Trojan Generic & Vundo Removal Help


This topic is locked
28 replies to this topic

#1 WildBill4

  • Members
  • 14 posts

Posted 04 April 2010 - 11:30 PM

Hello! I believe my computer has been infected with Vundo and possibly multiple other trojans as well for about the past 3 weeks, and I haven't had any luck trying to remove the virus on my own. My symptoms are:

1. On start up I get 2 error messages for the files "upayiyuk.dll" and "hilemebu.dll" (saying "The specified module could not be found.").
2. On start up I also get a pop up for Windows Security Center, and then XP Defender Pro begins performing a fake scan, telling me I have numerous infections on my computer (these are being controlled by the process ave.exe).
3. Google searches redirect me to advertisements or other websites, and the entire browser seems to crash at random times.
4. When I try to open some programs, such as Firefox, ave.exe loads again and starts performing another fake scan.
5. The computer itself varies at random from running fine to running extremely slow, and will sometimes lock up for 3 or 4 minutes at a time, and it's slow to open new programs or shut down.
6. The computer automatically restarts if I try to boot in Safe Mode.

I installed McAfee VirusScan Enterprise but when I try to perform a system scan the entire program freezes. However, the real-time scan it performs has found plenty of other trojans running (Vundo among them) but failed to clean or delete most of them. I've had Vundo before and was able to kill it the first time, but not being able to run a scan with McAfee or boot in Safe Mode has made this more than I can handle on my own.

Here is my DDS log:

DDS (Ver_10-03-17.01) - NTFSx86  
Run by Billy at 23:50:26.87 on Sun 04/04/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_17
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.2047.1396 [GMT -4:00]

AV: McAfee VirusScan Enterprise *On-access scanning enabled* (Updated)   {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}

============== Running Processes ===============

C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\McAfee\Common Framework\udaterui.exe
C:\program files\valve\steam\steam.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Documents and Settings\Billy\Local Settings\Application Data\ave.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\VirusScan Enterprise\EngineServer.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\WINDOWS\system32\mfevtps.exe
C:\Program Files\Autodesk\3DS Max 8\mentalray\satellite\raysat_3dsmax8server.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\dds.scr

============== Pseudo HJT Report ===============

uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~3\office12\GRA8E1~1.DLL
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan enterprise\scriptsn.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Skype add-on for Internet Explorer: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.4.4525.1752\swg.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [Steam] "c:\program files\valve\steam\steam.exe" -silent
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [SkyTel] SkyTel.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [nwiz] nwiz.exe /installquiet
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [Fgisit] rundll32.exe "c:\windows\upayiyuk.dll",Startup
mRun: [McAfeeUpdaterUI] "c:\program files\mcafee\common framework\udaterui.exe" /StartedFromRunKey
mRun: [ShStatEXE] "c:\program files\mcafee\virusscan enterprise\SHSTAT.EXE" /STANDALONE
mRun: [kosekudod] Rundll32.exe "c:\windows\system32\hilemebu.dll",a
StartupFolder: c:\docume~1\billy\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
mPolicies-system: EnableLUA = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} - hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.4/srl_bin/sysreqlab_nvd.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: NameServer = 93.188.164.231,93.188.161.72
TCP: {0526BD88-39F4-4BB3-8EAC-B39C1A1CF903} = 93.188.164.231,93.188.161.72
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\micros~3\office12\GR99D3~1.DLL
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
AppInit_DLLs: lebobofu.dll c:\windows\system32\nisinupo.dll c:\windows\system32\nukiyofi.dll c:\windows\system32\hilemebu.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SSODL: zavumutah - {b4866378-8491-41dc-81b0-fe31a632962d} - c:\windows\system32\habanuvo.dll
SSODL: sojihofef - {a3ab4004-aa82-48ba-a989-c68927c895a3} - c:\windows\system32\nukiyofi.dll
SSODL: lekipibey - {5ce86582-61be-4e39-906a-dd2bb411c2e6} - c:\windows\system32\hilemebu.dll
STS: tokatiluy: {b4866378-8491-41dc-81b0-fe31a632962d} - c:\windows\system32\habanuvo.dll
STS: jugezatag: {a3ab4004-aa82-48ba-a989-c68927c895a3} - c:\windows\system32\nukiyofi.dll
STS: mujuzedij: {5ce86582-61be-4e39-906a-dd2bb411c2e6} - c:\windows\system32\hilemebu.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~3\office12\GRA8E1~1.DLL
LSA: Notification Packages = scecli imsprt.dll jebojope.dll
IFEO: taskmgr.exe - "c:\program files\process explorer\PROCEXP.EXE"

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\billy\applic~1\mozilla\firefox\profiles\3m0z23rm.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npwachk.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: XULRunner: {4C5FA377-44B8-46A5-B329-33B2C547E87F} - c:\documents and settings\billy\local settings\application data\{4C5FA377-44B8-46A5-B329-33B2C547E87F}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency",   1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug",            false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight",       2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize",       1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight",   25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight",     5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation",  false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2010-3-29 340592]
R1 BIOS;BIOS;c:\windows\system32\drivers\BIOS.sys [2009-12-16 13696]
R2 McAfeeEngineService;McAfee Engine Service;c:\program files\mcafee\virusscan enterprise\EngineServer.exe [2008-9-29 19456]
R2 McAfeeFramework;McAfee Framework Service;c:\program files\mcafee\common framework\FrameworkService.exe [2008-3-14 103744]
R2 McShield;McAfee McShield;c:\program files\mcafee\virusscan enterprise\Mcshield.exe [2008-9-29 143088]
R2 McTaskManager;McAfee Task Manager;c:\program files\mcafee\virusscan enterprise\VsTskMgr.exe [2008-9-29 62800]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2010-3-29 67904]
R3 ManyCam;ManyCam Virtual Webcam, WDM Video Capture Driver;c:\windows\system32\drivers\ManyCam.sys [2008-1-14 21632]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2010-3-29 90360]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2010-3-29 42424]
S2 bbcgzieyu;Installer Windows;c:\windows\system32\svchost.exe -k netsvcs [2004-8-4 14336]
S2 gupdate1cab5dfdcb64e30;Google Update Service (gupdate1cab5dfdcb64e30);c:\program files\google\update\GoogleUpdate.exe [2010-2-25 133104]
S2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe --> c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [?]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2010-3-29 64432]

============== File Associations ===============

.exe=secfile

=============== Created Last 30 ================

2010-04-03 18:11:16    525824    ----a-w-    c:\program files\dds.scr
2010-04-03 01:24:36    0    d-----w-    c:\program files\Aspyr
2010-04-03 01:22:34    0    d-----w-    c:\windows\system32\appmgmt
2010-04-03 01:16:25    21116611    ----a-w-    c:\program files\GH3_PC_1.3_Patch.exe
2010-04-03 00:29:42    107888    ----a-w-    c:\windows\system32\CmdLineExt.dll
2010-03-30 16:17:18    0    d-----w-    C:\VundoFix Backups
2010-03-29 15:25:16    0    d-----w-    C:\QUARANTINE
2010-03-29 15:15:57    64432    ----a-w-    c:\windows\system32\drivers\mferkdet.sys
2010-03-29 15:15:56    90360    ----a-w-    c:\windows\system32\drivers\mfeavfk.sys
2010-03-29 15:15:56    74648    ----a-w-    c:\windows\system32\drivers\mfeapfk.sys
2010-03-29 15:15:56    42424    ----a-w-    c:\windows\system32\drivers\mfebopk.sys
2010-03-29 15:15:55    62704    ----a-w-    c:\windows\system32\drivers\mfetdik.sys
2010-03-29 15:15:55    340592    ----a-w-    c:\windows\system32\drivers\mfehidk.sys
2010-03-29 15:15:54    67904    ----a-w-    c:\windows\system32\mfevtps.exe
2010-03-29 15:15:25    0    d-----w-    c:\program files\common files\Cisco Systems
2010-03-29 15:15:17    0    d-----w-    c:\program files\McAfee
2010-03-26 18:32:28    2808907    ----a-w-    c:\program files\FeedBack0.97b.zip
2010-03-26 18:29:19    0    d-----w-    c:\program files\FeedBack0.97b
2010-03-22 01:41:27    0    d-----w-    c:\program files\SopCast
2010-03-22 01:40:02    5277219    ----a-w-    c:\program files\SopCast-328.zip

==================== Find3M  ====================

2010-02-25 05:59:06    2020136    ----a-w-    c:\program files\SkypeSetup.exe
2010-02-15 18:14:32    806    ----a-w-    c:\windows\system32\drivers\SYMEVENT.INF
2010-02-15 18:14:32    60808    ----a-w-    c:\windows\system32\S32EVNT1.DLL
2010-02-15 18:14:32    124464    ----a-w-    c:\windows\system32\drivers\SYMEVENT.SYS
2010-02-15 18:14:32    10635    ----a-w-    c:\windows\system32\drivers\SYMEVENT.CAT
2010-02-15 18:14:25    36272    ----a-r-    c:\windows\system32\drivers\SymIM.sys
2010-02-01 03:23:31    14892016    ----a-w-    c:\program files\ManyCam.exe
2009-12-23 01:42:28    1839496    ----a-w-    c:\program files\HousecallLauncher.exe
2009-12-21 03:30:36    18030130    ----a-w-    c:\program files\vlc-1.0.3-win32.exe
2009-12-17 12:57:04    32768    --sha-w-    c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009121720091218\index.dat

============= FINISH: 23:53:47.10 ===============


I'd be happy to post a Hijack This log as well if that would be helpful too. Thanks in advance if you can help me get this all worked out!


#2 syler


  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK

Posted 08 April 2010 - 12:06 PM

Hello and Welcome to Bleepingcomputer

Please note we are very busy, so if I don't hear from you within 5 days the topic will be closed. If you have since
resolved your issues I would appreciate if you would let me know so I can close this topic.


We need to create an OTL Report
  1. Please download OTL from one of the following mirrors:
  2. Save it to your desktop.
  3. Double click on the icon on your desktop.
  4. Click the "Scan All Users" checkbox.
  5. Under the Custom Scans/Fixes box at the bottom, paste in the following bold text.
    %SYSTEMDRIVE%\*.exe
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    /md5stop
    CREATERESTOREPOINT

  6. Push the button.
  7. Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized

Thanks



#3 WildBill4

  • Topic Starter

  • Members
  • 14 posts

Posted 08 April 2010 - 01:19 PM

Thanks! I see you're all busy and I'm in no hurry, so no worries.

Here's the OTL.txt file:

OTL logfile created on: 4/8/2010 1:56:51 PM - Run 1
OTL by OldTimer - Version 3.2.1.0 Folder = C:\Documents and Settings\Billy\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 58.00% Memory free
4.00 Gb Paging File | 3.00 Gb Available in Paging File | 83.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 298.08 Gb Total Space | 91.26 Gb Free Space | 30.61% Space Free | Partition Type: NTFS
Drive D: | 562.83 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: BILLYZONE
Current User Name: Billy
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/04/08 13:56:01 | 000,561,664 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Billy\Desktop\OTL.exe
PRC - [2010/04/02 00:26:25 | 000,910,296 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2010/02/20 00:00:30 | 001,217,872 | ---- | M] (Valve Corporation) -- C:\Program Files\Valve\Steam\steam.exe
PRC - [2009/12/20 22:36:28 | 000,072,704 | ---- | M] (Autodesk) -- C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
PRC - [2009/01/09 12:31:16 | 002,482,848 | ---- | M] (McAfee, Inc.) -- c:\Program Files\Common Files\McAfee\MNA\McNASvc.exe
PRC - [2008/09/29 08:07:00 | 000,143,088 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
PRC - [2008/09/29 08:07:00 | 000,124,240 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan Enterprise\shstat.exe
PRC - [2008/09/29 08:07:00 | 000,067,904 | ---- | M] (McAfee, Inc.) -- C:\WINDOWS\system32\mfevtps.exe
PRC - [2008/09/29 08:07:00 | 000,062,800 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
PRC - [2008/09/29 08:07:00 | 000,026,672 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan Enterprise\mfeann.exe
PRC - [2008/09/29 08:07:00 | 000,019,456 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan Enterprise\EngineServer.exe
PRC - [2008/04/13 20:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2008/03/14 04:00:00 | 000,226,624 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\Common Framework\naPrdMgr.exe
PRC - [2008/03/14 04:00:00 | 000,136,512 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\Common Framework\UdaterUI.exe
PRC - [2008/03/14 04:00:00 | 000,103,744 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\Common Framework\FrameworkService.exe
PRC - [2008/03/14 04:00:00 | 000,091,456 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\Common Framework\McTray.exe
PRC - [2005/09/21 15:13:44 | 000,065,536 | ---- | M] () -- C:\Program Files\Autodesk\3DS Max 8\mentalray\satellite\raysat_3dsmax8server.exe


========== Modules (SafeList) ==========

MOD - [2010/04/08 13:56:01 | 000,561,664 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Billy\Desktop\OTL.exe
MOD - [2010/01/08 12:18:50 | 000,096,768 | -HS- | M] () -- C:\WINDOWS\system32\kujonuva.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [Auto | Stopped] -- -- (McProxy)
SRV - File not found [Auto | Stopped] -- -- (mcmscsvc)
SRV - File not found [On_Demand | Stopped] -- -- (gusvc)
SRV - [2009/12/20 22:36:28 | 000,072,704 | ---- | M] (Autodesk) [Auto | Running] -- C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe -- (Autodesk Licensing Service)
SRV - [2009/01/09 12:31:16 | 002,482,848 | ---- | M] (McAfee, Inc.) [Auto | Running] -- c:\Program Files\Common Files\McAfee\MNA\McNASvc.exe -- (McNASvc)
SRV - [2008/09/29 08:07:00 | 000,143,088 | ---- | M] (McAfee, Inc.) [Unknown | Running] -- C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe -- (McShield)
SRV - [2008/09/29 08:07:00 | 000,067,904 | ---- | M] (McAfee, Inc.) [Unknown | Running] -- C:\WINDOWS\system32\mfevtps.exe -- (mfevtp)
SRV - [2008/09/29 08:07:00 | 000,062,800 | ---- | M] (McAfee, Inc.) [Unknown | Running] -- C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe -- (McTaskManager)
SRV - [2008/09/29 08:07:00 | 000,019,456 | ---- | M] (McAfee, Inc.) [Unknown | Running] -- C:\Program Files\McAfee\VirusScan Enterprise\EngineServer.exe -- (McAfeeEngineService)
SRV - [2008/03/14 04:00:00 | 000,103,744 | ---- | M] (McAfee, Inc.) [Unknown | Running] -- C:\Program Files\McAfee\Common Framework\FrameworkService.exe -- (McAfeeFramework)
SRV - [2005/09/21 15:13:44 | 000,065,536 | ---- | M] () [Auto | Running] -- C:\Program Files\Autodesk\3DS Max 8\mentalray\satellite\raysat_3dsmax8server.exe -- (mi-raysat_3dsmax8)


========== Driver Services (SafeList) ==========

DRV - [2010/04/05 19:10:18 | 000,052,480 | ---- | M] () [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\i8042prt.sys -- (i8042prt)
DRV - [2010/02/15 14:14:32 | 000,124,464 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\SYMEVENT.SYS -- (SymEvent)
DRV - [2010/02/15 14:14:25 | 000,036,272 | R--- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\SymIM.sys -- (SymIMMP)
DRV - [2010/02/15 14:14:25 | 000,036,272 | R--- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\SymIM.sys -- (SymIM)
DRV - [2009/11/20 22:34:54 | 010,235,968 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nv4_mini.sys -- (nv)
DRV - [2009/05/09 02:14:20 | 000,014,736 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nuidfltr.sys -- (NuidFltr)
DRV - [2008/09/29 08:07:00 | 000,340,592 | ---- | M] (McAfee, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\mfehidk.sys -- (mfehidk)
DRV - [2008/09/29 08:07:00 | 000,090,360 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mfeavfk.sys -- (mfeavfk)
DRV - [2008/09/29 08:07:00 | 000,074,648 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mfeapfk.sys -- (mfeapfk)
DRV - [2008/09/29 08:07:00 | 000,064,432 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mferkdet.sys -- (mferkdet)
DRV - [2008/09/29 08:07:00 | 000,062,704 | ---- | M] (McAfee, Inc.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\mfetdik.sys -- (mfetdik)
DRV - [2008/09/29 08:07:00 | 000,042,424 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mfebopk.sys -- (mfebopk)
DRV - [2008/04/13 12:36:05 | 000,144,384 | ---- | M] (Windows ® Server 2003 DDK provider) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\hdaudbus.sys -- (HDAudBus)
DRV - [2008/01/14 06:06:32 | 000,021,632 | ---- | M] (ManyCam LLC.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ManyCam.sys -- (ManyCam)
DRV - [2007/10/23 06:51:04 | 000,103,296 | R--- | M] (Realtek Semiconductor Corporation ) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\Rtenicxp.sys -- (RTLE8023xp)
DRV - [2007/04/10 20:04:40 | 004,397,568 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\RtkHDAud.sys -- (IntcAzAudAddService) Service for Realtek HD Audio (WDM)
DRV - [2006/07/01 23:39:40 | 000,036,864 | ---- | M] (Advanced Micro Devices) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\AmdK8.sys -- (AmdK8)
DRV - [2006/06/01 14:15:20 | 000,509,440 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\xnacc.sys -- (xnacc)
DRV - [2005/03/16 02:23:54 | 000,013,696 | R--- | M] (BIOSTAR Group) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\BIOS.sys -- (BIOS)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========



IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local



IE - HKU\S-1-5-21-484763869-796845957-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-484763869-796845957-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "http://www.google.com/"
FF - prefs.js..extensions.enabledItems: {e4a8a97b-f2ed-450b-b12d-ee082ba24781}:0.8.20100211.5
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
FF - prefs.js..extensions.enabledItems: {4C5FA377-44B8-46A5-B329-33B2C547E87F}:1.9.1

FF - HKLM\software\mozilla\Firefox\extensions\\{4C5FA377-44B8-46A5-B329-33B2C547E87F}: C:\Documents and Settings\Billy\Local Settings\Application Data\{4C5FA377-44B8-46A5-B329-33B2C547E87F} [2010/01/12 01:06:50 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.0.16\extensions\\Components: E:\Program Files\Mozilla Firefox\components
FF - HKLM\software\mozilla\Mozilla Firefox 3.0.16\extensions\\Plugins: E:\Program Files\Mozilla Firefox\plugins
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.3\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/04/02 00:26:28 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.3\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/04/02 00:26:28 | 000,000,000 | ---D | M]

[2010/02/03 15:32:29 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Billy\Application Data\Mozilla\Extensions
[2010/02/03 15:32:29 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Billy\Application Data\Mozilla\Extensions\mozswing@mozswing.org
[2010/04/08 12:33:42 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Billy\Application Data\Mozilla\Firefox\Profiles\3m0z23rm.default\extensions
[2009/12/16 23:56:24 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\Billy\Application Data\Mozilla\Firefox\Profiles\3m0z23rm.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2009/12/16 23:56:23 | 000,000,000 | ---D | M] (Aquatint Black Gloss) -- C:\Documents and Settings\Billy\Application Data\Mozilla\Firefox\Profiles\3m0z23rm.default\extensions\{7694c49c-9fbd-11dc-8314-0800200c9a66}
[2010/03/27 14:56:44 | 000,000,000 | ---D | M] (Greasemonkey) -- C:\Documents and Settings\Billy\Application Data\Mozilla\Firefox\Profiles\3m0z23rm.default\extensions\{e4a8a97b-f2ed-450b-b12d-ee082ba24781}
[2010/04/08 12:33:42 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2009/12/17 20:31:54 | 000,063,488 | ---- | M] (Nullsoft) -- C:\Program Files\Mozilla Firefox\plugins\npwachk.dll

O1 HOSTS File: ([2004/08/04 08:00:00 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (no name) - {45b191b0-bc08-4180-9b7f-42a50c3f6e3e} - File not found
O2 - BHO: (Groove GFS Browser Helper) - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)
O2 - BHO: (scriptproxy) - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptsn.dll (McAfee, Inc.)
O2 - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll File not found
O2 - BHO: (Skype add-on for Internet Explorer) - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.4.4525.1752\swg.dll File not found
O3 - HKLM\..\Toolbar: (Google Toolbar) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll File not found
O3 - HKU\S-1-5-21-484763869-796845957-725345543-1003\..\Toolbar\WebBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll File not found
O4 - HKLM..\Run: [Alcmtr] C:\WINDOWS\Alcmtr.exe (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [Fgisit] C:\WINDOWS\upayiyuk.DLL File not found
O4 - HKLM..\Run: [jepihopami] File not found
O4 - HKLM..\Run: [kosekudod] C:\WINDOWS\System32\kujonuva.DLL ()
O4 - HKLM..\Run: [McAfeeUpdaterUI] C:\Program Files\McAfee\Common Framework\udaterui.exe (McAfee, Inc.)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] C:\WINDOWS\System32\NvMcTray.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [nwiz] File not found
O4 - HKLM..\Run: [ShStatEXE] C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE (McAfee, Inc.)
O4 - HKLM..\Run: [SkyTel] C:\WINDOWS\SkyTel.exe (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [UserFaultCheck] File not found
O4 - HKU\S-1-5-21-484763869-796845957-725345543-1003..\Run: [Steam] c:\program files\valve\steam\steam.exe (Valve Corporation)
O4 - Startup: C:\Documents and Settings\Billy\Start Menu\Programs\Startup\Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (Adobe Systems, Inc.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-484763869-796845957-725345543-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office12\EXCEL.EXE (Microsoft Corporation)
O9 - Extra Button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra Button: Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O9 - Extra 'Tools' menuitem : Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} http://www.nvidia.com/content/DriverDownlo...sreqlab_nvd.cab (System Requirements Lab Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 65.182.32.35 65.182.32.146
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 93.188.164.231,93.188.161.72
O18 - Protocol\Handler\grooveLocalGWS {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll (Microsoft Corporation)
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O18 - Protocol\Handler\skype-ie-addon-data {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - AppInit_DLLs: (lebobofu.dll) - File not found
O20 - AppInit_DLLs: (c:\windows\system32\nisinupo.dll) - C:\WINDOWS\System32\nisinupo.dll File not found
O20 - AppInit_DLLs: (c:\windows\system32\nukiyofi.dll) - C:\WINDOWS\System32\nukiyofi.dll File not found
O20 - AppInit_DLLs: (c:\windows\system32\hilemebu.dll) - C:\WINDOWS\System32\hilemebu.dll File not found
O20 - AppInit_DLLs: (c:\windows\system32\dolivowa.dll) - C:\WINDOWS\System32\dolivowa.dll File not found
O20 - AppInit_DLLs: (c:\windows\system32\kujonuva.dll) - C:\WINDOWS\system32\kujonuva.dll ()
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O21 - SSODL: lekipibey - {5ce86582-61be-4e39-906a-dd2bb411c2e6} - C:\WINDOWS\System32\hilemebu.dll File not found
O21 - SSODL: mufasudom - {13e83c55-c6a1-42ee-91b8-c4d823325aed} - C:\WINDOWS\System32\dolivowa.dll File not found
O21 - SSODL: nelijekap - {3cdadaa8-295f-4b83-8766-81a774179f67} - C:\WINDOWS\system32\kujonuva.dll ()
O21 - SSODL: sojihofef - {a3ab4004-aa82-48ba-a989-c68927c895a3} - C:\WINDOWS\System32\nukiyofi.dll File not found
O21 - SSODL: zavumutah - {b4866378-8491-41dc-81b0-fe31a632962d} - C:\WINDOWS\System32\habanuvo.dll File not found
O22 - SharedTaskScheduler: {13e83c55-c6a1-42ee-91b8-c4d823325aed} - kupuhivus - C:\WINDOWS\System32\dolivowa.dll File not found
O22 - SharedTaskScheduler: {3cdadaa8-295f-4b83-8766-81a774179f67} - mujuzedij - C:\WINDOWS\system32\kujonuva.dll ()
O22 - SharedTaskScheduler: {5ce86582-61be-4e39-906a-dd2bb411c2e6} - mujuzedij - C:\WINDOWS\System32\hilemebu.dll File not found
O22 - SharedTaskScheduler: {a3ab4004-aa82-48ba-a989-c68927c895a3} - jugezatag - C:\WINDOWS\System32\nukiyofi.dll File not found
O22 - SharedTaskScheduler: {b4866378-8491-41dc-81b0-fe31a632962d} - tokatiluy - C:\WINDOWS\System32\habanuvo.dll File not found
O24 - Desktop WallPaper: C:\Documents and Settings\Billy\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Billy\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O27 - HKLM IFEO\MpCmdRun.exe: Debugger - C:\WINDOWS\system32\svchost.exe (Microsoft Corporation)
O27 - HKLM IFEO\MSASCui.exe: Debugger - C:\WINDOWS\system32\svchost.exe (Microsoft Corporation)
O27 - HKLM IFEO\MsMpEng.exe: Debugger - C:\WINDOWS\system32\svchost.exe (Microsoft Corporation)
O27 - HKLM IFEO\msseces.exe: Debugger - C:\WINDOWS\system32\svchost.exe (Microsoft Corporation)
O27 - HKLM IFEO\taskmgr.exe: Debugger - "C:\PROGRAM FILES\PROCESS EXPLORER\PROCEXP.EXE" (Sysinternals - www.sysinternals.com)
O28 - HKLM ShellExecuteHooks: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/12/16 22:47:40 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2006/10/28 01:44:05 | 000,000,175 | R--- | M] () - D:\autorun.inf -- [ CDFS ]
O33 - MountPoints2\{853026ba-f007-11de-89ff-00e04d747828}\Shell - "" = AutoRun
O33 - MountPoints2\{853026ba-f007-11de-89ff-00e04d747828}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{853026ba-f007-11de-89ff-00e04d747828}\Shell\AutoRun\command - "" = F:\LaunchU3.exe -- File not found
O33 - MountPoints2\{c350b446-02db-11df-8a1f-00e04d747828}\Shell - "" = AutoRun
O33 - MountPoints2\{c350b446-02db-11df-8a1f-00e04d747828}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{c350b446-02db-11df-8a1f-00e04d747828}\Shell\AutoRun\command - "" = F:\LaunchU3.exe -- File not found
O33 - MountPoints2\{c350b447-02db-11df-8a1f-00e04d747828}\Shell - "" = AutoRun
O33 - MountPoints2\{c350b447-02db-11df-8a1f-00e04d747828}\Shell\AutoRun - "" = Auto&Play
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKU\S-1-5-21-484763869-796845957-725345543-1003\...exe [@ = exefile] -- Reg Error: Key error. File not found

CREATERESTOREPOINT
Restore point Set: OTL Restore Point (206158430208)

========== Files/Folders - Created Within 30 Days ==========

[2010/04/08 13:56:00 | 000,561,664 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Billy\Desktop\OTL.exe
[2010/04/05 18:41:54 | 000,000,000 | ---D | C] -- C:\spoolerlogs
[2010/04/02 21:24:36 | 000,000,000 | ---D | C] -- C:\Program Files\Aspyr
[2010/04/02 21:22:34 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\appmgmt
[2010/04/02 21:16:25 | 021,116,611 | ---- | C] (Aspyr Media, Inc) -- C:\Program Files\GH3_PC_1.3_Patch.exe
[2010/04/02 20:30:58 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Billy\My Documents\Aspyr
[2010/04/02 20:30:58 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Billy\Local Settings\Application Data\Aspyr
[2010/04/02 20:29:43 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Billy\Application Data\SecuROM
[2010/04/02 20:29:42 | 000,107,888 | ---- | C] (Sony DADC Austria AG.) -- C:\WINDOWS\System32\CmdLineExt.dll
[2010/04/02 01:00:16 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Billy\My Documents\Astronomy
[2010/03/30 12:17:18 | 000,000,000 | ---D | C] -- C:\VundoFix Backups
[2010/03/30 12:16:58 | 000,119,808 | ---- | C] (Atribune.org) -- C:\Documents and Settings\Billy\Desktop\VundoFix.exe
[2010/03/29 11:25:16 | 000,000,000 | ---D | C] -- C:\QUARANTINE
[2010/03/29 11:15:57 | 000,064,432 | ---- | C] (McAfee, Inc.) -- C:\WINDOWS\System32\drivers\mferkdet.sys
[2010/03/29 11:15:56 | 000,090,360 | ---- | C] (McAfee, Inc.) -- C:\WINDOWS\System32\drivers\mfeavfk.sys
[2010/03/29 11:15:56 | 000,074,648 | ---- | C] (McAfee, Inc.) -- C:\WINDOWS\System32\drivers\mfeapfk.sys
[2010/03/29 11:15:56 | 000,042,424 | ---- | C] (McAfee, Inc.) -- C:\WINDOWS\System32\drivers\mfebopk.sys
[2010/03/29 11:15:55 | 000,340,592 | ---- | C] (McAfee, Inc.) -- C:\WINDOWS\System32\drivers\mfehidk.sys
[2010/03/29 11:15:55 | 000,062,704 | ---- | C] (McAfee, Inc.) -- C:\WINDOWS\System32\drivers\mfetdik.sys
[2010/03/29 11:15:54 | 000,067,904 | ---- | C] (McAfee, Inc.) -- C:\WINDOWS\System32\mfevtps.exe
[2010/03/29 11:15:25 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Cisco Systems
[2010/03/29 11:15:17 | 000,000,000 | ---D | C] -- C:\Program Files\McAfee
[2010/03/26 14:29:19 | 000,000,000 | ---D | C] -- C:\Program Files\FeedBack0.97b
[2010/03/21 21:41:27 | 000,000,000 | ---D | C] -- C:\Program Files\SopCast
[2010/02/26 15:15:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft
[2010/02/25 02:15:07 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Google
[2010/02/25 02:01:06 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Google
[2010/02/25 01:59:05 | 002,020,136 | ---- | C] (Skype Technologies S.A.) -- C:\Program Files\SkypeSetup.exe
[2010/02/12 20:08:51 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\Adobe
[2010/02/12 20:08:49 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft
[2009/12/22 21:42:22 | 001,839,496 | ---- | C] (Trend Micro) -- C:\Program Files\HousecallLauncher.exe
[2009/12/17 09:04:10 | 000,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Application Data\Microsoft
[2009/12/16 22:47:38 | 000,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Application Data\Microsoft
[5 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[44 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/04/08 14:00:00 | 000,000,294 | ---- | M] () -- C:\WINDOWS\tasks\yqrbdfle.job
[2010/04/08 13:56:01 | 000,561,664 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Billy\Desktop\OTL.exe
[2010/04/08 13:27:00 | 000,000,886 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2010/04/08 13:27:00 | 000,000,882 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2010/04/08 13:00:00 | 000,000,296 | ---- | M] () -- C:\WINDOWS\tasks\tgkmhcnb.job
[2010/04/08 12:57:36 | 000,001,712 | ---- | M] () -- C:\Documents and Settings\Billy\Desktop\Day of Defeat Source.lnk
[2010/04/08 12:57:31 | 000,001,712 | ---- | M] () -- C:\Documents and Settings\Billy\Desktop\Counter-Strike Source.lnk
[2010/04/08 12:18:41 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/04/08 12:14:59 | 000,272,291 | ---- | M] () -- C:\WINDOWS\System32\NvApps.xml
[2010/04/08 12:14:56 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/04/08 12:14:55 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/04/08 01:12:05 | 005,767,168 | -H-- | M] () -- C:\Documents and Settings\Billy\NTUSER.DAT
[2010/04/08 01:11:17 | 004,807,996 | -H-- | M] () -- C:\Documents and Settings\Billy\Local Settings\Application Data\IconCache.db
[2010/04/07 22:47:46 | 001,032,516 | ---- | M] () -- C:\Documents and Settings\Billy\My Documents\ufc-pallahares.gif
[2010/04/07 01:48:31 | 000,224,768 | ---- | M] () -- C:\Documents and Settings\Billy\Desktop\Personality_ppt.ppt
[2010/04/07 01:22:30 | 000,048,128 | ---- | M] () -- C:\Documents and Settings\Billy\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/04/06 00:22:28 | 000,000,745 | ---- | M] () -- C:\Documents and Settings\Billy\Desktop\xp_exe_fix.zip
[2010/04/05 21:36:53 | 000,000,803 | ---- | M] () -- C:\Documents and Settings\Billy\Desktop\Shortcut to Leeme.html.lnk
[2010/04/05 19:10:18 | 000,052,480 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\i8042prt.sys
[2010/04/05 19:10:18 | 000,052,480 | ---- | M] () -- C:\WINDOWS\System32\drivers\i8042prt.sys
[2010/04/05 15:22:40 | 000,010,424 | -HS- | M] () -- C:\Documents and Settings\Billy\Local Settings\Application Data\Wv7V1mEL4UH
[2010/04/05 15:22:40 | 000,010,424 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\Wv7V1mEL4UH
[2010/04/05 15:15:33 | 000,182,784 | -HS- | M] () -- C:\Documents and Settings\Billy\Local Settings\Application Data\1633618601.dll
[2010/04/04 22:52:01 | 003,531,211 | ---- | M] () -- C:\Documents and Settings\Billy\My Documents\ufc-tavares-smith.gif
[2010/04/03 21:21:10 | 000,002,355 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\GHTCP.lnk
[2010/04/03 14:11:17 | 000,525,824 | ---- | M] () -- C:\Program Files\dds.scr
[2010/04/03 00:58:38 | 002,428,763 | ---- | M] () -- C:\Documents and Settings\Billy\Desktop\reload.zip
[2010/04/02 21:55:41 | 000,000,828 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Play Guitar Hero III.lnk
[2010/04/02 21:16:26 | 021,116,611 | ---- | M] (Aspyr Media, Inc) -- C:\Program Files\GH3_PC_1.3_Patch.exe
[2010/04/02 20:29:42 | 000,107,888 | ---- | M] (Sony DADC Austria AG.) -- C:\WINDOWS\System32\CmdLineExt.dll
[2010/04/02 00:28:46 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\Billy\ntuser.ini
[2010/04/01 13:01:33 | 000,134,665 | ---- | M] () -- C:\Documents and Settings\Billy\My Documents\fpsb-top_new_skin_lol.jpg
[2010/03/31 21:27:56 | 000,001,813 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Google Chrome.lnk
[2010/03/30 13:43:21 | 000,028,160 | ---- | M] () -- C:\Documents and Settings\Billy\My Documents\crusades.doc
[2010/03/30 12:17:01 | 000,119,808 | ---- | M] (Atribune.org) -- C:\Documents and Settings\Billy\Desktop\VundoFix.exe
[2010/03/29 19:41:45 | 000,000,120 | ---- | M] () -- C:\WINDOWS\Cvorexexiv.dat
[2010/03/29 01:27:09 | 000,000,000 | ---- | M] () -- C:\WINDOWS\Lvuhoz.bin
[2010/03/28 23:37:20 | 000,002,265 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Skype.lnk
[2010/03/28 21:51:12 | 004,696,240 | ---- | M] () -- C:\Documents and Settings\Billy\Desktop\rmsnm0.jpg.gif
[2010/03/27 02:09:12 | 003,062,830 | ---- | M] () -- C:\Documents and Settings\Billy\My Documents\tacotown.gif
[2010/03/26 14:40:21 | 000,000,725 | ---- | M] () -- C:\Documents and Settings\Billy\Desktop\Shortcut to FeedBack.exe.lnk
[2010/03/26 14:32:52 | 002,808,907 | ---- | M] () -- C:\Program Files\FeedBack0.97b.zip
[2010/03/21 23:35:30 | 003,108,842 | ---- | M] () -- C:\Documents and Settings\Billy\My Documents\pottery.gif
[2010/03/21 21:41:27 | 000,000,666 | ---- | M] () -- C:\Documents and Settings\Billy\Desktop\SopCast.lnk
[2010/03/21 21:40:11 | 005,277,219 | ---- | M] () -- C:\Program Files\SopCast-328.zip
[2010/03/20 17:49:08 | 000,384,300 | ---- | M] () -- C:\Documents and Settings\Billy\My Documents\brainscan.gif
[2010/03/19 19:20:48 | 000,144,076 | ---- | M] () -- C:\Documents and Settings\Billy\My Documents\angel.jpg
[2010/03/19 19:03:45 | 000,032,033 | ---- | M] () -- C:\Documents and Settings\Billy\My Documents\killer-robot.jpg
[2010/03/18 15:45:12 | 000,580,995 | ---- | M] () -- C:\Documents and Settings\Billy\Desktop\quote.jpg
[2010/03/17 22:48:48 | 005,877,661 | ---- | M] () -- C:\Documents and Settings\Billy\Desktop\Movie_00021.wmv
[2010/03/17 22:25:55 | 007,843,252 | ---- | M] () -- C:\Documents and Settings\Billy\Desktop\Movie_00012.wmv
[2010/03/17 22:23:36 | 001,502,715 | ---- | M] () -- C:\Documents and Settings\Billy\Desktop\Movie2.wmv
[2010/03/16 20:27:45 | 003,749,317 | ---- | M] () -- C:\Documents and Settings\Billy\My Documents\ufc-overeem.gif
[2010/03/14 13:24:19 | 000,512,960 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2010/03/14 13:24:19 | 000,435,590 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010/03/14 13:24:19 | 000,068,360 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2010/03/13 22:59:40 | 000,014,110 | -HS- | M] () -- C:\Documents and Settings\Billy\Local Settings\Application Data\MYhtd
[5 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[44 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/04/08 12:57:36 | 000,001,712 | ---- | C] () -- C:\Documents and Settings\Billy\Desktop\Day of Defeat Source.lnk
[2010/04/08 12:57:31 | 000,001,712 | ---- | C] () -- C:\Documents and Settings\Billy\Desktop\Counter-Strike Source.lnk
[2010/04/07 23:26:04 | 000,000,294 | ---- | C] () -- C:\WINDOWS\tasks\yqrbdfle.job
[2010/04/07 22:47:45 | 001,032,516 | ---- | C] () -- C:\Documents and Settings\Billy\My Documents\ufc-pallahares.gif
[2010/04/07 01:48:31 | 000,224,768 | ---- | C] () -- C:\Documents and Settings\Billy\Desktop\Personality_ppt.ppt
[2010/04/06 00:22:27 | 000,000,745 | ---- | C] () -- C:\Documents and Settings\Billy\Desktop\xp_exe_fix.zip
[2010/04/05 21:36:53 | 000,000,803 | ---- | C] () -- C:\Documents and Settings\Billy\Desktop\Shortcut to Leeme.html.lnk
[2010/04/05 00:26:52 | 000,014,549 | ---- | C] () -- C:\Program Files\Attach.txt
[2010/04/05 00:26:46 | 000,016,145 | ---- | C] () -- C:\Program Files\DDS.txt
[2010/04/04 22:51:58 | 003,531,211 | ---- | C] () -- C:\Documents and Settings\Billy\My Documents\ufc-tavares-smith.gif
[2010/04/03 14:11:16 | 000,525,824 | ---- | C] () -- C:\Program Files\dds.scr
[2010/04/03 00:58:37 | 002,428,763 | ---- | C] () -- C:\Documents and Settings\Billy\Desktop\reload.zip
[2010/04/02 22:13:11 | 000,002,355 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\GHTCP.lnk
[2010/04/02 21:55:41 | 000,000,828 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Play Guitar Hero III.lnk
[2010/04/02 21:14:05 | 000,182,784 | -HS- | C] () -- C:\Documents and Settings\Billy\Local Settings\Application Data\1633618601.dll
[2010/04/02 21:14:01 | 000,010,424 | -HS- | C] () -- C:\Documents and Settings\Billy\Local Settings\Application Data\Wv7V1mEL4UH
[2010/04/02 21:14:01 | 000,010,424 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\Wv7V1mEL4UH
[2010/04/01 13:01:31 | 000,134,665 | ---- | C] () -- C:\Documents and Settings\Billy\My Documents\fpsb-top_new_skin_lol.jpg
[2010/03/30 00:07:57 | 000,028,160 | ---- | C] () -- C:\Documents and Settings\Billy\My Documents\crusades.doc
[2010/03/28 21:51:11 | 004,696,240 | ---- | C] () -- C:\Documents and Settings\Billy\Desktop\rmsnm0.jpg.gif
[2010/03/27 02:09:11 | 003,062,830 | ---- | C] () -- C:\Documents and Settings\Billy\My Documents\tacotown.gif
[2010/03/26 14:32:28 | 002,808,907 | ---- | C] () -- C:\Program Files\FeedBack0.97b.zip
[2010/03/21 23:35:29 | 003,108,842 | ---- | C] () -- C:\Documents and Settings\Billy\My Documents\pottery.gif
[2010/03/21 21:41:27 | 000,000,666 | ---- | C] () -- C:\Documents and Settings\Billy\Desktop\SopCast.lnk
[2010/03/21 21:40:02 | 005,277,219 | ---- | C] () -- C:\Program Files\SopCast-328.zip
[2010/03/20 17:49:07 | 000,384,300 | ---- | C] () -- C:\Documents and Settings\Billy\My Documents\brainscan.gif
[2010/03/19 19:03:45 | 000,032,033 | ---- | C] () -- C:\Documents and Settings\Billy\My Documents\killer-robot.jpg
[2010/03/19 18:45:20 | 000,144,076 | ---- | C] () -- C:\Documents and Settings\Billy\My Documents\angel.jpg
[2010/03/18 15:45:11 | 000,580,995 | ---- | C] () -- C:\Documents and Settings\Billy\Desktop\quote.jpg
[2010/03/17 22:48:47 | 005,877,661 | ---- | C] () -- C:\Documents and Settings\Billy\Desktop\Movie_00021.wmv
[2010/03/17 22:25:52 | 007,843,252 | ---- | C] () -- C:\Documents and Settings\Billy\Desktop\Movie_00012.wmv
[2010/03/17 22:23:35 | 001,502,715 | ---- | C] () -- C:\Documents and Settings\Billy\Desktop\Movie2.wmv
[2010/03/16 20:27:44 | 003,749,317 | ---- | C] () -- C:\Documents and Settings\Billy\My Documents\ufc-overeem.gif
[2010/03/15 01:23:30 | 000,000,296 | ---- | C] () -- C:\WINDOWS\tasks\tgkmhcnb.job
[2010/03/01 01:43:56 | 000,014,110 | -HS- | C] () -- C:\Documents and Settings\Billy\Local Settings\Application Data\MYhtd
[2010/03/01 01:43:55 | 000,189,440 | -HS- | C] () -- C:\Documents and Settings\Billy\Local Settings\Application Data\av.exe
[2010/01/31 23:23:26 | 014,892,016 | ---- | C] () -- C:\Program Files\ManyCam.exe
[2010/01/13 02:43:59 | 000,000,127 | ---- | C] () -- C:\WINDOWS\System32\MRT.INI
[2010/01/08 12:18:50 | 000,096,768 | -HS- | C] () -- C:\WINDOWS\System32\kujonuva.dll
[2010/01/08 12:18:50 | 000,043,520 | -HS- | C] () -- C:\WINDOWS\System32\reposoku.dll
[2010/01/07 23:26:03 | 000,097,280 | -HS- | C] () -- C:\WINDOWS\System32\lokesigo.dll
[2010/01/07 23:26:03 | 000,064,000 | -HS- | C] () -- C:\WINDOWS\System32\vasajiyo.dll
[2010/01/07 23:26:03 | 000,043,520 | -HS- | C] () -- C:\WINDOWS\System32\fohakibi.dll
[2010/01/07 11:25:48 | 000,043,008 | -HS- | C] () -- C:\WINDOWS\System32\kufiselu.dll
[2010/01/06 23:25:45 | 000,044,032 | -HS- | C] () -- C:\WINDOWS\System32\rakevaka.dll
[2010/01/06 23:23:05 | 000,066,048 | -HS- | C] () -- C:\WINDOWS\System32\nanehutu.dll
[2010/01/06 23:23:05 | 000,066,048 | -HS- | C] () -- C:\WINDOWS\System32\muribabi.dll
[2009/12/22 21:43:03 | 000,000,036 | ---- | C] () -- C:\Documents and Settings\Billy\Local Settings\Application Data\housecall.guid.cache
[2009/12/22 20:10:30 | 000,000,934 | ---- | C] () -- C:\WINDOWS\System32\krl32mainweq.dll
[2009/12/22 20:08:52 | 000,000,008 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\sysReserve.ini
[2009/12/21 13:24:17 | 000,000,319 | ---- | C] () -- C:\WINDOWS\game.ini
[2009/12/20 23:28:49 | 018,030,130 | ---- | C] () -- C:\Program Files\vlc-1.0.3-win32.exe
[2009/12/16 23:48:36 | 000,048,128 | ---- | C] () -- C:\Documents and Settings\Billy\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/12/16 22:54:56 | 000,495,616 | -H-- | C] () -- C:\Documents and Settings\Billy\ntuser.dat.LOG
[2009/12/16 22:54:56 | 000,000,178 | -HS- | C] () -- C:\Documents and Settings\Billy\ntuser.ini
[2009/12/16 22:54:55 | 005,767,168 | -H-- | C] () -- C:\Documents and Settings\Billy\NTUSER.DAT
[2009/08/03 01:21:54 | 000,197,912 | ---- | C] () -- C:\WINDOWS\System32\physxcudart_20.dll
[2009/08/03 01:21:54 | 000,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelTraditionalChinese.dll
[2009/08/03 01:21:54 | 000,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelSwedish.dll
[2009/08/03 01:21:54 | 000,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelSpanish.dll
[2009/08/03 01:21:54 | 000,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelSimplifiedChinese.dll
[2009/08/03 01:21:54 | 000,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelPortugese.dll
[2009/08/03 01:21:54 | 000,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelKorean.dll
[2009/08/03 01:21:54 | 000,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelJapanese.dll
[2009/08/03 01:21:52 | 000,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelGerman.dll
[2009/08/03 01:21:52 | 000,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelFrench.dll
[2004/08/04 08:00:00 | 000,052,480 | ---- | C] () -- C:\WINDOWS\System32\drivers\i8042prt.sys
[1997/06/13 22:56:08 | 000,056,832 | ---- | C] () -- C:\WINDOWS\System32\iyvu9_32.dll

========== Custom Scans ==========


< %SYSTEMDRIVE%\*.exe >


< MD5 for: [2008/04/13 14:40:30 | 000,096,512 | ---- | M] (MICROSOFT CORPORATION) >
[2008/04/13 14:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\WINDOWS\system32\drivers\atapi.sys

< MD5 for: AGP440.SYS >
[2004/08/04 08:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:AGP440.sys
[2009/12/17 08:34:09 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:AGP440.sys
[2009/12/17 08:34:09 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:AGP440.sys
[2008/04/13 14:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\ServicePackFiles\i386\agp440.sys
[2008/04/13 14:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\system32\drivers\agp440.sys

< MD5 for: ATAPI.SYS >
[2004/08/04 08:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:atapi.sys
[2009/12/17 08:34:09 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:atapi.sys
[2009/12/17 08:34:09 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:atapi.sys
[2008/04/13 14:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ServicePackFiles\i386\atapi.sys
[2004/08/04 08:00:00 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\$NtServicePackUninstall$\atapi.sys

< MD5 for: EVENTLOG.DLL >
[2008/04/13 20:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\ServicePackFiles\i386\eventlog.dll
[2008/04/13 20:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\system32\eventlog.dll
[2004/08/04 08:00:00 | 000,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll

< MD5 for: NETLOGON.DLL >
[2008/04/13 20:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\ServicePackFiles\i386\netlogon.dll
[2008/04/13 20:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\system32\netlogon.dll
[2009/02/06 14:46:09 | 000,408,064 | ---- | M] (Microsoft Corporation) MD5=6C476D33D82F1054849790181E8F7772 -- C:\WINDOWS\$hf_mig$\KB968389\SP2QFE\netlogon.dll
[2009/02/06 14:46:09 | 000,408,064 | ---- | M] (Microsoft Corporation) MD5=6C476D33D82F1054849790181E8F7772 -- C:\WINDOWS\$hf_mig$\KB975467\SP2QFE\netlogon.dll
[2004/08/04 08:00:00 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\WINDOWS\$NtServicePackUninstall$\netlogon.dll

< MD5 for: SCECLI.DLL >
[2004/08/04 08:00:00 | 000,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- C:\WINDOWS\$NtServicePackUninstall$\scecli.dll
[2008/04/13 20:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\ServicePackFiles\i386\scecli.dll
[2008/04/13 20:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\system32\scecli.dll

========== Files - Unicode (All) ==========
[2009/12/17 00:54:57 | 000,019,456 | ---- | C] ()(C:\Documents and Settings\Billy\My Documents\R??L R?vTLµti??.doc) -- C:\Documents and Settings\Billy\My Documents\ŖǿғŁ Řέ√ΘĻµŧįỠ₪.doc
[2006/03/08 20:16:20 | 000,019,456 | ---- | M] ()(C:\Documents and Settings\Billy\My Documents\R??L R?vTLµti??.doc) -- C:\Documents and Settings\Billy\My Documents\ŖǿғŁ Řέ√ΘĻµŧįỠ₪.doc

========== Alternate Data Streams ==========

@Alternate Data Stream - 103 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2
< End of report >

And here is the Extras.txt file:

OTL Extras logfile created on: 4/8/2010 1:56:51 PM - Run 1
OTL by OldTimer - Version 3.2.1.0 Folder = C:\Documents and Settings\Billy\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 58.00% Memory free
4.00 Gb Paging File | 3.00 Gb Available in Paging File | 83.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 298.08 Gb Total Space | 91.26 Gb Free Space | 30.61% Space Free | Partition Type: NTFS
Drive D: | 562.83 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: BILLYZONE
Current User Name: Billy
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.html [@ = htmlfile] -- C:\Program Files\Internet Explorer\iexplore.exe File not found

[HKEY_USERS\S-1-5-21-484763869-796845957-725345543-1003\SOFTWARE\Classes\<extension>]
.exe [@ = exefile] -- Reg Error: Key error. File not found
.html [@ = htmlfile] -- Reg Error: Key error. File not found

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- "C:\Program Files\Microsoft Office\Office12\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" -nohome File not found
htmlfile [opennew] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 File not found
htmlfile [print] -- "C:\Program Files\Microsoft Office\Office12\msohtmed.exe" /p %1 (Microsoft Corporation)
http [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome File not found
https [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome File not found
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [AddToPlaylistVLC] -- "C:\Program Files\VLC Media Player\vlc.exe" --started-from-file --playlist-enqueue "%1" ()
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [OneNote.Open] -- C:\PROGRA~1\MICROS~3\Office12\ONENOTE.EXE "%L" (Microsoft Corporation)
Directory [PlayWithVLC] -- "C:\Program Files\VLC Media Player\vlc.exe" --started-from-file --no-playlist-enqueue "%1" ()
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Applications\iexplore.exe [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 File not found
CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -- "C:\Program Files\Internet Explorer\iexplore.exe" File not found

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 1
"FirewallDisableNotify" = 1
"UpdatesDisableNotify" = 1
"AntiVirusOverride" = 1
"FirewallOverride" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 0
"DoNotAllowExceptions" = 0
"DisableNotifications" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0
"DoNotAllowExceptions" = 0
"DisableNotifications" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"13727:TCP" = 13727:TCP:*:Enabled:BitComet 13727 TCP
"13727:UDP" = 13727:UDP:*:Enabled:BitComet 13727 UDP
"1900:UDP" = 1900:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22008
"3838:TCP" = 3838:TCP:*:Enabled:kjggb

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\WINDOWS\system32\usmt\migwiz.exe" = C:\WINDOWS\system32\usmt\migwiz.exe:*:Enabled:Files and Settings Transfer Wizard -- (Microsoft Corporation)
"C:\Program Files\Valve\Steam\Steam.exe" = C:\Program Files\Valve\Steam\Steam.exe:*:Enabled:Steam -- (Valve Corporation)
"C:\Program Files\iTunes\iTunes.exe" = C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes -- (Apple Inc.)
"C:\Program Files\Valve\Steam\steamapps\billydakid014\counter-strike source\hl2.exe" = C:\Program Files\Valve\Steam\steamapps\billydakid014\counter-strike source\hl2.exe:*:Enabled:hl2 -- ()
"C:\Program Files\BitComet\BitComet.exe" = C:\Program Files\BitComet\BitComet.exe:*:Enabled:BitComet.exe -- (www.BitComet.com)
"C:\Program Files\Autodesk\backburner\monitor.exe" = C:\Program Files\Autodesk\backburner\monitor.exe:*:Enabled:backburner 2.3 monitor -- (Autodesk, Inc.)
"C:\Program Files\Autodesk\backburner\manager.exe" = C:\Program Files\Autodesk\backburner\manager.exe:*:Enabled:backburner 2.3 manager -- (Autodesk, Inc.)
"C:\Program Files\Autodesk\backburner\server.exe" = C:\Program Files\Autodesk\backburner\server.exe:*:Enabled:backburner 2.3 server -- (Autodesk, Inc.)
"C:\Program Files\Activision\Call of Duty 4 - Modern Warfare\iw3mp.exe" = C:\Program Files\Activision\Call of Duty 4 - Modern Warfare\iw3mp.exe:*:Enabled:Call of Duty® 4 - Modern Warfare™ -- ()
"C:\Program Files\Unreal Tournament 3\Binaries\UT3.exe" = C:\Program Files\Unreal Tournament 3\Binaries\UT3.exe:*:Enabled:Unreal Tournament 3 -- ()
"C:\WINDOWS\system32\dplaysvr.exe" = C:\WINDOWS\system32\dplaysvr.exe:*:Enabled:Microsoft DirectPlay Helper -- (Microsoft Corporation)
"C:\Program Files\Microsoft Games\Midtown Madness 2\Midtown2.exe" = C:\Program Files\Microsoft Games\Midtown Madness 2\Midtown2.exe:*:Enabled:Midtown Madness 2 Executable -- (Angel Studios)
"C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE" = C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook -- (Microsoft Corporation)
"C:\Program Files\Microsoft Office\Office12\GROOVE.EXE" = C:\Program Files\Microsoft Office\Office12\GROOVE.EXE:*:Enabled:Microsoft Office Groove -- (Microsoft Corporation)
"C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE" = C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:*:Enabled:Microsoft Office OneNote -- (Microsoft Corporation)
"C:\WINDOWS\explorer.exe" = C:\WINDOWS\explorer.exe:*:Enabled:Explorer -- (Microsoft Corporation)
"C:\Program Files\McAfee\MSK\msksrver.exe" = C:\Program Files\McAfee\MSK\msksrver.exe:*:Enabled:MskSrver -- File not found
"C:\Program Files\McAfee.com\Agent\mcupdate.exe" = C:\Program Files\McAfee.com\Agent\mcupdate.exe:*:Enabled:mcupdate -- File not found
"C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe" = C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe:*:Enabled:McAfee Network Agent -- (McAfee, Inc.)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{048298C9-A4D3-490B-9FF9-AB023A9238F3}" = Steam
"{07287123-B8AC-41CE-8346-3D777245C35B}" = Bonjour
"{0CE1A6C0-F3F7-49E6-8F9D-2431F9827441}" = Guitar Hero III
"{147BCE03-C0F1-4C9F-8157-6A89B6D2D973}" = McAfee VirusScan Enterprise
"{18455581-E099-4BA8-BC6B-F34B2F06600C}" = Google Toolbar for Internet Explorer
"{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = Google Toolbar for Internet Explorer
"{236BB7C4-4419-42FD-0409-1E257A25E34D}" = Adobe Photoshop CS2
"{26A24AE4-039D-4CA4-87B4-2F83216017FF}" = Java™ 6 Update 17
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{3D347E6D-5A03-4342-B5BA-6A771885F379}" = Backburner
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{786C5747-1033-0000-B58E-000000000001}" = Adobe Stock Photos 1.0
"{8A15B7D9-908A-4EF9-BA84-5AEDE61743EE}" = Call of Duty® 4 - Modern Warfare™ 1.6 Patch
"{8EDBA74D-0686-4C99-BFDD-F894678E5B39}" = Adobe Common File Installer
"{90120000-0010-0409-0000-0000000FF1CE}" = Microsoft Software Update for Web Folders (English) 12
"{90120000-0015-0409-0000-0000000FF1CE}" = Microsoft Office Access MUI (English) 2007
"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
"{90120000-0019-0409-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (English) 2007
"{90120000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-0030-0000-0000-0000000FF1CE}" = Microsoft Office Enterprise 2007
"{90120000-0044-0409-0000-0000000FF1CE}" = Microsoft Office InfoPath MUI (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-00A1-0409-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (English) 2007
"{90120000-00BA-0409-0000-0000000FF1CE}" = Microsoft Office Groove MUI (English) 2007
"{90120000-0114-0409-0000-0000000FF1CE}" = Microsoft Office Groove Setup Metadata MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120000-0117-0409-0000-0000000FF1CE}" = Microsoft Office Access Setup Metadata MUI (English) 2007
"{931C37FC-594D-43A9-B10F-A2F2B1F03498}" = Call of Duty® 4 - Modern Warfare™ 1.7 Patch
"{981029E0-7FC9-4CF3-AB39-6F133621921A}" = Skype Toolbars
"{99ECF41F-5CCA-42BD-B8B8-A8333E2E2944}" = iTunes
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A638557B-1F13-40A0-9627-C892FBCA6960}" = McAfee Agent
"{A651A7C3-798E-44B6-AD64-EC14BBC10D88}" = Guitar Hero Three Control Panel
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{AC76BA86-7AD7-1033-7B44-A81000000003}" = Adobe Reader 8.1.0
"{B74D4E10-1033-0000-0000-000000000001}" = Adobe Bridge 1.0
"{BFA90209-7AFF-4DB6-8E4B-E57305751AD7}" = Unreal Tournament 3
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C337BDAF-CB4E-47E2-BE1A-CB31BB7DD0E3}" = Apple Mobile Device Support
"{C5C1C0F0-D62F-4DBF-81D4-D7EF397C228B}" = NVIDIA PhysX
"{C78EAC6F-7A73-452E-8134-DBB2165C5A68}" = QuickTime
"{C9BED750-1211-4480-B1A5-718A3BE15525}" = REALTEK GbE & FE Ethernet PCI-E NIC Driver
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D103C4BA-F905-437A-8049-DB24763BBE36}" = Skype™ 4.1
"{DBB313D6-4B13-4961-BD5F-673CDA1793CC}" = Autodesk 3ds Max 8
"{E48469CC-635E-4FD5-A122-1497C286D217}" = Call of Duty® 4 - Modern Warfare™
"{E9787678-1033-0000-8E67-000000000001}" = Adobe Help Center 1.0
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"53F13DB4D9611FD63BE580F06F0729BF236ABE68" = Windows Driver Package - Advanced Micro Devices (AmdK8) Processor (05/27/2006 1.3.2.0)
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Adobe Photoshop CS2 - {236BB7C4-4419-42FD-0409-1E257A25E34D}" = Adobe Photoshop CS2
"Age of Empires 2.0" = Microsoft Age of Empires II
"Age of Empires II: The Conquerors Expansion 1.0" = Microsoft Age of Empires II: The Conquerors Expansion
"Autodesk DWF Viewer" = Autodesk DWF Viewer
"BitComet" = BitComet 1.16
"BPM Counter_is1" = BPM Counter 1.0.3.0
"Cool Edit Pro 2.1" = Cool Edit Pro 2.1
"ENTERPRISE" = Microsoft Office Enterprise 2007
"Google Chrome" = Google Chrome
"ie8" = Windows Internet Explorer 8
"InstallShield_{8A15B7D9-908A-4EF9-BA84-5AEDE61743EE}" = Call of Duty® 4 - Modern Warfare™ 1.6 Patch
"InstallShield_{931C37FC-594D-43A9-B10F-A2F2B1F03498}" = Call of Duty® 4 - Modern Warfare™ 1.7 Patch
"InstallShield_{E48469CC-635E-4FD5-A122-1497C286D217}" = Call of Duty® 4 - Modern Warfare™
"ManyCam" = ManyCam 2.4 (remove only)
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Mozilla Firefox (3.0.16)" = Mozilla Firefox (3.0.16)
"Mozilla Firefox (3.6.3)" = Mozilla Firefox (3.6.3)
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"NVIDIA Display Control Panel" = NVIDIA Display Control Panel
"NVIDIA Drivers" = NVIDIA Drivers
"NVIDIA nView Desktop Manager" = NVIDIA nView Desktop Manager
"SopCast" = SopCast 3.2.8
"SystemRequirementsLab" = System Requirements Lab
"VLC media player" = VLC media player 1.0.3
"Wdf01005" = Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
"Winamp" = Winamp
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 3
"WinRAR archiver" = WinRAR archiver
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0
"Xbox_360_CC_Driver" = Xbox 360 Controller for Windows

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-484763869-796845957-725345543-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"InstallShield_{BFA90209-7AFF-4DB6-8E4B-E57305751AD7}" = Unreal Tournament 3
"Winamp Detect" = Winamp Application Detect

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 4/5/2010 6:42:00 PM | Computer Name = BILLYZONE | Source = Application Error | ID = 1000
Description = Faulting application spoolsv.exe, version 5.1.2600.5512, faulting
module unknown, version 0.0.0.0, fault address 0x3d954928.

Error - 4/6/2010 12:20:11 PM | Computer Name = BILLYZONE | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: A connection with the server could not be established

Error - 4/6/2010 12:20:11 PM | Computer Name = BILLYZONE | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This network connection does not exist.

Error - 4/6/2010 12:20:11 PM | Computer Name = BILLYZONE | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This network connection does not exist.

Error - 4/7/2010 11:12:18 AM | Computer Name = BILLYZONE | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: A connection with the server could not be established

Error - 4/7/2010 11:12:19 AM | Computer Name = BILLYZONE | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This network connection does not exist.

Error - 4/7/2010 11:12:19 AM | Computer Name = BILLYZONE | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This network connection does not exist.

Error - 4/8/2010 12:15:23 PM | Computer Name = BILLYZONE | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: A connection with the server could not be established

Error - 4/8/2010 12:15:23 PM | Computer Name = BILLYZONE | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This network connection does not exist.

Error - 4/8/2010 12:15:24 PM | Computer Name = BILLYZONE | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This network connection does not exist.

[ System Events ]
Error - 4/8/2010 12:59:23 PM | Computer Name = BILLYZONE | Source = Disk | ID = 262155
Description = The driver detected a controller error on \Device\Harddisk1\D.

Error - 4/8/2010 12:59:23 PM | Computer Name = BILLYZONE | Source = atapi | ID = 262149
Description = A parity error was detected on \Device\Ide\IdePort1.

Error - 4/8/2010 12:59:23 PM | Computer Name = BILLYZONE | Source = Disk | ID = 262155
Description = The driver detected a controller error on \Device\Harddisk1\D.

Error - 4/8/2010 12:59:51 PM | Computer Name = BILLYZONE | Source = atapi | ID = 262153
Description = The device, \Device\Ide\IdePort1, did not respond within the timeout
period.

Error - 4/8/2010 1:00:40 PM | Computer Name = BILLYZONE | Source = atapi | ID = 262153
Description = The device, \Device\Ide\IdePort1, did not respond within the timeout
period.

Error - 4/8/2010 1:00:56 PM | Computer Name = BILLYZONE | Source = atapi | ID = 262153
Description = The device, \Device\Ide\IdePort1, did not respond within the timeout
period.

Error - 4/8/2010 1:01:37 PM | Computer Name = BILLYZONE | Source = PlugPlayManager | ID = 12
Description = The device 'WDC WD2500AAKS-00VYA0' (IDE\DiskWDC_WD2500AAKS-00VYA0___________________12.01B02\5&65b6fab&0&0.1.0)
disappeared from the system without first being prepared for removal.

Error - 4/8/2010 1:52:42 PM | Computer Name = BILLYZONE | Source = DCOM | ID = 10000
Description = Unable to start a DCOM Server: {0002DF01-0000-0000-C000-000000000046}.
The
error: "%2" Happened while starting this command: "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
-Embedding

Error - 4/8/2010 1:54:10 PM | Computer Name = BILLYZONE | Source = DCOM | ID = 10000
Description = Unable to start a DCOM Server: {0002DF01-0000-0000-C000-000000000046}.
The
error: "%2" Happened while starting this command: "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
-Embedding

Error - 4/8/2010 1:57:47 PM | Computer Name = BILLYZONE | Source = DCOM | ID = 10000
Description = Unable to start a DCOM Server: {0002DF01-0000-0000-C000-000000000046}.
The
error: "%2" Happened while starting this command: "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
-Embedding


< End of report >
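
The Extras log above shows a machine whose warning lights have been switched off: every Security Center notify and override value is 1, both Windows Firewall profiles have EnableFirewall = 0, and an enabled, any-host exception named "kjggb" sits on 3838/TCP next to the legitimate BitComet rules. The Python script below is an added example (not from this thread and not part of OTL) that pulls those checks out of an Extras.txt excerpt. The excerpt is constructed from the values posted above; the "random-looking rule name" heuristic is this example's own assumption, not a rule that OTL or Security Center applies.

```python
"""Triage the Security Center / Windows Firewall section of an OTL Extras.txt log.

Added example, not from the thread: it re-implements a few checks a malware
responder does by eye on the Extras log.  SAMPLE_EXTRAS is a constructed
excerpt, copied from the values shown in the posted log.
"""
import re

# Constructed sample: the relevant lines from the Extras.txt log above.
SAMPLE_EXTRAS = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 1
"FirewallDisableNotify" = 1
"UpdatesDisableNotify" = 1
"AntiVirusOverride" = 1
"FirewallOverride" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 0
"DoNotAllowExceptions" = 0
"DisableNotifications" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0
"DoNotAllowExceptions" = 0
"DisableNotifications" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"13727:TCP" = 13727:TCP:*:Enabled:BitComet 13727 TCP
"13727:UDP" = 13727:UDP:*:Enabled:BitComet 13727 UDP
"1900:UDP" = 1900:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22008
"3838:TCP" = 3838:TCP:*:Enabled:kjggb
"""

KEY_RE = re.compile(r"^\[(?P<key>HKEY_[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<data>.*)$')

# Security Center values that, when set to 1, silence the XP warnings that
# antivirus / firewall / updates are off, or make Security Center ignore them.
SUPPRESSION_VALUES = (
    "AntiVirusDisableNotify", "AntiVirusOverride",
    "FirewallDisableNotify", "FirewallOverride", "UpdatesDisableNotify",
)
# Heuristic (this example's assumption): a bare run of lowercase letters with
# no vendor name, digits or resource reference looks like a generated rule name.
RANDOM_NAME_RE = re.compile(r"^[a-z]{4,10}$")


def parse_registry_dump(text):
    """Return {key: {value_name: data}} from OTL's [KEY] / "name" = data layout."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            current = keys.setdefault(m.group("key"), {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            current[m.group("name")] = m.group("data").strip()
    return keys


def triage(text):
    """Return a list of (severity, finding) tuples for weakened settings."""
    findings = []
    for key, values in parse_registry_dump(text).items():
        if key.endswith(r"\Security Center"):
            for name in SUPPRESSION_VALUES:
                if values.get(name) == "1":
                    findings.append(("high", f"Security Center: {name}=1 (warning suppressed)"))
        elif re.search(r"FirewallPolicy\\(Domain|Standard)Profile$", key):
            profile = key.rsplit("\\", 1)[1]
            if values.get("EnableFirewall") == "0":
                findings.append(("high", f"{profile}: Windows Firewall disabled"))
            if values.get("DisableNotifications") == "1":
                findings.append(("medium", f"{profile}: firewall notifications disabled"))
        elif key.endswith(r"\GloballyOpenPorts\List"):
            for data in values.values():
                port, proto, scope, state, desc = data.split(":", 4)
                if state != "Enabled":
                    continue  # disabled UPnP/SSDP defaults are not a finding
                if scope == "*" and RANDOM_NAME_RE.match(desc):
                    findings.append(("high", f"open port {port}/{proto} to any host, rule name '{desc}' looks generated"))
                elif scope == "*":
                    findings.append(("review", f"open port {port}/{proto} to any host: {desc}"))
    return findings


if __name__ == "__main__":
    for severity, finding in triage(SAMPLE_EXTRAS):
        print(f"[{severity:6}] {finding}")
```

The "review" tier is deliberate: BitComet's rules are user-installed P2P exceptions, which a responder confirms with the owner rather than deletes. On the live machine the same values can be read with `reg query "HKLM\SOFTWARE\Microsoft\Security Center"` and the firewall profile keys, which is worth doing after cleanup, because a fix that removes the malware does not by itself turn the firewall or the warnings back on.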

#4 syler

syler

  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK

Posted 09 April 2010 - 06:40 AM

Hi WildBill4,

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    CODE
    :OTL
    SRV - File not found [On_Demand | Stopped] -- -- (gusvc)
    O2 - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll File not found
    O2 - BHO: (no name) - {45b191b0-bc08-4180-9b7f-42a50c3f6e3e} - File not found
    O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.4.4525.1752\swg.dll File not found
    O4 - HKLM..\Run: [Fgisit] C:\WINDOWS\upayiyuk.DLL File not found
    O4 - HKLM..\Run: [jepihopami] File not found
    O4 - HKLM..\Run: [kosekudod] C:\WINDOWS\System32\kujonuva.DLL ()
    O4 - HKLM..\Run: [nwiz] File not found
    O4 - HKLM..\Run: [UserFaultCheck] File not found
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
    O20 - AppInit_DLLs: (lebobofu.dll) - File not found
    O20 - AppInit_DLLs: (c:\windows\system32\nisinupo.dll) - C:\WINDOWS\System32\nisinupo.dll File not found
    O20 - AppInit_DLLs: (c:\windows\system32\nukiyofi.dll) - C:\WINDOWS\System32\nukiyofi.dll File not found
    O20 - AppInit_DLLs: (c:\windows\system32\hilemebu.dll) - C:\WINDOWS\System32\hilemebu.dll File not found
    O20 - AppInit_DLLs: (c:\windows\system32\dolivowa.dll) - C:\WINDOWS\System32\dolivowa.dll File not found
    O20 - AppInit_DLLs: (c:\windows\system32\kujonuva.dll) - C:\WINDOWS\system32\kujonuva.dll ()
    O21 - SSODL: lekipibey - {5ce86582-61be-4e39-906a-dd2bb411c2e6} - C:\WINDOWS\System32\hilemebu.dll File not found
    O21 - SSODL: mufasudom - {13e83c55-c6a1-42ee-91b8-c4d823325aed} - C:\WINDOWS\System32\dolivowa.dll File not found
    O21 - SSODL: nelijekap - {3cdadaa8-295f-4b83-8766-81a774179f67} - C:\WINDOWS\system32\kujonuva.dll ()
    O21 - SSODL: sojihofef - {a3ab4004-aa82-48ba-a989-c68927c895a3} - C:\WINDOWS\System32\nukiyofi.dll File not found
    O21 - SSODL: zavumutah - {b4866378-8491-41dc-81b0-fe31a632962d} - C:\WINDOWS\System32\habanuvo.dll File not found
    O22 - SharedTaskScheduler: {13e83c55-c6a1-42ee-91b8-c4d823325aed} - kupuhivus - C:\WINDOWS\System32\dolivowa.dll File not found
    O22 - SharedTaskScheduler: {3cdadaa8-295f-4b83-8766-81a774179f67} - mujuzedij - C:\WINDOWS\system32\kujonuva.dll ()
    O22 - SharedTaskScheduler: {5ce86582-61be-4e39-906a-dd2bb411c2e6} - mujuzedij - C:\WINDOWS\System32\hilemebu.dll File not found
    O22 - SharedTaskScheduler: {a3ab4004-aa82-48ba-a989-c68927c895a3} - jugezatag - C:\WINDOWS\System32\nukiyofi.dll File not found
    O22 - SharedTaskScheduler: {b4866378-8491-41dc-81b0-fe31a632962d} - tokatiluy - C:\WINDOWS\System32\habanuvo.dll File not found
    O37 - HKU\S-1-5-21-484763869-796845957-725345543-1003\...exe [@ = exefile] -- Reg Error: Key error. File not found
    [2010/04/08 14:00:00 | 000,000,294 | ---- | M] () -- C:\WINDOWS\tasks\yqrbdfle.job
    [2010/04/08 13:00:00 | 000,000,296 | ---- | M] () -- C:\WINDOWS\tasks\tgkmhcnb.job
    [2010/04/05 15:22:40 | 000,010,424 | -HS- | M] () -- C:\Documents and Settings\Billy\Local Settings\Application Data\Wv7V1mEL4UH
    [2010/04/05 15:22:40 | 000,010,424 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\Wv7V1mEL4UH
    [2010/04/05 15:15:33 | 000,182,784 | -HS- | M] () -- C:\Documents and Settings\Billy\Local Settings\Application Data\1633618601.dll
    [2010/03/29 19:41:45 | 000,000,120 | ---- | M] () -- C:\WINDOWS\Cvorexexiv.dat
    [2010/03/29 01:27:09 | 000,000,000 | ---- | M] () -- C:\WINDOWS\Lvuhoz.bin
    [2010/01/08 12:18:50 | 000,043,520 | -HS- | C] () -- C:\WINDOWS\System32\reposoku.dll
    [2010/01/07 23:26:03 | 000,097,280 | -HS- | C] () -- C:\WINDOWS\System32\lokesigo.dll
    [2010/01/07 23:26:03 | 000,064,000 | -HS- | C] () -- C:\WINDOWS\System32\vasajiyo.dll
    [2010/01/07 23:26:03 | 000,043,520 | -HS- | C] () -- C:\WINDOWS\System32\fohakibi.dll
    [2010/01/07 11:25:48 | 000,043,008 | -HS- | C] () -- C:\WINDOWS\System32\kufiselu.dll
    [2010/01/06 23:25:45 | 000,044,032 | -HS- | C] () -- C:\WINDOWS\System32\rakevaka.dll
    [2010/01/06 23:23:05 | 000,066,048 | -HS- | C] () -- C:\WINDOWS\System32\nanehutu.dll
    [2010/01/06 23:23:05 | 000,066,048 | -HS- | C] () -- C:\WINDOWS\System32\muribabi.dll
    [2009/12/22 20:10:30 | 000,000,934 | ---- | C] () -- C:\WINDOWS\System32\krl32mainweq.dll
    [2009/12/17 00:54:57 | 000,019,456 | ---- | C] ()(C:\Documents and Settings\Billy\My Documents\R??L R?vTLµti??.doc) -- C:\Documents and Settings\Billy\My Documents\ŖǿғŁ Řέ√ΘĻµŧįỠ₪.doc
    [2006/03/08 20:16:20 | 000,019,456 | ---- | M] ()(C:\Documents and Settings\Billy\My Documents\R??L R?vTLµti??.doc) -- C:\Documents and Settings\Billy\My Documents\ŖǿғŁ Řέ√ΘĻµŧįỠ₪.doc
    @Alternate Data Stream - 103 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2
    :Commands
    [purity]
    [emptytemp]
    [emptyflash]

  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot when it is done
  • You will get a log that shows the results of the fix. Please post it.
  • Then also run a new OTL scan without the bold text, and post the new OTL log.



Please download Malwarebytes' Anti-Malware from Here

Note: If you already have Malwarebytes' Anti-Malware, just update then run it.
  • Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan (the scan may take some time to finish, so please be patient).
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and Paste the entire report in your next reply .
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.


Then please post back here with the following logs:
  • OTL results
  • New OTL log
  • MBAM log

Thanks
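
The fix above deletes the same handful of DLLs from several load points at once: AppInit_DLLs (loaded into every process that loads user32.dll), ShellServiceObjectDelayLoad and SharedTaskScheduler (both loaded by explorer.exe at logon), a Run key, and the CLSIDs that the SSODL and SharedTaskScheduler entries share. The Python script below is an added example, not syler's or OTL's code, that reads a constructed excerpt of those `:OTL` lines and groups them by DLL and by CLSID, so a responder can see which files OTL could still find on disk ("()" rather than "File not found") and which hooks would survive if only one location were cleaned. The mechanism labels are this script's own names for the OTL line types.

```python
"""Correlate the persistence points in an OTL fix script by DLL and by CLSID.

Added example, not part of the thread: it reads ':OTL' fix lines of the kind
posted above and shows why every entry has to go in the same pass.  SAMPLE_FIX
is a constructed excerpt of those lines; MECHANISMS holds this script's labels.
"""
import re
from collections import defaultdict

# Constructed sample: O4/O20/O21/O22 lines and two file lines from the fix above.
SAMPLE_FIX = r"""
O4 - HKLM..\Run: [Fgisit] C:\WINDOWS\upayiyuk.DLL File not found
O4 - HKLM..\Run: [kosekudod] C:\WINDOWS\System32\kujonuva.DLL ()
O20 - AppInit_DLLs: (lebobofu.dll) - File not found
O20 - AppInit_DLLs: (c:\windows\system32\nisinupo.dll) - C:\WINDOWS\System32\nisinupo.dll File not found
O20 - AppInit_DLLs: (c:\windows\system32\nukiyofi.dll) - C:\WINDOWS\System32\nukiyofi.dll File not found
O20 - AppInit_DLLs: (c:\windows\system32\hilemebu.dll) - C:\WINDOWS\System32\hilemebu.dll File not found
O20 - AppInit_DLLs: (c:\windows\system32\dolivowa.dll) - C:\WINDOWS\System32\dolivowa.dll File not found
O20 - AppInit_DLLs: (c:\windows\system32\kujonuva.dll) - C:\WINDOWS\system32\kujonuva.dll ()
O21 - SSODL: lekipibey - {5ce86582-61be-4e39-906a-dd2bb411c2e6} - C:\WINDOWS\System32\hilemebu.dll File not found
O21 - SSODL: mufasudom - {13e83c55-c6a1-42ee-91b8-c4d823325aed} - C:\WINDOWS\System32\dolivowa.dll File not found
O21 - SSODL: nelijekap - {3cdadaa8-295f-4b83-8766-81a774179f67} - C:\WINDOWS\system32\kujonuva.dll ()
O21 - SSODL: sojihofef - {a3ab4004-aa82-48ba-a989-c68927c895a3} - C:\WINDOWS\System32\nukiyofi.dll File not found
O21 - SSODL: zavumutah - {b4866378-8491-41dc-81b0-fe31a632962d} - C:\WINDOWS\System32\habanuvo.dll File not found
O22 - SharedTaskScheduler: {13e83c55-c6a1-42ee-91b8-c4d823325aed} - kupuhivus - C:\WINDOWS\System32\dolivowa.dll File not found
O22 - SharedTaskScheduler: {3cdadaa8-295f-4b83-8766-81a774179f67} - mujuzedij - C:\WINDOWS\system32\kujonuva.dll ()
O22 - SharedTaskScheduler: {5ce86582-61be-4e39-906a-dd2bb411c2e6} - mujuzedij - C:\WINDOWS\System32\hilemebu.dll File not found
O22 - SharedTaskScheduler: {a3ab4004-aa82-48ba-a989-c68927c895a3} - jugezatag - C:\WINDOWS\System32\nukiyofi.dll File not found
O22 - SharedTaskScheduler: {b4866378-8491-41dc-81b0-fe31a632962d} - tokatiluy - C:\WINDOWS\System32\habanuvo.dll File not found
[2010/04/05 15:15:33 | 000,182,784 | -HS- | M] () -- C:\Documents and Settings\Billy\Local Settings\Application Data\1633618601.dll
[2010/01/08 12:18:50 | 000,043,520 | -HS- | C] () -- C:\WINDOWS\System32\reposoku.dll
"""

# OTL line type -> where that entry gets loaded from (labels are this script's own).
MECHANISMS = {
    "O2": "BHO (loaded by Internet Explorer)",
    "O4": "Run key",
    "O20": "AppInit_DLLs (every process that loads user32.dll)",
    "O21": "SSODL (explorer.exe at logon)",
    "O22": "SharedTaskScheduler (explorer.exe at logon)",
}
ENTRY_RE = re.compile(r"^(?P<code>O\d+) - ")
DLL_RE = re.compile(r"[\w-]+\.dll\b", re.IGNORECASE)          # basenames only
CLSID_RE = re.compile(r"\{[0-9a-f-]{36}\}", re.IGNORECASE)
FILE_RE = re.compile(r"^\[[^|]+\|[^|]+\|\s*(?P<attrs>[-A-Z]{4})\s*\|[^\]]*\]\s*\(.*?\)\s*--\s*(?P<path>.+)$")


def correlate(text):
    """Return (by_dll, by_clsid, present, hidden_files) for the fix lines in text."""
    by_dll = defaultdict(set)    # dll basename -> mechanism labels it is hooked from
    by_clsid = defaultdict(set)  # CLSID -> mechanism labels it is registered under
    present = set()              # DLLs OTL could still see on disk at scan time
    hidden_files = []            # targeted files carrying hidden+system attributes
    for line in text.splitlines():
        line = line.strip()
        m = ENTRY_RE.match(line)
        if m and m.group("code") in MECHANISMS:
            label = MECHANISMS[m.group("code")]
            for name in {d.lower() for d in DLL_RE.findall(line)}:
                by_dll[name].add(label)
                if "File not found" not in line:
                    present.add(name)
            for clsid in CLSID_RE.findall(line):
                by_clsid[clsid.lower()].add(label)
            continue
        m = FILE_RE.match(line)
        if m and "H" in m.group("attrs") and "S" in m.group("attrs"):
            hidden_files.append(m.group("path"))
    return by_dll, by_clsid, present, hidden_files


def multi_hooked(by_dll, minimum=2):
    """(dll, hook count) for DLLs loaded from `minimum` or more places, most hooks first."""
    return sorted(((d, len(m)) for d, m in by_dll.items() if len(m) >= minimum),
                  key=lambda item: (-item[1], item[0]))


def double_registered(by_clsid):
    """CLSIDs that are both an SSODL entry and a SharedTaskScheduler entry."""
    return sorted(c for c, m in by_clsid.items()
                  if any(l.startswith("SSODL") for l in m)
                  and any(l.startswith("SharedTaskScheduler") for l in m))


if __name__ == "__main__":
    by_dll, by_clsid, present, hidden = correlate(SAMPLE_FIX)
    for dll, count in multi_hooked(by_dll):
        state = "still on disk" if dll in present else "dangling reference"
        print(f"{dll:14} {count} load points  ({state}): {sorted(by_dll[dll])}")
    print("CLSIDs under both SSODL and SharedTaskScheduler:", double_registered(by_clsid))
    print("hidden+system files targeted:", hidden)
```

On this sample, kujonuva.dll is the only DLL OTL still found on disk, and it is hooked from four places; the other "File not found" entries are leftovers from DLL names the infection has already rotated through, which is why the fix also removes the orphaned Run, SSODL and SharedTaskScheduler values rather than only the file.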



#5 WildBill4

WildBill4
  • Topic Starter

  • Members
  • 14 posts

Posted 10 April 2010 - 02:19 PM

Hello! Here are the fix's log results:

CODE
All processes killed
========== OTL ==========
Service gusvc stopped successfully!
Service gusvc deleted successfully!
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{AA58ED58-01DD-4d91-8333-CF10577473F7}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{45b191b0-bc08-4180-9b7f-42a50c3f6e3e}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{45b191b0-bc08-4180-9b7f-42a50c3f6e3e}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}\ deleted successfully.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\Fgisit deleted successfully.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\jepihopami deleted successfully.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\kosekudod deleted successfully.
File C:\WINDOWS\System32\kujonuva.DLL not found.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\nwiz deleted successfully.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\UserFaultCheck deleted successfully.
Starting removal of ActiveX control {E2883E8F-472F-4FB0-9522-AC9BF37916A7}
C:\WINDOWS\Downloaded Program Files\gp.inf not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_Dlls:lebobofu.dll deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_Dlls:c:\windows\system32\nisinupo.dll deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_Dlls:c:\windows\system32\nukiyofi.dll deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_Dlls:c:\windows\system32\hilemebu.dll deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_Dlls:c:\windows\system32\dolivowa.dll deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_Dlls:c:\windows\system32\kujonuva.dll deleted successfully.
File C:\WINDOWS\system32\kujonuva.dll not found.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\\lekipibey deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5ce86582-61be-4e39-906a-dd2bb411c2e6}\ deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\\mufasudom deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{13e83c55-c6a1-42ee-91b8-c4d823325aed}\ deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\\nelijekap not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3cdadaa8-295f-4b83-8766-81a774179f67}\ not found.
File C:\WINDOWS\system32\kujonuva.dll not found.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\\sojihofef deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{a3ab4004-aa82-48ba-a989-c68927c895a3}\ deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\\zavumutah deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{b4866378-8491-41dc-81b0-fe31a632962d}\ deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\\{13e83c55-c6a1-42ee-91b8-c4d823325aed} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{13e83c55-c6a1-42ee-91b8-c4d823325aed}\ not found.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\\{3cdadaa8-295f-4b83-8766-81a774179f67} not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3cdadaa8-295f-4b83-8766-81a774179f67}\ not found.
File C:\WINDOWS\system32\kujonuva.dll not found.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\\{5ce86582-61be-4e39-906a-dd2bb411c2e6} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5ce86582-61be-4e39-906a-dd2bb411c2e6}\ not found.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\\{a3ab4004-aa82-48ba-a989-c68927c895a3} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{a3ab4004-aa82-48ba-a989-c68927c895a3}\ not found.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\\{b4866378-8491-41dc-81b0-fe31a632962d} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{b4866378-8491-41dc-81b0-fe31a632962d}\ not found.
Registry key HKEY_USERS\S-1-5-21-484763869-796845957-725345543-1003_Classes\.exe\ deleted successfully.
HKEY_LOCAL_MACHINE\Software\Classes\.exe\\|exefile /E : value set successfully!
C:\WINDOWS\tasks\yqrbdfle.job moved successfully.
C:\WINDOWS\tasks\tgkmhcnb.job moved successfully.
C:\Documents and Settings\Billy\Local Settings\Application Data\Wv7V1mEL4UH moved successfully.
C:\Documents and Settings\All Users\Application Data\Wv7V1mEL4UH moved successfully.
C:\Documents and Settings\Billy\Local Settings\Application Data\1633618601.dll moved successfully.
C:\WINDOWS\Cvorexexiv.dat moved successfully.
C:\WINDOWS\Lvuhoz.bin moved successfully.
C:\WINDOWS\system32\reposoku.dll moved successfully.
File C:\WINDOWS\System32\lokesigo.dll not found.
C:\WINDOWS\system32\vasajiyo.dll moved successfully.
C:\WINDOWS\system32\fohakibi.dll moved successfully.
C:\WINDOWS\system32\kufiselu.dll moved successfully.
C:\WINDOWS\system32\rakevaka.dll moved successfully.
C:\WINDOWS\system32\nanehutu.dll moved successfully.
C:\WINDOWS\system32\muribabi.dll moved successfully.
C:\WINDOWS\system32\krl32mainweq.dll moved successfully.
File C:\Documents and Settings\Billy\My Documents\R,o/'?? R(???L,µ?i;O+~?.doc not found.
File C:\Documents and Settings\Billy\My Documents\R,o/'?? R(???L,µ?i;O+~?.doc not found.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2 deleted successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Billy
->Temp folder emptied: 694224257 bytes
->Temporary Internet Files folder emptied: 204248137 bytes
->Java cache emptied: 49216788 bytes
->FireFox cache emptied: 68484326 bytes
->Google Chrome cache emptied: 110114534 bytes
->Flash cache emptied: 64505 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: LocalService
->Temp folder emptied: 66016 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33237 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 2800281 bytes
%systemroot%\System32 .tmp files removed: 2932753 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 73458464 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 23958342 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 34318 bytes
RecycleBin emptied: 3880627935 bytes

Total Files Cleaned = 4,874.00 mb


[EMPTYFLASH]

User: All Users

User: Billy
->Flash cache emptied: 0 bytes

User: Default User

User: LocalService

User: NetworkService

Total Flash Files Cleaned = 0.00 mb


OTL by OldTimer - Version 3.2.1.0 log created on 04102010_014809

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...


And here are the new OTL scan results:

CODE
OTL logfile created on: 4/10/2010 1:59:55 AM - Run 2
OTL by OldTimer - Version 3.2.1.0     Folder = C:\Documents and Settings\Billy\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 68.00% Memory free
4.00 Gb Paging File | 3.00 Gb Available in Paging File | 89.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 298.08 Gb Total Space | 95.92 Gb Free Space | 32.18% Space Free | Partition Type: NTFS
Drive D: | 562.83 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: BILLYZONE
Current User Name: Billy
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/04/08 13:56:01 | 000,561,664 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Billy\Desktop\OTL.exe
PRC - [2010/04/02 00:26:25 | 000,910,296 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2010/02/20 00:00:30 | 001,217,872 | ---- | M] (Valve Corporation) -- C:\Program Files\Valve\Steam\steam.exe
PRC - [2009/12/20 22:36:28 | 000,072,704 | ---- | M] (Autodesk) -- C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
PRC - [2009/01/09 12:31:16 | 002,482,848 | ---- | M] (McAfee, Inc.) -- c:\Program Files\Common Files\McAfee\MNA\McNASvc.exe
PRC - [2008/09/29 08:07:00 | 000,143,088 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
PRC - [2008/09/29 08:07:00 | 000,124,240 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan Enterprise\shstat.exe
PRC - [2008/09/29 08:07:00 | 000,067,904 | ---- | M] (McAfee, Inc.) -- C:\WINDOWS\system32\mfevtps.exe
PRC - [2008/09/29 08:07:00 | 000,062,800 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
PRC - [2008/09/29 08:07:00 | 000,026,672 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan Enterprise\mfeann.exe
PRC - [2008/09/29 08:07:00 | 000,019,456 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan Enterprise\EngineServer.exe
PRC - [2008/04/13 20:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2008/03/14 04:00:00 | 000,226,624 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\Common Framework\naPrdMgr.exe
PRC - [2008/03/14 04:00:00 | 000,136,512 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\Common Framework\UdaterUI.exe
PRC - [2008/03/14 04:00:00 | 000,103,744 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\Common Framework\FrameworkService.exe
PRC - [2008/03/14 04:00:00 | 000,091,456 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\Common Framework\McTray.exe
PRC - [2005/09/21 15:13:44 | 000,065,536 | ---- | M] () -- C:\Program Files\Autodesk\3DS Max 8\mentalray\satellite\raysat_3dsmax8server.exe


========== Modules (SafeList) ==========

MOD - [2010/04/08 13:56:01 | 000,561,664 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Billy\Desktop\OTL.exe
MOD - [2010/01/10 00:59:39 | 000,097,280 | -HS- | M] () -- C:\WINDOWS\system32\jojopedu.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [Auto | Stopped] --  -- (McProxy)
SRV - File not found [Auto | Stopped] --  -- (mcmscsvc)
SRV - [2009/12/20 22:36:28 | 000,072,704 | ---- | M] (Autodesk) [Auto | Running] -- C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe -- (Autodesk Licensing Service)
SRV - [2009/01/09 12:31:16 | 002,482,848 | ---- | M] (McAfee, Inc.) [Auto | Running] -- c:\Program Files\Common Files\McAfee\MNA\McNASvc.exe -- (McNASvc)
SRV - [2008/09/29 08:07:00 | 000,143,088 | ---- | M] (McAfee, Inc.) [Unknown | Running] -- C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe -- (McShield)
SRV - [2008/09/29 08:07:00 | 000,067,904 | ---- | M] (McAfee, Inc.) [Unknown | Running] -- C:\WINDOWS\system32\mfevtps.exe -- (mfevtp)
SRV - [2008/09/29 08:07:00 | 000,062,800 | ---- | M] (McAfee, Inc.) [Unknown | Running] -- C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe -- (McTaskManager)
SRV - [2008/09/29 08:07:00 | 000,019,456 | ---- | M] (McAfee, Inc.) [Unknown | Running] -- C:\Program Files\McAfee\VirusScan Enterprise\EngineServer.exe -- (McAfeeEngineService)
SRV - [2008/03/14 04:00:00 | 000,103,744 | ---- | M] (McAfee, Inc.) [Unknown | Running] -- C:\Program Files\McAfee\Common Framework\FrameworkService.exe -- (McAfeeFramework)
SRV - [2005/09/21 15:13:44 | 000,065,536 | ---- | M] () [Auto | Running] -- C:\Program Files\Autodesk\3DS Max 8\mentalray\satellite\raysat_3dsmax8server.exe -- (mi-raysat_3dsmax8)


========== Driver Services (SafeList) ==========

DRV - [2010/04/05 19:10:18 | 000,052,480 | ---- | M] () [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\i8042prt.sys -- (i8042prt)
DRV - [2010/02/15 14:14:32 | 000,124,464 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\SYMEVENT.SYS -- (SymEvent)
DRV - [2010/02/15 14:14:25 | 000,036,272 | R--- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\SymIM.sys -- (SymIMMP)
DRV - [2010/02/15 14:14:25 | 000,036,272 | R--- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\SymIM.sys -- (SymIM)
DRV - [2009/11/20 22:34:54 | 010,235,968 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nv4_mini.sys -- (nv)
DRV - [2009/05/09 02:14:20 | 000,014,736 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nuidfltr.sys -- (NuidFltr)
DRV - [2008/09/29 08:07:00 | 000,340,592 | ---- | M] (McAfee, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\mfehidk.sys -- (mfehidk)
DRV - [2008/09/29 08:07:00 | 000,090,360 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mfeavfk.sys -- (mfeavfk)
DRV - [2008/09/29 08:07:00 | 000,074,648 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mfeapfk.sys -- (mfeapfk)
DRV - [2008/09/29 08:07:00 | 000,064,432 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mferkdet.sys -- (mferkdet)
DRV - [2008/09/29 08:07:00 | 000,062,704 | ---- | M] (McAfee, Inc.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\mfetdik.sys -- (mfetdik)
DRV - [2008/09/29 08:07:00 | 000,042,424 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mfebopk.sys -- (mfebopk)
DRV - [2008/04/13 12:36:05 | 000,144,384 | ---- | M] (Windows ® Server 2003 DDK provider) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\hdaudbus.sys -- (HDAudBus)
DRV - [2008/01/14 06:06:32 | 000,021,632 | ---- | M] (ManyCam LLC.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ManyCam.sys -- (ManyCam)
DRV - [2007/10/23 06:51:04 | 000,103,296 | R--- | M] (Realtek Semiconductor Corporation                           ) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\Rtenicxp.sys -- (RTLE8023xp)
DRV - [2007/04/10 20:04:40 | 004,397,568 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\RtkHDAud.sys -- (IntcAzAudAddService) Service for Realtek HD Audio (WDM)
DRV - [2006/07/01 23:39:40 | 000,036,864 | ---- | M] (Advanced Micro Devices) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\AmdK8.sys -- (AmdK8)
DRV - [2006/06/01 14:15:20 | 000,509,440 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\xnacc.sys -- (xnacc)
DRV - [2005/03/16 02:23:54 | 000,013,696 | R--- | M] (BIOSTAR Group) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\BIOS.sys -- (BIOS)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========



IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local



IE - HKU\S-1-5-21-484763869-796845957-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-484763869-796845957-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "http://www.google.com/"
FF - prefs.js..extensions.enabledItems: {e4a8a97b-f2ed-450b-b12d-ee082ba24781}:0.8.20100211.5
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
FF - prefs.js..extensions.enabledItems: {4C5FA377-44B8-46A5-B329-33B2C547E87F}:1.9.1

FF - HKLM\software\mozilla\Firefox\extensions\\{4C5FA377-44B8-46A5-B329-33B2C547E87F}: C:\Documents and Settings\Billy\Local Settings\Application Data\{4C5FA377-44B8-46A5-B329-33B2C547E87F} [2010/01/12 01:06:50 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.0.16\extensions\\Components: E:\Program Files\Mozilla Firefox\components
FF - HKLM\software\mozilla\Mozilla Firefox 3.0.16\extensions\\Plugins: E:\Program Files\Mozilla Firefox\plugins
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.3\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/04/02 00:26:28 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.3\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/04/02 00:26:28 | 000,000,000 | ---D | M]

[2010/02/03 15:32:29 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Billy\Application Data\Mozilla\Extensions
[2010/02/03 15:32:29 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Billy\Application Data\Mozilla\Extensions\mozswing@mozswing.org
[2010/04/09 15:32:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Billy\Application Data\Mozilla\Firefox\Profiles\3m0z23rm.default\extensions
[2009/12/16 23:56:24 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\Billy\Application Data\Mozilla\Firefox\Profiles\3m0z23rm.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2009/12/16 23:56:23 | 000,000,000 | ---D | M] (Aquatint Black Gloss) -- C:\Documents and Settings\Billy\Application Data\Mozilla\Firefox\Profiles\3m0z23rm.default\extensions\{7694c49c-9fbd-11dc-8314-0800200c9a66}
[2010/03/27 14:56:44 | 000,000,000 | ---D | M] (Greasemonkey) -- C:\Documents and Settings\Billy\Application Data\Mozilla\Firefox\Profiles\3m0z23rm.default\extensions\{e4a8a97b-f2ed-450b-b12d-ee082ba24781}
[2010/04/09 13:13:05 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2009/12/17 20:31:54 | 000,063,488 | ---- | M] (Nullsoft) -- C:\Program Files\Mozilla Firefox\plugins\npwachk.dll

O1 HOSTS File: ([2004/08/04 08:00:00 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1       localhost
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (no name) - {45b191b0-bc08-4180-9b7f-42a50c3f6e3e} -  File not found
O2 - BHO: (Groove GFS Browser Helper) - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)
O2 - BHO: (scriptproxy) - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptsn.dll (McAfee, Inc.)
O2 - BHO: (Skype add-on for Internet Explorer) - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O3 - HKLM\..\Toolbar: (Google Toolbar) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll File not found
O3 - HKU\S-1-5-21-484763869-796845957-725345543-1003\..\Toolbar\WebBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll File not found
O4 - HKLM..\Run: [Alcmtr] C:\WINDOWS\Alcmtr.exe (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [jepihopami]  File not found
O4 - HKLM..\Run: [kosekudod] C:\WINDOWS\System32\jojopedu.DLL ()
O4 - HKLM..\Run: [McAfeeUpdaterUI] C:\Program Files\McAfee\Common Framework\udaterui.exe (McAfee, Inc.)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] C:\WINDOWS\System32\NvMcTray.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [ShStatEXE] C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE (McAfee, Inc.)
O4 - HKLM..\Run: [SkyTel] C:\WINDOWS\SkyTel.exe (Realtek Semiconductor Corp.)
O4 - HKU\S-1-5-21-484763869-796845957-725345543-1003..\Run: [Steam] c:\program files\valve\steam\steam.exe (Valve Corporation)
O4 - Startup: C:\Documents and Settings\Billy\Start Menu\Programs\Startup\Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (Adobe Systems, Inc.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-484763869-796845957-725345543-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office12\EXCEL.EXE (Microsoft Corporation)
O9 - Extra Button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra Button: Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O9 - Extra 'Tools' menuitem : Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} http://www.nvidia.com/content/DriverDownload/srl/3.0.0.4/srl_bin/sysreqlab_nvd.cab (System Requirements Lab Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab (Java Plug-in 1.6.0_17)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 65.182.32.35 65.182.32.146
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 93.188.164.231,93.188.161.72
O18 - Protocol\Handler\grooveLocalGWS {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll (Microsoft Corporation)
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O18 - Protocol\Handler\skype-ie-addon-data {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - AppInit_DLLs: (c:\windows\system32\jojopedu.dll) - C:\WINDOWS\system32\jojopedu.dll ()
O20 - AppInit_DLLs: (lebobofu.dll) -  File not found
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O21 - SSODL: pesamojoy - {a5f66586-70b2-4ae3-84d4-5b5d55814b81} - C:\WINDOWS\system32\jojopedu.dll ()
O22 - SharedTaskScheduler: {a5f66586-70b2-4ae3-84d4-5b5d55814b81} - mujuzedij - C:\WINDOWS\system32\jojopedu.dll ()
O24 - Desktop WallPaper: C:\Documents and Settings\Billy\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Billy\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O27 - HKLM IFEO\MpCmdRun.exe: Debugger - C:\WINDOWS\system32\svchost.exe (Microsoft Corporation)
O27 - HKLM IFEO\MSASCui.exe: Debugger - C:\WINDOWS\system32\svchost.exe (Microsoft Corporation)
O27 - HKLM IFEO\MsMpEng.exe: Debugger - C:\WINDOWS\system32\svchost.exe (Microsoft Corporation)
O27 - HKLM IFEO\msseces.exe: Debugger - C:\WINDOWS\system32\svchost.exe (Microsoft Corporation)
O27 - HKLM IFEO\taskmgr.exe: Debugger - "C:\PROGRAM FILES\PROCESS EXPLORER\PROCEXP.EXE" (Sysinternals - www.sysinternals.com)
O28 - HKLM ShellExecuteHooks: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/12/16 22:47:40 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2006/10/28 01:44:05 | 000,000,175 | R--- | M] () - D:\autorun.inf -- [ CDFS ]
O33 - MountPoints2\{853026ba-f007-11de-89ff-00e04d747828}\Shell - "" = AutoRun
O33 - MountPoints2\{853026ba-f007-11de-89ff-00e04d747828}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{853026ba-f007-11de-89ff-00e04d747828}\Shell\AutoRun\command - "" = F:\LaunchU3.exe -- File not found
O33 - MountPoints2\{c350b446-02db-11df-8a1f-00e04d747828}\Shell - "" = AutoRun
O33 - MountPoints2\{c350b446-02db-11df-8a1f-00e04d747828}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{c350b446-02db-11df-8a1f-00e04d747828}\Shell\AutoRun\command - "" = F:\LaunchU3.exe -- File not found
O33 - MountPoints2\{c350b447-02db-11df-8a1f-00e04d747828}\Shell - "" = AutoRun
O33 - MountPoints2\{c350b447-02db-11df-8a1f-00e04d747828}\Shell\AutoRun - "" = Auto&Play
O34 - HKLM BootExecute: (autocheck autochk *) -  File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010/04/10 02:10:35 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010/04/10 02:08:22 | 005,115,824 | ---- | C] (Malwarebytes Corporation                                    ) -- C:\Program Files\mbam-setup.exe
[2010/04/10 01:48:09 | 000,000,000 | ---D | C] -- C:\_OTL
[2010/04/08 13:56:00 | 000,561,664 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Billy\Desktop\OTL.exe
[2010/04/05 18:41:54 | 000,000,000 | ---D | C] -- C:\spoolerlogs
[2010/04/02 21:24:36 | 000,000,000 | ---D | C] -- C:\Program Files\Aspyr
[2010/04/02 21:22:34 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\appmgmt
[2010/04/02 21:16:25 | 021,116,611 | ---- | C] (Aspyr Media, Inc) -- C:\Program Files\GH3_PC_1.3_Patch.exe
[2010/04/02 20:30:58 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Billy\My Documents\Aspyr
[2010/04/02 20:30:58 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Billy\Local Settings\Application Data\Aspyr
[2010/04/02 20:29:43 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Billy\Application Data\SecuROM
[2010/04/02 20:29:42 | 000,107,888 | ---- | C] (Sony DADC Austria AG.) -- C:\WINDOWS\System32\CmdLineExt.dll
[2010/04/02 01:00:16 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Billy\My Documents\Astronomy
[2010/03/30 12:17:18 | 000,000,000 | ---D | C] -- C:\VundoFix Backups
[2010/03/30 12:16:58 | 000,119,808 | ---- | C] (Atribune.org) -- C:\Documents and Settings\Billy\Desktop\VundoFix.exe
[2010/03/29 11:25:16 | 000,000,000 | ---D | C] -- C:\QUARANTINE
[2010/03/29 11:15:57 | 000,064,432 | ---- | C] (McAfee, Inc.) -- C:\WINDOWS\System32\drivers\mferkdet.sys
[2010/03/29 11:15:56 | 000,090,360 | ---- | C] (McAfee, Inc.) -- C:\WINDOWS\System32\drivers\mfeavfk.sys
[2010/03/29 11:15:56 | 000,074,648 | ---- | C] (McAfee, Inc.) -- C:\WINDOWS\System32\drivers\mfeapfk.sys
[2010/03/29 11:15:56 | 000,042,424 | ---- | C] (McAfee, Inc.) -- C:\WINDOWS\System32\drivers\mfebopk.sys
[2010/03/29 11:15:55 | 000,340,592 | ---- | C] (McAfee, Inc.) -- C:\WINDOWS\System32\drivers\mfehidk.sys
[2010/03/29 11:15:55 | 000,062,704 | ---- | C] (McAfee, Inc.) -- C:\WINDOWS\System32\drivers\mfetdik.sys
[2010/03/29 11:15:54 | 000,067,904 | ---- | C] (McAfee, Inc.) -- C:\WINDOWS\System32\mfevtps.exe
[2010/03/29 11:15:25 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Cisco Systems
[2010/03/29 11:15:17 | 000,000,000 | ---D | C] -- C:\Program Files\McAfee
[2010/03/26 14:29:19 | 000,000,000 | ---D | C] -- C:\Program Files\FeedBack0.97b
[2010/03/21 21:41:27 | 000,000,000 | ---D | C] -- C:\Program Files\SopCast
[2010/02/26 15:15:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft
[2010/02/25 02:15:07 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Google
[2010/02/25 02:01:06 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Google
[2010/02/25 01:59:05 | 002,020,136 | ---- | C] (Skype Technologies S.A.) -- C:\Program Files\SkypeSetup.exe
[2010/02/12 20:08:51 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\Adobe
[2010/02/12 20:08:49 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft
[2009/12/22 21:42:22 | 001,839,496 | ---- | C] (Trend Micro) -- C:\Program Files\HousecallLauncher.exe
[2009/12/17 09:04:10 | 000,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Application Data\Microsoft
[2009/12/16 22:47:38 | 000,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Application Data\Microsoft

========== Files - Modified Within 30 Days ==========

[2010/04/10 02:08:30 | 005,115,824 | ---- | M] (Malwarebytes Corporation                                    ) -- C:\Program Files\mbam-setup.exe
[2010/04/10 01:54:25 | 000,272,291 | ---- | M] () -- C:\WINDOWS\System32\NvApps.xml
[2010/04/10 01:53:48 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/04/10 01:53:14 | 000,000,882 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2010/04/10 01:53:14 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/04/10 01:53:12 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/04/10 01:50:42 | 005,767,168 | -H-- | M] () -- C:\Documents and Settings\Billy\NTUSER.DAT
[2010/04/10 01:27:00 | 000,000,886 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2010/04/09 02:15:50 | 004,791,200 | -H-- | M] () -- C:\Documents and Settings\Billy\Local Settings\Application Data\IconCache.db
[2010/04/09 01:02:27 | 000,378,501 | ---- | M] () -- C:\Documents and Settings\Billy\My Documents\dust2.jpg
[2010/04/09 00:47:22 | 000,050,176 | ---- | M] () -- C:\Documents and Settings\Billy\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/04/08 13:56:01 | 000,561,664 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Billy\Desktop\OTL.exe
[2010/04/08 12:57:36 | 000,001,712 | ---- | M] () -- C:\Documents and Settings\Billy\Desktop\Day of Defeat Source.lnk
[2010/04/08 12:57:31 | 000,001,712 | ---- | M] () -- C:\Documents and Settings\Billy\Desktop\Counter-Strike Source.lnk
[2010/04/07 22:47:46 | 001,032,516 | ---- | M] () -- C:\Documents and Settings\Billy\My Documents\ufc-pallahares.gif
[2010/04/07 01:48:31 | 000,224,768 | ---- | M] () -- C:\Documents and Settings\Billy\Desktop\Personality_ppt.ppt
[2010/04/06 00:22:28 | 000,000,745 | ---- | M] () -- C:\Documents and Settings\Billy\Desktop\xp_exe_fix.zip
[2010/04/05 21:36:53 | 000,000,803 | ---- | M] () -- C:\Documents and Settings\Billy\Desktop\Shortcut to Leeme.html.lnk
[2010/04/05 19:10:18 | 000,052,480 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\i8042prt.sys
[2010/04/05 19:10:18 | 000,052,480 | ---- | M] () -- C:\WINDOWS\System32\drivers\i8042prt.sys
[2010/04/04 22:52:01 | 003,531,211 | ---- | M] () -- C:\Documents and Settings\Billy\My Documents\ufc-tavares-smith.gif
[2010/04/03 21:21:10 | 000,002,355 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\GHTCP.lnk
[2010/04/03 14:11:17 | 000,525,824 | ---- | M] () -- C:\Program Files\dds.scr
[2010/04/03 00:58:38 | 002,428,763 | ---- | M] () -- C:\Documents and Settings\Billy\Desktop\reload.zip
[2010/04/02 21:55:41 | 000,000,828 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Play Guitar Hero III.lnk
[2010/04/02 21:16:26 | 021,116,611 | ---- | M] (Aspyr Media, Inc) -- C:\Program Files\GH3_PC_1.3_Patch.exe
[2010/04/02 20:29:42 | 000,107,888 | ---- | M] (Sony DADC Austria AG.) -- C:\WINDOWS\System32\CmdLineExt.dll
[2010/04/02 00:28:46 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\Billy\ntuser.ini
[2010/04/01 13:01:33 | 000,134,665 | ---- | M] () -- C:\Documents and Settings\Billy\My Documents\fpsb-top_new_skin_lol.jpg
[2010/03/31 21:27:56 | 000,001,813 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Google Chrome.lnk
[2010/03/30 13:43:21 | 000,028,160 | ---- | M] () -- C:\Documents and Settings\Billy\My Documents\crusades.doc
[2010/03/30 12:17:01 | 000,119,808 | ---- | M] (Atribune.org) -- C:\Documents and Settings\Billy\Desktop\VundoFix.exe
[2010/03/28 23:37:20 | 000,002,265 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Skype.lnk
[2010/03/28 21:51:12 | 004,696,240 | ---- | M] () -- C:\Documents and Settings\Billy\Desktop\rmsnm0.jpg.gif
[2010/03/27 02:09:12 | 003,062,830 | ---- | M] () -- C:\Documents and Settings\Billy\My Documents\tacotown.gif
[2010/03/26 14:40:21 | 000,000,725 | ---- | M] () -- C:\Documents and Settings\Billy\Desktop\Shortcut to FeedBack.exe.lnk
[2010/03/26 14:32:52 | 002,808,907 | ---- | M] () -- C:\Program Files\FeedBack0.97b.zip
[2010/03/21 23:35:30 | 003,108,842 | ---- | M] () -- C:\Documents and Settings\Billy\My Documents\pottery.gif
[2010/03/21 21:41:27 | 000,000,666 | ---- | M] () -- C:\Documents and Settings\Billy\Desktop\SopCast.lnk
[2010/03/21 21:40:11 | 005,277,219 | ---- | M] () -- C:\Program Files\SopCast-328.zip
[2010/03/20 17:49:08 | 000,384,300 | ---- | M] () -- C:\Documents and Settings\Billy\My Documents\brainscan.gif
[2010/03/19 19:20:48 | 000,144,076 | ---- | M] () -- C:\Documents and Settings\Billy\My Documents\angel.jpg
[2010/03/19 19:03:45 | 000,032,033 | ---- | M] () -- C:\Documents and Settings\Billy\My Documents\killer-robot.jpg
[2010/03/18 15:45:12 | 000,580,995 | ---- | M] () -- C:\Documents and Settings\Billy\Desktop\quote.jpg
[2010/03/17 22:48:48 | 005,877,661 | ---- | M] () -- C:\Documents and Settings\Billy\Desktop\Movie_00021.wmv
[2010/03/17 22:25:55 | 007,843,252 | ---- | M] () -- C:\Documents and Settings\Billy\Desktop\Movie_00012.wmv
[2010/03/17 22:23:36 | 001,502,715 | ---- | M] () -- C:\Documents and Settings\Billy\Desktop\Movie2.wmv
[2010/03/16 20:27:45 | 003,749,317 | ---- | M] () -- C:\Documents and Settings\Billy\My Documents\ufc-overeem.gif
[2010/03/14 13:24:19 | 000,512,960 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2010/03/14 13:24:19 | 000,435,590 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010/03/14 13:24:19 | 000,068,360 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2010/03/13 22:59:40 | 000,014,110 | -HS- | M] () -- C:\Documents and Settings\Billy\Local Settings\Application Data\MYhtd

========== Files Created - No Company Name ==========

[2010/04/09 01:02:26 | 000,378,501 | ---- | C] () -- C:\Documents and Settings\Billy\My Documents\dust2.jpg
[2010/04/08 12:57:36 | 000,001,712 | ---- | C] () -- C:\Documents and Settings\Billy\Desktop\Day of Defeat Source.lnk
[2010/04/08 12:57:31 | 000,001,712 | ---- | C] () -- C:\Documents and Settings\Billy\Desktop\Counter-Strike Source.lnk
[2010/04/07 22:47:45 | 001,032,516 | ---- | C] () -- C:\Documents and Settings\Billy\My Documents\ufc-pallahares.gif
[2010/04/07 01:48:31 | 000,224,768 | ---- | C] () -- C:\Documents and Settings\Billy\Desktop\Personality_ppt.ppt
[2010/04/06 00:22:27 | 000,000,745 | ---- | C] () -- C:\Documents and Settings\Billy\Desktop\xp_exe_fix.zip
[2010/04/05 21:36:53 | 000,000,803 | ---- | C] () -- C:\Documents and Settings\Billy\Desktop\Shortcut to Leeme.html.lnk
[2010/04/05 00:26:52 | 000,014,549 | ---- | C] () -- C:\Program Files\Attach.txt
[2010/04/05 00:26:46 | 000,016,145 | ---- | C] () -- C:\Program Files\DDS.txt
[2010/04/04 22:51:58 | 003,531,211 | ---- | C] () -- C:\Documents and Settings\Billy\My Documents\ufc-tavares-smith.gif
[2010/04/03 14:11:16 | 000,525,824 | ---- | C] () -- C:\Program Files\dds.scr
[2010/04/03 00:58:37 | 002,428,763 | ---- | C] () -- C:\Documents and Settings\Billy\Desktop\reload.zip
[2010/04/02 22:13:11 | 000,002,355 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\GHTCP.lnk
[2010/04/02 21:55:41 | 000,000,828 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Play Guitar Hero III.lnk
[2010/04/01 13:01:31 | 000,134,665 | ---- | C] () -- C:\Documents and Settings\Billy\My Documents\fpsb-top_new_skin_lol.jpg
[2010/03/30 00:07:57 | 000,028,160 | ---- | C] () -- C:\Documents and Settings\Billy\My Documents\crusades.doc
[2010/03/28 21:51:11 | 004,696,240 | ---- | C] () -- C:\Documents and Settings\Billy\Desktop\rmsnm0.jpg.gif
[2010/03/27 02:09:11 | 003,062,830 | ---- | C] () -- C:\Documents and Settings\Billy\My Documents\tacotown.gif
[2010/03/26 14:32:28 | 002,808,907 | ---- | C] () -- C:\Program Files\FeedBack0.97b.zip
[2010/03/21 23:35:29 | 003,108,842 | ---- | C] () -- C:\Documents and Settings\Billy\My Documents\pottery.gif
[2010/03/21 21:41:27 | 000,000,666 | ---- | C] () -- C:\Documents and Settings\Billy\Desktop\SopCast.lnk
[2010/03/21 21:40:02 | 005,277,219 | ---- | C] () -- C:\Program Files\SopCast-328.zip
[2010/03/20 17:49:07 | 000,384,300 | ---- | C] () -- C:\Documents and Settings\Billy\My Documents\brainscan.gif
[2010/03/19 19:03:45 | 000,032,033 | ---- | C] () -- C:\Documents and Settings\Billy\My Documents\killer-robot.jpg
[2010/03/19 18:45:20 | 000,144,076 | ---- | C] () -- C:\Documents and Settings\Billy\My Documents\angel.jpg
[2010/03/18 15:45:11 | 000,580,995 | ---- | C] () -- C:\Documents and Settings\Billy\Desktop\quote.jpg
[2010/03/17 22:48:47 | 005,877,661 | ---- | C] () -- C:\Documents and Settings\Billy\Desktop\Movie_00021.wmv
[2010/03/17 22:25:52 | 007,843,252 | ---- | C] () -- C:\Documents and Settings\Billy\Desktop\Movie_00012.wmv
[2010/03/17 22:23:35 | 001,502,715 | ---- | C] () -- C:\Documents and Settings\Billy\Desktop\Movie2.wmv
[2010/03/16 20:27:44 | 003,749,317 | ---- | C] () -- C:\Documents and Settings\Billy\My Documents\ufc-overeem.gif
[2010/03/01 01:43:56 | 000,014,110 | -HS- | C] () -- C:\Documents and Settings\Billy\Local Settings\Application Data\MYhtd
[2010/03/01 01:43:55 | 000,189,440 | -HS- | C] () -- C:\Documents and Settings\Billy\Local Settings\Application Data\av.exe
[2010/01/31 23:23:26 | 014,892,016 | ---- | C] () -- C:\Program Files\ManyCam.exe
[2010/01/13 02:43:59 | 000,000,127 | ---- | C] () -- C:\WINDOWS\System32\MRT.INI
[2010/01/10 00:59:39 | 000,097,280 | -HS- | C] () -- C:\WINDOWS\System32\jojopedu.dll
[2010/01/10 00:59:39 | 000,044,032 | -HS- | C] () -- C:\WINDOWS\System32\lamisefi.dll
[2010/01/09 13:02:16 | 000,043,008 | -HS- | C] () -- C:\WINDOWS\System32\sapahore.dll
[2010/01/09 00:18:54 | 000,043,520 | -HS- | C] () -- C:\WINDOWS\System32\yohabinu.dll
[2009/12/22 21:43:03 | 000,000,036 | ---- | C] () -- C:\Documents and Settings\Billy\Local Settings\Application Data\housecall.guid.cache
[2009/12/22 20:08:52 | 000,000,008 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\sysReserve.ini
[2009/12/21 13:24:17 | 000,000,319 | ---- | C] () -- C:\WINDOWS\game.ini
[2009/12/20 23:28:49 | 018,030,130 | ---- | C] () -- C:\Program Files\vlc-1.0.3-win32.exe
[2009/12/16 23:48:36 | 000,050,176 | ---- | C] () -- C:\Documents and Settings\Billy\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/12/16 22:54:56 | 000,348,160 | -H-- | C] () -- C:\Documents and Settings\Billy\ntuser.dat.LOG
[2009/12/16 22:54:56 | 000,000,178 | -HS- | C] () -- C:\Documents and Settings\Billy\ntuser.ini
[2009/12/16 22:54:55 | 005,767,168 | -H-- | C] () -- C:\Documents and Settings\Billy\NTUSER.DAT
[2009/08/03 01:21:54 | 000,197,912 | ---- | C] () -- C:\WINDOWS\System32\physxcudart_20.dll
[2009/08/03 01:21:54 | 000,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelTraditionalChinese.dll
[2009/08/03 01:21:54 | 000,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelSwedish.dll
[2009/08/03 01:21:54 | 000,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelSpanish.dll
[2009/08/03 01:21:54 | 000,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelSimplifiedChinese.dll
[2009/08/03 01:21:54 | 000,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelPortugese.dll
[2009/08/03 01:21:54 | 000,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelKorean.dll
[2009/08/03 01:21:54 | 000,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelJapanese.dll
[2009/08/03 01:21:52 | 000,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelGerman.dll
[2009/08/03 01:21:52 | 000,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelFrench.dll
[2004/08/04 08:00:00 | 000,052,480 | ---- | C] () -- C:\WINDOWS\System32\drivers\i8042prt.sys
[1997/06/13 22:56:08 | 000,056,832 | ---- | C] () -- C:\WINDOWS\System32\iyvu9_32.dll

========== Files - Unicode (All) ==========
[2009/12/17 00:54:57 | 000,019,456 | ---- | C] ()(C:\Documents and Settings\Billy\My Documents\R??L R?vTLµti??.doc) -- C:\Documents and Settings\Billy\My Documents\ŖǿғŁ Řέ√ΘĻµŧįỠ₪.doc
[2006/03/08 20:16:20 | 000,019,456 | ---- | M] ()(C:\Documents and Settings\Billy\My Documents\R??L R?vTLµti??.doc) -- C:\Documents and Settings\Billy\My Documents\ŖǿғŁ Řέ√ΘĻµŧįỠ₪.doc
< End of report >


The link you posted to download mbam-setup.exe seems to be down; however, I did have luck locating other mirrors for it and ended up using this one. However, when I finished installing it and told the installer to launch it, the program appears for a split second and then closes, and it pops up an error message saying "Unable to execute file mbam.exe" and "CreateProcess failed; code 2. The system cannot find the file specified." When I go into the directory everything was installed in, the mbam.exe file is no longer there. Apparently the mbam.exe file gets deleted almost immediately. I tried some of the fixes recommended in this thread, but none of them worked. I believe I installed MBAM version 1.41, so if you send me a link to the mbam.exe file for that version I could try placing it in the right folder and running it, since all other files created during the installation seem to still be there. Just a thought.

Thanks again for your help!

Edited by WildBill4, 10 April 2010 - 02:23 PM.


#6 syler

syler

  • Malware Response Team
  • 8,150 posts
  • OFFLINE
  • Gender:Male
  • Location:Warrington, UK
  • Local time:07:24 PM

Posted 10 April 2010 - 03:52 PM

Ok don't worry about Malwarebytes for now we will run another tool.

Please download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed, click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


If you need help, see this link:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix



#7 WildBill4

WildBill4
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  • Local time:02:24 PM

Posted 11 April 2010 - 01:40 AM

ComboFix.txt:

CODE
ComboFix 10-04-10.02 - Billy 04/10/2010  21:15:55.1.2 - x86
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.2047.1689 [GMT -4:00]
Running from: c:\documents and settings\Billy\Desktop\ComboFix.exe
AV: McAfee VirusScan Enterprise *On-access scanning disabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\sysReserve.ini
c:\documents and settings\Billy\Local Settings\Application Data\{4C5FA377-44B8-46A5-B329-33B2C547E87F}
c:\documents and settings\Billy\Local Settings\Application Data\{4C5FA377-44B8-46A5-B329-33B2C547E87F}\chrome.manifest
c:\documents and settings\Billy\Local Settings\Application Data\{4C5FA377-44B8-46A5-B329-33B2C547E87F}\chrome\content\_cfg.js
c:\documents and settings\Billy\Local Settings\Application Data\{4C5FA377-44B8-46A5-B329-33B2C547E87F}\chrome\content\overlay.xul
c:\documents and settings\Billy\Local Settings\Application Data\{4C5FA377-44B8-46A5-B329-33B2C547E87F}\install.rdf
c:\documents and settings\Billy\Local Settings\Application Data\av.exe
c:\program files\driver
c:\windows\system32\H8SRTkklyxyqwth.dat
c:\windows\system32\lamisefi.dll
c:\windows\system32\lefopase.dll
c:\windows\system32\liwoduki.dll
c:\windows\system32\sapahore.dll
c:\windows\system32\spool\prtprocs\w32x86\00001db6.tmp
c:\windows\system32\srcr.dat
c:\windows\system32\wiwifezi.dll
c:\windows\system32\yohabinu.dll

Infected copy of c:\windows\system32\DRIVERS\atapi.sys was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\atapi.sys
.
(((((((((((((((((((((((((   Files Created from 2010-03-11 to 2010-04-11  )))))))))))))))))))))))))))))))
.

2010-04-10 18:51 . 2010-04-10 18:51    --------    d-----w-    c:\program files\Malwarebytes-Anti-Malware
2010-04-10 18:41 . 2009-09-10 18:54    38224    ----a-w-    c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-10 18:41 . 2010-04-10 18:49    --------    d-----w-    c:\program files\Malwarebytes' Anti-Malware
2010-04-10 18:41 . 2009-09-10 18:53    19160    ----a-w-    c:\windows\system32\drivers\mbam.sys
2010-04-10 06:14 . 2010-04-10 06:14    --------    d-----w-    c:\documents and settings\Billy\Application Data\Malwarebytes
2010-04-10 06:10 . 2010-04-10 06:10    --------    d-----w-    c:\documents and settings\All Users\Application Data\Malwarebytes
2010-04-10 06:08 . 2010-04-10 06:08    5115824    ----a-w-    c:\program files\mbam-setup.exe
2010-04-10 05:48 . 2010-04-10 05:48    --------    d-----w-    C:\_OTL
2010-04-05 22:41 . 2010-04-05 22:41    --------    d-----w-    C:\spoolerlogs
2010-04-03 18:11 . 2010-04-03 18:11    525824    ----a-w-    c:\program files\dds.scr
2010-04-03 01:24 . 2010-04-03 02:11    --------    d-----w-    c:\program files\Aspyr
2010-04-03 01:16 . 2010-04-03 01:16    21116611    ----a-w-    c:\program files\GH3_PC_1.3_Patch.exe
2010-04-03 00:30 . 2010-04-03 00:30    --------    d-----w-    c:\documents and settings\Billy\Local Settings\Application Data\Aspyr
2010-04-03 00:29 . 2010-04-03 00:29    --------    d--h--r-    c:\documents and settings\Billy\Application Data\SecuROM
2010-04-03 00:29 . 2010-04-03 00:29    107888    ----a-w-    c:\windows\system32\CmdLineExt.dll
2010-03-30 16:17 . 2010-03-30 16:17    --------    d-----w-    C:\VundoFix Backups
2010-03-29 15:25 . 2010-04-07 02:23    --------    d-----w-    C:\QUARANTINE
2010-03-29 15:15 . 2008-09-29 12:07    64432    ----a-w-    c:\windows\system32\drivers\mferkdet.sys
2010-03-29 15:15 . 2008-09-29 12:07    90360    ----a-w-    c:\windows\system32\drivers\mfeavfk.sys
2010-03-29 15:15 . 2008-09-29 12:07    74648    ----a-w-    c:\windows\system32\drivers\mfeapfk.sys
2010-03-29 15:15 . 2008-09-29 12:07    42424    ----a-w-    c:\windows\system32\drivers\mfebopk.sys
2010-03-29 15:15 . 2008-09-29 12:07    62704    ----a-w-    c:\windows\system32\drivers\mfetdik.sys
2010-03-29 15:15 . 2008-09-29 12:07    340592    ----a-w-    c:\windows\system32\drivers\mfehidk.sys
2010-03-29 15:15 . 2008-09-29 12:07    67904    ----a-w-    c:\windows\system32\mfevtps.exe
2010-03-29 15:15 . 2010-03-29 15:15    --------    d-----w-    c:\program files\Common Files\Cisco Systems
2010-03-29 15:15 . 2010-03-29 15:15    --------    d-----w-    c:\program files\McAfee
2010-03-26 18:32 . 2010-03-26 18:32    2808907    ----a-w-    c:\program files\FeedBack0.97b.zip
2010-03-26 18:29 . 2010-03-26 18:38    --------    d-----w-    c:\program files\FeedBack0.97b
2010-03-22 01:41 . 2010-03-22 01:41    --------    d-----w-    c:\program files\SopCast
2010-03-22 01:40 . 2010-03-22 01:40    5277219    ----a-w-    c:\program files\SopCast-328.zip

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-05 23:10 . 2004-08-04 12:00    52480    ----a-w-    c:\windows\system32\drivers\i8042prt.sys
2010-04-05 04:26 . 2010-04-05 04:26    14549    ----a-w-    c:\program files\Attach.txt
2010-04-05 04:26 . 2010-04-05 04:26    16145    ----a-w-    c:\program files\DDS.txt
2010-04-03 05:01 . 2009-12-21 03:34    --------    d-----w-    c:\documents and settings\Billy\Application Data\vlc
2010-04-03 00:24 . 2009-12-20 02:54    --------    d-----w-    c:\program files\BitComet
2010-03-30 18:43 . 2009-12-19 02:24    --------    d-----w-    c:\program files\iPod
2010-03-29 15:15 . 2010-02-12 19:18    --------    d-----w-    c:\documents and settings\All Users\Application Data\McAfee
2010-03-29 15:15 . 2010-02-12 19:20    --------    d-----w-    c:\program files\Common Files\McAfee
2010-03-29 05:06 . 2010-02-25 06:01    --------    d-----w-    c:\documents and settings\Billy\Application Data\Skype
2010-03-29 03:37 . 2010-02-25 06:14    --------    d-----w-    c:\documents and settings\Billy\Application Data\skypePM
2010-02-25 06:14 . 2010-02-25 06:14    56    ---ha-w-    c:\windows\system32\ezsidmv.dat
2010-02-25 06:01 . 2010-02-25 06:00    --------    d-----w-    c:\program files\Google
2010-02-25 06:00 . 2010-02-25 06:00    --------    d-----r-    c:\program files\Skype
2010-02-25 06:00 . 2010-02-25 06:00    --------    d-----w-    c:\program files\Common Files\Skype
2010-02-25 06:00 . 2010-02-25 06:00    --------    d-----w-    c:\documents and settings\All Users\Application Data\Skype
2010-02-25 05:59 . 2010-02-25 05:59    2020136    ----a-w-    c:\program files\SkypeSetup.exe
2010-02-15 19:08 . 2009-12-17 03:55    --------    d-----w-    c:\documents and settings\Billy\Application Data\Apple Computer
2010-02-15 18:47 . 2010-02-15 18:14    --------    d-----w-    c:\documents and settings\All Users\Application Data\Norton
2010-02-15 18:14 . 2010-02-15 18:14    806    ----a-w-    c:\windows\system32\drivers\SYMEVENT.INF
2010-02-15 18:14 . 2010-02-15 18:14    60808    ----a-w-    c:\windows\system32\S32EVNT1.DLL
2010-02-15 18:14 . 2010-02-15 18:14    124464    ----a-w-    c:\windows\system32\drivers\SYMEVENT.SYS
2010-02-15 18:14 . 2010-02-15 18:14    10635    ----a-w-    c:\windows\system32\drivers\SYMEVENT.CAT
2010-02-15 18:14 . 2010-02-15 18:14    --------    d-----w-    c:\program files\Symantec
2010-02-15 18:14 . 2010-02-15 18:14    --------    d-----w-    c:\program files\Common Files\Symantec Shared
2010-02-15 18:14 . 2010-02-15 18:14    36272    ----a-r-    c:\windows\system32\drivers\SymIM.sys
2010-02-15 18:13 . 2010-02-15 18:13    --------    d-----w-    c:\documents and settings\All Users\Application Data\NortonInstaller
2010-02-01 03:23 . 2010-02-01 03:23    14892016    ----a-w-    c:\program files\ManyCam.exe
2010-01-26 02:18 . 2009-12-21 05:19    69616    ----a-w-    c:\documents and settings\Billy\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-12-23 01:42 . 2009-12-23 01:42    1839496    ----a-w-    c:\program files\HousecallLauncher.exe
2009-12-21 03:30 . 2009-12-21 03:28    18030130    ----a-w-    c:\program files\vlc-1.0.3-win32.exe
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Steam"="c:\program files\valve\steam\steam.exe" [2010-02-20 1217872]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2007-04-10 16126464]
"SkyTel"="SkyTel.EXE" [2007-04-04 1822720]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-11-21 110184]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-11-21 12669544]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-12-19 149280]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 31016]
"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\udaterui.exe" [2008-03-14 136512]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2008-09-29 124240]

c:\documents and settings\Billy\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\McAfeeEngineService]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2007-05-11 08:06    40048    ----a-w-    c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Valve\\Steam\\Steam.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Valve\\Steam\\steamapps\\billydakid014\\counter-strike source\\hl2.exe"=
"c:\\Program Files\\BitComet\\BitComet.exe"=
"c:\\Program Files\\Autodesk\\backburner\\monitor.exe"=
"c:\\Program Files\\Autodesk\\backburner\\manager.exe"=
"c:\\Program Files\\Autodesk\\backburner\\server.exe"=
"c:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"c:\\Program Files\\Unreal Tournament 3\\Binaries\\UT3.exe"=
"c:\\WINDOWS\\system32\\dplaysvr.exe"=
"c:\\Program Files\\Microsoft Games\\Midtown Madness 2\\Midtown2.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Common Files\\Apple\\Mobile Device Support\\bin\\AppleMobileDeviceService.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\iPod\\bin\\iPodService.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"13727:TCP"= 13727:TCP:BitComet 13727 TCP
"13727:UDP"= 13727:UDP:BitComet 13727 UDP
"3838:TCP"= 3838:TCP:kjggb

R1 BIOS;BIOS;c:\windows\system32\drivers\BIOS.sys [12/16/2009 10:56 PM 13696]
R2 McAfeeEngineService;McAfee Engine Service;c:\program files\McAfee\VirusScan Enterprise\EngineServer.exe [9/29/2008 8:07 AM 19456]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [3/29/2010 11:15 AM 67904]
R3 ManyCam;ManyCam Virtual Webcam, WDM Video Capture Driver;c:\windows\system32\drivers\ManyCam.sys [1/14/2008 6:06 AM 21632]
S2 bbcgzieyu;Installer Windows;c:\windows\system32\svchost.exe -k netsvcs [8/4/2004 8:00 AM 14336]
S2 gupdate1cab5dfdcb64e30;Google Update Service (gupdate1cab5dfdcb64e30);c:\program files\Google\Update\GoogleUpdate.exe [2/25/2010 2:00 AM 133104]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [3/29/2010 11:15 AM 64432]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost  - NetSvcs
bbcgzieyu
.
Contents of the 'Scheduled Tasks' folder

2010-04-11 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-25 06:00]

2010-04-11 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-25 06:00]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
IE: {{898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
FF - ProfilePath - c:\documents and settings\Billy\Application Data\Mozilla\Firefox\Profiles\3m0z23rm.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npwachk.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency",   1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug",            false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight",       2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize",       1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight",   25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight",     5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation",  false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.
- - - - ORPHANS REMOVED - - - -

BHO-{45b191b0-bc08-4180-9b7f-42a50c3f6e3e} - hugimizu.dll
HKLM-Run-jepihopami - liwoduki.dll
HKLM-Run-kosekudod - c:\windows\system32\wiwifezi.dll
SharedTaskScheduler-{ee36931d-9d93-48e1-8b71-c6fdd4274cb8} - c:\windows\system32\wiwifezi.dll
SSODL-rekayuziz-{ee36931d-9d93-48e1-8b71-c6fdd4274cb8} - c:\windows\system32\wiwifezi.dll
MSConfigStartUp-Fgisit - c:\windows\upayiyuk.dll
MSConfigStartUp-kosekudod - c:\windows\system32\doguvuvo.dll
MSConfigStartUp-richtx64 - c:\docume~1\Billy\LOCALS~1\Temp\richtx64.exe
MSConfigStartUp-swg - c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
AddRemove-Mozilla Firefox (3.0.16) - e:\program files\Mozilla Firefox\uninstall\helper.exe
AddRemove-{2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\Google\Google Toolbar\Component\GoogleToolbarManager_0E996B068B56FCA2.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-10 21:33
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...  

scanning hidden autostart entries ...

scanning hidden files ...  

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2712)
c:\windows\system32\WININET.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\program files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvsvc32.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\McAfee\Common Framework\FrameworkService.exe
c:\windows\RTHDCPL.EXE
c:\progra~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\program files\McAfee\VirusScan Enterprise\VsTskMgr.exe
c:\program files\Autodesk\3DS Max 8\mentalray\satellite\raysat_3dsmax8server.exe
c:\program files\McAfee\VirusScan Enterprise\Mcshield.exe
c:\program files\McAfee\VirusScan Enterprise\mfeann.exe
c:\program files\McAfee\Common Framework\naPrdMgr.exe
c:\program files\McAfee\Common Framework\McTray.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2010-04-10  21:43:56 - machine was rebooted
ComboFix-quarantined-files.txt  2010-04-11 01:43

Pre-Run: 106,355,937,280 bytes free
Post-Run: 106,301,108,224 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect /usepmtimer

- - End Of File - - DCA009446C320452B82CBB78B5A89A38


#8 syler

syler

  • Malware Response Team
  • 8,150 posts
  • OFFLINE
  • Gender:Male
  • Location:Warrington, UK
  • Local time:07:24 PM

Posted 11 April 2010 - 12:56 PM

That's looking better. Please let me know how the computer is running.

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

CODE
Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000000
"FirewallOverride"=dword:00000000
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"=dword:00000001
"DisableNotifications"=dword:00000000
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3838:TCP"=
Driver::
bbcgzieyu


Save this as CFScript.txt, in the same location as ComboFix.exe




Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.


  • Go to Start >> Run
  • Copy and paste the following command line into the Run box, then click OK.
cmd /c reg export "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost" "%userprofile%\desktop\export.txt"
  • This will create a file on your desktop named export.txt; please post the contents in your reply.


Then please post back here with the following logs:
  • Combofix.txt
  • export.txt

Thanks



#9 WildBill4

WildBill4
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  • Local time:02:24 PM

Posted 11 April 2010 - 07:28 PM

Hey! The computer already seems to be much more stable, and I've noticed a few other minor improvements as well, so that's a good sign. Here is the new ComboFix.txt log:

CODE
ComboFix 10-04-10.02 - Billy 04/11/2010  17:59:28.2.2 - x86
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.2047.1425 [GMT -4:00]
Running from: c:\documents and settings\Billy\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Billy\Desktop\CFScript.txt
AV: McAfee VirusScan Enterprise *On-access scanning disabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_BBCGZIEYU
-------\Service_bbcgzieyu


(((((((((((((((((((((((((   Files Created from 2010-03-11 to 2010-04-11  )))))))))))))))))))))))))))))))
.

2010-04-11 01:38 . 2009-10-23 15:28    3558912    -c----w-    c:\windows\system32\dllcache\moviemk.exe
2010-04-10 18:51 . 2010-04-10 18:51    --------    d-----w-    c:\program files\Malwarebytes-Anti-Malware
2010-04-10 18:41 . 2009-09-10 18:54    38224    ----a-w-    c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-10 18:41 . 2010-04-10 18:49    --------    d-----w-    c:\program files\Malwarebytes' Anti-Malware
2010-04-10 18:41 . 2009-09-10 18:53    19160    ----a-w-    c:\windows\system32\drivers\mbam.sys
2010-04-10 06:14 . 2010-04-10 06:14    --------    d-----w-    c:\documents and settings\Billy\Application Data\Malwarebytes
2010-04-10 06:10 . 2010-04-10 06:10    --------    d-----w-    c:\documents and settings\All Users\Application Data\Malwarebytes
2010-04-10 06:08 . 2010-04-10 06:08    5115824    ----a-w-    c:\program files\mbam-setup.exe
2010-04-10 05:48 . 2010-04-10 05:48    --------    d-----w-    C:\_OTL
2010-04-05 22:41 . 2010-04-05 22:41    --------    d-----w-    C:\spoolerlogs
2010-04-03 18:11 . 2010-04-03 18:11    525824    ----a-w-    c:\program files\dds.scr
2010-04-03 01:24 . 2010-04-03 02:11    --------    d-----w-    c:\program files\Aspyr
2010-04-03 01:16 . 2010-04-03 01:16    21116611    ----a-w-    c:\program files\GH3_PC_1.3_Patch.exe
2010-04-03 00:30 . 2010-04-03 00:30    --------    d-----w-    c:\documents and settings\Billy\Local Settings\Application Data\Aspyr
2010-04-03 00:29 . 2010-04-03 00:29    --------    d--h--r-    c:\documents and settings\Billy\Application Data\SecuROM
2010-04-03 00:29 . 2010-04-03 00:29    107888    ----a-w-    c:\windows\system32\CmdLineExt.dll
2010-03-30 16:17 . 2010-03-30 16:17    --------    d-----w-    C:\VundoFix Backups
2010-03-29 15:25 . 2010-04-07 02:23    --------    d-----w-    C:\QUARANTINE
2010-03-29 15:15 . 2008-09-29 12:07    64432    ----a-w-    c:\windows\system32\drivers\mferkdet.sys
2010-03-29 15:15 . 2008-09-29 12:07    90360    ----a-w-    c:\windows\system32\drivers\mfeavfk.sys
2010-03-29 15:15 . 2008-09-29 12:07    74648    ----a-w-    c:\windows\system32\drivers\mfeapfk.sys
2010-03-29 15:15 . 2008-09-29 12:07    42424    ----a-w-    c:\windows\system32\drivers\mfebopk.sys
2010-03-29 15:15 . 2008-09-29 12:07    62704    ----a-w-    c:\windows\system32\drivers\mfetdik.sys
2010-03-29 15:15 . 2008-09-29 12:07    340592    ----a-w-    c:\windows\system32\drivers\mfehidk.sys
2010-03-29 15:15 . 2008-09-29 12:07    67904    ----a-w-    c:\windows\system32\mfevtps.exe
2010-03-29 15:15 . 2010-03-29 15:15    --------    d-----w-    c:\program files\Common Files\Cisco Systems
2010-03-29 15:15 . 2010-03-29 15:15    --------    d-----w-    c:\program files\McAfee
2010-03-26 18:32 . 2010-03-26 18:32    2808907    ----a-w-    c:\program files\FeedBack0.97b.zip
2010-03-26 18:29 . 2010-03-26 18:38    --------    d-----w-    c:\program files\FeedBack0.97b
2010-03-22 01:41 . 2010-03-22 01:41    --------    d-----w-    c:\program files\SopCast
2010-03-22 01:40 . 2010-03-22 01:40    5277219    ----a-w-    c:\program files\SopCast-328.zip

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-05 23:10 . 2004-08-04 12:00    52480    ----a-w-    c:\windows\system32\drivers\i8042prt.sys
2010-04-05 04:26 . 2010-04-05 04:26    14549    ----a-w-    c:\program files\Attach.txt
2010-04-05 04:26 . 2010-04-05 04:26    16145    ----a-w-    c:\program files\DDS.txt
2010-04-03 05:01 . 2009-12-21 03:34    --------    d-----w-    c:\documents and settings\Billy\Application Data\vlc
2010-04-03 00:24 . 2009-12-20 02:54    --------    d-----w-    c:\program files\BitComet
2010-03-30 18:43 . 2009-12-19 02:24    --------    d-----w-    c:\program files\iPod
2010-03-29 15:15 . 2010-02-12 19:18    --------    d-----w-    c:\documents and settings\All Users\Application Data\McAfee
2010-03-29 15:15 . 2010-02-12 19:20    --------    d-----w-    c:\program files\Common Files\McAfee
2010-03-29 05:06 . 2010-02-25 06:01    --------    d-----w-    c:\documents and settings\Billy\Application Data\Skype
2010-03-29 03:37 . 2010-02-25 06:14    --------    d-----w-    c:\documents and settings\Billy\Application Data\skypePM
2010-02-25 06:14 . 2010-02-25 06:14    56    ---ha-w-    c:\windows\system32\ezsidmv.dat
2010-02-25 06:01 . 2010-02-25 06:00    --------    d-----w-    c:\program files\Google
2010-02-25 06:00 . 2010-02-25 06:00    --------    d-----r-    c:\program files\Skype
2010-02-25 06:00 . 2010-02-25 06:00    --------    d-----w-    c:\program files\Common Files\Skype
2010-02-25 06:00 . 2010-02-25 06:00    --------    d-----w-    c:\documents and settings\All Users\Application Data\Skype
2010-02-25 05:59 . 2010-02-25 05:59    2020136    ----a-w-    c:\program files\SkypeSetup.exe
2010-02-15 19:08 . 2009-12-17 03:55    --------    d-----w-    c:\documents and settings\Billy\Application Data\Apple Computer
2010-02-15 18:47 . 2010-02-15 18:14    --------    d-----w-    c:\documents and settings\All Users\Application Data\Norton
2010-02-15 18:14 . 2010-02-15 18:14    806    ----a-w-    c:\windows\system32\drivers\SYMEVENT.INF
2010-02-15 18:14 . 2010-02-15 18:14    60808    ----a-w-    c:\windows\system32\S32EVNT1.DLL
2010-02-15 18:14 . 2010-02-15 18:14    124464    ----a-w-    c:\windows\system32\drivers\SYMEVENT.SYS
2010-02-15 18:14 . 2010-02-15 18:14    10635    ----a-w-    c:\windows\system32\drivers\SYMEVENT.CAT
2010-02-15 18:14 . 2010-02-15 18:14    --------    d-----w-    c:\program files\Symantec
2010-02-15 18:14 . 2010-02-15 18:14    --------    d-----w-    c:\program files\Common Files\Symantec Shared
2010-02-15 18:14 . 2010-02-15 18:14    36272    ----a-r-    c:\windows\system32\drivers\SymIM.sys
2010-02-15 18:13 . 2010-02-15 18:13    --------    d-----w-    c:\documents and settings\All Users\Application Data\NortonInstaller
2010-02-01 03:23 . 2010-02-01 03:23    14892016    ----a-w-    c:\program files\ManyCam.exe
2010-01-26 02:18 . 2009-12-21 05:19    69616    ----a-w-    c:\documents and settings\Billy\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-12-23 01:42 . 2009-12-23 01:42    1839496    ----a-w-    c:\program files\HousecallLauncher.exe
2009-12-21 03:30 . 2009-12-21 03:28    18030130    ----a-w-    c:\program files\vlc-1.0.3-win32.exe
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Steam"="c:\program files\valve\steam\steam.exe" [2010-02-20 1217872]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2007-04-10 16126464]
"SkyTel"="SkyTel.EXE" [2007-04-04 1822720]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-11-21 110184]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-11-21 12669544]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-12-19 149280]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 31016]
"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\udaterui.exe" [2008-03-14 136512]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2008-09-29 124240]

c:\documents and settings\Billy\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\McAfeeEngineService]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2007-05-11 08:06    40048    ----a-w-    c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Valve\\Steam\\Steam.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Valve\\Steam\\steamapps\\billydakid014\\counter-strike source\\hl2.exe"=
"c:\\Program Files\\BitComet\\BitComet.exe"=
"c:\\Program Files\\Autodesk\\backburner\\monitor.exe"=
"c:\\Program Files\\Autodesk\\backburner\\manager.exe"=
"c:\\Program Files\\Autodesk\\backburner\\server.exe"=
"c:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"c:\\Program Files\\Unreal Tournament 3\\Binaries\\UT3.exe"=
"c:\\WINDOWS\\system32\\dplaysvr.exe"=
"c:\\Program Files\\Microsoft Games\\Midtown Madness 2\\Midtown2.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Common Files\\Apple\\Mobile Device Support\\bin\\AppleMobileDeviceService.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\iPod\\bin\\iPodService.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"13727:TCP"= 13727:TCP:BitComet 13727 TCP
"13727:UDP"= 13727:UDP:BitComet 13727 UDP
"3838:TCP"= 3838:TCP:kjggb

R1 BIOS;BIOS;c:\windows\system32\drivers\BIOS.sys [12/16/2009 10:56 PM 13696]
R2 McAfeeEngineService;McAfee Engine Service;c:\program files\McAfee\VirusScan Enterprise\EngineServer.exe [9/29/2008 8:07 AM 19456]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [3/29/2010 11:15 AM 67904]
R3 ManyCam;ManyCam Virtual Webcam, WDM Video Capture Driver;c:\windows\system32\drivers\ManyCam.sys [1/14/2008 6:06 AM 21632]
S2 gupdate1cab5dfdcb64e30;Google Update Service (gupdate1cab5dfdcb64e30);c:\program files\Google\Update\GoogleUpdate.exe [2/25/2010 2:00 AM 133104]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [3/29/2010 11:15 AM 64432]
.
Contents of the 'Scheduled Tasks' folder

2010-04-11 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-25 06:00]

2010-04-11 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-25 06:00]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
IE: {{898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
FF - ProfilePath - c:\documents and settings\Billy\Application Data\Mozilla\Firefox\Profiles\3m0z23rm.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npwachk.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency",   1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug",            false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight",       2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize",       1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight",   25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight",     5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation",  false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-11 18:07
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...  

scanning hidden autostart entries ...

scanning hidden files ...  

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(396)
c:\windows\system32\WININET.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvsvc32.exe
c:\windows\RTHDCPL.EXE
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\McAfee\Common Framework\FrameworkService.exe
c:\progra~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\program files\McAfee\VirusScan Enterprise\VsTskMgr.exe
c:\program files\Autodesk\3DS Max 8\mentalray\satellite\raysat_3dsmax8server.exe
c:\program files\McAfee\VirusScan Enterprise\Mcshield.exe
c:\program files\McAfee\VirusScan Enterprise\mfeann.exe
c:\program files\McAfee\Common Framework\naPrdMgr.exe
c:\program files\McAfee\Common Framework\McTray.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2010-04-11  18:17:50 - machine was rebooted
ComboFix-quarantined-files.txt  2010-04-11 22:17
ComboFix2.txt  2010-04-11 01:43

Pre-Run: 106,137,210,880 bytes free
Post-Run: 106,094,215,168 bytes free

- - End Of File - - 1253CD9C1CE0BA6DA53C58E848C634EF

And here is the export.txt file:

CODE
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost]
"HTTPFilter"=hex(7):48,00,54,00,54,00,50,00,46,00,69,00,6c,00,74,00,65,00,72,\
  00,00,00,00,00
"LocalService"=hex(7):41,00,6c,00,65,00,72,00,74,00,65,00,72,00,00,00,57,00,65,\
  00,62,00,43,00,6c,00,69,00,65,00,6e,00,74,00,00,00,4c,00,6d,00,48,00,6f,00,\
  73,00,74,00,73,00,00,00,52,00,65,00,6d,00,6f,00,74,00,65,00,52,00,65,00,67,\
  00,69,00,73,00,74,00,72,00,79,00,00,00,75,00,70,00,6e,00,70,00,68,00,6f,00,\
  73,00,74,00,00,00,53,00,53,00,44,00,50,00,53,00,52,00,56,00,00,00,00,00
"NetworkService"=hex(7):44,00,6e,00,73,00,43,00,61,00,63,00,68,00,65,00,00,00,\
  00,00
"netsvcs"=hex(7):36,00,74,00,6f,00,34,00,00,00,41,00,70,00,70,00,4d,00,67,00,\
  6d,00,74,00,00,00,41,00,75,00,64,00,69,00,6f,00,53,00,72,00,76,00,00,00,42,\
  00,72,00,6f,00,77,00,73,00,65,00,72,00,00,00,43,00,72,00,79,00,70,00,74,00,\
  53,00,76,00,63,00,00,00,44,00,4d,00,53,00,65,00,72,00,76,00,65,00,72,00,00,\
  00,44,00,48,00,43,00,50,00,00,00,45,00,52,00,53,00,76,00,63,00,00,00,45,00,\
  76,00,65,00,6e,00,74,00,53,00,79,00,73,00,74,00,65,00,6d,00,00,00,46,00,61,\
  00,73,00,74,00,55,00,73,00,65,00,72,00,53,00,77,00,69,00,74,00,63,00,68,00,\
  69,00,6e,00,67,00,43,00,6f,00,6d,00,70,00,61,00,74,00,69,00,62,00,69,00,6c,\
  00,69,00,74,00,79,00,00,00,48,00,69,00,64,00,53,00,65,00,72,00,76,00,00,00,\
  49,00,61,00,73,00,00,00,49,00,70,00,72,00,69,00,70,00,00,00,49,00,72,00,6d,\
  00,6f,00,6e,00,00,00,4c,00,61,00,6e,00,6d,00,61,00,6e,00,53,00,65,00,72,00,\
  76,00,65,00,72,00,00,00,4c,00,61,00,6e,00,6d,00,61,00,6e,00,57,00,6f,00,72,\
  00,6b,00,73,00,74,00,61,00,74,00,69,00,6f,00,6e,00,00,00,4d,00,65,00,73,00,\
  73,00,65,00,6e,00,67,00,65,00,72,00,00,00,4e,00,65,00,74,00,6d,00,61,00,6e,\
  00,00,00,4e,00,6c,00,61,00,00,00,4e,00,74,00,6d,00,73,00,73,00,76,00,63,00,\
  00,00,4e,00,57,00,43,00,57,00,6f,00,72,00,6b,00,73,00,74,00,61,00,74,00,69,\
  00,6f,00,6e,00,00,00,4e,00,77,00,73,00,61,00,70,00,61,00,67,00,65,00,6e,00,\
  74,00,00,00,52,00,61,00,73,00,61,00,75,00,74,00,6f,00,00,00,52,00,61,00,73,\
  00,6d,00,61,00,6e,00,00,00,52,00,65,00,6d,00,6f,00,74,00,65,00,61,00,63,00,\
  63,00,65,00,73,00,73,00,00,00,53,00,63,00,68,00,65,00,64,00,75,00,6c,00,65,\
  00,00,00,53,00,65,00,63,00,6c,00,6f,00,67,00,6f,00,6e,00,00,00,53,00,45,00,\
  4e,00,53,00,00,00,53,00,68,00,61,00,72,00,65,00,64,00,61,00,63,00,63,00,65,\
  00,73,00,73,00,00,00,53,00,52,00,53,00,65,00,72,00,76,00,69,00,63,00,65,00,\
  00,00,54,00,61,00,70,00,69,00,73,00,72,00,76,00,00,00,54,00,68,00,65,00,6d,\
  00,65,00,73,00,00,00,54,00,72,00,6b,00,57,00,6b,00,73,00,00,00,57,00,33,00,\
  32,00,54,00,69,00,6d,00,65,00,00,00,57,00,5a,00,43,00,53,00,56,00,43,00,00,\
  00,57,00,6d,00,69,00,00,00,57,00,6d,00,64,00,6d,00,50,00,6d,00,53,00,70,00,\
  00,00,77,00,69,00,6e,00,6d,00,67,00,6d,00,74,00,00,00,77,00,73,00,63,00,73,\
  00,76,00,63,00,00,00,78,00,6d,00,6c,00,70,00,72,00,6f,00,76,00,00,00,42,00,\
  49,00,54,00,53,00,00,00,77,00,75,00,61,00,75,00,73,00,65,00,72,00,76,00,00,\
  00,53,00,68,00,65,00,6c,00,6c,00,48,00,57,00,44,00,65,00,74,00,65,00,63,00,\
  74,00,69,00,6f,00,6e,00,00,00,68,00,65,00,6c,00,70,00,73,00,76,00,63,00,00,\
  00,57,00,6d,00,64,00,6d,00,50,00,6d,00,53,00,4e,00,00,00,6e,00,61,00,70,00,\
  61,00,67,00,65,00,6e,00,74,00,00,00,68,00,6b,00,6d,00,73,00,76,00,63,00,00,\
  00,00,00
"DcomLaunch"=hex(7):44,00,63,00,6f,00,6d,00,4c,00,61,00,75,00,6e,00,63,00,68,\
  00,00,00,54,00,65,00,72,00,6d,00,53,00,65,00,72,00,76,00,69,00,63,00,65,00,\
  00,00,00,00
"rpcss"=hex(7):52,00,70,00,63,00,53,00,73,00,00,00,00,00
"imgsvc"=hex(7):53,00,74,00,69,00,53,00,76,00,63,00,00,00,00,00
"termsvcs"=hex(7):54,00,65,00,72,00,6d,00,53,00,65,00,72,00,76,00,69,00,63,00,\
  65,00,00,00,00,00
"eapsvcs"=hex(7):65,00,61,00,70,00,68,00,6f,00,73,00,74,00,00,00,00,00
"dot3svc"=hex(7):64,00,6f,00,74,00,33,00,73,00,76,00,63,00,00,00,00,00
"WudfServiceGroup"=hex(7):57,00,55,00,44,00,46,00,53,00,76,00,63,00,00,00,00,\
  00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\DComLaunch]
"CoInitializeSecurityParam"=dword:00000001
"DefaultRpcStackSize"=dword:00000008

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\dot3svc]
"AuthenticationCapabilities"=dword:00003020
"CoInitializeSecurityParam"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\eapsvcs]
"AuthenticationCapabilities"=dword:00003020
"CoInitializeSecurityParam"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\HTTPFilter]
"CoInitializeSecurityParam"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\LocalService]
"CoInitializeSecurityParam"=dword:00000001
"AuthenticationCapabilities"=dword:00002000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\netsvcs]
"CoInitializeSecurityParam"=dword:00000001
"AuthenticationCapabilities"=dword:00003020

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\PCHealth]
"CoInitializeSecurityParam"=dword:00000002
"AuthenticationCapabilities"=dword:00000040

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\termsvcs]
"CoInitializeSecurityParam"=dword:00000001
"DefaultRpcStackSize"=dword:00000008
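The SvcHost export that syler asked for is worth being able to read: each value under that key is a REG_MULTI_SZ list of the service names one svchost.exe group loads, and a .reg export writes such lists as hex(7) byte strings, which is why the file above is unreadable as posted. The following is an added example, not code from the thread or from any of the tools it mentions. It joins the backslash-continued lines, decodes the UTF-16 byte lists back into service names, and compares every group against a baseline. The sample lines are copied from the export.txt above (the long netsvcs value is left out to keep the sample short); BASELINE is a partial list constructed for the example, and the examplesvc entry in the second, constructed sample is a made-up name used only to show what a flagged member looks like.

```python
"""Decode the hex(7) (REG_MULTI_SZ) values in a .reg export of the SvcHost key
and compare each svchost group against a baseline of expected service names.

Added example: sample lines copied from the export.txt above; the baseline
and the 'examplesvc' entry are constructed for the example.
"""
import re

SVCHOST_KEY = r'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost'

# Value lines copied from the export.txt posted above (netsvcs omitted for length).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost]
"LocalService"=hex(7):41,00,6c,00,65,00,72,00,74,00,65,00,72,00,00,00,57,00,65,\
  00,62,00,43,00,6c,00,69,00,65,00,6e,00,74,00,00,00,4c,00,6d,00,48,00,6f,00,\
  73,00,74,00,73,00,00,00,52,00,65,00,6d,00,6f,00,74,00,65,00,52,00,65,00,67,\
  00,69,00,73,00,74,00,72,00,79,00,00,00,75,00,70,00,6e,00,70,00,68,00,6f,00,\
  73,00,74,00,00,00,53,00,53,00,44,00,50,00,53,00,52,00,56,00,00,00,00,00
"NetworkService"=hex(7):44,00,6e,00,73,00,43,00,61,00,63,00,68,00,65,00,00,00,\
  00,00
"DcomLaunch"=hex(7):44,00,63,00,6f,00,6d,00,4c,00,61,00,75,00,6e,00,63,00,68,\
  00,00,00,54,00,65,00,72,00,6d,00,53,00,65,00,72,00,76,00,69,00,63,00,65,00,\
  00,00,00,00
"rpcss"=hex(7):52,00,70,00,63,00,53,00,73,00,00,00,00,00
'''

# Partial baseline of Windows XP svchost group members, constructed for this
# example from the export above; a real check would use a list taken from a
# known-clean machine of the same Windows version.
BASELINE = {
    'LocalService': {'Alerter', 'WebClient', 'LmHosts', 'RemoteRegistry',
                     'upnphost', 'SSDPSRV'},
    'NetworkService': {'DnsCache'},
    'DcomLaunch': {'DcomLaunch', 'TermService'},
    'rpcss': {'RpcSs'},
    'netsvcs': {'6to4', 'AppMgmt', 'AudioSrv', 'Browser', 'CryptSvc', 'DMServer',
                'DHCP', 'ERSvc', 'EventSystem', 'Schedule', 'Themes', 'BITS',
                'wuauserv', 'wscsvc', 'winmgmt'},
}


def parse_reg_values(text, key):
    """Return {value_name: raw_data} for the values directly under `key`.

    A trailing backslash in a .reg file means the data continues on the next
    line, so those line breaks (and the indentation that follows them) are
    removed before the value lines are matched.
    """
    joined = re.sub(r'\\\r?\n[ \t]*', '', text)
    values, in_key = {}, False
    for line in joined.splitlines():
        if line.startswith('['):
            in_key = line.strip() == '[%s]' % key
            continue
        m = re.match(r'^"([^"]+)"=(.*)$', line)
        if in_key and m:
            values[m.group(1)] = m.group(2).strip()
    return values


def decode_multi_sz(data):
    """Decode a 'hex(7):..' payload (UTF-16LE strings separated by NUL and
    terminated by a double NUL) into a list of strings."""
    if not data.startswith('hex(7):'):
        raise ValueError('not a REG_MULTI_SZ value: %r' % data[:12])
    hex_bytes = [h for h in data[len('hex(7):'):].split(',') if h.strip()]
    raw = bytes(int(h, 16) for h in hex_bytes)
    return [s for s in raw.decode('utf-16-le').split('\x00') if s]


def encode_multi_sz(names):
    """Inverse of decode_multi_sz; used here only to build a constructed sample."""
    raw = ('\x00'.join(names) + '\x00\x00').encode('utf-16-le')
    return 'hex(7):' + ','.join('%02x' % b for b in raw)


def svchost_groups(reg_text):
    """Map each svchost group name to the list of services it hosts."""
    return {name: decode_multi_sz(data)
            for name, data in parse_reg_values(reg_text, SVCHOST_KEY).items()
            if data.startswith('hex(7):')}


def unexpected_members(groups, baseline=BASELINE):
    """Members of each group that are not in the baseline for that group.
    A group name missing from the baseline is reported with all its members."""
    findings = {}
    for group, members in groups.items():
        extra = [m for m in members if m not in baseline.get(group, set())]
        if extra:
            findings[group] = extra
    return findings


# Constructed sample: a netsvcs list with one extra, made-up member
# ('examplesvc' is a placeholder, not a name taken from the thread).
CONSTRUCTED_REG = ('Windows Registry Editor Version 5.00\n\n[%s]\n' % SVCHOST_KEY
                   + '"netsvcs"=' + encode_multi_sz(['6to4', 'AppMgmt', 'examplesvc']) + '\n')

if __name__ == '__main__':
    for group, members in svchost_groups(SAMPLE_REG).items():
        print('%-15s %s' % (group, ', '.join(members)))
    print('flagged:', unexpected_members(svchost_groups(CONSTRUCTED_REG)))
```

Run against the full export.txt above, the same functions decode the netsvcs list as well; the point of the baseline comparison is that a service name in a group that no clean install of that Windows version has is worth looking up before trusting it, since the group is what decides which DLLs an svchost.exe process loads.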


#10 syler

syler

  • Malware Response Team
  • 8,150 posts
  • OFFLINE
  • Gender:Male
  • Location:Warrington, UK
  • Local time:07:24 PM

Posted 12 April 2010 - 10:10 AM

That's looking better, let's just do one more check to make sure you are clean.

  • Go to Start >> Run, and type Notepad into the run box, then click Ok.
  • Copy and paste the following code into Notepad. (Do not include the word "CODE")
CODE
REGEDIT4

[HKLM\SYSTEM\CurrentControlSet\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3838:TCP"=-
  • Click on the File tab, and select Save.
  • In the box that opens type fix.reg for the File name.
  • Change the Save as type to All Files, then save it to your Desktop. (It should look like this )
  • Double click fix.reg, Select yes when it prompts you, then Ok.



You don't have the latest version of Java; you should run JavaRa to clean up any older Java, then
download and install the latest version from here.

Please download JavaRa and unzip it to your desktop.
Then print these instructions, as you won't have Internet access during this particular phase.

Close any instances of Internet Explorer before continuing
  • Double-click on JavaRa.exe to start the program.
  • From the drop-down menu, choose English or the appropriate language...and click on Select.
  • JavaRa will open; select Remove Older Versions, click Yes, then OK.
  • A logfile will pop up, you can close it.
  • Now select Additional Tasks and check the following:
    Remove Useless JRE Files
    Remove Startup Entry
  • Click Go, then OK to all the prompts; once done, restart your computer.



Please do a scan with ESET OnlineScan

Note: If you run this in a browser other than IE, you will be asked to download and install esetsmartinstaller_enu.exe
  • Click the button.
  • Check
  • Click the button.
  • Accept any security warnings from your browser and allow it to install the ActiveX control.
  • Check
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push
  • Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the button.
  • Push


Then please post back here with the following logs:
  • ESET report
  • New DDS log

Thanks

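The entry "3838:TCP"= 3838:TCP:kjggb in the ComboFix log above is exactly what the fix.reg in this post removes: a globally open firewall port labelled with a random name rather than an application the owner installed (compare the two BitComet entries beside it). As an added example, not code from the thread or from ComboFix, the script below parses such entries, flags the ones whose label matches no application on an allow-list, and prints a REGEDIT4 removal script using the same "name"=- delete syntax as the fix above, written out with the full hive name. The sample lines are copied from the log; KNOWN_APPS is a constructed allow-list, and the raw-registry form handled in parse_entries ("port:proto:scope:mode:name") is the data layout of that key, which ComboFix prints in shortened form.

```python
"""Audit Windows XP firewall GloballyOpenPorts exceptions and build a .reg
script that deletes the ones nobody can account for.

Added example, not part of the thread. Sample lines copied from the ComboFix
log above; KNOWN_APPS is a constructed allow-list.
"""
import re

GOP_KEY = (r'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess'
           r'\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List')

# Sample entries as ComboFix prints them (copied from the log above).
SAMPLE_ENTRIES = '''\
"13727:TCP"= 13727:TCP:BitComet 13727 TCP
"13727:UDP"= 13727:UDP:BitComet 13727 UDP
"3838:TCP"= 3838:TCP:kjggb
'''

# Constructed allow-list: label prefixes of software the owner knows they
# installed. Any exception whose label matches none of these gets flagged.
KNOWN_APPS = ('BitComet',)


def parse_entries(text):
    """Parse '"port:proto"= port:proto[:scope:mode]:name' lines into dicts.

    Accepts both the ComboFix rendering above and the raw registry data
    ('3838:TCP:*:Enabled:kjggb', quoted in a .reg export); in either form the
    label is the last colon-separated field. Delete markers ('"x"=-') and
    anything that is not a port record are skipped.
    """
    entries = []
    for line in text.splitlines():
        m = re.match(r'^"([^"]+)"\s*=\s*"?([^"]*)"?\s*$', line)
        if not m:
            continue
        value_name, data = m.groups()
        fields = data.split(':')
        if len(fields) < 3 or not fields[0].isdigit():
            continue
        entries.append({'value': value_name, 'port': int(fields[0]),
                        'proto': fields[1].upper(), 'name': fields[-1]})
    return entries


def flag_unknown(entries, known=KNOWN_APPS):
    """Value names of exceptions whose label matches no known application."""
    return [e['value'] for e in entries
            if not any(e['name'].startswith(app) for app in known)]


def removal_reg(value_names):
    """Build a REGEDIT4 script deleting the given values ('"name"=-' syntax)."""
    lines = ['REGEDIT4', '', '[%s]' % GOP_KEY]
    lines += ['"%s"=-' % v for v in value_names]
    return '\n'.join(lines) + '\n'


if __name__ == '__main__':
    found = parse_entries(SAMPLE_ENTRIES)
    for e in found:
        print('%5d/%s  %s' % (e['port'], e['proto'], e['name']))
    print(removal_reg(flag_unknown(found)))
```

The allow-list is deliberately the weak point of this check: it only tells you which exceptions you cannot explain, and an unexplained open port is a reason to look at what process is listening on it, not proof of infection on its own.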


#11 WildBill4

WildBill4
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  • Local time:02:24 PM

Posted 12 April 2010 - 07:18 PM

CODE
DDS (Ver_10-03-17.01) - NTFSx86  
Run by Billy at 20:11:29.31 on Mon 04/12/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_18
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.2047.1347 [GMT -4:00]

AV: McAfee VirusScan Enterprise *On-access scanning disabled* (Updated)   {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}

============== Running Processes ===============

C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\program files\valve\steam\steam.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iTunes\iTunesHelper.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\VirusScan Enterprise\EngineServer.exe
C:\Program Files\iTunes\iTunesHelper .exe
C:\Program Files\McAfee\Common Framework\udaterui .exe
C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT .exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\Common Files\Java\Java Update\jusched .exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor .exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\WINDOWS\system32\mfevtps.exe
C:\Program Files\Autodesk\3DS Max 8\mentalray\satellite\raysat_3dsmax8server.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\dds.scr

============== Pseudo HJT Report ===============

uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~3\office12\GRA8E1~1.DLL
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan enterprise\scriptsn.dll
BHO: Skype add-on for Internet Explorer: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [Steam] "c:\program files\valve\steam\steam.exe" -silent
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [SkyTel] SkyTel.EXE
mRun: [QuickTime Task] "c:\program files\quicktime\qttask   .exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [McAfeeUpdaterUI] "c:\program files\mcafee\common framework\udaterui.exe" /StartedFromRunKey
mRun: [ShStatEXE] "c:\program files\mcafee\virusscan enterprise\SHSTAT.EXE" /STANDALONE
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
StartupFolder: c:\docume~1\billy\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} - hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.4/srl_bin/sysreqlab_nvd.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\micros~3\office12\GR99D3~1.DLL
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~3\office12\GRA8E1~1.DLL
IFEO: taskmgr.exe - "c:\program files\process explorer\PROCEXP.EXE"

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\billy\applic~1\mozilla\firefox\profiles\3m0z23rm.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npwachk.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency",   1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug",            false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight",       2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize",       1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight",   25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight",     5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation",  false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

P2 McShield;McAfee McShield;c:\program files\mcafee\virusscan enterprise\Mcshield.exe [2008-9-29 143088]
R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2010-3-29 340592]
R1 BIOS;BIOS;c:\windows\system32\drivers\BIOS.sys [2009-12-16 13696]
R2 McAfeeEngineService;McAfee Engine Service;c:\program files\mcafee\virusscan enterprise\EngineServer.exe [2008-9-29 19456]
R2 McAfeeFramework;McAfee Framework Service;c:\program files\mcafee\common framework\FrameworkService.exe [2008-3-14 103744]
R2 McTaskManager;McAfee Task Manager;c:\program files\mcafee\virusscan enterprise\VsTskMgr.exe [2008-9-29 62800]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2010-3-29 67904]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2010-3-29 90360]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2010-3-29 42424]
S2 gupdate1cab5dfdcb64e30;Google Update Service (gupdate1cab5dfdcb64e30);c:\program files\google\update\GoogleUpdate.exe [2010-2-25 133104]
S2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe --> c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [?]
S3 ManyCam;ManyCam Virtual Webcam, WDM Video Capture Driver;c:\windows\system32\drivers\ManyCam.sys [2008-1-14 21632]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2010-3-29 64432]

=============== Created Last 30 ================

2010-04-12 21:53:31    112    ----a-w-    c:\docume~1\alluse~1\applic~1\oxQn0y7.dat
2010-04-12 21:53:30    71170    ----a-w-    c:\docume~1\alluse~1\applic~1\bxBM50yb.exe
2010-04-12 15:36:30    0    d-----w-    c:\program files\ESET
2010-04-11 01:38:59    3558912    -c----w-    c:\windows\system32\dllcache\moviemk.exe
2010-04-11 01:11:34    0    d-sha-r-    C:\cmdcons
2010-04-11 01:08:00    98816    ----a-w-    c:\windows\sed.exe
2010-04-11 01:08:00    77312    ----a-w-    c:\windows\MBR.exe
2010-04-11 01:08:00    261632    ----a-w-    c:\windows\PEV.exe
2010-04-11 01:08:00    161792    ----a-w-    c:\windows\SWREG.exe
2010-04-10 18:51:42    0    d-----w-    c:\program files\Malwarebytes-Anti-Malware
2010-04-10 18:41:19    38224    ----a-w-    c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-10 18:41:17    19160    ----a-w-    c:\windows\system32\drivers\mbam.sys
2010-04-10 18:41:17    0    d-----w-    c:\program files\Malwarebytes' Anti-Malware
2010-04-10 06:14:31    0    d-----w-    c:\docume~1\billy\applic~1\Malwarebytes
2010-04-10 06:10:35    0    d-----w-    c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-04-10 06:08:22    5115824    ----a-w-    c:\program files\mbam-setup.exe
2010-04-10 05:48:09    0    d-----w-    C:\_OTL
2010-04-05 22:41:54    0    d-----w-    C:\spoolerlogs
2010-04-03 18:11:16    525824    ----a-w-    c:\program files\dds.scr
2010-04-03 01:24:36    0    d-----w-    c:\program files\Aspyr
2010-04-03 01:22:34    0    d-----w-    c:\windows\system32\appmgmt
2010-04-03 01:16:25    21116611    ----a-w-    c:\program files\GH3_PC_1.3_Patch.exe
2010-04-03 00:29:42    107888    ----a-w-    c:\windows\system32\CmdLineExt.dll
2010-03-30 16:17:18    0    d-----w-    C:\VundoFix Backups
2010-03-29 15:25:16    0    d-----w-    C:\QUARANTINE
2010-03-29 15:15:57    64432    ----a-w-    c:\windows\system32\drivers\mferkdet.sys
2010-03-29 15:15:56    90360    ----a-w-    c:\windows\system32\drivers\mfeavfk.sys
2010-03-29 15:15:56    74648    ----a-w-    c:\windows\system32\drivers\mfeapfk.sys
2010-03-29 15:15:56    42424    ----a-w-    c:\windows\system32\drivers\mfebopk.sys
2010-03-29 15:15:55    62704    ----a-w-    c:\windows\system32\drivers\mfetdik.sys
2010-03-29 15:15:55    340592    ----a-w-    c:\windows\system32\drivers\mfehidk.sys
2010-03-29 15:15:54    67904    ----a-w-    c:\windows\system32\mfevtps.exe
2010-03-29 15:15:25    0    d-----w-    c:\program files\common files\Cisco Systems
2010-03-29 15:15:17    0    d-----w-    c:\program files\McAfee
2010-03-26 18:32:28    2808907    ----a-w-    c:\program files\FeedBack0.97b.zip
2010-03-26 18:29:19    0    d-----w-    c:\program files\FeedBack0.97b
2010-03-22 01:41:27    0    d-----w-    c:\program files\SopCast
2010-03-22 01:40:02    5277219    ----a-w-    c:\program files\SopCast-328.zip

==================== Find3M  ====================

2010-04-13 00:00:47    71170    ----a-w-    c:\windows\fonts\7IMIPX2.com_
2010-04-12 15:27:28    52480    ----a-w-    c:\windows\system32\drivers\i8042prt.sys
2010-04-12 13:33:08    24576    ----a-w-    c:\windows\system32\drivers\kbdclass.sys
2010-04-05 04:26:52    14549    ----a-w-    c:\program files\Attach.txt
2010-04-05 04:26:46    16145    ----a-w-    c:\program files\DDS.txt
2010-02-25 05:59:06    2020136    ----a-w-    c:\program files\SkypeSetup.exe
2010-02-15 18:14:32    806    ----a-w-    c:\windows\system32\drivers\SYMEVENT.INF
2010-02-15 18:14:32    60808    ----a-w-    c:\windows\system32\S32EVNT1.DLL
2010-02-15 18:14:32    124464    ----a-w-    c:\windows\system32\drivers\SYMEVENT.SYS
2010-02-15 18:14:32    10635    ----a-w-    c:\windows\system32\drivers\SYMEVENT.CAT
2010-02-15 18:14:25    36272    ----a-r-    c:\windows\system32\drivers\SymIM.sys
2010-02-01 03:23:31    14892016    ----a-w-    c:\program files\ManyCam.exe
2009-12-23 01:42:28    1839496    ----a-w-    c:\program files\HousecallLauncher.exe
2009-12-21 03:30:36    18030130    ----a-w-    c:\program files\vlc-1.0.3-win32.exe
2009-12-17 12:57:04    32768    --sha-w-    c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009121720091218\index.dat

============= FINISH: 20:12:29.37 ===============



CODE
JavaRa 1.15 Removal Log.

Report follows after line.

------------------------------------

The JavaRa removal process was started on Mon Apr 12 11:21:50 2010

Found and removed: C:\Documents and Settings\Billy\Application Data\Sun\Java\jre1.6.0_15

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0000-0003-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0000-0004-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0000-0005-ABCDEFFEDCBA}

Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.0.1

Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.0.1_02

Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.0.1_03

Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.0.1_04

Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.2

Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.2.0_01

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0000-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0001-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0001-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0002-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0002-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0003-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0003-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0004-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0004-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0005-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0005-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0006-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0006-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0007-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0007-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0008-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0008-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0009-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0009-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0010-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0010-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0011-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0011-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0012-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0012-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0013-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0013-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0014-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0014-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0015-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0015-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0016-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0016-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0017-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0017-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0018-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0018-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0019-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0019-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0020-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0020-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0021-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0021-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0022-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0022-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0023-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0023-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0024-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0024-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0025-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0025-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0026-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0026-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0027-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0027-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0028-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0028-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0029-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0029-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0030-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0030-ABCDEFFEDCBB}

Found and removed: SOFTWARE\Microsoft\Active Setup\Installed Components\{08B0E5C0-4FCB-11CF-AAA5-00401C608500}

------------------------------------

Finished reporting.



JavaRa 1.15 Removal Log.

Report follows after line.

------------------------------------

The JavaRa removal process was started on Mon Apr 12 11:23:27 2010

Found and removed: C:\Documents and Settings\Billy\Application Data\Sun\Java\jre1.6.0_17

------------------------------------

Finished reporting.



Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SunJavaUpdateSched


Also, ave.exe came back once already but seems to have stopped now, and I'm now getting more pop-ups and advertisements, so it looks like we're not quite there yet. Thanks so much for everything so far though!



Edited by WildBill4, 12 April 2010 - 08:03 PM.


#12 syler

syler

  • Malware Response Team
  • 8,150 posts
  • OFFLINE
  • Gender:Male
  • Location:Warrington, UK
  • Local time:07:24 PM

Posted 13 April 2010 - 10:14 AM

It appears you still have a nasty infection there; let's try and get a rootkit scan.

  1. Please download GMER from one of the following locations, and save it to your desktop:
    • Main Mirror
      This version will download a randomly named file (Recommended)
    • Zip Mirror
      This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  2. Disconnect from the Internet and close all running programs, as this process may crash your computer.
  3. Temporarily disable any real-time active protection so your security program drivers will not conflict with gmer's driver.
  4. Double click on Gmer to run it.
  5. Allow the gmer.sys driver to load if asked.
  6. You may see a rootkit warning window. If you do, click No.
  7. Untick the following boxes on the right side of the Gmer screen.
    Show All
  8. Click on and wait for the scan to finish.
  9. If you see a rootkit warning window, click OK.
  10. Push and save the logfile to your desktop.
  11. Copy and Paste the contents of that file in your next post.

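The scan above produces a log like the one posted in the next reply. As an added example, not part of this thread and not GMER's own code, the following Python script triages such a log: it counts kernel hooks per owning module (hooks credited to the installed antivirus driver are expected there), lists user-mode hooks whose JMP target GMER could not attribute to any module, and collects the driver-section and file findings so they are not lost among the vendor hooks. The excerpt it parses is copied from the log in the next reply; the regular expressions are assumptions about GMER's column layout as it appears there, not a documented format.

```python
import re
from collections import Counter

# Column layout as seen in GMER 1.0.15 output (assumed from the log, not a documented format).
MODULE_RE = re.compile(r"(?P<module>[\w.-]+\.(?:sys|exe|dll)) \((?P<vendor>[^)]*)\)", re.I)
# ".text  <process>[<pid>] <dll>!<func>  <addr> N Bytes  JMP <target> [<module> (<vendor>)]"
USER_HOOK_RE = re.compile(
    r"^\.text\s+(?P<process>.+?)\[(?P<pid>\d+)\]\s+(?P<func>\S+)\s+[0-9A-F]+\s+"
    r"\d+ Bytes\s+JMP (?P<target>[0-9A-F]+)(?P<rest>.*)$"
)
# "<section>  <driver path>  <note>", e.g. a writeable .text section or an entry point in .rsrc
SECTION_RE = re.compile(r"^(?P<section>\S+)\s+(?P<path>[A-Za-z]:\\\S+)\s{2,}(?P<note>.+)$")
FILE_RE = re.compile(r"^File\s+(?P<path>[A-Za-z]:\\\S+)\s{2,}(?P<note>.+)$")


def triage(log_text):
    """Summarise a GMER log into the items that deserve a second look."""
    hooks_by_module = Counter()
    attributed, unattributed = [], []
    driver_anomalies, flagged_files = [], []
    for raw in log_text.splitlines():
        line = raw.rstrip()
        if line.startswith(("Code ", "PAGE ")):
            # Kernel SSDT / inline hook: credit it to the module GMER names, if any.
            m = MODULE_RE.search(line)
            hooks_by_module[m.group("module").lower() if m else "<unattributed>"] += 1
        elif (m := USER_HOOK_RE.match(line)):
            hook = {"process": m.group("process"), "pid": int(m.group("pid")),
                    "function": m.group("func"), "target": m.group("target")}
            owner = MODULE_RE.search(m.group("rest"))
            if owner:
                hook["module"] = owner.group("module")
                attributed.append(hook)
            else:
                unattributed.append(hook)   # JMP into memory GMER could not map to a module
        elif (m := FILE_RE.match(line)):
            flagged_files.append((m.group("path"), m.group("note")))
        elif (m := SECTION_RE.match(line)):
            driver_anomalies.append((m.group("path"), m.group("section"), m.group("note")))
    return {
        "kernel_hooks_by_module": dict(hooks_by_module),
        "attributed_user_hooks": attributed,
        "unattributed_user_hooks": unattributed,
        "driver_anomalies": driver_anomalies,
        "flagged_files": flagged_files,
    }


# Excerpt copied from the GMER log posted in the next reply.
GMER_EXCERPT = r"""
---- System - GMER 1.0.15 ----

Code            mfehidk.sys (McAfee Link Driver/McAfee, Inc.)                              ZwCreateKey [0xB7DBD086]
Code            mfehidk.sys (McAfee Link Driver/McAfee, Inc.)                              ZwOpenProcess [0xB7DBCFE4]

---- Kernel code sections - GMER 1.0.15 ----

PAGE            ntkrnlpa.exe!NtOpenProcess                                                 805CB40A 5 Bytes  JMP B7DBCFE8 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
.text           C:\WINDOWS\system32\DRIVERS\nv4_mini.sys                                   section is writeable [0xB4E60380, 0x5414D5, 0xE8000020]
.rsrc           C:\WINDOWS\system32\DRIVERS\kbdclass.sys                                   entry point in ".rsrc" section [0xB845CE14]
?               C:\WINDOWS\system32\Drivers\PROCEXP113.SYS                                 The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text           C:\WINDOWS\Explorer.EXE[416] ntdll.dll!NtProtectVirtualMemory              7C90D6EE 5 Bytes  JMP 00B6000A
.text           C:\WINDOWS\System32\svchost.exe[1368] ntdll.dll!NtWriteVirtualMemory       7C90DFAE 5 Bytes  JMP 009A000A

---- Files - GMER 1.0.15 ----

File            C:\WINDOWS\system32\DRIVERS\kbdclass.sys                                   suspicious modification
File            C:\WINDOWS\system32\drivers\atapi.sys                                      suspicious modification
"""

if __name__ == "__main__":
    for key, value in triage(GMER_EXCERPT).items():
        print(f"{key}: {value}")
```

Hooks credited to a known security product are the baseline for that machine; what the analyst reads first is the remainder: hooks with no owner, a driver whose entry point sits in its resource section, and the files GMER itself marks as modified.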


#13 WildBill4

WildBill4
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  • Local time:02:24 PM

Posted 13 April 2010 - 10:47 PM

Hey! Here's the GMER Log:

CODE
GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-04-13 21:15:00
Windows 5.1.2600 Service Pack 3
Running: 1unf6ioz.exe; Driver: C:\DOCUME~1\Billy\LOCALS~1\Temp\fwrcypob.sys


---- System - GMER 1.0.15 ----

Code            mfehidk.sys (McAfee Link Driver/McAfee, Inc.)                              ZwCreateKey [0xB7DBD086]
Code            mfehidk.sys (McAfee Link Driver/McAfee, Inc.)                              ZwCreateProcess [0xB7DBD020]
Code            mfehidk.sys (McAfee Link Driver/McAfee, Inc.)                              ZwCreateProcessEx [0xB7DBD034]
Code            mfehidk.sys (McAfee Link Driver/McAfee, Inc.)                              ZwDeleteKey [0xB7DBD09A]
Code            mfehidk.sys (McAfee Link Driver/McAfee, Inc.)                              ZwDeleteValueKey [0xB7DBD0C6]
Code            mfehidk.sys (McAfee Link Driver/McAfee, Inc.)                              ZwEnumerateKey [0xB7DBD134]
Code            mfehidk.sys (McAfee Link Driver/McAfee, Inc.)                              ZwEnumerateValueKey [0xB7DBD11E]
Code            mfehidk.sys (McAfee Link Driver/McAfee, Inc.)                              ZwLoadKey2 [0xB7DBD14A]
Code            mfehidk.sys (McAfee Link Driver/McAfee, Inc.)                              ZwNotifyChangeKey [0xB7DBD176]
Code            mfehidk.sys (McAfee Link Driver/McAfee, Inc.)                              ZwOpenKey [0xB7DBD072]
Code            mfehidk.sys (McAfee Link Driver/McAfee, Inc.)                              ZwOpenProcess [0xB7DBCFE4]
Code            mfehidk.sys (McAfee Link Driver/McAfee, Inc.)                              ZwOpenThread [0xB7DBCFF8]
Code            mfehidk.sys (McAfee Link Driver/McAfee, Inc.)                              ZwQueryKey [0xB7DBD1B2]
Code            mfehidk.sys (McAfee Link Driver/McAfee, Inc.)                              ZwQueryMultipleValueKey [0xB7DBD108]
Code            mfehidk.sys (McAfee Link Driver/McAfee, Inc.)                              ZwQueryValueKey [0xB7DBD0F2]
Code            mfehidk.sys (McAfee Link Driver/McAfee, Inc.)                              ZwRenameKey [0xB7DBD0B0]
Code            mfehidk.sys (McAfee Link Driver/McAfee, Inc.)                              ZwReplaceKey [0xB7DBD19E]
Code            mfehidk.sys (McAfee Link Driver/McAfee, Inc.)                              ZwRestoreKey [0xB7DBD18A]
Code            mfehidk.sys (McAfee Link Driver/McAfee, Inc.)                              ZwSetContextThread [0xB7DBD05E]
Code            mfehidk.sys (McAfee Link Driver/McAfee, Inc.)                              ZwSetInformationProcess [0xB7DBD04A]
Code            mfehidk.sys (McAfee Link Driver/McAfee, Inc.)                              ZwSetValueKey [0xB7DBD0DC]
Code            mfehidk.sys (McAfee Link Driver/McAfee, Inc.)                              ZwTerminateProcess [0xB7DBD00C]
Code            mfehidk.sys (McAfee Link Driver/McAfee, Inc.)                              ZwUnloadKey [0xB7DBD160]
Code            mfehidk.sys (McAfee Link Driver/McAfee, Inc.)                              NtOpenProcess
Code            mfehidk.sys (McAfee Link Driver/McAfee, Inc.)                              NtOpenThread
Code            mfehidk.sys (McAfee Link Driver/McAfee, Inc.)                              NtSetInformationProcess

---- Kernel code sections - GMER 1.0.15 ----

PAGE            ntkrnlpa.exe!NtOpenProcess                                                 805CB40A 5 Bytes  JMP B7DBCFE8 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE            ntkrnlpa.exe!NtOpenThread                                                  805CB696 5 Bytes  JMP B7DBCFFC mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE            ntkrnlpa.exe!NtSetInformationProcess                                       805CDE54 5 Bytes  JMP B7DBD04E mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE            ntkrnlpa.exe!ZwCreateProcessEx                                             805D1144 7 Bytes  JMP B7DBD038 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE            ntkrnlpa.exe!ZwCreateProcess                                               805D11FA 5 Bytes  JMP B7DBD024 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE            ntkrnlpa.exe!ZwSetContextThread                                            805D1704 5 Bytes  JMP B7DBD062 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE            ntkrnlpa.exe!ZwTerminateProcess                                            805D29AC 5 Bytes  JMP B7DBD010 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE            ntkrnlpa.exe!ZwQueryValueKey                                               806219EE 7 Bytes  JMP B7DBD0F6 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE            ntkrnlpa.exe!ZwSetValueKey                                                 80621D3C 7 Bytes  JMP B7DBD0E0 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE            ntkrnlpa.exe!ZwUnloadKey                                                   80622066 7 Bytes  JMP B7DBD164 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE            ntkrnlpa.exe!ZwQueryMultipleValueKey                                       80622904 7 Bytes  JMP B7DBD10C mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE            ntkrnlpa.exe!ZwRenameKey                                                   806231D8 7 Bytes  JMP B7DBD0B4 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE            ntkrnlpa.exe!ZwCreateKey                                                   806237B6 5 Bytes  JMP B7DBD08A mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE            ntkrnlpa.exe!ZwDeleteKey                                                   80623C46 7 Bytes  JMP B7DBD09E mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE            ntkrnlpa.exe!ZwDeleteValueKey                                              80623E16 7 Bytes  JMP B7DBD0CA mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE            ntkrnlpa.exe!ZwEnumerateKey                                                80623FF6 7 Bytes  JMP B7DBD138 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE            ntkrnlpa.exe!ZwEnumerateValueKey                                           80624260 7 Bytes  JMP B7DBD122 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE            ntkrnlpa.exe!ZwOpenKey                                                     80624B88 5 Bytes  JMP B7DBD076 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE            ntkrnlpa.exe!ZwQueryKey                                                    80624EAE 7 Bytes  JMP B7DBD1B6 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE            ntkrnlpa.exe!ZwRestoreKey                                                  8062516E 5 Bytes  JMP B7DBD18E mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE            ntkrnlpa.exe!ZwLoadKey2                                                    806255BE 7 Bytes  JMP B7DBD14E mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE            ntkrnlpa.exe!ZwReplaceKey                                                  80625862 5 Bytes  JMP B7DBD1A2 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE            ntkrnlpa.exe!ZwNotifyChangeKey                                             8062597C 5 Bytes  JMP B7DBD17A mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
.text           C:\WINDOWS\system32\DRIVERS\nv4_mini.sys                                   section is writeable [0xB4E60380, 0x5414D5, 0xE8000020]
.rsrc           C:\WINDOWS\system32\DRIVERS\kbdclass.sys                                   entry point in ".rsrc" section [0xB845CE14]
?               C:\WINDOWS\system32\Drivers\PROCEXP113.SYS                                 The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text           C:\WINDOWS\Explorer.EXE[416] ntdll.dll!NtProtectVirtualMemory              7C90D6EE 5 Bytes  JMP 00B6000A
.text           C:\WINDOWS\Explorer.EXE[416] ntdll.dll!NtWriteVirtualMemory                7C90DFAE 5 Bytes  JMP 00C0000A
.text           C:\WINDOWS\Explorer.EXE[416] ntdll.dll!KiUserExceptionDispatcher           7C90E47C 5 Bytes  JMP 00B5000C
.text           C:\WINDOWS\system32\wuauclt.exe[1284] ntdll.dll!NtProtectVirtualMemory     7C90D6EE 5 Bytes  JMP 00C1000A
.text           C:\WINDOWS\system32\wuauclt.exe[1284] ntdll.dll!NtWriteVirtualMemory       7C90DFAE 5 Bytes  JMP 00C2000A
.text           C:\WINDOWS\system32\wuauclt.exe[1284] ntdll.dll!KiUserExceptionDispatcher  7C90E47C 5 Bytes  JMP 00C0000C
.text           C:\WINDOWS\System32\svchost.exe[1368] ntdll.dll!NtProtectVirtualMemory     7C90D6EE 5 Bytes  JMP 0099000A
.text           C:\WINDOWS\System32\svchost.exe[1368] ntdll.dll!NtWriteVirtualMemory       7C90DFAE 5 Bytes  JMP 009A000A
.text           C:\WINDOWS\System32\svchost.exe[1368] ntdll.dll!KiUserExceptionDispatcher  7C90E47C 5 Bytes  JMP 0098000C

---- Devices - GMER 1.0.15 ----

AttachedDevice  \FileSystem\Ntfs \Ntfs                                                     mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
AttachedDevice  \Driver\Tcpip \Device\Ip                                                   mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice  \Driver\Tcpip \Device\Tcp                                                  mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice  \Driver\Tcpip \Device\Udp                                                  mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice  \Driver\Tcpip \Device\RawIp                                                mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)

Device           -> \Driver\atapi \Device\Harddisk0\DR0                                    89B95AC8

---- Files - GMER 1.0.15 ----

File            C:\WINDOWS\system32\DRIVERS\kbdclass.sys                                   suspicious modification
File            C:\WINDOWS\system32\drivers\atapi.sys                                      suspicious modification

---- EOF - GMER 1.0.15 ----


On a side note, I noticed two processes in Process Explorer (the replacement I use for the Task Manager) running called iTunesHelper.exe and iTunesHelper .exe (which has a space right before the file extension). I've seen iTunesHelper.exe running before and it's normal. It has the iTunes logo on it, and under its properties it has a program description and is also listed as being an Apple company product. However, here is the interesting part: the virus seems to have renamed it to the one with the space in the file name right before the extension. Now in Process Explorer I see both programs, and iTunesHelper .exe is the legit one and iTunesHelper.exe is the odd one (it does not have an icon associated with it, nor a program description or company name). Here is a screenshot, and you can see the two programs near the bottom of the list. Both programs are located in the same directory, too. The sketchy one has a file size of only 41 KB, which is definitely suspicious.

This may or may not help narrow down what's going on but I figured it was worth pointing out. Thanks again for all your help so far, syler!
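The two iTunesHelper entries described above, differing only by a space before the extension, are worth checking mechanically, and the DDS log earlier in this thread shows the same pattern in a Run value (`"c:\program files\quicktime\qttask   .exe" -atboottime`). As an added example, not part of the original post, this Python script finds such name pairs in a directory listing and the Run-key values that point at a padded name. The listing and its file sizes are constructed for illustration (the post gives only the 41 KB figure), and the script makes no judgement about which twin is legitimate; that is what the hash and signature check is for.

```python
import re
from collections import defaultdict

# File name whose extension is preceded by spaces or tabs, e.g. "iTunesHelper .exe".
PADDED_RE = re.compile(r"^(?P<stem>.+?)(?P<pad>[ \t]+)(?P<ext>\.[A-Za-z0-9]+)$")


def canonical_name(filename):
    """Return (name with the padding removed, lower-cased; whether padding was present)."""
    m = PADDED_RE.match(filename)
    if m:
        return (m.group("stem") + m.group("ext")).lower(), True
    return filename.lower(), False


def find_padded_twins(listing):
    """listing: iterable of (directory, filename, size_bytes).

    Returns one finding per directory in which a padded and an unpadded
    version of the same name coexist; both versions are returned so the
    analyst can compare size, signature and hash."""
    groups = defaultdict(list)
    for directory, filename, size in listing:
        name, padded = canonical_name(filename)
        groups[(directory.lower(), name)].append(
            {"name": filename, "size": size, "padded": padded})
    findings = []
    for (directory, name), files in sorted(groups.items()):
        padded = [f for f in files if f["padded"]]
        plain = [f for f in files if not f["padded"]]
        if padded and plain:
            findings.append({"directory": directory, "canonical": name,
                             "padded": padded, "plain": plain})
    return findings


def executable_from_run_value(value):
    """Program path from a Run-key value: the quoted string if present, else the first token.
    An unquoted path containing spaces is ambiguous here, as it is for Windows itself."""
    value = value.strip()
    if value.startswith('"'):
        end = value.find('"', 1)
        return value[1:end] if end > 0 else value[1:]
    return value.split(" ", 1)[0]


def padded_run_targets(run_values):
    """Run-key targets whose file name carries padding before the extension."""
    hits = []
    for value in run_values:
        exe = executable_from_run_value(value)
        basename = exe.replace("/", "\\").rsplit("\\", 1)[-1]
        if canonical_name(basename)[1]:
            hits.append(exe)
    return hits


# Constructed listing: the post reports two iTunesHelper files in one folder,
# the unpadded one about 41 KB; the other sizes are illustrative.
SAMPLE_LISTING = [
    (r"C:\Program Files\iTunes", "iTunes.exe", 16_500_000),
    (r"C:\Program Files\iTunes", "iTunesHelper.exe", 41 * 1024),
    (r"C:\Program Files\iTunes", "iTunesHelper .exe", 290_000),
    (r"C:\Program Files\QuickTime", "QTTask.exe", 430_000),
]
# Run values: the first two are copied from the DDS log in this thread.
SAMPLE_RUN_VALUES = [
    r'"c:\program files\quicktime\qttask   .exe" -atboottime',
    r'"c:\program files\itunes\iTunesHelper.exe"',
    "RTHDCPL.EXE",
]

if __name__ == "__main__":
    for finding in find_padded_twins(SAMPLE_LISTING):
        print(finding)
    print(padded_run_targets(SAMPLE_RUN_VALUES))
```

On a live system the listing comes from `os.scandir` over the folders named in the Run keys; the point of the pairing is that whichever twin the Run key launches is the one that runs at logon, regardless of which one carries the vendor's icon and description.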

#14 syler

syler

  • Malware Response Team
  • 8,150 posts
  • OFFLINE
  • Gender:Male
  • Location:Warrington, UK
  • Local time:07:24 PM

Posted 14 April 2010 - 06:28 AM

Hello,

When you post the logs, can you post them without the codebox? Thanks.

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2
  • Double-click SystemLook.exe to run it.
  • A blank Windows shall open with the title "SystemLook v1.0-by Jpshortstuff".
  • Copy the content of the following codebox into the main textfield :
    CODE
    :filefind
    kbdclass.*
  • Please confirm everything is copied and pasted as I have provided above.
  • Click the Look button to start the scan.
  • When finished, a Notepad window will open with the results of the scan. Please post this log in your next reply.

Note: The log can also be found on your Desktop entitled SystemLook.txt



#15 WildBill4

WildBill4
  • Topic Starter

  • Members
  • 14 posts
  • Local time:02:24 PM

Posted 14 April 2010 - 10:48 AM

Sorry about that; I thought it might make distinguishing the logs from the message a little easier, but I'll stop. Here are the contents of the SystemLook.txt file:

SystemLook v1.0 by jpshortstuff (11.01.10)
Log created at 11:23 on 14/04/2010 by Billy (Administrator - Elevation successful)

========== filefind ==========

Searching for "kbdclass.*"
C:\cmdcons\KBDCLASS.SY_ --a--- 12223 bytes [02:58 04/08/2004] [02:58 04/08/2004] 9C0B5DF5E22E6F17A8D40CDFCDACACD8
C:\WINDOWS\$NtServicePackUninstall$\kbdclass.sys -----c 24576 bytes [12:34 17/12/2009] [12:00 04/08/2004] EBDEE8A2EE5393890A1ACEE971C4C246
C:\WINDOWS\ERDNT\cache\kbdclass.sys --a--- 24576 bytes [01:42 11/04/2010] [18:39 13/04/2008] 463C1EC80CD17420A542B7F36A36F128
C:\WINDOWS\ServicePackFiles\i386\kbdclass.sys ------ 24576 bytes [18:39 13/04/2008] [18:39 13/04/2008] 463C1EC80CD17420A542B7F36A36F128
C:\WINDOWS\system32\dllcache\kbdclass.sys --a--c 24576 bytes [12:00 04/08/2004] [13:33 12/04/2010] 463C1EC80CD17420A542B7F36A36F128
C:\WINDOWS\system32\drivers\kbdclass.sys --a--- 24576 bytes [12:00 04/08/2004] [13:33 12/04/2010] 463C1EC80CD17420A542B7F36A36F128

-=End Of File=-

It's worth noting too that I had keyboard issues two days ago after one of the scans. I restarted my computer and the keyboard no longer worked. I googled the problem and found the registry value to edit to fix it (something with kbdclass, but I don't remember the specifics), then I had to uninstall the keyboard driver through the Control Panel. When I restarted again it worked again and I haven't had any issues with it since. I'm not sure if that may be the reason the GMER log listed the kbdclass.sys file as having a suspicious modification or not but I figured I'd point it out.

Also, iTunesHelper.exe no longer has the fake duplicate process with the space in the file name running, but instead jusched.exe, a Java-related program, has a fake duplicate running (with the space right before the file extension in the file name). Maybe that helps and maybe it doesn't, but again I figured I'd speak up. Thanks again!
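The SystemLook filefind output in the post above lends itself to a mechanical check: compare the MD5 of the driver actually in use (system32\drivers) against the copies Windows File Protection and the service pack keep (system32\dllcache and ServicePackFiles\i386). The Python example below is added here for illustration; it is not code from the thread, from SystemLook's author or from GMER. The embedded log text is the filefind section exactly as posted; the choice of which folders count as "live" and "reference" is the example's own assumption. Note that in this log the live copy and both reference copies share the same 13:33 12/04/2010 stamp, so agreement among them shows only that the copies are consistent with each other, not that any of them is original; a hash from clean installation media is the stronger check.

```python
"""Parse SystemLook ':filefind' output and compare the in-use driver against cached copies.

Added example, not code from the thread or from SystemLook. The log text is
the filefind section as posted in the thread; folder roles are assumptions.
"""
import re
from dataclasses import dataclass

# The filefind section quoted from the post (verbatim).
SYSTEMLOOK_LOG = r"""
SystemLook v1.0 by jpshortstuff (11.01.10)
Log created at 11:23 on 14/04/2010 by Billy (Administrator - Elevation successful)

========== filefind ==========

Searching for "kbdclass.*"
C:\cmdcons\KBDCLASS.SY_ --a--- 12223 bytes [02:58 04/08/2004] [02:58 04/08/2004] 9C0B5DF5E22E6F17A8D40CDFCDACACD8
C:\WINDOWS\$NtServicePackUninstall$\kbdclass.sys -----c 24576 bytes [12:34 17/12/2009] [12:00 04/08/2004] EBDEE8A2EE5393890A1ACEE971C4C246
C:\WINDOWS\ERDNT\cache\kbdclass.sys --a--- 24576 bytes [01:42 11/04/2010] [18:39 13/04/2008] 463C1EC80CD17420A542B7F36A36F128
C:\WINDOWS\ServicePackFiles\i386\kbdclass.sys ------ 24576 bytes [18:39 13/04/2008] [18:39 13/04/2008] 463C1EC80CD17420A542B7F36A36F128
C:\WINDOWS\system32\dllcache\kbdclass.sys --a--c 24576 bytes [12:00 04/08/2004] [13:33 12/04/2010] 463C1EC80CD17420A542B7F36A36F128
C:\WINDOWS\system32\drivers\kbdclass.sys --a--- 24576 bytes [12:00 04/08/2004] [13:33 12/04/2010] 463C1EC80CD17420A542B7F36A36F128

-=End Of File=-
"""

# Folder roles are this example's assumption about which copies matter.
LIVE_DIR = r"C:\WINDOWS\system32\drivers"
REFERENCE_DIRS = (r"C:\WINDOWS\system32\dllcache", r"C:\WINDOWS\ServicePackFiles\i386")

# One result line: path, six attribute flags, size, two bracketed timestamps, MD5.
LINE_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?)\s+(?P<attrs>[-a-z]{6})\s+(?P<size>\d+) bytes"
    r"\s+\[(?P<stamp1>[^\]]+)\]\s+\[(?P<stamp2>[^\]]+)\]\s+(?P<md5>[0-9A-Fa-f]{32})\s*$"
)


@dataclass
class FileHit:
    path: str
    attrs: str
    size: int
    stamps: tuple  # the two timestamps in the order SystemLook prints them
    md5: str


def parse_filefind(log_text: str):
    """Return one FileHit per result line; header, banner and footer lines are ignored."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            hits.append(FileHit(m["path"], m["attrs"], int(m["size"]),
                                (m["stamp1"], m["stamp2"]), m["md5"].upper()))
    return hits


def compare_live_to_references(hits, live_dir=LIVE_DIR, ref_dirs=REFERENCE_DIRS):
    """Compare the in-use copy's MD5 with the copies under the reference folders.

    Compressed cabinet members (names ending in '_', like KBDCLASS.SY_ in cmdcons)
    are skipped because their MD5 covers compressed data. Copies in any other
    folder (service pack uninstall backup, ERUNT cache) are listed under 'other'
    for the analyst; an older pre-SP hash there is expected and not a finding.
    """
    def under(path, folder):
        return path.casefold().startswith(folder.casefold().rstrip("\\") + "\\")

    result = {"live_md5": None, "reference_md5s": {}, "skipped": [], "other": [], "consistent": False}
    live_hashes = set()
    for h in hits:
        if h.path.endswith("_"):
            result["skipped"].append(h.path)
        elif under(h.path, live_dir):
            live_hashes.add(h.md5)
        elif any(under(h.path, d) for d in ref_dirs):
            result["reference_md5s"][h.path] = h.md5
        else:
            result["other"].append(h.path)
    if len(live_hashes) == 1:
        result["live_md5"] = live_hashes.pop()
    ref_set = set(result["reference_md5s"].values())
    result["consistent"] = result["live_md5"] is not None and bool(ref_set) and ref_set == {result["live_md5"]}
    return result


if __name__ == "__main__":
    verdict = compare_live_to_references(parse_filefind(SYSTEMLOOK_LOG))
    print("live driver MD5:", verdict["live_md5"])
    print("matches reference copies:", verdict["consistent"])
    print("skipped (compressed):", verdict["skipped"])
    print("other copies to review:", verdict["other"])
```

If the live hash disagreed with the dllcache and ServicePackFiles copies, that would be the concrete follow-up to GMER's "suspicious modification" line; when they agree, the remaining question is whether the cached copies themselves are trustworthy, which the identical modification stamps in this log do not answer.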



