROFILE%\Application Data\*.exe /s
    %APPDATA%\*.
    %APPDATA%\*.exe /s
    %SYSTEMDRIVE%\*.exe
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    nvstor32.sys
    ahcix86s.sys
    /md5stop
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT
  • Push the Run Scan button.
  • A report will open. Copy and Paste that report in your next reply.
  • Two reports will open, copy and paste them in a reply here:
    • OTListIt.txt <-- Will be opened
    • Extra.txt <-- Will be minimized
==========

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (e.g. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.
  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.

==========

With your next post please provide:

* Detailed description of your problems
* OTL.txt
* Extra.txt
* Gmer log

Kind regards,
~t
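The /md5start ... /md5stop block in the OTL script above asks the tool to hash a fixed list of storage-stack and logon-related drivers and DLLs so the helper can compare them with known-good values; the RootRepeal output in the first post, with three copies of ndis.sys all reporting a different on-disk size from their API size, shows why those files in particular get checked. The script below is an added example, not part of this thread, OTL or Windows. It does the same comparison locally without a known-good hash database: for each driver it hashes the live copy in system32\drivers and the backup copies XP keeps in system32\dllcache and $NtServicePackUninstall$ (assumed standard layout) and flags any driver whose copies disagree. The directory tree it scans is constructed in a temporary folder, with one driver (atapi.sys) whose live copy has been altered without changing its size, which is exactly the case a size check alone misses. Caveat: run this against an offline-mounted disk; on a live infected system a driver that interposes on file reads can hand the hashing code the clean bytes, which is what RootRepeal's raw-versus-API comparison exists to catch.

```python
"""Compare each driver's live copy with the backup copies XP keeps on disk.

Added example; not code from this thread, OTL or Windows. The sample tree is
constructed to look like an XP %SystemRoot%; the folder layout is an assumption
(the service-pack uninstall folder name varies with the SP level).
"""
import hashlib
import os
import tempfile

# Where XP keeps copies of system drivers (assumed standard layout).
COPY_DIRS = {
    "live": os.path.join("system32", "drivers"),
    "dllcache": os.path.join("system32", "dllcache"),
    "sp_uninstall": "$NtServicePackUninstall$",
}

# Names from the OTL /md5start list, trimmed to those present in the constructed tree.
DRIVERS = ["atapi.sys", "ndis.sys", "iastor.sys"]


def md5_of(path, chunk=1 << 16):
    """MD5 of a file, streamed so large drivers are not read into memory at once."""
    h = hashlib.md5()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def compare_driver_copies(windir, names=DRIVERS):
    """Return {driver: {"copies": {location: (size, md5)}, "consistent": bool|None}}.

    consistent is True when every copy found hashes the same, False when any two
    differ, and None when fewer than two copies exist (nothing to compare)."""
    report = {}
    for name in names:
        copies = {}
        for loc, rel in COPY_DIRS.items():
            p = os.path.join(windir, rel, name)
            if os.path.isfile(p):
                copies[loc] = (os.path.getsize(p), md5_of(p))
        digests = {md5 for _, md5 in copies.values()}
        consistent = None if len(copies) < 2 else len(digests) == 1
        report[name] = {"copies": copies, "consistent": consistent}
    return report


def suspicious(report):
    """Drivers whose copies disagree, i.e. the live file no longer matches its backups."""
    return sorted(n for n, r in report.items() if r["consistent"] is False)


def build_sample_tree(root):
    """Constructed data: a fake XP tree under `root`.

    atapi.sys's live copy has four bytes changed in place (same size as the
    original, as an in-place patch would be); ndis.sys's copies agree; iastor.sys
    has only a live copy, so there is nothing to compare it against."""
    orig_atapi = b"\x4d\x5a" + b"ATAPI" * 200
    patched_atapi = orig_atapi[:600] + b"JMP!" + orig_atapi[604:]
    ndis = b"\x4d\x5a" + b"NDIS" * 300
    files = {
        ("live", "atapi.sys"): patched_atapi,
        ("dllcache", "atapi.sys"): orig_atapi,
        ("sp_uninstall", "atapi.sys"): orig_atapi,
        ("live", "ndis.sys"): ndis,
        ("dllcache", "ndis.sys"): ndis,
        ("live", "iastor.sys"): b"\x4d\x5a" + b"IASTOR" * 50,
    }
    for (loc, name), data in files.items():
        d = os.path.join(root, COPY_DIRS[loc])
        os.makedirs(d, exist_ok=True)
        with open(os.path.join(d, name), "wb") as fh:
            fh.write(data)


def run_demo():
    """Build the constructed tree, scan it, and return (flagged drivers, status map)."""
    with tempfile.TemporaryDirectory() as windir:
        build_sample_tree(windir)
        report = compare_driver_copies(windir)
        sizes_agree = all(
            len({size for size, _ in r["copies"].values()}) <= 1 for r in report.values())
        return suspicious(report), {n: r["consistent"] for n, r in report.items()}, sizes_agree


if __name__ == "__main__":
    flagged, status, sizes_agree = run_demo()
    for name, ok in status.items():
        print(f"{name:12s} consistent={ok}")
    print("all copies same size:", sizes_agree, "| suspicious:", flagged)
```

To point it at a real disk, mount the volume read-only from a clean system and pass the mounted WINDOWS folder as `windir`; a driver reported with consistent=False is one to hash against a vendor or Microsoft reference before it is trusted, and a driver with no backup copy at all (consistent=None) still needs that external check.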

#7 Monkeyb00y

  • Topic Starter
  • Members
  • 75 posts
  • Gender:Male
  • Location:Behind my eyes...

Posted 03 January 2010 - 02:44 PM

I apologize for the delayed response; I had a few issues getting some of the programs to work, as you will read below. The issues are still the same: can't run simple programs like Notepad, even in Safe Mode. Safety Center is still on it (the icon is on the desktop).
Also, it tries to jump to my JUMP Drive (1GB) when I move the files from one computer to the other.
Here is the info from the first post as well:
"This computer has at least the "Safety Center" fake security program. Plus it's disabled
all of the control panel options. Keeps saying that it can't locate system32.dll.
I was able to run DDS normally but RootRepeal would only work in Safe Mode.
In normal mode, it would cause the computer to reboot.
Before this computer had a pretty bad infection but it got reinfected by something
else."
Thanks again for the help.
Monkeyb00y

Here are the logs requested from the 2 posts, first & second.


exehelperlog.txt BELOW:

exeHelper by Raktor
Build 20091220
Run at 19:23:43 on 01/02/10
Now searching...
Checking for numerical processes...
Checking for sysguard processes...
Checking for bad processes...
Checking for bad files...
Deleting file C:\Program Files\protection system\psystem.exe
Deleting file C:\Program Files\Windows Police Pro\msvcm80.dll
Deleting file C:\Program Files\Windows Police Pro\msvcp80.dll
Deleting file C:\Program Files\Windows Police Pro\msvcr80.dll
Checking for bad registry entries...
Resetting filetype association for .exe
Resetting filetype association for .com
Resetting userinit and shell values...
Resetting policies...
--Finished--


ComboFix kept saying it was an infected version & that I would need to redownload it. I tried it a few different times but it still wouldn't work.

GMER kept locking up, crashing Windows, even after trying it in SAFE Mode.

-------


OTL.txt BELOW:
OTL logfile created on: 1/3/2010 1:19:59 AM - Run 1
OTL by OldTimer - Version 3.1.20.2 Folder = C:\Documents and Settings\Peeper\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

191.00 Mb Total Physical Memory | 29.00 Mb Available Physical Memory | 15.00% Memory free
1.00 Gb Paging File | 1.00 Gb Available in Paging File | 82.00% Paging File free
Paging file location(s): C:\pagefile.sys 1056 2112 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 32.60 Gb Total Space | 4.58 Gb Free Space | 14.06% Space Free | Partition Type: NTFS
Drive D: | 4.66 Gb Total Space | 0.92 Gb Free Space | 19.81% Space Free | Partition Type: FAT32
Drive E: | 397.39 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
Drive F: | 960.72 Mb Total Space | 959.98 Mb Free Space | 99.92% Space Free | Partition Type: FAT
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: YOUR-7008FFA13B
Current User Name: Peeper
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 90 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/01/02 23:02:44 | 00,534,528 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Peeper\Desktop\OTL.exe
PRC - [2009/08/03 21:41:02 | 00,040,944 | -H-- | M] () -- C:\WINDOWS\system32\config\systemprofile\systemprofile.exe
PRC - [2009/07/21 17:15:04 | 00,034,816 | ---- | M] () -- C:\Documents and Settings\Peeper\Application Data\pridl\pridl.exe
PRC - [2009/07/20 14:39:52 | 00,058,368 | ---- | M] () -- C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\tuvajf.exe
PRC - [2009/07/20 14:39:48 | 00,247,296 | ---- | M] () -- C:\WINDOWS\system32\config\systemprofile\Application Data\digifast\digifast.exe
PRC - [2009/07/20 14:34:10 | 00,033,792 | ---- | M] () -- C:\WINDOWS\system32\config\systemprofile\Application Data\cft\cft.exe
PRC - [2009/06/05 10:48:14 | 00,144,712 | ---- | M] (Apple Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
PRC - [2008/12/12 10:17:38 | 00,238,888 | ---- | M] (Apple Inc.) -- C:\Program Files\Bonjour\mDNSResponder.exe
PRC - [2008/08/19 11:13:54 | 00,323,584 | ---- | M] (Motive Communications, Inc.) -- C:\Program Files\Common Files\Motive\McciCMService.exe
PRC - [2008/07/26 07:25:36 | 00,150,040 | ---- | M] (Logitech Inc.) -- C:\Program Files\Common Files\logishrd\LVMVFM\LVPrcSrv.exe
PRC - [2008/07/26 07:23:42 | 00,186,904 | ---- | M] (Logitech Inc.) -- C:\Program Files\Common Files\logishrd\LVCOMSER\LVComSer.exe
PRC - [2008/04/13 19:12:19 | 01,053,696 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2004/08/10 10:48:01 | 00,036,903 | ---- | M] () -- C:\Program Files\Compaq Connections\6750491\Program\Compaq Connections.exe


========== Modules (SafeList) ==========

MOD - [2010/01/02 23:02:44 | 00,534,528 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Peeper\Desktop\OTL.exe
MOD - [2009/06/13 04:35:17 | 00,049,664 | -HS- | M] () -- C:\WINDOWS\system32\kuvudidi.dll
MOD - [2009/06/13 04:35:17 | 00,049,664 | ---- | M] () -- C:\WINDOWS\system32\fosopoku.dll
MOD - [2008/07/26 07:25:24 | 00,109,080 | ---- | M] (Logitech Inc.) -- C:\WINDOWS\Temp\logishrd\LVPrcInj01.dll
MOD - [2008/04/13 19:11:56 | 00,019,968 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\linkinfo.dll
MOD - [2004/08/10 10:48:01 | 00,024,613 | ---- | M] (BackWeb) -- C:\Documents and Settings\Peeper\Local Settings\Temp\IadHide5.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [On_Demand | Stopped] -- -- (IDriverT)
SRV - File not found [On_Demand | Stopped] -- -- (aspnet_state)
SRV - [2009/09/10 20:08:00 | 01,097,096 | ---- | M] (PC Tools) [On_Demand | Stopped] -- C:\Program Files\Spyware Doctor\pctsSvc.exe -- (sdCoreService)
SRV - [2009/07/13 13:02:50 | 00,542,496 | ---- | M] (Apple Inc.) [On_Demand | Stopped] -- C:\Program Files\iPod\bin\iPodService.exe -- (iPod Service)
SRV - [2009/07/12 05:23:33 | 00,190,448 | ---- | M] (Google) [On_Demand | Stopped] -- C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe -- (gusvc)
SRV - [2009/06/05 10:48:14 | 00,144,712 | ---- | M] (Apple Inc.) [Auto | Running] -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe -- (Apple Mobile Device)
SRV - [2009/01/07 11:40:56 | 00,348,752 | ---- | M] (PC Tools) [On_Demand | Stopped] -- C:\Program Files\Spyware Doctor\pctsAuxs.exe -- (sdAuxService)
SRV - [2008/12/12 10:17:38 | 00,238,888 | ---- | M] (Apple Inc.) [Auto | Running] -- C:\Program Files\Bonjour\mDNSResponder.exe -- (Bonjour Service)
SRV - [2008/08/19 11:13:54 | 00,323,584 | ---- | M] (Motive Communications, Inc.) [Auto | Running] -- C:\Program Files\Common Files\Motive\McciCMService.exe -- (McciCMService)
SRV - [2008/07/26 07:25:36 | 00,150,040 | ---- | M] (Logitech Inc.) [Auto | Running] -- C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe -- (LVPrcSrv)
SRV - [2008/07/26 07:23:42 | 00,186,904 | ---- | M] (Logitech Inc.) [Auto | Running] -- C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe -- (LVCOMSer)


========== Driver Services (SafeList) ==========

DRV - [2009/07/17 20:47:30 | 00,018,944 | -H-- | M] () [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\protect.sys -- (protect)
DRV - [2009/04/03 10:18:26 | 00,130,936 | ---- | M] (PC Tools) [File_System | Boot | Running] -- C:\WINDOWS\system32\drivers\PCTCore.sys -- (PCTCore)
DRV - [2009/03/19 15:32:48 | 00,023,400 | ---- | M] (GEAR Software Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\GEARAspiWDM.sys -- (GEARAspiWDM)
DRV - [2008/07/26 10:26:22 | 00,041,752 | R--- | M] (Logitech Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\LVUSBSta.sys -- (LVUSBSta)
DRV - [2008/07/26 10:22:34 | 02,570,520 | R--- | M] (Logitech Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\LV302V32.SYS -- (PID_PEPI) Logitech QuickCam IM(PID_PEPI)
DRV - [2008/07/26 07:25:02 | 00,025,624 | ---- | M] () [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\LVPr2Mon.sys -- (LVPr2Mon)
DRV - [2008/04/25 05:38:22 | 00,071,184 | ---- | M] (Raxco Software, Inc.) [File_System | Boot | Running] -- C:\WINDOWS\system32\drivers\DefragFs.sys -- (DefragFS)
DRV - [2008/04/13 19:11:56 | 00,002,304 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\mndisk.sys -- (mndisk)
DRV - [2008/04/13 11:39:15 | 00,020,480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\secdrv.sys -- (Secdrv)
DRV - [2008/01/28 15:56:47 | 00,018,304 | ---- | M] (Printing Communications Assoc., Inc. (PCAUSA)) [Kernel | On_Demand | Stopped] -- C:\Program Files\Common Files\Motive\MRESP50.sys -- (MRESP50)
DRV - [2008/01/28 15:56:38 | 00,019,712 | ---- | M] (Printing Communications Assoc., Inc. (PCAUSA)) [Kernel | On_Demand | Stopped] -- C:\Program Files\Common Files\Motive\MREMP50.sys -- (MREMP50)
DRV - [2007/11/26 15:33:52 | 00,835,792 | ---- | M] (Authentium, Inc) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\Css-Dvp.sys -- (CSS DVP)
DRV - [2007/02/13 17:36:14 | 00,063,289 | ---- | M] (Windows 2000 DDK provider) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\pv_wdm.sys -- (JL2004A)
DRV - [2004/12/16 13:36:30 | 00,042,496 | ---- | M] (VIA Technologies, Inc. ) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\fetnd5bv.sys -- (FETND5BV)
DRV - [2004/12/07 20:08:58 | 00,172,672 | ---- | M] (Copyright VIA/S3 Graphics Co, Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\vtmini.sys -- (viagfx)
DRV - [2004/10/01 10:24:02 | 02,279,424 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ALCXWDM.SYS -- (ALCXWDM) Service for Realtek AC97 Audio (WDM)
DRV - [2004/08/04 07:29:56 | 01,897,408 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\nv4_mini.sys -- (nv)
DRV - [2004/08/03 21:10:34 | 00,730,653 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ialmnt5.sys -- (ialm)
DRV - [2004/08/03 16:00:00 | 00,017,792 | ---- | M] (Parallel Technologies, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ptilink.sys -- (Ptilink)
DRV - [2004/07/19 19:33:14 | 00,218,112 | ---- | M] (Silicon Integrated Systems Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\sisgrp.sys -- (SiS315)
DRV - [2004/07/17 06:20:34 | 00,012,160 | ---- | M] (Silicon Integrated Systems Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\srvkp.sys -- (SiSkp)
DRV - [2004/06/29 19:07:18 | 01,268,204 | ---- | M] (Agere Systems) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\AGRSM.sys -- (AgereSoftModem)
DRV - [2003/12/12 08:54:14 | 00,391,424 | ---- | M] (Sensaura Ltd) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ALCXSENS.SYS -- (ALCXSENS)
DRV - [2003/12/02 20:23:20 | 00,142,336 | ---- | M] (Promise Technology, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\fasttx2k.sys -- (fasttx2k)
DRV - [2003/11/12 03:41:00 | 00,041,984 | ---- | M] (VIA Technologies, Inc. ) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\fetnd5b.sys -- (FETNDISB)
DRV - [2003/07/18 18:58:20 | 00,036,992 | ---- | M] (Silicon Integrated Systems Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\SISAGPX.sys -- (SISAGP)
DRV - [2003/07/02 13:42:00 | 00,027,904 | ---- | M] (VIA Technologies, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\viaagp1.sys -- (viaagp1)
DRV - [2002/10/04 19:04:10 | 00,046,976 | ---- | M] (Realtek Semiconductor Corporation ) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\R8139n51.sys -- (rtl8139)
DRV - [2002/07/30 00:43:50 | 00,023,808 | ---- | M] (Hewlett-Packard Company) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\PS2.sys -- (Ps2)
DRV - [2001/08/17 13:53:32 | 00,006,784 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\serscan.sys -- (StillCam)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = [Binary data over 100 bytes]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Secondary Start Pages = [Binary data over 100 bytes]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomSearch = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.live.com/sphome.aspx


IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://track.moreniche.com/hit.php?w=155970&s=147
IE - HKU\.DEFAULT\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - Reg Error: Key error. File not found
IE - HKU\.DEFAULT\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://track.moreniche.com/hit.php?w=155970&s=147
IE - HKU\S-1-5-18\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - Reg Error: Key error. File not found
IE - HKU\S-1-5-18\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0


IE - HKU\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://track.moreniche.com/hit.php?w=155970&s=147
IE - HKU\S-1-5-20\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0


========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "http://www.yahoo.com/"
FF - prefs.js..extensions.enabledItems: moveplayer@movenetworks.com:1.0.0.071303000004
FF - prefs.js..extensions.enabledItems: {B13721C7-F507-4982-B2E5-502A71474FED}:3.3.0.3789
FF - prefs.js..extensions.enabledItems: browserhighlighter@ebay.com:1.0.14907
FF - prefs.js..extensions.enabledItems: {635abd67-4fe9-1b23-4f01-e679fa7484c1}:1.6.6.20090220


FF - HKLM\software\mozilla\Mozilla Firefox 3.0.14\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2009/09/13 14:38:31 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.0.14\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2009/09/13 13:23:42 | 00,000,000 | ---D | M]

[2009/02/09 16:14:17 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Peeper\Application Data\Mozilla\Extensions
[2010/01/03 00:27:31 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Peeper\Application Data\Mozilla\Firefox\Profiles\jz1l2yuv.default\extensions
[2009/06/16 09:38:36 | 00,000,000 | ---D | M] (Yahoo! Toolbar) -- C:\Documents and Settings\Peeper\Application Data\Mozilla\Firefox\Profiles\jz1l2yuv.default\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
[2009/05/01 00:52:53 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Peeper\Application Data\Mozilla\Firefox\Profiles\jz1l2yuv.default\extensions\moveplayer@movenetworks.com
[2010/01/03 00:17:37 | 00,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2010/01/03 00:17:34 | 00,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions\browserhighlighter@ebay.com
[2009/07/20 14:40:17 | 00,211,968 | ---- | M] () -- C:\Program Files\Mozilla Firefox\components\dfff.dll
[2009/07/13 05:07:08 | 00,089,600 | ---- | M] () -- C:\Program Files\Mozilla Firefox\components\WWShow.dll
[2009/02/17 04:13:28 | 00,221,184 | ---- | M] (CNN) -- C:\Program Files\Mozilla Firefox\plugins\NPTURNMED.dll

O1 HOSTS File: (26 bytes) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 jL.chura.pl
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
O2 - BHO: (no name) - {e3405779-0f64-4fe7-924f-5c0c3090375f} - C:\WINDOWS\System32\kuvudidi.dll ()
O3 - HKU\.DEFAULT\..\Toolbar\WebBrowser: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No CLSID value found.
O3 - HKU\S-1-5-18\..\Toolbar\WebBrowser: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No CLSID value found.
O4 - HKLM..\Run: [HelpCenter4.1] C:\Program Files\FastAccessDSL\HelpCenter43\bin\sprtcmd.exe (SupportSoft, Inc.)
O4 - HKLM..\Run: [kegemihulu] C:\WINDOWS\System32\royomuya.dll ()
O4 - HKLM..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe (BillP Studios)
O4 - HKU\.DEFAULT..\Run: [cft] C:\WINDOWS\system32\config\systemprofile\Application Data\cft\cft.exe ()
O4 - HKU\.DEFAULT..\Run: [DigiFast] C:\WINDOWS\system32\config\systemprofile\Application Data\digifast\digifast.exe ()
O4 - HKU\.DEFAULT..\Run: [Download] C:\Program Files\HelpCenterDecomJob\ssGet.exe ()
O4 - HKU\.DEFAULT..\Run: [L9lVqKBeE] C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\tuvajf.exe ()
O4 - HKU\.DEFAULT..\Run: [pridl] C:\Documents and Settings\Peeper\Application Data\pridl\pridl.exe ()
O4 - HKU\.DEFAULT..\Run: [systemprofile] C:\WINDOWS\System32\config\systemprofile\systemprofile.exe ()
O4 - HKU\S-1-5-18..\Run: [cft] C:\WINDOWS\system32\config\systemprofile\Application Data\cft\cft.exe ()
O4 - HKU\S-1-5-18..\Run: [DigiFast] C:\WINDOWS\system32\config\systemprofile\Application Data\digifast\digifast.exe ()
O4 - HKU\S-1-5-18..\Run: [Download] C:\Program Files\HelpCenterDecomJob\ssGet.exe ()
O4 - HKU\S-1-5-18..\Run: [L9lVqKBeE] C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\tuvajf.exe ()
O4 - HKU\S-1-5-18..\Run: [pridl] C:\Documents and Settings\Peeper\Application Data\pridl\pridl.exe ()
O4 - HKU\S-1-5-18..\Run: [systemprofile] C:\WINDOWS\System32\config\systemprofile\systemprofile.exe ()
O4 - HKLM..\RunOnce: [N@] Reg Error: Invalid data type. File not found
O4 - HKLM..\RunOnce: [N@] Reg Error: Invalid data type. File not found
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Compaq Connections.lnk = C:\Program Files\Compaq Connections\6750491\Program\Compaq Connections.exe ()
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Main present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: EditLevel = 0
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoClose = 0
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSaveSettings = 0
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoFileMenu = 0
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCommonGroups = 0
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: EditLevel = 0
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoClose = 0
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSaveSettings = 0
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoFileMenu = 0
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCommonGroups = 0
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 149
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-1847359679-148087881-2726939249-1010\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 149
O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - Reg Error: Key error. File not found
O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe File not found
O9 - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe File not found
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O15 - HKLM\..Trusted Domains: 1 domain(s) and sub-domain(s) not assigned to a zone.
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.254
O18 - Protocol\Handler\livecall {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.14.0.8064.0206.dll (Microsoft Corporation)
O18 - Protocol\Handler\msnim {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.14.0.8064.0206.dll (Microsoft Corporation)
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O20 - AppInit_DLLs: (fosopoku.dll) - C:\WINDOWS\System32\fosopoku.dll ()
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\igfxcui: DllName - igfxsrvc.dll - C:\WINDOWS\System32\igfxsrvc.dll (Intel Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2004/08/10 08:39:16 | 00,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2001/07/27 15:07:38 | 00,000,000 | -HS- | M] () - D:\AUTOEXEC.BAT -- [ FAT32 ]
O32 - AutoRun File - [2004/04/30 07:01:14 | 00,000,053 | -HS- | M] () - D:\Autorun.inf -- [ FAT32 ]
O32 - AutoRun File - [2003/09/26 10:47:00 | 00,000,057 | R--- | M] () - E:\AUTORUN.INF -- [ CDFS ]
O33 - MountPoints2\{7fd05896-c1e5-11db-a506-806d6172696f}\Shell - "" = AutoRun
O33 - MountPoints2\{7fd05896-c1e5-11db-a506-806d6172696f}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{7fd05898-c1e5-11db-a506-806d6172696f}\Shell - "" = AutoRun
O33 - MountPoints2\{7fd05898-c1e5-11db-a506-806d6172696f}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{7fd05898-c1e5-11db-a506-806d6172696f}\Shell\AutoRun\command - "" = E:\BANDLINK\BLAUNCH.EXE -- [2004/03/05 07:44:08 | 00,176,128 | R--- | M] ()
O34 - HKLM BootExecute: (autocheck autochk /r \??\C:) - File not found
O34 - HKLM BootExecute: (PDBoot.exe) - File not found
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - comfile [open] -- "%1" %*
O35 - exefile [open] -- "%1" %*

========== Files/Folders - Created Within 90 Days ==========

[2010/01/03 00:16:50 | 00,534,528 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Peeper\Desktop\OTL.exe
[2010/01/02 19:32:51 | 00,000,000 | ---D | C] -- C:\Qoobox
[2009/11/09 14:31:01 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\CatRoot2
[2 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[146 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 90 Days ==========

[2010/01/03 01:21:57 | 00,011,168 | -H-- | M] () -- C:\WINDOWS\System32\boguyepe
[2010/01/03 00:13:16 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/01/03 00:13:11 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/01/03 00:13:09 | 20,085,5552 | -HS- | M] () -- C:\hiberfil.sys
[2010/01/02 23:04:36 | 00,000,597 | ---- | M] () -- C:\Documents and Settings\Peeper\Desktop\OTL-Code.html
[2010/01/02 23:02:44 | 00,534,528 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Peeper\Desktop\OTL.exe
[2010/01/02 20:12:36 | 00,316,416 | ---- | M] () -- C:\Documents and Settings\Peeper\Desktop\nn5pj5cb.exe
[2010/01/02 19:40:48 | 00,262,144 | -H-- | M] () -- C:\Documents and Settings\Peeper\NTUSER.DAT
[2010/01/02 18:22:45 | 00,000,042 | -HS- | M] () -- C:\Documents and Settings\Peeper\ntuser.ini
[2010/01/02 18:22:44 | 01,381,776 | -H-- | M] () -- C:\Documents and Settings\Peeper\Local Settings\Application Data\IconCache.db
[2010/01/02 18:22:42 | 00,000,512 | ---- | M] () -- C:\WINDOWS\win.ini
[2010/01/02 18:22:42 | 00,000,281 | RHS- | M] () -- C:\boot.ini
[2010/01/02 18:22:42 | 00,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2010/01/02 17:22:44 | 00,001,158 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2009/11/09 14:31:42 | 00,023,392 | ---- | M] () -- C:\WINDOWS\System32\nscompat.tlb
[2009/11/09 14:31:42 | 00,016,832 | ---- | M] () -- C:\WINDOWS\System32\amcompat.tlb
[2009/11/09 13:33:40 | 00,441,626 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2009/11/09 13:33:40 | 00,381,692 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2009/11/09 13:33:40 | 00,053,436 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[146 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/01/03 00:16:53 | 00,000,597 | ---- | C] () -- C:\Documents and Settings\Peeper\Desktop\OTL-Code.html
[2010/01/02 19:31:20 | 00,316,416 | ---- | C] () -- C:\Documents and Settings\Peeper\Desktop\nn5pj5cb.exe
[2010/01/02 18:23:41 | 20,085,5552 | -HS- | C] () -- C:\hiberfil.sys
[2009/09/18 08:17:53 | 00,117,760 | ---- | C] () -- C:\WINDOWS\System32\capesnp.dll
[2009/07/27 23:25:08 | 00,066,560 | ---- | C] () -- C:\WINDOWS\System32\drivers\rxerxtaprmdmdeqx.sys
[2009/07/17 20:47:30 | 00,018,944 | -H-- | C] () -- C:\WINDOWS\System32\drivers\protect.sys
[2009/07/15 02:10:32 | 00,049,475 | ---- | C] () -- C:\WINDOWS\System32\MRT.INI
[2009/06/20 16:29:31 | 00,089,088 | -HS- | C] () -- C:\WINDOWS\System32\hugewejo.dll
[2009/06/20 16:29:31 | 00,038,400 | -HS- | C] () -- C:\WINDOWS\System32\muzaloda.dll
[2009/06/20 04:29:22 | 00,088,576 | -HS- | C] () -- C:\WINDOWS\System32\malufige.dll
[2009/06/20 04:29:22 | 00,038,400 | -HS- | C] () -- C:\WINDOWS\System32\kebajupa.dll
[2009/06/19 16:28:54 | 00,088,576 | -HS- | C] () -- C:\WINDOWS\System32\wekedahu.dll
[2009/06/19 16:28:54 | 00,037,888 | -HS- | C] () -- C:\WINDOWS\System32\kavanaga.dll
[2009/06/19 04:28:46 | 00,088,064 | -HS- | C] () -- C:\WINDOWS\System32\vazipuve.dll
[2009/06/19 04:28:46 | 00,038,400 | -HS- | C] () -- C:\WINDOWS\System32\zimusure.dll
[2009/06/18 16:28:47 | 00,088,576 | -HS- | C] () -- C:\WINDOWS\System32\pivumuwe.dll
[2009/06/18 16:28:47 | 00,037,888 | -HS- | C] () -- C:\WINDOWS\System32\bedoyoso.dll
[2009/06/18 04:28:38 | 00,089,088 | -HS- | C] () -- C:\WINDOWS\System32\bonafefa.dll
[2009/06/18 04:28:38 | 00,038,400 | -HS- | C] () -- C:\WINDOWS\System32\dohakopo.dll
[2009/06/17 16:28:23 | 00,089,088 | -HS- | C] () -- C:\WINDOWS\System32\galaloko.dll
[2009/06/17 16:28:23 | 00,037,888 | -HS- | C] () -- C:\WINDOWS\System32\talewagi.dll
[2009/06/17 02:03:15 | 00,088,576 | -HS- | C] () -- C:\WINDOWS\System32\tafayamo.dll
[2009/06/17 02:03:15 | 00,038,400 | -HS- | C] () -- C:\WINDOWS\System32\fayohiyo.dll
[2009/06/16 14:03:06 | 00,088,064 | -HS- | C] () -- C:\WINDOWS\System32\ribogazu.dll
[2009/06/16 14:03:06 | 00,037,376 | -HS- | C] () -- C:\WINDOWS\System32\mutamufe.dll
[2009/06/16 00:26:27 | 00,088,576 | -HS- | C] () -- C:\WINDOWS\System32\sojeseko.dll
[2009/06/16 00:26:27 | 00,037,888 | -HS- | C] () -- C:\WINDOWS\System32\relebopi.dll
[2009/06/15 12:26:26 | 00,088,576 | -HS- | C] () -- C:\WINDOWS\System32\nigatali.dll
[2009/06/15 12:26:26 | 00,037,888 | -HS- | C] () -- C:\WINDOWS\System32\kitujefo.dll
[2009/06/14 17:51:19 | 00,088,064 | -HS- | C] () -- C:\WINDOWS\System32\nijopido.dll
[2009/06/14 17:51:19 | 00,037,376 | -HS- | C] () -- C:\WINDOWS\System32\fatopoze.dll
[2009/06/14 04:35:10 | 00,037,376 | -HS- | C] () -- C:\WINDOWS\System32\mipibote.dll
[2009/06/13 16:34:38 | 00,088,064 | -HS- | C] () -- C:\WINDOWS\System32\saneneje.dll
[2009/06/13 16:34:38 | 00,038,400 | -HS- | C] () -- C:\WINDOWS\System32\ludizibi.dll
[2009/06/13 04:35:17 | 00,049,664 | -HS- | C] () -- C:\WINDOWS\System32\royomuya.dll
[2009/06/13 04:35:17 | 00,049,664 | -HS- | C] () -- C:\WINDOWS\System32\kuvudidi.dll
[2009/06/13 04:35:17 | 00,049,664 | ---- | C] () -- C:\WINDOWS\System32\fosopoku.dll
[2009/06/13 04:34:33 | 00,088,576 | -HS- | C] () -- C:\WINDOWS\System32\kurutudo.dll
[2009/06/13 04:34:33 | 00,049,664 | -HS- | C] () -- C:\WINDOWS\System32\lusonige.dll
[2009/06/13 04:34:33 | 00,037,376 | -HS- | C] () -- C:\WINDOWS\System32\jotofuza.dll
[2009/06/12 16:33:55 | 00,088,576 | -HS- | C] () -- C:\WINDOWS\System32\kehitulo.dll
[2009/06/12 16:33:55 | 00,037,376 | -HS- | C] () -- C:\WINDOWS\System32\bodizeya.dll
[2009/04/28 23:56:02 | 04,918,917 | ---- | C] () -- C:\WINDOWS\System32\wiadllcra.dll
[2009/04/28 23:56:02 | 04,833,518 | ---- | C] () -- C:\WINDOWS\System32\exeripand.dll
[2009/04/28 23:56:02 | 03,927,986 | ---- | C] () -- C:\WINDOWS\System32\loapiaras.dll
[2009/04/28 23:56:02 | 02,128,841 | ---- | C] () -- C:\WINDOWS\System32\giripjeand.dll
[2009/04/28 23:56:02 | 01,648,344 | ---- | C] () -- C:\WINDOWS\System32\lopevapi.dll
[2009/04/28 23:56:02 | 01,480,318 | ---- | C] () -- C:\WINDOWS\System32\pocodllet.dll
[2009/04/28 23:56:02 | 01,298,528 | ---- | C] () -- C:\WINDOWS\System32\bcranig.dll
[2009/04/28 23:56:02 | 01,260,491 | ---- | C] () -- C:\WINDOWS\System32\32jeexje.dll
[2009/04/28 23:56:02 | 00,913,439 | ---- | C] () -- C:\WINDOWS\System32\lowdopo.dll
[2009/04/10 14:29:24 | 00,066,482 | R--- | C] () -- C:\WINDOWS\System32\lvcoinst.ini
[2008/10/02 13:41:32 | 00,054,134 | ---- | C] () -- C:\Program Files\INSTALL.LOG
[2008/07/26 07:25:02 | 00,025,624 | ---- | C] () -- C:\WINDOWS\System32\drivers\LVPr2Mon.sys
[2007/11/05 19:53:17 | 00,009,728 | ---- | C] () -- C:\Documents and Settings\Peeper\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2007/08/16 11:25:50 | 00,001,232 | ---- | C] () -- C:\WINDOWS\System32\drivers\JL2004A_PhotoViewer_Tools.sys
[2007/03/19 23:04:46 | 00,000,128 | ---- | C] () -- C:\Documents and Settings\Peeper\Local Settings\Application Data\fusioncache.dat
[2007/02/28 13:51:26 | 00,000,396 | ---- | C] () -- C:\WINDOWS\cdplayer.ini
[2007/02/25 23:18:04 | 00,000,393 | ---- | C] () -- C:\WINDOWS\SIERRA.INI
[2007/02/25 23:10:44 | 00,001,963 | ---- | C] () -- C:\WINDOWS\yahtzee.ini
[2007/02/25 23:09:07 | 00,010,240 | ---- | C] () -- C:\WINDOWS\System32\vidx16.dll
[2007/02/25 23:07:52 | 00,000,889 | ---- | C] () -- C:\WINDOWS\disney.ini
[2006/09/26 12:41:23 | 00,684,032 | ---- | C] () -- C:\WINDOWS\libeay32.dll
[2006/09/26 12:41:23 | 00,155,648 | ---- | C] () -- C:\WINDOWS\ssleay32.dll
[2006/06/29 12:38:16 | 00,000,070 | ---- | C] () -- C:\WINDOWS\8200978A.ini
[2005/10/24 10:54:24 | 00,012,288 | ---- | C] () -- C:\WINDOWS\impborl.dll
[2005/09/30 13:58:48 | 00,007,262 | ---- | C] () -- C:\WINDOWS\hpdj3840.ini
[2005/09/30 13:57:57 | 00,000,414 | ---- | C] () -- C:\WINDOWS\hpbvspst.ini
[2004/09/17 17:37:42 | 00,061,440 | ---- | C] () -- C:\WINDOWS\System32\vuins32.dll
[2004/09/17 16:36:16 | 00,002,304 | ---- | C] () -- C:\WINDOWS\System32\mndisk.sys
[2004/08/11 09:19:36 | 00,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2004/08/10 10:56:42 | 00,028,672 | ---- | C] () -- C:\WINDOWS\System32\JAWTAccessBridge.dll
[2004/08/10 10:55:59 | 00,086,016 | ---- | C] () -- C:\WINDOWS\System32\PcdrKernelModeServices.dll
[2004/08/10 10:55:59 | 00,065,536 | ---- | C] () -- C:\WINDOWS\System32\ProgressTrace.dll
[2004/08/10 10:49:42 | 00,167,936 | ---- | C] () -- C:\WINDOWS\System32\PCDrJNI_1_1.dll
[2004/08/10 10:42:09 | 00,025,960 | ---- | C] () -- C:\WINDOWS\System32\CHODDI.SYS
[2004/08/10 10:41:29 | 00,045,056 | ---- | C] () -- C:\WINDOWS\System32\hpreg.dll
[2004/08/10 10:25:46 | 00,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2004/08/10 09:52:17 | 00,001,793 | ---- | C] () -- C:\WINDOWS\System32\fxsperf.ini
[2004/08/10 08:57:41 | 00,299,073 | ---- | C] () -- C:\WINDOWS\System32\PythonCOM22.dll
[2004/08/10 08:57:41 | 00,065,536 | ---- | C] () -- C:\WINDOWS\System32\PyWinTypes22.dll
[2004/08/10 08:57:14 | 00,016,896 | ---- | C] () -- C:\WINDOWS\System32\bcbmm.dll
[2004/08/10 08:44:56 | 00,000,802 | ---- | C] () -- C:\WINDOWS\orun32.ini
[2004/08/10 08:19:50 | 00,000,553 | ---- | C] () -- C:\WINDOWS\System32\oeminfo.ini

========== LOP Check ==========


========== Purity Check ==========



========== Custom Scans ==========


< %ALLUSERSPROFILE%\Application Data\*. >
[2009/11/09 12:48:26 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\19937964
[2004/08/10 10:09:33 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Adobe
[2008/12/26 22:26:40 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Apple
[2008/12/26 22:28:00 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Apple Computer
[2009/07/11 19:17:06 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\AT&T
[2006/09/26 14:32:29 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Geek Squad
[2009/06/15 14:15:23 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Google
[2009/07/12 05:24:05 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Google Updater
[2009/05/14 00:15:11 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Lavasoft
[2009/05/07 02:36:42 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Logishrd
[2009/04/10 14:37:57 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Logitech
[2009/05/14 00:22:58 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2009/06/30 20:39:13 | 00,000,000 | --SD | M] -- C:\Documents and Settings\All Users\Application Data\Microsoft
[2008/10/02 10:41:12 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Motive
[2009/02/04 02:16:36 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\MumboJumbo
[2009/03/06 19:46:31 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Norton
[2009/02/09 16:31:12 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\NortonInstaller
[2009/07/12 20:49:35 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PC Tools
[2008/07/08 20:36:53 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\QuickTime
[2004/08/10 08:47:42 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SBSI
[2009/08/09 19:21:01 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Skype
[2009/02/09 16:34:09 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Symantec
[2009/11/09 13:36:14 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2006/08/02 10:26:13 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
[2009/07/13 16:56:34 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Yahoo!
[2009/04/06 14:58:31 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{00D89592-F643-4D8D-8F0F-AFAE0F14D4C3}
[2009/06/15 10:00:01 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}

< %ALLUSERSPROFILE%\Application Data\*.exe /s >
[2009/02/04 12:56:14 | 00,075,112 | ---- | M] (GEAR Software, Inc.) -- C:\Documents and Settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}\x86\DifXInstall32.exe
[2009/07/16 21:30:13 | 00,075,040 | ---- | M] (Apple Inc.) -- C:\Documents and Settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.2.1.6\SetupAdmin.exe
[2006/09/26 11:39:03 | 05,512,975 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\Geek Squad\MRI\Definition Cache\ewido-signatures4-full-current.exe
[2005/01/21 21:32:16 | 00,079,504 | ---- | M] (Symantec Corporation) -- C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\ExItem3253_symnet$20consumer_5.2.1_english\setup.exe
[2005/04/05 10:17:26 | 00,079,504 | ---- | M] (Symantec Corporation) -- C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\ExItem3263_symnet$20consumer_5.4.4_english\setup.exe

< %APPDATA%\*. >
[2008/10/04 09:25:56 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Peeper\Application Data\Adobe
[2007/10/31 22:39:19 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Peeper\Application Data\AdobeUM
[2009/06/15 15:07:05 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Peeper\Application Data\Apple Computer
[2009/05/15 02:02:00 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Peeper\Application Data\ArcSoft
[2009/07/11 19:17:06 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Peeper\Application Data\AT&T
[2009/03/15 16:24:26 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Peeper\Application Data\Google
[2009/08/15 21:40:48 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Peeper\Application Data\gtk-2.0
[2007/10/13 16:40:25 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Peeper\Application Data\Help
[2004/08/10 08:39:29 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Peeper\Application Data\Identities
[2007/12/16 19:31:25 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Peeper\Application Data\Leadertech
[2008/10/04 09:25:56 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Peeper\Application Data\Macromedia
[2009/05/14 00:23:07 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Peeper\Application Data\Malwarebytes
[2009/06/30 20:46:25 | 00,000,000 | --SD | M] -- C:\Documents and Settings\Peeper\Application Data\Microsoft
[2009/07/14 19:21:22 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Peeper\Application Data\Motive
[2009/05/01 00:53:47 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Peeper\Application Data\Move Networks
[2009/02/09 16:14:17 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Peeper\Application Data\Mozilla
[2009/07/12 20:49:35 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Peeper\Application Data\PC Tools
[2009/07/21 17:15:04 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Peeper\Application Data\pridl
[2007/12/17 16:17:51 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Peeper\Application Data\Real
[2004/08/10 11:16:53 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Peeper\Application Data\SampleView
[2009/03/07 04:09:02 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Peeper\Application Data\Serif
[2009/09/13 15:34:14 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Peeper\Application Data\Skype
[2009/09/13 15:32:15 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Peeper\Application Data\skypePM
[2004/08/10 09:09:25 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Peeper\Application Data\Sun
[2004/08/11 08:55:28 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Peeper\Application Data\Symantec
[2009/07/14 19:25:38 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Peeper\Application Data\WinPatrol
[2009/02/05 14:55:55 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Peeper\Application Data\Yahoo!

< %APPDATA%\*.exe /s >
[2009/09/05 09:09:08 | 01,924,440 | ---- | M] (Adobe Systems Incorporated) -- C:\Documents and Settings\Peeper\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\fpupdatepl\fpupdatepl.exe
[2009/07/21 17:15:04 | 00,034,816 | ---- | M] () -- C:\Documents and Settings\Peeper\Application Data\pridl\pridl.exe


< MD5 for: AGP440.SYS >
[2008/04/13 13:36:38 | 00,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\ServicePackFiles\i386\agp440.sys
[2008/04/13 13:36:38 | 00,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\system32\dllcache\agp440.sys
[2008/04/13 13:36:38 | 00,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\system32\drivers\agp440.sys

< MD5 for: ATAPI.SYS >
[2008/04/13 13:40:30 | 00,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ServicePackFiles\i386\atapi.sys
[2008/04/13 13:40:30 | 00,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\dllcache\atapi.sys
[2008/04/13 13:40:30 | 00,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\drivers\atapi.sys
[2004/08/03 16:00:00 | 00,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\$NtServicePackUninstall$\atapi.sys

< MD5 for: EVENTLOG.DLL >
[2008/04/13 19:11:53 | 00,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\ServicePackFiles\i386\eventlog.dll
[2008/04/13 19:11:53 | 00,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\system32\dllcache\eventlog.dll
[2008/04/13 19:11:53 | 00,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\system32\eventlog.dll
[2004/08/03 16:00:00 | 00,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll

< MD5 for: NETLOGON.DLL >
[2008/04/13 19:12:01 | 00,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\ServicePackFiles\i386\netlogon.dll
[2008/04/13 19:12:01 | 00,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\system32\netlogon.dll
[2004/08/03 16:00:00 | 00,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\WINDOWS\$NtServicePackUninstall$\netlogon.dll

< MD5 for: SCECLI.DLL >
[2004/08/03 16:00:00 | 00,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- C:\WINDOWS\$NtServicePackUninstall$\scecli.dll
[2008/04/13 19:12:05 | 00,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\ServicePackFiles\i386\scecli.dll
[2008/04/13 19:12:05 | 00,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\system32\scecli.dll

< %systemroot%\*. /mp /s >

========== Alternate Data Streams ==========

@Alternate Data Stream - 150 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2
@Alternate Data Stream - 116 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:D1B5B4F1
< End of report >



---------------------



Extras.txt BELOW:
OTL Extras logfile created on: 1/3/2010 1:19:59 AM - Run 1
OTL by OldTimer - Version 3.1.20.2 Folder = C:\Documents and Settings\Peeper\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

191.00 Mb Total Physical Memory | 29.00 Mb Available Physical Memory | 15.00% Memory free
1.00 Gb Paging File | 1.00 Gb Available in Paging File | 82.00% Paging File free
Paging file location(s): C:\pagefile.sys 1056 2112 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 32.60 Gb Total Space | 4.58 Gb Free Space | 14.06% Space Free | Partition Type: NTFS
Drive D: | 4.66 Gb Total Space | 0.92 Gb Free Space | 19.81% Space Free | Partition Type: FAT32
Drive E: | 397.39 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
Drive F: | 960.72 Mb Total Space | 959.98 Mb Free Space | 99.92% Space Free | Partition Type: FAT
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: YOUR-7008FFA13B
Current User Name: Peeper
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 90 Days
Output = Standard

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.chm [@ = chm.file] -- C:\WINDOWS\hh.exe File not found
.cpl [@ = cplfile] -- Reg Error: Value error. File not found
.hta [@ = htafile] -- Reg Error: Value error. File not found
.html [@ = htmlfile] -- C:\Program Files\Internet Explorer\IEXPLORE.EXE (Microsoft Corporation)
.inf [@ = inffile] -- Reg Error: Value error. File not found
.ini [@ = inifile] -- C:\WINDOWS\System32\NOTEPAD.EXE File not found
.js [@ = JSFile] -- C:\WINDOWS\System32\WScript.exe File not found
.jse [@ = JSEFile] -- C:\WINDOWS\System32\WScript.exe File not found
.reg [@ = regfile] -- regedit.exe "%1"
.vbe [@ = VBEFile] -- Reg Error: Value error. File not found
.vbs [@ = VBSFile] -- WScript.exe "%1" %*
.wsf [@ = WSFFile] -- C:\WINDOWS\System32\WScript.exe File not found
.wsh [@ = WSHFile] -- C:\WINDOWS\System32\WScript.exe File not found

[HKEY_USERS\S-1-5-21-1847359679-148087881-2726939249-1010\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [edit] -- %SystemRoot%\System32\NOTEPAD.EXE %1 File not found
batfile [open] -- "%1" %*
batfile [print] -- %SystemRoot%\System32\NOTEPAD.EXE /p %1 File not found
chm.file [open] -- "C:\WINDOWS\hh.exe" %1 File not found
cmdfile [edit] -- %SystemRoot%\System32\NOTEPAD.EXE %1 File not found
cmdfile [open] -- "%1" %*
cmdfile [print] -- %SystemRoot%\System32\NOTEPAD.EXE /p %1 File not found
comfile [open] -- "%1" %*
cplfile [cplopen] -- Reg Error: Value error.
exefile [open] -- "%1" %*
htafile [open] -- Reg Error: Value error.
htmlfile [edit] -- Reg Error: Key error.
htmlfile [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
htmlfile [opennew] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)
http [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
https [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
inffile [install] -- %SystemRoot%\System32\rundll32.exe setupapi,InstallHinfSection DefaultInstall 132 %1 File not found
inffile [open] -- Reg Error: Value error.
inffile [print] -- %SystemRoot%\System32\NOTEPAD.EXE /p %1 File not found
inifile [open] -- C:\WINDOWS\SYSTEM32\NOTEPAD.EXE %1 File not found
inifile [print] -- %SystemRoot%\System32\NOTEPAD.EXE /p %1 File not found
jsfile [edit] -- %SystemRoot%\System32\Notepad.exe %1 File not found
jsfile [open] -- %SystemRoot%\System32\WScript.exe "%1" %* File not found
jsfile [print] -- %SystemRoot%\System32\Notepad.exe /p %1 File not found
jsefile [edit] -- %SystemRoot%\System32\Notepad.exe %1 File not found
jsefile [open] -- %SystemRoot%\System32\WScript.exe "%1" %* File not found
jsefile [print] -- %SystemRoot%\System32\Notepad.exe /p %1 File not found
piffile [open] -- "%1" %*
regfile [edit] -- %SystemRoot%\system32\NOTEPAD.EXE %1 File not found
regfile [open] -- regedit.exe "%1"
regfile [merge] -- Reg Error: Key error.
regfile [print] -- %SystemRoot%\system32\NOTEPAD.EXE /p %1 File not found
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
txtfile [print] -- %SystemRoot%\system32\NOTEPAD.EXE /p %1 File not found
txtfile [printto] -- %SystemRoot%\system32\notepad.exe /pt "%1" "%2" "%3" "%4" File not found
vbefile [edit] -- %SystemRoot%\System32\Notepad.exe %1 File not found
vbefile [open] -- Reg Error: Value error.
vbefile [print] -- %SystemRoot%\System32\Notepad.exe /p %1 File not found
vbsfile [edit] -- %SystemRoot%\System32\Notepad.exe %1 File not found
vbsfile [open] -- WScript.exe "%1" %*
vbsfile [print] -- %SystemRoot%\System32\Notepad.exe /p %1 File not found
wsffile [edit] -- %SystemRoot%\System32\Notepad.exe %1 File not found
wsffile [open] -- %SystemRoot%\System32\WScript.exe "%1" %* File not found
wsffile [print] -- %SystemRoot%\System32\Notepad.exe /p %1 File not found
wshfile [open] -- %SystemRoot%\System32\WScript.exe "%1" %* File not found
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Applications\iexplore.exe [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)
CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -- "C:\Program Files\Internet Explorer\iexplore.exe" (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 1
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"8085:TCP" = 8085:TCP:*:Enabled:drv

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"C:\Program Files\Windows Live\Messenger\wlcsdk.exe" = C:\Program Files\Windows Live\Messenger\wlcsdk.exe:*:Enabled:Windows Live Call -- (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Compaq Connections\6750491\Program\Compaq Connections.exe" = C:\Program Files\Compaq Connections\6750491\Program\Compaq Connections.exe:*:Enabled:BackWeb for Presario -- ()
"C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" = C:\Program Files\EarthLink TotalAccess\TaskPanl.exe:*:Enabled:Earthlink -- File not found
"C:\Program Files\att-nap\McciBrowser.exe" = C:\Program Files\att-nap\McciBrowser.exe:*:Enabled:motivebrowser.exe -- (Motive Communications, Inc.)
"C:\Program Files\Internet Explorer\IEXPLORE.EXE" = C:\Program Files\Internet Explorer\IEXPLORE.EXE:*:Enabled:Internet Explorer -- (Microsoft Corporation)
"C:\Program Files\Bonjour\mDNSResponder.exe" = C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour -- (Apple Inc.)
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" = C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:*:Enabled:Yahoo! Messenger -- File not found
"C:\Program Files\iTunes\iTunes.exe" = C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes -- (Apple Inc.)
"C:\Program Files\Windows Live\Messenger\wlcsdk.exe" = C:\Program Files\Windows Live\Messenger\wlcsdk.exe:*:Enabled:Windows Live Call -- (Microsoft Corporation)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{02E89EFC-7B07-4D5A-AA03-9EC0902914EE}" = VC 9.0 Runtime
"{07287123-B8AC-41CE-8346-3D777245C35B}" = Bonjour
"{0AAA9C97-74D4-47CE-B089-0B147EF3553C}" = Windows Live Messenger
"{0EB5D9B7-8E6C-4A9E-B74F-16B7EE89A67B}" = Microsoft Plus! Photo Story 2 LE
"{13515135-48BB-4184-8C1F-2FAE0138E200}" = TBS WMP Plug-in
"{14589F05-C658-4594-9429-D437BA688686}" = IntelliMover Data Transfer Demo
"{1A103D70-5C9B-4E1A-B306-5106C68F9914}" = Microsoft Plus! Dancer LE
"{1F7CCFA3-D926-4882-B2A5-A0217ED25597}" = PC-Doctor for Windows
"{205C6BDD-7B73-42DE-8505-9A093F35A238}" = Windows Live Upload Tool
"{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}" = MSVCRT
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{3AF8FCCD-F51A-4014-9002-F195E1CBC876}" = Logitech QuickCam
"{3B4E636E-9D65-4D67-BA61-189800823F52}" = Windows Live Communications Platform
"{4532168B-140A-48D1-91F3-4F52EEE3DBA3}" = ArcSoft Collage Creator
"{45338B07-A236-4270-9A77-EBB4115517B5}" = Windows Live Sign-in Assistant
"{53735ECE-E461-4FD0-B742-23A352436D3A}" = Logitech Updater
"{541DEAC0-5F3D-45E6-B7CB-94ECF3B96748}" = Skype web features
"{5DFDEAAA-E050-482E-A5B6-138CAE53F7BF}" = Radialpoint Security Services
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{6E45BA47-383C-4C1E-8ED0-0D4845C293D7}" = Microsoft Plus! Digital Media Edition Installer
"{7148F0A8-6813-11D6-A77B-00B0D0142030}" = Java 2 Runtime Environment, SE v1.4.2_03
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{764D06D8-D8DE-411E-A1C8-D9E9380F8A84}" = Microsoft Works 7.0
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8FFC5648-FAF8-43A3-BC8F-42BA1E275C4E}" = Choice Guard
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{99ECF41F-5CCA-42BD-B8B8-A8333E2E2944}" = iTunes
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{A1F66FC9-11EE-4F2F-98C9-16F8D1E69FB7}" = Segoe UI
"{A6A9D7C4-1E5B-42FD-98F5-E067A942AEE1}" = AQUAZONE "Virtual Aquarium Collection"
"{AC76BA86-0000-0000-0000-6028747ADE01}" = Adobe Acrobat - Reader 6.0.2 Update
"{AC76BA86-7AD7-1033-7B44-A00000000001}" = Adobe Reader 6.0.1
"{BCE72AED-3332-4863-9567-C5DCB9052CA2}" = Netflix Movie Viewer
"{C337BDAF-CB4E-47E2-BE1A-CB31BB7DD0E3}" = Apple Mobile Device Support
"{C6CA8874-5F22-4AF0-9BE3-016BF299C536}" = Windows Live Essentials
"{C78EAC6F-7A73-452E-8134-DBB2165C5A68}" = QuickTime
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{D0122362-6333-4DE4-93F6-A5A2F3CC101A}" = Compaq Organize
"{D103C4BA-F905-437A-8049-DB24763BBE36}" = Skype™ 4.1
"{DB518BA6-CB74-4EB6-9ABD-880B6D6E1F38}" = HpSdpAppCoreApp
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}" = Visual C++ 2008 x86 Runtime - (v9.0.30729)
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}.vc_x86runtime_30729_01" = Visual C++ 2008 x86 Runtime - v9.0.30729.01
"{F6BD194C-4190-4D73-B1B1-C48C99921BFE}" = Windows Live Call
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Agere Systems Soft Modem" = Agere Systems PCI Soft Modem
"BackWeb-6750491 Uninstaller" = Compaq Connections
"BellsouthHelpCenter4.0b_is1" = FastAccess DSL Help Center 4.3
"Clickables Online" = Clickables Online
"Desktop XP Screensaver Manager_is1" = Desktop XP Screensaver Manager 1.2 Powered by AdVantage
"Help and Support Additions" = Help and Support Additions
"Hoyle Casino '98" = Hoyle Casino '98
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"InstallShield_{13515135-48BB-4184-8C1F-2FAE0138E200}" = TBS WMP Plug-in
"lvdrivers_11.80" = Logitech QuickCam Driver Package
"MerlinReportAgent" = ATT High Speed Internet Service Report Agent
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Mozilla Firefox (3.0.14)" = Mozilla Firefox (3.0.14)
"Network Play System (Patching)" = Network Play System (Patching)
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"NVIDIA GART Driver" = NVIDIA GART Driver
"Photo Viewer_is1" = Uninstall Photo Viewer
"PS2" = PS2
"Python 2.2 combined Win32 extensions" = Python 2.2 combined Win32 extensions
"Python 2.2.1" = Python 2.2.1
"RealPlayer 6.0" = RealPlayer
"S3" = VIA/S3G Display Driver
"SafetyCenter" = SafetyCenter
"Sierra Utilities" = Sierra Utilities
"Spyware Doctor" = Spyware Doctor 6.0
"The Weather Channel Desktop 6" = The Weather Channel Desktop 6
"VN_VUIns_Rhine_VIA" = VIA Rhine-Family Fast Ethernet Adapter
"VTDisplay" = S3 S3Display
"VTGamma2" = S3 S3Gamma2
"VTInfo2" = S3 S3Info2
"VTOverlay" = S3 S3Overlay
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows XP Service Pack" = Windows XP Service Pack 3
"WinGimp-2.0_is1" = GIMP 2.6.6
"WinLiveSuite_Wave3" = Windows Live Essentials
"WMFDist11" = Windows Media Format 11 runtime
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0
"Yahtzeev1" = Yahtzee

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"digifast" = DigiFast

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"digifast" = DigiFast

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 9/18/2009 3:02:52 PM | Computer Name = YOUR-7008FFA13B | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: The server name or address could not be resolved

Error - 9/18/2009 3:20:46 PM | Computer Name = YOUR-7008FFA13B | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This operation returned because the timeout period expired.

Error - 9/18/2009 3:28:26 PM | Computer Name = YOUR-7008FFA13B | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This operation returned because the timeout period expired.

Error - 9/18/2009 5:12:45 PM | Computer Name = YOUR-7008FFA13B | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This operation returned because the timeout period expired.

Error - 9/19/2009 6:31:53 PM | Computer Name = YOUR-7008FFA13B | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This operation returned because the timeout period expired.

Error - 9/19/2009 6:39:23 PM | Computer Name = YOUR-7008FFA13B | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This operation returned because the timeout period expired.

Error - 11/9/2009 12:45:00 PM | Computer Name = YOUR-7008FFA13B | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: The server name or address could not be resolved

Error - 11/9/2009 1:43:32 PM | Computer Name = YOUR-7008FFA13B | Source = Application Error | ID = 1000
Description = Faulting application iexplore.exe, version 7.0.6000.16850, faulting
module ntdll.dll, version 5.1.2600.5755, fault address 0x000101b3.

Error - 11/9/2009 1:46:32 PM | Computer Name = YOUR-7008FFA13B | Source = Application Error | ID = 1004
Description = Faulting application iexplore.exe, version 7.0.6000.16850, faulting
module ntdll.dll, version 5.1.2600.5755, fault address 0x000101b3.

Error - 11/9/2009 2:02:16 PM | Computer Name = YOUR-7008FFA13B | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: The server name or address could not be resolved

[ System Events ]
Error - 1/2/2010 7:57:02 PM | Computer Name = YOUR-7008FFA13B | Source = sr | ID = 1
Description = The System Restore filter encountered the unexpected error '0xC0000001'
while processing the file '' on the volume 'HarddiskVolume1'. It has stopped monitoring
the volume.

Error - 1/2/2010 8:41:03 PM | Computer Name = YOUR-7008FFA13B | Source = System Error | ID = 1003
Description = Error code 100000d1, parameter1 e1a98000, parameter2 00000002, parameter3
00000000, parameter4 f91ea151.

Error - 1/2/2010 8:41:23 PM | Computer Name = YOUR-7008FFA13B | Source = Service Control Manager | ID = 7023
Description = The Network Security service terminated with the following error:
%%126

Error - 1/2/2010 8:41:23 PM | Computer Name = YOUR-7008FFA13B | Source = Service Control Manager | ID = 7023
Description = The drv service terminated with the following error: %%126

Error - 1/2/2010 8:41:23 PM | Computer Name = YOUR-7008FFA13B | Source = Service Control Manager | ID = 7000
Description = The Security Services Driver (x86) service failed to start due to
the following error: %%2

Error - 1/2/2010 8:41:23 PM | Computer Name = YOUR-7008FFA13B | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
Lbd

Error - 1/3/2010 1:14:54 AM | Computer Name = YOUR-7008FFA13B | Source = Service Control Manager | ID = 7023
Description = The Network Security service terminated with the following error:
%%126

Error - 1/3/2010 1:14:54 AM | Computer Name = YOUR-7008FFA13B | Source = Service Control Manager | ID = 7023
Description = The drv service terminated with the following error: %%126

Error - 1/3/2010 1:14:54 AM | Computer Name = YOUR-7008FFA13B | Source = Service Control Manager | ID = 7000
Description = The Security Services Driver (x86) service failed to start due to
the following error: %%2

Error - 1/3/2010 1:14:54 AM | Computer Name = YOUR-7008FFA13B | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
Lbd


< End of report >

Edited by Monkeyb00y, 03 January 2010 - 02:54 PM.
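The "< MD5 for: ... >" blocks in the OTL log above are an integrity check: OTL hashes every copy it can find of a few critical system files, so a live copy under system32 (or system32\drivers) whose MD5 differs from the Windows File Protection cache (system32\dllcache) and the service-pack source (ServicePackFiles\i386) points at a patched driver or DLL, while the older build in $NtServicePackUninstall$ is expected to differ. The script below is an added example, not part of this thread and not OTL's own code: it parses those blocks and reports any live copy that does not match its cached reference. Its sample input is the AGP440.SYS and ATAPI.SYS blocks copied from the log above, plus a constructed "tampered" variant in which the live atapi.sys carries an all-zero placeholder hash (not a real malware hash) to show what a hit looks like.

```python
"""Cross-check the "< MD5 for: ... >" blocks of an OTL log for patched system files.

Added example: not part of this thread and not OTL's own code.  OTL hashes every
copy of a few critical system files it can find: the live copy under system32
(or system32\\drivers), the Windows File Protection cache (system32\\dllcache),
the service-pack source (ServicePackFiles\\i386) and the pre-service-pack backup
($NtServicePackUninstall$).  A patched driver or DLL shows up as a live copy
whose MD5 differs from the dllcache/ServicePackFiles copies it should be
byte-identical to.  The $NtServicePackUninstall$ copy is an older build and is
expected to differ, so it is ignored.
"""
import re
from collections import defaultdict

# One OTL entry:  [date | size | attrs | M] (Company) MD5=HASH -- path
_ENTRY = re.compile(
    r"^\[[^|]+\|\s*(?P<size>[\d,]+)\s*\|[^\]]*\]\s*\([^)]*\)\s*"
    r"MD5=(?P<md5>[0-9A-Fa-f]{32})\s*--\s*(?P<path>.+?)\s*$"
)
_HEADER = re.compile(r"^<\s*MD5 for:\s*(?P<name>\S+)\s*>$")

REFERENCE_DIRS = ("\\servicepackfiles\\i386\\", "\\system32\\dllcache\\")  # must match
IGNORED_DIRS = ("\\$ntservicepackuninstall$\\",)  # pre-SP build, differs legitimately


def parse_md5_blocks(log_text):
    """Return {FILENAME: [(path, MD5, size), ...]} from the MD5 sections of the log."""
    blocks = defaultdict(list)
    current = None
    for raw in log_text.splitlines():
        line = raw.strip()
        header = _HEADER.match(line)
        if header:
            current = header.group("name").upper()
            continue
        entry = _ENTRY.match(line) if current else None
        if entry:
            blocks[current].append((entry.group("path"), entry.group("md5").upper(),
                                    int(entry.group("size").replace(",", ""))))
    return dict(blocks)


def find_mismatches(blocks):
    """Return [(FILENAME, live_path, live_md5, reference_md5s)] for every live copy
    whose hash is not among the dllcache/ServicePackFiles hashes of that file."""
    findings = []
    for name, entries in blocks.items():
        reference = {md5 for path, md5, _ in entries
                     if any(d in path.lower() for d in REFERENCE_DIRS)}
        if not reference:  # OTL found no cached copy, nothing to compare against
            continue
        for path, md5, _ in entries:
            p = path.lower()
            if any(d in p for d in REFERENCE_DIRS + IGNORED_DIRS):
                continue
            if md5 not in reference:
                findings.append((name, path, md5, sorted(reference)))
    return findings


# Sample input: the AGP440.SYS and ATAPI.SYS blocks copied from the OTL log above.
SAMPLE_LOG = r"""
< MD5 for: AGP440.SYS >
[2008/04/13 13:36:38 | 00,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\ServicePackFiles\i386\agp440.sys
[2008/04/13 13:36:38 | 00,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\system32\dllcache\agp440.sys
[2008/04/13 13:36:38 | 00,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\system32\drivers\agp440.sys

< MD5 for: ATAPI.SYS >
[2008/04/13 13:40:30 | 00,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ServicePackFiles\i386\atapi.sys
[2008/04/13 13:40:30 | 00,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\dllcache\atapi.sys
[2008/04/13 13:40:30 | 00,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\drivers\atapi.sys
[2004/08/03 16:00:00 | 00,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\$NtServicePackUninstall$\atapi.sys
"""

# Constructed failure case: the same log, but the live atapi.sys carries a
# placeholder hash (all zeros, not a real malware hash) standing in for a patched driver.
_LIVE_ATAPI = " -- C:\\WINDOWS\\system32\\drivers\\atapi.sys"
TAMPERED_LOG = SAMPLE_LOG.replace(
    "MD5=9F3A2F5AA6875C72BF062C712CFA2674" + _LIVE_ATAPI,
    "MD5=" + "0" * 32 + _LIVE_ATAPI,
)

if __name__ == "__main__":
    for label, text in (("log as posted", SAMPLE_LOG), ("constructed tampered log", TAMPERED_LOG)):
        hits = find_mismatches(parse_md5_blocks(text))
        print(f"{label}: {len(hits)} mismatched live copies")
        for name, path, md5, ref in hits:
            print(f"  {name}: {path} has {md5}, reference {ref}")
```

Run against the blocks as posted it reports nothing, which is the expected result for this log: every live copy matches its SP3 cache copy, and only the pre-SP3 backup differs. The check is deliberately silent for a file with no cached copy at all, since OTL then gives nothing to compare against; a missing dllcache copy for a protected file is worth a look on its own.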


#8 thcbytes

thcbytes

  • Malware Response Team
  • 14,790 posts
  • Gender:Male
  • Local time:03:19 AM

Posted 03 January 2010 - 04:03 PM

Before we proceed any further....

As I clearly outlined earlier, I need you to do exactly as I instruct, please. I did not ask you to try and run ComboFix. Due to your delay in response, I needed to get a snapshot of the current state of your computer before we proceeded with fixing anything. I asked you to run OTL and GMER! If you run into trouble with my instructions, then please stop and tell me about it. I will base my fixes on the current state of your computer. If you are doing things without me knowing, it might cause more harm than good. You might make your computer unbootable...permanently.

Now...

I know it is your computer and you're trying to be helpful. I appreciate that. But for the reason outlined above, if you would like my help, please indicate that you will abide by my requests. Then we can proceed.

Thanks, :(
~ t
Proud member - Unified Network of Instructors and Trained Eliminators

I do not accept personal donations for assistance provided. I would ask that you instead consider donating the greatest gift - Organ Donation. Your organs are of no use to you when you're gone. You will save a life that would otherwise be lost!

http://donatelife.net/register-now/

#9 thcbytes

thcbytes

  • Malware Response Team
  • 14,790 posts
  • Gender:Male
  • Local time:03:19 AM

Posted 03 January 2010 - 06:01 PM

I re-read my most recent post after you requested to re-open your thread. I think I might not have been clear. I can see where you might have thought that I wanted you to run the original steps I suggested and then run the OTL and GMER scans. If that was your interpretation, then my apologies. :(

Let me review your most recent logs then I will tell you what to do next.

Kind regards,
~ t

#10 thcbytes

thcbytes

  • Malware Response Team
  • 14,790 posts
  • Gender:Male
  • Local time:03:19 AM

Posted 03 January 2010 - 06:36 PM

Try this please....
You are severely infected! You have been infected since July '09!!! This is not going to be easy. :(

Re-run RKill

==========

Run an OTL Fix
  • Please reopen OTL on your desktop.
  • Copy and paste the following code into the Custom Scans/Fixes textbox. Do not include the word "Code".
    :OTL
    PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
    PRC - [2009/08/03 21:41:02 | 00,040,944 | -H-- | M] () -- C:\WINDOWS\system32\config\systemprofile\systemprofile.exe
    PRC - [2009/07/21 17:15:04 | 00,034,816 | ---- | M] () -- C:\Documents and Settings\Peeper\Application Data\pridl\pridl.exe
    PRC - [2009/07/20 14:39:52 | 00,058,368 | ---- | M] () -- C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\tuvajf.exe
    PRC - [2009/07/20 14:39:48 | 00,247,296 | ---- | M] () -- C:\WINDOWS\system32\config\systemprofile\Application Data\digifast\digifast.exe
    PRC - [2009/07/20 14:34:10 | 00,033,792 | ---- | M] () -- C:\WINDOWS\system32\config\systemprofile\Application Data\cft\cft.exe
    MOD - [2009/06/13 04:35:17 | 00,049,664 | -HS- | M] () -- C:\WINDOWS\system32\kuvudidi.dll
    MOD - [2009/06/13 04:35:17 | 00,049,664 | ---- | M] () -- C:\WINDOWS\system32\fosopoku.dll
    SRV - File not found [On_Demand | Stopped] -- -- (IDriverT)
    SRV - File not found [On_Demand | Stopped] -- -- (aspnet_state)
    DRV - [2009/07/17 20:47:30 | 00,018,944 | -H-- | M] () [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\protect.sys -- (protect)
    IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://track.moreniche.com/hit.php?w=155970&s=147
    IE - HKU\.DEFAULT\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - Reg Error: Key error. File not found
    IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://track.moreniche.com/hit.php?w=155970&s=147
    IE - HKU\S-1-5-18\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - Reg Error: Key error. File not found
    O1 - Hosts: 127.0.0.1 jL.chura.pl
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
    O2 - BHO: (no name) - {e3405779-0f64-4fe7-924f-5c0c3090375f} - C:\WINDOWS\System32\kuvudidi.dll ()
    O3 - HKU\.DEFAULT\..\Toolbar\WebBrowser: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No CLSID value found.
    O3 - HKU\S-1-5-18\..\Toolbar\WebBrowser: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No CLSID value found.
    O4 - HKLM..\Run: [kegemihulu] C:\WINDOWS\System32\royomuya.dll ()
    O4 - HKU\.DEFAULT..\Run: [cft] C:\WINDOWS\system32\config\systemprofile\Application Data\cft\cft.exe ()
    O4 - HKU\.DEFAULT..\Run: [DigiFast] C:\WINDOWS\system32\config\systemprofile\Application Data\digifast\digifast.exe ()
    O4 - HKU\.DEFAULT..\Run: [Download] C:\Program Files\HelpCenterDecomJob\ssGet.exe ()
    O4 - HKU\.DEFAULT..\Run: [L9lVqKBeE] C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\tuvajf.exe ()
    O4 - HKU\.DEFAULT..\Run: [pridl] C:\Documents and Settings\Peeper\Application Data\pridl\pridl.exe ()
    O4 - HKU\.DEFAULT..\Run: [systemprofile] C:\WINDOWS\System32\config\systemprofile\systemprofile.exe ()
    O4 - HKU\S-1-5-18..\Run: [cft] C:\WINDOWS\system32\config\systemprofile\Application Data\cft\cft.exe ()
    O4 - HKU\S-1-5-18..\Run: [DigiFast] C:\WINDOWS\system32\config\systemprofile\Application Data\digifast\digifast.exe ()
    O4 - HKU\S-1-5-18..\Run: [Download] C:\Program Files\HelpCenterDecomJob\ssGet.exe ()
    O4 - HKU\S-1-5-18..\Run: [L9lVqKBeE] C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\tuvajf.exe ()
    O4 - HKU\S-1-5-18..\Run: [pridl] C:\Documents and Settings\Peeper\Application Data\pridl\pridl.exe ()
    O4 - HKU\S-1-5-18..\Run: [systemprofile] C:\WINDOWS\System32\config\systemprofile\systemprofile.exe ()
    O4 - HKLM..\RunOnce: [N@] Reg Error: Invalid data type. File not found
    O4 - HKLM..\RunOnce: [N@] Reg Error: Invalid data type. File not found
    O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - Reg Error: Key error. File not found
    O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe File not found
    O9 - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe File not found
    O20 - AppInit_DLLs: (fosopoku.dll) - C:\WINDOWS\System32\fosopoku.dll ()
    O33 - MountPoints2\{7fd05896-c1e5-11db-a506-806d6172696f}\Shell - "" = AutoRun
    O33 - MountPoints2\{7fd05896-c1e5-11db-a506-806d6172696f}\Shell\AutoRun - "" = Auto&Play
    O33 - MountPoints2\{7fd05898-c1e5-11db-a506-806d6172696f}\Shell - "" = AutoRun
    O33 - MountPoints2\{7fd05898-c1e5-11db-a506-806d6172696f}\Shell\AutoRun - "" = Auto&Play
    O33 - MountPoints2\{7fd05898-c1e5-11db-a506-806d6172696f}\Shell\AutoRun\command - "" = E:\BANDLINK\BLAUNCH.EXE -- [2004/03/05 07:44:08 | 00,176,128 | R--- | M] ()
    [2 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
    [146 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
    [2010/01/03 01:21:57 | 00,011,168 | -H-- | M] () -- C:\WINDOWS\System32\boguyepe
    [2009/09/18 08:17:53 | 00,117,760 | ---- | C] () -- C:\WINDOWS\System32\capesnp.dll
    [2009/07/27 23:25:08 | 00,066,560 | ---- | C] () -- C:\WINDOWS\System32\drivers\rxerxtaprmdmdeqx.sys
    [2009/07/17 20:47:30 | 00,018,944 | -H-- | C] () -- C:\WINDOWS\System32\drivers\protect.sys
    [2009/07/15 02:10:32 | 00,049,475 | ---- | C] () -- C:\WINDOWS\System32\MRT.INI
    [2009/06/20 16:29:31 | 00,089,088 | -HS- | C] () -- C:\WINDOWS\System32\hugewejo.dll
    [2009/06/20 16:29:31 | 00,038,400 | -HS- | C] () -- C:\WINDOWS\System32\muzaloda.dll
    [2009/06/20 04:29:22 | 00,088,576 | -HS- | C] () -- C:\WINDOWS\System32\malufige.dll
    [2009/06/20 04:29:22 | 00,038,400 | -HS- | C] () -- C:\WINDOWS\System32\kebajupa.dll
    [2009/06/19 16:28:54 | 00,088,576 | -HS- | C] () -- C:\WINDOWS\System32\wekedahu.dll
    [2009/06/19 16:28:54 | 00,037,888 | -HS- | C] () -- C:\WINDOWS\System32\kavanaga.dll
    [2009/06/19 04:28:46 | 00,088,064 | -HS- | C] () -- C:\WINDOWS\System32\vazipuve.dll
    [2009/06/19 04:28:46 | 00,038,400 | -HS- | C] () -- C:\WINDOWS\System32\zimusure.dll
    [2009/06/18 16:28:47 | 00,088,576 | -HS- | C] () -- C:\WINDOWS\System32\pivumuwe.dll
    [2009/06/18 16:28:47 | 00,037,888 | -HS- | C] () -- C:\WINDOWS\System32\bedoyoso.dll
    [2009/06/18 04:28:38 | 00,089,088 | -HS- | C] () -- C:\WINDOWS\System32\bonafefa.dll
    [2009/06/18 04:28:38 | 00,038,400 | -HS- | C] () -- C:\WINDOWS\System32\dohakopo.dll
    [2009/06/17 16:28:23 | 00,089,088 | -HS- | C] () -- C:\WINDOWS\System32\galaloko.dll
    [2009/06/17 16:28:23 | 00,037,888 | -HS- | C] () -- C:\WINDOWS\System32\talewagi.dll
    [2009/06/17 02:03:15 | 00,088,576 | -HS- | C] () -- C:\WINDOWS\System32\tafayamo.dll
    [2009/06/17 02:03:15 | 00,038,400 | -HS- | C] () -- C:\WINDOWS\System32\fayohiyo.dll
    [2009/06/16 14:03:06 | 00,088,064 | -HS- | C] () -- C:\WINDOWS\System32\ribogazu.dll
    [2009/06/16 14:03:06 | 00,037,376 | -HS- | C] () -- C:\WINDOWS\System32\mutamufe.dll
    [2009/06/16 00:26:27 | 00,088,576 | -HS- | C] () -- C:\WINDOWS\System32\sojeseko.dll
    [2009/06/16 00:26:27 | 00,037,888 | -HS- | C] () -- C:\WINDOWS\System32\relebopi.dll
    [2009/06/15 12:26:26 | 00,088,576 | -HS- | C] () -- C:\WINDOWS\System32\nigatali.dll
    [2009/06/15 12:26:26 | 00,037,888 | -HS- | C] () -- C:\WINDOWS\System32\kitujefo.dll
    [2009/06/14 17:51:19 | 00,088,064 | -HS- | C] () -- C:\WINDOWS\System32\nijopido.dll
    [2009/06/14 17:51:19 | 00,037,376 | -HS- | C] () -- C:\WINDOWS\System32\fatopoze.dll
    [2009/06/14 04:35:10 | 00,037,376 | -HS- | C] () -- C:\WINDOWS\System32\mipibote.dll
    [2009/06/13 16:34:38 | 00,088,064 | -HS- | C] () -- C:\WINDOWS\System32\saneneje.dll
    [2009/06/13 16:34:38 | 00,038,400 | -HS- | C] () -- C:\WINDOWS\System32\ludizibi.dll
    [2009/06/13 04:35:17 | 00,049,664 | -HS- | C] () -- C:\WINDOWS\System32\royomuya.dll
    [2009/06/13 04:35:17 | 00,049,664 | -HS- | C] () -- C:\WINDOWS\System32\kuvudidi.dll
    [2009/06/13 04:35:17 | 00,049,664 | ---- | C] () -- C:\WINDOWS\System32\fosopoku.dll
    [2009/06/13 04:34:33 | 00,088,576 | -HS- | C] () -- C:\WINDOWS\System32\kurutudo.dll
    [2009/06/13 04:34:33 | 00,049,664 | -HS- | C] () -- C:\WINDOWS\System32\lusonige.dll
    [2009/06/13 04:34:33 | 00,037,376 | -HS- | C] () -- C:\WINDOWS\System32\jotofuza.dll
    [2009/06/12 16:33:55 | 00,088,576 | -HS- | C] () -- C:\WINDOWS\System32\kehitulo.dll
    [2009/06/12 16:33:55 | 00,037,376 | -HS- | C] () -- C:\WINDOWS\System32\bodizeya.dll
    [2009/04/28 23:56:02 | 04,918,917 | ---- | C] () -- C:\WINDOWS\System32\wiadllcra.dll
    [2009/04/28 23:56:02 | 04,833,518 | ---- | C] () -- C:\WINDOWS\System32\exeripand.dll
    [2009/04/28 23:56:02 | 03,927,986 | ---- | C] () -- C:\WINDOWS\System32\loapiaras.dll
    [2009/04/28 23:56:02 | 02,128,841 | ---- | C] () -- C:\WINDOWS\System32\giripjeand.dll
    [2009/04/28 23:56:02 | 01,648,344 | ---- | C] () -- C:\WINDOWS\System32\lopevapi.dll
    [2009/04/28 23:56:02 | 01,480,318 | ---- | C] () -- C:\WINDOWS\System32\pocodllet.dll
    [2009/04/28 23:56:02 | 01,298,528 | ---- | C] () -- C:\WINDOWS\System32\bcranig.dll
    [2009/04/28 23:56:02 | 01,260,491 | ---- | C] () -- C:\WINDOWS\System32\32jeexje.dll
    [2009/04/28 23:56:02 | 00,913,439 | ---- | C] () -- C:\WINDOWS\System32\lowdopo.dll
    [2009/07/21 17:15:04 | 00,034,816 | ---- | M] () -- C:\Documents and Settings\Peeper\Application Data\pridl\pridl.exe
    IE - HKU\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://track.moreniche.com/hit.php?w=155970&s=147
    
    :Files
    C:\Documents and Settings\Peeper\Application Data\pridl
    
    :Reg
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    "Notification Packages"=hex(7):73,63,65,63,6c,69,00,00
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
    "SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll" 
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
    "FirstRunDisabled"=-
    "UpdatesDisableNotify"=-
    
    :Commands
    [CREATERESTOREPOINT]
    [resethosts]
    [emptytemp]
    [Reboot]
  • Push Run Fix
  • OTL may ask to reboot the machine. Please do so if asked.
  • Click OK.
  • A report will open. Copy and Paste that report in your next reply.
==========

Download and Run FixPolicies

Please download FixPolicies from here and save it to your desktop.
  • Double-click FixPolicies.exe.
  • Click the Install button to start the extraction.
  • The program will create a new folder called FixPolicies on your desktop by default.
  • Double-click the FixPolicies folder.
  • In the folder please double-click on Fix_Policies.cmd. If you are using Vista, please right-click and select Run as Administrator
  • A black DOS Command Prompt window shall appear and then close. This is normal.
==========

With your next post please provide:

* OTL fix log
* How is it running?

Kind regards,
~t
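An added example (not from this thread and not OTL's own code): a small Python triage script for the fix report the steps above produce. It decodes the hex(7) value the :Reg section restores (a REG_MULTI_SZ holding "scecli", the Windows default for Notification Packages) and sorts report lines so that the ones needing follow-up (values OTL could not set, moves deferred to reboot, restore-point errors) stand out from the hundreds of "moved successfully" lines. The sample report lines are constructed from the shape of the log above; the function names are mine.

```python
"""Triage helper for an OTL fix report (added example, not OTL's own code)."""
import re
from collections import Counter

# Patterns taken from the shape of OTL fix-report lines.
_OK_PATTERNS = (
    r" moved successfully\.$",
    r" deleted successfully\.$",
    r" stopped successfully!$",
    r" killed successfully!$",
    r" removed from HOSTS file successfully$",
    r" value set successfully!$",
    r"^HOSTS file reset successfully$",
)
_NOT_FOUND = r"( not found\.?$|^No active process named )"
# Lines a helper would want to re-check after the reboot.
_NEEDS_FOLLOWUP = (
    (r"^Unable to set value", "value could not be written; re-check after reboot"),
    (r"scheduled to be moved on reboot", "move deferred to reboot; confirm it happened"),
    (r"^Error (starting|closing) restore point", "no restore point created; nothing to roll back to"),
)


def decode_reg_multi_sz(hex7: str) -> list:
    """Decode an OTL/.reg 'hex(7):' byte list into its list of strings.

    REG_MULTI_SZ is NUL-separated strings ending in a double NUL; OTL writes
    it as comma-separated hex bytes, one per ASCII character.
    """
    payload = hex7.split(":", 1)[1] if ":" in hex7 else hex7
    raw = bytes(int(b, 16) for b in payload.split(",") if b.strip())
    return [s.decode("ascii") for s in raw.split(b"\x00") if s]


def classify_line(line: str):
    """Return (category, note) for one report line."""
    line = line.strip()
    if not line or line.startswith(("=====", "->", "User:")):
        return "info", ""
    for pat, note in _NEEDS_FOLLOWUP:
        if re.search(pat, line):
            return "followup", note
    if re.search(_NOT_FOUND, line):
        return "not_found", ""
    for pat in _OK_PATTERNS:
        if re.search(pat, line):
            return "ok", ""
    return "info", ""


def triage(report: str) -> dict:
    """Count line categories and collect the lines that need follow-up."""
    counts = Counter()
    followups = []
    for line in report.splitlines():
        cat, note = classify_line(line)
        counts[cat] += 1
        if cat == "followup":
            followups.append((line.strip(), note))
    return {"counts": dict(counts), "followups": followups}


# Constructed sample: a few lines in the shape of an OTL fix report.
SAMPLE_REPORT = """\
All processes killed
========== OTL ==========
Service protect stopped successfully!
C:\\WINDOWS\\system32\\drivers\\protect.sys moved successfully.
Unable to set value : HKU\\.DEFAULT\\SOFTWARE\\Microsoft\\Internet Explorer\\Main\\\\Start Page| /E!
Registry value HKEY_USERS\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\\\cft deleted successfully.
File C:\\WINDOWS\\system32\\config\\systemprofile\\Application Data\\cft\\cft.exe not found.
File move failed. E:\\BANDLINK\\BLAUNCH.EXE scheduled to be moved on reboot.
Error starting restore point: 31
HOSTS file reset successfully
"""

if __name__ == "__main__":
    # The :Reg section above restores this exact value; it decodes to ['scecli'].
    print(decode_reg_multi_sz("hex(7):73,63,65,63,6c,69,00,00"))
    result = triage(SAMPLE_REPORT)
    print(result["counts"])
    for text, note in result["followups"]:
        print(f"FOLLOW UP: {text}\n   -> {note}")
```

Any DLL other than scecli in the decoded Notification Packages list would be loaded by LSASS at every password change, which is why the fix resets it rather than leaving it as found.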

#11 Monkeyb00y
  • Topic Starter

  • Members
  • 75 posts
  • Gender:Male
  • Location:Behind my eyes...

Posted 03 January 2010 - 11:02 PM

Thanks again, T, for the help.
I want to apologize for misunderstanding the first post after reopening. I should have confirmed before moving forward with any programs. Anyway, I have done what you have asked in the most recent post. Everything ran fine & the log is below.
The computer still won't allow me to access control panel. It states that 'c:\WINDOWS\system32\rundll32.exe' is missing so it can't open Control Panel.
Also, NOTEPAD will not open because it's locked by the administrator, along with some other programs like AVG or Avira AntiVir installation programs. And CTRL+ALT+DEL will not work, or CTRL+SHIFT+ESC.

A good thing though, the virus trying to jump onto my JUMP DRIVE (1GB) wasn't there this time.

Hope this helps.
Thanks,
Monkeyb00y


OTL Fix Log BELOW:
All processes killed
========== OTL ==========
Process explorer.exe killed successfully!
No active process named systemprofile.exe was found!
No active process named pridl.exe was found!
No active process named tuvajf.exe was found!
No active process named digifast.exe was found!
No active process named cft.exe was found!
Service IDriverT stopped successfully!
Service IDriverT deleted successfully!
Service aspnet_state stopped successfully!
Service aspnet_state deleted successfully!
Service protect stopped successfully!
Service protect deleted successfully!
C:\WINDOWS\system32\drivers\protect.sys moved successfully.
Unable to set value : HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main\\Start Page| /E!
Registry value HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\URLSearchHooks\\{A3BC75A2-1F87-4686-AA43-5347D756017C} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A3BC75A2-1F87-4686-AA43-5347D756017C}\ not found.
Unable to set value : HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main\\Start Page| /E!
Registry value HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\URLSearchHooks\\{A3BC75A2-1F87-4686-AA43-5347D756017C} not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A3BC75A2-1F87-4686-AA43-5347D756017C}\ not found.
127.0.0.1 jL.chura.pl removed from HOSTS file successfully
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{02478D38-C3F9-4efb-9B51-7695ECA05670}\ not found.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{e3405779-0f64-4fe7-924f-5c0c3090375f}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{e3405779-0f64-4fe7-924f-5c0c3090375f}\ deleted successfully.
C:\WINDOWS\system32\kuvudidi.dll moved successfully.
Registry value HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{CCC7A320-B3CA-4199-B1A6-9F516DD69829} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CCC7A320-B3CA-4199-B1A6-9F516DD69829}\ not found.
Registry value HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{CCC7A320-B3CA-4199-B1A6-9F516DD69829} not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CCC7A320-B3CA-4199-B1A6-9F516DD69829}\ not found.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\kegemihulu not found.
C:\WINDOWS\system32\royomuya.dll moved successfully.
Registry value HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run\\cft deleted successfully.
C:\WINDOWS\system32\config\systemprofile\Application Data\cft\cft.exe moved successfully.
Registry value HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run\\DigiFast deleted successfully.
C:\WINDOWS\system32\config\systemprofile\Application Data\digifast\digifast.exe moved successfully.
Registry value HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run\\Download deleted successfully.
C:\Program Files\HelpCenterDecomJob\SSGet.exe moved successfully.
Registry value HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run\\L9lVqKBeE deleted successfully.
C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\tuvajf.exe moved successfully.
Registry value HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run\\pridl deleted successfully.
C:\Documents and Settings\Peeper\Application Data\pridl\pridl.exe moved successfully.
Registry value HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run\\systemprofile deleted successfully.
C:\WINDOWS\system32\config\systemprofile\systemprofile.exe moved successfully.
Registry value HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Run\\cft not found.
File C:\WINDOWS\system32\config\systemprofile\Application Data\cft\cft.exe not found.
Registry value HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Run\\DigiFast not found.
File C:\WINDOWS\system32\config\systemprofile\Application Data\digifast\digifast.exe not found.
Registry value HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Run\\Download not found.
File C:\Program Files\HelpCenterDecomJob\ssGet.exe not found.
Registry value HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Run\\L9lVqKBeE not found.
File C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\tuvajf.exe not found.
Registry value HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Run\\pridl not found.
File C:\Documents and Settings\Peeper\Application Data\pridl\pridl.exe not found.
Registry value HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Run\\systemprofile not found.
File C:\WINDOWS\System32\config\systemprofile\systemprofile.exe not found.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce\\N@ deleted successfully.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce\\N@ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{FB5F1910-F110-11d2-BB9E-00C04F795683}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{FB5F1910-F110-11d2-BB9E-00C04F795683}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{FB5F1910-F110-11d2-BB9E-00C04F795683}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{FB5F1910-F110-11d2-BB9E-00C04F795683}\ not found.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_Dlls:fosopoku.dll deleted successfully.
C:\WINDOWS\system32\fosopoku.dll moved successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{7fd05896-c1e5-11db-a506-806d6172696f}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7fd05896-c1e5-11db-a506-806d6172696f}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{7fd05896-c1e5-11db-a506-806d6172696f}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7fd05896-c1e5-11db-a506-806d6172696f}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{7fd05898-c1e5-11db-a506-806d6172696f}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7fd05898-c1e5-11db-a506-806d6172696f}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{7fd05898-c1e5-11db-a506-806d6172696f}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7fd05898-c1e5-11db-a506-806d6172696f}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{7fd05898-c1e5-11db-a506-806d6172696f}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7fd05898-c1e5-11db-a506-806d6172696f}\ not found.
File move failed. E:\BANDLINK\BLAUNCH.EXE scheduled to be moved on reboot.
C:\WINDOWS\002551_.tmp deleted successfully.
C:\WINDOWS\msdownld.tmp folder deleted successfully.
C:\WINDOWS\System32\10.tmp deleted successfully.
C:\WINDOWS\System32\10D.tmp deleted successfully.
C:\WINDOWS\System32\10F.tmp deleted successfully.
C:\WINDOWS\System32\11.tmp deleted successfully.
C:\WINDOWS\System32\111.tmp deleted successfully.
C:\WINDOWS\System32\114.tmp deleted successfully.
C:\WINDOWS\System32\11C.tmp deleted successfully.
C:\WINDOWS\System32\11E.tmp deleted successfully.
C:\WINDOWS\System32\12.tmp deleted successfully.
C:\WINDOWS\System32\120.tmp deleted successfully.
C:\WINDOWS\System32\13.tmp deleted successfully.
C:\WINDOWS\System32\14.tmp deleted successfully.
C:\WINDOWS\System32\15.tmp deleted successfully.
C:\WINDOWS\System32\16.tmp deleted successfully.
C:\WINDOWS\System32\17.tmp deleted successfully.
C:\WINDOWS\System32\18.tmp deleted successfully.
C:\WINDOWS\System32\19.tmp deleted successfully.
C:\WINDOWS\System32\1A.tmp deleted successfully.
C:\WINDOWS\System32\1B.tmp deleted successfully.
C:\WINDOWS\System32\1C.tmp deleted successfully.
C:\WINDOWS\System32\1D.tmp deleted successfully.
C:\WINDOWS\System32\1E.tmp deleted successfully.
C:\WINDOWS\System32\1F.tmp deleted successfully.
C:\WINDOWS\System32\2.tmp deleted successfully.
C:\WINDOWS\System32\20.tmp deleted successfully.
C:\WINDOWS\System32\21.tmp deleted successfully.
C:\WINDOWS\System32\22.tmp deleted successfully.
C:\WINDOWS\System32\23.tmp deleted successfully.
C:\WINDOWS\System32\24.tmp deleted successfully.
C:\WINDOWS\System32\25.tmp deleted successfully.
C:\WINDOWS\System32\26.tmp deleted successfully.
C:\WINDOWS\System32\27.tmp deleted successfully.
C:\WINDOWS\System32\28.tmp deleted successfully.
C:\WINDOWS\System32\29.tmp deleted successfully.
C:\WINDOWS\System32\2A.tmp deleted successfully.
C:\WINDOWS\System32\2B.tmp deleted successfully.
C:\WINDOWS\System32\2C.tmp deleted successfully.
C:\WINDOWS\System32\2D.tmp deleted successfully.
C:\WINDOWS\System32\2E.tmp deleted successfully.
C:\WINDOWS\System32\2F.tmp deleted successfully.
C:\WINDOWS\System32\3.tmp deleted successfully.
C:\WINDOWS\System32\30.tmp deleted successfully.
C:\WINDOWS\System32\31.tmp deleted successfully.
C:\WINDOWS\System32\32.tmp deleted successfully.
C:\WINDOWS\System32\33.tmp deleted successfully.
C:\WINDOWS\System32\34.tmp deleted successfully.
C:\WINDOWS\System32\35.tmp deleted successfully.
C:\WINDOWS\System32\36.tmp deleted successfully.
C:\WINDOWS\System32\37.tmp deleted successfully.
C:\WINDOWS\System32\38.tmp deleted successfully.
C:\WINDOWS\System32\39.tmp deleted successfully.
C:\WINDOWS\System32\3A.tmp deleted successfully.
C:\WINDOWS\System32\3B.tmp deleted successfully.
C:\WINDOWS\System32\3C.tmp deleted successfully.
C:\WINDOWS\System32\3D.tmp deleted successfully.
C:\WINDOWS\System32\3E.tmp deleted successfully.
C:\WINDOWS\System32\3F.tmp deleted successfully.
C:\WINDOWS\System32\4.tmp deleted successfully.
C:\WINDOWS\System32\40.tmp deleted successfully.
C:\WINDOWS\System32\41.tmp deleted successfully.
C:\WINDOWS\System32\42.tmp deleted successfully.
C:\WINDOWS\System32\43.tmp deleted successfully.
C:\WINDOWS\System32\44.tmp deleted successfully.
C:\WINDOWS\System32\45.tmp deleted successfully.
C:\WINDOWS\System32\46.tmp deleted successfully.
C:\WINDOWS\System32\47.tmp deleted successfully.
C:\WINDOWS\System32\48.tmp deleted successfully.
C:\WINDOWS\System32\49.tmp deleted successfully.
C:\WINDOWS\System32\4A.tmp deleted successfully.
C:\WINDOWS\System32\4B.tmp deleted successfully.
C:\WINDOWS\System32\4C.tmp deleted successfully.
C:\WINDOWS\System32\4D.tmp deleted successfully.
C:\WINDOWS\System32\4E.tmp deleted successfully.
C:\WINDOWS\System32\4F.tmp deleted successfully.
C:\WINDOWS\System32\5.tmp deleted successfully.
C:\WINDOWS\System32\50.tmp deleted successfully.
C:\WINDOWS\System32\51.tmp deleted successfully.
C:\WINDOWS\System32\52.tmp deleted successfully.
C:\WINDOWS\System32\53.tmp deleted successfully.
C:\WINDOWS\System32\54.tmp deleted successfully.
C:\WINDOWS\System32\55.tmp deleted successfully.
C:\WINDOWS\System32\56.tmp deleted successfully.
C:\WINDOWS\System32\57.tmp deleted successfully.
C:\WINDOWS\System32\58.tmp deleted successfully.
C:\WINDOWS\System32\59.tmp deleted successfully.
C:\WINDOWS\System32\5A.tmp deleted successfully.
C:\WINDOWS\System32\5B.tmp deleted successfully.
C:\WINDOWS\System32\5C.tmp deleted successfully.
C:\WINDOWS\System32\5D.tmp deleted successfully.
C:\WINDOWS\System32\5E.tmp deleted successfully.
C:\WINDOWS\System32\5F.tmp deleted successfully.
C:\WINDOWS\System32\6.tmp deleted successfully.
C:\WINDOWS\System32\60.tmp deleted successfully.
C:\WINDOWS\System32\61.tmp deleted successfully.
C:\WINDOWS\System32\62.tmp deleted successfully.
C:\WINDOWS\System32\63.tmp deleted successfully.
C:\WINDOWS\System32\64.tmp deleted successfully.
C:\WINDOWS\System32\65.tmp deleted successfully.
C:\WINDOWS\System32\66.tmp deleted successfully.
C:\WINDOWS\System32\67.tmp deleted successfully.
C:\WINDOWS\System32\68.tmp deleted successfully.
C:\WINDOWS\System32\69.tmp deleted successfully.
C:\WINDOWS\System32\6A.tmp deleted successfully.
C:\WINDOWS\System32\6B.tmp deleted successfully.
C:\WINDOWS\System32\6C.tmp deleted successfully.
C:\WINDOWS\System32\6D.tmp deleted successfully.
C:\WINDOWS\System32\6E.tmp deleted successfully.
C:\WINDOWS\System32\6F.tmp deleted successfully.
C:\WINDOWS\System32\7.tmp deleted successfully.
C:\WINDOWS\System32\70.tmp deleted successfully.
C:\WINDOWS\System32\71.tmp deleted successfully.
C:\WINDOWS\System32\72.tmp deleted successfully.
C:\WINDOWS\System32\73.tmp deleted successfully.
C:\WINDOWS\System32\74.tmp deleted successfully.
C:\WINDOWS\System32\75.tmp deleted successfully.
C:\WINDOWS\System32\76.tmp deleted successfully.
C:\WINDOWS\System32\77.tmp deleted successfully.
C:\WINDOWS\System32\78.tmp deleted successfully.
C:\WINDOWS\System32\79.tmp deleted successfully.
C:\WINDOWS\System32\7A.tmp deleted successfully.
C:\WINDOWS\System32\7B.tmp deleted successfully.
C:\WINDOWS\System32\7C.tmp deleted successfully.
C:\WINDOWS\System32\7D.tmp deleted successfully.
C:\WINDOWS\System32\8.tmp deleted successfully.
C:\WINDOWS\System32\81.tmp deleted successfully.
C:\WINDOWS\System32\9.tmp deleted successfully.
C:\WINDOWS\System32\A.tmp deleted successfully.
C:\WINDOWS\System32\B.tmp deleted successfully.
C:\WINDOWS\System32\B0.tmp deleted successfully.
C:\WINDOWS\System32\C.tmp deleted successfully.
C:\WINDOWS\System32\C4.tmp deleted successfully.
C:\WINDOWS\System32\CONFIG.TMP deleted successfully.
C:\WINDOWS\System32\D.tmp deleted successfully.
C:\WINDOWS\System32\D4.tmp deleted successfully.
C:\WINDOWS\System32\D8.tmp deleted successfully.
C:\WINDOWS\System32\DA.tmp deleted successfully.
C:\WINDOWS\System32\DC.tmp deleted successfully.
C:\WINDOWS\System32\DE.tmp deleted successfully.
C:\WINDOWS\System32\E.tmp deleted successfully.
C:\WINDOWS\System32\E9.tmp deleted successfully.
C:\WINDOWS\System32\F.tmp deleted successfully.
C:\WINDOWS\System32\F1.tmp deleted successfully.
C:\WINDOWS\System32\SET1DA.tmp deleted successfully.
C:\WINDOWS\System32\SET1DE.tmp deleted successfully.
C:\WINDOWS\System32\SET1E6.tmp deleted successfully.
C:\WINDOWS\System32\_r_a_p_.tmp deleted successfully.
C:\WINDOWS\system32\boguyepe moved successfully.
C:\WINDOWS\system32\capesnp.dll moved successfully.
C:\WINDOWS\system32\drivers\rxerxtaprmdmdeqx.sys moved successfully.
File C:\WINDOWS\System32\drivers\protect.sys not found.
C:\WINDOWS\system32\MRT.INI moved successfully.
C:\WINDOWS\system32\hugewejo.dll moved successfully.
C:\WINDOWS\system32\muzaloda.dll moved successfully.
C:\WINDOWS\system32\malufige.dll moved successfully.
C:\WINDOWS\system32\kebajupa.dll moved successfully.
C:\WINDOWS\system32\wekedahu.dll moved successfully.
C:\WINDOWS\system32\kavanaga.dll moved successfully.
C:\WINDOWS\system32\vazipuve.dll moved successfully.
C:\WINDOWS\system32\zimusure.dll moved successfully.
C:\WINDOWS\system32\pivumuwe.dll moved successfully.
C:\WINDOWS\system32\bedoyoso.dll moved successfully.
C:\WINDOWS\system32\bonafefa.dll moved successfully.
C:\WINDOWS\system32\dohakopo.dll moved successfully.
C:\WINDOWS\system32\galaloko.dll moved successfully.
C:\WINDOWS\system32\talewagi.dll moved successfully.
C:\WINDOWS\system32\tafayamo.dll moved successfully.
C:\WINDOWS\system32\fayohiyo.dll moved successfully.
C:\WINDOWS\system32\ribogazu.dll moved successfully.
C:\WINDOWS\system32\mutamufe.dll moved successfully.
C:\WINDOWS\system32\sojeseko.dll moved successfully.
C:\WINDOWS\system32\relebopi.dll moved successfully.
C:\WINDOWS\system32\nigatali.dll moved successfully.
C:\WINDOWS\system32\kitujefo.dll moved successfully.
C:\WINDOWS\system32\nijopido.dll moved successfully.
C:\WINDOWS\system32\fatopoze.dll moved successfully.
C:\WINDOWS\system32\mipibote.dll moved successfully.
C:\WINDOWS\system32\saneneje.dll moved successfully.
C:\WINDOWS\system32\ludizibi.dll moved successfully.
File C:\WINDOWS\System32\royomuya.dll not found.
File C:\WINDOWS\System32\kuvudidi.dll not found.
File C:\WINDOWS\System32\fosopoku.dll not found.
C:\WINDOWS\system32\kurutudo.dll moved successfully.
C:\WINDOWS\system32\lusonige.dll moved successfully.
C:\WINDOWS\system32\jotofuza.dll moved successfully.
C:\WINDOWS\system32\kehitulo.dll moved successfully.
C:\WINDOWS\system32\bodizeya.dll moved successfully.
C:\WINDOWS\system32\wiadllcra.dll moved successfully.
C:\WINDOWS\system32\exeripand.dll moved successfully.
C:\WINDOWS\system32\loapiaras.dll moved successfully.
C:\WINDOWS\system32\giripjeand.dll moved successfully.
C:\WINDOWS\system32\lopevapi.dll moved successfully.
C:\WINDOWS\system32\pocodllet.dll moved successfully.
C:\WINDOWS\system32\bcranig.dll moved successfully.
C:\WINDOWS\system32\32jeexje.dll moved successfully.
C:\WINDOWS\system32\lowdopo.dll moved successfully.
File C:\Documents and Settings\Peeper\Application Data\pridl\pridl.exe not found.
Unable to set value : HKU\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\Main\\Start Page| /E!
========== FILES ==========
C:\Documents and Settings\Peeper\Application Data\pridl folder moved successfully.
========== REGISTRY ==========
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa\\"Notification Packages"|hex(7):73,63,65,63,6c,69,00,00 /E : value set successfully!
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders\\"SecurityProviders"|"msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll" /E : value set successfully!
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\\FirstRunDisabled deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\\UpdatesDisableNotify deleted successfully.
========== COMMANDS ==========
Error starting restore point: 31
Error closing restore point: The sequence number is invalid.
C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 1999120 bytes
->Temporary Internet Files folder emptied: 105868140 bytes
->FireFox cache emptied: 31207807 bytes

User: All Users

User: Compaq_Owner
->Temp folder emptied: 68736373 bytes
->Temporary Internet Files folder emptied: 45481373 bytes
->Java cache emptied: 138293 bytes
->FireFox cache emptied: 12325897 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32768 bytes

User: LocalService
->Temp folder emptied: 65984 bytes
->Temporary Internet Files folder emptied: 303995322 bytes

User: NetworkService
->Temp folder emptied: 66016 bytes
->Temporary Internet Files folder emptied: 89352937 bytes

User: Peeper
->Temp folder emptied: 446217792 bytes
->Temporary Internet Files folder emptied: 762096643 bytes
->Java cache emptied: 10439 bytes
->FireFox cache emptied: 55299386 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
Windows Temp folder emptied: 19349366 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 201188 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 1,852.00 mb


OTL by OldTimer - Version 3.1.20.2 log created on 01032010_203948

Files\Folders moved on Reboot...
File move failed. E:\BANDLINK\BLAUNCH.EXE scheduled to be moved on reboot.
File\Folder C:\Documents and Settings\Peeper\Local Settings\Temp\Temporary Internet Files\Content.IE5\U24CBZO3\;kt=K;ko=p;kpid=6;afc=1;kga=-1;k1=rock;u=BKj_tK36Gf0%7C6;kgg=-1;kcr=us;shortform=1;khd=0;dc_dedup=1;kpu=universalmusicgroup;pos=pre;dc_seed=217345184;tile=1;ord=654555541[1].htm not found!
File\Folder C:\Documents and Settings\Peeper\Local Settings\Temp\Temporary Internet Files\Content.IE5\U24CBZO3\music_alternativepunkmetal;sz=300x250;klg=en;kt=K;kga=-1;kr=F;kw=bloodhound+gang;kgg=-1;kcr=us;dc_dedup=1;kmyd=ad_creative_1;tile=1;dcopt=ist;ord=2017815374556790[1].5 not found!
File\Folder C:\Documents and Settings\Peeper\Local Settings\Temp\Temporary Internet Files\Content.IE5\LT520KOZ\activity;src=1543506;met=1;v=1;pid=19150788;aid=217345184;ko=1;cid=33380029;rid=33397907;rv=1;&timestamp=1253497137250;eid1=12;ecn1=1;etm1=4;eid2=11;ecn2=1;etm2=0;[1].gif not found!
File\Folder C:\Documents and Settings\Peeper\Local Settings\Temp\Temporary Internet Files\Content.IE5\LT520KOZ\b=1;kr=F;kt=K;ko=p;kpid=6;afc=1;kga=-1;k1=rock;u=BKj_tK36Gf0%7C6;kgg=-1;kcr=us;shortform=1;khd=0;dc_dedup=1;kpu=universalmusicgroup;dc_seed=217345184;tile=1;ord=548930217[1].asx not found!
File\Folder C:\Documents and Settings\Peeper\Local Settings\Temp\Temporary Internet Files\Content.IE5\LT520KOZ\videogames;sz=300x250;klg=en;kt=K;kga=-1;kr=F;kw=gta4+swingset+of+death+location;kgg=-1;kcr=us;dc_dedup=1;kmyd=ad_creative_1;tile=1;dcopt=ist;ord=7920008367336888[1] not found!
File\Folder C:\Documents and Settings\Peeper\Local Settings\Temp\Temporary Internet Files\Content.IE5\GNWXERWJ\activity;src=1543506;met=1;v=1;pid=19150788;aid=217345184;ko=1;cid=33380029;rid=33397907;rv=1;&timestamp=1253497149687;eid1=13;ecn1=1;etm1=0;eid3=12;ecn3=0;etm3=4;[1].gif not found!
File\Folder C:\Documents and Settings\Peeper\Local Settings\Temp\Temporary Internet Files\Content.IE5\GNWXERWJ\videogames;sz=300x250;klg=en;kt=K;kga=-1;kr=F;kw=gta4+swingset+of+death+location;kgg=-1;kcr=us;dc_dedup=1;kmyd=ad_creative_1;tile=1;dcopt=ist;ord=852183532148316[1].7 not found!
File\Folder C:\Documents and Settings\Peeper\Local Settings\Temp\Temporary Internet Files\Content.IE5\GNWXERWJ\_tK36Gf0;ctb=1;kr=F;kt=K;ko=p;kpid=6;afc=1;kga=-1;k1=rock;u=BKj_tK36Gf0%7C6;kgg=-1;kcr=us;shortform=1;khd=0;dc_dedup=1;kpu=universalmusicgroup;pos=pre;tile=1;ord=66739178[1].asx not found!
File\Folder C:\Documents and Settings\Peeper\Local Settings\Temp\Temporary Internet Files\Content.IE5\BZCHD60J\videogames;sz=300x250;klg=en;kt=K;kga=-1;kr=F;kw=gta4+swingset+of+death+location;kgg=-1;kcr=us;dc_dedup=1;kmyd=ad_creative_1;tile=1;dcopt=ist;ord=7773241547589715[1] not found!
File move failed. C:\WINDOWS\temp\logishrd\LVPrcInj01.dll scheduled to be moved on reboot.

Registry entries deleted on Reboot...

Edited by Monkeyb00y, 03 January 2010 - 11:03 PM.


#12 thcbytes

thcbytes

  • Malware Response Team
  • 14,790 posts
  • Gender:Male

Posted 04 January 2010 - 10:21 AM

Good job. :(

We need to immunize that flash drive. Hopefully you have not transferred the infection by way of the flash drive to another computer.

Please download Flash_Disinfector.exe by sUBs and save it to your desktop.
  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives. Please do so and allow the utility to clean up those drives as well.
  • Hold down the Shift key when inserting the drive until Windows detects it to keep autorun.inf from executing if it is present.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.
Note: As part of its routine, Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive that was plugged in when you ran it. Do not delete this folder...it will help protect your drives from future infection by keeping the autorun file from being installed on the root drive and running other malicious files.

==========

Re-run RKill

==========

Right click and delete any copies of Combofix you might have.

==========

Do this assuming you have a functional internet connection. If you do not then stop and tell me about it.

Download and Run ComboFix (by sUBs)

You must rename it before saving it.

Please download ComboFix from one of these locations:

Link 1
Link 2

Save thcbytes.exe to your Desktop <-- Important!!!
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Please refer to this link for instructions.

  • Double click on thcbytes.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

(screenshot not reproduced)

Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own.
This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper.


==========

With your next post please provide:

* Combofix.txt

Kind regards,
~t
Proud member - Unified Network of Instructors and Trained Eliminators

I do not accept personal donations for assistance provided. I would ask that you instead consider donating the greatest gift - Organ Donation. Your organs are of no use to you when you're gone. You will save a life that would otherwise be lost!

http://donatelife.net/register-now/
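The immunization step above relies on a folder named autorun.inf blocking a malicious file of the same name. As an added example that is not part of the original thread or of Flash_Disinfector, this Python script triages a drive root the way a helper would: it tells the protective folder apart from a real autorun.inf file and, for a file, reports the [autorun] keys that would launch a program. The drive roots and the sample autorun.inf are constructed in a temporary directory, and the program paths in the sample are placeholders.

```python
import configparser
import os
import tempfile

AUTORUN_NAME = "autorun.inf"
# [autorun] keys that make Windows launch a program when the drive is inserted
LAUNCH_KEYS = ("open", "shellexecute")


def classify_autorun(drive_root):
    """Triage <drive_root>/autorun.inf: 'absent', 'immunized' (a protective
    folder, as Flash_Disinfector creates) or 'file' plus any launch keys."""
    path = os.path.join(drive_root, AUTORUN_NAME)
    if not os.path.lexists(path):
        return {"state": "absent", "launch": {}}
    if os.path.isdir(path):
        # A folder of that name prevents a file of the same name being
        # created in the drive root, which is the point of the immunization.
        return {"state": "immunized", "launch": {}}
    parser = configparser.ConfigParser(interpolation=None, strict=False,
                                       allow_no_value=True)
    try:
        with open(path, encoding="utf-8", errors="replace") as fh:
            parser.read_file(fh)
    except configparser.Error:
        # A malformed or obfuscated autorun.inf is itself worth reporting
        return {"state": "file", "launch": {}, "parse_error": True}
    launch = {}
    for section in parser.sections():          # may be written as [AutoRun]
        if section.lower() != "autorun":
            continue
        for key in LAUNCH_KEYS:
            if parser.has_option(section, key):
                launch[key] = parser.get(section, key)
    return {"state": "file", "launch": launch, "parse_error": False}


def demo():
    """Build three constructed drive roots in a temp dir and triage each."""
    with tempfile.TemporaryDirectory() as base:
        roots = {n: os.path.join(base, n) for n in ("clean", "immunized", "suspect")}
        os.makedirs(roots["clean"])
        os.makedirs(os.path.join(roots["immunized"], AUTORUN_NAME))  # folder
        os.makedirs(roots["suspect"])
        # Constructed sample in the usual worm layout; the paths are placeholders
        with open(os.path.join(roots["suspect"], AUTORUN_NAME), "w") as fh:
            fh.write("[AutoRun]\r\nopen=RECYCLER\\launch.exe\r\n"
                     "shellexecute=RECYCLER\\launch.exe\r\nicon=shell32.dll,4\r\n")
        return {name: classify_autorun(root) for name, root in roots.items()}
```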

#13 Monkeyb00y

Monkeyb00y
  • Topic Starter

  • Members
  • 75 posts
  • Gender:Male
  • Location:Behind my eyes...

Posted 04 January 2010 - 08:24 PM

T,

Rkill will run, but ComboFix will not work on the computer. The screenshot I've attached pops up after I try to install it in normal & safe mode. PLUS Link 1 that you have, which is NOT the bleepingcomputer.com link, doesn't work. I've tried it on the computer after connecting it to the internet to download directly but it won't work. I try to transfer it over via the jump drive (that is now disinfected, thanks by the way :( ) but it does not work either. Same pop-up. Hopefully we can get it to work. :(

Thanks again,
-Monkeyb00y

Attached Files


Edited by Monkeyb00y, 04 January 2010 - 08:24 PM.


#14 thcbytes

thcbytes

  • Malware Response Team
  • 14,790 posts
  • Gender:Male

Posted 04 January 2010 - 10:02 PM

Yikes! :(

Thanks for the screenshot. Hopefully a false alarm. I really hope it is not Virut! Much more info to follow if that is what you're infected with!

Let's upload some system files and see.

Do this please.......

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Please click this link-->Jotti

When the jotti page has finished loading, click the browse button and navigate to the files listed below in bold, then click Submit. You will only be able to have one file scanned at a time.

C:\Windows\Explorer.exe
C:\Windows\system32\userinit.exe
C:\Windows\system32\winlogon.exe
C:\Windows\system32\services.exe

Please post back the results of the scan in your next post.

If Jotti is busy, try the same at Virustotal

==========

Next....

Before we start fixing anything you should print out these instructions or copy them to a NotePad file so they will be accessible. Some steps will require you to disconnect from the Internet or use Safe Mode and you will not have access to this page.

Please download DrWeb-CureIt and save it to your desktop. DO NOT perform a scan yet.

Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with Dr.Web CureIt as follows:
  • Double-click on launch.exe to open the program and click Start. (There is no need to update if you just downloaded the most current version.)
  • Read the Virus check by DrWeb scanner prompt and click Ok where asked to Start scan now? Allow the setup.exe to load if asked by any of your security programs.
  • The Express scan will automatically begin.
    (This is a short scan of files currently running in memory, boot sectors, and targeted folders).
  • If prompted to download the Full version Free Trial, ignore and click the X to close the window.
  • If an infected object is found, you will be prompted to move anything that cannot be cured. Click Yes to All.
  • When complete, click Select All, then choose Cure > Move incurable.
    (This will move any detected files to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if they can't be cured)
  • Now put a check next to Complete scan to scan all local disks and removable media.
  • In the top menu, click Settings > Change settings, and UNcheck "Heuristic analysis" under the "Scanning" tab, then click Ok.
  • Back at the main window, click the green arrow "Start Scanning" button on the right under the Dr.Web logo.
  • When the scan is complete, a message will be displayed at the bottom indicating if any viruses were found.
  • Click "Yes to all" if asked to cure or move the file(s) and select "Move incurable".
  • In the top menu, click file and choose save report list.
  • Save the DrWeb.csv report to your desktop.
  • Exit Dr.Web Cureit when done.
  • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.csv report)
==========

With your next post please provide:

* Upload results
* DrWeb log

Kind regards,
~t

#15 Monkeyb00y

Monkeyb00y
  • Topic Starter

  • Members
  • 75 posts
  • Gender:Male
  • Location:Behind my eyes...

Posted 05 January 2010 - 01:28 AM

T,
I was able to "Show all hidden files."
But Jotti or VirusTotal links will not work. I've tried on Firefox & IE 8 but still not able to load them. I think they are being blocked by the virus. :( Let me know if I need to proceed with a different option or keep moving to DrWeb.
Thanks again,
Monkeyb00y



