I want to get rid of the infection on my computer, need help please


  • This topic is locked
24 replies to this topic

#1 fuzzyfishy

fuzzyfishy

  • Members
  • 57 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Local time:12:49 PM

Posted 07 January 2010 - 04:51 PM

I am quite sure I have some virus, trojan, infection, rootkit, etc. thing on my computer. I am also pretty sure I got it from downloading bitComet (biggest mistake ever!) a few months ago (if that matters). I have since deleted bitComet from the computer, and used various scans, etc. to remove respawned viruses, trojans, etc. but the original infection never gets removed. Yesterday, yet again, a respawned virus popped on my computer. I restarted the computer and tried to run Microsoft Security Essentials (the only anti-malware I had installed on the computer at the time) to get rid of the trojan thing, but MSE would not open (I am guessing that was due to something the infection did). Trying to get MSE to run, I uninstalled it, downloaded it again and attempted to reinstall it. Unfortunately now I cannot get MSE to install.
Some other indications of the infection, virus, trojan, etc. on my computer are:
Just like this person, a bunch of websites are showing up in my history (including those two specifically, networkreferences.cn and webphenomenon.cn) but I never clicked on any of those sites, and every so often audio plays in the background even though I have no player running (usually they are commercials).

I really want to get rid of the original infection on my computer (not just the respawned stuff that shows up periodically). I am great at following directions, the more detailed the better. So please, I'll take all the help or advice I can get.

Thank you :thumbsup:


#2 fuzzyfishy

Posted 09 January 2010 - 05:47 PM

Another sign of the infection on my computer is that in the past couple of days a lot of sites I try going to will not load, and after a minute or so the entire window/browser closes (both Firefox and IE). Usually I am trying to go to microsoft.com or yahoo.com, but it is happening more and more often today. It took me quite a few tries to just get onto this page. :thumbsup:

I forgot to mention that I have Windows XP Media Center Edition Version 2002 Service Pack 3.

I would really appreciate if someone will lead me through on how to get rid of this virus. It seems to be getting worse and worse.

Please, I would love any help. Thank you :flowers:

#3 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,404 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:12:49 PM

Posted 09 January 2010 - 09:15 PM

Hello and welcome. Let's try to get an MBAM and SAS log.

First run RKill....

Please download Rkill by Grinler and save it to your desktop. (Alternate downloads: Link 2, Link 3, Link 4)
  • Double-click on the Rkill desktop icon to run the tool.
  • If using Vista, right-click on it and Run As Administrator.
  • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
  • If not, delete the file, then download and use the one provided in Link 2.
  • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
  • If the tool does not run from any of the links provided, please let me know.
You will need to run the application again if rebooting the computer occurs along the way.



Next run MBAM (MalwareBytes):

NOTE: Before saving MBAM please rename it to zztoy.exe....now save it to your desktop.

Please download Malwarebytes Anti-Malware and save it to your desktop.

alternate download link

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.


Next run ATF and SAS: If you cannot access Safe Mode, run in normal mode, but let me know.

Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

From your regular user account..
Download Attribune's ATF Cleaner and then SUPERAntiSpyware, Free Home Version. Save both to desktop.
DO NOT run yet.
Open SUPER from icon and install and Update it
Under Scanner Options make sure the following are checked (leave all others unchecked):
  • Close browsers before scanning.
  • Scan for tracking cookies.
  • Terminate memory threats before quarantining.
Click the "Close" button to leave the control center screen and exit the program. DO NOT run yet.

Now reboot into Safe Mode: How to enter safe mode(XP)
Using the F8 Method
Restart your computer.
When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
Select the option for Safe Mode using the arrow keys.
Then press enter on your keyboard to boot into Safe Mode.

Double-click ATF-Cleaner.exe to run the program.
Under Main "Select Files to Delete" choose: Select All.
Click the Empty Selected button.

If you use Firefox or Opera browser click that browser at the top and choose: Select All
Click the Empty Selected button.
If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

NOW Scan with SUPER
Open from the desktop icon or the program Files list
On the left, make sure you check C:\Fixed Drive.
Perform a Complete scan. After the scan, verify they are all checked.
Click OK on the summary screen to quarantine all found items.
If asked if you want to reboot, click "Yes" and reboot normally.

To retrieve the removal information after reboot, launch SUPERAntispyware again.
Click Preferences, then click the Statistics/Logs tab.
Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
If there are several logs, click the current dated log and press View log.
A text file will open in your default text editor.
Please copy and paste the Scan Log results in your next reply.
Click Close to exit the program.


Please ask any needed questions, post logs and let us know how the PC is running now.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#4 fuzzyfishy

Posted 14 January 2010 - 04:34 PM

Hi,

Thank you so much for replying to me. :D
I am very, very sorry I took so long to reply. It seems like every time I turn the computer on now some strange new thing is happening, and it is very depressing for me.
Now when I click on internet explorer, it opens up and redirects automatically from www.google.com to htXXp://desktop-antivirus.microsoft.com/block.php?r=59.6, so I can't seem to use IE now. So now I am using Firefox.

I downloaded and used Rkill. I then downloaded and installed MBAM, but when I clicked on it to quick scan the program scanned for a few seconds and suddenly closed. I think the virus caused it to close, because that has happened with other programs lately (they close unexpectedly).
I tried clicking on the MBAM icon after it closed, but each time I do, a thing pops up that reads:
Missing Shortcut
Windows is searching for mbam.exe. To locate the file yourself, click Browse.

I hope this is fixable. What should I do now?

Again, I apologize for the long delay in replying, and I will check this page as often as I can now. I really, really, really want this infection out of my computer.

Thank you for your time, help, and expertise. :thumbsup:


Disabled link~~boopme

Edited by boopme, 14 January 2010 - 09:53 PM.


#5 boopme

Posted 14 January 2010 - 09:57 PM

OK, now that both are installed, reboot. As soon as the desktop is there, run Rkill then immediately run MBAM. Yes, we are trying to beat the malware from loading and stopping us.
If still no luck, try from safe mode.

Is this XP?
How to enter safe mode(XP)
Using the F8 Method
Restart your computer.
When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
Select the option for Safe Mode using the arrow keys.
Then press enter on your keyboard to boot into Safe Mode.

#6 fuzzyfishy

Posted 15 January 2010 - 01:11 AM

Yes, this is Windows XP Media Center Edition Version 2002 Service Pack 3.

Ok, I clicked on Rkill immediately after restarting the computer, and the black DOS box appeared with the text

Terminating known malware processes.
Please be patient.

and it was on screen for about 30 seconds, and then the screen cleared for about a second of everything (the black DOS box, all the desktop icons and taskbar, etc.) except my wallpaper, but everything came right back after about a second except the DOS box.

Then I immediately clicked on MBAM, but the 'Missing Shortcut' thing still came up and MBAM would not open.
I tried this a few times, to be sure, but it was the same result.

(Does that mean Rkill did work and another reason caused MBAM to not run, or did Rkill not work/complete because of the malware? I was just curious.)

I wish it had worked. :thumbsup:


More bad news; I tried using safe mode, but this is what happened:
After pressing F8 a few times and getting the option screen, I selected Safe Mode and pressed enter, and then selected 'Windows XP Media Center Edition' and pressed enter, then the screen filled with rows of this text:

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS\System32\Driver...

(each row of text ends differently, and it is only on my screen for a split second, so I tried to copy it as best I could, but some of it might not be exactly right). This screen lasts for less than a second, and then the computer seems to reboot automatically.
Then the screen reads:

We apologize for the inconvenience but Windows did not start successfully.

(it says some other stuff, but I did not write it all down, but I can if you want me to)
and the screen gives these options to choose from:
Safe Mode
Safe Mode with Networking
Safe Mode with Command Prompt
Start Windows Normally
Last Known Good Configuration
I then selected 'Safe Mode', but the exact same thing happens over again, to where it takes me back to that same screen ('We apologize for the inconvenience...'). After multiple tries, I finally had to select 'Start Windows Normally' so that I could get out of the cycle.

Have you come across that before?

I wish I could have good news for once. :flowers:

#7 fuzzyfishy

Posted 16 January 2010 - 03:11 AM

MBAM finally opened and scanned my computer. :thumbsup:
I got IE to work by changing the LAN settings proxy server thing. Then I was able to run Windows Live OneCare safety scanner, which found and removed a few things. I typed those down in case it would help any (but since I couldn't copy and paste from the results window, there might be a typo somewhere)
  • Trojan:Win32/Vundo.gen!G
  • c:\windows\system32\hosopovo.dll
  • Trojan:Win32/Alureon.DA
  • Trojan:Win32/Vundo.FA
  • Trojan:Win32/Vundo.MD
  • Trojan:Win32/Vundo.gen!G
  • VirTool:WinNT/Emold.C
  • Worm:Win32/Vundo.B
  • Trojan:Win32/FakeSpypro
After that (and possibly a restart; it's so late I can't quite remember), I clicked on Rkill and MBAM, but the same thing happened as last time (in my previous post). Then I tried reinstalling MBAM. After it installed, it opened up and scanned my computer!
The computer restarted, and I wanted to make sure MBAM would continue to work so I opened it and scanned the computer again, so here are both logs:

Malwarebytes' Anti-Malware 1.44
Database version: 3574
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

1/16/2010 1:59:32 AM
mbam-log-2010-01-16 (01-59-32).txt

Scan type: Quick Scan
Objects scanned: 123655
Time elapsed: 5 minute(s), 27 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 2
Registry Keys Infected: 3
Registry Values Infected: 4
Registry Data Items Infected: 4
Folders Infected: 0
Files Infected: 10

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
c:\WINDOWS\system32\yuzohiku.dll (Trojan.Vundo.H) -> Delete on reboot.
\\?\globalroot\systemroot\system32\H8SRTberxlyavhk.dll (Trojan.Vundo) -> Delete on reboot.

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{9e372e72-9259-42b4-b22e-ce3551908442} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Malware Defense (Rogue.MalwareDefense) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\AvScan (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yetijeser (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{9e372e72-9259-42b4-b22e-ce3551908442} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\jupimisun (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xeadmjnt (Trojan.FakeAlert.N) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: c:\windows\system32\yuzohiku.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: system32\yuzohiku.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Hijack.Shell) -> Bad: (Explorer.exe logon.exe) Good: (Explorer.exe) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\fefiweta.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\hetuyevo.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\hosopovo.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\topupabe.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\yijazowi.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\yuzohiku.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\zawomebe.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
\\?\globalroot\systemroot\system32\H8SRTberxlyavhk.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Local Settings\Temp\WORo.dll (Rootkit.MBR) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\krl32mainweq.dll (Trojan.DNSChanger) -> Quarantined and deleted successfully.



Malwarebytes' Anti-Malware 1.44
Database version: 3574
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

1/16/2010 2:09:35 AM
mbam-log-2010-01-16 (02-09-35).txt

Scan type: Quick Scan
Objects scanned: 123148
Time elapsed: 6 minute(s), 40 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 7

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\h8srtd.sys (Rootkit.TDSS) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\H8SRTjgdqeaoyoy.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\H8SRTuocnpsoqmn.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\H8SRTxjtweduaoi.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\H8SRTowpjenbaru.sys (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Local Settings\Temp\H8SRT22dd.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\h8srtkrl32mainweq.dll (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\H8SRToctqituwpv.dat (Rootkit.TDSS) -> Quarantined and deleted successfully.



I am about to fall asleep, so I will try the next steps tomorrow. Will that be a problem?
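
The two MBAM logs in the post above are easier to act on once each line is split into object, detection and action. The following Python is an added example, not part of the original thread and not Malwarebytes' own tooling: it parses an excerpt of the first log, lists objects still waiting on "Delete on reboot", and groups the registry detections by the autostart location they occupied. The function names and the marker table are assumptions made for illustration.

```python
import re
from collections import Counter

# Excerpt of the first MBAM 1.44 log from the post above (lines copied from the page).
SAMPLE_LOG = r"""
Memory Modules Infected:
c:\WINDOWS\system32\yuzohiku.dll (Trojan.Vundo.H) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Malware Defense (Rogue.MalwareDefense) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yetijeser (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{9e372e72-9259-42b4-b22e-ce3551908442} (Trojan.Vundo.H) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: c:\windows\system32\yuzohiku.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Hijack.Shell) -> Bad: (Explorer.exe logon.exe) Good: (Explorer.exe) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\yuzohiku.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\Documents and Settings\HP_Administrator\Local Settings\Temp\WORo.dll (Rootkit.MBR) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\krl32mainweq.dll (Trojan.DNSChanger) -> Quarantined and deleted successfully.
"""

# "Registry Keys Infected:" opens a section; "Registry Keys Infected: 3" is a summary count.
SECTION_RE = re.compile(r"^(?P<section>[A-Za-z ]+) Infected:$")
# <object> (<detection name>) -> [<detail> -> ]<action>
ITEM_RE = re.compile(r"^(?P<object>.+?) \((?P<detection>[\w.!\-]+)\) -> (?P<rest>.+)$")

# Autostart locations that appear in the logs on this page (lower-case substrings).
AUTOSTART_MARKERS = [
    (r"\currentversion\run", "Run key"),
    (r"\windows\appinit_dlls", "AppInit_DLLs"),
    (r"\winlogon\shell", "Winlogon Shell"),
    (r"\explorer\sharedtaskscheduler", "SharedTaskScheduler"),
    (r"\shellserviceobjectdelayload", "ShellServiceObjectDelayLoad"),
    (r"\currentcontrolset\services", "Service or driver"),
]


def parse_mbam_log(text):
    """Return one dict per detection line: section, object, detection, detail, action."""
    items, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        header = SECTION_RE.match(line)
        if header:
            section = header.group("section")
            continue
        match = ITEM_RE.match(line)
        if not (match and section):
            continue  # blank lines, summary counts, "(No malicious items detected)"
        # The action is the text after the last arrow; anything before it is detail.
        detail, _, action = match.group("rest").rpartition(" -> ")
        items.append({
            "section": section,
            "object": match.group("object"),
            "detection": match.group("detection"),
            "detail": detail,
            "action": action.rstrip("."),
        })
    return items


def triage(items):
    """Summarise what still needs a reboot and which autostart points were hit."""
    pending = sorted({i["object"].lower() for i in items
                      if "reboot" in i["action"].lower()})
    autostarts = []
    for i in items:
        if not i["section"].startswith("Registry"):
            continue
        path = i["object"].lower()
        for marker, label in AUTOSTART_MARKERS:
            if marker in path:
                autostarts.append((label, i["detection"], i["detail"]))
                break
    families = Counter(i["detection"] for i in items)
    return {"pending_reboot": pending, "autostarts": autostarts, "families": families}


if __name__ == "__main__":
    report = triage(parse_mbam_log(SAMPLE_LOG))
    print("Still loaded until reboot:", report["pending_reboot"])
    for label, detection, detail in report["autostarts"]:
        print(f"{label:22} {detection:18} {detail}")
    print("Detections by name:", dict(report["families"]))
```

An object listed under `pending_reboot` is still mapped in memory, which is why the second scan after the restart is the one that shows whether the removal held.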

#8 boopme

Posted 16 January 2010 - 10:51 AM

No, not at all. You have a few nasty infections that will require some time and work.
Yes, do ATF and SAS.
Also run GMER.

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.
  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and be sure to re-enable your anti-virus, Firewall and any other security programs you had disabled.
-- If you encounter any problems, try running GMER in safe mode.
-- If GMER crashes or keeps resulting in BSODs, uncheck Devices on the right side before scanning.

#9 fuzzyfishy

Posted 16 January 2010 - 07:14 PM

I could not run the computer in safe mode. The same thing happened as before:

I tried using safe mode, but this is what happened:
After pressing F8 a few times and getting the option screen, I selected Safe Mode and pressed enter, and then selected 'Windows XP Media Center Edition' and pressed enter, then the screen filled with rows of this text:

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS\System32\Driver...

(each row of text ends differently, and it is only on my screen for a split second, so I tried to copy it as best I could, but some of it might not be exactly right). This screen lasts for less than a second, and then the computer seems to reboot automatically.
Then the screen reads:

We apologize for the inconvenience but Windows did not start successfully.

(it says some other stuff, but I did not write it all down, but I can if you want me to)
and the screen gives these options to choose from:
Safe Mode
Safe Mode with Networking
Safe Mode with Command Prompt
Start Windows Normally
Last Known Good Configuration
I then selected 'Safe Mode', but the exact same thing happens over again, to where it takes me back to that same screen ('We apologize for the inconvenience...'). After multiple tries, I finally had to select 'Start Windows Normally' so that I could get out of the cycle.

So in normal mode I ran ATF and SAS and GMER.

Here is the SAS log:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 01/16/2010 at 01:05 PM

Application Version : 4.33.1000

Core Rules Database Version : 4484
Trace Rules Database Version: 2302

Scan type : Complete Scan
Total Scan Time : 01:29:48

Memory items scanned : 485
Memory threats detected : 0
Registry items scanned : 6324
Registry threats detected : 38
File items scanned : 173321
File threats detected : 22

Trojan.Agent/Gen
HKLM\SOFTWARE\AvScan

Trojan.Agent/Gen-FakeSpy[Broad-1]
C:\DOCUMENTS AND SETTINGS\HP_ADMINISTRATOR\LOCAL SETTINGS\APPLICATION DATA\LRLELP\PDOJSYSGUARD.EXE

Adware.Tracking Cookie


Here is the GMER.log

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-01-16 18:54:13
Windows 5.1.2600 Service Pack 3
Running: bp9v5f5o.exe; Driver: C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\kwxyafod.sys


---- System - GMER 1.0.15 ----

SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0xAAA3C0B0]

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 arkbcfltr.sys (Microsoft AR PS/2 Keyboard Filter Driver (Beta 2 Release 2)/Microsoft Corporation)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 arkbcfltr.sys (Microsoft AR PS/2 Keyboard Filter Driver (Beta 2 Release 2)/Microsoft Corporation)

---- Files - GMER 1.0.15 ----

File C:\Documents and Settings\HP_Administrator\My Documents\desktop stuff\chrolli\Webpages and Pics, etc\The GAYS Of DAYTIME- The Message Board - Wild Speculation - Verbotene Liebegh5hr5thtrt_files\The GAYS Of DAYTIME- The Message Board - Wild Speculation - Verbotene Liebehj515j1yt_files\search.gif 1089 bytes
File C:\Documents and Settings\HP_Administrator\My Documents\desktop stuff\chrolli\Webpages and Pics, etc\The GAYS Of DAYTIME- The Message Board - Wild Speculation - Verbotene Liebegh5hr5thtrt_files\The GAYS Of DAYTIME- The Message Board - Wild Speculation - Verbotene Liebehj515j1yt_files\search2.gif 1089 bytes
File C:\Documents and Settings\HP_Administrator\My Documents\desktop stuff\chrolli\Webpages and Pics, etc\The GAYS Of DAYTIME- The Message Board - Wild Speculation - Verbotene Liebegh5hr5thtrt_files\The GAYS Of DAYTIME- The Message Board - Wild Speculation - Verbotene Liebehj515j1yt_files\sendtopic.gif 1401 bytes
File C:\Documents and Settings\HP_Administrator\My Documents\desktop stuff\chrolli\Webpages and Pics, etc\The GAYS Of DAYTIME- The Message Board - Wild Speculation - Verbotene Liebegh5hr5thtrt_files\The GAYS Of DAYTIME- The Message Board - Wild Speculation - Verbotene Liebehj515j1yt_files\star.gif 900 bytes
File C:\Documents and Settings\HP_Administrator\My Documents\desktop stuff\chrolli\Webpages and Pics, etc\The GAYS Of DAYTIME- The Message Board - Wild Speculation - Verbotene Liebegh5hr5thtrt_files\The GAYS Of DAYTIME- The Message Board - Wild Speculation - Verbotene Liebehj515j1yt_files\tongue.gif 586 bytes
File C:\Documents and Settings\HP_Administrator\My Documents\desktop stuff\chrolli\Webpages and Pics, etc\The GAYS Of DAYTIME- The Message Board - Wild Speculation - Verbotene Liebegh5hr5thtrt_files\The GAYS Of DAYTIME- The Message Board - Wild Speculation - Verbotene Liebehj515j1yt_files\undecided.gif 594 bytes
File C:\Documents and Settings\HP_Administrator\My Documents\desktop stuff\chrolli\Webpages and Pics, etc\The GAYS Of DAYTIME- The Message Board - Wild Speculation - Verbotene Liebegh5hr5thtrt_files\The GAYS Of DAYTIME- The Message Board - Wild Speculation - Verbotene Liebehj515j1yt_files\veryhotthread.gif 1287 bytes
File C:\Documents and Settings\HP_Administrator\My Documents\desktop stuff\chrolli\Webpages and Pics, etc\The GAYS Of DAYTIME- The Message Board - Wild Speculation - Verbotene Liebegh5hr5thtrt_files\The GAYS Of DAYTIME- The Message Board - Wild Speculation - Verbotene Liebehj515j1yt_files\wall35.jpg 9850 bytes
File C:\Documents and Settings\HP_Administrator\My Documents\desktop stuff\chrolli\Webpages and Pics, etc\The GAYS Of DAYTIME- The Message Board - Wild Speculation - Verbotene Liebegh5hr5thtrt_files\The GAYS Of DAYTIME- The Message Board - Wild Speculation - Verbotene Liebehj515j1yt_files\wink.gif 586 bytes
File C:\Documents and Settings\HP_Administrator\My Documents\desktop stuff\chrolli\Webpages and Pics, etc\The GAYS Of DAYTIME- The Message Board - Wild Speculation - Verbotene Liebegh5hr5thtrt_files\The GAYS Of DAYTIME- The Message Board - Wild Speculation - Verbotene Liebehj515j1yt_files\www_sm.gif 971 bytes
File C:\Documents and Settings\HP_Administrator\My Documents\desktop stuff\chrolli\Webpages and Pics, etc\The GAYS Of DAYTIME- The Message Board - Wild Speculation - Verbotene Liebegh5hr5thtrt_files\The GAYS Of DAYTIME- The Message Board - Wild Speculation - Verbotene Liebehj515j1yt_files\xx.gif 962 bytes

---- EOF - GMER 1.0.15 ----


I left Windows Firewall on while GMER scanned. Please tell me if that was wrong and I should redo GMER.

Thank you so much for all the help you're giving me. It is very appreciated! So what's next?

#10 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,404 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:12:49 PM

Posted 17 January 2010 - 12:22 AM

OK, this was a good choice to at least run and get some things off here.
Is safe mode still out? As I would like to run these again in safe.

SUPERAntiSpyware has a built-in "Repairs" feature to fix policy restrictions and certain Windows settings which are sometimes targeted by malware infection. To use this feature, launch SUPERAntiSpyware.
  • Click the Repairs tab.
  • Click on (highlight) "Repair broken SafeBoot key" and then click the Repair button.
  • You may be asked to reboot your computer for the changes to take effect.

Rerun MBAM (MalwareBytes) like this:

Open MBAM in normal mode and click Update tab, select Check for Updates, when done
click Scanner tab, select Quick scan and scan (normal mode).
After scan click Remove Selected, Post new scan log and Reboot into normal mode.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#11 fuzzyfishy


Posted 17 January 2010 - 10:53 AM

I did the SAS repair thing and then I was able to get into Safe Mode. :thumbsup:

I wasn't quite sure which scan thing to do next so I decided to do MBAM first.

Just so you know, and so you can tell me if it will cause a problem: I got a little confused and checked MBAM for updates in "safe mode with networking" so I hope that didn't mess up the update process, and it is now updated to version 3582.

Then I restarted the computer in normal mode, opened MBAM and ran the quick scan (in normal mode). (I didn't run Rkill before I ran MBAM. Should I have?) Here is the log:

Malwarebytes' Anti-Malware 1.44
Database version: 3582
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

1/17/2010 10:29:26 AM
mbam-log-2010-01-17 (10-29-26).txt

Scan type: Quick Scan
Objects scanned: 123951
Time elapsed: 6 minute(s), 4 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)



Now I will run ATF and SAS and GMER in Safe Mode. Should I restart in between the SAS and GMER scans?

#12 boopme


Posted 17 January 2010 - 12:19 PM

If SAS finds malware and you remove it, then yes, a reboot is always a good thing.

#13 fuzzyfishy


Posted 17 January 2010 - 03:31 PM

Here is the SAS log (scanned in Safe Mode, and I did ATF right before I opened SAS):

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 01/17/2010 at 03:20 PM

Application Version : 4.33.1000

Core Rules Database Version : 4484
Trace Rules Database Version: 2302

Scan type : Complete Scan
Total Scan Time : 03:42:59

Memory items scanned : 230
Memory threats detected : 0
Registry items scanned : 6356
Registry threats detected : 0
File items scanned : 173330
File threats detected : 0

#14 boopme


Posted 17 January 2010 - 04:06 PM

Looking good, how's it running?

#15 fuzzyfishy


Posted 17 January 2010 - 08:40 PM

Here is GMER log (scanned in Safe Mode):

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-01-17 20:17:53
Windows 5.1.2600 Service Pack 3
Running: bp9v5f5o.exe; Driver: C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\kwxyafod.sys


---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 arkbcfltr.sys (Microsoft AR PS/2 Keyboard Filter Driver (Beta 2 Release 2)/Microsoft Corporation)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 arkbcfltr.sys (Microsoft AR PS/2 Keyboard Filter Driver (Beta 2 Release 2)/Microsoft Corporation)

Device \FileSystem\Cdfs \Cdfs F6F42400

---- Files - GMER 1.0.15 ----


---- EOF - GMER 1.0.15 ----


To be honest, I haven't done much on the computer besides scanning it lately, but there haven't been any fake security warning pop-ups in the past couple days, so that's a positive. :thumbsup:
So what do you think? Do I have a rootkit on my computer?



