Antivirus Suite / Virtumonde


This topic is locked
19 replies to this topic

#1 aLuffabo

aLuffabo

  • Members
  • 12 posts
  • OFFLINE
  • Local time:07:33 PM

Posted 13 April 2010 - 11:51 AM

Hello!

I have been infected by the Antivirus Suite atrocity! I surfed your site and found the removal guide, and attempted to follow those instructions to remove it myself. However, I ran into a few problems. Firstly, I got through all the steps, I downloaded Rkill.log to stop any malware processes, but when I went to download MalwareBytes program to actually remove the Suite, it wouldn't open once downloaded. So, I would download MalwareBytes and have the icon on the desktop, but when I go to open it, it says that there is nothing in the folder and asks if I would like to remove the shortcut. I have tried multiple downloads, uninstalling MalwareBytes and reinstalling it, with no change in the outcome (I did all this in safe mode with networking, per the instructions). Now, my computer won't go into safe mode any more, and I am still stuck with the virus.

I also have a Virtumonde that my malware/spyware programs won't remove. I don't know if you have an easy way to remove that as well, but that is secondary to the Suite, which is making it impossible to use the computer! For clarity's sake, I want to let you know that I have been using IObit SystemCare and IObit Security 360 Free versions as my antivirus. I also had SpywareDoctor for a bit, but it is out of date now and should probably be removed, but I can't do that because of the Suite on my computer. I also have SpyBot Search & Destroy, which I downloaded recently in an attempt to clear up the computer.

Thank you in advance for your help, this is truly an awesome thing you guys do for people! Much appreciated! Have a fantastic day and I look forward to hearing from you.

-Brit Peterson


DDS (Ver_10-03-17.01) - NTFSx86
Run by Marcia Bennett at 2:04:23.34 on Tue 04/13/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_19
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1982.1450 [GMT -5:00]

AV: Spyware Doctor with AntiVirus *On-access scanning enabled* (Outdated) {D3C23B96-C9DC-477F-8EF1-69AF17A6EFF6}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\acs.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Marcia Bennett\Desktop\dds.scr
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://idp.cor.safemls.net/idp/Authn/UserPassword
uSearch Bar = hxxp://www.google.com/ie
uSearch Page = hxxp://www.google.com
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: PC Tools Browser Guard BHO: {2a0f3d1b-0909-4ff4-b272-609cce6054e7} - c:\program files\spyware doctor\bdt\PCTBrowserDefender.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: {d4119301-7ac7-42fe-aa80-4d340fcd08c8} - melepoju.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: PC Tools Browser Guard: {472734ea-242a-422b-adf8-83d1e48cc825} - c:\program files\spyware doctor\bdt\PCTBrowserDefender.dll
TB: {C17590D2-ECB4-4B15-8820-F58798DCC118} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Advanced SystemCare 3] "c:\program files\iobit\advanced systemcare 3\AWC.exe" /startup
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [henbagvc] c:\documents and settings\marcia bennett\local settings\application data\tuedocveo\veyamjgtssd.exe
mRun: [IObit Security 360] "c:\program files\iobit\iobit security 360\IS360tray.exe" /autostart
mRun: [henbagvc] c:\documents and settings\marcia bennett\local settings\application data\tuedocveo\veyamjgtssd.exe
mRun: [dagugosaze] Rundll32.exe "darejaju.dll",s
mRun: [kulenotul] Rundll32.exe "c:\windows\system32\vajozesi.dll",a
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
IE: {EF79EAC5-3452-4E02-B8BD-BA4C89F1AC7A} - {1FBA04EE-3024-11D2-8F1F-0000F87ABD16} c:\program files\irfanview\ebay\ebay.htm - c:\program files\irfanview\ebay\ebay.htm\inprocserver32 does not exist!
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_04-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Notify: AtiExtEvent - Ati2evxx.dll
AppInit_DLLs: c:\windows\system32\vajozesi.dll,suzejuta.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SSODL: zoliwutiv - {9a952a41-ed84-44c3-a65f-d022aab4217f} -
SSODL: juretapaw - {14405649-2168-47b0-82d3-014204751ef5} - No File
SSODL: jiyisemod - {d4d1ac56-8b5b-4d83-993c-90584338c446} -
SSODL: koposijet - {ba774bc8-827e-4a6f-88c8-046dfd639006} - No File
SSODL: jagawarab - {5b619474-132f-4f95-8609-8fa9cc6138a0} - c:\windows\system32\vajozesi.dll
STS: {9a952a41-ed84-44c3-a65f-d022aab4217f}: jugezatag
STS: {d4d1ac56-8b5b-4d83-993c-90584338c446}: gahurihor
STS: tokatiluy: {5b619474-132f-4f95-8609-8fa9cc6138a0} - c:\windows\system32\vajozesi.dll
LSA: Notification Packages = scecli zunohuwu.dll suzejuta.dll
IFEO: MpCmdRun.exe - c:\windows\system32\svchost.exe
IFEO: MsMpEng.exe - c:\windows\system32\svchost.exe
IFEO: msseces.exe - c:\windows\system32\svchost.exe

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\marcia~1\applic~1\mozilla\firefox\profiles\jvvlk4li.default\
FF - prefs.js: browser.startup.homepage - www.google.com
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\google\picasa3\npPicasa2.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: browser.cache.memory.capacity - 65536
FF - user.js: browser.chrome.favicons - false
FF - user.js: browser.display.show_image_placeholders - true
FF - user.js: browser.turbo.enabled - true
FF - user.js: browser.urlbar.autocomplete.enabled - true
FF - user.js: browser.urlbar.autofill - true
FF - user.js: content.interrupt.parsing - true
FF - user.js: content.max.tokenizing.time - 2250000
FF - user.js: content.notify.backoffcount - 5
FF - user.js: content.notify.interval - 750000
FF - user.js: content.notify.ontimer - true
FF - user.js: content.switch.threshold - 750000
FF - user.js: network.http.max-connections - 48
FF - user.js: network.http.max-connections-per-server - 16
FF - user.js: network.http.max-persistent-connections-per-proxy - 16
FF - user.js: network.http.max-persistent-connections-per-server - 8
FF - user.js: network.http.pipelining - true
FF - user.js: network.http.pipelining.firstrequest - true
FF - user.js: network.http.pipelining.maxrequests - 8
FF - user.js: network.http.proxy.pipelining - true
FF - user.js: network.http.request.max-start-delay - 0
FF - user.js: nglayout.initialpaint.delay - 0
FF - user.js: plugin.expose_full_path - true
FF - user.js: ui.submenuDelay - 0
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2010-3-19 207280]
R2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\spyware doctor\bdt\BDTUpdateService.exe [2010-3-19 112592]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-1-6 135664]
S2 IS360service;IS360service;c:\program files\iobit\iobit security 360\is360srv.exe [2010-3-17 311568]

=============== Created Last 30 ================

2010-04-13 07:02:35 0 ----a-w- c:\documents and settings\marcia bennett\defogger_reenable
2010-04-09 05:58:25 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-08 23:13:44 0 d-----w- c:\docume~1\marcia~1\applic~1\Malwarebytes
2010-04-08 22:05:50 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-04-01 21:04:04 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-04-01 05:14:58 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-04-01 05:14:58 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-03-19 21:37:51 882 ----a-w- c:\windows\RegSDImport.xml
2010-03-19 21:37:51 879 ----a-w- c:\windows\RegISSImport.xml
2010-03-19 21:37:51 767952 ----a-w- c:\windows\BDTSupport.dll
2010-03-19 21:37:51 149456 ----a-w- c:\windows\SGDetectionTool.dll
2010-03-19 21:37:51 131 ----a-w- c:\windows\IDB.zip
2010-03-19 21:37:50 165840 ----a-w- c:\windows\PCTBDRes.dll
2010-03-19 21:37:50 1652688 ----a-w- c:\windows\PCTBDCore.dll
2010-03-19 21:37:50 1640400 ----a-w- c:\windows\PCTBDCore.dll.old
2010-03-19 21:37:50 1152444 ----a-w- c:\windows\UDB.zip
2010-03-19 21:35:59 7387 ----a-w- c:\windows\system32\drivers\pctgntdi.cat
2010-03-19 21:35:59 233136 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2010-03-19 21:35:51 87784 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2010-03-19 21:35:51 7412 ----a-w- c:\windows\system32\drivers\PCTAppEvent.cat
2010-03-19 21:35:51 7383 ----a-w- c:\windows\system32\drivers\pctcore.cat
2010-03-19 21:35:51 207280 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2010-03-19 21:35:45 7383 ----a-w- c:\windows\system32\drivers\pctplsg.cat
2010-03-19 21:35:45 70408 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2010-03-19 21:35:36 0 d-----w- c:\program files\Spyware Doctor
2010-03-19 21:35:36 0 d-----w- c:\program files\common files\PC Tools
2010-03-19 21:35:36 0 d-----w- c:\docume~1\marcia~1\applic~1\PC Tools
2010-03-19 21:35:36 0 d-----w- c:\docume~1\alluse~1\applic~1\PC Tools
2010-03-19 08:01:29 0 d-----w- c:\program files\Spybot - Search & Destroy
2010-03-19 08:01:29 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2010-03-17 23:57:01 0 d-----w- c:\docume~1\marcia~1\applic~1\IObit
2010-03-17 23:47:44 0 d-----w- c:\docume~1\alluse~1\applic~1\IObit
2010-03-17 23:47:41 0 d-----w- c:\program files\IObit
2010-03-17 18:51:40 47104 ------w- c:\windows\AKDeInstall.exe
2010-03-17 18:51:39 0 d-----w- c:\program files\mpegable
2010-03-17 18:31:30 0 d-----w- c:\docume~1\alluse~1\applic~1\VideoMach

==================== Find3M ====================

2010-04-09 05:35:46 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-02-06 15:28:01 2608 -c--a-w- c:\docume~1\marcia~1\applic~1\wklnhst.dat
2010-01-06 15:35:36 39424 --sha-w- c:\windows\system32\fokitape.dll
2010-01-05 13:30:50 39424 --sha-w- c:\windows\system32\gubebusi.dll
1601-01-01 00:03:28 1 --sha-w- c:\windows\system32\herifolu.dll
1601-01-01 00:03:52 71168 --sha-w- c:\windows\system32\melepoju.dll
2010-01-09 20:41:42 41984 --sha-w- c:\windows\system32\mowukiwe.dll
1601-01-01 00:03:28 1 --sha-w- c:\windows\system32\sugefeso.dll
2010-01-09 20:41:42 94720 --sha-w- c:\windows\system32\vajozesi.dll
2010-01-07 03:34:25 92160 --sha-w- c:\windows\system32\wupijabe.dll
2009-10-16 00:27:05 245760 -csha-w- c:\windows\system32\config\systemprofile\ietldcache\index.dat
2008-10-17 02:58:13 32768 -csha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008101620081017\index.dat

============= FINISH: 2:07:15.51 ===============

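The DDS log above carries the indicators a malware helper looks for in a Virtumonde case: IFEO entries that redirect Microsoft's security tools to svchost.exe, AppInit_DLLs and LSA Notification Packages naming random-looking DLLs, a loopback proxy on 127.0.0.1:5555, and hidden/system DLLs in system32 with zeroed (1601) timestamps. As an added example (not part of the original post and not a DDS or BleepingComputer tool), here is a small Python triage script that parses an excerpt of those lines and flags each indicator; the 8-lowercase-letter name heuristic and the XP baseline of `scecli` as the only legitimate LSA package are assumptions.

```python
import re
from typing import Dict, List

# Constructed excerpt: lines copied from the DDS log above (Pseudo HJT Report
# and Find3M sections), trimmed to the ones the rules below inspect.
SAMPLE_LOG = r"""
uInternet Settings,ProxyServer = http=127.0.0.1:5555
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: {d4119301-7ac7-42fe-aa80-4d340fcd08c8} - melepoju.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [dagugosaze] Rundll32.exe "darejaju.dll",s
mRun: [kulenotul] Rundll32.exe "c:\windows\system32\vajozesi.dll",a
AppInit_DLLs: c:\windows\system32\vajozesi.dll,suzejuta.dll
LSA: Notification Packages = scecli zunohuwu.dll suzejuta.dll
IFEO: MpCmdRun.exe - c:\windows\system32\svchost.exe
IFEO: MsMpEng.exe - c:\windows\system32\svchost.exe
2010-04-09 05:35:46 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-01-06 15:35:36 39424 --sha-w- c:\windows\system32\fokitape.dll
1601-01-01 00:03:52 71168 --sha-w- c:\windows\system32\melepoju.dll
"""

# Assumed heuristic: every dropped DLL in this log has an all-lowercase
# 8-letter name. The lookbehind keeps it from matching the tail of a longer,
# legitimate name such as npgeplugin.dll.
RANDOM_DLL = re.compile(r"(?<![\w.])[a-z]{8}\.dll\b")

# Find3M / "Created Last 30" line layout: date time size attrs path
FIND3M_LINE = re.compile(
    r"^(?P<year>\d{4})-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\s+\d+\s+(?P<attrs>\S+)\s+(?P<path>.+)$"
)

# Assumed baseline for an XP Home workstation: only scecli belongs here.
LSA_BASELINE = {"scecli"}


def triage(log_text: str) -> List[Dict[str, str]]:
    """Return one finding per suspicious indicator in a DDS log excerpt."""
    findings: List[Dict[str, str]] = []

    def flag(rule: str, detail: str, line: str) -> None:
        findings.append({"rule": rule, "detail": detail, "line": line})

    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("IFEO:"):
            # "IFEO: <image> - <debugger>": Windows launches the Debugger value
            # instead of the image. svchost.exe is not a debugger, so the
            # security tool named on the left silently never starts.
            image, _, debugger = line[len("IFEO:"):].partition(" - ")
            if debugger.strip().lower().endswith("\\svchost.exe"):
                flag("ifeo-redirect", image.strip(), line)
        elif line.startswith("AppInit_DLLs:"):
            # Each listed DLL is injected into every process that loads user32.
            for dll in line[len("AppInit_DLLs:"):].split(","):
                flag("appinit-dll", dll.strip(), line)
        elif line.startswith("LSA: Notification Packages"):
            # Packages lsass loads at boot; extras run inside LSASS as SYSTEM.
            for pkg in line.split("=", 1)[1].split():
                if pkg.lower() not in LSA_BASELINE:
                    flag("lsa-package", pkg, line)
        elif "ProxyServer" in line and "127.0.0.1" in line:
            # A loopback proxy means a local process sits between IE and the net.
            flag("loopback-proxy", line.split("=", 1)[1].strip(), line)
        else:
            m = FIND3M_LINE.match(line)
            if m:
                attrs, path = m["attrs"], m["path"]
                if "s" in attrs and "h" in attrs and path.lower().endswith(".dll"):
                    flag("hidden-system-dll", path, line)   # hidden + system
                if m["year"] == "1601":
                    # 1601-01-01 is FILETIME zero: a stomped/zeroed timestamp.
                    flag("zero-timestamp", path, line)
        # Name heuristic applies to every line type.
        for name in RANDOM_DLL.findall(line):
            flag("random-dll-name", name, line)
    return findings


def summarize(findings: List[Dict[str, str]]) -> Dict[str, int]:
    """Count findings per rule."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f["rule"]] = counts.get(f["rule"], 0) + 1
    return counts


def suspicious_names(findings: List[Dict[str, str]]) -> List[str]:
    """Distinct random-looking DLL names, sorted, for cross-referencing."""
    return sorted({f["detail"] for f in findings if f["rule"] == "random-dll-name"})


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for rule, count in sorted(summarize(results).items()):
        print(f"{rule:18} {count}")
    print("review:", ", ".join(suspicious_names(results)))
```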

#2 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,203 posts
  • OFFLINE
  • Gender:Female
  • Location:Romania
  • Local time:03:33 AM

Posted 18 April 2010 - 05:05 AM

Hello, and welcome to the Bleeping Computer Malware Removal Forum. My name is Elise and I'll be glad to help you with your computer problems.


I will be working on your malware issues, this may or may not solve other issues you may have with your machine.

Please note that whatever repairs we make, are for fixing your computer problems only and by no means should be used on another computer.
  • The cleaning process is not instant. Logs can take some time to research, so please be patient with me. I know that you need your computer working as quickly as possible, and I will work hard to help see that happen.
  • Please reply using the Add/Reply button in the lower right hand corner of your screen. Do not start a new topic.
  • The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • Unfortunately, if I do not hear back from you within 5 days, I will be forced to close your topic. If you still need help after I have closed your topic, send me or a moderator a personal message with the address of the thread or feel free to create a new one.
You may want to keep the link to this topic in your favorites. Alternatively, you can click the button at the top bar of this topic and Track this Topic, where you can choose email notifications. The topics you are tracking are shown here.
-----------------------------------------------------------

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

If you have already posted a log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Please download OTL from one of the following mirrors:
  • Save it to your desktop.
  • Double click on the icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the button.
  • Two reports will open, copy and paste them in a reply here:
    • OTListIt.txt <-- Will be opened
    • Extra.txt <-- Will be minimized

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.


  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.

-------------------------------------------------------------
In the meantime please, do NOT install any new programs or update anything unless told to do so while we are fixing your problem

If you still need help, please include the following in your next reply
  • A detailed description of your problems
  • A new OTL log (don't forget extra.txt)
  • GMER log

Thanks and again sorry for the delay.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

Malware analyst @ Emsisoft


#3 aLuffabo

aLuffabo
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  • Local time:07:33 PM

Posted 21 April 2010 - 12:46 AM

Hi there Elise!

I appreciate your response and help...

Well, I performed the scans on the infected computer and pasted the logs into the window, but when I clicked "submit", my IE window said that I was having connection problems. I was wired, not on wireless. I could navigate the internet fine (albeit slowly), so it must have had something to do with the virus not allowing me to send data even though I was connected to the internet.

Since I couldn't reply through the site, I attempted to open my YahooMail account, paste the information in an e-mail sent to that same e-mail address, so that I could open it, copy the logs and try to send it from an uninfected computer. But the same thing happened, when I clicked send on the e-mail, the browser went back to the same "not connected to internet" screen.

So, that's where I'm at! My only other thought to be able to get the logs on here would be to use my jump drive (I think that's what they're called, the little mini data storage things), save the log files onto there so I could open them on this, the uninfected computer. However, I hesitated to do that, for fear of bringing the viruses I have on that computer to this one. I might just be being overly paranoid, but I wanted your opinion either way. So, should I use the jump drive, or do you have another suggestion?

Thank you very much for your time, Elise!

-Brit

#4 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,203 posts
  • OFFLINE
  • Gender:Female
  • Location:Romania
  • Local time:03:33 AM

Posted 21 April 2010 - 05:21 AM

Yes, you can try using a flash drive. You can use Flash Disinfector on your clean computer to prevent spreading any infections.

Please download Flash_Disinfector.exe by sUBs and save it to your desktop.
  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives. Please do so and allow the utility to clean up those drives as well.
  • Hold down the Shift key when inserting the drive until Windows detects it to keep autorun.inf from executing if it is present.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.
Note: As part of its routine, Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive that was plugged in when you ran it. Do not delete this folder...it will help protect your drives from future infection by keeping the autorun file from being installed on the root drive and running other malicious files.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

Malware analyst @ Emsisoft


#5 aLuffabo

aLuffabo
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  • Local time:07:33 PM

Posted 21 April 2010 - 01:28 PM

I couldn't get the Flash Disinfector to run, so I just used the flash drive without it.

Here are the logs:

OTL logfile created on: 4/20/2010 7:11:09 PM - Run 1
OTL by OldTimer - Version 3.2.1.3 Folder = C:\Documents and Settings\Marcia Bennett\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 49.00% Memory free
3.00 Gb Paging File | 2.00 Gb Available in Paging File | 65.00% Paging File free
Paging file location(s): C:\pagefile.sys 1056 2112 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 37.01 Gb Total Space | 12.17 Gb Free Space | 32.88% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: TOSHIBA-USER
Current User Name: Marcia Bennett
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - File not found -- C:\Documents and Settings\Marcia Bennett\Local Settings\Application Data\tuedocveo\veyamjgtssd.exe
PRC - [2010/04/20 19:10:31 | 000,562,176 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Marcia Bennett\Desktop\OTL.exe
PRC - [2010/04/14 11:47:08 | 002,790,472 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast5\AvastUI.exe
PRC - [2010/04/14 11:47:05 | 000,040,384 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
PRC - [2010/03/29 14:54:52 | 002,343,120 | ---- | M] (IObit) -- C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe
PRC - [2009/12/24 17:02:32 | 001,280,272 | ---- | M] (IObit) -- C:\Program Files\IObit\IObit Security 360\is360tray.exe
PRC - [2009/12/24 17:02:30 | 000,311,568 | ---- | M] (IObit) -- C:\Program Files\IObit\IObit Security 360\is360srv.exe
PRC - [2009/03/05 16:07:20 | 002,260,480 | ---- | M] (Safer-Networking Ltd.) -- C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
PRC - [2008/04/13 19:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2006/05/16 23:15:10 | 000,071,288 | ---- | M] (Adobe Systems Incorporated) -- C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
PRC - [2006/03/03 22:03:10 | 000,069,632 | ---- | M] (HP) -- C:\WINDOWS\system32\HPZipm12.exe
PRC - [2005/08/10 13:15:50 | 000,035,328 | ---- | M] (TOSHIBA Corp.) -- C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
PRC - [2005/07/12 20:14:42 | 000,040,960 | ---- | M] () -- c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
PRC - [2005/07/08 02:13:14 | 000,036,864 | ---- | M] () -- C:\WINDOWS\system32\acs.exe
PRC - [2005/01/17 19:38:38 | 000,040,960 | ---- | M] (TOSHIBA CORPORATION) -- C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
PRC - [2004/08/28 03:33:00 | 000,110,592 | ---- | M] (Matsubleepa Electric Industrial Co., Ltd.) -- C:\WINDOWS\system32\DVDRAMSV.exe


========== Modules (SafeList) ==========

MOD - [2099/01/01 12:00:00 | 000,071,168 | -HS- | M] () -- C:\WINDOWS\system32\melepoju.dll
MOD - [2099/01/01 12:00:00 | 000,071,168 | ---- | M] () -- C:\WINDOWS\system32\darejaju.dll
MOD - [2010/04/20 19:10:31 | 000,562,176 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Marcia Bennett\Desktop\OTL.exe
MOD - [2010/01/20 19:06:22 | 000,094,720 | -HS- | M] () -- C:\WINDOWS\system32\fipuyuko.dll


========== Win32 Services (SafeList) ==========

SRV - [2010/04/14 11:47:05 | 000,040,384 | ---- | M] (ALWIL Software) [On_Demand | Running] -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe -- (avast! Web Scanner)
SRV - [2010/04/14 11:47:05 | 000,040,384 | ---- | M] (ALWIL Software) [On_Demand | Running] -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe -- (avast! Mail Scanner)
SRV - [2010/04/14 11:47:05 | 000,040,384 | ---- | M] (ALWIL Software) [Auto | Running] -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe -- (avast! Antivirus)
SRV - [2009/12/24 17:02:30 | 000,311,568 | ---- | M] (IObit) [Auto | Running] -- C:\Program Files\IObit\IObit Security 360\is360srv.exe -- (IS360service)
SRV - [2006/03/03 22:03:10 | 000,069,632 | ---- | M] (HP) [Unknown | Running] -- C:\WINDOWS\system32\HPZipm12.exe -- (Pml Driver HPZ12)
SRV - [2005/08/10 13:15:50 | 000,035,328 | ---- | M] (TOSHIBA Corp.) [Auto | Running] -- C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe -- (TAPPSRV)
SRV - [2005/07/12 20:14:42 | 000,040,960 | ---- | M] () [Auto | Running] -- c:\TOSHIBA\IVP\swupdate\swupdtmr.exe -- (Swupdtmr)
SRV - [2005/07/08 02:13:14 | 000,036,864 | ---- | M] () [Auto | Running] -- C:\WINDOWS\system32\acs.exe -- (ACS)
SRV - [2005/01/17 19:38:38 | 000,040,960 | ---- | M] (TOSHIBA CORPORATION) [Auto | Running] -- C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe -- (CFSvcs)
SRV - [2004/08/28 03:33:00 | 000,110,592 | ---- | M] (Matsushita Electric Industrial Co., Ltd.) [Auto | Running] -- C:\WINDOWS\system32\DVDRAMSV.exe -- (DVD-RAM_Service)


========== Driver Services (SafeList) ==========

DRV - [2010/04/14 11:35:47 | 000,046,672 | ---- | M] (ALWIL Software) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\aswTdi.sys -- (aswTdi)
DRV - [2010/04/14 11:35:25 | 000,162,768 | ---- | M] (ALWIL Software) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\aswSP.sys -- (aswSP)
DRV - [2010/04/14 11:31:39 | 000,023,376 | ---- | M] (ALWIL Software) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\aswRdr.sys -- (aswRdr)
DRV - [2010/04/14 11:31:12 | 000,100,432 | ---- | M] (ALWIL Software) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\aswmon2.sys -- (aswMon2)
DRV - [2010/04/14 11:31:01 | 000,019,024 | ---- | M] (ALWIL Software) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\aswFsBlk.sys -- (aswFsBlk)
DRV - [2010/04/14 11:30:45 | 000,028,880 | ---- | M] (ALWIL Software) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\aavmker4.sys -- (Aavmker4)
DRV - [2008/04/13 13:45:12 | 000,060,032 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\usbaudio.sys -- (usbaudio) USB Audio Driver (WDM)
DRV - [2008/04/13 11:36:05 | 000,144,384 | ---- | M] (Windows ® Server 2003 DDK provider) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\hdaudbus.sys -- (HDAudBus)
DRV - [2005/11/15 19:40:24 | 000,043,264 | ---- | M] (TOSHIBA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\Tvs.sys -- (Tvs)
DRV - [2005/11/15 12:00:22 | 001,122,656 | ---- | M] (Agere Systems) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\AGRSM.sys -- (AgereSoftModem)
DRV - [2005/11/10 19:44:12 | 004,064,256 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\RtkHDAud.Sys -- (IntcAzAudAddService) Service for Realtek HD Audio (WDM)
DRV - [2005/10/20 17:03:42 | 000,006,144 | ---- | M] (Toshiba Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\NBSMI.sys -- (TVALD)
DRV - [2005/09/12 21:08:30 | 000,468,736 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ar5211.sys -- (AR5211)
DRV - [2005/08/24 18:20:28 | 000,009,472 | ---- | M] () [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\tbiosdrv.sys -- (tbiosdrv)
DRV - [2005/08/04 01:10:18 | 001,273,344 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag)
DRV - [2005/08/01 08:10:00 | 000,092,700 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAUDFAM.SYS -- (DLAUDFAM)
DRV - [2005/08/01 08:10:00 | 000,087,004 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAUDF_M.SYS -- (DLAUDF_M)
DRV - [2005/08/01 08:10:00 | 000,086,524 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAIFS_M.SYS -- (DLAIFS_M)
DRV - [2005/08/01 08:10:00 | 000,025,628 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLABOIOM.SYS -- (DLABOIOM)
DRV - [2005/08/01 08:10:00 | 000,014,684 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAOPIOM.SYS -- (DLAOPIOM)
DRV - [2005/08/01 08:10:00 | 000,006,364 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAPoolM.SYS -- (DLAPoolM)
DRV - [2005/08/01 08:10:00 | 000,002,496 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLADResN.SYS -- (DLADResN)
DRV - [2005/07/28 06:30:00 | 000,088,704 | ---- | M] (Sonic Solutions) [Kernel | Boot | Running] -- C:\WINDOWS\System32\Drivers\DRVMCDB.SYS -- (DRVMCDB)
DRV - [2005/07/07 12:03:34 | 000,005,628 | ---- | M] (Sonic Solutions) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\DLACDBHM.SYS -- (DLACDBHM)
DRV - [2005/07/07 12:02:56 | 000,022,684 | ---- | M] (Sonic Solutions) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\DLARTL_N.SYS -- (DLARTL_N)
DRV - [2005/07/07 08:10:00 | 000,040,544 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\DRVNDDM.SYS -- (DRVNDDM)
DRV - [2005/06/02 06:33:00 | 000,102,384 | ---- | M] (Matsushita Electric Industrial Co.,Ltd.) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\meiudf.sys -- (meiudf)
DRV - [2005/03/04 14:10:26 | 000,074,496 | ---- | M] (Realtek Semiconductor Corporation ) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\Rtlnicxp.sys -- (RTL8023xp)
DRV - [2005/01/12 03:05:46 | 000,204,160 | ---- | M] (TOSHIBA CORPORATION) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\KR10N.sys -- (KR10N)
DRV - [2004/10/14 18:14:04 | 000,185,728 | ---- | M] (Synaptics, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\SynTP.sys -- (SynTP)
DRV - [2004/08/03 17:31:34 | 000,020,992 | ---- | M] (Realtek Semiconductor Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\RTL8139.sys -- (rtl8139) Realtek RTL8139(A/B/C)
DRV - [2003/09/19 18:45:48 | 000,021,248 | ---- | M] (Padus, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\pfc.sys -- (pfc)
DRV - [2003/01/29 17:35:00 | 000,012,032 | ---- | M] (TOSHIBA Corporation.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\Netdevio.sys -- (Netdevio)
DRV - [2003/01/10 15:13:04 | 000,033,588 | R--- | M] (America Online, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\wanatw4.sys -- (wanatw) WAN Miniport (ATW)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie


IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.toshibadirect.com/dpdstart
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.toshibadirect.com/dpdstart
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

IE - HKU\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.toshibadirect.com/dpdstart

IE - HKU\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.toshibadirect.com/dpdstart

IE - HKU\S-1-5-21-358494757-3737170480-6948779-1006\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
IE - HKU\S-1-5-21-358494757-3737170480-6948779-1006\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Google
IE - HKU\S-1-5-21-358494757-3737170480-6948779-1006\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://www.google.com/search?q={searchTerm...tf8&oe=utf8
IE - HKU\S-1-5-21-358494757-3737170480-6948779-1006\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://idp.cor.safemls.net/idp/Authn/UserPassword
IE - HKU\S-1-5-21-358494757-3737170480-6948779-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-358494757-3737170480-6948779-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>
IE - HKU\S-1-5-21-358494757-3737170480-6948779-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:5555

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "www.google.com"
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0


FF - HKLM\software\mozilla\Mozilla Firefox 3.6.3\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/04/03 17:14:59 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.3\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/04/03 17:14:59 | 000,000,000 | ---D | M]

[2008/09/03 15:42:59 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Marcia Bennett\Application Data\Mozilla\Extensions
[2010/04/07 23:51:19 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Marcia Bennett\Application Data\Mozilla\Firefox\Profiles\jvvlk4li.default\extensions
[2009/09/02 11:29:28 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\Marcia Bennett\Application Data\Mozilla\Firefox\Profiles\jvvlk4li.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2007/07/03 09:53:56 | 000,002,386 | ---- | M] () -- C:\Documents and Settings\Marcia Bennett\Application Data\Mozilla\Firefox\Profiles\jvvlk4li.default\searchplugins\siteadvisor.xml
[2010/04/07 23:51:19 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions

O1 HOSTS File: ([2004/08/04 07:00:00 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll (Google Inc.)
O2 - BHO: (no name) - {d4119301-7ac7-42fe-aa80-4d340fcd08c8} - File not found
O3 - HKU\S-1-5-21-358494757-3737170480-6948779-1006\..\Toolbar\WebBrowser: (no name) - {472734EA-242A-422B-ADF8-83D1E48CC825} - No CLSID value found.
O3 - HKU\S-1-5-21-358494757-3737170480-6948779-1006\..\Toolbar\WebBrowser: (no name) - {C17590D2-ECB4-4B15-8820-F58798DCC118} - No CLSID value found.
O4 - HKLM..\Run: [avast5] C:\Program Files\Alwil Software\Avast5\AvastUI.exe (ALWIL Software)
O4 - HKLM..\Run: [dagugosaze] File not found
O4 - HKLM..\Run: [IObit Security 360] C:\Program Files\IObit\IObit Security 360\IS360tray.exe (IObit)
O4 - HKLM..\Run: [kulenotul] C:\WINDOWS\System32\vipukeyu.DLL File not found
O4 - HKU\S-1-5-21-358494757-3737170480-6948779-1006..\Run: [Advanced SystemCare 3] C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe (IObit)
O4 - HKU\S-1-5-21-358494757-3737170480-6948779-1006..\Run: [henbagvc] C:\Documents and Settings\Marcia Bennett\Local Settings\Application Data\tuedocveo\veyamjgtssd.exe File not found
O4 - HKU\S-1-5-21-358494757-3737170480-6948779-1006..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (Safer-Networking Ltd.)
O4 - HKU\S-1-5-21-358494757-3737170480-6948779-1006..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil10d.exe (Adobe Systems, Inc.)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Infodelivery present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Main present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\PhishingFilter present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: LinkResolveIgnoreLinkInfo = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoResolveSearch = 1
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-358494757-3737170480-6948779-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 0
O7 - HKU\S-1-5-21-358494757-3737170480-6948779-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: LinkResolveIgnoreLinkInfo = 0
O8 - Extra context menu item: Add to Google Photos Screensa&ver - C:\WINDOWS\System32\GPhotos.scr (Google Inc.)
O9 - Extra 'Tools' menuitem : Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_19)
O16 - DPF: {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab (Java Plug-in 1.5.0_04)
O16 - DPF: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_19)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_19)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://download.macromedia.com/pub/shockwa...ash/swflash.cab (Shockwave Flash Object)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 66.90.130.101 216.82.202.14
O20 - AppInit_DLLs: (suzejuta.dll) - File not found
O20 - AppInit_DLLs: (c:\windows\system32\vipukeyu.dll) - C:\WINDOWS\System32\vipukeyu.dll File not found
O20 - AppInit_DLLs: (c:\windows\system32\fipuyuko.dll) - C:\WINDOWS\system32\fipuyuko.dll ()
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.)
O21 - SSODL: jiyisemod - {d4d1ac56-8b5b-4d83-993c-90584338c446} - CLSID or File not found.
O21 - SSODL: juretapaw - {14405649-2168-47b0-82d3-014204751ef5} - CLSID or File not found.
O21 - SSODL: koposijet - {ba774bc8-827e-4a6f-88c8-046dfd639006} - CLSID or File not found.
O21 - SSODL: kuwuzihid - {686bb6cc-fc8e-487e-a6c5-fc32dc779923} - C:\WINDOWS\system32\fipuyuko.dll ()
O21 - SSODL: zoliwutiv - {9a952a41-ed84-44c3-a65f-d022aab4217f} - CLSID or File not found.
O22 - SharedTaskScheduler: {686bb6cc-fc8e-487e-a6c5-fc32dc779923} - kupuhivus - C:\WINDOWS\system32\fipuyuko.dll ()
O22 - SharedTaskScheduler: {9a952a41-ed84-44c3-a65f-d022aab4217f} - jugezatag - Reg Error: Value error. File not found
O22 - SharedTaskScheduler: {d4d1ac56-8b5b-4d83-993c-90584338c446} - gahurihor - Reg Error: Value error. File not found
O24 - Desktop WallPaper: C:\Documents and Settings\Marcia Bennett\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Marcia Bennett\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O27 - HKLM IFEO\MpCmdRun.exe: Debugger - C:\WINDOWS\system32\svchost.exe (Microsoft Corporation)
O27 - HKLM IFEO\MsMpEng.exe: Debugger - C:\WINDOWS\system32\svchost.exe (Microsoft Corporation)
O27 - HKLM IFEO\msseces.exe: Debugger - C:\WINDOWS\system32\svchost.exe (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2005/11/04 21:30:02 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{2066dec4-8eb0-11db-91e7-0016e30e2402}\Shell - "" = AutoRun
O33 - MountPoints2\{2066dec4-8eb0-11db-91e7-0016e30e2402}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{2066dec4-8eb0-11db-91e7-0016e30e2402}\Shell\AutoRun\command - "" = E:\LaunchU3.exe -- File not found
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKU\.DEFAULT\...exe [@ = secfile] -- "C:\Documents and Settings\NetworkService\Local Settings\Application Data\ave.exe" /START "%1" %* File not found
O37 - HKU\S-1-5-18\...exe [@ = secfile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010/04/20 19:10:30 | 000,562,176 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Marcia Bennett\Desktop\OTL.exe
[2010/04/15 19:28:31 | 000,019,024 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswFsBlk.sys
[2010/04/15 19:28:30 | 000,162,768 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswSP.sys
[2010/04/15 19:28:28 | 000,023,376 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswRdr.sys
[2010/04/15 19:28:26 | 000,046,672 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswTdi.sys
[2010/04/15 19:28:23 | 000,100,432 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswmon2.sys
[2010/04/15 19:28:23 | 000,094,800 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswmon.sys
[2010/04/15 19:28:22 | 000,028,880 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aavmker4.sys
[2010/04/15 19:28:00 | 000,153,184 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\aswBoot.exe
[2010/04/15 19:28:00 | 000,038,848 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\avastSS.scr
[2010/04/15 19:27:53 | 000,000,000 | ---D | C] -- C:\Program Files\Alwil Software
[2010/04/15 19:27:53 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Alwil Software
[2010/04/13 02:10:55 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Marcia Bennett\Desktop\gmer
[2010/04/09 00:58:25 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010/04/08 18:13:44 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Marcia Bennett\Application Data\Malwarebytes
[2010/04/08 17:05:50 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2010/04/05 12:27:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft
[2010/04/04 01:37:28 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Marcia Bennett\Local Settings\Application Data\tuedocveo
[2010/04/01 01:03:01 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Sun
[2010/04/01 01:02:34 | 000,153,376 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe
[2010/04/01 01:02:34 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe
[2010/04/01 01:02:34 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe
[2010/04/01 00:14:58 | 000,411,368 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\deploytk.dll
[2010/04/01 00:14:58 | 000,073,728 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javacpl.cpl
[2010/04/01 00:13:23 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Marcia Bennett\Application Data\Sun
[2010/03/25 13:38:42 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Application Data\AdobeUM
[2010/03/25 13:38:23 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Adobe
[2010/03/24 15:02:30 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Application Data\Sun
[2010/03/22 14:55:01 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\Sun
[2010/03/22 14:55:01 | 000,000,000 | ---D | C] -- C:\WINDOWS\Sun
[2010/03/17 18:42:51 | 000,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Application Data\Microsoft
[2010/03/17 18:42:51 | 000,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Application Data\Microsoft
[2010/03/17 18:42:51 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft
[2010/03/16 15:08:21 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\Macromedia
[2010/03/16 15:08:21 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\Adobe
[2010/03/16 13:34:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Application Data\Adobe
[2010/03/15 22:19:43 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia
[2010/01/06 17:47:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Google
[2009/12/03 18:14:07 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\McAfee
[2009/04/27 08:50:15 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\SACore
[2009/01/02 18:36:33 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Google
[2007/03/11 23:32:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Mozilla
[2007/03/11 23:32:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\Mozilla
[2005/11/04 21:59:49 | 000,053,248 | ---- | C] ( ) -- C:\WINDOWS\System32\DLLVGA.dll
[2005/05/12 00:36:48 | 000,012,288 | ---- | C] (Hewlett-Packard Co.) -- C:\WINDOWS\Fonts\RandFont.dll
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2099/01/01 12:00:00 | 000,000,001 | -HS- | M] () -- C:\WINDOWS\System32\sugefeso.dll
[2099/01/01 12:00:00 | 000,000,001 | -HS- | M] () -- C:\WINDOWS\System32\herifolu.dll
[2010/04/20 20:05:07 | 000,000,296 | ---- | M] () -- C:\WINDOWS\tasks\gbulszyy.job
[2010/04/20 20:00:21 | 000,000,886 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2010/04/20 19:13:14 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/04/20 19:10:31 | 000,562,176 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Marcia Bennett\Desktop\OTL.exe
[2010/04/20 18:48:17 | 000,001,324 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2010/04/20 18:41:27 | 000,000,868 | ---- | M] () -- C:\WINDOWS\tasks\Google Software Updater.job
[2010/04/20 18:33:22 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/04/20 18:33:18 | 2078,527,488 | -HS- | M] () -- C:\hiberfil.sys
[2010/04/20 18:05:46 | 000,001,158 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/04/15 19:51:18 | 005,242,880 | -H-- | M] () -- C:\Documents and Settings\Marcia Bennett\NTUSER.DAT
[2010/04/15 19:51:18 | 000,000,278 | -HS- | M] () -- C:\Documents and Settings\Marcia Bennett\ntuser.ini
[2010/04/15 19:51:15 | 002,205,456 | -H-- | M] () -- C:\Documents and Settings\Marcia Bennett\Local Settings\Application Data\IconCache.db
[2010/04/15 19:43:18 | 000,002,626 | ---- | M] () -- C:\WINDOWS\System32\CONFIG.NT
[2010/04/15 19:37:34 | 000,013,614 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\21a34KM55vORW
[2010/04/15 19:28:32 | 000,001,719 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\avast! Free Antivirus.lnk
[2010/04/15 19:27:19 | 048,417,032 | ---- | M] () -- C:\Documents and Settings\Marcia Bennett\Desktop\setup_av_free.exe
[2010/04/15 19:12:58 | 000,000,882 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2010/04/15 19:12:36 | 000,000,396 | ---- | M] () -- C:\WINDOWS\tasks\Registry Reviver-Marcia Bennett-Startup.job
[2010/04/14 11:47:23 | 000,038,848 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\avastSS.scr
[2010/04/14 11:47:03 | 000,153,184 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\aswBoot.exe
[2010/04/14 11:35:47 | 000,046,672 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswTdi.sys
[2010/04/14 11:35:25 | 000,162,768 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswSP.sys
[2010/04/14 11:31:39 | 000,023,376 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswRdr.sys
[2010/04/14 11:31:12 | 000,100,432 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswmon2.sys
[2010/04/14 11:31:09 | 000,094,800 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswmon.sys
[2010/04/14 11:31:01 | 000,019,024 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswFsBlk.sys
[2010/04/14 11:30:45 | 000,028,880 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aavmker4.sys
[2010/04/13 02:10:27 | 000,284,915 | ---- | M] () -- C:\Documents and Settings\Marcia Bennett\Desktop\gmer.zip
[2010/04/13 02:03:27 | 000,525,824 | ---- | M] () -- C:\Documents and Settings\Marcia Bennett\Desktop\dds.scr
[2010/04/13 02:02:35 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\Marcia Bennett\defogger_reenable
[2010/04/08 16:58:25 | 000,363,520 | ---- | M] () -- C:\Documents and Settings\Marcia Bennett\Desktop\rkill.com
[2010/04/08 16:08:45 | 000,075,384 | ---- | M] () -- C:\Documents and Settings\Marcia Bennett\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
[2010/04/06 10:45:15 | 000,001,276 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\3Yfi
[2010/04/03 20:12:39 | 000,000,926 | -HS- | M] () -- C:\Documents and Settings\Marcia Bennett\Local Settings\Application Data\8s32
[2010/04/03 20:12:39 | 000,000,926 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\8s32
[2010/04/02 17:24:08 | 000,001,352 | -HS- | M] () -- C:\Documents and Settings\Marcia Bennett\Local Settings\Application Data\Wv7V1mEL4UH
[2010/04/02 17:24:08 | 000,001,352 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\Wv7V1mEL4UH
[2010/04/01 20:36:49 | 000,000,487 | ---- | M] () -- C:\WINDOWS\wininit.ini
[2010/04/01 18:45:50 | 000,000,952 | ---- | M] () -- C:\Documents and Settings\Marcia Bennett\Desktop\Spybot - Search & Destroy.lnk
[2010/04/01 18:08:15 | 000,001,130 | -HS- | M] () -- C:\Documents and Settings\Marcia Bennett\Local Settings\Application Data\8Cq4r
[2010/04/01 18:08:15 | 000,001,130 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\8Cq4r
[2010/04/01 16:04:42 | 000,001,008 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\6qL6O1xRNm5
[2010/04/01 11:07:49 | 000,267,008 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2010/03/31 16:39:05 | 000,000,566 | ---- | M] () -- C:\WINDOWS\win.ini
[2010/03/30 19:59:03 | 001,022,345 | ---- | M] () -- C:\Documents and Settings\Marcia Bennett\Desktop\topsecretrecipes1.pdf
[2010/03/29 14:12:07 | 000,000,924 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\N8t8HBsW
[2010/03/27 12:05:38 | 000,001,100 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\PqdPe6YoKQ5
[2010/03/24 20:49:49 | 000,096,512 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\atapi.sys
[2010/03/24 15:03:07 | 000,001,100 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\8VoB3
[2010/03/22 14:49:20 | 000,001,276 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\VH56DJI7u87yo
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2099/01/01 12:00:00 | 000,000,001 | -HS- | C] () -- C:\WINDOWS\System32\sugefeso.dll
[2099/01/01 12:00:00 | 000,000,001 | -HS- | C] () -- C:\WINDOWS\System32\herifolu.dll
[2010/04/20 19:06:24 | 000,000,296 | ---- | C] () -- C:\WINDOWS\tasks\gbulszyy.job
[2010/04/20 18:05:40 | 2078,527,488 | -HS- | C] () -- C:\hiberfil.sys
[2010/04/15 19:35:38 | 000,013,614 | -HS- | C] () -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\21a34KM55vORW
[2010/04/15 19:35:38 | 000,013,614 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\21a34KM55vORW
[2010/04/15 19:28:32 | 000,001,719 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\avast! Free Antivirus.lnk
[2010/04/15 19:27:19 | 048,417,032 | ---- | C] () -- C:\Documents and Settings\Marcia Bennett\Desktop\setup_av_free.exe
[2010/04/13 02:10:27 | 000,284,915 | ---- | C] () -- C:\Documents and Settings\Marcia Bennett\Desktop\gmer.zip
[2010/04/13 02:03:27 | 000,525,824 | ---- | C] () -- C:\Documents and Settings\Marcia Bennett\Desktop\dds.scr
[2010/04/13 02:02:35 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Marcia Bennett\defogger_reenable
[2010/04/08 17:01:06 | 000,363,520 | ---- | C] () -- C:\Documents and Settings\Marcia Bennett\Desktop\rkill.com
[2010/04/06 10:45:14 | 000,001,276 | -HS- | C] () -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\3Yfi
[2010/04/06 10:45:14 | 000,001,276 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\3Yfi
[2010/04/03 20:12:39 | 000,000,926 | -HS- | C] () -- C:\Documents and Settings\Marcia Bennett\Local Settings\Application Data\8s32
[2010/04/03 17:35:29 | 000,000,926 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\8s32
[2010/04/03 17:35:29 | 000,000,872 | -HS- | C] () -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\8s32
[2010/04/02 17:24:07 | 000,001,352 | -HS- | C] () -- C:\Documents and Settings\Marcia Bennett\Local Settings\Application Data\Wv7V1mEL4UH
[2010/04/02 17:24:07 | 000,001,352 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\Wv7V1mEL4UH
[2010/04/01 18:45:50 | 000,000,952 | ---- | C] () -- C:\Documents and Settings\Marcia Bennett\Desktop\Spybot - Search & Destroy.lnk
[2010/04/01 18:08:14 | 000,001,130 | -HS- | C] () -- C:\Documents and Settings\Marcia Bennett\Local Settings\Application Data\8Cq4r
[2010/04/01 18:08:14 | 000,001,130 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\8Cq4r
[2010/04/01 18:08:07 | 000,201,216 | -HS- | C] () -- C:\Documents and Settings\Marcia Bennett\Local Settings\Application Data\MSASCui.exe
[2010/04/01 16:04:40 | 000,001,008 | -HS- | C] () -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\6qL6O1xRNm5
[2010/04/01 16:04:40 | 000,001,008 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\6qL6O1xRNm5
[2010/04/01 16:04:04 | 000,001,324 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2010/03/30 19:59:01 | 001,022,345 | ---- | C] () -- C:\Documents and Settings\Marcia Bennett\Desktop\topsecretrecipes1.pdf
[2010/03/29 14:12:06 | 000,000,924 | -HS- | C] () -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\N8t8HBsW
[2010/03/29 14:12:06 | 000,000,924 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\N8t8HBsW
[2010/03/27 12:05:37 | 000,001,100 | -HS- | C] () -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\PqdPe6YoKQ5
[2010/03/27 12:05:37 | 000,001,100 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\PqdPe6YoKQ5
[2010/03/24 15:03:18 | 000,201,728 | -HS- | C] () -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\vma.exe
[2010/03/24 15:03:07 | 000,001,100 | -HS- | C] () -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\8VoB3
[2010/03/24 15:03:07 | 000,001,100 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\8VoB3
[2010/03/24 15:03:04 | 000,197,632 | -HS- | C] () -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\MSASCui.exe
[2010/03/22 14:49:20 | 000,001,276 | -HS- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\VH56DJI7u87yo
[2010/03/22 14:49:20 | 000,001,276 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\VH56DJI7u87yo
[2010/03/22 14:49:19 | 000,201,728 | -HS- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\MSASCui.exe
[2010/03/19 03:01:44 | 000,001,024 | -H-- | C] () -- C:\Documents and Settings\All Users\ntuser.dat.LOG
[2010/03/16 09:56:01 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Marcia Bennett\Local Settings\Application Data\prvlcl.dat
[2010/01/20 19:06:22 | 000,094,720 | -HS- | C] () -- C:\WINDOWS\System32\fipuyuko.dll
[2010/01/20 19:06:22 | 000,064,512 | -HS- | C] () -- C:\WINDOWS\System32\filoloye.dll
[2010/01/20 19:06:22 | 000,041,984 | -HS- | C] () -- C:\WINDOWS\System32\sivuvaje.dll
[2010/01/13 02:57:55 | 000,041,472 | -HS- | C] () -- C:\WINDOWS\System32\goradoja.dll
[2010/01/09 15:41:42 | 000,041,984 | -HS- | C] () -- C:\WINDOWS\System32\mowukiwe.dll
[2010/01/06 22:34:25 | 000,092,160 | -HS- | C] () -- C:\WINDOWS\System32\wupijabe.dll
[2010/01/06 10:35:36 | 000,039,424 | -HS- | C] () -- C:\WINDOWS\System32\fokitape.dll
[2010/01/05 08:30:50 | 000,039,424 | -HS- | C] () -- C:\WINDOWS\System32\gubebusi.dll
[2007/12/19 22:58:02 | 000,001,356 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache
[2007/04/10 07:55:04 | 000,000,000 | ---- | C] () -- C:\WINDOWS\hpqEmlSz.INI
[2007/04/07 14:07:44 | 000,081,920 | ---- | C] () -- C:\WINDOWS\System32\emfxp.dll
[2007/01/01 18:45:36 | 000,000,227 | ---- | C] () -- C:\WINDOWS\HP_CounterReport_Update_HPSU.ini
[2007/01/01 18:43:12 | 000,000,214 | ---- | C] () -- C:\WINDOWS\HP_48BitScanUpdatePatch.ini
[2007/01/01 18:43:01 | 000,000,234 | ---- | C] () -- C:\WINDOWS\PrnHlpLogConfig.ini
[2007/01/01 18:41:59 | 000,000,214 | ---- | C] () -- C:\WINDOWS\HP_InstantSHareJPG.ini
[2007/01/01 18:41:18 | 000,000,217 | ---- | C] () -- C:\WINDOWS\HP_IZClosingDiscErrorPatch.ini
[2007/01/01 18:29:58 | 000,000,221 | ---- | C] () -- C:\WINDOWS\HP_RedboxHprblog_HPSU.ini
[2006/12/30 13:01:31 | 000,008,704 | ---- | C] () -- C:\Documents and Settings\Marcia Bennett\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2006/12/21 12:37:25 | 000,077,824 | R--- | C] () -- C:\WINDOWS\System32\hpzids01.dll
[2006/11/19 01:36:12 | 000,000,000 | ---- | C] () -- C:\WINDOWS\iPlayer.INI
[2006/10/14 22:31:48 | 000,797,238 | ---- | C] () -- C:\Documents and Settings\Marcia Bennett\Desktop(2)
[2006/05/11 21:00:25 | 000,002,608 | ---- | C] () -- C:\Documents and Settings\Marcia Bennett\Application Data\wklnhst.dat
[2006/05/09 20:18:45 | 000,000,924 | ---- | C] () -- C:\WINDOWS\MAXLINK.INI
[2006/05/08 23:53:55 | 000,000,047 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2006/05/08 23:13:18 | 000,000,002 | ---- | C] () -- C:\WINDOWS\msoffice.ini
[2006/05/08 22:09:32 | 000,000,137 | ---- | C] () -- C:\Documents and Settings\Marcia Bennett\Local Settings\Application Data\fusioncache.dat
[2006/05/08 22:09:31 | 005,242,880 | -H-- | C] () -- C:\Documents and Settings\Marcia Bennett\NTUSER.DAT
[2006/05/08 22:09:31 | 000,040,960 | -H-- | C] () -- C:\Documents and Settings\Marcia Bennett\ntuser.dat.LOG
[2006/05/08 22:09:31 | 000,000,278 | -HS- | C] () -- C:\Documents and Settings\Marcia Bennett\ntuser.ini
[2006/05/08 22:09:13 | 000,262,144 | ---- | C] () -- C:\Documents and Settings\All Users\NTUSER.DAT
[2005/12/21 20:04:48 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2005/11/30 18:16:05 | 000,128,113 | ---- | C] () -- C:\WINDOWS\System32\csellang.ini
[2005/11/30 18:16:05 | 000,045,056 | ---- | C] () -- C:\WINDOWS\System32\csellang.dll
[2005/11/30 18:16:05 | 000,010,165 | ---- | C] () -- C:\WINDOWS\System32\tosmreg.ini
[2005/11/30 18:16:05 | 000,007,671 | ---- | C] () -- C:\WINDOWS\System32\cseltbl.ini
[2005/11/29 17:52:15 | 000,029,184 | ---- | C] () -- C:\WINDOWS\System32\drivers\TSXT_kern_i386.sys
[2005/11/29 17:22:08 | 000,135,168 | ---- | C] () -- C:\WINDOWS\System32\RtlCPAPI.dll
[2005/11/07 12:00:07 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2005/11/07 11:27:47 | 000,000,012 | ---- | C] () -- C:\WINDOWS\dirsaver.ini
[2005/11/04 23:07:42 | 000,000,487 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2005/11/04 23:03:51 | 000,204,800 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeW7.dll
[2005/11/04 23:03:51 | 000,200,704 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeA6.dll
[2005/11/04 23:03:51 | 000,192,512 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeP6.dll
[2005/11/04 23:03:51 | 000,192,512 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeM6.dll
[2005/11/04 23:03:51 | 000,188,416 | ---- | C] () -- C:\WINDOWS\System32\IVIresizePX.dll
[2005/11/04 23:03:51 | 000,020,480 | ---- | C] () -- C:\WINDOWS\System32\IVIresize.dll
[2005/11/04 22:31:32 | 000,036,736 | ---- | C] () -- C:\WINDOWS\System32\drivers\CSIIDecoder_kern_i386.sys
[2005/11/04 22:27:54 | 000,000,000 | ---- | C] () -- C:\WINDOWS\NDSTray.INI
[2005/11/04 21:59:49 | 000,118,784 | ---- | C] () -- C:\WINDOWS\System32\TCtrlIO.dll
[2005/11/04 21:26:52 | 000,001,793 | ---- | C] () -- C:\WINDOWS\System32\fxsperf.ini
[2005/11/04 19:56:25 | 000,000,341 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.INI
[2005/08/24 18:20:28 | 000,009,472 | ---- | C] () -- C:\WINDOWS\System32\drivers\tbiosdrv.sys
[2001/10/24 18:00:40 | 000,524,288 | ---- | C] () -- C:\WINDOWS\System32\TDI-SonyOMG.dll
[2001/07/06 16:30:00 | 000,003,399 | ---- | C] () -- C:\WINDOWS\System32\hptcpmon.ini
[1999/01/22 13:46:58 | 000,065,536 | ---- | C] () -- C:\WINDOWS\System32\MSRTEDIT.DLL
[1998/01/12 03:00:00 | 000,040,448 | ---- | C] () -- C:\WINDOWS\System32\REGOBJ.DLL

========== Alternate Data Streams ==========

@Alternate Data Stream - 173 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2
@Alternate Data Stream - 109 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:A8ADE5D8
< End of report >

OTL Extras logfile created on: 4/20/2010 7:11:10 PM - Run 1
OTL by OldTimer - Version 3.2.1.3 Folder = C:\Documents and Settings\Marcia Bennett\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 49.00% Memory free
3.00 Gb Paging File | 2.00 Gb Available in Paging File | 65.00% Paging File free
Paging file location(s): C:\pagefile.sys 1056 2112 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 37.01 Gb Total Space | 12.17 Gb Free Space | 32.88% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: TOSHIBA-USER
Current User Name: Marcia Bennett
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

[HKEY_USERS\.DEFAULT\SOFTWARE\Classes\<extension>]

[HKEY_USERS\S-1-5-18\SOFTWARE\Classes\<extension>]

[HKEY_USERS\S-1-5-21-358494757-3737170480-6948779-1006\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- Reg Error: Key error.
htmlfile [print] -- Reg Error: Key error.
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 1
"FirewallDisableNotify" = 1
"UpdatesDisableNotify" = 1
"AntiVirusOverride" = 1
"FirewallOverride" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 0
"DoNotAllowExceptions" = 0
"DisableNotifications" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0
"DisableNotifications" = 1
"DoNotAllowExceptions" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22008
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\TOSHIBA\ivp\NetInt\Netint.exe" = C:\TOSHIBA\ivp\NetInt\Netint.exe:*:Enabled:NIE - Toshiba Software Upgrade Engine -- (TOSHIBA Corporation)
"C:\TOSHIBA\Ivp\ISM\pinger.exe" = C:\TOSHIBA\IVP\ISM\pinger.exe:*:Enabled:Toshiba Software Upgrades Pinger -- (TOSHIBA Corporation)
"C:\Program Files\Common Files\AOL\Loader\aolload.exe" = C:\Program Files\Common Files\AOL\Loader\aolload.exe:*:Enabled:AOL Application Loader -- (America Online, Inc.)
"D:\Setup.exe" = D:\Setup.exe:*:Enabled:Setup -- File not found
"C:\Program Files\HP\Digital Imaging\bin\hpofxm08.exe" = C:\Program Files\HP\Digital Imaging\bin\hpofxm08.exe:*:Enabled:hpofxm08.exe -- File not found
"C:\Program Files\HP\Digital Imaging\bin\hposfx08.exe" = C:\Program Files\HP\Digital Imaging\bin\hposfx08.exe:*:Enabled:hposfx08.exe -- File not found
"C:\Program Files\HP\Digital Imaging\bin\hposid01.exe" = C:\Program Files\HP\Digital Imaging\bin\hposid01.exe:*:Enabled:hposid01.exe -- File not found
"C:\Program Files\HP\Digital Imaging\bin\hpqCopy.exe" = C:\Program Files\HP\Digital Imaging\bin\hpqCopy.exe:*:Enabled:hpqcopy.exe -- File not found
"C:\Program Files\HP\Digital Imaging\bin\hpzwiz01.exe" = C:\Program Files\HP\Digital Imaging\bin\hpzwiz01.exe:*:Enabled:hpzwiz01.exe -- File not found
"C:\Program Files\HP\Digital Imaging\bin\hpoews01.exe" = C:\Program Files\HP\Digital Imaging\bin\hpoews01.exe:*:Enabled:hpoews01.exe -- File not found
"C:\Program Files\LimeWire\LimeWire.exe" = C:\Program Files\LimeWire\LimeWire.exe:*:Enabled:LimeWire -- (Lime Wire, LLC)
"C:\Program Files\iTunes\iTunes.exe" = C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes -- (Apple Inc.)
"C:\Program Files\HP\Digital Imaging\bin\hpfccopy.exe" = C:\Program Files\HP\Digital Imaging\bin\hpfccopy.exe:*:Enabled:hpfccopy.exe -- (Hewlett-Packard)
"C:\Program Files\HP\Digital Imaging\Unload\HpqPhUnl.exe" = C:\Program Files\HP\Digital Imaging\Unload\HpqPhUnl.exe:*:Enabled:hpqphunl.exe -- ()
"C:\Program Files\HP\Digital Imaging\Unload\HpqDIA.exe" = C:\Program Files\HP\Digital Imaging\Unload\HpqDIA.exe:*:Enabled:hpqdia.exe -- ( )


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{00010409-78E1-11D2-B60F-006097C998E7}" = Microsoft Office 2000 Professional
"{00030409-78E1-11D2-B60F-006097C998E7}" = Microsoft Office 2000 Small Business
"{00040409-78E1-11D2-B60F-006097C998E7}" = Microsoft Office 2000 Disc 2
"{03B1B42B-F6DE-41d9-8CFF-DC44E895C7A7}" = PhotoGallery
"{05832D65-6EDB-4D32-BA78-BCD0E2B91C02}" = Atheros Wireless LAN MiniPCI card Driver
"{0611BD4E-4FE4-4a62-B0C0-18A4CC463428}" = CP_Package_Variety1
"{076E4577-D2B7-472D-BB49-1F3075B6305C}" = SpanishNow!
"{09984AEC-6B9F-4ca7-B78D-CB44D4771DA3}" = Destinations
"{0BEDBD4E-2D34-47B5-9973-57E62B29307C}" = ATI Control Panel
"{1206EF92-2E83-4859-ACCB-2048C3CB7DA6}" = Sonic DLA
"{12B3A009-A080-4619-9A2A-C6DB151D8D67}" = TOSHIBA Assist
"{13F3917B56CD4C25848BDC69916971BB}" = DivX Converter
"{15EE79F4-4ED1-4267-9B0F-351009325D7D}" = HP Software Update
"{172975EB-9465-4861-95B5-C7BB6D3DE62A}" = DocumentViewer
"{18D10072035C4515918F7E37EAFAACFC}" = AutoUpdate
"{1C139D7D-9FEA-468d-A9C8-2A6E3BDE564A}" = CP_Package_Variety3
"{21DB3D90-D816-4092-A260-CA3F6B55A6DD}" = Sonic_PrimoSDK
"{23A7B376-BBEC-4e76-BBD7-0F155E70D74B}" = CP_Panorama1Config
"{26A24AE4-039D-4CA4-87B4-2F83216016FF}" = Java™ 6 Update 19
"{29D851C2-048C-4B5E-8D1F-25D473342BB5}" = ScanSoft OmniPage SE 4.0
"{2CADCEAB-D5DA-44D6-B5FC-7DEE87AB3C0C}" = Unload
"{2F7D3BAF-D9B9-4330-9548-25D5964E9FFF}" = EnterpriseNPI
"{30C19FF2-7FBA-4d09-B9DE-1659977F64F6}" = TrayApp
"{3248F0A8-6813-11D6-A77B-00B0D0150040}" = J2SE Runtime Environment 5.0 Update 4
"{32BDCCB8-9DC8-496d-9DB1-F77510775BDB}" = InstantShareDevices
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{36E47DA1-10E1-45d9-8B19-14D19607CDCF}" = CP_CalendarTemplates1
"{3A316611-45D1-429C-AA26-B71259C44689}" = HP Photosmart and Officejet 7.0.A Corporate Edition
"{3FC7CBBC4C1E11DCA1A752EA55D89593}" = DivX Version Checker
"{425A2BC2-AA64-4107-9C29-484245BBEA05}" = TOSHIBA Software Upgrades
"{44734179-8A79-4DEE-BB08-73037F065543}" = Apple Mobile Device Support
"{47BF1BD6-DCAC-468F-A0AD-E5DECC2211C3}" = Bonjour
"{47D2103B-FD51-4017-9C20-DD408B17D726}" = Office 2003 Trial Assistant
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{53EE9E42-CECB-4C92-BF76-9CA65DAF8F1C}" = FullDPAppQFolder
"{56EE8B17-8274-418d-89AC-C057C5DB251E}" = RandMap
"{56F8AFC3-FA98-4ff1-9673-8A026CBF85BE}" = WebReg
"{5A01C58E-B0EC-49b9-AD71-7C0468688087}" = CP_Package_Basic1
"{5B622B7A-60FB-4630-B11D-F121D20BCCD6}" = MarketResearch
"{5EE7D259-D137-4438-9A5F-42F432EC0421}" = VC80CRTRedist - 8.0.50727.4053
"{5F26311C-B135-4F7F-B11E-8E650F83651E}" = DeviceFunctionQFolder
"{64212898-097F-4F3F-AECA-6D34A7EF82DF}" = TOSHIBA Zooming Utility
"{64DD71BC-3109-4C88-9AD3-D5422644B722}" = TOSHIBA Hotkey Utility
"{66BA8C26-AFE4-4408-807B-43E76B57EF53}" = SkinsHP1
"{66E6CE0C-5A1E-430C-B40A-0C90FF1804A8}" = eSupportQFolder
"{6815FCDD-401D-481E-BA88-31B4754C2B46}" = Macromedia Flash Player 8
"{6BB6627C-694F-4FDC-A3E5-C7F4BED4C724}" = DocProc
"{6D52C408-B09A-4520-9B18-475B81D393F1}" = Microsoft Works
"{6F1974D6-4249-43B6-88B0-9A9B8A33956C}" = OpenMG Secure Module 4.0.00
"{6F5E2F4A-377D-4700-B0E3-8F7F7507EA15}" = CustomerResearchQFolder
"{71D658CF-4E0D-4DA8-AA67-8C0B6F1C01FE}" = Atheros Client Utility
"{71D6CE84-B7DC-4166-8E0D-56C1C37BFB5A}" = SonicStage
"{78C68CB9-3DF5-44F3-AB9D-FA305C5EB85C}" = TOSHIBA Utilities
"{79D5997E-BF79-48BB-8B41-9BE59C15C2D7}" = OmniPage SE 2.0
"{7B63B2922B174135AFC0E1377DD81EC2}" = DivX Codec
"{7C03270C-4FAB-4F5C-B10D-52FEDA190790}" = DocumentViewerQFolder
"{80FD852F-5AAC-4129-B931-06AAFFA43138}" = iTunes
"{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable
"{85309D89-7BE9-4094-BB17-24999C6118FC}" = ArcSoft PhotoStudio 5.5
"{8ADFC4160D694100B5B8A22DE9DCABD9}" = DivX Player
"{8B12BA86-ADAC-4BA6-B441-FFC591087252}" = TOSHIBA Virtual Sound
"{8C6027FD-53DC-446D-BB75-CACD7028A134}" = HP Update
"{91810AFC-A4F8-4EBA-A5AA-B198BBC81144}" = InterVideo WinDVD for TOSHIBA
"{94FB906A-CF42-4128-A509-D353026A607E}" = REALTEK Gigabit and Fast Ethernet NIC Driver
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{9D765FA6-F2BC-40AF-8145-50808F9BDF4E}" = DVD-RAM Driver
"{9FE35071-CAB2-4E79-93E7-BFC6A2DC5C5D}" = CD/DVD Drive Acoustic Silencer
"{A195B13E-A5E3-4BAF-A995-7F70F445CD06}" = ScannerCopy
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A5BB5365-EFB4-44c3-A7E2-EB59B7EFD23D}" = CueTour
"{A6690C0E-B96E-4F0F-A8EB-D5B332454AC6}" = TOSHIBA Controls
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{A96E97134CA649888820BCDE5E300BBD}" = H.264 Decoder
"{AAC389499AEF40428987B3D30CFC76C9}" = MKV Splitter
"{AB5D51AE-EBC3-438D-872C-705C7C2084B0}" = DeviceManagementQFolder
"{AC76BA86-7AD7-1033-7B44-A71000000002}" = Adobe Reader 7.1.0
"{AEF9DC35ADDF4825B049ACBFD1C6EB37}" = AAC Decoder
"{B13A7C41581B411290FBC0395694E2A9}" = DivX Converter
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
"{B4D279F1-4309-49cc-A4B5-3A0D2E59C7B5}" = PanoStandAlone
"{B7050CBDB2504B34BC2A9CA0A692CC29}" = DivX Plus Web Player
"{B74F042E-E1B9-4A5B-8D46-387BB172F0A4}" = Apple Software Update
"{B824B5C9-849F-4b9e-9EA7-6FD8CD8116DA}" = CP_Package_Variety2
"{B996AE66-10DB-4ac5-B151-E8B4BFBC42FC}" = BufferChm
"{BDD83DC9-BEE9-4654-A5DA-CC46C250088D}" = TOSHIBA ConfigFree
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C8753E28-2680-49BF-BD48-DD38FD086EFE}" = AiO_Scan_CDA
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{E3F90083-80D4-4b5a-87C7-E97E12F5516D}" = HPProductAssistant
"{EA103B64-C0E4-4C0E-A506-751590E1653D}" = SolutionCenter
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{F3760724-B29D-465B-BC53-E5D72095BCC4}" = Scan
"{F4C2E5F5-2970-45f4-ABD3-C180C4D961C4}" = Status
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Advanced SystemCare 3_is1" = Advanced SystemCare 3
"All ATI Software" = ATI - Software Uninstall Utility
"ATI Display Driver" = ATI Display Driver
"avast5" = avast! Free Antivirus
"DivX Plus DirectShow Filters" = DivX Plus DirectShow Filters
"Google Updater" = Google Updater
"HP Document Viewer" = HP Document Viewer 5.3
"HP Imaging Device Functions" = HP Imaging Device Functions 5.3
"HP Photo & Imaging" = HP Image Zone 5.3
"HP Solution Center & Imaging Support Tools" = HP Solution Center & Imaging Support Tools 5.3
"HPExtendedCapabilities" = HP Extended Capabilities 5.3
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"ie8" = Windows Internet Explorer 8
"InstallShield_{6F1974D6-4249-43B6-88B0-9A9B8A33956C}" = OpenMG Secure Module 4.0.00
"IObit Security 360_is1" = IObit Security 360
"IrfanView" = IrfanView (remove only)
"LimeWire" = LimeWire 4.14.12
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Mozilla Firefox (3.6.3)" = Mozilla Firefox (3.6.3)
"mpegable DS" = mpegable DS decoder
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"PC Diagnostic Tool" = TOSHIBA PC Diagnostic Tool
"Picasa 3" = Picasa 3
"sat_screensaver_30mb.scr" = sat_screensaver_30mb
"SynTPDeinstKey" = Synaptics Pointing Device Driver
"TOSHIBA Software Modem" = TOSHIBA Software Modem
"ViewpointMediaPlayer" = Viewpoint Media Player
"WILLPower" = WILLPower v6
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 3
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 4/15/2010 8:21:58 PM | Computer Name = TOSHIBA-USER | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: The connection with the server was terminated abnormally

Error - 4/15/2010 8:21:59 PM | Computer Name = TOSHIBA-USER | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This network connection does not exist.

Error - 4/15/2010 8:28:23 PM | Computer Name = TOSHIBA-USER | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: The connection with the server was terminated abnormally

Error - 4/15/2010 8:28:25 PM | Computer Name = TOSHIBA-USER | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This network connection does not exist.

Error - 4/15/2010 8:44:13 PM | Computer Name = TOSHIBA-USER | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: The connection with the server was terminated abnormally

Error - 4/15/2010 8:44:13 PM | Computer Name = TOSHIBA-USER | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This network connection does not exist.

Error - 4/20/2010 7:42:10 PM | Computer Name = TOSHIBA-USER | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: The connection with the server was terminated abnormally

Error - 4/20/2010 7:42:11 PM | Computer Name = TOSHIBA-USER | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This network connection does not exist.

Error - 4/20/2010 8:19:53 PM | Computer Name = TOSHIBA-USER | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: The connection with the server was terminated abnormally

Error - 4/20/2010 8:19:57 PM | Computer Name = TOSHIBA-USER | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This network connection does not exist.

[ System Events ]
Error - 4/1/2010 2:06:14 AM | Computer Name = TOSHIBA-USER | Source = Service Control Manager | ID = 7023
Description = The Application Management service terminated with the following error:
%%126

Error - 4/1/2010 2:06:14 AM | Computer Name = TOSHIBA-USER | Source = Service Control Manager | ID = 7023
Description = The Application Management service terminated with the following error:
%%126

Error - 4/1/2010 2:06:15 AM | Computer Name = TOSHIBA-USER | Source = Service Control Manager | ID = 7023
Description = The Application Management service terminated with the following error:
%%126

Error - 4/1/2010 2:06:15 AM | Computer Name = TOSHIBA-USER | Source = Service Control Manager | ID = 7023
Description = The Application Management service terminated with the following error:
%%126

Error - 4/1/2010 2:06:15 AM | Computer Name = TOSHIBA-USER | Source = Service Control Manager | ID = 7023
Description = The Application Management service terminated with the following error:
%%126

Error - 4/1/2010 4:44:48 PM | Computer Name = TOSHIBA-USER | Source = Dhcp | ID = 1002
Description = The IP address lease 66.90.212.101 for the Network Card with network
address 00A0D1380622 has been denied by the DHCP server 192.168.100.1 (The DHCP
Server sent a DHCPNACK message).

Error - 4/1/2010 4:45:10 PM | Computer Name = TOSHIBA-USER | Source = Dhcp | ID = 1002
Description = The IP address lease 192.168.100.11 for the Network Card with network
address 00A0D1380622 has been denied by the DHCP server 192.168.100.1 (The DHCP
Server sent a DHCPNACK message).

Error - 4/2/2010 1:06:24 PM | Computer Name = TOSHIBA-USER | Source = Ftdisk | ID = 262189
Description = The system could not sucessfully load the crash dump driver.

Error - 4/4/2010 2:38:15 AM | Computer Name = TOSHIBA-USER | Source = Service Control Manager | ID = 7032
Description = The Service Control Manager tried to take a corrective action (Restart
the service) after the unexpected termination of the Windows Management Instrumentation
service, but this action failed with the following error: %%1056

Error - 4/4/2010 8:06:29 PM | Computer Name = TOSHIBA-USER | Source = Ftdisk | ID = 262189
Description = The system could not sucessfully load the crash dump driver.


< End of report >

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-04-21 00:11:13
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\MARCIA~1\LOCALS~1\Temp\awliyfob.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwClose [0xB2715C08]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateKey [0xB2715AC4]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDeleteKey [0xB2716078]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDeleteValueKey [0xB2715FA2]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDuplicateObject [0xB271569A]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenKey [0xB2715B9E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenProcess [0xB27155DA]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenThread [0xB271563E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwQueryValueKey [0xB2715CBE]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRenameKey [0xB2716146]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRestoreKey [0xB2715C7E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwSetValueKey [0xB2715DFE]

Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateProcessEx [0xB272250A]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateSection [0xB272232E]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwLoadDriver [0xB2722468]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) NtCreateSection
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ObInsertObject
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ObMakeTemporaryObject

---- Kernel code sections - GMER 1.0.15 ----

PAGE ntoskrnl.exe!ObInsertObject 8056503A 5 Bytes JMP B271F97E \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
PAGE ntoskrnl.exe!NtCreateSection 805652B3 7 Bytes JMP B2722332 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
PAGE ntoskrnl.exe!ZwCreateProcessEx 80581030 7 Bytes JMP B272250E \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
PAGE ntoskrnl.exe!ObMakeTemporaryObject 8059F84D 5 Bytes JMP B271E4AA \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
PAGE ntoskrnl.exe!ZwLoadDriver 805A3AF1 7 Bytes JMP B272246C \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
.rsrc C:\WINDOWS\system32\drivers\atapi.sys entry point in ".rsrc" section [0xF74B8794]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\System32\svchost.exe[232] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0075000A
.text C:\WINDOWS\System32\svchost.exe[232] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 0076000A
.text C:\WINDOWS\System32\svchost.exe[232] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0074000C
.text C:\WINDOWS\System32\svchost.exe[232] USER32.dll!GetCursorPos 7E42974E 5 Bytes JMP 0070000A
.text C:\WINDOWS\notepad.exe[392] kernel32.dll!GetFileAttributesW 7C80B7EC 5 Bytes JMP 10001C38 C:\WINDOWS\system32\melepoju.dll
.text C:\WINDOWS\notepad.exe[392] kernel32.dll!FindFirstFileExW 7C80EB1D 5 Bytes JMP 10001B62 C:\WINDOWS\system32\melepoju.dll
.text C:\WINDOWS\notepad.exe[392] kernel32.dll!FindNextFileW 7C80EFDA 7 Bytes JMP 10001BC8 C:\WINDOWS\system32\melepoju.dll
.text C:\WINDOWS\notepad.exe[392] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 10001BDF C:\WINDOWS\system32\melepoju.dll
.text C:\WINDOWS\notepad.exe[392] kernel32.dll!DeleteFileW 7C831F63 5 Bytes JMP 10001CC5 C:\WINDOWS\system32\melepoju.dll
.text C:\WINDOWS\notepad.exe[392] kernel32.dll!MoveFileExW 7C83568B 5 Bytes JMP 10001D96 C:\WINDOWS\system32\melepoju.dll
.text C:\WINDOWS\notepad.exe[392] kernel32.dll!Module32FirstW 7C8652E7 5 Bytes JMP 10001C6F C:\WINDOWS\system32\melepoju.dll
.text C:\WINDOWS\notepad.exe[392] kernel32.dll!Module32NextW 7C865484 5 Bytes JMP 10001CAE C:\WINDOWS\system32\melepoju.dll
.text C:\WINDOWS\notepad.exe[392] PSAPI.DLL!EnumProcessModules 76BF1EF4 5 Bytes JMP 10001CFC C:\WINDOWS\system32\melepoju.dll
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[836] kernel32.dll!GetFileAttributesW 7C80B7EC 5 Bytes JMP 10001C38 C:\WINDOWS\system32\suzejuta.dll
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[836] kernel32.dll!FindFirstFileExW 7C80EB1D 5 Bytes JMP 10001B62 C:\WINDOWS\system32\suzejuta.dll
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[836] kernel32.dll!FindNextFileW 7C80EFDA 7 Bytes JMP 10001BC8 C:\WINDOWS\system32\suzejuta.dll
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[836] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 10001BDF C:\WINDOWS\system32\suzejuta.dll
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[836] kernel32.dll!DeleteFileW 7C831F63 5 Bytes JMP 10001CC5 C:\WINDOWS\system32\suzejuta.dll
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[836] kernel32.dll!MoveFileExW 7C83568B 5 Bytes JMP 10001D96 C:\WINDOWS\system32\suzejuta.dll
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[836] kernel32.dll!Module32FirstW 7C8652E7 5 Bytes JMP 10001C6F C:\WINDOWS\system32\suzejuta.dll
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[836] kernel32.dll!Module32NextW 7C865484 5 Bytes JMP 10001CAE C:\WINDOWS\system32\suzejuta.dll
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[836] PSAPI.DLL!EnumProcessModules 76BF1EF4 5 Bytes JMP 10001CFC C:\WINDOWS\system32\suzejuta.dll
.text C:\WINDOWS\system32\Ati2evxx.exe[1400] ntdll.dll!NtCreateKey 7C90D0EE 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\Ati2evxx.exe[1400] ntdll.dll!NtCreateKey + 4 7C90D0F2 2 Bytes [17, 5F] {POP SS; POP EDI}
.text C:\WINDOWS\system32\Ati2evxx.exe[1400] ntdll.dll!NtSetValueKey 7C90DDCE 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\Ati2evxx.exe[1400] ntdll.dll!NtSetValueKey + 4 7C90DDD2 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text C:\WINDOWS\system32\Ati2evxx.exe[1400] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 01A40001
.text C:\WINDOWS\system32\Ati2evxx.exe[1400] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 5F0D0F5A
.text C:\WINDOWS\system32\Ati2evxx.exe[1400] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\Ati2evxx.exe[1400] kernel32.dll!GetFileAttributesW 7C80B7EC 5 Bytes JMP 10001C38 C:\WINDOWS\system32\melepoju.dll
.text C:\WINDOWS\system32\Ati2evxx.exe[1400] kernel32.dll!FindFirstFileExW 7C80EB1D 5 Bytes JMP 10001B62 C:\WINDOWS\system32\melepoju.dll
.text C:\WINDOWS\system32\Ati2evxx.exe[1400] kernel32.dll!FindNextFileW 7C80EFDA 7 Bytes JMP 10001BC8 C:\WINDOWS\system32\melepoju.dll
.text C:\WINDOWS\system32\Ati2evxx.exe[1400] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 10001BDF C:\WINDOWS\system32\melepoju.dll
.text C:\WINDOWS\system32\Ati2evxx.exe[1400] kernel32.dll!DeleteFileW 7C831F63 5 Bytes JMP 10001CC5 C:\WINDOWS\system32\melepoju.dll
.text C:\WINDOWS\system32\Ati2evxx.exe[1400] kernel32.dll!MoveFileExW 7C83568B 5 Bytes JMP 10001D96 C:\WINDOWS\system32\melepoju.dll
.text C:\WINDOWS\system32\Ati2evxx.exe[1400] kernel32.dll!Module32FirstW 7C8652E7 5 Bytes JMP 10001C6F C:\WINDOWS\system32\melepoju.dll
.text C:\WINDOWS\system32\Ati2evxx.exe[1400] kernel32.dll!Module32NextW 7C865484 5 Bytes JMP 10001CAE C:\WINDOWS\system32\melepoju.dll
.text C:\WINDOWS\system32\Ati2evxx.exe[1400] ADVAPI32.dll!CreateProcessAsUserW 77DEA8A9 6 Bytes JMP 5F100F5A
.text C:\WINDOWS\system32\Ati2evxx.exe[1400] ADVAPI32.dll!CreateProcessWithLogonW 77E15FFD 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\Ati2evxx.exe[1400] ADVAPI32.dll!CreateProcessWithLogonW + 4 77E16001 2 Bytes [05, 5F]
.text C:\WINDOWS\system32\Ati2evxx.exe[1400] ADVAPI32.dll!CreateServiceA 77E37211 6 Bytes JMP 5F190F5A
.text C:\WINDOWS\system32\Ati2evxx.exe[1400] ADVAPI32.dll!CreateServiceW 77E373A9 6 Bytes JMP 5F1C0F5A
.text C:\WINDOWS\system32\Ati2evxx.exe[1400] PSAPI.dll!EnumProcessModules 76BF1EF4 5 Bytes JMP 10001CFC C:\WINDOWS\system32\melepoju.dll
.text C:\WINDOWS\Explorer.EXE[1500] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00E9000A
.text C:\WINDOWS\Explorer.EXE[1500] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 0155000A
.text C:\WINDOWS\Explorer.EXE[1500] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00E8000A
.text C:\WINDOWS\Explorer.EXE[1500] ADVAPI32.dll!CreateProcessAsUserW 77DEA8A9 6 Bytes JMP 5F100F5A
.text C:\WINDOWS\Explorer.EXE[1500] ADVAPI32.dll!CreateProcessWithLogonW 77E15FFD 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\Explorer.EXE[1500] ADVAPI32.dll!CreateProcessWithLogonW + 4 77E16001 2 Bytes [05, 5F]
.text C:\Program Files\Bonjour\mDNSResponder.exe[1604] kernel32.dll!GetFileAttributesW 7C80B7EC 5 Bytes JMP 10001C38 C:\WINDOWS\system32\suzejuta.dll
.text C:\Program Files\Bonjour\mDNSResponder.exe[1604] kernel32.dll!FindFirstFileExW 7C80EB1D 5 Bytes JMP 10001B62 C:\WINDOWS\system32\suzejuta.dll
.text C:\Program Files\Bonjour\mDNSResponder.exe[1604] kernel32.dll!FindNextFileW 7C80EFDA 7 Bytes JMP 10001BC8 C:\WINDOWS\system32\suzejuta.dll
.text C:\Program Files\Bonjour\mDNSResponder.exe[1604] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 10001BDF C:\WINDOWS\system32\suzejuta.dll
.text C:\Program Files\Bonjour\mDNSResponder.exe[1604] kernel32.dll!DeleteFileW 7C831F63 5 Bytes JMP 10001CC5 C:\WINDOWS\system32\suzejuta.dll
.text C:\Program Files\Bonjour\mDNSResponder.exe[1604] kernel32.dll!MoveFileExW 7C83568B 5 Bytes JMP 10001D96 C:\WINDOWS\system32\suzejuta.dll
.text C:\Program Files\Bonjour\mDNSResponder.exe[1604] kernel32.dll!Module32FirstW 7C8652E7 5 Bytes JMP 10001C6F C:\WINDOWS\system32\suzejuta.dll
.text C:\Program Files\Bonjour\mDNSResponder.exe[1604] kernel32.dll!Module32NextW 7C865484 5 Bytes JMP 10001CAE C:\WINDOWS\system32\suzejuta.dll
.text C:\Program Files\Bonjour\mDNSResponder.exe[1604] PSAPI.DLL!EnumProcessModules 76BF1EF4 5 Bytes JMP 10001CFC C:\WINDOWS\system32\suzejuta.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[1620] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0203000A
.text C:\Program Files\Internet Explorer\iexplore.exe[1620] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 0204000A
.text C:\Program Files\Internet Explorer\iexplore.exe[1620] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0202000A
.text C:\Program Files\Internet Explorer\iexplore.exe[1620] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E2156E9 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1620] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2ED964 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1620] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E43AF C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1620] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E42E1 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1620] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E434C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1620] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E41B2 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1620] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E4214 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1620] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E4412 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1620] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E4276 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Alwil Software\Avast5\AvastSvc.exe[1752] kernel32.dll!GetFileAttributesW 7C80B7EC 5 Bytes JMP 10001C38 C:\WINDOWS\system32\suzejuta.dll
.text C:\Program Files\Alwil Software\Avast5\AvastSvc.exe[1752] kernel32.dll!FindFirstFileExW 7C80EB1D 5 Bytes JMP 10001B62 C:\WINDOWS\system32\suzejuta.dll
.text C:\Program Files\Alwil Software\Avast5\AvastSvc.exe[1752] kernel32.dll!FindNextFileW 7C80EFDA 7 Bytes JMP 10001BC8 C:\WINDOWS\system32\suzejuta.dll
.text C:\Program Files\Alwil Software\Avast5\AvastSvc.exe[1752] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 10001BDF C:\WINDOWS\system32\suzejuta.dll
.text C:\Program Files\Alwil Software\Avast5\AvastSvc.exe[1752] kernel32.dll!DeleteFileW 7C831F63 5 Bytes JMP 10001CC5 C:\WINDOWS\system32\suzejuta.dll
.text C:\Program Files\Alwil Software\Avast5\AvastSvc.exe[1752] kernel32.dll!MoveFileExW 7C83568B 5 Bytes JMP 10001D96 C:\WINDOWS\system32\suzejuta.dll
.text C:\Program Files\Alwil Software\Avast5\AvastSvc.exe[1752] kernel32.dll!Module32FirstW 7C8652E7 5 Bytes JMP 10001C6F C:\WINDOWS\system32\suzejuta.dll
.text C:\Program Files\Alwil Software\Avast5\AvastSvc.exe[1752] kernel32.dll!Module32NextW 7C865484 5 Bytes JMP 10001CAE C:\WINDOWS\system32\suzejuta.dll
.text C:\Program Files\Alwil Software\Avast5\AvastSvc.exe[1752] PSAPI.DLL!EnumProcessModules 76BF1EF4 5 Bytes JMP 10001CFC C:\WINDOWS\system32\suzejuta.dll
.text C:\Documents[1836] ntdll.dll!NtCreateKey 7C90D0EE 3 Bytes [FF, 25, 1E]
.text C:\Documents[1836] ntdll.dll!NtCreateKey + 4 7C90D0F2 2 Bytes [17, 5F] {POP SS; POP EDI}
.text C:\Documents[1836] ntdll.dll!NtSetValueKey 7C90DDCE 3 Bytes [FF, 25, 1E]
.text C:\Documents[1836] ntdll.dll!NtSetValueKey + 4 7C90DDD2 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text C:\Documents[1836] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 01670001
.text C:\Documents[1836] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 5F0D0F5A
.text C:\Documents[1836] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 5F0A0F5A
.text C:\Documents[1836] ADVAPI32.dll!CreateProcessAsUserW 77DEA8A9 6 Bytes JMP 5F100F5A
.text C:\Documents[1836] ADVAPI32.dll!CreateProcessWithLogonW 77E15FFD 3 Bytes [FF, 25, 1E]
.text C:\Documents[1836] ADVAPI32.dll!CreateProcessWithLogonW + 4 77E16001 2 Bytes [05, 5F]
.text C:\Documents[1836] ADVAPI32.dll!CreateServiceA 77E37211 6 Bytes JMP 5F190F5A
.text C:\Documents[1836] ADVAPI32.dll!CreateServiceW 77E373A9 6 Bytes JMP 5F1C0F5A
.text C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe[1860] kernel32.dll!GetFileAttributesW 7C80B7EC 5 Bytes JMP 015D1C38 C:\WINDOWS\system32\darejaju.dll
.text C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe[1860] kernel32.dll!FindFirstFileExW 7C80EB1D 5 Bytes JMP 015D1B62 C:\WINDOWS\system32\darejaju.dll
.text C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe[1860] kernel32.dll!FindNextFileW 7C80EFDA 7 Bytes JMP 015D1BC8 C:\WINDOWS\system32\darejaju.dll
.text C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe[1860] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 015D1BDF C:\WINDOWS\system32\darejaju.dll
.text C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe[1860] kernel32.dll!DeleteFileW 7C831F63 5 Bytes JMP 015D1CC5 C:\WINDOWS\system32\darejaju.dll
.text C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe[1860] kernel32.dll!MoveFileExW 7C83568B 5 Bytes JMP 015D1D96 C:\WINDOWS\system32\darejaju.dll
.text C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe[1860] kernel32.dll!Module32FirstW 7C8652E7 5 Bytes JMP 015D1C6F C:\WINDOWS\system32\darejaju.dll
.text C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe[1860] kernel32.dll!Module32NextW 7C865484 5 Bytes JMP 015D1CAE C:\WINDOWS\system32\darejaju.dll
.text C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe[1860] PSAPI.DLL!EnumProcessModules 76BF1EF4 5 Bytes JMP 015D1CFC C:\WINDOWS\system32\darejaju.dll
.text C:\WINDOWS\system32\ctfmon.exe[1880] ntdll.dll!NtCreateKey 7C90D0EE 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\ctfmon.exe[1880] ntdll.dll!NtCreateKey + 4 7C90D0F2 2 Bytes [17, 5F] {POP SS; POP EDI}
.text C:\WINDOWS\system32\ctfmon.exe[1880] ntdll.dll!NtSetValueKey 7C90DDCE 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\ctfmon.exe[1880] ntdll.dll!NtSetValueKey + 4 7C90DDD2 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text C:\WINDOWS\system32\ctfmon.exe[1880] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00BB0001
.text C:\WINDOWS\system32\ctfmon.exe[1880] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 5F0D0F5A
.text C:\WINDOWS\system32\ctfmon.exe[1880] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\ctfmon.exe[1880] kernel32.dll!GetFileAttributesW 7C80B7EC 5 Bytes JMP 10001C38 C:\WINDOWS\system32\darejaju.dll
.text C:\WINDOWS\system32\ctfmon.exe[1880] kernel32.dll!FindFirstFileExW 7C80EB1D 5 Bytes JMP 10001B62 C:\WINDOWS\system32\darejaju.dll
.text C:\WINDOWS\system32\ctfmon.exe[1880] kernel32.dll!FindNextFileW 7C80EFDA 7 Bytes JMP 10001BC8 C:\WINDOWS\system32\darejaju.dll
.text C:\WINDOWS\system32\ctfmon.exe[1880] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 10001BDF C:\WINDOWS\system32\darejaju.dll
.text C:\WINDOWS\system32\ctfmon.exe[1880] kernel32.dll!DeleteFileW 7C831F63 5 Bytes JMP 10001CC5 C:\WINDOWS\system32\darejaju.dll
.text C:\WINDOWS\system32\ctfmon.exe[1880] kernel32.dll!MoveFileExW 7C83568B 5 Bytes JMP 10001D96 C:\WINDOWS\system32\darejaju.dll
.text C:\WINDOWS\system32\ctfmon.exe[1880] kernel32.dll!Module32FirstW 7C8652E7 5 Bytes JMP 10001C6F C:\WINDOWS\system32\darejaju.dll
.text C:\WINDOWS\system32\ctfmon.exe[1880] kernel32.dll!Module32NextW 7C865484 5 Bytes JMP 10001CAE C:\WINDOWS\system32\darejaju.dll
.text C:\WINDOWS\system32\ctfmon.exe[1880] ADVAPI32.dll!CreateProcessAsUserW 77DEA8A9 6 Bytes JMP 5F100F5A
.text C:\WINDOWS\system32\ctfmon.exe[1880] ADVAPI32.dll!CreateProcessWithLogonW 77E15FFD 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\ctfmon.exe[1880] ADVAPI32.dll!CreateProcessWithLogonW + 4 77E16001 2 Bytes [05, 5F]
.text C:\WINDOWS\system32\ctfmon.exe[1880] ADVAPI32.dll!CreateServiceA 77E37211 6 Bytes JMP 5F190F5A
.text C:\WINDOWS\system32\ctfmon.exe[1880] ADVAPI32.dll!CreateServiceW 77E373A9 6 Bytes JMP 5F1C0F5A
.text C:\WINDOWS\system32\ctfmon.exe[1880] PSAPI.DLL!EnumProcessModules 76BF1EF4 5 Bytes JMP 10001CFC C:\WINDOWS\system32\darejaju.dll
.text C:\Documents and Settings\Marcia Bennett\Desktop\gmer\gmer.exe[1888] kernel32.dll!GetFileAttributesW 7C80B7EC 5 Bytes JMP 10001C38 C:\WINDOWS\system32\suzejuta.dll
.text C:\Documents and Settings\Marcia Bennett\Desktop\gmer\gmer.exe[1888] kernel32.dll!FindFirstFileExW 7C80EB1D 5 Bytes JMP 10001B62 C:\WINDOWS\system32\suzejuta.dll
.text C:\Documents and Settings\Marcia Bennett\Desktop\gmer\gmer.exe[1888] kernel32.dll!FindNextFileW 7C80EFDA 7 Bytes JMP 10001BC8 C:\WINDOWS\system32\suzejuta.dll
.text C:\Documents and Settings\Marcia Bennett\Desktop\gmer\gmer.exe[1888] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 10001BDF C:\WINDOWS\system32\suzejuta.dll
.text C:\Documents and Settings\Marcia Bennett\Desktop\gmer\gmer.exe[1888] kernel32.dll!DeleteFileW 7C831F63 5 Bytes JMP 10001CC5 C:\WINDOWS\system32\suzejuta.dll
.text C:\Documents and Settings\Marcia Bennett\Desktop\gmer\gmer.exe[1888] kernel32.dll!MoveFileExW 7C83568B 5 Bytes JMP 10001D96 C:\WINDOWS\system32\suzejuta.dll
.text C:\Documents and Settings\Marcia Bennett\Desktop\gmer\gmer.exe[1888] kernel32.dll!Module32FirstW 7C8652E7 5 Bytes JMP 10001C6F C:\WINDOWS\system32\suzejuta.dll
.text C:\Documents and Settings\Marcia Bennett\Desktop\gmer\gmer.exe[1888] kernel32.dll!Module32NextW 7C865484 5 Bytes JMP 10001CAE C:\WINDOWS\system32\suzejuta.dll
.text C:\Documents and Settings\Marcia Bennett\Desktop\gmer\gmer.exe[1888] PSAPI.DLL!EnumProcessModules 76BF1EF4 5 Bytes JMP 10001CFC C:\WINDOWS\system32\suzejuta.dll
.text C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe[1896] kernel32.dll!GetFileAttributesW 7C80B7EC 5 Bytes JMP 01441C38 C:\WINDOWS\system32\darejaju.dll
.text C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe[1896] kernel32.dll!FindFirstFileExW 7C80EB1D 5 Bytes JMP 01441B62 C:\WINDOWS\system32\darejaju.dll
.text C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe[1896] kernel32.dll!FindNextFileW 7C80EFDA 7 Bytes JMP 01441BC8 C:\WINDOWS\system32\darejaju.dll
.text C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe[1896] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 01441BDF C:\WINDOWS\system32\darejaju.dll
.text C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe[1896] kernel32.dll!DeleteFileW 7C831F63 5 Bytes JMP 01441CC5 C:\WINDOWS\system32\darejaju.dll
.text C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe[1896] kernel32.dll!MoveFileExW 7C83568B 5 Bytes JMP 01441D96 C:\WINDOWS\system32\darejaju.dll
.text C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe[1896] kernel32.dll!Module32FirstW 7C8652E7 5 Bytes JMP 01441C6F C:\WINDOWS\system32\darejaju.dll
.text C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe[1896] kernel32.dll!Module32NextW 7C865484 5 Bytes JMP 01441CAE C:\WINDOWS\system32\darejaju.dll
.text C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe[1896] PSAPI.DLL!EnumProcessModules 76BF1EF4 5 Bytes JMP 01441CFC C:\WINDOWS\system32\darejaju.dll
.text C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[1916] kernel32.dll!GetFileAttributesW 7C80B7EC 5 Bytes JMP 10001C38 C:\WINDOWS\system32\darejaju.dll
.text C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[1916] kernel32.dll!FindFirstFileExW 7C80EB1D 5 Bytes JMP 10001B62 C:\WINDOWS\system32\darejaju.dll
.text C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[1916] kernel32.dll!FindNextFileW 7C80EFDA 7 Bytes JMP 10001BC8 C:\WINDOWS\system32\darejaju.dll
.text C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[1916] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 10001BDF C:\WINDOWS\system32\darejaju.dll
.text C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[1916] kernel32.dll!DeleteFileW 7C831F63 5 Bytes JMP 10001CC5 C:\WINDOWS\system32\darejaju.dll
.text C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[1916] kernel32.dll!MoveFileExW 7C83568B 5 Bytes JMP 10001D96 C:\WINDOWS\system32\darejaju.dll
.text C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[1916] kernel32.dll!Module32FirstW 7C8652E7 5 Bytes JMP 10001C6F C:\WINDOWS\system32\darejaju.dll
.text C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[1916] kernel32.dll!Module32NextW 7C865484 5 Bytes JMP 10001CAE C:\WINDOWS\system32\darejaju.dll
.text C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[1916] PSAPI.DLL!EnumProcessModules 76BF1EF4 5 Bytes JMP 10001CFC C:\WINDOWS\system32\darejaju.dll
.text C:\Program Files\Java\jre6\bin\jqs.exe[2324] kernel32.dll!GetFileAttributesW 7C80B7EC 5 Bytes JMP 10001C38 C:\WINDOWS\system32\suzejuta.dll
.text C:\Program Files\Java\jre6\bin\jqs.exe[2324] kernel32.dll!FindFirstFileExW 7C80EB1D 5 Bytes JMP 10001B62 C:\WINDOWS\system32\suzejuta.dll
.text C:\Program Files\Java\jre6\bin\jqs.exe[2324] kernel32.dll!FindNextFileW 7C80EFDA 7 Bytes JMP 10001BC8 C:\WINDOWS\system32\suzejuta.dll
.text C:\Program Files\Java\jre6\bin\jqs.exe[2324] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 10001BDF C:\WINDOWS\system32\suzejuta.dll
.text C:\Program Files\Java\jre6\bin\jqs.exe[2324] kernel32.dll!DeleteFileW 7C831F63 5 Bytes JMP 10001CC5 C:\WINDOWS\system32\suzejuta.dll
.text C:\Program Files\Java\jre6\bin\jqs.exe[2324] kernel32.dll!MoveFileExW 7C83568B 5 Bytes JMP 10001D96 C:\WINDOWS\system32\suzejuta.dll
.text C:\Program Files\Java\jre6\bin\jqs.exe[2324] kernel32.dll!Module32FirstW 7C8652E7 5 Bytes JMP 10001C6F C:\WINDOWS\system32\suzejuta.dll
.text C:\Program Files\Java\jre6\bin\jqs.exe[2324] kernel32.dll!Module32NextW 7C865484 5 Bytes JMP 10001CAE C:\WINDOWS\system32\suzejuta.dll
.text C:\Program Files\Java\jre6\bin\jqs.exe[2324] PSAPI.DLL!EnumProcessModules 76BF1EF4 5 Bytes JMP 10001CFC C:\WINDOWS\system32\suzejuta.dll
.text C:\WINDOWS\system32\HPZipm12.exe[2468] kernel32.dll!GetFileAttributesW 7C80B7EC 5 Bytes JMP 10001C38 C:\WINDOWS\system32\suzejuta.dll
.text C:\WINDOWS\system32\HPZipm12.exe[2468] kernel32.dll!FindFirstFileExW 7C80EB1D 5 Bytes JMP 10001B62 C:\WINDOWS\system32\suzejuta.dll
.text C:\WINDOWS\system32\HPZipm12.exe[2468] kernel32.dll!FindNextFileW 7C80EFDA 7 Bytes JMP 10001BC8 C:\WINDOWS\system32\suzejuta.dll
.text C:\WINDOWS\system32\HPZipm12.exe[2468] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 10001BDF C:\WINDOWS\system32\suzejuta.dll
.text C:\WINDOWS\system32\HPZipm12.exe[2468] kernel32.dll!DeleteFileW 7C831F63 5 Bytes JMP 10001CC5 C:\WINDOWS\system32\suzejuta.dll
.text C:\WINDOWS\system32\HPZipm12.exe[2468] kernel32.dll!MoveFileExW 7C83568B 5 Bytes JMP 10001D96 C:\WINDOWS\system32\suzejuta.dll
.text C:\WINDOWS\system32\HPZipm12.exe[2468] kernel32.dll!Module32FirstW 7C8652E7 5 Bytes JMP 10001C6F C:\WINDOWS\system32\suzejuta.dll
.text C:\WINDOWS\system32\HPZipm12.exe[2468] kernel32.dll!Module32NextW 7C865484 5 Bytes JMP 10001CAE C:\WINDOWS\system32\suzejuta.dll
.text C:\WINDOWS\system32\HPZipm12.exe[2468] PSAPI.DLL!EnumProcessModules 76BF1EF4 5 Bytes JMP 10001CFC C:\WINDOWS\system32\suzejuta.dll
.text C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe[2916] kernel32.dll!GetFileAttributesW 7C80B7EC 5 Bytes JMP 10001C38 C:\WINDOWS\system32\suzejuta.dll
.text C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe[2916] kernel32.dll!FindFirstFileExW 7C80EB1D 5 Bytes JMP 10001B62 C:\WINDOWS\system32\suzejuta.dll
.text C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe[2916] kernel32.dll!FindNextFileW 7C80EFDA 7 Bytes JMP 10001BC8 C:\WINDOWS\system32\suzejuta.dll
.text C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe[2916] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 10001BDF C:\WINDOWS\system32\suzejuta.dll
.text C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe[2916] kernel32.dll!DeleteFileW 7C831F63 5 Bytes JMP 10001CC5 C:\WINDOWS\system32\suzejuta.dll
.text C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe[2916] kernel32.dll!MoveFileExW 7C83568B 5 Bytes JMP 10001D96 C:\WINDOWS\system32\suzejuta.dll
.text C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe[2916] kernel32.dll!Module32FirstW 7C8652E7 5 Bytes JMP 10001C6F C:\WINDOWS\system32\suzejuta.dll
.text C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe[2916] kernel32.dll!Module32NextW 7C865484 5 Bytes JMP 10001CAE C:\WINDOWS\system32\suzejuta.dll
.text C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe[2916] PSAPI.DLL!EnumProcessModules 76BF1EF4 5 Bytes JMP 10001CFC C:\WINDOWS\system32\suzejuta.dll
.text C:\Documents and Settings\Marcia Bennett\Desktop\OTL.exe[3480] kernel32.dll!GetFileAttributesW 7C80B7EC 5 Bytes JMP 10001C38 C:\WINDOWS\system32\suzejuta.dll
.text C:\Documents and Settings\Marcia Bennett\Desktop\OTL.exe[3480] kernel32.dll!FindFirstFileExW 7C80EB1D 5 Bytes JMP 10001B62 C:\WINDOWS\system32\suzejuta.dll
.text C:\Documents and Settings\Marcia Bennett\Desktop\OTL.exe[3480] kernel32.dll!FindNextFileW 7C80EFDA 7 Bytes JMP 10001BC8 C:\WINDOWS\system32\suzejuta.dll
.text C:\Documents and Settings\Marcia Bennett\Desktop\OTL.exe[3480] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 10001BDF C:\WINDOWS\system32\suzejuta.dll
.text C:\Documents and Settings\Marcia Bennett\Desktop\OTL.exe[3480] kernel32.dll!DeleteFileW 7C831F63 5 Bytes JMP 10001CC5 C:\WINDOWS\system32\suzejuta.dll
.text C:\Documents and Settings\Marcia Bennett\Desktop\OTL.exe[3480] kernel32.dll!MoveFileExW 7C83568B 5 Bytes JMP 10001D96 C:\WINDOWS\system32\suzejuta.dll
.text C:\Documents and Settings\Marcia Bennett\Desktop\OTL.exe[3480] kernel32.dll!Module32FirstW 7C8652E7 5 Bytes JMP 10001C6F C:\WINDOWS\system32\suzejuta.dll
.text C:\Documents and Settings\Marcia Bennett\Desktop\OTL.exe[3480] kernel32.dll!Module32NextW 7C865484 5 Bytes JMP 10001CAE C:\WINDOWS\system32\suzejuta.dll
.text C:\Documents and Settings\Marcia Bennett\Desktop\OTL.exe[3480] PSAPI.DLL!EnumProcessModules 76BF1EF4 5 Bytes JMP 10001CFC C:\WINDOWS\system32\suzejuta.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[3692] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 028F000A
.text C:\Program Files\Internet Explorer\iexplore.exe[3692] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 0290000A
.text C:\Program Files\Internet Explorer\iexplore.exe[3692] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 028E000A
.text C:\Program Files\Internet Explorer\iexplore.exe[3692] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E2156E9 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3692] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 3E2E9AD5 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3692] USER32.dll!CallNextHookEx 7E42B3C6 5 Bytes JMP 3E2DD189 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3692] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2ED964 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3692] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 3E2548CE C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3692] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E43AF C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3692] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E42E1 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3692] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E434C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3692] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E41B2 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3692] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E4214 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3692] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E4412 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3692] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E4276 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3692] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 3E2ED9C0 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3692] ole32.dll!OleLoadFromStream 77529C85 5 Bytes JMP 3E3E4717 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\WINDOWS\notepad.exe[3924] kernel32.dll!GetFileAttributesW 7C80B7EC 5 Bytes JMP 10001C38 C:\WINDOWS\system32\melepoju.dll
.text C:\WINDOWS\notepad.exe[3924] kernel32.dll!FindFirstFileExW 7C80EB1D 5 Bytes JMP 10001B62 C:\WINDOWS\system32\melepoju.dll
.text C:\WINDOWS\notepad.exe[3924] kernel32.dll!FindNextFileW 7C80EFDA 7 Bytes JMP 10001BC8 C:\WINDOWS\system32\melepoju.dll
.text C:\WINDOWS\notepad.exe[3924] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 10001BDF C:\WINDOWS\system32\melepoju.dll
.text C:\WINDOWS\notepad.exe[3924] kernel32.dll!DeleteFileW 7C831F63 5 Bytes JMP 10001CC5 C:\WINDOWS\system32\melepoju.dll
.text C:\WINDOWS\notepad.exe[3924] kernel32.dll!MoveFileExW 7C83568B 5 Bytes JMP 10001D96 C:\WINDOWS\system32\melepoju.dll
.text C:\WINDOWS\notepad.exe[3924] kernel32.dll!Module32FirstW 7C8652E7 5 Bytes JMP 10001C6F C:\WINDOWS\system32\melepoju.dll
.text C:\WINDOWS\notepad.exe[3924] kernel32.dll!Module32NextW 7C865484 5 Bytes JMP 10001CAE C:\WINDOWS\system32\melepoju.dll
.text C:\WINDOWS\notepad.exe[3924] PSAPI.DLL!EnumProcessModules 76BF1EF4 5 Bytes JMP 10001CFC C:\WINDOWS\system32\melepoju.dll
.text C:\Program Files\IObit\IObit Security 360\is360.exe[3948] kernel32.dll!GetFileAttributesW 7C80B7EC 5 Bytes JMP 016B1C38 C:\WINDOWS\system32\suzejuta.dll
.text C:\Program Files\IObit\IObit Security 360\is360.exe[3948] kernel32.dll!FindFirstFileExW 7C80EB1D 5 Bytes JMP 016B1B62 C:\WINDOWS\system32\suzejuta.dll
.text C:\Program Files\IObit\IObit Security 360\is360.exe[3948] kernel32.dll!FindNextFileW 7C80EFDA 7 Bytes JMP 016B1BC8 C:\WINDOWS\system32\suzejuta.dll
.text C:\Program Files\IObit\IObit Security 360\is360.exe[3948] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 016B1BDF C:\WINDOWS\system32\suzejuta.dll
.text C:\Program Files\IObit\IObit Security 360\is360.exe[3948] kernel32.dll!DeleteFileW 7C831F63 5 Bytes JMP 016B1CC5 C:\WINDOWS\system32\suzejuta.dll
.text C:\Program Files\IObit\IObit Security 360\is360.exe[3948] kernel32.dll!MoveFileExW 7C83568B 5 Bytes JMP 016B1D96 C:\WINDOWS\system32\suzejuta.dll
.text C:\Program Files\IObit\IObit Security 360\is360.exe[3948] kernel32.dll!Module32FirstW 7C8652E7 5 Bytes JMP 016B1C6F C:\WINDOWS\system32\suzejuta.dll
.text C:\Program Files\IObit\IObit Security 360\is360.exe[3948] kernel32.dll!Module32NextW 7C865484 5 Bytes JMP 016B1CAE C:\WINDOWS\system32\suzejuta.dll
.text C:\Program Files\IObit\IObit Security 360\is360.exe[3948] PSAPI.DLL!EnumProcessModules 76BF1EF4 5 Bytes JMP 016B1CFC C:\WINDOWS\system32\suzejuta.dll

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\WINDOWS\system32\services.exe[628] @ C:\WINDOWS\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 00700002
IAT C:\WINDOWS\system32\services.exe[628] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW] 00700000
IAT C:\Program Files\Internet Explorer\iexplore.exe[3692] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExW] [451F1ACB] C:\Program Files\Internet Explorer\xpshims.dll (Internet Explorer Compatibility Shims for XP/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs aswSP.SYS (avast! self protection module/ALWIL Software)

AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)

Device -> \Driver\atapi \Device\Harddisk0\DR0 8A723CA1

---- Processes - GMER 1.0.15 ----

Library C:\WINDOWS\system32\suzejuta.dll (*** hidden *** ) @ C:\WINDOWS\notepad.exe [392] 0x00F60000
Library C:\WINDOWS\system32\suzejuta.dll (*** hidden *** ) @ C:\WINDOWS\system32\winlogon.exe [576] 0x10000000
Library c:\windows\system32\vipukeyu.dll (*** hidden *** ) @ C:\WINDOWS\system32\winlogon.exe [576] 0x004F0000
Library C:\WINDOWS\system32\suzejuta.dll (*** hidden *** ) @ C:\WINDOWS\system32\services.exe [628] 0x10000000
Library c:\windows\system32\vipukeyu.dll (*** hidden *** ) @ C:\WINDOWS\system32\services.exe [628] 0x00680000
Library C:\WINDOWS\system32\suzejuta.dll (*** hidden *** ) @ C:\WINDOWS\system32\lsass.exe [640] 0x10000000
Library C:\WINDOWS\system32\suzejuta.dll (*** hidden *** ) @ C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe [836] 0x10000000
Library C:\WINDOWS\system32\suzejuta.dll (*** hidden *** ) @ C:\Program Files\Google\Update\GoogleUpdate.exe [1020] 0x10000000
Library C:\WINDOWS\system32\suzejuta.dll (*** hidden *** ) @ C:\WINDOWS\system32\Ati2evxx.exe [1400] 0x00D50000
Library c:\windows\system32\vipukeyu.dll (*** hidden *** ) @ C:\WINDOWS\Explorer.EXE [1500] 0x10000000
Library C:\WINDOWS\system32\suzejuta.dll (*** hidden *** ) @ C:\WINDOWS\Explorer.EXE [1500] 0x02AA0000
Library C:\WINDOWS\system32\suzejuta.dll (*** hidden *** ) @ C:\Program Files\Bonjour\mDNSResponder.exe [1604] 0x10000000
Library C:\WINDOWS\system32\suzejuta.dll (*** hidden *** ) @ C:\Program Files\Internet Explorer\iexplore.exe [1620] 0x02CD0000
Library C:\WINDOWS\system32\suzejuta.dll (*** hidden *** ) @ C:\Program Files\Alwil Software\Avast5\AvastSvc.exe [1752] 0x10000000
Library c:\windows\system32\vipukeyu.dll (*** hidden *** ) @ C:\Program Files\Alwil Software\Avast5\AvastSvc.exe [1752] 0x00820000
Library c:\windows\system32\vipukeyu.dll (*** hidden *** ) @ C:\Program Files\IObit\IObit Security 360\IS360tray.exe [1828] 0x10000000
Library C:\WINDOWS\system32\suzejuta.dll (*** hidden *** ) @ C:\Program Files\IObit\IObit Security 360\IS360tray.exe [1828] 0x04120000
Library C:\Documents (*** hidden *** ) @ C:\Documents [1836] 0x00400000
Library c:\windows\system32\vipukeyu.dll (*** hidden *** ) @ C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe [1860] 0x10000000
Library C:\WINDOWS\system32\suzejuta.dll (*** hidden *** ) @ C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe [1860] 0x014D0000
Library c:\windows\system32\vipukeyu.dll (*** hidden *** ) @ C:\WINDOWS\system32\ctfmon.exe [1880] 0x00DA0000
Library C:\WINDOWS\system32\suzejuta.dll (*** hidden *** ) @ C:\WINDOWS\system32\ctfmon.exe [1880] 0x00E10000
Library C:\WINDOWS\system32\suzejuta.dll (*** hidden *** ) @ C:\Documents and Settings\Marcia Bennett\Desktop\gmer\gmer.exe [1888] 0x10000000
Library c:\windows\system32\vipukeyu.dll (*** hidden *** ) @ C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe [1896] 0x01550000
Library C:\WINDOWS\system32\suzejuta.dll (*** hidden *** ) @ C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe [1896] 0x016E0000
Library c:\windows\system32\vipukeyu.dll (*** hidden *** ) @ C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe [1916] 0x01260000
Library C:\WINDOWS\system32\suzejuta.dll (*** hidden *** ) @ C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe [1916] 0x0FF60000
Library C:\WINDOWS\system32\suzejuta.dll (*** hidden *** ) @ C:\Program Files\Java\jre6\bin\jqs.exe [2324] 0x10000000
Library C:\WINDOWS\system32\suzejuta.dll (*** hidden *** ) @ C:\WINDOWS\system32\HPZipm12.exe [2468] 0x10000000
Library C:\WINDOWS\system32\suzejuta.dll (*** hidden *** ) @ C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe [2916] 0x10000000
Library C:\WINDOWS\system32\suzejuta.dll (*** hidden *** ) @ C:\Documents and Settings\Marcia Bennett\Desktop\OTL.exe [3480] 0x10000000
Library C:\WINDOWS\system32\suzejuta.dll (*** hidden *** ) @ C:\Program Files\Internet Explorer\iexplore.exe [3692] 0x03650000
Library C:\WINDOWS\system32\suzejuta.dll (*** hidden *** ) @ C:\WINDOWS\notepad.exe [3924] 0x00F60000
Library C:\WINDOWS\system32\suzejuta.dll (*** hidden *** ) @ C:\Program Files\IObit\IObit Security 360\is360.exe [3948] 0x016B0000

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher@TracesProcessed 118
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher@TracesSuccessful 103

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 sector 01: copy of MBR
Disk \Device\Harddisk0\DR0 sector 02: copy of MBR
Disk \Device\Harddisk0\DR0 sector 03: copy of MBR
Disk \Device\Harddisk0\DR0 sector 04: copy of MBR
Disk \Device\Harddisk0\DR0 sector 05: copy of MBR
Disk \Device\Harddisk0\DR0 sector 06: copy of MBR
Disk \Device\Harddisk0\DR0 sector 07: copy of MBR
Disk \Device\Harddisk0\DR0 sector 08: copy of MBR
Disk \Device\Harddisk0\DR0 sector 09: copy of MBR
Disk \Device\Harddisk0\DR0 sector 10: copy of MBR
Disk \Device\Harddisk0\DR0 sector 11: copy of MBR
Disk \Device\Harddisk0\DR0 sector 12: copy of MBR
Disk \Device\Harddisk0\DR0 sector 13: copy of MBR
Disk \Device\Harddisk0\DR0 sector 14: copy of MBR
Disk \Device\Harddisk0\DR0 sector 15: copy of MBR
Disk \Device\Harddisk0\DR0 sector 16: copy of MBR
Disk \Device\Harddisk0\DR0 sector 17: copy of MBR
Disk \Device\Harddisk0\DR0 sector 18: copy of MBR
Disk \Device\Harddisk0\DR0 sector 19: copy of MBR
Disk \Device\Harddisk0\DR0 sector 20: copy of MBR
Disk \Device\Harddisk0\DR0 sector 21: copy of MBR
Disk \Device\Harddisk0\DR0 sector 22: copy of MBR
Disk \Device\Harddisk0\DR0 sector 23: copy of MBR
Disk \Device\Harddisk0\DR0 sector 24: copy of MBR
Disk \Device\Harddisk0\DR0 sector 25: copy of MBR
Disk \Device\Harddisk0\DR0 sector 26: copy of MBR
Disk \Device\Harddisk0\DR0 sector 27: copy of MBR
Disk \Device\Harddisk0\DR0 sector 28: copy of MBR
Disk \Device\Harddisk0\DR0 sector 29: copy of MBR
Disk \Device\Harddisk0\DR0 sector 30: copy of MBR
Disk \Device\Harddisk0\DR0 sector 31: copy of MBR
Disk \Device\Harddisk0\DR0 sector 32: copy of MBR
Disk \Device\Harddisk0\DR0 sector 33: copy of MBR
Disk \Device\Harddisk0\DR0 sector 34: copy of MBR
Disk \Device\Harddisk0\DR0 sector 35: copy of MBR
Disk \Device\Harddisk0\DR0 sector 36: copy of MBR
Disk \Device\Harddisk0\DR0 sector 37: copy of MBR
Disk \Device\Harddisk0\DR0 sector 38: copy of MBR
Disk \Device\Harddisk0\DR0 sector 39: copy of MBR
Disk \Device\Harddisk0\DR0 sector 40: copy of MBR
Disk \Device\Harddisk0\DR0 sector 41: copy of MBR
Disk \Device\Harddisk0\DR0 sector 42: copy of MBR
Disk \Device\Harddisk0\DR0 sector 43: copy of MBR
Disk \Device\Harddisk0\DR0 sector 44: copy of MBR
Disk \Device\Harddisk0\DR0 sector 45: copy of MBR
Disk \Device\Harddisk0\DR0 sector 46: copy of MBR
Disk \Device\Harddisk0\DR0 sector 47: copy of MBR
Disk \Device\Harddisk0\DR0 sector 48: copy of MBR
Disk \Device\Harddisk0\DR0 sector 49: copy of MBR
Disk \Device\Harddisk0\DR0 sector 50: copy of MBR
Disk \Device\Harddisk0\DR0 sector 51: copy of MBR
Disk \Device\Harddisk0\DR0 sector 52: copy of MBR
Disk \Device\Harddisk0\DR0 sector 53: copy of MBR
Disk \Device\Harddisk0\DR0 sector 54: copy of MBR
Disk \Device\Harddisk0\DR0 sector 55: copy of MBR
Disk \Device\Harddisk0\DR0 sector 56: copy of MBR
Disk \Device\Harddisk0\DR0 sector 57: copy of MBR
Disk \Device\Harddisk0\DR0 sector 58: copy of MBR
Disk \Device\Harddisk0\DR0 sector 59: copy of MBR
Disk \Device\Harddisk0\DR0 sector 60: rootkit-like behavior; copy of MBR
Disk \Device\Harddisk0\DR0 sector 61: copy of MBR
Disk \Device\Harddisk0\DR0 sector 62: rootkit-like behavior; copy of MBR
Disk \Device\Harddisk0\DR0 sector 63: rootkit-like behavior; copy of MBR

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ---

Thanks!

#6 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,203 posts
  • OFFLINE
  • Gender:Female
  • Location:Romania
  • Local time:03:33 AM

Posted 21 April 2010 - 03:49 PM

Hello again,

Unfortunately you have a nasty rootkit infection. Please consider the following first.

BACKDOOR WARNING
------------------------------
One or more of the identified infections is known to use a backdoor.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would advise you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the infection has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.


COMBOFIX
---------------
Please download ComboFix from one of these locations:
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe and follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, or if you are running Vista, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 


 

Malware analyst @ Emsisoft


#7 aLuffabo

aLuffabo
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  • Local time:07:33 PM

Posted 21 April 2010 - 06:38 PM

Took a couple of times, but here is the log:

ComboFix 10-04-21.01 - Marcia Bennett 04/21/2010 18:27:43.2.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1982.1488 [GMT -5:00]
Running from: c:\documents and settings\Marcia Bennett\Desktop\ComboFix.exe
AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\documents and settings\All Users\Start Menu\HP Image Zone .lnk
c:\documents and settings\Marcia Bennett\Recent\Reservations - Book Flight - View Reservation Details(2).url
c:\documents and settings\Marcia Bennett\Recent\Reservations - Book Flight - View Reservation Details.url
c:\windows\system32\herifolu.dll
c:\windows\system32\sivaforu.dll
c:\windows\system32\sivuvaje.dll
c:\windows\system32\sugefeso.dll
c:\windows\system32\vawirofa.dll
c:\windows\system32\vujigami.dll
c:\windows\Tasks\jcbfexji.job

.
((((((((((((((((((((((((( Files Created from 2010-03-21 to 2010-04-21 )))))))))))))))))))))))))))))))
.

2010-04-16 00:28 . 2010-04-14 16:31 19024 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-04-16 00:28 . 2010-04-14 16:35 162768 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-04-16 00:28 . 2010-04-14 16:31 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-04-16 00:28 . 2010-04-14 16:35 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-04-16 00:28 . 2010-04-14 16:31 100432 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2010-04-16 00:28 . 2010-04-14 16:31 94800 ----a-w- c:\windows\system32\drivers\aswmon.sys
2010-04-16 00:28 . 2010-04-14 16:30 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2010-04-16 00:28 . 2010-04-14 16:47 38848 ----a-w- c:\windows\system32\avastSS.scr
2010-04-16 00:28 . 2010-04-14 16:47 153184 ----a-w- c:\windows\system32\aswBoot.exe
2010-04-16 00:27 . 2010-04-16 00:27 -------- d-----w- c:\program files\Alwil Software
2010-04-16 00:27 . 2010-04-16 00:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
2010-04-09 05:58 . 2010-04-09 20:48 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-08 23:13 . 2010-04-08 23:13 -------- d-----w- c:\documents and settings\Marcia Bennett\Application Data\Malwarebytes
2010-04-08 22:05 . 2010-04-08 22:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-04-04 06:37 . 2010-04-20 23:40 -------- d-----w- c:\documents and settings\Marcia Bennett\Local Settings\Application Data\tuedocveo
2010-04-02 00:41 . 2010-04-02 00:41 503808 ----a-w- c:\documents and settings\Marcia Bennett\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-1b742f8f-n\msvcp71.dll
2010-04-02 00:40 . 2010-04-02 00:41 499712 ----a-w- c:\documents and settings\Marcia Bennett\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-1b742f8f-n\jmc.dll
2010-04-02 00:40 . 2010-04-02 00:41 12800 ----a-w- c:\documents and settings\Marcia Bennett\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-5ade1b6f-n\decora-d3d.dll
2010-04-02 00:40 . 2010-04-02 00:40 61440 ----a-w- c:\documents and settings\Marcia Bennett\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-5ade1b6f-n\decora-sse.dll
2010-04-02 00:40 . 2010-04-02 00:40 348160 ----a-w- c:\documents and settings\Marcia Bennett\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-1b742f8f-n\msvcr71.dll
2010-04-01 21:04 . 2010-04-20 23:48 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2010-04-01 05:14 . 2010-03-09 09:28 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-04-01 05:13 . 2010-04-01 05:13 152576 ----a-w- c:\documents and settings\Marcia Bennett\Application Data\Sun\Java\jre1.6.0_16\lzma.dll
2010-03-25 18:38 . 2010-03-25 18:38 -------- d-----w- c:\documents and settings\NetworkService\Application Data\AdobeUM

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-20 23:41 . 2008-12-29 03:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2010-04-16 00:38 . 2010-03-19 21:35 -------- d-----w- c:\program files\Spyware Doctor
2010-04-16 00:36 . 2010-03-19 21:35 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-04-16 00:35 . 2006-05-09 03:09 75384 -c--a-w- c:\windows\system32\config\systemprofile\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-04-09 05:35 . 2004-08-03 22:59 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-04-08 21:08 . 2006-05-09 03:09 75384 -c--a-w- c:\documents and settings\Marcia Bennett\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-04-02 01:38 . 2010-03-19 08:01 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-04-01 23:54 . 2010-03-19 08:01 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-04-01 06:10 . 2006-05-10 01:12 -------- d-----w- c:\program files\Canon
2010-04-01 06:05 . 2006-12-14 17:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2010-04-01 06:02 . 2005-11-05 04:22 -------- d-----w- c:\program files\Common Files\Java
2010-04-01 06:02 . 2005-11-05 04:22 -------- d-----w- c:\program files\Java
2010-03-31 21:55 . 2006-09-30 02:06 -------- d-----w- c:\program files\Webshots
2010-03-18 18:34 . 2010-03-17 23:57 -------- d-----w- c:\documents and settings\Marcia Bennett\Application Data\IObit
2010-03-18 18:29 . 2007-12-20 16:25 -------- d-----w- c:\program files\LimeWire
2010-03-18 18:29 . 2006-12-21 17:32 -------- d-----w- c:\program files\HP
2010-03-18 18:29 . 2006-09-24 22:15 -------- d-----w- c:\program files\IrfanView
2010-03-17 23:57 . 2010-03-17 23:47 -------- d-----w- c:\program files\IObit
2010-03-17 23:47 . 2010-03-17 23:47 -------- d-----w- c:\documents and settings\All Users\Application Data\IObit
2010-03-17 23:44 . 2010-01-22 04:34 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2010-03-17 18:52 . 2010-03-16 14:56 0 ----a-w- c:\documents and settings\Marcia Bennett\Local Settings\Application Data\prvlcl.dat
2010-03-17 18:51 . 2010-03-17 18:51 -------- d-----w- c:\program files\mpegable
2010-03-17 18:51 . 2010-03-17 18:51 47104 ------w- c:\windows\AKDeInstall.exe
2010-03-17 18:31 . 2010-03-17 18:31 -------- d-----w- c:\documents and settings\All Users\Application Data\VideoMach
2010-03-10 06:15 . 2005-11-05 00:53 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-03-08 22:34 . 2010-03-08 22:33 -------- d-----w- c:\program files\DivX
2010-03-08 22:33 . 2010-03-08 22:33 -------- d-----w- c:\program files\Common Files\DivX Shared
2010-02-25 06:24 . 2005-11-05 00:53 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-24 13:11 . 2005-11-05 00:52 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-17 14:10 . 2005-11-05 00:53 2189952 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 13:25 . 2004-08-03 22:59 2066816 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-12 04:33 . 2005-11-05 00:52 100864 ----a-w- c:\windows\system32\6to4svc.dll
2010-02-11 12:02 . 2005-11-05 00:53 226880 ----a-w- c:\windows\system32\drivers\tcpip6.sys
2010-02-06 15:28 . 2006-05-12 02:00 2608 -c--a-w- c:\documents and settings\Marcia Bennett\Application Data\wklnhst.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{d4119301-7ac7-42fe-aa80-4d340fcd08c8}]
melepoju.dll [BU]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Advanced SystemCare 3"="c:\program files\IObit\Advanced SystemCare 3\AWC.exe" [2010-03-29 2343120]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"henbagvc"="c:\documents and settings\Marcia Bennett\Local Settings\Application Data\tuedocveo\veyamjgtssd.exe" [BU]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IObit Security 360"="c:\program files\IObit\IObit Security 360\IS360tray.exe" [2009-12-24 1280272]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-04-14 2790472]
"kulenotul"="c:\windows\system32\sivaforu.dll" [BU]
"dagugosaze"="darejaju.dll" [BU]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\SharedTaskScheduler]
"{e2bd204f-7352-43ce-9453-485723e65eed}"= "c:\windows\system32\sivaforu.dll" [BU]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"bezokehap"= {e2bd204f-7352-43ce-9453-485723e65eed} - c:\windows\system32\sivaforu.dll [BU]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Image Zone Fast Start.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Image Zone Fast Start.lnk
backup=c:\windows\pss\HP Image Zone Fast Start.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^RAMASST.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\RAMASST.lnk
backup=c:\windows\pss\RAMASST.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Marcia Bennett^Start Menu^Programs^Startup^Webshots.lnk]
path=c:\documents and settings\Marcia Bennett\Start Menu\Programs\Startup\Webshots.lnk
backup=c:\windows\pss\Webshots.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
2005-10-15 14:29 88203 -c--a-w- c:\windows\agrsmmsg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
2005-05-04 02:43 69632 -c--a-w- c:\windows\Alcmtr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DLA]
2005-08-01 13:10 122940 -c--a-w- c:\windows\system32\DLA\DLACTRLW.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2005-05-12 05:12 49152 -c--a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2008-02-19 19:10 267048 -c--a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IVPServiceMgr]
2003-10-20 17:37 475136 -c--a-w- c:\toshiba\IVP\ISM\Ivpsvmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mcagent_exe]
c:\program files\McAfee.com\Agent\mcagent.exe [BU]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NDSTray.exe]
NDSTray.exe [BU]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OpwareSE2]
2003-05-08 18:00 49152 -c--a-w- c:\program files\ScanSoft\OmniPageSE2.0\opwareSE2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OpwareSE4]
2006-03-21 18:19 69632 -c--a-w- c:\program files\ScanSoft\OmniPageSE4.0\OpWareSE4.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PhotoShow Deluxe Media Manager]
c:\progra~1\WALGRE~1\WALGRE~1\data\Xtras\mssysmgr.exe [BU]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Pinger]
2005-03-18 01:37 151552 ----a-w- c:\toshiba\IVP\ISM\pinger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
2005-11-10 19:14 15473664 -c--a-w- c:\windows\RTHDCPL.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
c:\program files\Skype\Phone\Skype.exe [BU]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SmoothView]
2005-04-27 00:13 122880 -c--a-w- c:\program files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSBkgdUpdate]
2003-09-30 05:14 155648 -c--a-r- c:\program files\Common Files\ScanSoft Shared\SSBkgdUpdate\SSBkgdUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
2004-10-14 23:26 688218 -c--a-w- c:\program files\Synaptics\SynTP\SynTPEnh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPLpr]
2004-10-14 23:28 98394 -c--a-w- c:\program files\Synaptics\SynTP\SynTPLpr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TalkAndWrite]
c:\documents and settings\All Users\Application Data\Skype\Plugins\Plugins\1163D2B46CC742E5A3CC9E4157887751\TalkAndWrite.exe [BU]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TFncKy]
TFncKy.exe [BU]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\THotkey]
2005-11-25 21:07 352256 -c--a-w- c:\program files\TOSHIBA\TOSHIBA Applet\THotkey.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Tvs]
2005-11-10 18:24 73728 -c--a-w- c:\program files\TOSHIBA\Tvs\TvsTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\TOSHIBA\\ivp\\NetInt\\Netint.exe"=
"c:\\TOSHIBA\\Ivp\\ISM\\pinger.exe"= c:\\TOSHIBA\\IVP\\ISM\\pinger.exe
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\Common Files\\Apple\\Mobile Device Support\\bin\\AppleMobileDeviceService.exe"=

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [4/15/2010 7:28 PM 162768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [4/15/2010 7:28 PM 19024]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/6/2010 5:42 PM 135664]
S2 IS360service;IS360service;c:\program files\IObit\IObit Security 360\is360srv.exe [3/17/2010 6:47 PM 311568]
.
Contents of the 'Scheduled Tasks' folder

2010-04-21 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2006-12-30 05:03]

2010-04-21 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-06 22:42]

2010-04-21 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-06 22:42]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://idp.cor.safemls.net/idp/Authn/UserPassword
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Marcia Bennett\Application Data\Mozilla\Firefox\Profiles\jvvlk4li.default\
FF - prefs.js: browser.startup.homepage - www.google.com
FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa2.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: browser.cache.memory.capacity - 65536
FF - user.js: browser.chrome.favicons - false
FF - user.js: browser.display.show_image_placeholders - true
FF - user.js: browser.turbo.enabled - true
FF - user.js: browser.urlbar.autocomplete.enabled - true
FF - user.js: browser.urlbar.autofill - true
FF - user.js: content.interrupt.parsing - true
FF - user.js: content.max.tokenizing.time - 2250000
FF - user.js: content.notify.backoffcount - 5
FF - user.js: content.notify.interval - 750000
FF - user.js: content.notify.ontimer - true
FF - user.js: content.switch.threshold - 750000
FF - user.js: network.http.max-connections - 48
FF - user.js: network.http.max-connections-per-server - 16
FF - user.js: network.http.max-persistent-connections-per-proxy - 16
FF - user.js: network.http.max-persistent-connections-per-server - 8
FF - user.js: network.http.pipelining - true
FF - user.js: network.http.pipelining.firstrequest - true
FF - user.js: network.http.pipelining.maxrequests - 8
FF - user.js: network.http.proxy.pipelining - true
FF - user.js: network.http.request.max-start-delay - 0
FF - user.js: nglayout.initialpaint.delay - 0
FF - user.js: plugin.expose_full_path - true
FF - user.js: ui.submenuDelay - 0
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.
- - - - ORPHANS REMOVED - - - -

SharedTaskScheduler-{9a952a41-ed84-44c3-a65f-d022aab4217f} - (no file)
SharedTaskScheduler-{d4d1ac56-8b5b-4d83-993c-90584338c446} - (no file)
SSODL-zoliwutiv-{9a952a41-ed84-44c3-a65f-d022aab4217f} - (no file)
SSODL-juretapaw-{14405649-2168-47b0-82d3-014204751ef5} - (no file)
SSODL-jiyisemod-{d4d1ac56-8b5b-4d83-993c-90584338c446} - (no file)
SSODL-koposijet-{ba774bc8-827e-4a6f-88c8-046dfd639006} - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-21 18:33
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(572)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(3540)
c:\windows\system32\WININET.dll
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-04-21 18:36:07
ComboFix-quarantined-files.txt 2010-04-21 23:35

Pre-Run: 12,800,290,816 bytes free
Post-Run: 12,768,419,840 bytes free

- - End Of File - - 201B027A762A40B9B551E98721BB9911


#8 Elise (Bleepin' Blonde, Malware Study Hall Admin, 61,203 posts, Location: Romania)

Posted 22 April 2010 - 05:09 AM

Hello again,

CF-SCRIPT
-------------
We need to execute a CF-script.
  • Close any open browsers.
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
  • Click Start > Run and in the box that opens type notepad and press enter. Copy/paste the text in the codebox below into it:
CODE
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{d4119301-7ac7-42fe-aa80-4d340fcd08c8}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"henbagvc"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"kulenotul"=-
"dagugosaze"=-
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\SharedTaskScheduler]
"{e2bd204f-7352-43ce-9453-485723e65eed}"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"bezokehap"=

File::
c:\documents and settings\Marcia Bennett\Local Settings\Application Data\tuedocveo\veyamjgtssd.exe
c:\windows\system32\sivaforu.dll

Save this as CFScript.txt, in the same location as ComboFix.exe



Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.


Please also rerun the GMER scan and post me both the ComboFix and GMER logs.





regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."


Malware analyst @ Emsisoft
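The CFScript above is a list of registry and file deletions written in the regedit-style syntax ComboFix accepts. Before dragging such a script onto ComboFix.exe it helps to see exactly what it will do. The parser below is an added example for this thread, not ComboFix code and not part of Elise's post. It assumes the following rules: in the Registry:: section a '[KEY]' line selects a key, '[-KEY]' deletes that key, and a '"name"=-' line deletes that value under the selected key; a '"name"=' line without the trailing '-' is not the deletion form, so it is reported separately as set_value to make it stand out during review; in the File:: section every line is a path to delete. The '~' shorthand ComboFix uses in key paths is passed through unexpanded. The sample input is the script from the post above.

```python
"""Turn a ComboFix CFScript into an explicit list of actions.

Added example for this thread; not ComboFix code and not part of the post.
Assumed syntax (regedit-style):  Registry:: '[KEY]' selects a key,
'[-KEY]' deletes it, '"name"=-' deletes a value under the selected key,
'"name"=' (no '-') is reported as set_value; File:: one path per line
(Folder:: and Driver:: are handled the same way). '~' is not expanded.
"""
import re
from collections import Counter
from dataclasses import dataclass

KEY_RE = re.compile(r"^\[(-?)(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')


@dataclass(frozen=True)
class Action:
    kind: str          # delete_key | delete_value | set_value | delete_file | unparsed
    target: str        # registry key or file path
    detail: str = ""   # value name (plus value, for set_value)


def parse_cfscript(text: str) -> list[Action]:
    actions: list[Action] = []
    section = None
    current_key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("::"):            # section header such as Registry::
            section = line[:-2]
            current_key = None
            continue
        if section == "Registry":
            m = KEY_RE.match(line)
            if m:
                minus, key = m.groups()
                if minus:
                    actions.append(Action("delete_key", key))
                    current_key = None     # values cannot follow a deleted key
                else:
                    current_key = key
                continue
            m = VALUE_RE.match(line)
            if m and current_key:
                name, value = m.groups()
                if value == "-":
                    actions.append(Action("delete_value", current_key, name))
                else:
                    actions.append(Action("set_value", current_key, f"{name}={value}"))
                continue
            actions.append(Action("unparsed", line, "Registry"))
        elif section in ("File", "Folder", "Driver"):
            actions.append(Action("delete_" + section.lower(), line))
        else:
            actions.append(Action("unparsed", line, section or ""))
    return actions


def summarize(actions: list[Action]) -> dict[str, int]:
    """Count actions per kind, e.g. {'delete_key': 1, 'delete_value': 4, ...}."""
    return dict(Counter(a.kind for a in actions))


# Sample input: the CFScript posted above in this thread.
CFSCRIPT = r"""
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{d4119301-7ac7-42fe-aa80-4d340fcd08c8}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"henbagvc"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"kulenotul"=-
"dagugosaze"=-
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\SharedTaskScheduler]
"{e2bd204f-7352-43ce-9453-485723e65eed}"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"bezokehap"=

File::
c:\documents and settings\Marcia Bennett\Local Settings\Application Data\tuedocveo\veyamjgtssd.exe
c:\windows\system32\sivaforu.dll
"""

if __name__ == "__main__":
    for a in parse_cfscript(CFSCRIPT):
        print(f"{a.kind:13} {a.target}  {a.detail}".rstrip())
    print(summarize(parse_cfscript(CFSCRIPT)))
```

Running it lists one key deletion, four value deletions, two file deletions, and one set_value line for "bezokehap", which is the entry to double-check against the next ComboFix log.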


#9 aLuffabo (Topic Starter, Members, 12 posts)

Posted 25 April 2010 - 06:44 PM

Hi Elise!

Sorry for the slow reply, I was out of town and couldn't get to the internet.

Here are the logs:

ComboFix 10-04-21.01 - Marcia Bennett 04/25/2010 16:08:49.3.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1982.1564 [GMT -5:00]
Running from: c:\documents and settings\Marcia Bennett\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Marcia Bennett\Desktop\CFScript.txt
AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
* Created a new restore point

FILE ::
"c:\documents and settings\Marcia Bennett\Local Settings\Application Data\tuedocveo\veyamjgtssd.exe"
"c:\windows\system32\sivaforu.dll"
.

((((((((((((((((((((((((( Files Created from 2010-03-25 to 2010-04-25 )))))))))))))))))))))))))))))))
.

2010-04-16 00:28 . 2010-04-14 16:31 19024 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-04-16 00:28 . 2010-04-14 16:35 162768 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-04-16 00:28 . 2010-04-14 16:31 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-04-16 00:28 . 2010-04-14 16:35 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-04-16 00:28 . 2010-04-14 16:31 100432 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2010-04-16 00:28 . 2010-04-14 16:31 94800 ----a-w- c:\windows\system32\drivers\aswmon.sys
2010-04-16 00:28 . 2010-04-14 16:30 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2010-04-16 00:28 . 2010-04-14 16:47 38848 ----a-w- c:\windows\system32\avastSS.scr
2010-04-16 00:28 . 2010-04-14 16:47 153184 ----a-w- c:\windows\system32\aswBoot.exe
2010-04-16 00:27 . 2010-04-16 00:27 -------- d-----w- c:\program files\Alwil Software
2010-04-16 00:27 . 2010-04-16 00:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
2010-04-09 05:58 . 2010-04-09 20:48 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-08 23:13 . 2010-04-08 23:13 -------- d-----w- c:\documents and settings\Marcia Bennett\Application Data\Malwarebytes
2010-04-08 22:05 . 2010-04-08 22:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-04-04 06:37 . 2010-04-20 23:40 -------- d-----w- c:\documents and settings\Marcia Bennett\Local Settings\Application Data\tuedocveo
2010-04-02 00:41 . 2010-04-02 00:41 503808 ----a-w- c:\documents and settings\Marcia Bennett\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-1b742f8f-n\msvcp71.dll
2010-04-02 00:40 . 2010-04-02 00:41 499712 ----a-w- c:\documents and settings\Marcia Bennett\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-1b742f8f-n\jmc.dll
2010-04-02 00:40 . 2010-04-02 00:41 12800 ----a-w- c:\documents and settings\Marcia Bennett\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-5ade1b6f-n\decora-d3d.dll
2010-04-02 00:40 . 2010-04-02 00:40 61440 ----a-w- c:\documents and settings\Marcia Bennett\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-5ade1b6f-n\decora-sse.dll
2010-04-02 00:40 . 2010-04-02 00:40 348160 ----a-w- c:\documents and settings\Marcia Bennett\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-1b742f8f-n\msvcr71.dll
2010-04-01 21:04 . 2010-04-20 23:48 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2010-04-01 05:14 . 2010-03-09 09:28 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-04-01 05:13 . 2010-04-01 05:13 152576 ----a-w- c:\documents and settings\Marcia Bennett\Application Data\Sun\Java\jre1.6.0_16\lzma.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-25 21:01 . 2008-12-29 03:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2010-04-16 00:38 . 2010-03-19 21:35 -------- d-----w- c:\program files\Spyware Doctor
2010-04-16 00:36 . 2010-03-19 21:35 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-04-16 00:35 . 2006-05-09 03:09 75384 -c--a-w- c:\windows\system32\config\systemprofile\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-04-09 05:35 . 2004-08-03 22:59 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-04-08 21:08 . 2006-05-09 03:09 75384 -c--a-w- c:\documents and settings\Marcia Bennett\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-04-02 01:38 . 2010-03-19 08:01 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-04-01 23:54 . 2010-03-19 08:01 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-04-01 06:10 . 2006-05-10 01:12 -------- d-----w- c:\program files\Canon
2010-04-01 06:05 . 2006-12-14 17:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2010-04-01 06:02 . 2005-11-05 04:22 -------- d-----w- c:\program files\Common Files\Java
2010-04-01 06:02 . 2005-11-05 04:22 -------- d-----w- c:\program files\Java
2010-03-31 21:55 . 2006-09-30 02:06 -------- d-----w- c:\program files\Webshots
2010-03-25 18:38 . 2010-03-25 18:38 -------- d-----w- c:\documents and settings\NetworkService\Application Data\AdobeUM
2010-03-18 18:34 . 2010-03-17 23:57 -------- d-----w- c:\documents and settings\Marcia Bennett\Application Data\IObit
2010-03-18 18:29 . 2007-12-20 16:25 -------- d-----w- c:\program files\LimeWire
2010-03-18 18:29 . 2006-12-21 17:32 -------- d-----w- c:\program files\HP
2010-03-18 18:29 . 2006-09-24 22:15 -------- d-----w- c:\program files\IrfanView
2010-03-17 23:57 . 2010-03-17 23:47 -------- d-----w- c:\program files\IObit
2010-03-17 23:47 . 2010-03-17 23:47 -------- d-----w- c:\documents and settings\All Users\Application Data\IObit
2010-03-17 23:44 . 2010-01-22 04:34 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2010-03-17 18:52 . 2010-03-16 14:56 0 ----a-w- c:\documents and settings\Marcia Bennett\Local Settings\Application Data\prvlcl.dat
2010-03-17 18:51 . 2010-03-17 18:51 -------- d-----w- c:\program files\mpegable
2010-03-17 18:51 . 2010-03-17 18:51 47104 ------w- c:\windows\AKDeInstall.exe
2010-03-17 18:31 . 2010-03-17 18:31 -------- d-----w- c:\documents and settings\All Users\Application Data\VideoMach
2010-03-10 06:15 . 2005-11-05 00:53 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-03-08 22:34 . 2010-03-08 22:33 -------- d-----w- c:\program files\DivX
2010-03-08 22:33 . 2010-03-08 22:33 -------- d-----w- c:\program files\Common Files\DivX Shared
2010-02-25 06:24 . 2005-11-05 00:53 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-24 13:11 . 2005-11-05 00:52 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-17 14:10 . 2005-11-05 00:53 2189952 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 13:25 . 2004-08-03 22:59 2066816 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-12 04:33 . 2005-11-05 00:52 100864 ----a-w- c:\windows\system32\6to4svc.dll
2010-02-11 12:02 . 2005-11-05 00:53 226880 ----a-w- c:\windows\system32\drivers\tcpip6.sys
2010-02-06 15:28 . 2006-05-12 02:00 2608 -c--a-w- c:\documents and settings\Marcia Bennett\Application Data\wklnhst.dat
.

((((((((((((((((((((((((((((( SnapShot@2010-04-21_23.33.24 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-04-25 21:01 . 2010-04-25 21:01 16384 c:\windows\Temp\Perflib_Perfdata_584.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Advanced SystemCare 3"="c:\program files\IObit\Advanced SystemCare 3\AWC.exe" [2010-03-29 2343120]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IObit Security 360"="c:\program files\IObit\IObit Security 360\IS360tray.exe" [2009-12-24 1280272]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-04-14 2790472]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"bezokehap"= {e2bd204f-7352-43ce-9453-485723e65eed} - c:\windows\system32\sivaforu.dll [BU]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Image Zone Fast Start.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Image Zone Fast Start.lnk
backup=c:\windows\pss\HP Image Zone Fast Start.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^RAMASST.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\RAMASST.lnk
backup=c:\windows\pss\RAMASST.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Marcia Bennett^Start Menu^Programs^Startup^Webshots.lnk]
path=c:\documents and settings\Marcia Bennett\Start Menu\Programs\Startup\Webshots.lnk
backup=c:\windows\pss\Webshots.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
2005-10-15 14:29 88203 -c--a-w- c:\windows\agrsmmsg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
2005-05-04 02:43 69632 -c--a-w- c:\windows\Alcmtr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DLA]
2005-08-01 13:10 122940 -c--a-w- c:\windows\system32\DLA\DLACTRLW.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2005-05-12 05:12 49152 -c--a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2008-02-19 19:10 267048 -c--a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IVPServiceMgr]
2003-10-20 17:37 475136 -c--a-w- c:\toshiba\IVP\ISM\Ivpsvmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mcagent_exe]
c:\program files\McAfee.com\Agent\mcagent.exe [BU]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NDSTray.exe]
NDSTray.exe [BU]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OpwareSE2]
2003-05-08 18:00 49152 -c--a-w- c:\program files\ScanSoft\OmniPageSE2.0\opwareSE2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OpwareSE4]
2006-03-21 18:19 69632 -c--a-w- c:\program files\ScanSoft\OmniPageSE4.0\OpWareSE4.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PhotoShow Deluxe Media Manager]
c:\progra~1\WALGRE~1\WALGRE~1\data\Xtras\mssysmgr.exe [BU]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Pinger]
2005-03-18 01:37 151552 ----a-w- c:\toshiba\IVP\ISM\pinger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
2005-11-10 19:14 15473664 -c--a-w- c:\windows\RTHDCPL.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
c:\program files\Skype\Phone\Skype.exe [BU]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SmoothView]
2005-04-27 00:13 122880 -c--a-w- c:\program files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSBkgdUpdate]
2003-09-30 05:14 155648 -c--a-r- c:\program files\Common Files\ScanSoft Shared\SSBkgdUpdate\SSBkgdUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
2004-10-14 23:26 688218 -c--a-w- c:\program files\Synaptics\SynTP\SynTPEnh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPLpr]
2004-10-14 23:28 98394 -c--a-w- c:\program files\Synaptics\SynTP\SynTPLpr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TalkAndWrite]
c:\documents and settings\All Users\Application Data\Skype\Plugins\Plugins\1163D2B46CC742E5A3CC9E4157887751\TalkAndWrite.exe [BU]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TFncKy]
TFncKy.exe [BU]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\THotkey]
2005-11-25 21:07 352256 -c--a-w- c:\program files\TOSHIBA\TOSHIBA Applet\THotkey.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Tvs]
2005-11-10 18:24 73728 -c--a-w- c:\program files\TOSHIBA\Tvs\TvsTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\TOSHIBA\\ivp\\NetInt\\Netint.exe"=
"c:\\TOSHIBA\\Ivp\\ISM\\pinger.exe"= c:\\TOSHIBA\\IVP\\ISM\\pinger.exe
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\Common Files\\Apple\\Mobile Device Support\\bin\\AppleMobileDeviceService.exe"=

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [4/15/2010 7:28 PM 162768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [4/15/2010 7:28 PM 19024]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/6/2010 5:42 PM 135664]
S2 IS360service;IS360service;c:\program files\IObit\IObit Security 360\is360srv.exe [3/17/2010 6:47 PM 311568]
.
Contents of the 'Scheduled Tasks' folder

2010-04-25 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2006-12-30 05:03]

2010-04-25 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-06 22:42]

2010-04-22 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-06 22:42]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://idp.cor.safemls.net/idp/Authn/UserPassword
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Marcia Bennett\Application Data\Mozilla\Firefox\Profiles\jvvlk4li.default\
FF - prefs.js: browser.startup.homepage - www.google.com
FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa2.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: browser.cache.memory.capacity - 65536
FF - user.js: browser.chrome.favicons - false
FF - user.js: browser.display.show_image_placeholders - true
FF - user.js: browser.turbo.enabled - true
FF - user.js: browser.urlbar.autocomplete.enabled - true
FF - user.js: browser.urlbar.autofill - true
FF - user.js: content.interrupt.parsing - true
FF - user.js: content.max.tokenizing.time - 2250000
FF - user.js: content.notify.backoffcount - 5
FF - user.js: content.notify.interval - 750000
FF - user.js: content.notify.ontimer - true
FF - user.js: content.switch.threshold - 750000
FF - user.js: network.http.max-connections - 48
FF - user.js: network.http.max-connections-per-server - 16
FF - user.js: network.http.max-persistent-connections-per-proxy - 16
FF - user.js: network.http.max-persistent-connections-per-server - 8
FF - user.js: network.http.pipelining - true
FF - user.js: network.http.pipelining.firstrequest - true
FF - user.js: network.http.pipelining.maxrequests - 8
FF - user.js: network.http.proxy.pipelining - true
FF - user.js: network.http.request.max-start-delay - 0
FF - user.js: nglayout.initialpaint.delay - 0
FF - user.js: plugin.expose_full_path - true
FF - user.js: ui.submenuDelay - 0
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-25 16:14
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(572)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(2508)
c:\windows\system32\WININET.dll
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\program files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
c:\program files\Spybot - Search & Destroy\SDHelper.dll
c:\program files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll
.
Completion time: 2010-04-25 16:17:24
ComboFix-quarantined-files.txt 2010-04-25 21:17
ComboFix2.txt 2010-04-21 23:36

Pre-Run: 12,684,935,168 bytes free
Post-Run: 12,656,627,712 bytes free

- - End Of File - - A50438A1A37929CFDB7E6D0653E0F23C


GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-04-25 18:42:16
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\MARCIA~1\LOCALS~1\Temp\awliyfob.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwClose [0xB5993C08]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateKey [0xB5993AC4]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDeleteKey [0xB5994078]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDeleteValueKey [0xB5993FA2]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDuplicateObject [0xB599369A]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenKey [0xB5993B9E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenProcess [0xB59935DA]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenThread [0xB599363E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwQueryValueKey [0xB5993CBE]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRenameKey [0xB5994146]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRestoreKey [0xB5993C7E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwSetValueKey [0xB5993DFE]

Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateProcessEx [0xB59A050A]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateSection [0xB59A032E]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwLoadDriver [0xB59A0468]
Code \??\C:\DOCUME~1\MARCIA~1\LOCALS~1\Temp\catchme.sys pIofCallDriver
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) NtCreateSection
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ObInsertObject
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ObMakeTemporaryObject

---- Kernel code sections - GMER 1.0.15 ----

PAGE ntoskrnl.exe!ObInsertObject 8056503A 5 Bytes JMP B599D97E \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
PAGE ntoskrnl.exe!NtCreateSection 805652B3 7 Bytes JMP B59A0332 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
PAGE ntoskrnl.exe!ZwCreateProcessEx 8057FE4C 7 Bytes JMP B59A050E \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
PAGE ntoskrnl.exe!ObMakeTemporaryObject 8059F8CA 5 Bytes JMP B599C4AA \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
PAGE ntoskrnl.exe!ZwLoadDriver 805A3B73 7 Bytes JMP B59A046C \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
? C:\DOCUME~1\MARCIA~1\LOCALS~1\Temp\catchme.sys The system cannot find the file specified. !
? C:\WINDOWS\system32\Drivers\PROCEXP113.SYS The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\Ati2evxx.exe[1424] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 01950001
.text C:\WINDOWS\system32\ctfmon.exe[1908] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00DC0001

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\WINDOWS\system32\services.exe[616] @ C:\WINDOWS\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 00380002
IAT C:\WINDOWS\system32\services.exe[616] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW] 00380000

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs aswSP.SYS (avast! self protection module/ALWIL Software)

AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)

Device \FileSystem\Udfs \UdfsCdRom DLAIFS_M.SYS (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\meiudf \MeiUDF_Disk DLAIFS_M.SYS (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\meiudf \MeiUDF_CdRom DLAIFS_M.SYS (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Udfs \UdfsDisk DLAIFS_M.SYS (Drive Letter Access Component/Sonic Solutions)

AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)

Device ACPI.sys (ACPI Driver for NT/Microsoft Corporation)

AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

Device \FileSystem\Cdfs \Cdfs DLAIFS_M.SYS (Drive Letter Access Component/Sonic Solutions)

---- EOF - GMER 1.0.15 ----
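The ComboFix log above still carries the traces a helper reads before saying "a few things need to go": the ShellServiceObjectDelayLoad value "bezokehap" that points at c:\windows\system32\sivaforu.dll tagged [BU], an Internet Settings ProxyServer of http=127.0.0.1:5555 (the rogue AV routing browser traffic through a local proxy), AntiVirusOverride and FirewallOverride set to 1 in the Security Center key, and EnableFirewall=0. The script below is an added example for this thread, not ComboFix code and not part of anyone's post. It encodes those checks as line rules over a ComboFix log. Two assumptions: the [BU] tag is treated as "the referenced file was not found", and the "generated name" rule is a heuristic of my own (8 or more lowercase letters strictly alternating consonant and vowel, the pronounceable-random shape of bezokehap, sivaforu, kulenotul and the ORPHANS entries above), not something ComboFix reports. Entries under msconfig\startupreg are ignored because those are items msconfig disabled, not live autostarts. The sample input is an excerpt of the log lines above.

```python
r"""Triage a ComboFix log for rogue-AV / Vundo (Virtumonde) remnants.

Added example for this thread; not ComboFix code and not part of the posts.
Rules: loopback_proxy (ProxyServer -> 127.0.0.1/localhost),
security_center_override (AntiVirusOverride/FirewallOverride = 1),
firewall_disabled (EnableFirewall = 0),
active_autostart_missing_file (Run/SSODL/BHO value tagged [BU]; assumed
to mean the file is missing; msconfig\startupreg entries are skipped),
generated_name (heuristic: 8+ lowercase letters alternating consonant/vowel).
"""
import re
from collections import Counter
from dataclasses import dataclass

VOWELS = set("aeiou")
KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"=\s*(.*)$')
PROXY_RE = re.compile(r"ProxyServer\s*=\s*(.+)$", re.I)
OVERRIDE_RE = re.compile(r'"(AntiVirus|Firewall)Override"=dword:0*1$')
FIREWALL_OFF_RE = re.compile(r'^"EnableFirewall"=\s*0\b')
BASENAME_RE = re.compile(r"\\([a-z]{8,})\.(?:dll|exe)\b")
ACTIVE_KEYS = ("\\run", "shellserviceobjectdelayload", "browser helper objects")


@dataclass(frozen=True)
class Finding:
    rule: str
    line: str


def looks_generated(name: str) -> bool:
    """Heuristic: 8+ lowercase letters, each adjacent pair consonant/vowel or vowel/consonant."""
    if not re.fullmatch(r"[a-z]{8,}", name):
        return False
    return all((a in VOWELS) != (b in VOWELS) for a, b in zip(name, name[1:]))


def triage_combofix(lines) -> list[Finding]:
    findings: list[Finding] = []
    current_key = ""
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:                                    # '[HKEY_...]' header: remember context
            current_key = m.group(1).lower()
            continue
        m = PROXY_RE.search(line)
        if m and re.search(r"127\.0\.0\.1|localhost", m.group(1), re.I):
            findings.append(Finding("loopback_proxy", line))
            continue
        if OVERRIDE_RE.search(line):
            findings.append(Finding("security_center_override", line))
            continue
        if FIREWALL_OFF_RE.match(line):
            findings.append(Finding("firewall_disabled", line))
            continue
        m = VALUE_RE.match(line)
        if m and any(k in current_key for k in ACTIVE_KEYS) and "msconfig" not in current_key:
            name, value = m.groups()
            if value.endswith("[BU]"):           # live autostart whose file is gone
                findings.append(Finding("active_autostart_missing_file", line))
            if looks_generated(name):
                findings.append(Finding("generated_name", line))
            continue
        # Any other line: flag generated-looking .dll/.exe basenames in paths.
        if any(looks_generated(b) for b in BASENAME_RE.findall(line)):
            findings.append(Finding("generated_name", line))
    return findings


def summarize_findings(findings) -> dict[str, int]:
    return dict(Counter(f.rule for f in findings))


# Sample input: an excerpt of the ComboFix log posted above.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IObit Security 360"="c:\program files\IObit\IObit Security 360\IS360tray.exe" [2009-12-24 1280272]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-04-14 2790472]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"bezokehap"= {e2bd204f-7352-43ce-9453-485723e65eed} - c:\windows\system32\sivaforu.dll [BU]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mcagent_exe]
c:\program files\McAfee.com\Agent\mcagent.exe [BU]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:5555
"""

if __name__ == "__main__":
    for f in triage_combofix(SAMPLE_LOG.splitlines()):
        print(f"{f.rule:30} {f.line}")
```

On the excerpt this reports the SSODL line twice (missing file and generated name), both Security Center overrides, the disabled firewall and the loopback proxy, while the McAfee [BU] entry under msconfig\startupreg and the legitimate Run values produce nothing. On a whole log, feed it every line; the basename rule then also catches generated-looking DLL paths outside the autostart keys.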


#10 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,203 posts
  • Gender:Female
  • Location:Romania
  • Local time:03:33 AM

Posted 26 April 2010 - 05:01 AM

Looks better, but still a few things that need to go. Could you please post me a new OTL log (no need for extra.txt).

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."


Malware analyst @ Emsisoft
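Added example, not code from this thread, from OldTimer's OTL, or from any BleepingComputer tool: a small Python triage pass over OTL-style log lines, showing the kind of entries an analyst means by "things that need to go" when reading a posted log. The sample lines are constructed, modelled on the log format used in this thread; the rule names, the directory heuristics and the reference year are the example's own choices (assumptions), not anything OTL defines.

```python
"""Triage helper for OTL-style log lines (added example; not part of OTL or this thread)."""
import re
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

# Constructed sample input, modelled on the OTL log format used in this thread.
SAMPLE_LOG = r"""
IE - HKU\S-1-5-21-358494757-3737170480-6948779-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-358494757-3737170480-6948779-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:5555
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (no name) - {d4119301-7ac7-42fe-aa80-4d340fcd08c8} - No CLSID value found.
O21 - SSODL: bezokehap - {e2bd204f-7352-43ce-9453-485723e65eed} - C:\WINDOWS\System32\sivaforu.dll File not found
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKU\.DEFAULT\...exe [@ = secfile] -- "%1" %*
[2099/01/01 12:00:00 | 000,006,456 | -H-- | C] () -- C:\WINDOWS\System32\sumiliyi
[2010/04/15 19:35:38 | 000,013,614 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\21a34KM55vORW
[2010/04/15 19:28:32 | 000,001,719 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\avast! Free Antivirus.lnk
"""

# OTL file entry: [yyyy/mm/dd hh:mm:ss | size | attrs | C-or-M] (company) -- path
FILE_RE = re.compile(
    r'^\[(\d{4})/\d\d/\d\d \d\d:\d\d:\d\d \| [\d,]+ \| ([A-Z-]{4}) \| [CM]\] \(.*?\) -- (.+)$')
PROXY_RE = re.compile(r'"ProxyServer" = (.+)$')
EXEASSOC_RE = re.compile(r'^O37 - (.+?)\\\.\.\.exe \[@ = (\w+)\]')


@dataclass
class Finding:
    rule: str   # rule names are this example's own labels (assumption)
    line: str


def triage(log_text: str, reference_year: Optional[int] = None) -> List[Finding]:
    """Return one Finding per (rule, line) that an analyst would want to look at."""
    year_now = reference_year or date.today().year
    findings: List[Finding] = []
    for line in log_text.splitlines():
        line = line.rstrip()
        if not line:
            continue

        # 1. IE proxy pointing at the local machine: something on the box is
        #    interposing on browser traffic. ProxyEnable may already read 0
        #    (the rogue was killed), but the stale ProxyServer value still
        #    needs removing or it comes back the moment ProxyEnable flips.
        m = PROXY_RE.search(line)
        if m and re.search(r'127\.0\.0\.1|localhost', m.group(1)):
            findings.append(Finding("local-proxy", line))

        # 2. Autostart entries (BHO, toolbar, SSODL) whose target is gone:
        #    orphaned loaders left behind after a partial clean-up.
        if line.startswith(("O2 - ", "O3 - ", "O21 - ")) and (
                "File not found" in line or "No CLSID value found" in line):
            findings.append(Finding("dangling-autostart", line))

        # 3. .exe file association that no longer maps to "exefile": every
        #    executable launched from that hive is routed through another
        #    ProgID first, which is why freshly downloaded tools fail to open.
        m = EXEASSOC_RE.match(line)
        if m and m.group(2).lower() != "exefile":
            findings.append(Finding("exe-association", line))

        # 4./5. File entries: timestomped creation dates, and hidden
        #       extension-less blobs dropped into data or system directories
        #       (directory choice is a heuristic of this example).
        m = FILE_RE.match(line)
        if m:
            year, attrs, path = int(m.group(1)), m.group(2), m.group(3)
            name = path.rsplit("\\", 1)[-1]
            if year > year_now:
                findings.append(Finding("future-timestamp", line))
            if "H" in attrs and "D" not in attrs and "." not in name and \
                    ("Application Data" in path or "System32" in path):
                findings.append(Finding("hidden-no-extension", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.rule:22} {f.line}")
```

Run it against a saved OTL.Txt by reading the file into `triage()`; benign entries such as the Adobe BHO and the avast! shortcut produce no findings, while each flagged line names the rule that matched so the analyst can decide what goes into the fix script.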


#11 aLuffabo

aLuffabo
  • Topic Starter

  • Members
  • 12 posts
  • Local time:07:33 PM

Posted 26 April 2010 - 07:25 PM

OTL logfile created on: 4/26/2010 7:21:46 PM - Run 2
OTL by OldTimer - Version 3.2.1.3 Folder = C:\Documents and Settings\Marcia Bennett\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 77.00% Memory free
3.00 Gb Paging File | 3.00 Gb Available in Paging File | 91.00% Paging File free
Paging file location(s): C:\pagefile.sys 1056 2112 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 37.01 Gb Total Space | 11.72 Gb Free Space | 31.67% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: TOSHIBA-USER
Current User Name: Marcia Bennett
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/04/20 19:10:31 | 000,562,176 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Marcia Bennett\Desktop\OTL.exe
PRC - [2010/04/14 11:47:08 | 002,790,472 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast5\AvastUI.exe
PRC - [2010/04/14 11:47:05 | 000,040,384 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
PRC - [2008/04/13 19:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2006/03/03 22:03:10 | 000,069,632 | ---- | M] (HP) -- C:\WINDOWS\system32\HPZipm12.exe
PRC - [2005/08/10 13:15:50 | 000,035,328 | ---- | M] (TOSHIBA Corp.) -- C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
PRC - [2005/07/12 20:14:42 | 000,040,960 | ---- | M] () -- c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
PRC - [2005/07/08 02:13:14 | 000,036,864 | ---- | M] () -- C:\WINDOWS\system32\acs.exe
PRC - [2005/01/17 19:38:38 | 000,040,960 | ---- | M] (TOSHIBA CORPORATION) -- C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
PRC - [2004/08/28 03:33:00 | 000,110,592 | ---- | M] (Matsushita Electric Industrial Co., Ltd.) -- C:\WINDOWS\system32\DVDRAMSV.exe


========== Modules (SafeList) ==========

MOD - [2010/04/20 19:10:31 | 000,562,176 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Marcia Bennett\Desktop\OTL.exe


========== Win32 Services (SafeList) ==========

SRV - [2010/04/14 11:47:05 | 000,040,384 | ---- | M] (ALWIL Software) [On_Demand | Running] -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe -- (avast! Web Scanner)
SRV - [2010/04/14 11:47:05 | 000,040,384 | ---- | M] (ALWIL Software) [On_Demand | Running] -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe -- (avast! Mail Scanner)
SRV - [2010/04/14 11:47:05 | 000,040,384 | ---- | M] (ALWIL Software) [Auto | Running] -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe -- (avast! Antivirus)
SRV - [2009/12/24 17:02:30 | 000,311,568 | ---- | M] (IObit) [Auto | Stopped] -- C:\Program Files\IObit\IObit Security 360\is360srv.exe -- (IS360service)
SRV - [2006/03/03 22:03:10 | 000,069,632 | ---- | M] (HP) [Unknown | Running] -- C:\WINDOWS\system32\HPZipm12.exe -- (Pml Driver HPZ12)
SRV - [2005/08/10 13:15:50 | 000,035,328 | ---- | M] (TOSHIBA Corp.) [Auto | Running] -- C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe -- (TAPPSRV)
SRV - [2005/07/12 20:14:42 | 000,040,960 | ---- | M] () [Auto | Running] -- c:\TOSHIBA\IVP\swupdate\swupdtmr.exe -- (Swupdtmr)
SRV - [2005/07/08 02:13:14 | 000,036,864 | ---- | M] () [Auto | Running] -- C:\WINDOWS\system32\acs.exe -- (ACS)
SRV - [2005/01/17 19:38:38 | 000,040,960 | ---- | M] (TOSHIBA CORPORATION) [Auto | Running] -- C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe -- (CFSvcs)
SRV - [2004/08/28 03:33:00 | 000,110,592 | ---- | M] (Matsushita Electric Industrial Co., Ltd.) [Auto | Running] -- C:\WINDOWS\system32\DVDRAMSV.exe -- (DVD-RAM_Service)


========== Driver Services (SafeList) ==========

DRV - [2010/04/14 11:35:47 | 000,046,672 | ---- | M] (ALWIL Software) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\aswTdi.sys -- (aswTdi)
DRV - [2010/04/14 11:35:25 | 000,162,768 | ---- | M] (ALWIL Software) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\aswSP.sys -- (aswSP)
DRV - [2010/04/14 11:31:39 | 000,023,376 | ---- | M] (ALWIL Software) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\aswRdr.sys -- (aswRdr)
DRV - [2010/04/14 11:31:12 | 000,100,432 | ---- | M] (ALWIL Software) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\aswmon2.sys -- (aswMon2)
DRV - [2010/04/14 11:31:01 | 000,019,024 | ---- | M] (ALWIL Software) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\aswFsBlk.sys -- (aswFsBlk)
DRV - [2010/04/14 11:30:45 | 000,028,880 | ---- | M] (ALWIL Software) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\aavmker4.sys -- (Aavmker4)
DRV - [2008/04/13 13:45:12 | 000,060,032 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\usbaudio.sys -- (usbaudio) USB Audio Driver (WDM)
DRV - [2008/04/13 11:36:05 | 000,144,384 | ---- | M] (Windows ® Server 2003 DDK provider) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\hdaudbus.sys -- (HDAudBus)
DRV - [2005/11/15 19:40:24 | 000,043,264 | ---- | M] (TOSHIBA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\Tvs.sys -- (Tvs)
DRV - [2005/11/15 12:00:22 | 001,122,656 | ---- | M] (Agere Systems) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\AGRSM.sys -- (AgereSoftModem)
DRV - [2005/11/10 19:44:12 | 004,064,256 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\RtkHDAud.Sys -- (IntcAzAudAddService) Service for Realtek HD Audio (WDM)
DRV - [2005/10/20 17:03:42 | 000,006,144 | ---- | M] (Toshiba Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\NBSMI.sys -- (TVALD)
DRV - [2005/09/12 21:08:30 | 000,468,736 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ar5211.sys -- (AR5211)
DRV - [2005/08/24 18:20:28 | 000,009,472 | ---- | M] () [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\tbiosdrv.sys -- (tbiosdrv)
DRV - [2005/08/04 01:10:18 | 001,273,344 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag)
DRV - [2005/08/01 08:10:00 | 000,092,700 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAUDFAM.SYS -- (DLAUDFAM)
DRV - [2005/08/01 08:10:00 | 000,087,004 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAUDF_M.SYS -- (DLAUDF_M)
DRV - [2005/08/01 08:10:00 | 000,086,524 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAIFS_M.SYS -- (DLAIFS_M)
DRV - [2005/08/01 08:10:00 | 000,025,628 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLABOIOM.SYS -- (DLABOIOM)
DRV - [2005/08/01 08:10:00 | 000,014,684 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAOPIOM.SYS -- (DLAOPIOM)
DRV - [2005/08/01 08:10:00 | 000,006,364 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAPoolM.SYS -- (DLAPoolM)
DRV - [2005/08/01 08:10:00 | 000,002,496 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLADResN.SYS -- (DLADResN)
DRV - [2005/07/28 06:30:00 | 000,088,704 | ---- | M] (Sonic Solutions) [Kernel | Boot | Running] -- C:\WINDOWS\System32\Drivers\DRVMCDB.SYS -- (DRVMCDB)
DRV - [2005/07/07 12:03:34 | 000,005,628 | ---- | M] (Sonic Solutions) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\DLACDBHM.SYS -- (DLACDBHM)
DRV - [2005/07/07 12:02:56 | 000,022,684 | ---- | M] (Sonic Solutions) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\DLARTL_N.SYS -- (DLARTL_N)
DRV - [2005/07/07 08:10:00 | 000,040,544 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\DRVNDDM.SYS -- (DRVNDDM)
DRV - [2005/06/02 06:33:00 | 000,102,384 | ---- | M] (Matsushita Electric Industrial Co.,Ltd.) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\meiudf.sys -- (meiudf)
DRV - [2005/03/04 14:10:26 | 000,074,496 | ---- | M] (Realtek Semiconductor Corporation ) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\Rtlnicxp.sys -- (RTL8023xp)
DRV - [2005/01/12 03:05:46 | 000,204,160 | ---- | M] (TOSHIBA CORPORATION) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\KR10N.sys -- (KR10N)
DRV - [2004/10/14 18:14:04 | 000,185,728 | ---- | M] (Synaptics, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\SynTP.sys -- (SynTP)
DRV - [2004/08/03 17:31:34 | 000,020,992 | ---- | M] (Realtek Semiconductor Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\RTL8139.sys -- (rtl8139) Realtek RTL8139(A/B/C)
DRV - [2003/09/19 18:45:48 | 000,021,248 | ---- | M] (Padus, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\pfc.sys -- (pfc)
DRV - [2003/01/29 17:35:00 | 000,012,032 | ---- | M] (TOSHIBA Corporation.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\Netdevio.sys -- (Netdevio)
DRV - [2003/01/10 15:13:04 | 000,033,588 | R--- | M] (America Online, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\wanatw4.sys -- (wanatw) WAN Miniport (ATW)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========



IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

IE - HKU\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.toshibadirect.com/dpdstart

IE - HKU\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.toshibadirect.com/dpdstart

IE - HKU\S-1-5-21-358494757-3737170480-6948779-1006\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Google
IE - HKU\S-1-5-21-358494757-3737170480-6948779-1006\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://www.google.com/search?q={searchTerm...tf8&oe=utf8
IE - HKU\S-1-5-21-358494757-3737170480-6948779-1006\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://idp.cor.safemls.net/idp/Authn/UserPassword
IE - HKU\S-1-5-21-358494757-3737170480-6948779-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-358494757-3737170480-6948779-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>
IE - HKU\S-1-5-21-358494757-3737170480-6948779-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:5555

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "www.google.com"
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0


FF - HKLM\software\mozilla\Mozilla Firefox 3.6.3\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/04/03 17:14:59 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.3\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/04/03 17:14:59 | 000,000,000 | ---D | M]

[2008/09/03 15:42:59 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Marcia Bennett\Application Data\Mozilla\Extensions
[2010/04/25 18:55:29 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Marcia Bennett\Application Data\Mozilla\Firefox\Profiles\jvvlk4li.default\extensions
[2009/09/02 11:29:28 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\Marcia Bennett\Application Data\Mozilla\Firefox\Profiles\jvvlk4li.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2007/07/03 09:53:56 | 000,002,386 | ---- | M] () -- C:\Documents and Settings\Marcia Bennett\Application Data\Mozilla\Firefox\Profiles\jvvlk4li.default\searchplugins\siteadvisor.xml
[2010/04/25 18:55:29 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions

O1 HOSTS File: ([2010/04/21 17:41:57 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll (Google Inc.)
O2 - BHO: (no name) - {d4119301-7ac7-42fe-aa80-4d340fcd08c8} - No CLSID value found.
O3 - HKU\S-1-5-21-358494757-3737170480-6948779-1006\..\Toolbar\WebBrowser: (no name) - {472734EA-242A-422B-ADF8-83D1E48CC825} - No CLSID value found.
O3 - HKU\S-1-5-21-358494757-3737170480-6948779-1006\..\Toolbar\WebBrowser: (no name) - {C17590D2-ECB4-4B15-8820-F58798DCC118} - No CLSID value found.
O4 - HKLM..\Run: [avast5] C:\Program Files\Alwil Software\Avast5\AvastUI.exe (ALWIL Software)
O4 - HKLM..\Run: [IObit Security 360] C:\Program Files\IObit\IObit Security 360\IS360tray.exe (IObit)
O4 - HKU\S-1-5-21-358494757-3737170480-6948779-1006..\Run: [Advanced SystemCare 3] C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe (IObit)
O4 - HKU\S-1-5-21-358494757-3737170480-6948779-1006..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (Safer-Networking Ltd.)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Infodelivery present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Main present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\PhishingFilter present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: LinkResolveIgnoreLinkInfo = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoResolveSearch = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-358494757-3737170480-6948779-1006\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-358494757-3737170480-6948779-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-21-358494757-3737170480-6948779-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: LinkResolveIgnoreLinkInfo = 0
O7 - HKU\S-1-5-21-358494757-3737170480-6948779-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-21-358494757-3737170480-6948779-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: Add to Google Photos Screensa&ver - C:\WINDOWS\System32\GPhotos.scr (Google Inc.)
O9 - Extra 'Tools' menuitem : Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_19)
O16 - DPF: {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab (Java Plug-in 1.5.0_04)
O16 - DPF: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_19)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_19)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://download.macromedia.com/pub/shockwa...ash/swflash.cab (Shockwave Flash Object)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 66.90.130.101 216.82.202.14
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.)
O21 - SSODL: bezokehap - {e2bd204f-7352-43ce-9453-485723e65eed} - C:\WINDOWS\System32\sivaforu.dll File not found
O24 - Desktop WallPaper: C:\Documents and Settings\Marcia Bennett\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Marcia Bennett\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2005/11/04 21:30:02 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKU\.DEFAULT\...exe [@ = secfile] -- "%1" %*
O37 - HKU\S-1-5-18\...exe [@ = secfile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010/04/25 16:17:46 | 000,000,000 | -HSD | C] -- C:\RECYCLER
[2010/04/25 16:07:32 | 000,000,000 | ---D | C] -- C:\ComboFix
[2010/04/21 16:39:25 | 000,000,000 | RHSD | C] -- C:\cmdcons
[2010/04/21 16:37:03 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2010/04/21 16:37:03 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2010/04/21 16:37:03 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2010/04/21 16:37:03 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2010/04/21 16:36:39 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2010/04/21 16:36:02 | 000,000,000 | ---D | C] -- C:\Qoobox
[2010/04/20 19:10:30 | 000,562,176 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Marcia Bennett\Desktop\OTL.exe
[2010/04/15 19:28:31 | 000,019,024 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswFsBlk.sys
[2010/04/15 19:28:30 | 000,162,768 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswSP.sys
[2010/04/15 19:28:28 | 000,023,376 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswRdr.sys
[2010/04/15 19:28:26 | 000,046,672 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswTdi.sys
[2010/04/15 19:28:23 | 000,100,432 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswmon2.sys
[2010/04/15 19:28:23 | 000,094,800 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswmon.sys
[2010/04/15 19:28:22 | 000,028,880 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aavmker4.sys
[2010/04/15 19:28:00 | 000,153,184 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\aswBoot.exe
[2010/04/15 19:28:00 | 000,038,848 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\avastSS.scr
[2010/04/15 19:27:53 | 000,000,000 | ---D | C] -- C:\Program Files\Alwil Software
[2010/04/15 19:27:53 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Alwil Software
[2010/04/13 02:10:55 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Marcia Bennett\Desktop\gmer
[2010/04/09 00:58:25 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010/04/08 18:13:44 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Marcia Bennett\Application Data\Malwarebytes
[2010/04/08 17:05:50 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2010/04/05 12:27:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft
[2010/04/04 01:37:28 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Marcia Bennett\Local Settings\Application Data\tuedocveo
[2010/04/01 01:03:01 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Sun
[2010/04/01 01:02:34 | 000,153,376 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe
[2010/04/01 01:02:34 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe
[2010/04/01 01:02:34 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe
[2010/04/01 00:14:58 | 000,411,368 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\deploytk.dll
[2010/04/01 00:14:58 | 000,073,728 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javacpl.cpl
[2010/04/01 00:13:23 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Marcia Bennett\Application Data\Sun
[2010/03/25 13:38:42 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Application Data\AdobeUM
[2010/03/25 13:38:23 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Adobe
[2010/03/24 15:02:30 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Application Data\Sun
[2010/03/22 14:55:01 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\Sun
[2010/03/17 18:42:51 | 000,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Application Data\Microsoft
[2010/03/17 18:42:51 | 000,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Application Data\Microsoft
[2010/03/17 18:42:51 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft
[2010/03/16 15:08:21 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\Macromedia
[2010/03/16 15:08:21 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\Adobe
[2010/03/16 13:34:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Application Data\Adobe
[2010/03/15 22:19:43 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia
[2010/01/06 17:47:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Google
[2009/12/03 18:14:07 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\McAfee
[2009/04/27 08:50:15 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\SACore
[2009/01/02 18:36:33 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Google
[2007/03/11 23:32:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Mozilla
[2007/03/11 23:32:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\Mozilla
[2005/11/04 21:59:49 | 000,053,248 | ---- | C] ( ) -- C:\WINDOWS\System32\DLLVGA.dll
[2005/05/12 00:36:48 | 000,012,288 | ---- | C] (Hewlett-Packard Co.) -- C:\WINDOWS\Fonts\RandFont.dll

========== Files - Modified Within 30 Days ==========

[2010/04/26 19:17:50 | 000,000,868 | ---- | M] () -- C:\WINDOWS\tasks\Google Software Updater.job
[2010/04/26 19:17:37 | 000,001,158 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/04/26 19:17:20 | 000,000,882 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2010/04/26 19:17:19 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/04/26 19:17:00 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/04/26 19:16:57 | 2078,527,488 | -HS- | M] () -- C:\hiberfil.sys
[2010/04/25 19:21:10 | 005,242,880 | -H-- | M] () -- C:\Documents and Settings\Marcia Bennett\NTUSER.DAT
[2010/04/25 19:21:10 | 000,000,278 | -HS- | M] () -- C:\Documents and Settings\Marcia Bennett\ntuser.ini
[2010/04/25 19:21:07 | 004,850,960 | -H-- | M] () -- C:\Documents and Settings\Marcia Bennett\Local Settings\Application Data\IconCache.db
[2010/04/25 18:59:00 | 000,000,886 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2010/04/25 16:14:47 | 000,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2010/04/21 18:21:11 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2010/04/21 17:41:57 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2010/04/21 17:40:16 | 000,006,456 | -H-- | M] () -- C:\WINDOWS\System32\sumiliyi
[2010/04/21 16:39:34 | 000,000,281 | RHS- | M] () -- C:\boot.ini
[2010/04/21 16:35:32 | 003,923,062 | R--- | M] () -- C:\Documents and Settings\Marcia Bennett\Desktop\ComboFix.exe
[2010/04/20 20:48:33 | 000,001,934 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Google Earth.lnk
[2010/04/20 19:10:31 | 000,562,176 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Marcia Bennett\Desktop\OTL.exe
[2010/04/20 18:48:17 | 000,001,324 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2010/04/15 19:43:18 | 000,002,626 | ---- | M] () -- C:\WINDOWS\System32\CONFIG.NT
[2010/04/15 19:37:34 | 000,013,614 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\21a34KM55vORW
[2010/04/15 19:28:32 | 000,001,719 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\avast! Free Antivirus.lnk
[2010/04/15 19:27:19 | 048,417,032 | ---- | M] () -- C:\Documents and Settings\Marcia Bennett\Desktop\setup_av_free.exe
[2010/04/14 11:47:23 | 000,038,848 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\avastSS.scr
[2010/04/14 11:47:03 | 000,153,184 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\aswBoot.exe
[2010/04/14 11:35:47 | 000,046,672 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswTdi.sys
[2010/04/14 11:35:25 | 000,162,768 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswSP.sys
[2010/04/14 11:31:39 | 000,023,376 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswRdr.sys
[2010/04/14 11:31:12 | 000,100,432 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswmon2.sys
[2010/04/14 11:31:09 | 000,094,800 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswmon.sys
[2010/04/14 11:31:01 | 000,019,024 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswFsBlk.sys
[2010/04/14 11:30:45 | 000,028,880 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aavmker4.sys
[2010/04/13 02:10:27 | 000,284,915 | ---- | M] () -- C:\Documents and Settings\Marcia Bennett\Desktop\gmer.zip
[2010/04/13 02:03:27 | 000,525,824 | ---- | M] () -- C:\Documents and Settings\Marcia Bennett\Desktop\dds.scr
[2010/04/13 02:02:35 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\Marcia Bennett\defogger_reenable
[2010/04/08 16:58:25 | 000,363,520 | ---- | M] () -- C:\Documents and Settings\Marcia Bennett\Desktop\rkill.com
[2010/04/08 16:08:45 | 000,075,384 | ---- | M] () -- C:\Documents and Settings\Marcia Bennett\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
[2010/04/06 10:45:15 | 000,001,276 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\3Yfi
[2010/04/03 20:12:39 | 000,000,926 | -HS- | M] () -- C:\Documents and Settings\Marcia Bennett\Local Settings\Application Data\8s32
[2010/04/03 20:12:39 | 000,000,926 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\8s32
[2010/04/02 17:24:08 | 000,001,352 | -HS- | M] () -- C:\Documents and Settings\Marcia Bennett\Local Settings\Application Data\Wv7V1mEL4UH
[2010/04/02 17:24:08 | 000,001,352 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\Wv7V1mEL4UH
[2010/04/01 20:36:49 | 000,000,487 | ---- | M] () -- C:\WINDOWS\wininit.ini
[2010/04/01 18:45:50 | 000,000,952 | ---- | M] () -- C:\Documents and Settings\Marcia Bennett\Desktop\Spybot - Search & Destroy.lnk
[2010/04/01 18:08:15 | 000,001,130 | -HS- | M] () -- C:\Documents and Settings\Marcia Bennett\Local Settings\Application Data\8Cq4r
[2010/04/01 18:08:15 | 000,001,130 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\8Cq4r
[2010/04/01 16:04:42 | 000,001,008 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\6qL6O1xRNm5
[2010/04/01 11:07:49 | 000,267,008 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2010/03/31 16:39:05 | 000,000,566 | ---- | M] () -- C:\WINDOWS\win.ini
[2010/03/30 19:59:03 | 001,022,345 | ---- | M] () -- C:\Documents and Settings\Marcia Bennett\Desktop\topsecretrecipes1.pdf
[2010/03/29 14:12:07 | 000,000,924 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\N8t8HBsW

========== Files Created - No Company Name ==========

[2099/01/01 12:00:00 | 000,006,456 | -H-- | C] () -- C:\WINDOWS\System32\sumiliyi
[2010/04/21 16:39:34 | 000,000,211 | ---- | C] () -- C:\Boot.bak
[2010/04/21 16:39:27 | 000,260,272 | ---- | C] () -- C:\cmldr
[2010/04/21 16:37:03 | 000,261,632 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2010/04/21 16:37:03 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2010/04/21 16:37:03 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2010/04/21 16:37:03 | 000,077,312 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2010/04/21 16:37:03 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2010/04/21 16:35:31 | 003,923,062 | R--- | C] () -- C:\Documents and Settings\Marcia Bennett\Desktop\ComboFix.exe
[2010/04/20 20:48:32 | 000,001,934 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Google Earth.lnk
[2010/04/20 18:05:40 | 2078,527,488 | -HS- | C] () -- C:\hiberfil.sys
[2010/04/15 19:35:38 | 000,013,614 | -HS- | C] () -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\21a34KM55vORW
[2010/04/15 19:35:38 | 000,013,614 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\21a34KM55vORW
[2010/04/15 19:28:32 | 000,001,719 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\avast! Free Antivirus.lnk
[2010/04/15 19:27:19 | 048,417,032 | ---- | C] () -- C:\Documents and Settings\Marcia Bennett\Desktop\setup_av_free.exe
[2010/04/13 02:10:27 | 000,284,915 | ---- | C] () -- C:\Documents and Settings\Marcia Bennett\Desktop\gmer.zip
[2010/04/13 02:03:27 | 000,525,824 | ---- | C] () -- C:\Documents and Settings\Marcia Bennett\Desktop\dds.scr
[2010/04/13 02:02:35 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Marcia Bennett\defogger_reenable
[2010/04/08 17:01:06 | 000,363,520 | ---- | C] () -- C:\Documents and Settings\Marcia Bennett\Desktop\rkill.com
[2010/04/06 10:45:14 | 000,001,276 | -HS- | C] () -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\3Yfi
[2010/04/06 10:45:14 | 000,001,276 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\3Yfi
[2010/04/03 20:12:39 | 000,000,926 | -HS- | C] () -- C:\Documents and Settings\Marcia Bennett\Local Settings\Application Data\8s32
[2010/04/03 17:35:29 | 000,000,926 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\8s32
[2010/04/03 17:35:29 | 000,000,872 | -HS- | C] () -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\8s32
[2010/04/02 17:24:07 | 000,001,352 | -HS- | C] () -- C:\Documents and Settings\Marcia Bennett\Local Settings\Application Data\Wv7V1mEL4UH
[2010/04/02 17:24:07 | 000,001,352 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\Wv7V1mEL4UH
[2010/04/01 18:45:50 | 000,000,952 | ---- | C] () -- C:\Documents and Settings\Marcia Bennett\Desktop\Spybot - Search & Destroy.lnk
[2010/04/01 18:08:14 | 000,001,130 | -HS- | C] () -- C:\Documents and Settings\Marcia Bennett\Local Settings\Application Data\8Cq4r
[2010/04/01 18:08:14 | 000,001,130 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\8Cq4r
[2010/04/01 16:04:40 | 000,001,008 | -HS- | C] () -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\6qL6O1xRNm5
[2010/04/01 16:04:40 | 000,001,008 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\6qL6O1xRNm5
[2010/04/01 16:04:04 | 000,001,324 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2010/03/30 19:59:01 | 001,022,345 | ---- | C] () -- C:\Documents and Settings\Marcia Bennett\Desktop\topsecretrecipes1.pdf
[2010/03/29 14:12:06 | 000,000,924 | -HS- | C] () -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\N8t8HBsW
[2010/03/29 14:12:06 | 000,000,924 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\N8t8HBsW
[2010/03/27 12:05:37 | 000,001,100 | -HS- | C] () -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\PqdPe6YoKQ5
[2010/03/27 12:05:37 | 000,001,100 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\PqdPe6YoKQ5
[2010/03/24 15:03:07 | 000,001,100 | -HS- | C] () -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\8VoB3
[2010/03/24 15:03:07 | 000,001,100 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\8VoB3
[2010/03/22 14:49:20 | 000,001,276 | -HS- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\VH56DJI7u87yo
[2010/03/22 14:49:20 | 000,001,276 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\VH56DJI7u87yo
[2010/03/19 03:01:44 | 000,001,024 | -H-- | C] () -- C:\Documents and Settings\All Users\ntuser.dat.LOG
[2010/03/16 09:56:01 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Marcia Bennett\Local Settings\Application Data\prvlcl.dat
[2007/12/19 22:58:02 | 000,001,356 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache
[2007/04/10 07:55:04 | 000,000,000 | ---- | C] () -- C:\WINDOWS\hpqEmlSz.INI
[2007/04/07 14:07:44 | 000,081,920 | ---- | C] () -- C:\WINDOWS\System32\emfxp.dll
[2007/01/01 18:45:36 | 000,000,227 | ---- | C] () -- C:\WINDOWS\HP_CounterReport_Update_HPSU.ini
[2007/01/01 18:43:12 | 000,000,214 | ---- | C] () -- C:\WINDOWS\HP_48BitScanUpdatePatch.ini
[2007/01/01 18:43:01 | 000,000,234 | ---- | C] () -- C:\WINDOWS\PrnHlpLogConfig.ini
[2007/01/01 18:41:59 | 000,000,214 | ---- | C] () -- C:\WINDOWS\HP_InstantSHareJPG.ini
[2007/01/01 18:41:18 | 000,000,217 | ---- | C] () -- C:\WINDOWS\HP_IZClosingDiscErrorPatch.ini
[2007/01/01 18:29:58 | 000,000,221 | ---- | C] () -- C:\WINDOWS\HP_RedboxHprblog_HPSU.ini
[2006/12/30 13:01:31 | 000,008,704 | ---- | C] () -- C:\Documents and Settings\Marcia Bennett\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2006/12/21 12:37:25 | 000,077,824 | R--- | C] () -- C:\WINDOWS\System32\hpzids01.dll
[2006/11/19 01:36:12 | 000,000,000 | ---- | C] () -- C:\WINDOWS\iPlayer.INI
[2006/10/14 22:31:48 | 000,797,238 | ---- | C] () -- C:\Documents and Settings\Marcia Bennett\Desktop(2)
[2006/05/11 21:00:25 | 000,002,608 | ---- | C] () -- C:\Documents and Settings\Marcia Bennett\Application Data\wklnhst.dat
[2006/05/09 20:18:45 | 000,000,924 | ---- | C] () -- C:\WINDOWS\MAXLINK.INI
[2006/05/08 23:53:55 | 000,000,047 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2006/05/08 23:13:18 | 000,000,002 | ---- | C] () -- C:\WINDOWS\msoffice.ini
[2006/05/08 22:09:32 | 000,000,137 | ---- | C] () -- C:\Documents and Settings\Marcia Bennett\Local Settings\Application Data\fusioncache.dat
[2006/05/08 22:09:31 | 005,242,880 | -H-- | C] () -- C:\Documents and Settings\Marcia Bennett\NTUSER.DAT
[2006/05/08 22:09:31 | 000,001,024 | -H-- | C] () -- C:\Documents and Settings\Marcia Bennett\ntuser.dat.LOG
[2006/05/08 22:09:31 | 000,000,278 | -HS- | C] () -- C:\Documents and Settings\Marcia Bennett\ntuser.ini
[2006/05/08 22:09:13 | 000,262,144 | ---- | C] () -- C:\Documents and Settings\All Users\NTUSER.DAT
[2005/12/21 20:04:48 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2005/11/30 18:16:05 | 000,128,113 | ---- | C] () -- C:\WINDOWS\System32\csellang.ini
[2005/11/30 18:16:05 | 000,045,056 | ---- | C] () -- C:\WINDOWS\System32\csellang.dll
[2005/11/30 18:16:05 | 000,010,165 | ---- | C] () -- C:\WINDOWS\System32\tosmreg.ini
[2005/11/30 18:16:05 | 000,007,671 | ---- | C] () -- C:\WINDOWS\System32\cseltbl.ini
[2005/11/29 17:52:15 | 000,029,184 | ---- | C] () -- C:\WINDOWS\System32\drivers\TSXT_kern_i386.sys
[2005/11/29 17:22:08 | 000,135,168 | ---- | C] () -- C:\WINDOWS\System32\RtlCPAPI.dll
[2005/11/07 12:00:07 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2005/11/07 11:27:47 | 000,000,012 | ---- | C] () -- C:\WINDOWS\dirsaver.ini
[2005/11/04 23:07:42 | 000,000,487 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2005/11/04 23:03:51 | 000,204,800 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeW7.dll
[2005/11/04 23:03:51 | 000,200,704 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeA6.dll
[2005/11/04 23:03:51 | 000,192,512 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeP6.dll
[2005/11/04 23:03:51 | 000,192,512 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeM6.dll
[2005/11/04 23:03:51 | 000,188,416 | ---- | C] () -- C:\WINDOWS\System32\IVIresizePX.dll
[2005/11/04 23:03:51 | 000,020,480 | ---- | C] () -- C:\WINDOWS\System32\IVIresize.dll
[2005/11/04 22:31:32 | 000,036,736 | ---- | C] () -- C:\WINDOWS\System32\drivers\CSIIDecoder_kern_i386.sys
[2005/11/04 22:27:54 | 000,000,000 | ---- | C] () -- C:\WINDOWS\NDSTray.INI
[2005/11/04 21:59:49 | 000,118,784 | ---- | C] () -- C:\WINDOWS\System32\TCtrlIO.dll
[2005/11/04 21:26:52 | 000,001,793 | ---- | C] () -- C:\WINDOWS\System32\fxsperf.ini
[2005/11/04 19:56:25 | 000,000,341 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.INI
[2005/08/24 18:20:28 | 000,009,472 | ---- | C] () -- C:\WINDOWS\System32\drivers\tbiosdrv.sys
[2001/10/24 18:00:40 | 000,524,288 | ---- | C] () -- C:\WINDOWS\System32\TDI-SonyOMG.dll
[2001/07/06 16:30:00 | 000,003,399 | ---- | C] () -- C:\WINDOWS\System32\hptcpmon.ini
[1999/01/22 13:46:58 | 000,065,536 | ---- | C] () -- C:\WINDOWS\System32\MSRTEDIT.DLL
[1998/01/12 03:00:00 | 000,040,448 | ---- | C] () -- C:\WINDOWS\System32\REGOBJ.DLL

========== Alternate Data Streams ==========

@Alternate Data Stream - 173 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2
@Alternate Data Stream - 109 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:A8ADE5D8
< End of report >


#12 Elise

Elise

    Bleepin' Blonde

  • Malware Study Hall Admin
  • 61,203 posts
  • Gender:Female
  • Location:Romania

Posted 27 April 2010 - 04:47 AM

Hi, please follow the steps below and let me know how things are running now.

OTL FIX
------------
We need to run an OTL Fix
  1. Please reopen on your desktop.
  2. Copy and Paste the following code into the textbox. Do not include the word "Code"
    CODE
    :otl
    O21 - SSODL: bezokehap - {e2bd204f-7352-43ce-9453-485723e65eed} - C:\WINDOWS\System32\sivaforu.dll File not found
    O37 - HKU\.DEFAULT\...exe [@ = secfile] -- "%1" %*
    O37 - HKU\S-1-5-18\...exe [@ = secfile] -- "%1" %*

    :commands
    [emptytemp]
  3. Push
  4. OTL may ask to reboot the machine. Please do so if asked.
  5. Click .
  6. A report will open. Copy and Paste that report in your next reply.


UPDATE JAVA
------------------
Your version of Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Look for "JDK 6 Update 20 (JDK or JRE)".
  • Click the "Download JRE" button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u20-windows-i586.exe to install the newest version.
  • If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
  • When the Java Setup - Welcome window opens, click the Install > button.
  • If offered to install a Toolbar, just uncheck the box before continuing unless you want it.
-- Starting with Java 6u10, the uninstaller incorporated in each new release uses Enhanced Auto update to automatically remove the previous version when updating to a later update release. It will not remove older versions, so they will need to be removed manually.
-- Java is updated frequently. If you want to be automatically notified of future updates, just turn on the Java Automatic Update feature and you will not have to remember to update when Java releases a new version.


Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click Ok and reboot your computer.


MALWAREBYTES ANTIMALWARE
-------------------------------------------
Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Full Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.


regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."


Malware analyst @ Emsisoft
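As an added example (not the helper's instructions or OTL's own code), here is a small Python checker that parses constructed OTL-format lines like those in this thread and flags the two things the fix above targets: O37 lines where the .exe handler has been re-pointed from the stock "exefile" class (which is why the poster's Malwarebytes shortcut would not launch), and newly created hidden+system, extension-less files dropped directly under Application Data in several user profiles at once. The sample lines and the profile name "Alice" are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in the OTL report format used in this thread (illustrative,
# not the poster's actual log). The user profile name "Alice" is made up.
SAMPLE_LOG = r'''
O37 - HKU\.DEFAULT\...exe [@ = secfile] -- "%1" %*
O37 - HKU\S-1-5-18\...exe [@ = secfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
[2010/04/15 19:35:38 | 000,013,614 | -HS- | C] () -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\21a34KM55vORW
[2010/04/15 19:35:38 | 000,013,614 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\21a34KM55vORW
[2010/04/03 20:12:39 | 000,000,926 | -HS- | C] () -- C:\Documents and Settings\Alice\Local Settings\Application Data\8s32
[2010/04/01 16:04:04 | 000,001,324 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2006/05/08 22:09:31 | 000,000,278 | -HS- | C] () -- C:\Documents and Settings\Alice\ntuser.ini
[2007/12/19 22:58:02 | 000,001,356 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache
'''

# OTL O37 line (file-association handler), e.g.
#   O37 - HKU\.DEFAULT\...exe [@ = secfile] -- "%1" %*
O37_RE = re.compile(
    r'^O37 - (?P<hive>.+?)\\\.\.\.(?P<ext>\w+) \[@ = (?P<handler>[^\]]*)\] -- (?P<command>.*)$')

# OTL file-listing line: [date time | size | attrs | M or C] (company) -- path
FILE_RE = re.compile(
    r'^\[(?P<date>\d{4}/\d{2}/\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) \| (?P<size>[\d,]+)'
    r' \| (?P<attr>[-A-Z]{4}) \| (?P<op>[MC])\] \((?P<company>[^)]*)\) -- (?P<path>.+)$')

# Profile folder under the XP-style "Documents and Settings" root.
PROFILE_RE = re.compile(r'^[A-Za-z]:\\Documents and Settings\\([^\\]+)\\', re.IGNORECASE)

# Stock handler classes Windows XP registers for these executable extensions.
EXPECTED_HANDLER = {"exe": "exefile", "com": "comfile", "bat": "batfile",
                    "cmd": "cmdfile", "scr": "scrfile", "pif": "piffile"}


def association_hijacks(lines):
    """Return (hive, ext, handler) for every O37 line whose handler class is
    not the stock one. A rogue that re-points .exe to its own class (here
    'secfile') gets to run before any program the user launches."""
    findings = []
    for line in lines:
        m = O37_RE.match(line.strip())
        if not m:
            continue
        ext = m.group("ext").lower()
        expected = EXPECTED_HANDLER.get(ext)
        if expected is not None and m.group("handler") != expected:
            findings.append((m.group("hive"), ext, m.group("handler")))
    return findings


def hidden_profile_drops(lines):
    """Group newly created (C) hidden+system (-HS-) files that sit directly
    under an 'Application Data' folder and carry no extension, keyed by file
    name. Returns {name: sorted list of profile names that hold a copy}; a
    name present in several profiles with one timestamp is the pattern the
    thread's log shows. Heuristic only: verify hits before acting on them."""
    drops = defaultdict(set)
    for line in lines:
        m = FILE_RE.match(line.strip())
        if not m or m.group("op") != "C":
            continue
        attr = m.group("attr")
        if "H" not in attr or "S" not in attr:
            continue
        path = m.group("path")
        parent, _, name = path.rpartition("\\")
        if not parent.lower().endswith("\\application data") or "." in name:
            continue
        prof = PROFILE_RE.match(path)
        drops[name].add(prof.group(1) if prof else "<outside profiles>")
    return {name: sorted(profiles) for name, profiles in drops.items()}


def analyze(report_text):
    """Run both checks over one OTL report and return the findings."""
    lines = report_text.splitlines()
    return {"hijacked_associations": association_hijacks(lines),
            "hidden_drops": hidden_profile_drops(lines)}


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG).items():
        print(key, value)
```

Run against a real OTL report, the same parser works on the "Files Created - No Company Name" section and the O37 lines unchanged; the legitimate extension-less QTSBandwidthCache in the sample is not flagged because it lacks the hidden+system attributes.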


#13 aLuffabo

aLuffabo
  • Topic Starter

  • Members
  • 12 posts

Posted 27 April 2010 - 12:00 PM

All processes killed
========== OTL ==========
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\\bezokehap deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{e2bd204f-7352-43ce-9453-485723e65eed}\ deleted successfully.
Registry key HKEY_USERS\.DEFAULT\Software\Classes\.exe\ deleted successfully.
Registry key HKEY_USERS\.DEFAULT\Software\Classes\secfile\ deleted successfully.
HKEY_LOCAL_MACHINE\Software\Classes\.exe\\|exefile /E : value set successfully!
Registry key HKEY_USERS\S-1-5-18\Software\Classes\.exe\ not found.
Registry key HKEY_USERS\S-1-5-18\Software\Classes\secfile\ not found.
HKEY_LOCAL_MACHINE\Software\Classes\.exe\\|exefile /E : value set successfully!
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32902 bytes
->Java cache emptied: 0 bytes
->Flash cache emptied: 41 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 704646 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 1611103 bytes
->Flash cache emptied: 11993 bytes

User: Marcia Bennett
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 478178082 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 36509843 bytes
->Flash cache emptied: 10248 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Java cache emptied: 69 bytes
->Flash cache emptied: 40158 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 664 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 3354956 bytes
RecycleBin emptied: 291324 bytes

Total Files Cleaned = 497.00 mb


OTL by OldTimer - Version 3.2.1.3 log created on 04272010_114918

Files\Folders moved on Reboot...
C:\Documents and Settings\Marcia Bennett\Local Settings\Temporary Internet Files\Content.IE5\JILIZUJJ\iframe[1].htm moved successfully.
C:\Documents and Settings\Marcia Bennett\Local Settings\Temporary Internet Files\Content.IE5\I9VAG85O\topic309422[1].htm moved successfully.

Registry entries deleted on Reboot...


#14 aLuffabo

aLuffabo
  • Topic Starter

  • Members
  • 12 posts

Posted 27 April 2010 - 01:05 PM

Hi Elise!

OK, I posted the OTL log above. I removed the older versions of Java and installed the new one. I will attach the MalwareBytes log below.

The computer is running great right now!

Thanks again!


Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org

Database version: 4043

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

4/27/2010 1:03:26 PM
mbam-log-2010-04-27 (13-03-26).txt

Scan type: Full scan (C:\|D:\|)
Objects scanned: 167894
Time elapsed: 37 minute(s), 45 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 45

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\NetworkService\Local Settings\Application Data\ave.exe" /START "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode) Good: (firefox.exe -safe-mode) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\System Volume Information\_restore{CF8A54B3-00DE-4AA7-AEA8-9EB54C29EA21}\RP10\A0016953.dll (Trojan.Agent.Gen) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{CF8A54B3-00DE-4AA7-AEA8-9EB54C29EA21}\RP10\A0016954.dll (Trojan.Agent.Gen) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{CF8A54B3-00DE-4AA7-AEA8-9EB54C29EA21}\RP10\A0016955.dll (Trojan.Vundo.Gen) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{CF8A54B3-00DE-4AA7-AEA8-9EB54C29EA21}\RP10\A0016956.dll (Trojan.Vundo.Gen) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{CF8A54B3-00DE-4AA7-AEA8-9EB54C29EA21}\RP10\A0016957.dll (Trojan.Agent.Gen) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{CF8A54B3-00DE-4AA7-AEA8-9EB54C29EA21}\RP10\A0016958.dll (Trojan.Agent.Gen) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{CF8A54B3-00DE-4AA7-AEA8-9EB54C29EA21}\RP10\A0016959.dll (Trojan.Agent.Gen) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{CF8A54B3-00DE-4AA7-AEA8-9EB54C29EA21}\RP10\A0016960.dll (Trojan.Agent.Gen) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{CF8A54B3-00DE-4AA7-AEA8-9EB54C29EA21}\RP10\A0016961.dll (Trojan.Agent.Gen) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{CF8A54B3-00DE-4AA7-AEA8-9EB54C29EA21}\RP10\A0016962.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{CF8A54B3-00DE-4AA7-AEA8-9EB54C29EA21}\RP10\A0016964.dll (Trojan.Agent.Gen) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{CF8A54B3-00DE-4AA7-AEA8-9EB54C29EA21}\RP10\A0016965.dll (Trojan.Agent.Gen) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{CF8A54B3-00DE-4AA7-AEA8-9EB54C29EA21}\RP10\A0016966.dll (Trojan.Vundo.Gen) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{CF8A54B3-00DE-4AA7-AEA8-9EB54C29EA21}\RP10\A0016963.dll (Trojan.Agent.Gen) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{CF8A54B3-00DE-4AA7-AEA8-9EB54C29EA21}\RP10\A0019977.dll (Trojan.Vundo.Gen) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{CF8A54B3-00DE-4AA7-AEA8-9EB54C29EA21}\RP10\A0019987.exe (Rogue.MultipleAV) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{CF8A54B3-00DE-4AA7-AEA8-9EB54C29EA21}\RP10\A0020992.dll (Trojan.Vundo.Gen) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{CF8A54B3-00DE-4AA7-AEA8-9EB54C29EA21}\RP10\A0021009.dll (Trojan.Vundo.Gen) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{CF8A54B3-00DE-4AA7-AEA8-9EB54C29EA21}\RP10\A0021010.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{CF8A54B3-00DE-4AA7-AEA8-9EB54C29EA21}\RP10\A0021024.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{CF8A54B3-00DE-4AA7-AEA8-9EB54C29EA21}\RP10\A0021025.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{CF8A54B3-00DE-4AA7-AEA8-9EB54C29EA21}\RP10\A0021026.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{CF8A54B3-00DE-4AA7-AEA8-9EB54C29EA21}\RP10\A0024052.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{CF8A54B3-00DE-4AA7-AEA8-9EB54C29EA21}\RP10\A0026183.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{CF8A54B3-00DE-4AA7-AEA8-9EB54C29EA21}\RP10\A0026184.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{CF8A54B3-00DE-4AA7-AEA8-9EB54C29EA21}\RP10\A0026219.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{CF8A54B3-00DE-4AA7-AEA8-9EB54C29EA21}\RP10\A0027260.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{CF8A54B3-00DE-4AA7-AEA8-9EB54C29EA21}\RP10\A0029453.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{CF8A54B3-00DE-4AA7-AEA8-9EB54C29EA21}\RP10\A0029470.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{CF8A54B3-00DE-4AA7-AEA8-9EB54C29EA21}\RP10\A0029474.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{CF8A54B3-00DE-4AA7-AEA8-9EB54C29EA21}\RP10\A0029475.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{CF8A54B3-00DE-4AA7-AEA8-9EB54C29EA21}\RP10\A0029476.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{CF8A54B3-00DE-4AA7-AEA8-9EB54C29EA21}\RP10\A0029477.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{CF8A54B3-00DE-4AA7-AEA8-9EB54C29EA21}\RP10\A0029479.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{CF8A54B3-00DE-4AA7-AEA8-9EB54C29EA21}\RP10\A0029480.exe (Rogue.MultipleAV) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{CF8A54B3-00DE-4AA7-AEA8-9EB54C29EA21}\RP10\A0029481.exe (Rogue.MultipleAV) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{CF8A54B3-00DE-4AA7-AEA8-9EB54C29EA21}\RP10\A0029658.dll (Trojan.Vundo.Gen) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{CF8A54B3-00DE-4AA7-AEA8-9EB54C29EA21}\RP11\A0029695.dll (Trojan.Vundo.Gen) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{CF8A54B3-00DE-4AA7-AEA8-9EB54C29EA21}\RP11\A0029702.dll (Trojan.Vundo.Gen) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{CF8A54B3-00DE-4AA7-AEA8-9EB54C29EA21}\RP5\A0004191.dll (Trojan.Agent.Gen) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{CF8A54B3-00DE-4AA7-AEA8-9EB54C29EA21}\RP5\A0004192.dll (Trojan.Agent.Gen) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{CF8A54B3-00DE-4AA7-AEA8-9EB54C29EA21}\RP5\A0004193.dll (Trojan.Agent.Gen) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{CF8A54B3-00DE-4AA7-AEA8-9EB54C29EA21}\RP9\A0010418.dll (Trojan.Vundo.Gen) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{CF8A54B3-00DE-4AA7-AEA8-9EB54C29EA21}\RP9\A0011430.dll (Trojan.Vundo.Gen) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{CF8A54B3-00DE-4AA7-AEA8-9EB54C29EA21}\RP9\A0011432.dll (Trojan.Agent.Gen) -> Quarantined and deleted successfully.


#15 Elise

Elise

    Bleepin' Blonde

  • Malware Study Hall Admin
  • 61,203 posts
  • Gender:Female
  • Location:Romania

Posted 27 April 2010 - 03:48 PM

Well done, let's do one last check.

ESET ONLINE SCANNER
----------------------------
I'd like us to scan your machine with ESET OnlineScan
  1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  2. Click the button.
  3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    1. Click on to download the ESET Smart Installer. Save it to your desktop.
    2. Double click on the icon on your desktop.
  4. Check
  5. Click the button.
  6. Accept any security warnings from your browser.
  7. Check
  8. Push the Start button.
  9. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  10. When the scan completes, push
  11. Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
    Note - when ESET doesn't find any threats, no report will be created.
  12. Push the button.
  13. Push

regards, Elise






