"Vista Smart Security"/"AKM Antivirus" infection


16 replies to this topic

#1 danthro


Posted 29 April 2010 - 08:38 AM

So yesterday afternoon I was working on my laptop when all of a sudden I started getting these windows that looked like Windows Security Center warning me that my computer was being attacked and that I needed to turn on Windows Firewall and other services to protect myself -- but that I could only do this by purchasing a certain program. I figured out that this was itself a virus. I downloaded Spybot, but it wasn't able to finish its scan before a million windows popped up and I had to manually restart. (Also, it keeps asking me when something's modifying the registry, but I can't tell when to say allow or deny all the time so sometimes I just guessed.)

The program called itself "Vista Smart Security" so I googled that name and found a bleeping computer page with instructions on its removal:
http://www.bleepingcomputer.com/virus-remo...-smart-security

I followed those instructions (though the screen shot doesn't look like the windows I saw from the virus -- the windows that popped up for me look like Windows Vista's security center). However, I am still having problems:

First, it doesn't appear that the virus is gone. Midway through the Malwarebytes' Anti-Malware scan, the windows appeared again, the only difference being that this time the program called itself "AKM Antivirus Pro 2010" and showed up on the list of programs I could open through my start menu (but doesn't show up on the list of programs I can uninstall through the control panel). I wasn't sure what to do then, so I just hit Ctrl+Alt+Delete and ended the main process associated with it, hoping the Malwarebytes' scan would find anything else and get rid of it.

When the scan was over late last night I was noticing the following issues:
--"AKM Antivirus Pro 2010" was still listed in my start menu among the programs.
--My recycle bin still does not show up on my desktop (I have to go to Run > %UserProfile%\desktop, and then I see it in the folder).
--OpenOffice programs will not open. I just get a message from Windows that the program stopped working, and my only option is to hit "Cancel".
--When I tried to open the program PDF-XChange Viewer to do some reading (it's finals week, I have to write papers) I get a message from Windows User Account Control telling me it needs my permission to continue for the registry editor (same message I get when I do something that needs administrative privileges) -- regardless of whether I say OK or Cancel, the program still opens.
--After the scan, and after I told it to remove what it found, it told me some programs could not be removed. And I got a separate message that I needed to restart to remove stuff completely, so I assumed they were interrelated. When I restarted and logged in I got an immediate error message (sorry don't remember the exact words) saying something about how wosul.dll couldn't start or be found.
--I downloaded HijackThis and ran a scan and tried to create a log, but for some reason it will run the scan but it won't create a log. Instead of opening a notepad file showing the log, it opens a blank notepad file and gives me this error message: "Cannot find the C:\Program Files\HijackThis\Trend Micro\HijackThis\hijackthis.log file. Do you want to create a new file?" I say Yes, but it doesn't make any file I can find.

So I followed the instructions for posting here (they appeared at http://www.bleepingcomputer.com/forums/t/34773/preparation-guide-for-use-before-using-malware-removal-tools-and-requesting-help/ ). Below is the text from the DDS scan, and the other file is attached (the web instructions say just to attach, but the program instructions said to attach as a zip file, so I have both). The ark.txt file is also attached.

I fell asleep before I could finish writing the above message. When I woke up this morning, I had the pop up windows from "AKM Antivirus" again. So I'm now completely certain it's not gone.

Any help you can give me will be *greatly* appreciated! Thanks in advance! (and of course, let me know if you need any info.)

-----


DDS (Ver_10-03-17.01) - NTFSx86
Run by Bames at 0:17:33.98 on Thu 04/29/2010
Internet Explorer: 8.0.6001.18904 BrowserJavaVersion: 1.6.0_18
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3062.1477 [GMT -4:00]

AV: VirusScan Enterprise + AntiSpyware Enterprise *On-access scanning enabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
SP: Spybot - Search and Destroy *enabled* (Updated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
SP: VirusScan Enterprise + AntiSpyware Enterprise *enabled* (Updated) {24E45799-D058-4314-AC5D-1B2EE5C3151F}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\agrsmsvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Windows\system32\fsproflt.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\McAfee\Common Framework\naPrdMgr.exe
C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Camera Assistant Software for Gateway\traybar.exe
C:\Program Files\McAfee\VirusScan Enterprise\shstat.exe
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Camera Assistant Software for Gateway\CEC_MAIN.exe
C:\Program Files\My Lockbox\mylbx.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\sttray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Crawler\Notes\CNotes.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Windows\ehome\ehmsas.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\Bames\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uSearch Page = hxxp://www.google.com
uStart Page = hxxp://listen.grooveshark.com/
uDefault_Page_URL = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&SubCH=BB&Br=GTW&Loc=ENG_US&Sys=PTB&M=M-6843
uSearch Bar = hxxp://www.google.com/ie
uDefault_Search_URL = hxxp://www.google.com/ie
mStart Page = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&SubCH=BB&Br=GTW&Loc=ENG_US&Sys=PTB&M=M-6843
mDefault_Page_URL = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&SubCH=BB&Br=GTW&Loc=ENG_US&Sys=PTB&M=M-6843
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.gateway.com/g/sidepanel.html?Ch=Retail&SubCH=BB&Br=GTW&Loc=ENG_US&Sys=PTB&M=M-6843
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan enterprise\scriptcl.dll
BHO: PDF-XChange Viewer IE-Plugin: {c5d07eb6-bbce-4dae-acbb-d13a8d28cb1f} - c:\program files\tracker software\pdf-xchange viewer\pdf-viewer\PDFXCviewIEPlugin.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\windows\system32\BAE.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [IAAnotif] "c:\program files\intel\intel matrix storage manager\Iaanotif.exe"
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [Camera Assistant Software] "c:\program files\camera assistant software for gateway\traybar.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [ShStatEXE] "c:\program files\mcafee\virusscan enterprise\SHSTAT.EXE" /STANDALONE
mRun: [McAfeeUpdaterUI] "c:\program files\mcafee\common framework\UdaterUI.exe" /StartedFromRunKey
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [mylbx] c:\program files\my lockbox\mylbx.exe /a
mRun: [SigmatelSysTrayApp] sttray.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\vpncli~1.lnk - c:\windows\installer\{21e247d4-5e27-4bea-aa4d-19a81203fe2a}\Icon3E5562ED7.ico
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
DPF: {00000130-9980-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/ACELPACM.CAB
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {A3256902-51FA-45A0-8A97-FC1143C169D9} - hxxp://support.microsoft.com/mats/DiagWebControl.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Notify: igfxcui - igfxdev.dll

================= FIREFOX ===================

FF - ProfilePath - c:\users\bames\appdata\roaming\mozilla\firefox\profiles\xaxowqkp.default\
FF - prefs.js: browser.startup.homepage - hxxp://gmail.com|http://news.google.com|http://www.hindustantimes.com/
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\google\picasa3\npPicasa2.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - plugin: c:\users\bames\appdata\roaming\move networks\plugins\npqmp071701000002.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 FSProFilter;FSPro File Filter;c:\windows\system32\drivers\FSPFltd.sys [2009-6-8 43792]
R2 fsproflt;FSPro Filter Service;c:\windows\system32\fsproflt.exe [2009-6-8 73392]
R2 McAfeeFramework;McAfee Framework Service;c:\program files\mcafee\common framework\FrameworkService.exe [2009-1-30 103744]
R2 McShield;McAfee McShield;c:\program files\mcafee\virusscan enterprise\mcshield.exe [2008-5-22 144704]
R2 McTaskManager;McAfee Task Manager;c:\program files\mcafee\virusscan enterprise\vstskmgr.exe [2008-5-22 54608]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2010-4-28 1153368]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2008-8-20 24652]
R3 mfeavfk;McAfee Inc.;c:\windows\system32\drivers\mfeavfk.sys [2009-1-30 72936]
R3 mfebopk;McAfee Inc.;c:\windows\system32\drivers\mfebopk.sys [2009-1-30 33960]
R3 mfehidk;McAfee Inc.;c:\windows\system32\drivers\mfehidk.sys [2009-1-30 174952]
R3 NETw5v32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\drivers\NETw5v32.sys [2008-11-17 3668480]
S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-20 21504]
S3 NETw2v32;Intel® PRO/Wireless 2200BG Network Connection Driver for Windows Vista;c:\windows\system32\drivers\NETw2v32.sys [2006-11-2 2589184]

=============== Created Last 30 ================

2010-04-29 00:35:43 0 d-----w- c:\users\bames\appdata\roaming\scdata
2010-04-29 00:31:15 34816 ----a-w- c:\users\bames\appdata\roaming\alggui.exe
2010-04-29 00:31:14 80 ----a-w- c:\users\bames\appdata\roaming\wp4.dat
2010-04-29 00:31:14 3 ----a-w- c:\users\bames\appdata\roaming\wp3.dat
2010-04-29 00:31:13 36 ----a-w- c:\users\bames\appdata\roaming\skynet.dat
2010-04-29 00:31:04 0 d-----w- c:\users\bames\appdata\roaming\AKM Antivirus 2010 Pro
2010-04-29 00:30:52 1047552 ----a-w- c:\users\bames\appdata\roaming\wpp.exe
2010-04-29 00:30:43 0 d-----w- c:\programdata\yulejoka
2010-04-29 00:30:42 0 d-----w- c:\programdata\yobijowu
2010-04-29 00:30:42 0 d-----w- c:\programdata\kizonivo
2010-04-29 00:30:42 0 d-----w- c:\programdata\dorehimo
2010-04-28 23:15:43 0 d-----w- c:\users\bames\appdata\roaming\Malwarebytes
2010-04-28 23:12:46 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-28 23:12:43 0 d-----w- c:\programdata\Malwarebytes
2010-04-28 23:12:42 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-28 23:12:41 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-28 22:14:17 0 d-----w- c:\programdata\sohibesi
2010-04-28 22:14:17 0 d-----w- c:\programdata\ratifuya
2010-04-28 22:14:17 0 d-----w- c:\programdata\pewafahu
2010-04-28 21:32:12 0 d-----w- c:\programdata\Spybot - Search & Destroy
2010-04-28 21:32:12 0 d-----w- c:\program files\Spybot - Search & Destroy
2010-04-26 18:37:45 0 d-----w- c:\program files\JRE
2010-04-15 01:58:00 79360 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
2010-04-15 01:57:59 212992 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2010-04-15 01:57:58 106496 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-04-15 01:57:49 3548040 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-04-15 01:57:48 3600776 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-04-15 01:57:44 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-04-15 01:57:27 62464 ----a-w- c:\windows\system32\l3codeca.acm
2010-04-15 01:57:26 220672 ----a-w- c:\windows\system32\l3codecp.acm
2010-04-15 01:57:20 904576 ----a-w- c:\windows\system32\drivers\tcpip.sys
2010-04-15 01:57:18 25088 ----a-w- c:\windows\system32\drivers\tunnel.sys
2010-04-15 01:57:18 200704 ----a-w- c:\windows\system32\iphlpsvc.dll
2010-04-14 08:29:38 172032 ----a-w- c:\windows\system32\wintrust.dll
2010-04-14 08:29:32 98304 ----a-w- c:\windows\system32\cabview.dll
2010-04-11 20:24:06 1594 ----a-w- c:\windows\VPNInstall.MIF
2010-04-11 20:21:10 0 d-----w- c:\program files\common files\Deterministic Networks
2010-04-11 20:21:01 0 d-----w- c:\program files\Cisco Systems
2010-04-11 07:00:51 0 d-----w- c:\program files\MSXML 4.0
2010-04-10 23:49:52 0 d-----w- c:\program files\Windows Installer Clean Up
2010-04-10 23:48:42 0 d-----w- c:\program files\MSECACHE
2010-04-10 14:02:52 0 d---a-w- c:\programdata\TEMP
2010-04-10 14:02:41 82432 ----a-w- c:\windows\system32\msxml4r.dll
2010-04-10 14:02:41 44544 ----a-w- c:\windows\system32\msxml4a.dll
2010-04-10 14:02:33 0 d-----w- c:\program files\File Recover

==================== Find3M ====================

2010-04-28 07:01:01 98504 ----a-w- c:\windows\fonts\consola.ttf
2010-04-28 07:01:01 97752 ----a-w- c:\windows\fonts\leelawad.ttf
2010-04-28 07:01:01 5178844 ----a-w- c:\windows\fonts\kaiu.ttf
2010-04-28 07:01:00 89656 ----a-w- c:\windows\fonts\browa.ttf
2010-04-28 07:01:00 64648 ----a-w- c:\windows\fonts\upckb.ttf
2010-04-28 07:01:00 593740 ----a-w- c:\windows\fonts\couri.ttf
2010-04-28 07:01:00 57100 ----a-w- c:\windows\fonts\upclbi.ttf
2010-04-28 07:01:00 56752 ----a-w- c:\windows\fonts\upcli.ttf
2010-04-28 07:01:00 164892 ----a-w- c:\windows\fonts\Candarab.ttf
2010-04-28 07:01:00 126376 ----a-w- c:\windows\fonts\trebucbd.ttf
2010-04-11 20:23:07 51200 ----a-w- c:\windows\inf\infpub.dat
2010-04-11 20:23:07 143360 ----a-w- c:\windows\inf\infstrng.dat
2010-04-11 20:23:06 86016 ----a-w- c:\windows\inf\infstor.dat
2010-02-28 13:19:17 2560 ----a-w- c:\windows\_MSRSTRT.EXE
2010-02-27 23:02:20 51716 ----a-w- c:\windows\system32\pdf995mon.dll
2010-02-27 23:02:20 249856 ----a-w- c:\windows\system32\pdfmona.dll
2010-02-24 14:16:06 181632 ------w- c:\windows\system32\MpSigStub.exe
2010-02-23 06:39:13 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-23 06:33:45 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-02-23 06:33:45 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-02-23 04:55:36 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2010-02-20 23:06:41 24064 ----a-w- c:\windows\system32\nshhttp.dll
2010-02-20 23:05:14 30720 ----a-w- c:\windows\system32\httpapi.dll
2010-02-19 23:47:50 3604480 ----a-w- c:\windows\system32\GPhotos.scr
2009-11-17 08:25:49 665600 ----a-w- c:\windows\inf\drvindex.dat
2009-08-20 08:15:08 135630545 ----a-w- c:\program files\openofficeorg1.cab
2009-08-20 08:13:26 9815040 ----a-w- c:\program files\openofficeorg31.msi
2009-08-19 08:31:00 336 ----a-w- c:\program files\setup.ini
2008-01-21 02:43:21 174 --sha-w- c:\program files\desktop.ini
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2002-03-11 09:06:30 1822520 ----a-w- c:\program files\instmsiw.exe
2002-03-11 08:45:04 1708856 ----a-w- c:\program files\instmsia.exe
2009-11-21 05:50:49 245760 --sha-w- c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\windows\ietldcache\index.dat
2009-10-16 04:07:14 245760 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\ietldcache\index.dat

============= FINISH: 0:19:12.17 ===============

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-04-29 01:18:31
Windows 6.0.6002 Service Pack 2
Running: gmer.exe; Driver: C:\Users\Bames\AppData\Local\Temp\uwloqkog.sys


---- System - GMER 1.0.15 ----

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0xAA798A3B]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0xAA798A65]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0xAA798A4F]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0xAA798A27]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile

---- Kernel code sections - GMER 1.0.15 ----

PAGE ntkrnlpa.exe!ZwTerminateProcess 8223FDA3 5 Bytes JMP AA798A2B \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwProtectVirtualMemory 82268F3D 7 Bytes JMP AA798A53 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtCreateFile 82290E19 5 Bytes JMP AA798A3F \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateProcess 822E0847 5 Bytes JMP AA798A69 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Mozilla Firefox\firefox.exe[628] ntdll.dll!LdrLoadDll 770F9390 5 Bytes JMP 00B313F0 C:\Program Files\Mozilla Firefox\firefox.exe (Firefox/Mozilla Corporation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[628] kernel32.dll!DeleteFileW 759CF4B6 5 Bytes JMP 006C1C81
.text C:\Program Files\Mozilla Firefox\firefox.exe[628] kernel32.dll!MoveFileExW 759D10C8 5 Bytes JMP 006C1D52
.text C:\Program Files\Mozilla Firefox\firefox.exe[628] kernel32.dll!FindNextFileW 759DB79E 7 Bytes JMP 006C1B84
.text C:\Program Files\Mozilla Firefox\firefox.exe[628] kernel32.dll!FindFirstFileExW 759EECA2 5 Bytes JMP 006C1B1E
.text C:\Program Files\Mozilla Firefox\firefox.exe[628] kernel32.dll!CreateFileW 759FAECB 5 Bytes JMP 006C1B9B
.text C:\Program Files\Mozilla Firefox\firefox.exe[628] kernel32.dll!GetFileAttributesW 759FD281 5 Bytes JMP 006C1BF4
.text C:\Program Files\Mozilla Firefox\firefox.exe[628] kernel32.dll!Module32FirstW 75A060EB 5 Bytes JMP 006C1C2B
.text C:\Program Files\Mozilla Firefox\firefox.exe[628] kernel32.dll!Module32NextW 75A0639E 5 Bytes JMP 006C1C6A
.text C:\Program Files\Mozilla Firefox\firefox.exe[628] PSAPI.DLL!EnumProcessModules 772016ED 5 Bytes JMP 006C1CB8
.text C:\Windows\ehome\ehtray.exe[748] kernel32.dll!DeleteFileW 759CF4B6 5 Bytes JMP 10001C81
.text C:\Windows\ehome\ehtray.exe[748] kernel32.dll!MoveFileExW 759D10C8 5 Bytes JMP 10001D52
.text C:\Windows\ehome\ehtray.exe[748] kernel32.dll!FindNextFileW 759DB79E 7 Bytes JMP 10001B84
.text C:\Windows\ehome\ehtray.exe[748] kernel32.dll!FindFirstFileExW 759EECA2 5 Bytes JMP 10001B1E
.text C:\Windows\ehome\ehtray.exe[748] kernel32.dll!CreateFileW 759FAECB 5 Bytes JMP 10001B9B
.text C:\Windows\ehome\ehtray.exe[748] kernel32.dll!GetFileAttributesW 759FD281 5 Bytes JMP 10001BF4
.text C:\Windows\ehome\ehtray.exe[748] kernel32.dll!Module32FirstW 75A060EB 5 Bytes JMP 10001C2B
.text C:\Windows\ehome\ehtray.exe[748] kernel32.dll!Module32NextW 75A0639E 5 Bytes JMP 10001C6A
.text C:\Windows\ehome\ehtray.exe[748] PSAPI.DLL!EnumProcessModules 772016ED 5 Bytes JMP 10001CB8
.text C:\Program Files\Crawler\Notes\CNotes.exe[1048] kernel32.dll!DeleteFileW 759CF4B6 5 Bytes JMP 10001C81
.text C:\Program Files\Crawler\Notes\CNotes.exe[1048] kernel32.dll!MoveFileExW 759D10C8 5 Bytes JMP 10001D52
.text C:\Program Files\Crawler\Notes\CNotes.exe[1048] kernel32.dll!FindNextFileW 759DB79E 7 Bytes JMP 10001B84
.text C:\Program Files\Crawler\Notes\CNotes.exe[1048] kernel32.dll!FindFirstFileExW 759EECA2 5 Bytes JMP 10001B1E
.text C:\Program Files\Crawler\Notes\CNotes.exe[1048] kernel32.dll!CreateFileW 759FAECB 5 Bytes JMP 10001B9B
.text C:\Program Files\Crawler\Notes\CNotes.exe[1048] kernel32.dll!GetFileAttributesW 759FD281 5 Bytes JMP 10001BF4
.text C:\Program Files\Crawler\Notes\CNotes.exe[1048] kernel32.dll!Module32FirstW 75A060EB 5 Bytes JMP 10001C2B
.text C:\Program Files\Crawler\Notes\CNotes.exe[1048] kernel32.dll!Module32NextW 75A0639E 5 Bytes JMP 10001C6A
.text C:\Program Files\Crawler\Notes\CNotes.exe[1048] PSAPI.DLL!EnumProcessModules 772016ED 5 Bytes JMP 10001CB8
.text C:\Program Files\McAfee\Common Framework\McTray.exe[1212] kernel32.dll!DeleteFileW 759CF4B6 5 Bytes JMP 10001C81
.text C:\Program Files\McAfee\Common Framework\McTray.exe[1212] kernel32.dll!MoveFileExW 759D10C8 5 Bytes JMP 10001D52
.text C:\Program Files\McAfee\Common Framework\McTray.exe[1212] kernel32.dll!FindNextFileW 759DB79E 7 Bytes JMP 10001B84
.text C:\Program Files\McAfee\Common Framework\McTray.exe[1212] kernel32.dll!FindFirstFileExW 759EECA2 5 Bytes JMP 10001B1E
.text C:\Program Files\McAfee\Common Framework\McTray.exe[1212] kernel32.dll!CreateFileW 759FAECB 5 Bytes JMP 10001B9B
.text C:\Program Files\McAfee\Common Framework\McTray.exe[1212] kernel32.dll!GetFileAttributesW 759FD281 5 Bytes JMP 10001BF4
.text C:\Program Files\McAfee\Common Framework\McTray.exe[1212] kernel32.dll!Module32FirstW 75A060EB 5 Bytes JMP 10001C2B
.text C:\Program Files\McAfee\Common Framework\McTray.exe[1212] kernel32.dll!Module32NextW 75A0639E 5 Bytes JMP 10001C6A
.text C:\Program Files\McAfee\Common Framework\McTray.exe[1212] PSAPI.DLL!EnumProcessModules 772016ED 5 Bytes JMP 10001CB8
.text C:\Windows\system32\taskeng.exe[2484] kernel32.dll!DeleteFileW 759CF4B6 5 Bytes JMP 00981C81
.text C:\Windows\system32\taskeng.exe[2484] kernel32.dll!MoveFileExW 759D10C8 5 Bytes JMP 00981D52
.text C:\Windows\system32\taskeng.exe[2484] kernel32.dll!FindNextFileW 759DB79E 7 Bytes JMP 00981B84
.text C:\Windows\system32\taskeng.exe[2484] kernel32.dll!FindFirstFileExW 759EECA2 5 Bytes JMP 00981B1E
.text C:\Windows\system32\taskeng.exe[2484] kernel32.dll!CreateFileW 759FAECB 5 Bytes JMP 00981B9B
.text C:\Windows\system32\taskeng.exe[2484] kernel32.dll!GetFileAttributesW 759FD281 5 Bytes JMP 00981BF4
.text C:\Windows\system32\taskeng.exe[2484] kernel32.dll!Module32FirstW 75A060EB 5 Bytes JMP 00981C2B
.text C:\Windows\system32\taskeng.exe[2484] kernel32.dll!Module32NextW 75A0639E 5 Bytes JMP 00981C6A
.text C:\Windows\system32\taskeng.exe[2484] PSAPI.DLL!EnumProcessModules 772016ED 5 Bytes JMP 00981CB8
.text C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[2720] kernel32.dll!DeleteFileW 759CF4B6 5 Bytes JMP 10001C81
.text C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[2720] kernel32.dll!MoveFileExW 759D10C8 5 Bytes JMP 10001D52
.text C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[2720] kernel32.dll!FindNextFileW 759DB79E 7 Bytes JMP 10001B84
.text C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[2720] kernel32.dll!FindFirstFileExW 759EECA2 5 Bytes JMP 10001B1E
.text C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[2720] kernel32.dll!CreateFileW 759FAECB 5 Bytes JMP 10001B9B
.text C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[2720] kernel32.dll!GetFileAttributesW 759FD281 5 Bytes JMP 10001BF4
.text C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[2720] kernel32.dll!Module32FirstW 75A060EB 5 Bytes JMP 10001C2B
.text C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[2720] kernel32.dll!Module32NextW 75A0639E 5 Bytes JMP 10001C6A
.text C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[2720] PSAPI.DLL!EnumProcessModules 772016ED 5 Bytes JMP 10001CB8
.text C:\Windows\ehome\ehmsas.exe[2728] kernel32.dll!DeleteFileW 759CF4B6 5 Bytes JMP 10001C81
.text C:\Windows\ehome\ehmsas.exe[2728] kernel32.dll!MoveFileExW 759D10C8 5 Bytes JMP 10001D52
.text C:\Windows\ehome\ehmsas.exe[2728] kernel32.dll!FindNextFileW 759DB79E 7 Bytes JMP 10001B84
.text C:\Windows\ehome\ehmsas.exe[2728] kernel32.dll!FindFirstFileExW 759EECA2 5 Bytes JMP 10001B1E
.text C:\Windows\ehome\ehmsas.exe[2728] kernel32.dll!CreateFileW 759FAECB 5 Bytes JMP 10001B9B
.text C:\Windows\ehome\ehmsas.exe[2728] kernel32.dll!GetFileAttributesW 759FD281 5 Bytes JMP 10001BF4
.text C:\Windows\ehome\ehmsas.exe[2728] kernel32.dll!Module32FirstW 75A060EB 5 Bytes JMP 10001C2B
.text C:\Windows\ehome\ehmsas.exe[2728] kernel32.dll!Module32NextW 75A0639E 5 Bytes JMP 10001C6A
.text C:\Windows\ehome\ehmsas.exe[2728] PSAPI.DLL!EnumProcessModules 772016ED 5 Bytes JMP 10001CB8
.text C:\Windows\system32\Dwm.exe[2812] kernel32.dll!DeleteFileW 759CF4B6 5 Bytes JMP 04F21C81
.text C:\Windows\system32\Dwm.exe[2812] kernel32.dll!MoveFileExW 759D10C8 5 Bytes JMP 04F21D52
.text C:\Windows\system32\Dwm.exe[2812] kernel32.dll!FindNextFileW 759DB79E 7 Bytes JMP 04F21B84
.text C:\Windows\system32\Dwm.exe[2812] kernel32.dll!FindFirstFileExW 759EECA2 5 Bytes JMP 04F21B1E
.text C:\Windows\system32\Dwm.exe[2812] kernel32.dll!CreateFileW 759FAECB 5 Bytes JMP 04F21B9B
.text C:\Windows\system32\Dwm.exe[2812] kernel32.dll!GetFileAttributesW 759FD281 5 Bytes JMP 04F21BF4
.text C:\Windows\system32\Dwm.exe[2812] kernel32.dll!Module32FirstW 75A060EB 5 Bytes JMP 04F21C2B
.text C:\Windows\system32\Dwm.exe[2812] kernel32.dll!Module32NextW 75A0639E 5 Bytes JMP 04F21C6A
.text C:\Windows\system32\Dwm.exe[2812] PSAPI.DLL!EnumProcessModules 772016ED 5 Bytes JMP 04F21CB8
.text C:\Windows\Explorer.EXE[2912] kernel32.dll!DeleteFileW 759CF4B6 5 Bytes JMP 03831C81
.text C:\Windows\Explorer.EXE[2912] kernel32.dll!MoveFileExW 759D10C8 5 Bytes JMP 03831D52
.text C:\Windows\Explorer.EXE[2912] kernel32.dll!FindNextFileW 759DB79E 7 Bytes JMP 03831B84
.text C:\Windows\Explorer.EXE[2912] kernel32.dll!FindFirstFileExW 759EECA2 5 Bytes JMP 03831B1E
.text C:\Windows\Explorer.EXE[2912] kernel32.dll!CreateFileW 759FAECB 5 Bytes JMP 03831B9B
.text C:\Windows\Explorer.EXE[2912] kernel32.dll!GetFileAttributesW 759FD281 5 Bytes JMP 03831BF4
.text C:\Windows\Explorer.EXE[2912] kernel32.dll!Module32FirstW 75A060EB 5 Bytes JMP 03831C2B
.text C:\Windows\Explorer.EXE[2912] kernel32.dll!Module32NextW 75A0639E 5 Bytes JMP 03831C6A
.text C:\Windows\Explorer.EXE[2912] PSAPI.DLL!EnumProcessModules 772016ED 5 Bytes JMP 03831CB8
.text C:\Program Files\Windows Defender\MSASCui.exe[3500] kernel32.dll!DeleteFileW 759CF4B6 5 Bytes JMP 10001C81
.text C:\Program Files\Windows Defender\MSASCui.exe[3500] kernel32.dll!MoveFileExW 759D10C8 5 Bytes JMP 10001D52
.text C:\Program Files\Windows Defender\MSASCui.exe[3500] kernel32.dll!FindNextFileW 759DB79E 7 Bytes JMP 10001B84
.text C:\Program Files\Windows Defender\MSASCui.exe[3500] kernel32.dll!FindFirstFileExW 759EECA2 5 Bytes JMP 10001B1E
.text C:\Program Files\Windows Defender\MSASCui.exe[3500] kernel32.dll!CreateFileW 759FAECB 5 Bytes JMP 10001B9B
.text C:\Program Files\Windows Defender\MSASCui.exe[3500] kernel32.dll!GetFileAttributesW 759FD281 5 Bytes JMP 10001BF4
.text C:\Program Files\Windows Defender\MSASCui.exe[3500] kernel32.dll!Module32FirstW 75A060EB 5 Bytes JMP 10001C2B
.text C:\Program Files\Windows Defender\MSASCui.exe[3500] kernel32.dll!Module32NextW 75A0639E 5 Bytes JMP 10001C6A
.text C:\Program Files\Windows Defender\MSASCui.exe[3500] PSAPI.DLL!EnumProcessModules 772016ED 5 Bytes JMP 10001CB8
.text C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe[3508] kernel32.dll!DeleteFileW 759CF4B6 5 Bytes JMP 01571C81
.text C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe[3508] kernel32.dll!MoveFileExW 759D10C8 5 Bytes JMP 01571D52
.text C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe[3508] kernel32.dll!FindNextFileW 759DB79E 7 Bytes JMP 01571B84
.text C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe[3508] kernel32.dll!FindFirstFileExW 759EECA2 5 Bytes JMP 01571B1E
.text C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe[3508] kernel32.dll!CreateFileW 759FAECB 5 Bytes JMP 01571B9B
.text C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe[3508] kernel32.dll!GetFileAttributesW 759FD281 5 Bytes JMP 01571BF4
.text C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe[3508] kernel32.dll!Module32FirstW 75A060EB 5 Bytes JMP 01571C2B
.text C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe[3508] kernel32.dll!Module32NextW 75A0639E 5 Bytes JMP 01571C6A
.text C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe[3508] PSAPI.DLL!EnumProcessModules 772016ED 5 Bytes JMP 01571CB8
.text C:\Windows\system32\wbem\unsecapp.exe[3580] kernel32.dll!DeleteFileW 759CF4B6 5 Bytes JMP 10001C81
.text C:\Windows\system32\wbem\unsecapp.exe[3580] kernel32.dll!MoveFileExW 759D10C8 5 Bytes JMP 10001D52
.text C:\Windows\system32\wbem\unsecapp.exe[3580] kernel32.dll!FindNextFileW 759DB79E 7 Bytes JMP 10001B84
.text C:\Windows\system32\wbem\unsecapp.exe[3580] kernel32.dll!FindFirstFileExW 759EECA2 5 Bytes JMP 10001B1E
.text C:\Windows\system32\wbem\unsecapp.exe[3580] kernel32.dll!CreateFileW 759FAECB 5 Bytes JMP 10001B9B
.text C:\Windows\system32\wbem\unsecapp.exe[3580] kernel32.dll!GetFileAttributesW 759FD281 5 Bytes JMP 10001BF4
.text C:\Windows\system32\wbem\unsecapp.exe[3580] kernel32.dll!Module32FirstW 75A060EB 5 Bytes JMP 10001C2B
.text C:\Windows\system32\wbem\unsecapp.exe[3580] kernel32.dll!Module32NextW 75A0639E 5 Bytes JMP 10001C6A
.text C:\Windows\system32\wbem\unsecapp.exe[3580] PSAPI.DLL!EnumProcessModules 772016ED 5 Bytes JMP 10001CB8
.text C:\Program Files\Camera Assistant Software for Gateway\traybar.exe[3676] kernel32.dll!DeleteFileW 759CF4B6 5 Bytes JMP 10001C81
.text C:\Program Files\Camera Assistant Software for Gateway\traybar.exe[3676] kernel32.dll!MoveFileExW 759D10C8 5 Bytes JMP 10001D52
.text C:\Program Files\Camera Assistant Software for Gateway\traybar.exe[3676] kernel32.dll!FindNextFileW 759DB79E 7 Bytes JMP 10001B84
.text C:\Program Files\Camera Assistant Software for Gateway\traybar.exe[3676] kernel32.dll!FindFirstFileExW 759EECA2 5 Bytes JMP 10001B1E
.text C:\Program Files\Camera Assistant Software for Gateway\traybar.exe[3676] kernel32.dll!CreateFileW 759FAECB 5 Bytes JMP 10001B9B
.text C:\Program Files\Camera Assistant Software for Gateway\traybar.exe[3676] kernel32.dll!GetFileAttributesW 759FD281 5 Bytes JMP 10001BF4
.text C:\Program Files\Camera Assistant Software for Gateway\traybar.exe[3676] kernel32.dll!Module32FirstW 75A060EB 5 Bytes JMP 10001C2B
.text C:\Program Files\Camera Assistant Software for Gateway\traybar.exe[3676] kernel32.dll!Module32NextW 75A0639E 5 Bytes JMP 10001C6A
.text C:\Program Files\Camera Assistant Software for Gateway\traybar.exe[3676] PSAPI.DLL!EnumProcessModules 772016ED 5 Bytes JMP 10001CB8
.text C:\Program Files\McAfee\VirusScan Enterprise\shstat.exe[3732] kernel32.dll!DeleteFileW 759CF4B6 5 Bytes JMP 10001C81
.text C:\Program Files\McAfee\VirusScan Enterprise\shstat.exe[3732] kernel32.dll!MoveFileExW 759D10C8 5 Bytes JMP 10001D52
.text C:\Program Files\McAfee\VirusScan Enterprise\shstat.exe[3732] kernel32.dll!FindNextFileW 759DB79E 7 Bytes JMP 10001B84
.text C:\Program Files\McAfee\VirusScan Enterprise\shstat.exe[3732] kernel32.dll!FindFirstFileExW 759EECA2 5 Bytes JMP 10001B1E
.text C:\Program Files\McAfee\VirusScan Enterprise\shstat.exe[3732] kernel32.dll!CreateFileW 759FAECB 5 Bytes JMP 10001B9B
.text C:\Program Files\McAfee\VirusScan Enterprise\shstat.exe[3732] kernel32.dll!GetFileAttributesW 759FD281 5 Bytes JMP 10001BF4
.text C:\Program Files\McAfee\VirusScan Enterprise\shstat.exe[3732] kernel32.dll!Module32FirstW 75A060EB 5 Bytes JMP 10001C2B
.text C:\Program Files\McAfee\VirusScan Enterprise\shstat.exe[3732] kernel32.dll!Module32NextW 75A0639E 5 Bytes JMP 10001C6A
.text C:\Program Files\McAfee\VirusScan Enterprise\shstat.exe[3732] PSAPI.DLL!EnumProcessModules 772016ED 5 Bytes JMP 10001CB8
.text C:\Program Files\McAfee\Common Framework\UdaterUI.exe[3752] kernel32.dll!DeleteFileW 759CF4B6 5 Bytes JMP 10001C81
.text C:\Program Files\McAfee\Common Framework\UdaterUI.exe[3752] kernel32.dll!MoveFileExW 759D10C8 5 Bytes JMP 10001D52
.text C:\Program Files\McAfee\Common Framework\UdaterUI.exe[3752] kernel32.dll!FindNextFileW 759DB79E 7 Bytes JMP 10001B84
.text C:\Program Files\McAfee\Common Framework\UdaterUI.exe[3752] kernel32.dll!FindFirstFileExW 759EECA2 5 Bytes JMP 10001B1E
.text C:\Program Files\McAfee\Common Framework\UdaterUI.exe[3752] kernel32.dll!CreateFileW 759FAECB 5 Bytes JMP 10001B9B
.text C:\Program Files\McAfee\Common Framework\UdaterUI.exe[3752] kernel32.dll!GetFileAttributesW 759FD281 5 Bytes JMP 10001BF4
.text C:\Program Files\McAfee\Common Framework\UdaterUI.exe[3752] kernel32.dll!Module32FirstW 75A060EB 5 Bytes JMP 10001C2B
.text C:\Program Files\McAfee\Common Framework\UdaterUI.exe[3752] kernel32.dll!Module32NextW 75A0639E 5 Bytes JMP 10001C6A
.text C:\Program Files\McAfee\Common Framework\UdaterUI.exe[3752] PSAPI.DLL!EnumProcessModules 772016ED 5 Bytes JMP 10001CB8
.text C:\Windows\System32\igfxtray.exe[3776] kernel32.dll!DeleteFileW 759CF4B6 5 Bytes JMP 01A41C81
.text C:\Windows\System32\igfxtray.exe[3776] kernel32.dll!MoveFileExW 759D10C8 5 Bytes JMP 01A41D52
.text C:\Windows\System32\igfxtray.exe[3776] kernel32.dll!FindNextFileW 759DB79E 7 Bytes JMP 01A41B84
.text C:\Windows\System32\igfxtray.exe[3776] kernel32.dll!FindFirstFileExW 759EECA2 5 Bytes JMP 01A41B1E
.text C:\Windows\System32\igfxtray.exe[3776] kernel32.dll!CreateFileW 759FAECB 5 Bytes JMP 01A41B9B
.text C:\Windows\System32\igfxtray.exe[3776] kernel32.dll!GetFileAttributesW 759FD281 5 Bytes JMP 01A41BF4
.text C:\Windows\System32\igfxtray.exe[3776] kernel32.dll!Module32FirstW 75A060EB 5 Bytes JMP 01A41C2B
.text C:\Windows\System32\igfxtray.exe[3776] kernel32.dll!Module32NextW 75A0639E 5 Bytes JMP 01A41C6A
.text C:\Windows\System32\igfxtray.exe[3776] PSAPI.DLL!EnumProcessModules 772016ED 5 Bytes JMP 01A41CB8
.text C:\Windows\System32\hkcmd.exe[3784] kernel32.dll!DeleteFileW 759CF4B6 5 Bytes JMP 01B91C81
.text C:\Windows\System32\hkcmd.exe[3784] kernel32.dll!MoveFileExW 759D10C8 5 Bytes JMP 01B91D52
.text C:\Windows\System32\hkcmd.exe[3784] kernel32.dll!FindNextFileW 759DB79E 7 Bytes JMP 01B91B84
.text C:\Windows\System32\hkcmd.exe[3784] kernel32.dll!FindFirstFileExW 759EECA2 5 Bytes JMP 01B91B1E
.text C:\Windows\System32\hkcmd.exe[3784] kernel32.dll!CreateFileW 759FAECB 5 Bytes JMP 01B91B9B
.text C:\Windows\System32\hkcmd.exe[3784] kernel32.dll!GetFileAttributesW 759FD281 5 Bytes JMP 01B91BF4
.text C:\Windows\System32\hkcmd.exe[3784] kernel32.dll!Module32FirstW 75A060EB 5 Bytes JMP 01B91C2B
.text C:\Windows\System32\hkcmd.exe[3784] kernel32.dll!Module32NextW 75A0639E 5 Bytes JMP 01B91C6A
.text C:\Windows\System32\hkcmd.exe[3784] PSAPI.DLL!EnumProcessModules 772016ED 5 Bytes JMP 01B91CB8
.text C:\Windows\System32\igfxpers.exe[3824] kernel32.dll!DeleteFileW 759CF4B6 5 Bytes JMP 00351C81
.text C:\Windows\System32\igfxpers.exe[3824] kernel32.dll!MoveFileExW 759D10C8 5 Bytes JMP 00351D52
.text C:\Windows\System32\igfxpers.exe[3824] kernel32.dll!FindNextFileW 759DB79E 7 Bytes JMP 00351B84
.text C:\Windows\System32\igfxpers.exe[3824] kernel32.dll!FindFirstFileExW 759EECA2 5 Bytes JMP 00351B1E
.text C:\Windows\System32\igfxpers.exe[3824] kernel32.dll!CreateFileW 759FAECB 5 Bytes JMP 00351B9B
.text C:\Windows\System32\igfxpers.exe[3824] kernel32.dll!GetFileAttributesW 759FD281 5 Bytes JMP 00351BF4
.text C:\Windows\System32\igfxpers.exe[3824] kernel32.dll!Module32FirstW 75A060EB 5 Bytes JMP 00351C2B
.text C:\Windows\System32\igfxpers.exe[3824] kernel32.dll!Module32NextW 75A0639E 5 Bytes JMP 00351C6A
.text C:\Windows\System32\igfxpers.exe[3824] PSAPI.DLL!EnumProcessModules 772016ED 5 Bytes JMP 00351CB8
.text C:\Program Files\Camera Assistant Software for Gateway\CEC_MAIN.exe[3896] ntdll.dll!DbgBreakPoint 77118B2E 1 Byte [90]
.text C:\Program Files\Camera Assistant Software for Gateway\CEC_MAIN.exe[3896] kernel32.dll!DeleteFileW 759CF4B6 5 Bytes JMP 10001C81
.text C:\Program Files\Camera Assistant Software for Gateway\CEC_MAIN.exe[3896] kernel32.dll!MoveFileExW 759D10C8 5 Bytes JMP 10001D52
.text C:\Program Files\Camera Assistant Software for Gateway\CEC_MAIN.exe[3896] kernel32.dll!FindNextFileW 759DB79E 7 Bytes JMP 10001B84
.text C:\Program Files\Camera Assistant Software for Gateway\CEC_MAIN.exe[3896] kernel32.dll!FindFirstFileExW 759EECA2 5 Bytes JMP 10001B1E
.text C:\Program Files\Camera Assistant Software for Gateway\CEC_MAIN.exe[3896] kernel32.dll!CreateFileW 759FAECB 5 Bytes JMP 10001B9B
.text C:\Program Files\Camera Assistant Software for Gateway\CEC_MAIN.exe[3896] kernel32.dll!GetFileAttributesW 759FD281 5 Bytes JMP 10001BF4
.text C:\Program Files\Camera Assistant Software for Gateway\CEC_MAIN.exe[3896] kernel32.dll!Module32FirstW 75A060EB 5 Bytes JMP 10001C2B
.text C:\Program Files\Camera Assistant Software for Gateway\CEC_MAIN.exe[3896] kernel32.dll!Module32NextW 75A0639E 5 Bytes JMP 10001C6A
.text C:\Program Files\Camera Assistant Software for Gateway\CEC_MAIN.exe[3896] PSAPI.DLL!EnumProcessModules 772016ED 5 Bytes JMP 10001CB8
.text C:\Program Files\My Lockbox\mylbx.exe[3912] kernel32.dll!DeleteFileW 759CF4B6 5 Bytes JMP 10001C81
.text C:\Program Files\My Lockbox\mylbx.exe[3912] kernel32.dll!MoveFileExW 759D10C8 5 Bytes JMP 10001D52
.text C:\Program Files\My Lockbox\mylbx.exe[3912] kernel32.dll!FindNextFileW 759DB79E 7 Bytes JMP 10001B84
.text C:\Program Files\My Lockbox\mylbx.exe[3912] kernel32.dll!FindFirstFileExW 759EECA2 5 Bytes JMP 10001B1E
.text C:\Program Files\My Lockbox\mylbx.exe[3912] kernel32.dll!CreateFileW 759FAECB 5 Bytes JMP 10001B9B
.text C:\Program Files\My Lockbox\mylbx.exe[3912] kernel32.dll!GetFileAttributesW 759FD281 5 Bytes JMP 10001BF4
.text C:\Program Files\My Lockbox\mylbx.exe[3912] kernel32.dll!Module32FirstW 75A060EB 5 Bytes JMP 10001C2B
.text C:\Program Files\My Lockbox\mylbx.exe[3912] kernel32.dll!Module32NextW 75A0639E 5 Bytes JMP 10001C6A
.text C:\Program Files\My Lockbox\mylbx.exe[3912] PSAPI.DLL!EnumProcessModules 772016ED 5 Bytes JMP 10001CB8
.text C:\Windows\sttray.exe[3948] kernel32.dll!DeleteFileW 759CF4B6 5 Bytes JMP 00911C81
.text C:\Windows\sttray.exe[3948] kernel32.dll!MoveFileExW 759D10C8 5 Bytes JMP 00911D52
.text C:\Windows\sttray.exe[3948] kernel32.dll!FindNextFileW 759DB79E 7 Bytes JMP 00911B84
.text C:\Windows\sttray.exe[3948] kernel32.dll!FindFirstFileExW 759EECA2 5 Bytes JMP 00911B1E
.text C:\Windows\sttray.exe[3948] kernel32.dll!CreateFileW 759FAECB 5 Bytes JMP 00911B9B
.text C:\Windows\sttray.exe[3948] kernel32.dll!GetFileAttributesW 759FD281 5 Bytes JMP 00911BF4
.text C:\Windows\sttray.exe[3948] kernel32.dll!Module32FirstW 75A060EB 5 Bytes JMP 00911C2B
.text C:\Windows\sttray.exe[3948] kernel32.dll!Module32NextW 75A0639E 5 Bytes JMP 00911C6A
.text C:\Windows\sttray.exe[3948] PSAPI.DLL!EnumProcessModules 772016ED 5 Bytes JMP 00911CB8
.text C:\Program Files\iTunes\iTunesHelper.exe[3992] kernel32.dll!DeleteFileW 759CF4B6 5 Bytes JMP 10001C81
.text C:\Program Files\iTunes\iTunesHelper.exe[3992] kernel32.dll!MoveFileExW 759D10C8 5 Bytes JMP 10001D52
.text C:\Program Files\iTunes\iTunesHelper.exe[3992] kernel32.dll!FindNextFileW 759DB79E 7 Bytes JMP 10001B84
.text C:\Program Files\iTunes\iTunesHelper.exe[3992] kernel32.dll!FindFirstFileExW 759EECA2 5 Bytes JMP 10001B1E
.text C:\Program Files\iTunes\iTunesHelper.exe[3992] kernel32.dll!CreateFileW 759FAECB 5 Bytes JMP 10001B9B
.text C:\Program Files\iTunes\iTunesHelper.exe[3992] kernel32.dll!GetFileAttributesW 759FD281 5 Bytes JMP 10001BF4
.text C:\Program Files\iTunes\iTunesHelper.exe[3992] kernel32.dll!Module32FirstW 75A060EB 5 Bytes JMP 10001C2B
.text C:\Program Files\iTunes\iTunesHelper.exe[3992] kernel32.dll!Module32NextW 75A0639E 5 Bytes JMP 10001C6A
.text C:\Program Files\iTunes\iTunesHelper.exe[3992] PSAPI.DLL!EnumProcessModules 772016ED 5 Bytes JMP 10001CB8
.text C:\Program Files\Tracker Software\PDF-XChange Viewer\pdf-viewer\PDFXCview.exe[4292] kernel32.dll!DeleteFileW 759CF4B6 5 Bytes JMP 10001C81
.text C:\Program Files\Tracker Software\PDF-XChange Viewer\pdf-viewer\PDFXCview.exe[4292] kernel32.dll!MoveFileExW 759D10C8 5 Bytes JMP 10001D52
.text C:\Program Files\Tracker Software\PDF-XChange Viewer\pdf-viewer\PDFXCview.exe[4292] kernel32.dll!FindNextFileW 759DB79E 7 Bytes JMP 10001B84
.text C:\Program Files\Tracker Software\PDF-XChange Viewer\pdf-viewer\PDFXCview.exe[4292] kernel32.dll!FindFirstFileExW 759EECA2 5 Bytes JMP 10001B1E
.text C:\Program Files\Tracker Software\PDF-XChange Viewer\pdf-viewer\PDFXCview.exe[4292] kernel32.dll!CreateFileW 759FAECB 5 Bytes JMP 10001B9B
.text C:\Program Files\Tracker Software\PDF-XChange Viewer\pdf-viewer\PDFXCview.exe[4292] kernel32.dll!GetFileAttributesW 759FD281 5 Bytes JMP 10001BF4
.text C:\Program Files\Tracker Software\PDF-XChange Viewer\pdf-viewer\PDFXCview.exe[4292] kernel32.dll!Module32FirstW 75A060EB 5 Bytes JMP 10001C2B
.text C:\Program Files\Tracker Software\PDF-XChange Viewer\pdf-viewer\PDFXCview.exe[4292] kernel32.dll!Module32NextW 75A0639E 5 Bytes JMP 10001C6A
.text C:\Program Files\Tracker Software\PDF-XChange Viewer\pdf-viewer\PDFXCview.exe[4292] PSAPI.DLL!EnumProcessModules 772016ED 5 Bytes JMP 10001CB8
.text C:\Windows\system32\wuauclt.exe[5296] kernel32.dll!DeleteFileW 759CF4B6 5 Bytes JMP 10001C81
.text C:\Windows\system32\wuauclt.exe[5296] kernel32.dll!MoveFileExW 759D10C8 5 Bytes JMP 10001D52
.text C:\Windows\system32\wuauclt.exe[5296] kernel32.dll!FindNextFileW 759DB79E 7 Bytes JMP 10001B84
.text C:\Windows\system32\wuauclt.exe[5296] kernel32.dll!FindFirstFileExW 759EECA2 5 Bytes JMP 10001B1E
.text C:\Windows\system32\wuauclt.exe[5296] kernel32.dll!CreateFileW 759FAECB 5 Bytes JMP 10001B9B
.text C:\Windows\system32\wuauclt.exe[5296] kernel32.dll!GetFileAttributesW 759FD281 5 Bytes JMP 10001BF4
.text C:\Windows\system32\wuauclt.exe[5296] kernel32.dll!Module32FirstW 75A060EB 5 Bytes JMP 10001C2B
.text C:\Windows\system32\wuauclt.exe[5296] kernel32.dll!Module32NextW 75A0639E 5 Bytes JMP 10001C6A
.text C:\Windows\system32\wuauclt.exe[5296] PSAPI.DLL!EnumProcessModules 772016ED 5 Bytes JMP 10001CB8

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)
AttachedDevice \Driver\tdx \Device\Tcp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\tdx \Device\Udp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)

---- Registry - GMER 1.0.15 ----

Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.++-\OpenWithProgids@X%\30%i%_\0a\0u\0t\0o\0_\0f\0i\0l\0e

---- EOF - GMER 1.0.15 ----


Edited by Maurice Naggar, 01 May 2010 - 11:19 AM.
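The GMER "user code sections" above show the same nine kernel32/PSAPI functions patched with a 5- or 7-byte JMP in almost every user process, with JMP targets whose low 16 bits repeat (…1C81, …1D52, …1B84) while the high bits change from process to process. That is one DLL mapped at a different base in each process, and hooks on the FindFirstFile/FindNextFile family plus Module32First/Next and EnumProcessModules are the pattern of a user-mode module that filters directory and module listings. As an added example (not part of this thread, nor GMER's or any named tool's code), the Python below parses such lines, groups processes that carry the same base-independent hook set, and labels each group for analyst review. The sample lines are copied from the log above except the last one, whose process path `C:\Example\benign.exe` and addresses are constructed; it runs offline.

```python
"""Triage of GMER user-mode inline-hook lines (added example, not GMER's code).

Line form: .text <process>[<pid>] <dll>!<function> <addr> <N> Bytes JMP <target>
A JMP target whose low 16 bits repeat across processes while the high bits
differ is the same code in one DLL mapped at a different base per process
(images are mapped at 64 KiB allocation granularity), so grouping processes
by (function, target & 0xFFFF) collects everything patched by that module.
"""
import re
from collections import defaultdict

HOOK_RE = re.compile(
    r"^\.text\s+(?P<proc>.+?)\[(?P<pid>\d+)\]\s+"
    r"(?P<module>[^!\s]+)!(?P<func>\S+)\s+"
    r"(?P<addr>[0-9A-Fa-f]+)\s+(?P<n>\d+)\s+Bytes?\s+JMP\s+(?P<target>[0-9A-Fa-f]+)$"
)

# Hooks on these filter directory listings (hide files) ...
FILE_ENUM_APIS = {"FindFirstFileW", "FindFirstFileExW", "FindNextFileW",
                  "FindFirstFileA", "FindNextFileA"}
# ... and hooks on these filter module listings (hide the hooking DLL itself).
MODULE_ENUM_APIS = {"Module32FirstW", "Module32NextW", "Module32First",
                    "Module32Next", "EnumProcessModules", "EnumProcessModulesEx"}

# Sample input: Explorer, Dwm and DbgBreakPoint lines copied from the GMER log
# in this thread; the last line (process path and both addresses) is constructed.
SAMPLE_LOG = r"""
.text C:\Windows\Explorer.EXE[2912] kernel32.dll!DeleteFileW 759CF4B6 5 Bytes JMP 03831C81
.text C:\Windows\Explorer.EXE[2912] kernel32.dll!FindNextFileW 759DB79E 7 Bytes JMP 03831B84
.text C:\Windows\Explorer.EXE[2912] kernel32.dll!FindFirstFileExW 759EECA2 5 Bytes JMP 03831B1E
.text C:\Windows\Explorer.EXE[2912] kernel32.dll!Module32FirstW 75A060EB 5 Bytes JMP 03831C2B
.text C:\Windows\Explorer.EXE[2912] PSAPI.DLL!EnumProcessModules 772016ED 5 Bytes JMP 03831CB8
.text C:\Windows\system32\Dwm.exe[2812] kernel32.dll!DeleteFileW 759CF4B6 5 Bytes JMP 04F21C81
.text C:\Windows\system32\Dwm.exe[2812] kernel32.dll!FindNextFileW 759DB79E 7 Bytes JMP 04F21B84
.text C:\Windows\system32\Dwm.exe[2812] kernel32.dll!FindFirstFileExW 759EECA2 5 Bytes JMP 04F21B1E
.text C:\Windows\system32\Dwm.exe[2812] kernel32.dll!Module32FirstW 75A060EB 5 Bytes JMP 04F21C2B
.text C:\Windows\system32\Dwm.exe[2812] PSAPI.DLL!EnumProcessModules 772016ED 5 Bytes JMP 04F21CB8
.text C:\Program Files\Camera Assistant Software for Gateway\CEC_MAIN.exe[3896] ntdll.dll!DbgBreakPoint 77118B2E 1 Byte [90]
.text C:\Example\benign.exe[999] user32.dll!MessageBoxW 77D0FEA5 5 Bytes JMP 00AB1234
"""


def parse_hook(line):
    """One inline-hook line -> dict; None for blank lines and non-JMP patches."""
    m = HOOK_RE.match(line.strip())
    if not m:
        return None
    return {"process": m["proc"], "pid": int(m["pid"]), "module": m["module"],
            "func": m["func"], "addr": int(m["addr"], 16),
            "patch_len": int(m["n"]), "target": int(m["target"], 16)}


def parse_log(text):
    return [h for h in map(parse_hook, text.splitlines()) if h]


def hook_signature(hooks):
    """Base-independent fingerprint of the module that placed these hooks."""
    return frozenset((h["func"], h["target"] & 0xFFFF) for h in hooks)


def assess(hooks):
    """One finding per distinct hook signature, most widely deployed first.
    Legitimate software hooks these APIs too, so the verdict is a review
    label, not a malware determination."""
    per_proc = defaultdict(list)
    for h in hooks:
        per_proc[f'{h["process"]}[{h["pid"]}]'].append(h)
    groups = defaultdict(list)
    for name, hs in per_proc.items():
        groups[hook_signature(hs)].append(name)

    findings = []
    for sig, names in groups.items():
        funcs = sorted(f for f, _ in sig)
        hides_files = any(f in FILE_ENUM_APIS for f in funcs)
        hides_modules = any(f in MODULE_ENUM_APIS for f in funcs)
        # 64 KiB block holding the trampoline in each process: rebased copies of
        # one DLL appear as different blocks with identical in-block offsets.
        blocks = sorted({h["target"] & ~0xFFFF for n in names for h in per_proc[n]})
        verdict = ("review: file-enumeration and module-enumeration APIs hooked by one module"
                   if hides_files and hides_modules
                   else "info: hooks present, no hiding pattern")
        findings.append({"processes": sorted(names), "hooked": funcs,
                         "hides_files": hides_files, "hides_modules": hides_modules,
                         "trampoline_blocks": [f"{b:08X}" for b in blocks],
                         "verdict": verdict})
    findings.sort(key=lambda f: -len(f["processes"]))
    return findings


if __name__ == "__main__":
    for f in assess(parse_log(SAMPLE_LOG)):
        print(f["verdict"])
        print("  processes:", ", ".join(f["processes"]))
        print("  hooked:   ", ", ".join(f["hooked"]))
        print("  blocks:   ", ", ".join(f["trampoline_blocks"]))
```

Run against the full log above it would place nearly every listed process in one "review" group, with per-process trampoline blocks such as 10000000, 00980000, 04F20000 and 03830000; the next step for an analyst is to identify which loaded module owns those ranges in one of the affected processes, which the GMER output alone does not name.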


#2 Maurice Naggar

Maurice Naggar

    Eradicator de malware


  • Malware Response Team
  • 1,088 posts
  • Gender:Male
  • Location:USA
  • Local time:09:34 PM

Posted 01 May 2010 - 11:32 AM

Hello Danthro and welcome to BC forums.

Please follow my guidance and also do not make changes or additions on your own.
You will want to print out or copy these instructions to Notepad for offline reference!
If you are a casual viewer, do NOT try this on your system!
If you are not danthro and have a similar problem, do NOT post here; start your own topic.


Do not run or start any other programs while these utilities and tools are in use!
Do NOT run any other tools on your own or do any fixes other than what is listed here.
If you have questions, please ask before you do something on your own.
But it is important that you get going on these following steps.
=
Close any of your open programs while you run these tools.

Given that this is a Vista system, on most all of the following programs and tools, you will need to do a right-click on the program link or shortcut or desktop icon (as appropriate) and then select "Run as Administrator". Please remember that as you go along.

Do as much as possible of the following.

Disable Spybot's Tea Timer (and keep it that way), otherwise it will reverse any fixes we make.
Right click the Spybot Icon (blue icon with lock ) in the system tray (notification area).
  • If you have the new version, click once on Resident Protection and make sure it is Unchecked.
  • If you have Version 1.4, Click on Exit Spybot S&D Resident

    If Teatimer gives you a warning that changes were made, click the "Allow Change" box when prompted.
    Exit Spybot S&D when done and reboot the system so the changes are in effect.
Step 2
1. Go >> Here << and download ERUNT
(ERUNT (Emergency Recovery Utility NT) is a free program that allows you to keep a complete backup of your registry and restore it when needed.)
2. Install ERUNT by following the prompts
(use the default install settings but say no to the portion that asks you to add ERUNT to the start-up folder, if you like you can enable this option later)
3. Start ERUNT
(either by double clicking on the desktop icon or choosing to start the program at the end of the setup)
4. Choose a location for the backup
(the default location is C:\WINDOWS\ERDNT which is acceptable).
5. Make sure that at least the first two check boxes are ticked
6. Press OK
7. Press YES to create the folder.

Step 3
Show all files:
  • Click the Start button, and then click Computer.
  • On the Organize menu, click Folder and Search Options.
  • Click the View tab.
  • Locate and uncheck Hide file extensions for known file types.
  • Locate and uncheck Hide protected operating system files (Recommended).
  • Locate and click Show hidden files and folders.
  • Click Apply > OK.
Step 4
Download TFC by OldTimer to your desktop
  • Please double-click TFC.exe to run it. (Note: If you are running on Vista or Windows 7, right-click on the file and choose Run As Administrator).
  • It will close all programs when run, so make sure you have saved all your work before you begin.
  • Click the Start button to begin the process. Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two. Let it run uninterrupted to completion.
  • IF prompted to Reboot, reply "Yes".
Step 5
Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
For directions on how, see How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs.
Do NOT turn off the firewall.

Please download Rkill by Grinler and save it to your desktop.
    Link 2
    Link 3
    Link 4
  • Double-click on the Rkill desktop icon to run the tool.
  • If using Vista, right-click on it and Run As Administrator.
  • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
  • If not, delete the file, then download and use the one provided in Link 2.
  • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
  • If the tool does not run from any of the links provided, please let me know.
  • If your antivirus program gives a prompt message, respond positive to allow RKILL to run.
  • If a malware-rogue gives a message regarding RKILL, proceed forward to running RKILL.
Step 6
Download OTL by OldTimer to your desktop: http://oldtimer.geekstogo.com/OTL.exe
  • Please RIGHT-click OTL.exe and choose Run As Administrator to start it.
  • Copy all the lines in between the **** stars lines **** below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    *****************************************************************
    :files
    c:\users\bames\appdata\roaming\AKM Antivirus 2010 Pro
    c:\programdata\yulejoka
    c:\programdata\yobijowu
    c:\programdata\kizonivo
    c:\programdata\dorehimo
    c:\programdata\sohibesi
    c:\programdata\ratifuya
    c:\programdata\pewafahu
    C:\recycler
    D:\recycler
    e:\recycler
    f:\recycler
    g:\recycler
    h:\recycler

    :Commands
    [purity]
    [emptytemp]
    [CREATERESTOREPOINT]

    *****************************************************************
  • Return to OTL. Right click in the "Custom Scans/Fixes" window (under the aqua-blue bar) and choose Paste.
  • Close any browser(s) windows that may be open.
  • Using your mouse, click on the red-lettered button Run Fix.
  • Once you see a message box "Fix complete! Click OK to open the fix log."
    Click the OK button
  • The log will open in Notepad (your default text editor).
  • Save the log. Post a copy of that log in your next reply.
Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process.
If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTL\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

Step 7
You will want to print out or copy these instructions to Notepad for Safe Mode/offline reference!

Close all open browsers at this point.

Start Internet Explorer (fresh) by pressing Start (Vista Orb) >> Internet Explorer >> Right-Click and select Run As Administrator.
Using Internet Explorer browser only, go to ESET Online Scanner website:
http://www.eset.com/onlinescan/
  • Accept the Terms of Use and press Start button;
  • Approve the install of the required ActiveX Control, then follow on-screen instructions;
  • Enable (check) the Remove found threats option, and run the scan.
  • After the scan completes, the Details tab in the Results window will display what was found and removed.
    • A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt.
    Look at contents of this file using Notepad or Wordpad.

    The Frequently Asked Questions for ESET Online Scanner can be viewed here
    http://www.eset.com/onlinescan/cac4.php?page=faq
    • From ESET Tech Support: If you have ESET NOD32 installed, you should disable it prior to running this scanner.
      Otherwise the scan will take twice as long to do:
      every time the ESET online scanner opens a file on your computer to scan it, NOD32 on your machine will rescan the file as a result.
    • It is emphasized to temporarily disable any pc-resident {active} antivirus program prior to any on-line scan by any on-line scanner.
      (And the prompt re-enabling when finished.)
    • If you use Firefox, you have to install IETab, an add-on. This is to enable ActiveX support.
    • Do not use the system while the scan is running. Once the full scan is underway, go take a long break.
Step 8
Download RootRepeal:
http://rootrepeal.googlepages.com/RootRepeal.zip
  • Extract the archive to a folder you create such as C:\RootRepeal
  • Double-click RootRepeal.exe to launch the program (Vista users should right-click and select "Run as Administrator").
  • Click the "File" tab (located at the bottom of the RootRepeal screen)
  • Click the "Scan" button
  • In the popup dialog, check the drives to be scanned - making sure to check your primary operating system drive - normally C:
  • Click OK and the file scan will begin
  • When the scan is done, there will be files listed, but most if not all of them will be legitimate
  • Click the "Save Report" Button
  • Save the log file to your Documents folder
  • Post the content of the RootRepeal file scan log in your next reply.
Reply with a copy of the OTL MovedFiles log, the ESET scan log and the RootRepeal log.

Edited by Maurice Naggar, 01 May 2010 - 11:33 AM.

~Maurice Naggar
MS-MVP (Oct 2002 - Sept 2010)

#3 danthro

danthro
  • Topic Starter

  • Members
  • 10 posts
  • Local time:10:34 PM

Posted 02 May 2010 - 01:31 AM

Dear Maurice Naggar,

Thanks so much for your help! I followed the instructions (more on that below). I also thought I should mention that before receiving your response I did a couple things: I ran spybot and a program called vcleaner I got from a friend in safe mode, and spybot ran again on reboot (but before windows loaded). It didn't get rid of the virus, but it did seem to make my computer a bit less insanely slow.

Also, I noticed other weird issues, like the taskbar disappearing sometimes, the links from google redirecting to other pages (that seems not to be happening now), occasionally getting a message from windows that a "host" had stopped working and this might be problematic somehow, and (since I have a setting where if I hold down ctrl, a circle moves in on where the mouse is located in the screen) these circles were appearing to locate the mouse at random times when I wasn't even touching the computer).

So, I followed the instructions to the best of my ability. Some issues arose:

--I followed the instructions for turning off Spybot's TeaTimer, but it automatically went back on when I restarted. So I went to the control I access through Windows Defender to disable it from starting at startup.
--I had a similar issue with not knowing how to disable McAfee (the instructions on the website didn't match the menu I was seeing), so I also used the control to disable it from starting at startup.
--I used the fourth link for Rkill because when I downloaded the first three links to my desktop and right-clicked the icon there was no option to run as administrator; the fourth one was the only one that allowed me to do so. The DOS box showed up, so I assume it worked.
--I ran ESET from IE as instructed. Should I have run it from Firefox too, since that's the browser I usually use?
--I tried to run RootRepeal twice, but after about 1.5-2 hours, it had errors/closed. Basically, it worked really fast at first and then it got stuck--it said it was looking in something like C:\Windows\winsxs\Manifests and it stayed on that for 1.5-2 hours without adding anything new to the list. Then it closed. The second time I saw it give some errors (but the error box was transparent--I took a screenshot; if you want to see it let me know). The only option I had was to click the red x to close the error box, and I think there were multiple ones on top of each other because I had to click multiple times. Then the program closed. I saw in the RootRepeal folder in the program files, there are six .txt files called "RootRepeal_Crash_" followed by a number. The first one says

ROOTREPEAL CRASH REPORT
-------------------------
Windows Version: Windows Vista SP2
Exception Code: 0xc0000005
Exception Address: 0x0040ab12
Attempt to write to address: 0x00000004

The other five say:

ROOTREPEAL CRASH REPORT
-------------------------
Windows Version: Windows Vista SP2
Exception Code: 0xc0000005
Exception Address: 0x004cbf6b
Attempt to read from address: 0x00000004


In any case, the other logs you asked for are pasted below.

Please let me know how to proceed next.

And once again, thank you **very** much for your assistance!



Here is the OTL log:

All processes killed
========== FILES ==========
c:\users\bames\appdata\roaming\AKM Antivirus 2010 Pro folder moved successfully.
c:\programdata\yulejoka folder moved successfully.
c:\programdata\yobijowu folder moved successfully.
c:\programdata\kizonivo folder moved successfully.
c:\programdata\dorehimo folder moved successfully.
File\Folder c:\programdata\sohibesi not found.
c:\programdata\ratifuya folder moved successfully.
c:\programdata\pewafahu folder moved successfully.
File\Folder C:\recycler not found.
File\Folder D:\recycler not found.
File\Folder e:\recycler not found.
File\Folder f:\recycler not found.
File\Folder g:\recycler not found.
File\Folder h:\recycler not found.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Bames
->Temp folder emptied: 423558 bytes
->Temporary Internet Files folder emptied: 115887 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 12887912 bytes
->Google Chrome cache emptied: 0 bytes
->Apple Safari cache emptied: 0 bytes
->Flash cache emptied: 434 bytes

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Public

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 56889344 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 67.00 mb



OTL by OldTimer - Version 3.2.4.0 log created on 05012010_151710

Files\Folders moved on Reboot...
File\Folder C:\Windows\temp\WFVFA07.tmp not found!

Registry entries deleted on Reboot...

______________________________________________________________

ESET log:


ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=70a799eae363fa4ca121a67d8a72322a
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-05-01 11:14:20
# local_time=2010-05-01 07:14:20 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=6.0.6002 NT Service Pack 2
# compatibility_mode=2560 16777215 100 0 0 0 0 0
# compatibility_mode=5892 16776573 100 100 0 109349807 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=148252
# found=9
# cleaned=9
# scan_time=13381
C:\wpp.exe a variant of Win32/Adware.PCProtector.B application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Program Files\My Lockbox\mylbx.exe Win32/Induc.A virus (deleted (after the next restart) - quarantined) 00000000000000000000000000000000 C
C:\ProgramData\Spybot - Search & Destroy\Recovery\Virtumondesdn2.zip Win32/Bagle.gen.zip worm (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Users\Bames\AppData\Local\Temp\NOD23E4.tmp Win32/Induc.A virus (deleted (after the next restart) - quarantined) 00000000000000000000000000000000 C
C:\Users\Bames\AppData\Roaming\alggui.exe a variant of Win32/Adware.PCProtector.B application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Users\Bames\AppData\Roaming\Microsoft\Internet Explorer\novavappq.exe probably a variant of Win32/Genetik trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Users\Bames\AppData\Roaming\scdata\wispex.html Win32/Adware.WinAntiVirus application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Users\Bames\Downloads\jZipV1h.exe a variant of Win32/Adware.Toolbar.Shopper.AA application (deleted - quarantined) 00000000000000000000000000000000 C
C:\Windows\System32\nadojizu.exe a variant of Win32/Adware.PCProtector.B application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
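The MovedFiles log above lists the malware folders OTL removed (ratifuya among them), while the OTL scan posted later in the thread still shows an HKLM Run value for ratifuya.DLL and a BHO for sohibesi.dll marked "File not found", which is what produces the "ratifuya.dll couldn't be found" message at logon that danthro reports in the next post. As an added example, not OTL's code or anything from this thread's helpers, here is a small Python script that cross-references the two logs; the sample lines are copied from this thread's logs, and the function names are my own.

```python
"""Cross-reference an OTL MovedFiles log with the O2/O4 lines of an OTL scan.

Cleanup tools remove the malware's folders, but a Run value or BHO CLSID that
pointed into such a folder can stay behind in the registry. Windows then
complains at logon that the DLL "could not be found". This added helper
(not part of OTL) finds those orphaned entries and names the likely cause.
"""
import ntpath
import re
from dataclasses import dataclass

# Sample input: lines copied from the MovedFiles log and OTL scan in this thread.
MOVED_LOG = r"""
c:\programdata\yulejoka folder moved successfully.
File\Folder c:\programdata\sohibesi not found.
c:\programdata\ratifuya folder moved successfully.
""".strip().splitlines()

OTL_SCAN = r"""
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (no name) - {cd7d3f30-7359-407e-b6bf-9ad1ea7241e6} - C:\ProgramData\sohibesi\sohibesi.dll File not found
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [mylbx] C:\Program Files\My Lockbox\mylbx.exe File not found
O4 - HKLM..\Run: [yabajuyosa] C:\ProgramData\ratifuya\ratifuya.DLL File not found
O4 - HKLM..\RunOnce: [Launcher] C:\Windows\SMINST\Launcher.exe (soft thinks)
""".strip().splitlines()

MOVED_RE = re.compile(r"^(?P<path>.+?) folder moved successfully\.$", re.I)
NOT_FOUND_RE = re.compile(r"^File\\Folder (?P<path>.+?) not found\.$", re.I)
# OTL ends each entry with either "(Company Name)" or the literal "File not found".
_TAIL = r" (?P<target>.+?) (?:\((?P<company>[^)]*)\)|(?P<missing>File not found))$"
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\.\.\\(?P<key>\w+): \[(?P<name>[^\]]+)\]" + _TAIL)
O2_RE = re.compile(r"^O2 - BHO: \((?P<name>[^)]*)\) - (?P<clsid>\{[0-9A-Fa-f-]+\}) -" + _TAIL)


@dataclass(frozen=True)
class AutorunEntry:
    kind: str      # "Run", "RunOnce" or "BHO"
    name: str
    target: str
    missing: bool  # True when OTL printed "File not found" for the target
    company: str   # "" when OTL showed no company name


def parse_moved_folders(lines):
    """Return (moved, not_found): lower-cased folder paths from a MovedFiles log."""
    moved, not_found = set(), set()
    for line in lines:
        line = line.strip()
        if m := MOVED_RE.match(line):
            moved.add(m["path"].lower())
        elif m := NOT_FOUND_RE.match(line):
            not_found.add(m["path"].lower())
    return moved, not_found


def parse_autoruns(lines):
    """Turn OTL O4 (Run/RunOnce) and O2 (BHO) lines into AutorunEntry records."""
    entries = []
    for line in lines:
        line = line.strip()
        if m := O4_RE.match(line):
            kind = m["key"]
        elif m := O2_RE.match(line):
            kind = "BHO"
        else:
            continue  # not an autorun line this helper understands
        entries.append(AutorunEntry(kind, m["name"], m["target"],
                                    m["missing"] is not None, m["company"] or ""))
    return entries


def orphaned_autoruns(moved_log, otl_scan):
    """Autorun entries whose target is gone, each paired with the likely reason."""
    moved, not_found = parse_moved_folders(moved_log)
    report = []
    for entry in parse_autoruns(otl_scan):
        if not entry.missing:
            continue
        parent = ntpath.dirname(entry.target).lower()
        if parent in moved:
            reason = "folder removed by OTL; registry entry left behind"
        elif parent in not_found:
            reason = "folder was already gone when OTL ran; registry entry left behind"
        else:
            # e.g. mylbx.exe: the ESET log shows it was deleted by ESET, not OTL
            reason = "target missing but not in the MovedFiles log (removed by another tool)"
        report.append((entry, reason))
    return report


def explain_logon_error(missing_file, otl_scan):
    """Map an 'X could not be found' logon message to the autorun entry that loads X."""
    wanted = missing_file.lower()
    return [e for e in parse_autoruns(otl_scan)
            if ntpath.basename(e.target).lower() == wanted]


if __name__ == "__main__":
    for entry, reason in orphaned_autoruns(MOVED_LOG, OTL_SCAN):
        print(f"{entry.kind:<7} [{entry.name}] -> {entry.target}\n        {reason}")
    for entry in explain_logon_error("ratifuya.dll", OTL_SCAN):
        print(f"logon error explained by {entry.kind} value [{entry.name}]")
```

The three orphaned entries it reports are exactly the ones a helper would delete with an OTL fix script; the HKLM Run value is also the reason the error reappears at every logon even though the DLL itself is gone.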




#4 Maurice Naggar
    Eradicator de malware
  • Malware Response Team
Posted 03 May 2010 - 06:23 AM

Eset online scan was run so there's no need to run it a second time in Firefox.
Eset did remove a number of malware items. Let's now get a report from OTL.
  • Close all open windows on the Task Bar. Right-Click the OTL icon and select Run as Administrator to start the program.
  • In the lower right corner of the Top Panel, checkmark "LOP Check" and checkmark "Purity Check".
  • Now click Run Scan at Top left and let the program run uninterrupted. It will take about 4 minutes.
  • It will produce two logs for you: one will pop up, called OTL.txt; the other will be saved on your desktop and called Extras.txt.
  • Exit Notepad. Remember where you've saved these 2 files as we will need both of them shortly!
  • Exit OTL by clicking the X at top right.
Download Security Check by screen317 and save it to your Desktop: here or here
  • Run Security Check
  • Follow the onscreen instructions inside of the command window.
  • A Notepad document should open automatically called checkup.txt; close Notepad. We will need this log, too, so remember where you've saved it!
If one of your security applications (e.g., third-party firewall) requests permission to allow DIG.EXE to access the Internet, allow it to do so.

Then copy/paste the following into your post (in order):
  • the contents of OTL.txt
  • the contents of Extras.txt
  • and Checkup.txt

~Maurice Naggar
MS-MVP (Oct 2002 - Sept 2010)

#5 danthro
  • Topic Starter
  • Members

Posted 03 May 2010 - 08:42 AM

Dear Maurice Naggar,

I pasted the logs you asked for below. There were a few document names that had my last name in them so I altered their names below just slightly (I replaced my last name with the word Lastname) -- I didn't think it should matter for our purposes. Also, I noticed the last log says that spybot is disabled--this is just because I disabled that (and McAfee and Malwarebytes) based on the instructions in your first post--let me know if you wanted them back on.

Hopefully these logs help us find what's causing the remaining problems. The browser is redirecting links and opening other tabs to random sites when I follow links. And my recycle bin still doesn't show on my desktop unless I go to the folder. Also, when I reboot my computer and log in, I get an error message that "ratifuya.dll" couldn't be found -- I think that was one of the processes or files associated with the virus. Anyway, I imagine you're already aware of this sort of thing, but figured it's better to give you more info than less.

Thanks again for your help!

OTL.txt

OTL logfile created on: 5/3/2010 8:59:42 AM - Run 1
OTL by OldTimer - Version 3.2.4.0 Folder = C:\Users\Bames\Desktop
Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18904)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 63.00% Memory free
6.00 Gb Paging File | 5.00 Gb Available in Paging File | 83.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 137.12 Gb Total Space | 83.82 Gb Free Space | 61.13% Space Free | Partition Type: NTFS
Drive D: | 11.93 Gb Total Space | 5.19 Gb Free Space | 43.52% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: NBA-LAPTOP
Current User Name: Bames
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/05/01 14:53:24 | 000,570,880 | ---- | M] (OldTimer Tools) -- C:\Users\Bames\Desktop\OTL.exe
PRC - [2009/11/17 12:07:46 | 001,528,624 | ---- | M] (Cisco Systems, Inc.) -- C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
PRC - [2009/05/03 15:22:28 | 000,073,392 | ---- | M] (FSPro Labs) -- C:\Windows\System32\fsproflt.exe
PRC - [2009/04/11 02:27:36 | 002,926,592 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
PRC - [2009/01/26 15:31:10 | 001,153,368 | ---- | M] (Safer Networking Ltd.) -- C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
PRC - [2008/05/22 21:50:00 | 000,144,704 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
PRC - [2008/05/22 21:50:00 | 000,079,184 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan Enterprise\mcupdate.exe
PRC - [2008/05/22 21:50:00 | 000,054,608 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
PRC - [2008/01/20 22:23:32 | 001,008,184 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Defender\MSASCui.exe
PRC - [2007/12/11 00:15:04 | 000,012,800 | ---- | M] (Agere Systems) -- C:\Windows\System32\agrsmsvc.exe
PRC - [2007/10/25 11:05:40 | 000,136,512 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\Common Framework\naPrdMgr.exe
PRC - [2007/10/25 11:04:08 | 000,169,280 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\Common Framework\McScript_InUse.exe
PRC - [2007/10/25 11:03:28 | 000,103,744 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\Common Framework\FrameworkService.exe
PRC - [2007/09/27 19:27:02 | 004,839,936 | ---- | M] () -- C:\Program Files\Camera Assistant Software for Gateway\CEC_MAIN.exe
PRC - [2007/09/13 17:09:44 | 000,638,976 | ---- | M] (Chicony) -- C:\Program Files\Camera Assistant Software for Gateway\traybar.exe
PRC - [2007/09/06 22:23:36 | 000,405,504 | ---- | M] (IDT, Inc.) -- C:\Windows\sttray.exe
PRC - [2007/07/12 19:36:12 | 000,354,840 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe
PRC - [2007/07/12 19:36:10 | 000,178,712 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
PRC - [2007/01/04 17:38:08 | 000,024,652 | ---- | M] (Viewpoint Corporation) -- C:\Program Files\Viewpoint\Common\ViewpointService.exe


========== Modules (SafeList) ==========

MOD - [2010/05/01 14:53:24 | 000,570,880 | ---- | M] (OldTimer Tools) -- C:\Users\Bames\Desktop\OTL.exe
MOD - [2009/04/11 02:21:38 | 001,686,016 | ---- | M] (Microsoft Corporation) -- C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6002.18005_none_5cb72f96088b0de0\comctl32.dll
MOD - [2008/01/20 22:24:37 | 000,110,592 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\msscript.ocx


========== Win32 Services (SafeList) ==========

SRV - [2009/11/17 12:07:46 | 001,528,624 | ---- | M] (Cisco Systems, Inc.) [Auto | Running] -- C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe -- (CVPND)
SRV - [2009/09/24 21:27:04 | 000,793,088 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\FntCache.dll -- (FontCache)
SRV - [2009/05/03 15:22:28 | 000,073,392 | ---- | M] (FSPro Labs) [Auto | Running] -- C:\Windows\System32\fsproflt.exe -- (fsproflt)
SRV - [2009/01/26 15:31:10 | 001,153,368 | ---- | M] (Safer Networking Ltd.) [Auto | Running] -- C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe -- (SBSDWSCService)
SRV - [2008/05/22 21:50:00 | 000,144,704 | ---- | M] (McAfee, Inc.) [Unknown | Running] -- C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe -- (McShield)
SRV - [2008/05/22 21:50:00 | 000,054,608 | ---- | M] (McAfee, Inc.) [Unknown | Running] -- C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe -- (McTaskManager)
SRV - [2008/01/20 22:23:32 | 000,272,952 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV - [2007/12/11 00:15:04 | 000,012,800 | ---- | M] (Agere Systems) [Auto | Running] -- C:\Windows\System32\agrsmsvc.exe -- (AgereModemAudio)
SRV - [2007/10/25 11:03:28 | 000,103,744 | ---- | M] (McAfee, Inc.) [Unknown | Running] -- C:\Program Files\McAfee\Common Framework\FrameworkService.exe -- (McAfeeFramework)
SRV - [2007/07/12 19:36:12 | 000,354,840 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe -- (IAANTMON) Intel®
SRV - [2007/01/04 17:38:08 | 000,024,652 | ---- | M] (Viewpoint Corporation) [Auto | Running] -- C:\Program Files\Viewpoint\Common\ViewpointService.exe -- (Viewpoint Manager Service)


========== Driver Services (SafeList) ==========

DRV - [2009/11/17 12:07:06 | 000,308,859 | ---- | M] (Cisco Systems, Inc.) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\CVPNDRVA.sys -- (CVPNDRVA)
DRV - [2009/01/20 07:49:26 | 000,142,848 | ---- | M] (Realtek Corporation ) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\Rtlh86.sys -- (RTL8169)
DRV - [2008/11/17 16:40:22 | 003,668,480 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\NETw5v32.sys -- (NETw5v32) Intel®
DRV - [2008/11/16 18:39:44 | 000,131,984 | ---- | M] (Deterministic Networks, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\dne2000.sys -- (DNE)
DRV - [2008/06/23 10:44:54 | 000,062,464 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\RTSTOR.sys -- (RTSTOR)
DRV - [2008/06/05 22:37:54 | 000,043,792 | ---- | M] (FSPro Labs) [File_System | Boot | Running] -- C:\Windows\System32\Drivers\FSPFltd.sys -- (FSProFilter)
DRV - [2008/05/22 21:50:00 | 000,174,952 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\mfehidk.sys -- (mfehidk)
DRV - [2008/05/22 21:50:00 | 000,072,936 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\mfeavfk.sys -- (mfeavfk)
DRV - [2008/05/22 21:50:00 | 000,064,232 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\mfeapfk.sys -- (mfeapfk)
DRV - [2008/05/22 21:50:00 | 000,052,104 | ---- | M] (McAfee, Inc.) [Kernel | System | Running] -- C:\Windows\System32\drivers\mfetdik.sys -- (mfetdik)
DRV - [2008/05/22 21:50:00 | 000,033,960 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\mfebopk.sys -- (mfebopk)
DRV - [2008/02/29 04:13:38 | 001,202,560 | ---- | M] (Agere Systems) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\AGRSM.sys -- (AgereSoftModem)
DRV - [2008/02/11 20:36:10 | 002,302,976 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\igdkmd32.sys -- (igfx)
DRV - [2008/01/20 22:23:27 | 000,386,616 | ---- | M] (LSI Corporation, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\megasr.sys -- (MegaSR)
DRV - [2008/01/20 22:23:27 | 000,149,560 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\adpu320.sys -- (adpu320)
DRV - [2008/01/20 22:23:27 | 000,031,288 | ---- | M] (LSI Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\megasas.sys -- (megasas)
DRV - [2008/01/20 22:23:26 | 000,101,432 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\adpu160m.sys -- (adpu160m)
DRV - [2008/01/20 22:23:26 | 000,074,808 | ---- | M] (Silicon Integrated Systems) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\sisraid4.sys -- (SiSRaid4)
DRV - [2008/01/20 22:23:26 | 000,040,504 | ---- | M] (Hewlett-Packard Company) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\hpcisss.sys -- (HpCISSs)
DRV - [2008/01/20 22:23:25 | 000,300,600 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\adpahci.sys -- (adpahci)
DRV - [2008/01/20 22:23:25 | 000,089,656 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\lsi_sas.sys -- (LSI_SAS)
DRV - [2008/01/20 22:23:24 | 001,122,360 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\ql2300.sys -- (ql2300)
DRV - [2008/01/20 22:23:24 | 000,118,784 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\E1G60I32.sys -- (E1G60) Intel®
DRV - [2008/01/20 22:23:24 | 000,079,928 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\arcsas.sys -- (arcsas)
DRV - [2008/01/20 22:23:23 | 000,235,064 | ---- | M] (Intel Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\iastorv.sys -- (iaStorV)
DRV - [2008/01/20 22:23:23 | 000,130,616 | ---- | M] (VIA Technologies Inc.,Ltd) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\vsmraid.sys -- (vsmraid)
DRV - [2008/01/20 22:23:23 | 000,115,816 | ---- | M] (Promise Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\ulsata2.sys -- (ulsata2)
DRV - [2008/01/20 22:23:23 | 000,096,312 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\lsi_scsi.sys -- (LSI_SCSI)
DRV - [2008/01/20 22:23:23 | 000,096,312 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\lsi_fc.sys -- (LSI_FC)
DRV - [2008/01/20 22:23:23 | 000,079,416 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\arc.sys -- (arc)
DRV - [2008/01/20 22:23:22 | 000,342,584 | ---- | M] (Emulex) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\elxstor.sys -- (elxstor)
DRV - [2008/01/20 22:23:21 | 000,422,968 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\adp94xx.sys -- (adp94xx)
DRV - [2008/01/20 22:23:21 | 000,102,968 | ---- | M] (NVIDIA Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\nvraid.sys -- (nvraid)
DRV - [2008/01/20 22:23:21 | 000,045,112 | ---- | M] (NVIDIA Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\nvstor.sys -- (nvstor)
DRV - [2008/01/20 22:23:20 | 002,225,664 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\NETw3v32.sys -- (NETw3v32) Intel®
DRV - [2008/01/20 22:23:20 | 000,238,648 | ---- | M] (ULi Electronics Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\uliahci.sys -- (uliahci)
DRV - [2008/01/20 22:23:00 | 000,020,024 | ---- | M] (VIA Technologies, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\viaide.sys -- (viaide)
DRV - [2008/01/20 22:23:00 | 000,019,000 | ---- | M] (CMD Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\cmdide.sys -- (cmdide)
DRV - [2008/01/20 22:23:00 | 000,017,464 | ---- | M] (Acer Laboratories Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\aliide.sys -- (aliide)
DRV - [2007/09/06 22:26:04 | 000,330,240 | ---- | M] (IDT, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\stwrt.sys -- (STHDA)
DRV - [2007/07/12 19:35:02 | 000,305,176 | ---- | M] (Intel Corporation) [Kernel | Boot | Running] -- C:\Windows\system32\DRIVERS\iaStor.sys -- (iaStor)
DRV - [2007/05/23 20:37:40 | 000,011,776 | ---- | M] (Chicony Electronics Co., Ltd.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\UVCFTR_S.SYS -- (UVCFTR)
DRV - [2007/05/23 17:26:34 | 000,049,904 | R--- | M] (Avanquest Software) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\BVRPMPR5.SYS -- (BVRPMPR5)
DRV - [2007/04/29 18:45:18 | 002,219,520 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\NETw4v32.sys -- (NETw4v32) Intel®
DRV - [2007/04/26 05:38:40 | 000,186,680 | ---- | M] (Synaptics, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\SynTP.sys -- (SynTP)
DRV - [2007/01/18 20:28:02 | 000,005,275 | ---- | M] (Cisco Systems, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\CVirtA.sys -- (CVirtA)
DRV - [2006/11/02 05:50:35 | 000,106,088 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\ql40xx.sys -- (ql40xx)
DRV - [2006/11/02 05:50:35 | 000,098,408 | ---- | M] (Promise Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\ulsata.sys -- (UlSata)
DRV - [2006/11/02 05:50:19 | 000,045,160 | ---- | M] (IBM Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\nfrd960.sys -- (nfrd960)
DRV - [2006/11/02 05:50:17 | 000,041,576 | ---- | M] (Intel Corp./ICP vortex GmbH) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\iirsp.sys -- (iirsp)
DRV - [2006/11/02 05:50:11 | 000,071,272 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\djsvs.sys -- (aic78xx)
DRV - [2006/11/02 05:50:09 | 000,035,944 | ---- | M] (Integrated Technology Express, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\iteraid.sys -- (iteraid)
DRV - [2006/11/02 05:50:07 | 000,035,944 | ---- | M] (Integrated Technology Express, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\iteatapi.sys -- (iteatapi)
DRV - [2006/11/02 05:50:05 | 000,035,944 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\symc8xx.sys -- (Symc8xx)
DRV - [2006/11/02 05:50:03 | 000,034,920 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\sym_u3.sys -- (Sym_u3)
DRV - [2006/11/02 05:49:59 | 000,033,384 | ---- | M] (LSI Logic Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\mraid35x.sys -- (Mraid35x)
DRV - [2006/11/02 05:49:56 | 000,031,848 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\sym_hi.sys -- (Sym_hi)
DRV - [2006/11/02 04:25:24 | 000,071,808 | ---- | M] (Brother Industries Ltd.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\brserid.sys -- (Brserid) Brother MFC Serial Port Interface Driver (WDM)
DRV - [2006/11/02 04:24:47 | 000,011,904 | ---- | M] (Brother Industries Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\drivers\brusbser.sys -- (BrUsbSer)
DRV - [2006/11/02 04:24:46 | 000,005,248 | ---- | M] (Brother Industries, Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\drivers\brfiltup.sys -- (BrFiltUp)
DRV - [2006/11/02 04:24:45 | 000,013,568 | ---- | M] (Brother Industries, Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\drivers\brfiltlo.sys -- (BrFiltLo)
DRV - [2006/11/02 04:24:44 | 000,062,336 | ---- | M] (Brother Industries Ltd.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\brserwdm.sys -- (BrSerWdm)
DRV - [2006/11/02 04:24:44 | 000,012,160 | ---- | M] (Brother Industries Ltd.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\brusbmdm.sys -- (BrUsbMdm)
DRV - [2006/11/02 03:36:50 | 000,020,608 | ---- | M] (N-trig Innovative Technologies) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\ntrigdigi.sys -- (ntrigdigi)
DRV - [2006/11/02 03:30:56 | 002,589,184 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\NETw2v32.sys -- (NETw2v32) Intel®
DRV - [2006/11/02 03:30:56 | 000,194,048 | ---- | M] (Marvell) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\yk60x86.sys -- (yukonwlh)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gateway.com/g/startpage.html?Ch...TB&M=M-6843
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.com/g/startpage.html?Ch...TB&M=M-6843
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.gateway.com/g/sidepanel.html?Ch...TB&M=M-6843

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gateway.com/g/startpage.html?Ch...TB&M=M-6843
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com/ie
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchDefaultBranded = 1
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..browser.startup.homepage: "http://gmail.com|http://news.google.com|http://www.hindustantimes.com/"
FF - prefs.js..extensions.enabledItems: zotero@chnm.gmu.edu:2.0.2
FF - prefs.js..extensions.enabledItems: moveplayer@movenetworks.com:7
FF - prefs.js..extensions.enabledItems: {bf70ba50-e70d-11dd-ba2f-0800200c9a66}:1.0.9
FF - prefs.js..extensions.enabledItems: nasanightlaunch@example.com:0.6.20100314
FF - prefs.js..extensions.enabledItems: {2dc42b10-7622-11de-8a39-0800200c9a66}:1.1.4
FF - prefs.js..extensions.enabledItems: kempelton-fx@arvidaxelsson.se:3.2.1
FF - prefs.js..extensions.enabledItems: {de5809e0-2b07-11dd-bd0b-0800200c9a66}:1.2.0


FF - HKLM\software\mozilla\Mozilla Firefox 3.6.3\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/04/02 17:21:04 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.3\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/04/02 17:21:04 | 000,000,000 | ---D | M]

[2008/08/20 15:38:00 | 000,000,000 | ---D | M] -- C:\Users\Bames\AppData\Roaming\mozilla\Extensions
[2010/05/02 23:20:54 | 000,000,000 | ---D | M] -- C:\Users\Bames\AppData\Roaming\mozilla\Firefox\Profiles\xaxowqkp.default\extensions
[2010/04/28 14:19:12 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Users\Bames\AppData\Roaming\mozilla\Firefox\Profiles\xaxowqkp.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2010/04/20 02:14:13 | 000,000,000 | ---D | M] (Royal Blue) -- C:\Users\Bames\AppData\Roaming\mozilla\Firefox\Profiles\xaxowqkp.default\extensions\{2dc42b10-7622-11de-8a39-0800200c9a66}
[2008/11/03 21:45:29 | 000,000,000 | ---D | M] (Aquatint Black Gloss) -- C:\Users\Bames\AppData\Roaming\mozilla\Firefox\Profiles\xaxowqkp.default\extensions\{7694c49c-9fbd-11dc-8314-0800200c9a66}
[2010/04/07 15:45:57 | 000,000,000 | ---D | M] (Gradient iBlu) -- C:\Users\Bames\AppData\Roaming\mozilla\Firefox\Profiles\xaxowqkp.default\extensions\{bf70ba50-e70d-11dd-ba2f-0800200c9a66}
[2010/04/10 09:58:47 | 000,000,000 | ---D | M] (Gradient iCool) -- C:\Users\Bames\AppData\Roaming\mozilla\Firefox\Profiles\xaxowqkp.default\extensions\{de5809e0-2b07-11dd-bd0b-0800200c9a66}
[2010/03/25 12:36:36 | 000,000,000 | ---D | M] -- C:\Users\Bames\AppData\Roaming\mozilla\Firefox\Profiles\xaxowqkp.default\extensions\kempelton-fx@arvidaxelsson.se
[2010/03/18 12:43:38 | 000,000,000 | ---D | M] -- C:\Users\Bames\AppData\Roaming\mozilla\Firefox\Profiles\xaxowqkp.default\extensions\nasanightlaunch@example.com
[2010/04/07 17:02:44 | 000,000,000 | ---D | M] -- C:\Users\Bames\AppData\Roaming\mozilla\Firefox\Profiles\xaxowqkp.default\extensions\zotero@chnm.gmu.edu
[2009/07/06 19:35:26 | 000,001,587 | ---- | M] () -- C:\Users\Bames\AppData\Roaming\Mozilla\FireFox\Profiles\xaxowqkp.default\searchplugins\dictionary---referencecom.xml
[2009/07/06 19:36:37 | 000,002,850 | ---- | M] () -- C:\Users\Bames\AppData\Roaming\Mozilla\FireFox\Profiles\xaxowqkp.default\searchplugins\goofram-search.xml
[2010/05/02 15:10:56 | 000,002,065 | ---- | M] () -- C:\Users\Bames\AppData\Roaming\Mozilla\FireFox\Profiles\xaxowqkp.default\searchplugins\serpanalytics-google-search.xml
[2010/01/28 17:33:06 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2007/04/16 13:07:12 | 000,180,293 | ---- | M] () -- C:\Program Files\Mozilla Firefox\plugins\npViewpoint.dll

O1 HOSTS File: ([2010/04/30 13:11:57 | 000,393,089 | R--- | M]) - C:\Windows\System32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O1 - Hosts: 127.0.0.1 www.007guard.com
O1 - Hosts: 127.0.0.1 007guard.com
O1 - Hosts: 127.0.0.1 008i.com
O1 - Hosts: 127.0.0.1 www.008k.com
O1 - Hosts: 127.0.0.1 008k.com
O1 - Hosts: 127.0.0.1 www.00hq.com
O1 - Hosts: 127.0.0.1 00hq.com
O1 - Hosts: 127.0.0.1 010402.com
O1 - Hosts: 127.0.0.1 www.032439.com
O1 - Hosts: 127.0.0.1 032439.com
O1 - Hosts: 127.0.0.1 www.0scan.com
O1 - Hosts: 127.0.0.1 0scan.com
O1 - Hosts: 127.0.0.1 1000gratisproben.com
O1 - Hosts: 127.0.0.1 www.1000gratisproben.com
O1 - Hosts: 127.0.0.1 1001namen.com
O1 - Hosts: 127.0.0.1 www.1001namen.com
O1 - Hosts: 127.0.0.1 100888290cs.com
O1 - Hosts: 127.0.0.1 www.100888290cs.com
O1 - Hosts: 127.0.0.1 www.100sexlinks.com
O1 - Hosts: 127.0.0.1 100sexlinks.com
O1 - Hosts: 127.0.0.1 10sek.com
O1 - Hosts: 127.0.0.1 www.10sek.com
O1 - Hosts: 127.0.0.1 www.1-2005-search.com
O1 - Hosts: 13577 more lines...
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (scriptproxy) - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll (McAfee, Inc.)
O2 - BHO: (PDF-XChange Viewer IE-Plugin) - {C5D07EB6-BBCE-4DAE-ACBB-D13A8D28CB1F} - C:\Program Files\Tracker Software\PDF-XChange Viewer\pdf-viewer\PDFXCviewIEPlugin.dll (Tracker Software Products Ltd.)
O2 - BHO: (CBrowserHelperObject Object) - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Windows\System32\BAE.dll (Gateway Inc.)
O2 - BHO: (no name) - {cd7d3f30-7359-407e-b6bf-9ad1ea7241e6} - C:\ProgramData\sohibesi\sohibesi.dll File not found
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe (Apple Inc.)
O4 - HKLM..\Run: [Camera Assistant Software] C:\Program Files\Camera Assistant Software for Gateway\traybar.exe (Chicony)
O4 - HKLM..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe (Intel Corporation)
O4 - HKLM..\Run: [mylbx] C:\Program Files\My Lockbox\mylbx.exe File not found
O4 - HKLM..\Run: [SigmatelSysTrayApp] C:\Windows\sttray.exe (IDT, Inc.)
O4 - HKLM..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)
O4 - HKLM..\Run: [yabajuyosa] C:\ProgramData\ratifuya\ratifuya.DLL File not found
O4 - HKLM..\RunOnce: [Launcher] C:\Windows\SMINST\Launcher.exe (soft thinks)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Main present
O8 - Extra context menu item: Add to Google Photos Screensa&ver - C:\Windows\System32\GPhotos.scr (Google Inc.)
O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000005 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O13 - gopher Prefix: missing
O16 - DPF: {00000130-9980-0010-8000-00AA00389B71} http://codecs.microsoft.com/codecs/i386/ACELPACM.CAB (Reg Error: Key error.)
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab (OnlineScanner Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_18)
O16 - DPF: {A3256902-51FA-45A0-8A97-FC1143C169D9} http://support.microsoft.com/mats/DiagWebControl.cab (Diagnostics ActiveX WebControl)
O16 - DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_05)
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_07)
O16 - DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_18)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_18)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 141.211.144.17 141.211.125.17
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\Windows\System32\igfxdev.dll (Intel Corporation)
O24 - Desktop WallPaper: C:\Users\Bames\AppData\Roaming\Microsoft\Windows Photo Gallery\Windows Photo Gallery Wallpaper.jpg
O24 - Desktop BackupWallPaper: C:\Users\Bames\AppData\Roaming\Microsoft\Windows Photo Gallery\Windows Photo Gallery Wallpaper.jpg
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/09/18 17:43:36 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O32 - AutoRun File - [2004/04/30 05:01:00 | 000,000,053 | -HS- | M] () - D:\Autorun.inf -- [ NTFS ]
O33 - MountPoints2\{1220eadb-fece-11dd-b639-00e0b8faab91}\Shell - "" = AutoRun
O33 - MountPoints2\{1220eadb-fece-11dd-b639-00e0b8faab91}\Shell\AutoRun\command - "" = G:\LaunchU3.exe -- File not found
O33 - MountPoints2\{69ffa9fd-e8e0-11dd-8e63-00e0b8faab91}\Shell\AutoRun\command - "" = WDSetup.exe
O33 - MountPoints2\{f082137c-3d06-11de-a12f-00e0b8faab91}\Shell - "" = AutoRun
O33 - MountPoints2\{f082137c-3d06-11de-a12f-00e0b8faab91}\Shell\AutoRun\command - "" = F:\LaunchU3.exe -- File not found
O33 - MountPoints2\F\Shell\AutoRun\command - "" = WDSetup.exe
O33 - MountPoints2\G\Shell - "" = AutoRun
O33 - MountPoints2\G\Shell\AutoRun\command - "" = G:\LaunchU3.exe -- File not found
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010/05/02 00:14:17 | 000,000,000 | ---D | C] -- C:\Windows\Sun
[2010/05/01 22:19:59 | 000,000,000 | ---D | C] -- C:\Users\Bames\Desktop\RootRepeal
[2010/05/01 15:28:12 | 000,000,000 | ---D | C] -- C:\Program Files\ESET
[2010/05/01 15:17:10 | 000,000,000 | ---D | C] -- C:\_OTL
[2010/05/01 14:53:07 | 000,570,880 | ---- | C] (OldTimer Tools) -- C:\Users\Bames\Desktop\OTL.exe
[2010/05/01 14:51:16 | 000,444,416 | ---- | C] (OldTimer Tools) -- C:\Users\Bames\Desktop\TFC.exe
[2010/05/01 14:48:53 | 000,000,000 | ---D | C] -- C:\Windows\ERDNT
[2010/05/01 14:47:35 | 000,000,000 | ---D | C] -- C:\Program Files\ERUNT
[2010/04/30 21:37:28 | 000,000,000 | ---D | C] -- C:\AKM Antivirus 2010 Pro
[2010/04/30 21:32:29 | 000,000,000 | -HSD | C] -- C:\Windows\System32\%APPDATA%
[2010/04/29 20:30:51 | 000,000,000 | ---D | C] -- C:\ProgramData\leheliyo
[2010/04/29 20:30:50 | 000,000,000 | ---D | C] -- C:\ProgramData\pazewaju
[2010/04/29 20:30:50 | 000,000,000 | ---D | C] -- C:\ProgramData\humopase
[2010/04/29 08:30:44 | 000,000,000 | ---D | C] -- C:\ProgramData\famuheno
[2010/04/29 08:30:43 | 000,000,000 | ---D | C] -- C:\ProgramData\nemirapu
[2010/04/29 08:30:42 | 000,000,000 | ---D | C] -- C:\ProgramData\nepusenu
[2010/04/29 01:55:59 | 000,000,000 | ---D | C] -- C:\Users\Bames\AppData\Local\jZip
[2010/04/29 01:55:08 | 000,000,000 | ---D | C] -- C:\Program Files\jZip
[2010/04/29 01:20:35 | 000,000,000 | ---D | C] -- C:\Users\Bames\AppData\Roaming\WinRAR
[2010/04/29 01:19:39 | 000,000,000 | ---D | C] -- C:\Program Files\WinRAR
[2010/04/29 01:08:06 | 000,000,000 | ---D | C] -- C:\Users\Bames\Desktop\gmer
[2010/04/28 22:34:04 | 000,000,000 | ---D | C] -- C:\Program Files\HijackThis
[2010/04/28 20:35:43 | 000,000,000 | ---D | C] -- C:\Users\Bames\AppData\Roaming\scdata
[2010/04/28 19:15:43 | 000,000,000 | ---D | C] -- C:\Users\Bames\AppData\Roaming\Malwarebytes
[2010/04/28 19:12:46 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbamswissarmy.sys
[2010/04/28 19:12:43 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
[2010/04/28 19:12:42 | 000,020,824 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
[2010/04/28 19:12:41 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010/04/28 18:16:53 | 000,000,000 | ---D | C] -- C:\Users\Bames\AppData\Local\rlxnwjokg
[2010/04/28 17:32:12 | 000,000,000 | ---D | C] -- C:\ProgramData\Spybot - Search & Destroy
[2010/04/28 17:32:12 | 000,000,000 | ---D | C] -- C:\Program Files\Spybot - Search & Destroy
[2010/04/26 17:24:27 | 000,000,000 | ---D | C] -- C:\Users\Bames\Documents\post OCR
[2010/04/26 14:37:45 | 000,000,000 | ---D | C] -- C:\Program Files\JRE
[2010/04/24 23:34:26 | 000,000,000 | ---D | C] -- C:\Users\Bames\AppData\Roaming\vlc
[2010/04/14 21:57:49 | 003,548,040 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ntoskrnl.exe
[2010/04/14 21:57:48 | 003,600,776 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ntkrnlpa.exe
[2010/04/14 21:57:44 | 000,420,352 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\vbscript.dll
[2010/04/14 21:57:27 | 000,062,464 | ---- | C] (Fraunhofer Institut Integrierte Schaltungen IIS) -- C:\Windows\System32\l3codeca.acm
[2010/04/14 21:57:26 | 000,220,672 | ---- | C] (Fraunhofer Institut Integrierte Schaltungen IIS) -- C:\Windows\System32\l3codecp.acm
[2010/04/13 10:20:15 | 000,000,000 | ---D | C] -- C:\Users\Bames\Documents\577 week 12
[2010/04/11 19:12:01 | 000,000,000 | ---D | C] -- C:\Users\Bames\Documents\ppt
[2010/04/11 16:21:10 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Deterministic Networks
[2010/04/11 16:21:01 | 000,000,000 | ---D | C] -- C:\Program Files\Cisco Systems
[2010/04/11 11:32:23 | 000,000,000 | R--D | C] -- C:\Users\Bames\Documents
[2010/04/11 03:00:51 | 000,000,000 | ---D | C] -- C:\Program Files\MSXML 4.0
[2010/04/10 19:49:52 | 000,000,000 | ---D | C] -- C:\Program Files\Windows Installer Clean Up
[2010/04/10 19:48:42 | 000,000,000 | ---D | C] -- C:\Program Files\MSECACHE
[2010/04/10 13:27:21 | 000,000,000 | ---D | C] -- C:\Program Files\Recuva
[2010/04/10 10:02:52 | 000,000,000 | ---D | C] -- C:\ProgramData\TEMP
[2010/04/10 10:02:41 | 000,082,432 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\msxml4r.dll
[2010/04/10 10:02:41 | 000,044,544 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\msxml4a.dll
[2010/04/10 10:02:33 | 000,000,000 | ---D | C] -- C:\Program Files\File Recover
[5 C:\ProgramData\*.tmp files -> C:\ProgramData\*.tmp -> ]
[5 C:\ProgramData\*.tmp files -> C:\ProgramData\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/05/03 09:05:49 | 000,000,422 | -H-- | M] () -- C:\Windows\tasks\User_Feed_Synchronization-{824C22FA-78C1-492F-B927-1B11838D9F20}.job
[2010/05/03 08:59:48 | 007,340,032 | -HS- | M] () -- C:\Users\Bames\ntuser.dat
[2010/05/03 08:56:15 | 000,003,216 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2010/05/03 08:56:15 | 000,003,216 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2010/05/03 08:56:12 | 000,000,006 | -H-- | M] () -- C:\Windows\tasks\SA.DAT
[2010/05/03 08:55:53 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2010/05/03 08:55:47 | 3211,190,272 | -HS- | M] () -- C:\hiberfil.sys
[2010/05/03 08:55:14 | 000,524,288 | -HS- | M] () -- C:\Users\Bames\NTUSER.DAT{3a539871-6a70-11db-887c-d362bd253390}.TMContainer00000000000000000002.regtrans-ms
[2010/05/03 08:55:14 | 000,065,536 | -HS- | M] () -- C:\Users\Bames\NTUSER.DAT{3a539871-6a70-11db-887c-d362bd253390}.TM.blf
[2010/05/03 08:55:01 | 002,053,240 | -H-- | M] () -- C:\Users\Bames\AppData\Local\IconCache.db
[2010/05/03 08:51:55 | 000,867,892 | ---- | M] () -- C:\Users\Bames\Desktop\SecurityCheck.exe
[2010/05/02 01:49:28 | 000,151,490 | ---- | M] () -- C:\Users\Bames\Desktop\rootrepealerror.jpg
[2010/05/01 22:17:59 | 000,464,491 | ---- | M] () -- C:\Users\Bames\Desktop\RootRepeal.zip
[2010/05/01 15:14:14 | 000,363,520 | ---- | M] () -- C:\Users\Bames\Desktop\rkill.exe
[2010/05/01 15:13:05 | 000,000,345 | ---- | M] () -- C:\Users\Bames\Desktop\rkill.pif.htm
[2010/05/01 15:12:25 | 000,363,520 | ---- | M] () -- C:\Users\Bames\Desktop\rkill.scr
[2010/05/01 15:11:19 | 000,363,520 | ---- | M] () -- C:\Users\Bames\Desktop\rkill.com
[2010/05/01 14:53:24 | 000,570,880 | ---- | M] (OldTimer Tools) -- C:\Users\Bames\Desktop\OTL.exe
[2010/05/01 14:51:29 | 000,444,416 | ---- | M] (OldTimer Tools) -- C:\Users\Bames\Desktop\TFC.exe
[2010/05/01 14:47:37 | 000,000,704 | ---- | M] () -- C:\Users\Bames\Desktop\NTREGOPT.lnk
[2010/05/01 00:42:48 | 003,924,810 | ---- | M] () -- C:\Users\Bames\Desktop\ComboFix.exe
[2010/04/30 22:33:26 | 000,004,100 | -H-- | M] () -- C:\ProgramData\wepamubi
[2010/04/30 13:11:57 | 000,393,089 | R--- | M] () -- C:\Windows\System32\drivers\etc\hosts
[2010/04/29 22:33:20 | 000,000,080 | ---- | M] () -- C:\Users\Bames\AppData\Roaming\wp4.dat
[2010/04/29 22:33:20 | 000,000,002 | ---- | M] () -- C:\Users\Bames\AppData\Roaming\wp3.dat
[2010/04/29 11:43:53 | 003,554,031 | ---- | M] () -- C:\Users\Bames\Documents\briggs bauman intertextuality.pdf
[2010/04/29 11:32:37 | 000,009,156 | ---- | M] () -- C:\Users\Bames\AppData\Roaming\wklnhst.dat
[2010/04/29 08:31:15 | 000,000,000 | ---- | M] () -- C:\Users\Bames\AppData\Roaming\extra1.dat
[2010/04/29 01:06:47 | 000,284,915 | ---- | M] () -- C:\Users\Bames\Desktop\gmer.zip
[2010/04/29 00:16:23 | 000,525,824 | ---- | M] () -- C:\Users\Bames\Desktop\dds.scr
[2010/04/28 21:56:41 | 000,000,104 | ---- | M] () -- C:\Users\Bames\Desktop\Recycle Bin - Shortcut.lnk
[2010/04/28 20:31:15 | 000,000,009 | ---- | M] () -- C:\Users\Bames\AppData\Roaming\nuar.old
[2010/04/28 20:31:13 | 000,000,036 | ---- | M] () -- C:\Users\Bames\AppData\Roaming\skynet.dat
[2010/04/28 18:55:56 | 000,000,761 | ---- | M] () -- C:\Windows\System32\drivers\etc\hosts.20100430-131157.backup
[2010/04/28 18:41:15 | 000,005,715 | ---- | M] () -- C:\Users\Bames\AppData\Roaming\PrimoPDFSet.xml
[2010/04/28 18:41:13 | 000,919,636 | ---- | M] () -- C:\Users\Bames\Documents\Remove Smart Security (Unin...pdf
[2010/04/28 18:31:30 | 000,010,650 | -HS- | M] () -- C:\Users\Bames\AppData\Local\6EUB
[2010/04/28 18:31:30 | 000,010,650 | -HS- | M] () -- C:\ProgramData\6EUB
[2010/04/28 17:24:59 | 000,010,560 | -HS- | M] () -- C:\Users\Bames\AppData\Local\koX6
[2010/04/28 17:24:59 | 000,010,560 | -HS- | M] () -- C:\ProgramData\koX6
[2010/04/28 10:32:18 | 000,018,391 | ---- | M] () -- C:\Users\Bames\Documents\gfh wed amh nyt.pdf
[2010/04/28 03:18:38 | 001,579,520 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT
[2010/04/27 15:43:12 | 000,080,704 | ---- | M] () -- C:\Users\Bames\AppData\Local\GDIPFONTCACHEV1.DAT
[2010/04/26 19:09:22 | 000,031,744 | ---- | M] () -- C:\Users\Bames\Documents\India Reading list 042610-3.doc
[2010/04/26 19:08:43 | 000,128,512 | ---- | M] () -- C:\Users\Bames\Documents\India Reading list 042610.doc
[2010/04/26 18:16:52 | 000,080,049 | ---- | M] () -- C:\Users\Bames\Documents\Anthro of South Asia Win 2009 syllabus 28 Jan.doc.pdf
[2010/04/26 14:29:11 | 007,785,019 | ---- | M] () -- C:\Users\Bames\Documents\Bourdieu.pdf
[2010/04/26 09:37:14 | 000,775,875 | ---- | M] () -- C:\Users\Bames\Documents\revolution in ethn time trautmann.pdf
[2010/04/25 23:16:57 | 003,128,451 | ---- | M] () -- C:\Users\Bames\Documents\stocking whats in a name origins of RAI.pdf
[2010/04/25 22:01:59 | 000,014,336 | ---- | M] () -- C:\Users\Bames\Documents\Lastname Final.doc
[2010/04/25 21:20:00 | 003,067,886 | ---- | M] () -- C:\Users\Bames\Documents\leach glimpses of unmentionable.pdf
[2010/04/25 15:49:38 | 000,327,597 | ---- | M] () -- C:\Users\Bames\Documents\style_guide.pdf
[2010/04/23 13:28:24 | 002,801,463 | ---- | M] () -- C:\Users\Bames\Documents\LatourTechnoligyisSociety.pdf
[2010/04/23 11:02:01 | 000,065,909 | ---- | M] () -- C:\Users\Bames\Documents\HBA%20101%20syllabus%20f10.pdf
[2010/04/22 17:33:43 | 000,749,965 | ---- | M] () -- C:\Users\Bames\Documents\midnightsun_partial_draft4.pdf
[2010/04/22 15:31:59 | 000,310,486 | ---- | M] () -- C:\Users\Bames\Documents\Asad.pdf
[2010/04/22 11:22:20 | 002,218,034 | ---- | M] () -- C:\Users\Bames\Documents\Anderson.pdf
[2010/04/22 11:22:05 | 003,134,074 | ---- | M] () -- C:\Users\Bames\Documents\Sahlins2.pdf
[2010/04/22 11:18:12 | 003,332,918 | ---- | M] () -- C:\Users\Bames\Documents\Foucault.pdf
[2010/04/20 17:02:34 | 000,010,827 | ---- | M] () -- C:\Users\Bames\Documents\577precis.instrs.09.pdf
[2010/04/20 17:02:24 | 000,022,433 | ---- | M] () -- C:\Users\Bames\Documents\577papersguide.09.pdf
[2010/04/20 14:26:56 | 000,312,320 | ---- | M] () -- C:\Users\Bames\Documents\Ling 577 notes.doc
[2010/04/18 13:59:28 | 000,050,984 | ---- | M] () -- C:\Users\Bames\Documents\rackham budget 2010 HBA.pdf
[2010/04/18 13:53:28 | 000,101,851 | ---- | M] () -- C:\Users\Bames\Documents\Rackham_statement_HBA2.pdf
[2010/04/18 13:41:28 | 000,036,864 | ---- | M] () -- C:\Users\Bames\Documents\Rackham_statement_HBA.doc
[2010/04/18 11:38:39 | 000,010,240 | ---- | M] () -- C:\Users\Bames\Documents\recipes.doc
[2010/04/14 19:09:40 | 000,375,808 | ---- | M] () -- C:\Users\Bames\Documents\Trads notes.doc
[2010/04/14 17:20:55 | 000,059,392 | ---- | M] () -- C:\Users\Bames\Documents\Lastname midterm AL.doc
[2010/04/14 17:10:04 | 000,000,754 | ---- | M] () -- C:\Users\Bames\Desktop\Recovered Files - Shortcut.lnk
[2010/04/12 17:45:32 | 000,028,160 | ---- | M] () -- C:\Users\Bames\Documents\fac mtg notes 041210.doc
[2010/04/12 11:31:03 | 000,531,105 | ---- | M] () -- C:\Users\Bames\Documents\Petryna- Biological Citizenship.pdf
[2010/04/11 18:15:15 | 000,221,339 | ---- | M] () -- C:\Users\Bames\Documents\PDF+4.11HISTORY_OF_ANTHROPOLOGY_IN_INDIA01.pdf
[2010/04/11 16:24:06 | 000,001,594 | ---- | M] () -- C:\Windows\VPNInstall.MIF
[2010/04/11 16:21:13 | 000,001,982 | ---- | M] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\VPN Client.lnk
[2010/04/10 18:25:53 | 000,014,848 | ---- | M] () -- C:\Users\Bames\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/04/10 15:21:20 | 000,196,996 | ---- | M] () -- C:\Users\Bames\Documents\Lastname NSF Final 2009.pdf
[2010/04/10 15:20:00 | 000,012,288 | ---- | M] () -- C:\Users\Bames\Documents\draft e-mail srinivasan.doc
[2010/04/10 15:19:54 | 000,025,600 | ---- | M] () -- C:\Users\Bames\Documents\IIIF statement of purpose.doc
[2010/04/10 15:19:48 | 000,018,432 | ---- | M] () -- C:\Users\Bames\Documents\FINAL summer funding 2010.doc
[2010/04/10 15:18:16 | 001,682,440 | ---- | M] () -- C:\Users\Bames\Documents\Grice - Logic and Conversation.pdf
[2010/04/10 15:18:12 | 001,261,950 | ---- | M] () -- C:\Users\Bames\Documents\Silverstein - Indeterminacy of Contextualization.pdf
[2010/04/10 15:15:50 | 000,050,688 | ---- | M] () -- C:\Users\Bames\Documents\Trads II Syllabus.doc
[2010/04/10 15:12:10 | 000,057,344 | ---- | M] () -- C:\Users\Bames\Documents\Lastname TradsII midterm.doc
[2010/04/10 15:11:12 | 000,559,354 | ---- | M] () -- C:\Users\Bames\Documents\shore & wright.pdf
[2010/04/10 15:11:00 | 000,309,897 | ---- | M] () -- C:\Users\Bames\Documents\rimoldi.pdf
[2010/04/10 15:10:54 | 001,535,533 | ---- | M] () -- C:\Users\Bames\Documents\audit cultures misc.pdf
[2010/04/10 15:10:44 | 003,566,428 | ---- | M] () -- C:\Users\Bames\Documents\american counterinsurgency gonzalez.pdf
[2010/04/10 15:10:06 | 000,209,590 | ---- | M] () -- C:\Users\Bames\Documents\GSGT Application Form 2010-11.pdf
[2010/04/10 15:10:02 | 000,039,936 | ---- | M] () -- C:\Users\Bames\Documents\CICS GSGT Letter HBA.doc
[2010/04/10 15:09:02 | 001,529,670 | ---- | M] () -- C:\Users\Bames\Documents\Lutz.pdf
[2010/04/10 15:09:00 | 000,121,728 | ---- | M] () -- C:\Users\Bames\Documents\Dominic Boyer - The Medium ...pdf
[2010/04/10 15:07:00 | 000,279,918 | ---- | M] () -- C:\Users\Bames\Documents\NSF2010 rating sheets HBA.pdf
[2010/04/10 15:01:40 | 000,123,885 | ---- | M] () -- C:\Users\Bames\Documents\577+syllabus+2010.pdf
[2010/04/10 14:57:20 | 000,031,232 | ---- | M] () -- C:\Users\Bames\Documents\Anth101.Syllabus.Winter.2010.2.doc
[2010/04/10 14:45:02 | 000,050,330 | ---- | M] () -- C:\Users\Bames\Documents\Sublease_agree_print2.pdf
[2010/04/10 14:24:28 | 000,380,778 | ---- | M] () -- C:\Users\Bames\Documents\Sublease_agree.pdf
[5 C:\ProgramData\*.tmp files -> C:\ProgramData\*.tmp -> ]
[5 C:\ProgramData\*.tmp files -> C:\ProgramData\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/05/03 08:51:50 | 000,867,892 | ---- | C] () -- C:\Users\Bames\Desktop\SecurityCheck.exe
[2010/05/02 01:49:28 | 000,151,490 | ---- | C] () -- C:\Users\Bames\Desktop\rootrepealerror.jpg
[2010/05/01 22:17:56 | 000,464,491 | ---- | C] () -- C:\Users\Bames\Desktop\RootRepeal.zip
[2010/05/01 15:13:34 | 000,363,520 | ---- | C] () -- C:\Users\Bames\Desktop\rkill.exe
[2010/05/01 15:13:05 | 000,000,345 | ---- | C] () -- C:\Users\Bames\Desktop\rkill.pif.htm
[2010/05/01 15:11:45 | 000,363,520 | ---- | C] () -- C:\Users\Bames\Desktop\rkill.scr
[2010/05/01 14:51:49 | 000,363,520 | ---- | C] () -- C:\Users\Bames\Desktop\rkill.com
[2010/05/01 14:47:37 | 000,000,704 | ---- | C] () -- C:\Users\Bames\Desktop\NTREGOPT.lnk
[2010/05/01 00:42:18 | 003,924,810 | ---- | C] () -- C:\Users\Bames\Desktop\ComboFix.exe
[2010/04/30 08:39:39 | 3211,190,272 | -HS- | C] () -- C:\hiberfil.sys
[2010/04/29 22:32:06 | 000,140,288 | ---- | C] () -- C:\Users\Bames\Desktop\vcleaner.exe
[2010/04/29 11:43:53 | 003,554,031 | ---- | C] () -- C:\Users\Bames\Documents\briggs bauman intertextuality.pdf
[2010/04/29 08:31:15 | 000,000,000 | ---- | C] () -- C:\Users\Bames\AppData\Roaming\extra1.dat
[2010/04/29 01:06:46 | 000,284,915 | ---- | C] () -- C:\Users\Bames\Desktop\gmer.zip
[2010/04/29 00:16:20 | 000,525,824 | ---- | C] () -- C:\Users\Bames\Desktop\dds.scr
[2010/04/28 21:56:41 | 000,000,104 | ---- | C] () -- C:\Users\Bames\Desktop\Recycle Bin - Shortcut.lnk
[2010/04/28 20:31:15 | 000,000,009 | ---- | C] () -- C:\Users\Bames\AppData\Roaming\nuar.old
[2010/04/28 20:31:14 | 000,000,080 | ---- | C] () -- C:\Users\Bames\AppData\Roaming\wp4.dat
[2010/04/28 20:31:14 | 000,000,002 | ---- | C] () -- C:\Users\Bames\AppData\Roaming\wp3.dat
[2010/04/28 20:31:13 | 000,000,036 | ---- | C] () -- C:\Users\Bames\AppData\Roaming\skynet.dat
[2010/04/28 18:41:11 | 000,919,636 | ---- | C] () -- C:\Users\Bames\Documents\Remove Smart Security (Unin...pdf
[2010/04/28 18:14:12 | 000,010,650 | -HS- | C] () -- C:\Users\Bames\AppData\Local\6EUB
[2010/04/28 18:14:12 | 000,010,650 | -HS- | C] () -- C:\ProgramData\6EUB
[2010/04/28 16:49:46 | 000,010,560 | -HS- | C] () -- C:\Users\Bames\AppData\Local\koX6
[2010/04/28 16:49:46 | 000,010,560 | -HS- | C] () -- C:\ProgramData\koX6
[2010/04/28 10:32:18 | 000,018,391 | ---- | C] () -- C:\Users\Bames\Documents\gfh wed amh nyt.pdf
[2010/04/26 19:09:21 | 000,031,744 | ---- | C] () -- C:\Users\Bames\Documents\India Reading list 042610-3.doc
[2010/04/26 10:22:14 | 000,128,512 | ---- | C] () -- C:\Users\Bames\Documents\India Reading list 042610.doc
[2010/04/25 23:16:57 | 003,128,451 | ---- | C] () -- C:\Users\Bames\Documents\stocking whats in a name origins of RAI.pdf
[2010/04/25 22:39:36 | 000,775,875 | ---- | C] () -- C:\Users\Bames\Documents\revolution in ethn time trautmann.pdf
[2010/04/25 21:20:00 | 003,067,886 | ---- | C] () -- C:\Users\Bames\Documents\leach glimpses of unmentionable.pdf
[2010/04/25 15:29:47 | 000,014,336 | ---- | C] () -- C:\Users\Bames\Documents\LastnameII Final.doc
[2010/04/23 21:41:34 | 007,785,019 | ---- | C] () -- C:\Users\Bames\Documents\Bourdieu.pdf
[2010/04/23 11:02:01 | 000,065,909 | ---- | C] () -- C:\Users\Bames\Documents\HBA%20101%20syllabus%20f10.pdf
[2010/04/22 17:33:43 | 000,749,965 | ---- | C] () -- C:\Users\Bames\Documents\midnightsun_partial_draft4.pdf
[2010/04/22 11:21:37 | 003,134,074 | ---- | C] () -- C:\Users\Bames\Documents\Sahlins2.pdf
[2010/04/22 11:21:29 | 002,218,034 | ---- | C] () -- C:\Users\Bames\Documents\Anderson.pdf
[2010/04/22 11:18:12 | 003,332,918 | ---- | C] () -- C:\Users\Bames\Documents\Foucault.pdf
[2010/04/22 11:15:34 | 002,801,463 | ---- | C] () -- C:\Users\Bames\Documents\LatourTechnoligyisSociety.pdf
[2010/04/22 10:45:30 | 000,310,486 | ---- | C] () -- C:\Users\Bames\Documents\Asad.pdf
[2010/04/22 09:43:32 | 000,327,597 | ---- | C] () -- C:\Users\Bames\Documents\style_guide.pdf
[2010/04/20 17:02:34 | 000,010,827 | ---- | C] () -- C:\Users\Bames\Documents\577precis.instrs.09.pdf
[2010/04/20 17:02:24 | 000,022,433 | ---- | C] () -- C:\Users\Bames\Documents\577papersguide.09.pdf
[2010/04/18 13:59:25 | 000,050,984 | ---- | C] () -- C:\Users\Bames\Documents\rackham budget 2010 HBA.pdf
[2010/04/18 13:53:25 | 000,101,851 | ---- | C] () -- C:\Users\Bames\Documents\Rackham_statement_HBA2.pdf
[2010/04/18 11:38:38 | 000,010,240 | ---- | C] () -- C:\Users\Bames\Documents\recipes.doc
[2010/04/14 17:20:53 | 000,059,392 | ---- | C] () -- C:\Users\Bames\Documents\Lastname midterm AL.doc
[2010/04/14 17:10:04 | 000,000,754 | ---- | C] () -- C:\Users\Bames\Desktop\Recovered Files - Shortcut.lnk
[2010/04/14 16:20:53 | 000,375,808 | ---- | C] () -- C:\Users\Bames\Documents\Trads notes.doc
[2010/04/13 13:22:07 | 000,312,320 | ---- | C] () -- C:\Users\Bames\Documents\Ling 577 notes.doc
[2010/04/12 16:09:33 | 000,028,160 | ---- | C] () -- C:\Users\Bames\Documents\fac mtg notes 041210.doc
[2010/04/11 19:12:15 | 000,531,105 | ---- | C] () -- C:\Users\Bames\Documents\Petryna- Biological Citizenship.pdf
[2010/04/11 19:12:14 | 003,566,428 | ---- | C] () -- C:\Users\Bames\Documents\american counterinsurgency gonzalez.pdf
[2010/04/11 19:12:14 | 001,682,440 | ---- | C] () -- C:\Users\Bames\Documents\Grice - Logic and Conversation.pdf
[2010/04/11 19:12:14 | 001,535,533 | ---- | C] () -- C:\Users\Bames\Documents\audit cultures misc.pdf
[2010/04/11 19:12:14 | 001,529,670 | ---- | C] () -- C:\Users\Bames\Documents\Lutz.pdf
[2010/04/11 19:12:14 | 000,279,918 | ---- | C] () -- C:\Users\Bames\Documents\NSF2010 rating sheets HBA.pdf
[2010/04/11 19:12:14 | 000,209,590 | ---- | C] () -- C:\Users\Bames\Documents\GSGT Application Form 2010-11.pdf
[2010/04/11 19:12:14 | 000,196,996 | ---- | C] () -- C:\Users\Bames\Documents\Lastname NSF Final 2009.pdf
[2010/04/11 19:12:14 | 000,123,885 | ---- | C] () -- C:\Users\Bames\Documents\577+syllabus+2010.pdf
[2010/04/11 19:12:14 | 000,121,728 | ---- | C] () -- C:\Users\Bames\Documents\Dominic Boyer - The Medium ...pdf
[2010/04/11 19:12:14 | 000,080,049 | ---- | C] () -- C:\Users\Bames\Documents\Anthro of South Asia Win 2009 syllabus 28 Jan.doc.pdf
[2010/04/11 19:12:14 | 000,057,344 | ---- | C] () -- C:\Users\Bames\Documents\Lastname midterm.doc
[2010/04/11 19:12:14 | 000,039,936 | ---- | C] () -- C:\Users\Bames\Documents\CICS GSGT Letter HBA.doc
[2010/04/11 19:12:14 | 000,031,232 | ---- | C] () -- C:\Users\Bames\Documents\Anth101.Syllabus.Winter.2010.2.doc
[2010/04/11 19:12:14 | 000,025,600 | ---- | C] () -- C:\Users\Bames\Documents\IIIF statement of purpose.doc
[2010/04/11 19:12:14 | 000,018,432 | ---- | C] () -- C:\Users\Bames\Documents\FINAL summer funding 2010.doc
[2010/04/11 19:12:14 | 000,012,288 | ---- | C] () -- C:\Users\Bames\Documents\draft e-mail srinivasan.doc
[2010/04/11 19:12:01 | 001,261,950 | ---- | C] () -- C:\Users\Bames\Documents\Silverstein - Indeterminacy of Contextualization.pdf
[2010/04/11 19:12:01 | 000,559,354 | ---- | C] () -- C:\Users\Bames\Documents\shore & wright.pdf
[2010/04/11 19:12:01 | 000,380,778 | ---- | C] () -- C:\Users\Bames\Documents\Sublease_agree.pdf
[2010/04/11 19:12:01 | 000,309,897 | ---- | C] () -- C:\Users\Bames\Documents\rimoldi.pdf
[2010/04/11 19:12:01 | 000,050,688 | ---- | C] () -- C:\Users\Bames\Documents\Trads II Syllabus.doc
[2010/04/11 19:12:01 | 000,050,330 | ---- | C] () -- C:\Users\Bames\Documents\Sublease_agree_print2.pdf
[2010/04/11 19:12:01 | 000,036,864 | ---- | C] () -- C:\Users\Bames\Documents\Rackham_statement_HBA.doc
[2010/04/11 18:15:15 | 000,221,339 | ---- | C] () -- C:\Users\Bames\Documents\PDF+4.11HISTORY_OF_ANTHROPOLOGY_IN_INDIA01.pdf
[2010/04/11 16:24:06 | 000,001,594 | ---- | C] () -- C:\Windows\VPNInstall.MIF
[2010/04/11 16:21:13 | 000,001,982 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\VPN Client.lnk
[2010/02/27 19:02:20 | 000,051,716 | ---- | C] () -- C:\Windows\System32\pdf995mon.dll
[2010/02/27 19:02:20 | 000,000,060 | ---- | C] () -- C:\Windows\wpd99.drv
[2009/11/17 12:08:34 | 000,197,424 | ---- | C] () -- C:\Windows\System32\vpnapi.dll
[2009/09/17 08:42:48 | 000,117,248 | ---- | C] () -- C:\Windows\System32\EhStorAuthn.dll
[2009/03/07 16:53:06 | 000,176,235 | ---- | C] () -- C:\Windows\System32\Primomonnt.dll
[2009/01/30 14:52:11 | 000,000,280 | ---- | C] () -- C:\Windows\System32\epoPGPsdk.dll.sig
[2008/08/20 17:23:40 | 000,000,021 | ---- | C] () -- C:\Windows\atid.ini
[2008/06/11 03:20:29 | 001,953,696 | ---- | C] () -- C:\Windows\System32\igklg400.dll
[2008/06/11 03:20:29 | 001,533,360 | ---- | C] () -- C:\Windows\System32\igklg450.dll
[2008/06/11 03:20:29 | 000,147,456 | ---- | C] () -- C:\Windows\System32\igfxCoIn_v1409.dll
[2008/06/11 03:20:29 | 000,104,636 | ---- | C] () -- C:\Windows\System32\igmedcompkrn.dll
[2008/06/11 03:18:24 | 001,060,424 | ---- | C] () -- C:\Windows\System32\WdfCoInstaller01000.dll
[2008/04/28 13:13:33 | 000,000,310 | ---- | C] () -- C:\Windows\primopdf.ini
[2008/02/11 20:55:18 | 000,147,456 | ---- | C] () -- C:\Windows\System32\igfxCoIn_v1437.dll
[2006/11/02 08:35:32 | 000,005,632 | ---- | C] () -- C:\Windows\System32\sysprepMCE.dll
[2006/11/02 03:40:29 | 000,013,750 | ---- | C] () -- C:\Windows\System32\pacerprf.ini

========== LOP Check ==========

[2008/12/16 00:57:29 | 000,000,000 | ---D | M] -- C:\Users\Bames\AppData\Roaming\EasyJob Resume Builder
[2010/04/10 22:46:16 | 000,000,000 | ---D | M] -- C:\Users\Bames\AppData\Roaming\EndNote
[2009/12/03 20:12:49 | 000,000,000 | ---D | M] -- C:\Users\Bames\AppData\Roaming\gtk-2.0
[2009/01/30 14:30:11 | 000,000,000 | ---D | M] -- C:\Users\Bames\AppData\Roaming\OpenOffice.org
[2010/02/27 19:07:15 | 000,000,000 | ---D | M] -- C:\Users\Bames\AppData\Roaming\pdf995
[2008/08/20 17:29:06 | 000,000,000 | ---D | M] -- C:\Users\Bames\AppData\Roaming\QQ Games Plugin
[2009/01/22 20:22:34 | 000,000,000 | ---D | M] -- C:\Users\Bames\AppData\Roaming\SampleView
[2010/05/01 16:22:06 | 000,000,000 | ---D | M] -- C:\Users\Bames\AppData\Roaming\scdata
[2008/08/25 21:34:46 | 000,000,000 | ---D | M] -- C:\Users\Bames\AppData\Roaming\Template
[2010/01/25 14:47:09 | 000,000,000 | ---D | M] -- C:\Users\Bames\AppData\Roaming\uTorrent
[2010/05/03 08:55:08 | 000,032,638 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT
[2010/05/03 09:05:49 | 000,000,422 | -H-- | M] () -- C:\Windows\Tasks\User_Feed_Synchronization-{824C22FA-78C1-492F-B927-1B11838D9F20}.job

========== Purity Check ==========



========== Alternate Data Streams ==========

@Alternate Data Stream - 146 bytes -> C:\ProgramData\TEMP:24051EFF
@Alternate Data Stream - 121 bytes -> C:\ProgramData\TEMP:DFC5A2B2
@Alternate Data Stream - 115 bytes -> C:\ProgramData\TEMP:A8ADE5D8
< End of report >

______________________________________________________


Extras.txt:


OTL Extras logfile created on: 5/3/2010 8:59:42 AM - Run 1
OTL by OldTimer - Version 3.2.4.0 Folder = C:\Users\Bames\Desktop
Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18904)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 63.00% Memory free
6.00 Gb Paging File | 5.00 Gb Available in Paging File | 83.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 137.12 Gb Total Space | 83.82 Gb Free Space | 61.13% Space Free | Partition Type: NTFS
Drive D: | 11.93 Gb Total Space | 5.19 Gb Free Space | 43.52% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: NBA-LAPTOP
Current User Name: Bames
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- C:\Windows\System32\control.exe (Microsoft Corporation)
.hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation)

[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)
htmlfile [edit] -- Reg Error: Key error.
htmlfile [print] -- rundll32.exe %windir%\system32\mshtml.dll,PrintHTML "%1"
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [AddToPlaylistVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1" ()
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [PlayWithVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1" ()
Folder [open] -- %SystemRoot%\Explorer.exe /separate,/idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /separate,/e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0
"VistaSp1" = Reg Error: Unknown registry data type -- File not found
"VistaSp2" = Reg Error: Unknown registry data type -- File not found

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0

========== Authorized Applications List ==========


========== Vista Active Open Ports Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{00BE2719-A029-4EB5-A783-32B92D7675FE}" = rport=139 | protocol=6 | dir=out | app=system |
"{1D128F95-E12C-442C-A203-AC727DCFC744}" = lport=5355 | protocol=17 | dir=in | svc=dnscache | app=%systemroot%\system32\svchost.exe |
"{1D2614E2-6122-44EC-84E4-5B57AE0B2EDC}" = rport=137 | protocol=17 | dir=out | app=system |
"{3C270835-4F13-4687-83E6-7124F30EDDEC}" = rport=3702 | protocol=17 | dir=out | svc=fdphost | app=%systemroot%\system32\svchost.exe |
"{4DD14ED5-17DF-4932-894A-6D5619B6A142}" = rport=3702 | protocol=17 | dir=out | svc=fdrespub | app=%systemroot%\system32\svchost.exe |
"{519FAFCD-B176-47D6-A195-C411D1901349}" = lport=137 | protocol=17 | dir=in | app=system |
"{5A18385E-95AA-42FE-9AEC-1E37D94C00B2}" = lport=445 | protocol=6 | dir=in | app=system |
"{8031E31F-D244-4794-AE28-19E46224E314}" = rport=138 | protocol=17 | dir=out | app=system |
"{8A2C720E-6524-44A5-AA5E-1E430F7FCDC4}" = rport=1900 | protocol=17 | dir=out | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |
"{9001E97F-2841-4451-AEA8-DA39AFD273DF}" = lport=3702 | protocol=17 | dir=in | svc=fdphost | app=%systemroot%\system32\svchost.exe |
"{A7834EC4-83FA-497A-94FA-5FA8D08FF59F}" = lport=138 | protocol=17 | dir=in | app=system |
"{A961DBF3-B9F4-4734-8221-E45E1681DEB4}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |
"{AEFB878C-500F-46A3-BBD7-39503128F1D0}" = lport=rpc | protocol=6 | dir=in | svc=spooler | app=%systemroot%\system32\spoolsv.exe |
"{AFC1557D-7053-47D8-98A4-6FBC166FB4E1}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=svchost.exe |
"{BA006A53-A29F-48EE-8AA8-6B22019E1F23}" = rport=445 | protocol=6 | dir=out | app=system |
"{D9A5E2CD-B08E-4281-A253-CC22570F433B}" = rport=5355 | protocol=17 | dir=out | svc=dnscache | app=%systemroot%\system32\svchost.exe |
"{DEBAA1EA-4E1C-4444-B858-817B08590132}" = lport=139 | protocol=6 | dir=in | app=system |
"{E5F48CBE-0ADF-4CE6-9704-A9C140CDA253}" = lport=2869 | protocol=6 | dir=in | app=system |
"{EA91706C-9322-4C71-B4D6-80FBE76D1CC9}" = lport=rpc-epmap | protocol=6 | dir=in | svc=rpcss | name=@firewallapi.dll,-28539 |
"{EBBA81AD-68A5-4E32-A7A5-1BBDBDA1A8A6}" = lport=3702 | protocol=17 | dir=in | svc=fdrespub | app=%systemroot%\system32\svchost.exe |

========== Vista Active Application Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{0E4A55B1-82F5-4212-BA01-ADDEE3A2930D}" = dir=in | app=c:\program files\msn messenger\msnmsgr.exe |
"{169433CC-0042-4012-BD82-A08FC00AF433}" = protocol=1 | dir=out | name=@firewallapi.dll,-28544 |
"{21BCF5C3-FA15-4168-878A-7A44C121EB0B}" = protocol=6 | dir=in | app=c:\windows\system32\wininit.exe |
"{30549A18-557E-452A-A953-6102293D0CB8}" = protocol=17 | dir=in | app=c:\program files\itunes\itunes.exe |
"{338697F9-31DD-4ED4-B6AE-5533577DD1D5}" = protocol=17 | dir=in | app=c:\program files\microsoft office\office12\onenote.exe |
"{3E4A16E5-1BFD-4D7D-9A32-12E65444CBDC}" = protocol=6 | dir=in | app=c:\program files\aim6\aim6.exe |
"{458AC404-6F01-42AF-BE60-CA8095DA31EE}" = protocol=17 | dir=in | app=c:\windows\system32\wininit.exe |
"{4ABEDED2-00F7-4231-BB7E-B020486DF364}" = protocol=6 | dir=in | app=c:\windows\system32\logonui.exe |
"{4CC01E55-6921-44A0-A20D-2A4282473236}" = protocol=17 | dir=in | app=c:\program files\aim6\aim6.exe |
"{52A050BC-3655-4A4F-AFA5-9C47BC5CA95C}" = protocol=58 | dir=in | name=@firewallapi.dll,-28545 |
"{540E6F59-0506-4584-84ED-396BB8D50EEE}" = protocol=6 | dir=in | app=c:\program files\mcafee\common framework\frameworkservice.exe |
"{5AB68DAA-988D-4055-91A2-2B56BE9C3239}" = protocol=6 | dir=in | app=c:\program files\microsoft office\office12\onenote.exe |
"{62801760-CF76-48C1-8910-752E1F3ACCE0}" = protocol=6 | dir=in | app=c:\program files\utorrent\utorrent.exe |
"{674B40AB-6023-4B7D-AD6A-0FBB9E6209BD}" = protocol=17 | dir=in | app=c:\program files\bonjour\mdnsresponder.exe |
"{6E6FB3FA-5568-4BC0-850A-BDFDEBD34A37}" = protocol=17 | dir=in | app=c:\program files\mcafee\common framework\frameworkservice.exe |
"{6F84B85F-256D-42E7-BB1F-BE694DA58240}" = protocol=6 | dir=in | app=c:\program files\bonjour\mdnsresponder.exe |
"{80EF6BD1-DF7E-460A-BF70-CDCD78E435ED}" = protocol=1 | dir=in | name=@firewallapi.dll,-28543 |
"{82C8B402-E242-418A-B594-0621629C40B2}" = protocol=17 | dir=in | app=c:\program files\common files\aol\loader\aolload.exe |
"{862E22DD-7A27-4F59-BBC2-11A67CEEA34E}" = protocol=6 | dir=in | app=c:\program files\bonjour\mdnsresponder.exe |
"{880BE75E-9ACA-4C72-899E-472C7F2E4A8D}" = protocol=17 | dir=in | app=c:\program files\itunes\itunes.exe |
"{8BF75EDB-C2B5-4F85-8759-13B222FD4FB1}" = protocol=6 | dir=in | app=c:\windows\system32\wininit.exe |
"{92048084-B3B3-47D1-B1A7-2FDCF1832B58}" = dir=in | app=c:\program files\msn messenger\livecall.exe |
"{A88228A5-C77D-4B12-B18E-9B880AA4EB31}" = protocol=6 | dir=in | app=c:\windows\system32\winlogon.exe |
"{ADB85EE3-BE10-4BC4-9F9C-F531B8D9519F}" = protocol=17 | dir=in | app=c:\windows\system32\logonui.exe |
"{B400D97B-396A-437F-A395-B33927B83CA8}" = protocol=6 | dir=in | app=c:\program files\common files\aol\loader\aolload.exe |
"{B834EAF5-2D77-4C74-A04A-683D52A142C4}" = protocol=6 | dir=in | app=c:\program files\itunes\itunes.exe |
"{C0E529D4-D101-4341-B013-E4A526735FA5}" = protocol=6 | dir=out | svc=upnphost | app=%systemroot%\system32\svchost.exe |
"{C1008155-B1F2-4FE0-880F-97ABA09EFF9D}" = protocol=17 | dir=in | app=c:\program files\bonjour\mdnsresponder.exe |
"{C3875408-6C1D-4458-85E9-8D3E5390F306}" = protocol=17 | dir=in | app=c:\program files\utorrent\utorrent.exe |
"{DA021597-C3A6-4715-9E3D-FA3405148AC1}" = protocol=6 | dir=in | app=c:\program files\itunes\itunes.exe |
"{EAD0A717-FF9B-4409-A233-46FC8FDC83F1}" = protocol=17 | dir=in | app=c:\windows\system32\logonui.exe |
"{F7F34E43-7B82-4F21-B63A-E23F647FDA74}" = protocol=17 | dir=in | app=c:\windows\system32\wininit.exe |
"{FAE1B40D-5EEF-41F7-847D-6F6B441DB3FB}" = protocol=17 | dir=in | app=c:\windows\system32\winlogon.exe |
"{FCE6A1FC-C97E-423C-8AFD-09D124EB4E6D}" = protocol=58 | dir=out | name=@firewallapi.dll,-28546 |
"TCP Query User{A891D8FD-C248-44EA-8BE7-924899CAA507}C:\program files\mozilla firefox\firefox.exe" = protocol=6 | dir=in | app=c:\program files\mozilla firefox\firefox.exe |
"TCP Query User{C8F265C4-CFC1-4B3D-87E7-98EB283A8DDA}C:\program files\videolan\vlc\vlc.exe" = protocol=6 | dir=in | app=c:\program files\videolan\vlc\vlc.exe |
"UDP Query User{D1CC1E8C-2771-497E-A1B8-59B26EF31B32}C:\program files\videolan\vlc\vlc.exe" = protocol=17 | dir=in | app=c:\program files\videolan\vlc\vlc.exe |
"UDP Query User{E10B6BBF-DC5D-4F36-9544-FB26ED2035F1}C:\program files\mozilla firefox\firefox.exe" = protocol=17 | dir=in | app=c:\program files\mozilla firefox\firefox.exe |

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{002B1E90-3241-4D45-8831-E89020F8E7E6}" = EndNote X2
"{002D9D5E-29BA-3E6D-9BC4-3D7D6DBC735C}" = Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
"{035E680E-B668-472F-91F3-E850BCC5051F}_is1" = Crawler Desktop Notes
"{07287123-B8AC-41CE-8346-3D777245C35B}" = Bonjour
"{07D8511D-C9FE-4A93-933F-EAA5C8F20095}" = IDT Audio
"{0C34B801-6AEC-4667-B053-03A67E2D0415}" = Apple Application Support
"{121634B0-2F4B-11D3-ADA3-00C04F52DD52}" = Windows Installer Clean Up
"{13F3917B56CD4C25848BDC69916971BB}" = DivX Converter
"{15BC8CD0-A65B-47D0-A2DD-90A824590FA8}" = Microsoft Works
"{18D10072035C4515918F7E37EAFAACFC}" = AutoUpdate
"{21E247D4-5E27-4BEA-AA4D-19A81203FE2A}" = Cisco Systems VPN Client 5.0.06.0160
"{26A24AE4-039D-4CA4-87B4-2F83216012FF}" = Java™ 6 Update 18
"{2931F734-260D-4E83-87B3-A9FE8E873192}_is1" = PDF-XChange Shell Extentions
"{2EA870FA-585F-4187-903D-CB9FFD21E2E0}" = DHTML Editing Component
"{3248F0A8-6813-11D6-A77B-00B0D0160050}" = Java™ 6 Update 5
"{3248F0A8-6813-11D6-A77B-00B0D0160070}" = Java™ 6 Update 7
"{34FF0741-EC67-4C05-AC2A-6D257123DF2E}" = BigFix
"{35C03C04-3F1F-42C2-A989-A757EE691F65}" = McAfee VirusScan Enterprise
"{39098402-3F7A-4257-A4AE-FC1181D1B40B}" = Camera Assistant Software for Gateway
"{3AC54383-31D1-4907-961B-B12CBB1D0AE8}" = MobileMe Control Panel
"{3EE33958-7381-4E7B-A4F3-6E43098E9E9C}" = Browser Address Error Redirector
"{3FC7CBBC4C1E11DCA1A752EA55D89593}" = DivX Version Checker
"{40BF1E83-20EB-11D8-97C5-0009C5020658}" = CyberLink Power2Go
"{45A66726-69BC-466B-A7A4-12FCBA4883D7}" = HiJackThis
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{5EE7D259-D137-4438-9A5F-42F432EC0421}" = VC80CRTRedist - 8.0.50727.4053
"{5F00DF7E-418B-4CD9-8EC5-781156BCC49E}" = Microsoft Money Shared Libraries
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{69FDFBB6-351D-4B8C-89D8-867DC9D0A2A4}" = Windows Media Player Firefox Plugin
"{6ADD0603-16EF-400D-9F9E-486432835002}" = OpenOffice.org 3.2
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{7B63B2922B174135AFC0E1377DD81EC2}" = DivX Codec
"{7F3BCF8A-8E02-4659-AF25-F9AB66BD6718}" = Gateway Recovery Center Installer
"{8833FFB6-5B0C-4764-81AA-06DFEED9A476}" = Realtek 8169 PCI, 8168 and 8101E PCIe Ethernet Network Card Driver for Windows Vista
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8ADFC4160D694100B5B8A22DE9DCABD9}" = DivX Player
"{8D273DE5-ABFA-4BD0-A9D7-EE9C971438C4}_is1" = PDF-Viewer
"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
"{9068B2BE-D93A-4C0A-861C-5E35E2C0E09E}" = Intel® Matrix Storage Manager
"{95120000-00AF-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint Viewer 2007 (English)
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{A429C2AE-EBF1-4F81-A221-1C115CAADDAD}" = QuickTime
"{A96E97134CA649888820BCDE5E300BBD}" = H.264 Decoder
"{AAC389499AEF40428987B3D30CFC76C9}" = MKV Splitter
"{AADEA55D-C834-4BCB-98A3-4B8D1C18F4EE}" = Apple Mobile Device Support
"{AC76BA86-7AD7-1033-7B44-A81300000003}" = Adobe Reader 8.1.4
"{AC76BA86-7AD7-5464-3428-800000000003}" = Spelling Dictionaries Support For Adobe Reader 8
"{AEF9DC35ADDF4825B049ACBFD1C6EB37}" = AAC Decoder
"{B13A7C41581B411290FBC0395694E2A9}" = DivX Converter
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
"{B7050CBDB2504B34BC2A9CA0A692CC29}" = DivX Plus Web Player
"{C59C179C-668D-49A9-B6EA-0121CCFC1243}" = LabelPrint
"{CB84F0F2-927B-458D-9DC5-87832E3DC653}" = GearDrvs
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{DC24971E-1946-445D-8A82-CE685433FA7D}" = Realtek USB 2.0 Card Reader
"{E50AE784-FABE-46DA-A1F8-7B6B56DCB22E}" = Microsoft Office Suite Activation Assistant
"{EC2A8F27-4FBF-4E41-B27B-FE822511B761}" = iTunes
"{F0E2B312-D7FD-4349-A9B6-E90B36DB1BD0}" = Paint.NET v3.5.5
"{FF66E9F6-83E7-3A3E-AF14-8DE9A809A6A4}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
"ACommander" = ACommander
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Adobe Shockwave Player" = Adobe Shockwave Player 11.5
"Adolix Split and Merge PDF_is1" = Adolix Split and Merge PDF v1.5
"Agere Systems Soft Modem" = Agere Systems HDA Modem
"CCleaner" = CCleaner
"DivX Plus DirectShow Filters" = DivX Plus DirectShow Filters
"ERUNT_is1" = ERUNT 1.1j
"ESET Online Scanner" = ESET Online Scanner v3
"File Recover_is1" = File Recover 7.5
"HDMI" = Intel® Graphics Media Accelerator Driver
"ISI ResearchSoft - Export Helper" = ISI ResearchSoft - Export Helper
"jZip" = jZip
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"McAfee Anti-Spyware Enterprise Module" = McAfee AntiSpyware Enterprise Module
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Money2007b" = Microsoft Money Essentials
"Mozilla Firefox (3.6.3)" = Mozilla Firefox (3.6.3)
"My Lockbox_is1" = My Lockbox 1.4 for Windows 2000/XP
"Picasa 3" = Picasa 3
"PrimoPDF4.1.0.9" = PrimoPDF
"RealPlayer 6.0" = RealPlayer
"Recuva" = Recuva
"SecureW2 EAP Suite" = SecureW2 EAP Suite 2.0.4 for Windows
"SynTPDeinstKey" = Synaptics Pointing Device Driver
"ViewpointMediaPlayer" = Viewpoint Media Player
"VLC media player" = VLC media player 1.0.5

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Move Media Player" = Move Media Player
"PhotoFiltre" = PhotoFiltre
"uTorrent" = µTorrent

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 5/2/2010 4:35:58 AM | Computer Name = NBA-Laptop | Source = System Restore | ID = 8210
Description =

Error - 5/2/2010 5:54:21 AM | Computer Name = NBA-Laptop | Source = Microsoft-Windows-CAPI2 | ID = 131077
Description =

Error - 5/2/2010 5:54:21 AM | Computer Name = NBA-Laptop | Source = Microsoft-Windows-CAPI2 | ID = 131077
Description =

Error - 5/2/2010 5:55:51 AM | Computer Name = NBA-Laptop | Source = Microsoft-Windows-CAPI2 | ID = 131077
Description =

Error - 5/2/2010 5:55:52 AM | Computer Name = NBA-Laptop | Source = Microsoft-Windows-CAPI2 | ID = 131077
Description =

Error - 5/3/2010 12:20:32 AM | Computer Name = NBA-Laptop | Source = SPP | ID = 16387
Description =

Error - 5/3/2010 12:20:32 AM | Computer Name = NBA-Laptop | Source = System Restore | ID = 8193
Description =

Error - 5/3/2010 12:20:32 AM | Computer Name = NBA-Laptop | Source = System Restore | ID = 8210
Description =

Error - 5/3/2010 8:56:23 AM | Computer Name = NBA-Laptop | Source = WinMgmt | ID = 10
Description =

Error - 5/3/2010 9:04:01 AM | Computer Name = NBA-Laptop | Source = LoadPerf | ID = 3002
Description =

[ Media Center Events ]
Error - 10/7/2009 4:25:27 PM | Computer Name = NBA-Laptop | Source = MCUpdate | ID = 0
Description = DownloadPackgeTask.SubTasksComplete: failed downloading package SportsSchedule.

[ System Events ]
Error - 5/1/2010 3:06:51 PM | Computer Name = NBA-Laptop | Source = ACPI | ID = 327693
Description = : The embedded controller (EC) did not respond within the specified
timeout period. This may indicate that there is an error in the EC hardware or
firmware or that the BIOS is accessing the EC incorrectly. You should check with
your computer manufacturer for an upgraded BIOS. In some situations, this error
may cause the computer to function incorrectly.

Error - 5/1/2010 3:07:29 PM | Computer Name = NBA-Laptop | Source = Service Control Manager | ID = 7000
Description =

Error - 5/1/2010 3:17:11 PM | Computer Name = NBA-Laptop | Source = Service Control Manager | ID = 7034
Description =

Error - 5/1/2010 3:18:54 PM | Computer Name = NBA-Laptop | Source = Service Control Manager | ID = 7000
Description =

Error - 5/1/2010 6:41:10 PM | Computer Name = NBA-Laptop | Source = Service Control Manager | ID = 7032
Description =

Error - 5/1/2010 11:12:36 PM | Computer Name = NBA-Laptop | Source = DCOM | ID = 10010
Description =

Error - 5/2/2010 2:38:22 AM | Computer Name = NBA-Laptop | Source = Service Control Manager | ID = 7000
Description =

Error - 5/2/2010 4:00:15 AM | Computer Name = NBA-Laptop | Source = Service Control Manager | ID = 7032
Description =

Error - 5/3/2010 12:08:39 AM | Computer Name = NBA-Laptop | Source = ACPI | ID = 327693
Description = : The embedded controller (EC) did not respond within the specified
timeout period. This may indicate that there is an error in the EC hardware or
firmware or that the BIOS is accessing the EC incorrectly. You should check with
your computer manufacturer for an upgraded BIOS. In some situations, this error
may cause the computer to function incorrectly.

Error - 5/3/2010 8:56:23 AM | Computer Name = NBA-Laptop | Source = Service Control Manager | ID = 7000
Description =


< End of report >

__________________________________________________


checkup.txt:


Results of screen317's Security Check version 0.99.4
Windows Vista Service Pack 2 (UAC is enabled)
Internet Explorer 8
``````````````````````````````
Antivirus/Firewall Check:

Windows Firewall Enabled!
ESET Online Scanner v3
McAfee VirusScan Enterprise
McAfee AntiSpyware Enterprise Module
Antivirus up to date!
```````````````````````````````
Anti-malware/Other Utilities Check:

Malwarebytes' Anti-Malware
CCleaner
Java™ 6 Update 18
Java™ 6 Update 5
Java™ 6 Update 7
Out of date Java installed!
Adobe Flash Player 10.0.45.2
Adobe Reader 8.1.4
Out of date Adobe Reader installed!
````````````````````````````````
Process Check:
objlist.exe by Laurent

Windows Defender MSASCui.exe
Spybot Teatimer.exe is disabled!
McAfee VirusScan Enterprise mcshield.exe
McAfee VirusScan Enterprise vstskmgr.exe
Windows Defender MSASCui.exe
````````````````````````````````
DNS Vulnerability Check:

GREAT! (Not vulnerable to DNS cache poisoning)

``````````End of Log````````````


#6 Maurice Naggar

    Eradicator de malware

  • Malware Response Team
  • 1,088 posts
  • Gender:Male
  • Location:USA

Posted 03 May 2010 - 11:43 AM

The malware rogue keeps re-appearing. Do not do any websurfing of any kind, nor any web searches.
  • Please RIGHT-click OTL.exe and choose Run As Administrator to start it.
  • Copy all the lines in between the **** stars lines **** below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    *****************************************************************
    :files
    C:\ProgramData\ratifuya\ratifuya.DLL
    C:\AKM Antivirus 2010 Pro
    C:\ProgramData\leheliyo
    C:\ProgramData\pazewaju
    C:\ProgramData\humopase
    C:\ProgramData\famuheno
    C:\ProgramData\nemirapu
    C:\ProgramData\nepuse
    c:\program files\utorrent\utorrent.exe
    C:\recycler
    D:\recycler
    e:\recycler
    f:\recycler
    g:\recycler
    h:\recycler

    :reg
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "yabajuyosa"=-

    :Commands
    [purity]
    [emptytemp]
    [CREATERESTOREPOINT]

    *****************************************************************
  • Return to OTL. Right click in the "Custom Scans/Fixes" window (under the aqua-blue bar) and choose Paste.
  • Close any browser(s) windows that may be open.
  • Using your mouse, click on the red-lettered button Run Fix.
  • Once you see a message box "Fix complete! Click OK to open the fix log."
    Click the OK button
  • The log will open in Notepad (your default text editor).
  • Save the log. Post a copy of that log in your next reply.
Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process.
If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTL\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.


If you have a prior copy of Combofix, delete it now

Download Combofix from any of the links below, and SAVE it to your Desktop.

Link 1
Link 2
Link 3

**Note: It is important that it is saved directly to your Desktop and not run straight away from download **

Important: Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.
Right-click on Combo-Fix.exe on your Desktop and select "Run as Administrator".
  • A window may open with a warning. Type "1" (and Enter) to start the fix. When the scan completes Notepad will open with your results log open. Do a File, Exit and answer 'Yes' to save changes.
A caution - Do not run Combofix more than once.
Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock.

The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled.
If this occurs, please reboot to restore the desktop.

A file will be created at => C:\Combofix.txt.
Note:
Do not mouseclick combofix's window nor run any program while Combofix is running.
That may cause it to stall.

Reply with a copy of the OTL MovedFiles log, and the C:\Combofix.txt log


~Maurice Naggar
MS-MVP (Oct 2002 - Sept 2010)
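As an added example that is not part of this thread or of the OTL/ComboFix tools: a small Python triage script that applies the heuristic behind the fix script above (the rogue drops folders and a Run value with machine-generated names such as ratifuya, nepusenu and yabajuyosa) to ComboFix "Files Created" lines. The sample log lines are constructed from entries posted later in this thread; the allowlist, the 6..12 character range and the vowel-fraction threshold are assumptions, and a hit is a lead for a human responder, not a verdict.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Matches one ComboFix "Files Created" / "Find3M" line, e.g.
#   2010-04-29 12:30 . 2010-04-29 12:30 -------- d-----w- c:\programdata\nepusenu
# Fields: created, modified, size (or "--------" for a directory), attributes, path.
ENTRY_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+(\S+)\s+(\S+)\s+(.+?)\s*$"
)

VOWELS = set("aeiou")

# Constructed allowlist (assumption): lowercase names known to be legitimate on the
# machine under review. Extend it with what the uninstall list shows is installed.
ALLOWLIST = {"temp", "drivers", "plugins", "cache"}


@dataclass
class Entry:
    created: str
    modified: str
    size: Optional[int]  # None for directories
    attrs: str
    path: str

    @property
    def is_dir(self) -> bool:
        return self.attrs.startswith("d")

    @property
    def name(self) -> str:
        # Final path component, e.g. "nepusenu" for c:\programdata\nepusenu
        return self.path.replace("/", "\\").rstrip("\\").rsplit("\\", 1)[-1]


def parse_entry(line: str) -> Optional[Entry]:
    """Parse one ComboFix file-listing line; returns None for anything else."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    created, modified, size, attrs, path = m.groups()
    return Entry(created, modified, int(size) if size.isdigit() else None, attrs, path)


def looks_random(name: str) -> bool:
    """Heuristic for machine-generated names of the kind this rogue used.

    Two generators are covered: strict consonant/vowel alternation
    (ratifuya, nepusenu, yabajuyosa) and near-vowelless strings (rlxnwjokg).
    Only all-lowercase alphabetic names of 6..12 characters are considered.
    """
    if name in ALLOWLIST or not re.fullmatch(r"[a-z]{6,12}", name):
        return False
    kinds = ["v" if c in VOWELS else "c" for c in name]
    alternating = all(a != b for a, b in zip(kinds, kinds[1:]))
    vowel_fraction = kinds.count("v") / len(name)
    return alternating or vowel_fraction <= 0.2


def triage(log_text: str, since: Optional[str] = None) -> List[Entry]:
    """Return entries whose final path component looks machine-generated.

    `since` (e.g. "2010-04-28") keeps only entries created on or after that date;
    ComboFix timestamps sort lexically, so a plain string comparison is enough.
    """
    hits: List[Entry] = []
    for line in log_text.splitlines():
        e = parse_entry(line)
        if e is None or (since and e.created < since):
            continue
        if looks_random(e.name):
            hits.append(e)
    return hits


# Constructed sample: lines copied from the ComboFix log posted later in this thread.
SAMPLE_LOG = r"""
2010-05-01 19:28 . 2010-05-01 19:28 -------- d-----w- c:\program files\ESET
2010-04-29 12:30 . 2010-04-29 12:30 -------- d-----w- c:\programdata\nepusenu
2010-04-29 05:55 . 2010-04-29 05:55 -------- d-----w- c:\program files\jZip
2010-04-28 23:12 . 2010-03-30 04:46 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-28 22:16 . 2010-04-28 22:16 -------- d-----w- c:\users\Bames\AppData\Local\rlxnwjokg
2010-04-10 14:02 . 2010-04-10 14:04 -------- d-----w- c:\program files\File Recover
"""

if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        print(f"{e.created}  {'dir ' if e.is_dir else 'file'}  {e.path}")
```

The same `looks_random` check can be run over the value names of the Run keys in an OTL log, which is how the "yabajuyosa" entry in the fix above stands out.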

#7 danthro
  • Topic Starter
  • Members
  • 10 posts

Posted 03 May 2010 - 11:50 AM

Quick question before I follow the instructions. If I close my browser, I can't download the programs directly to the desktop (or to anywhere directly). I have a flash drive I can download them onto from another computer. Is that what I should do, or open the browser just to download?

#8 danthro
  • Topic Starter
  • Members
  • 10 posts

Posted 03 May 2010 - 01:20 PM

Dear Maurice Naggar,

Sorry, you can disregard my previous reply. The flash drive didn't even turn out to be an option because the computer wouldn't allow me to open it. I had to open my browser between steps, but I set this page as my homepage so the browser wouldn't go to any other pages (I'm checking email from another computer for now).

There were a couple weird things that happened during the combofix run I thought I should mention just in case. First, before it ran it gave me a message that VirusScan was still on and I should turn it off before running the scan. I wasn't aware it was on because I had disabled it from starting on start up. I opened McAfee VirusScan console and saw some "tasks" were listed as "enabled" and I clicked to "disable" all of them. Then I got a message on the right side of the taskbar from windows security center saying that my antivirus program had been turned off, so I assume that worked. I also right-clicked on that message and clicked to exit the security center just in case as well. The other odd thing that happened was that combofix asked me if I wanted to update the program, I clicked No, because that wasn't in the instructions and the instructions seemed to emphasize using the combofix version that I was downloading now from those links. Finally, part way through the scan it said it had detected a rootkit and needed to reboot to get rid of it. It restarted and I got a message saying that the computer wasn't able to restart properly and windows was fixing something and to click Finish to restart again, this time it seemed to restart relatively normally, but after I logged in, there was a black screen and combofix was running on it, so I just left it alone. Then combofix rebooted on its own again, and finished running a while after I logged in.

In any case, the logs are below. Thanks!


All processes killed
========== FILES ==========
File\Folder C:\ProgramData\ratifuya\ratifuya.DLL not found.
C:\AKM Antivirus 2010 Pro folder moved successfully.
C:\ProgramData\leheliyo folder moved successfully.
C:\ProgramData\pazewaju folder moved successfully.
C:\ProgramData\humopase folder moved successfully.
C:\ProgramData\famuheno folder moved successfully.
C:\ProgramData\nemirapu folder moved successfully.
File\Folder C:\ProgramData\nepuse not found.
c:\program files\utorrent\uTorrent.exe moved successfully.
File\Folder C:\recycler not found.
File\Folder D:\recycler not found.
File\Folder e:\recycler not found.
File\Folder f:\recycler not found.
File\Folder g:\recycler not found.
File\Folder h:\recycler not found.
========== REGISTRY ==========
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yabajuyosa deleted successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Bames
->Temp folder emptied: 3734708 bytes
->Temporary Internet Files folder emptied: 754003 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 34479480 bytes
->Google Chrome cache emptied: 0 bytes
->Apple Safari cache emptied: 0 bytes
->Flash cache emptied: 2711 bytes

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Public

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 57389324 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 92.00 mb



OTL by OldTimer - Version 3.2.4.0 log created on 05032010_130330

Files\Folders moved on Reboot...
File\Folder C:\Windows\temp\WFVFF54.tmp not found!

Registry entries deleted on Reboot...


--------------------------------------------------------------------------

ComboFix 10-05-02.03 - Bames 05/03/2010 13:31:27.1.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3062.2116 [GMT -4:00]
Running from: c:\users\Bames\Desktop\ComboFix.exe
AV: VirusScan Enterprise + AntiSpyware Enterprise *On-access scanning disabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
SP: Spybot - Search and Destroy *disabled* (Updated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: VirusScan Enterprise + AntiSpyware Enterprise *disabled* (Updated) {24E45799-D058-4314-AC5D-1B2EE5C3151F}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\$recycle.bin\S-1-5-21-771374111-2616422062-1020362605-500
C:\install.exe
c:\windows\system32\%appdata%
D:\Autorun.inf

Infected copy of c:\windows\system32\drivers\volsnap.sys was found and disinfected
Restored copy from - Kitty had a snack :p
.
((((((((((((((((((((((((( Files Created from 2010-04-03 to 2010-05-03 )))))))))))))))))))))))))))))))
.

2010-05-03 17:47 . 2010-05-03 17:52 -------- d-----w- c:\users\Bames\AppData\Local\temp
2010-05-03 17:47 . 2010-05-03 17:47 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-05-02 04:14 . 2010-05-02 04:14 -------- d-----w- c:\windows\Sun
2010-05-01 19:28 . 2010-05-01 19:28 -------- d-----w- c:\program files\ESET
2010-05-01 19:17 . 2010-05-01 19:17 -------- d-----w- C:\_OTL
2010-05-01 18:47 . 2010-05-01 18:48 -------- d-----w- c:\program files\ERUNT
2010-04-29 12:30 . 2010-04-29 12:30 -------- d-----w- c:\programdata\nepusenu
2010-04-29 05:55 . 2010-04-29 05:57 -------- d-----w- c:\users\Bames\AppData\Local\jZip
2010-04-29 05:55 . 2010-04-29 05:55 -------- d-----w- c:\program files\jZip
2010-04-29 00:35 . 2010-05-01 20:22 -------- d-----w- c:\users\Bames\AppData\Roaming\scdata
2010-04-28 23:15 . 2010-04-28 23:15 -------- d-----w- c:\users\Bames\AppData\Roaming\Malwarebytes
2010-04-28 23:12 . 2010-03-30 04:46 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-28 23:12 . 2010-04-28 23:12 -------- d-----w- c:\programdata\Malwarebytes
2010-04-28 23:12 . 2010-03-30 04:45 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-28 23:12 . 2010-04-29 05:58 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-28 22:16 . 2010-04-28 22:16 -------- d-----w- c:\users\Bames\AppData\Local\rlxnwjokg
2010-04-28 21:32 . 2010-04-30 17:01 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2010-04-28 21:32 . 2010-04-28 21:32 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-04-26 18:37 . 2010-04-26 18:37 -------- d-----w- c:\program files\JRE
2010-04-25 03:34 . 2010-04-28 00:52 -------- d-----w- c:\users\Bames\AppData\Roaming\vlc
2010-04-15 01:58 . 2010-02-23 11:10 79360 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
2010-04-15 01:57 . 2010-02-23 11:10 212992 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2010-04-15 01:57 . 2010-02-23 11:10 106496 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-04-15 01:57 . 2010-02-18 14:07 3548040 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-04-15 01:57 . 2010-02-18 14:07 3600776 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-04-15 01:57 . 2010-03-05 14:01 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-04-15 01:57 . 2010-02-18 14:07 904576 ----a-w- c:\windows\system32\drivers\tcpip.sys
2010-04-15 01:57 . 2010-02-18 13:30 200704 ----a-w- c:\windows\system32\iphlpsvc.dll
2010-04-15 01:57 . 2010-02-18 11:28 25088 ----a-w- c:\windows\system32\drivers\tunnel.sys
2010-04-14 08:29 . 2009-12-23 11:33 172032 ----a-w- c:\windows\system32\wintrust.dll
2010-04-14 08:29 . 2010-01-13 17:34 98304 ----a-w- c:\windows\system32\cabview.dll
2010-04-11 20:21 . 2010-04-11 20:21 -------- d-----w- c:\program files\Common Files\Deterministic Networks
2010-04-11 20:21 . 2010-04-11 20:21 -------- d-----w- c:\program files\Cisco Systems
2010-04-11 07:00 . 2010-04-11 07:00 -------- d-----w- c:\program files\MSXML 4.0
2010-04-10 23:49 . 2010-04-10 23:49 -------- d-----w- c:\program files\Windows Installer Clean Up
2010-04-10 23:48 . 2010-04-10 23:48 -------- d-----w- c:\program files\MSECACHE
2010-04-10 17:27 . 2010-04-10 17:27 -------- d-----w- c:\program files\Recuva
2010-04-10 14:02 . 2009-07-17 03:12 82432 ----a-w- c:\windows\system32\msxml4r.dll
2010-04-10 14:02 . 2009-07-17 03:12 44544 ----a-w- c:\windows\system32\msxml4a.dll
2010-04-10 14:02 . 2010-04-10 14:04 -------- d-----w- c:\program files\File Recover

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-03 17:03 . 2009-03-10 03:39 -------- d-----w- c:\program files\uTorrent
2010-05-03 02:59 . 2009-01-30 18:30 1 ----a-w- c:\users\Bames\AppData\Roaming\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2010-05-02 05:51 . 2009-12-04 00:29 -------- d-----w- c:\program files\Paint.NET
2010-05-01 19:58 . 2009-06-09 02:20 -------- d-----w- c:\program files\My Lockbox
2010-04-30 02:33 . 2010-04-29 00:31 80 ----a-w- c:\users\Bames\AppData\Roaming\wp4.dat
2010-04-30 02:33 . 2010-04-29 00:31 2 ----a-w- c:\users\Bames\AppData\Roaming\wp3.dat
2010-04-29 15:32 . 2008-08-26 01:34 9156 ----a-w- c:\users\Bames\AppData\Roaming\wklnhst.dat
2010-04-29 12:31 . 2010-04-29 12:31 119808 ----a-w- c:\users\Bames\AppData\Roaming\Microsoft\Internet Explorer\novavapps.exe
2010-04-29 12:31 . 2010-04-29 12:31 0 ----a-w- c:\users\Bames\AppData\Roaming\extra1.dat
2010-04-29 02:34 . 2010-04-29 02:34 388096 ----a-r- c:\users\Bames\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-04-29 00:31 . 2010-04-29 00:31 36 ----a-w- c:\users\Bames\AppData\Roaming\skynet.dat
2010-04-27 19:43 . 2008-08-20 02:17 80704 ----a-w- c:\users\Bames\AppData\Local\GDIPFONTCACHEV1.DAT
2010-04-26 18:37 . 2009-01-30 18:27 -------- d-----w- c:\program files\OpenOffice.org 3
2010-04-23 01:12 . 2010-04-23 01:12 690952 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
2010-04-22 16:47 . 2010-04-22 16:47 143976 ----a-w- c:\users\Bames\AppData\Roaming\Move Networks\uninstall.exe
2010-04-22 16:47 . 2009-04-09 05:27 -------- d-----w- c:\users\Bames\AppData\Roaming\Move Networks
2010-04-22 16:47 . 2009-10-15 00:50 5642688 ----a-w- c:\users\Bames\AppData\Roaming\Move Networks\plugins\npqmp071701000002.dll
2010-04-15 07:20 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-04-11 02:59 . 2008-06-11 08:00 -------- d-----w- c:\programdata\Microsoft Help
2010-04-11 02:46 . 2009-01-28 06:23 -------- d-----w- c:\users\Bames\AppData\Roaming\EndNote
2010-04-10 23:49 . 2010-04-10 23:49 3584 ----a-r- c:\users\Bames\AppData\Roaming\Microsoft\Installer\{121634B0-2F4B-11D3-ADA3-00C04F52DD52}\Icon386ED4E3.exe
2010-03-12 15:31 . 2010-03-12 15:31 -------- d-----w- c:\programdata\Driver Whiz
2010-02-28 13:19 . 2010-02-28 13:19 2560 ----a-w- c:\windows\_MSRSTRT.EXE
2010-02-28 02:58 . 2010-02-27 23:02 60 ----a-w- c:\windows\wpd99.drv
2010-02-27 23:02 . 2010-02-27 23:02 51716 ----a-w- c:\windows\system32\pdf995mon.dll
2010-02-27 23:02 . 2010-02-27 23:02 249856 ----a-w- c:\windows\system32\pdfmona.dll
2010-02-24 14:16 . 2009-10-03 13:30 181632 ------w- c:\windows\system32\MpSigStub.exe
2010-02-23 06:39 . 2010-03-31 08:07 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-23 06:33 . 2010-03-31 08:07 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-02-23 06:33 . 2010-03-31 08:07 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-02-23 04:55 . 2010-03-31 08:07 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2010-02-20 23:06 . 2010-03-10 08:01 24064 ----a-w- c:\windows\system32\nshhttp.dll
2010-02-20 23:05 . 2010-03-10 08:01 30720 ----a-w- c:\windows\system32\httpapi.dll
2010-02-20 20:53 . 2010-03-10 08:01 411648 ----a-w- c:\windows\system32\drivers\http.sys
2010-02-19 23:47 . 2010-02-19 23:47 3604480 ----a-w- c:\windows\system32\GPhotos.scr
2009-08-20 08:15 . 2009-08-20 08:15 135630545 ----a-w- c:\program files\openofficeorg1.cab
2009-08-20 08:13 . 2009-08-20 08:13 9815040 ----a-w- c:\program files\openofficeorg31.msi
2009-08-19 08:31 . 2009-08-19 08:31 336 ----a-w- c:\program files\setup.ini
2002-03-11 09:06 . 2002-03-11 09:06 1822520 ----a-w- c:\program files\instmsiw.exe
2002-03-11 08:45 . 2002-03-11 08:45 1708856 ----a-w- c:\program files\instmsia.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-07-12 178712]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-04-26 865840]
"Camera Assistant Software"="c:\program files\Camera Assistant Software for Gateway\traybar.exe" [2007-09-13 638976]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-12 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-12 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-12 133656]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-08-13 177440]
"SigmatelSysTrayApp"="sttray.exe" [2007-09-07 405504]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-09-05 417792]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-01-11 246504]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Launcher"="c:\windows\SMINST\launcher.exe" [2008-01-19 40072]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
VPN Client.lnk - c:\windows\Installer\{21E247D4-5E27-4BEA-AA4D-19A81203FE2A}\Icon3E5562ED7.ico [2010-4-11 6144]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"mixer"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):0e,5d,cf,95,55,38,ca,01

R3 NETw2v32;Intel® PRO/Wireless 2200BG Network Connection Driver for Windows Vista;c:\windows\system32\DRIVERS\NETw2v32.sys [2006-11-02 2589184]
S0 FSProFilter;FSPro File Filter;c:\windows\System32\Drivers\FSPFltd.sys [2008-06-06 43792]
S2 fsproflt;FSPro Filter Service;c:\windows\system32\fsproflt.exe [2009-05-03 73392]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
S2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652]
S3 NETw5v32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\DRIVERS\NETw5v32.sys [2008-11-17 3668480]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder

2010-05-03 c:\windows\Tasks\User_Feed_Synchronization-{824C22FA-78C1-492F-B927-1B11838D9F20}.job
- c:\windows\system32\msfeedssync.exe [2010-03-31 04:54]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uDefault_Search_URL = hxxp://www.google.com/ie
mStart Page = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&SubCH=BB&Br=GTW&Loc=ENG_US&Sys=PTB&M=M-6843
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\users\Bames\AppData\Roaming\Mozilla\Firefox\Profiles\xaxowqkp.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.bleepingcomputer.com/forums/topic313471.html
FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
FF - plugin: c:\users\Bames\AppData\Roaming\Move Networks\plugins\npqmp071701000002.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.
- - - - ORPHANS REMOVED - - - -

BHO-{cd7d3f30-7359-407e-b6bf-9ad1ea7241e6} - c:\programdata\sohibesi\sohibesi.dll
HKLM-Run-mylbx - c:\program files\My Lockbox\mylbx.exe
AddRemove-uTorrent - c:\program files\uTorrent\uTorrent.exe



**************************************************************************
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-771374111-2616422062-1020362605-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*U%*%R*]
@Class="Shell"

[HKEY_USERS\S-1-5-21-771374111-2616422062-1020362605-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*U%*%R*\OpenWithList]
@Class="Shell"

[HKEY_USERS\S-1-5-21-771374111-2616422062-1020362605-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*X%%i%]
@Class="Shell"

[HKEY_USERS\S-1-5-21-771374111-2616422062-1020362605-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*X%%i%\OpenWithList]
@Class="Shell"
"a"="NOTEPAD.EXE"
"MRUList"="a"

[HKEY_USERS\S-1-5-21-771374111-2616422062-1020362605-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*X%%i%\OpenWithProgids]
"++-_auto_file"=hex(0):

[HKEY_USERS\S-1-5-21-771374111-2616422062-1020362605-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*[%6**%]
@Class="Shell"

[HKEY_USERS\S-1-5-21-771374111-2616422062-1020362605-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*[%6**%\OpenWithList]
@Class="Shell"

[HKEY_USERS\S-1-5-21-771374111-2616422062-1020362605-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.*X%%i%]
@Allowed: (Read) (RestrictedCode)
"0"=hex:3b,00,13,00,44,00,1a,00,71,00,66,25,f1,00,54,00,2e,00,58,25,18,25,69,
25,00,00,62,00,36,00,00,00,00,00,00,00,00,00,00,00,3b,00,44,00,71,00,66,25,\
"MRUListEx"=hex:00,00,00,00,ff,ff,ff,ff

[HKEY_USERS\S-1-5-21-771374111-2616422062-1020362605-1000_Classes\.*X%%i%]
@Allowed: (Read) (RestrictedCode)
@="++-_auto_file"

[HKEY_USERS\S-1-5-21-771374111-2616422062-1020362605-1000_Classes\X%%i%_*a*u*t*o*_*f*i*l*e*\shell\edit\command]
@=expand:"%SystemRoot%\\system32\\NOTEPAD.EXE %1"

[HKEY_USERS\S-1-5-21-771374111-2616422062-1020362605-1000_Classes\X%%i%_*a*u*t*o*_*f*i*l*e*\shell\open\command]
@=expand:"%SystemRoot%\\system32\\NOTEPAD.EXE %1"
DUMPHIVE0.003 (REGF)

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\agrsmsvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Cisco Systems\VPN Client\cvpnd.exe
c:\program files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
c:\program files\McAfee\Common Framework\FrameworkService.exe
c:\program files\McAfee\VirusScan Enterprise\mcshield.exe
c:\program files\McAfee\VirusScan Enterprise\vstskmgr.exe
c:\program files\McAfee\Common Framework\naPrdMgr.exe
c:\windows\system32\igfxsrvc.exe
c:\windows\sttray.exe
c:\windows\system32\wbem\unsecapp.exe
c:\program files\Camera Assistant Software for Gateway\CEC_MAIN.exe
c:\windows\ehome\ehmsas.exe
.
**************************************************************************
.
Completion time: 2010-05-03 14:00:24 - machine was rebooted
ComboFix-quarantined-files.txt 2010-05-03 18:00

Pre-Run: 90,756,816,896 bytes free
Post-Run: 90,679,382,016 bytes free

- - End Of File - - 74C2A65FEA194C3B42AE2E33960FF11F




#9 Maurice Naggar

Maurice Naggar

    Eradicator de malware


  • Malware Response Team
  • 1,088 posts
  • OFFLINE
  • Gender:Male
  • Location:USA
  • Local time:09:34 PM

Posted 03 May 2010 - 02:12 PM

I am still quite concerned about the rogue showing up again.
While we do these next procedures, recheck to ensure McAfee VirusScan is OFF (not active).
After you are all done with the below, turn on McAfee antivirus.

Step 1
See this topic in the AumHa Security forum and get the latest Java run-time
http://aumha.net/viewtopic.php?f=26&t=43792

Step 2
  • After the Java install is complete, some Java cache clearing & tweaking.
    Go to Start button > in Start menu -- Control Panel > and double-click the Java Icon. (looks like a coffee cup)
    • On the General tab, under Temporary Internet Files, click the Settings button.
    • Next, click on the Delete Files button
    • There are two options in the window to clear the cache - Leave BOTH Checked
        Applications and Applets
        Trace and Log Files
    • Click OK on Delete Temporary Files Window
      Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
    • Click OK to leave the Temporary Files Window
Small tweaks for the Java runtime, since almost all users do not need to load Java at each Windows startup:
Click Advanced Tab. Expand the Miscellaneous item.
UN-check the line Java quick starter

If you want to also un-check the "Check for updates automatically" you may:
Click the Update tab. un-check the line if it is checked.
Press Apply then OK. Close the applet when done.

To test your Java Run-time, you may go to this page http://www.java.com/en/download/help/testvm.xml
When all is well, you should see Java Version: 1.6.0_20 from Sun Microsystems Inc.

Step 3
Close all open browsers at this point.

Temporarily disable your antivirus app (but NOT the firewall). Use this as a guide
How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs

Start Internet Explorer (fresh) by pressing Start (Vista Orb) >> Internet Explorer >> Right-Click and select Run As Administrator.

Go to this website to scan the system with the Kaspersky Online Scanner
http://www.kaspersky.com/kos/eng/partner/d...kavwebscan.html

Attention: Kaspersky Online Scanner 7.0 may not run successfully while another antivirus program is running. If you have Anti-Virus software installed, please temporarily disable your AV protection before running the Kaspersky Online Scanner. Reenable it after the scan is finished.

During this run, make sure your browser does not block popup windows. Have patience while some screens populate.

Read the Information block presented on the screen, and then press the Accept button.

1) Accept the agreement
2) The necessary files will be downloaded and installed. Please have plenty of patience.
3) After Kaspersky AntiVirus Database is updated, look at the Scan box.
4) Click the My Computer line
5) Be infinitely patient; the scan is comprehensive and, unlike other online antivirus scanners, will detect all malware

6) When the scan is completed there will be an option to Save report as a .txt file. Click that button. Copy and paste the report into your reply.

( To see an animated tutorial-how-to on the scan, see >>this link<<)

Re-enable your antivirus program after Kaspersky has finished.
Kaspersky Online Scanner can be uninstalled later on from Add or Remove Programs in the Control Panel, if desired.

Do not be alarmed if Kaspersky tags items that are already in quarantine by MBAM, or ComboFix's Qoobox & quarantine.
Kaspersky is a report only and does not remove files.

Post back with copies of the Kaspersky.txt report.
How is your system now?


~Maurice Naggar
MS-MVP (Oct 2002 - Sept 2010)

#10 danthro

danthro
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:10:34 PM

Posted 03 May 2010 - 10:07 PM

Dear Maurice Naggar,

Thanks once again for all of your help. The system seems mainly back to normal. The main things that I still notice are that my recycle bin still does not show up on my desktop even though it is in the desktop folder. Also, when I try to open the program I use to read PDF files and underline in them, PDF-XChange Viewer, I get a message asking for my approval as an administrator (but regardless of whether I say OK or Cancel, the program opens). I don't know if the latter might be the result of some kind of security measure because of a scan we ran, or if it is virus-related. But I know the recycle bin disappearing was virus related--from before we ran scans.

I did accidentally open another page in the browser; without thinking, I started googling for instructions on how to make sure McAfee VirusScan was closed. I clicked on a link from Google, and then I remembered I wasn't supposed to websurf, so I closed the browser before the page could open. I think I found a setting in the McAfee VirusScan console that turned it off even further. Before, I had just gone to Windows Defender's Software Explorer and the list of programs enabled to start at startup, and disabled McAfee. Then I also tried opening the VirusScan console and disabling the "tasks" that were listed as "enabled". This time I also opened one task that was relisted as enabled on reboot and unchecked a box that told it to run on startup. I think that might have been a problem before. I also found a check box in one of the other tasks that said to prevent McAfee processes from being stopped; I unchecked that. I think this might've totally turned it off this time. I haven't found any other boxes to uncheck or things to disable. And when I rebooted before the scan, they were all still disabled. (I've re-enabled them now that the scan's over.)

The Kaspersky scan log is pasted below.

Thanks!!

danthro



--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Monday, May 3, 2010
Operating system: Microsoft Windows Vista Home Premium Edition, 32-bit Service Pack 2 (build 6002)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Monday, May 03, 2010 16:59:46
Records in database: 4038720
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\

Scan statistics:
Objects scanned: 150845
Threats found: 7
Infected objects found: 11
Suspicious objects found: 0
Scan duration: 02:54:58


File name / Threat / Threats count
C:\Qoobox\Quarantine\C\Windows\system32\Drivers\volsnap.sys.vir Infected: Rootkit.Win32.TDSS.ap 1
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\1LFHW5RQ\geticon[1].pdf Infected: Exploit.JS.Pdfka.bzr 1
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ML5Q4AYN\geticon[1].pdf Infected: Exploit.JS.Pdfka.bzr 1
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\17\720b4111-1c853e6c Infected: Exploit.Java.CVE-2009-3867.gen 1
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\17\720b4111-1c853e6c Infected: Trojan-Downloader.Java.Agent.cd 1
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\17\720b4111-1c853e6c Infected: Trojan-Downloader.Java.OpenStream.al 1
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\9\784fe349-6f635409 Infected: Exploit.Java.CVE-2009-3867.gen 1
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\9\784fe349-6f635409 Infected: Trojan-Downloader.Java.Agent.cd 1
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\9\784fe349-6f635409 Infected: Trojan-Downloader.Java.OpenStream.al 1
C:\Windows\System32\config\systemprofile\AppData\Roaming\ACommander\ccmain.exe Infected: Trojan-Downloader.Win32.NSIS.dl 1
C:\_OTL\MovedFiles\05032010_130330\C_ProgramData\humopase\humopase.exe Infected: Trojan-Dropper.Win32.TDSS.my 1

Selected area has been scanned.


#11 Maurice Naggar

Maurice Naggar

    Eradicator de malware


  • Malware Response Team
  • 1,088 posts
  • OFFLINE
  • Gender:Male
  • Location:USA
  • Local time:09:34 PM

Posted 04 May 2010 - 05:38 AM

The Recycle Bin issue will need to wait for later.
As to turning off temporarily your antivirus, see How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs


Step 1
Download to your Desktop FixPolicies.exe, by Bill Castner, MS-MVP, a self-extracting ZIP archive from
>>> here <<<
  • Double-click FixPolicies.exe.
  • Click the "Install" button on the bottom toolbar of the box that will open.
  • The program will create a new Folder called FixPolicies.
  • Double-click to Open the new Folder, and then double-click the file within: Fix_Policies.cmd.
  • A black box will briefly appear and then close.
  • This fix may prove temporary. Active malware may revert these changes at your next startup. You can safely run the utility again.
Step 2
Please re-run RKILL as you did the last time.

Step 3
  • Please RIGHT-click OTL.exe and choose Run As Administrator to start it.
  • Copy all the lines in between the **** stars lines **** below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    *****************************************************************
    :files
    C:\AKM Antivirus 2010 Pro
    c:\users\bames\appdata\roaming\alggui.exe
    c:\users\bames\appdata\roaming\wp4.dat
    c:\users\bames\appdata\roaming\wp3.dat
    c:\users\bames\appdata\roaming\skynet.dat
    c:\users\bames\appdata\roaming\wpp.exe

    :Commands
    [purity]
    [emptytemp]
    [CREATERESTOREPOINT]

    *****************************************************************
  • Return to OTL. Right click in the "Custom Scans/Fixes" window (under the aqua-blue bar) and choose Paste.
  • Close any browser(s) windows that may be open.
  • Using your mouse, click on the red-lettered button Run Fix.
  • Once you see a message box "Fix complete! Click OK to open the fix log."
    Click the OK button
  • The log will open in Notepad (your default text editor).
  • Save the log. Post a copy of that log in your next reply.
Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process.
If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTL\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

Step 4
Start your MBAM MalwareBytes' Anti-Malware.
Click the Settings Tab. Make sure all option lines have a checkmark.

Next, Click the Update tab. Press the "Check for Updates" button.

When done, click the Scanner tab.
Do a FULL Scan.

When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.

Step 5
Download this file & extract TDSSKiller.exe onto your Desktop

Then create this batch file to be placed next to TDSSKiller:

Start NOTEPAD and copy/paste the text in the quotebox below into it:

CODE
@ECHO OFF
REM Run TDSSKiller from the current folder with a verbose log, and wait for it to finish
START /WAIT TDSSKILLER.exe -l Logit.txt -v
REM Open the log in the default text editor
START Logit.txt
REM Remove this batch file once it has run
del %0
Save this as fix.bat. Choose "Save as type: All Files".

Right-click fix.bat on your Desktop and select "Run as Administrator". Allow it to run.

Please post back with the result.

Step 6
If you have a prior copy of Combofix, delete it now

Download Combofix from any of the links below, and SAVE it to your Desktop.

Link 1
Link 2
Link 3

**Note: It is important that it is saved directly to your Desktop and not run straight away from download **

Important: Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.
Right-click on Combo-Fix.exe on your Desktop and select "Run as Administrator".
  • A window may open with a warning. Type "1" (and Enter) to start the fix. When the scan completes, Notepad will open with your results log open. Do a File, Exit and answer 'Yes' to save changes.
A caution - Do not run Combofix more than once.
Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock.

The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled.
If this occurs, please reboot to restore the desktop.

A file will be created at => C:\Combofix.txt.
Note:
Do not mouseclick combofix's window nor run any program while Combofix is running.
That may cause it to stall.

Reply with a copy of the OTL MovedFiles log
MBAM scan log
Logit.txt,
and the C:\Combofix.txt log

Be sure to do a Preview prior to pressing Submit because all reports may not fit into 1 single reply. You may have to do more than 1 reply.
Do not use the attachment feature to place any of your reports. Always put them in-line inside the body of reply.

Edited by Maurice Naggar, 04 May 2010 - 06:39 AM.
added other steps

~Maurice Naggar
MS-MVP (Oct 2002 - Sept 2010)
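The fix.bat in Step 5 above finds TDSSKiller.exe only if the current working directory happens to be the folder that holds both files. When a batch file is launched with "Run as administrator" on Vista or Windows 7, the elevated console starts in C:\Windows\System32 instead, so the bare `START /WAIT TDSSKILLER.exe` looks in the wrong folder and reports that it cannot find the program. The wrapper below is an added example, not the helper's own fix.bat: it anchors every path to the folder the script lives in (`%~dp0`), checks that it is elevated and that the scanner is actually there before running anything, and tells you what it found if not. It assumes TDSSKiller.exe was extracted into the same folder as this file and that the `-l <logfile>` and `-v` switches work as used in the post above.

```batch
@ECHO OFF
REM Added example, not the fix.bat from the post above.
REM Resolve every path relative to this script's own folder, because
REM "Run as administrator" starts a batch file in C:\Windows\System32.
REM Assumptions: TDSSKiller.exe sits next to this file and accepts -l <log> -v.

SETLOCAL
SET "HERE=%~dp0"
SET "EXE=%HERE%TDSSKiller.exe"
SET "LOG=%HERE%Logit.txt"

REM Elevation check: "net session" only succeeds in an elevated console.
NET SESSION >NUL 2>&1
IF ERRORLEVEL 1 (
    ECHO Not running as administrator. Right-click this file and choose "Run as administrator".
    PAUSE
    EXIT /B 1
)

REM Precondition check: this is the "cannot find TDSSKiller.exe" symptom.
IF NOT EXIST "%EXE%" (
    ECHO TDSSKiller.exe was not found in "%HERE%"
    ECHO Files in that folder:
    DIR /B "%HERE%"
    ECHO If a folder named TDSSKiller is listed, the zip was extracted one level too deep.
    PAUSE
    EXIT /B 1
)

REM Work from the script's folder and wait for the scanner, as START /WAIT did.
PUSHD "%HERE%"
START "" /WAIT "%EXE%" -l "%LOG%" -v
POPD

IF EXIST "%LOG%" (
    START "" notepad.exe "%LOG%"
) ELSE (
    ECHO The scanner exited without writing "%LOG%". Check the console output above.
    PAUSE
)
ENDLOCAL
```

Save it with a .bat extension in the same folder as TDSSKiller.exe and run it as administrator. It deliberately leaves itself in place instead of ending with `del %0`, so it can be rerun after the scanner is moved to the right folder.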

#12 danthro

danthro
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:10:34 PM

Posted 04 May 2010 - 01:52 PM

Dear Maurice Naggar,

Regarding the directions for disabling antivirus software, that page does not have directions for the particular McAfee program that I have installed, which I got free from my university. However, I think I have now been successful in disabling it. I'm attaching three successive screenshots showing the menus I have (but you can ignore the screenshots if you want).

I am pasting the logs below. I was not able to complete the TDSSKiller step -- I followed the instructions exactly as listed, but when I right-clicked the fix.bat file and ran as an administrator, I kept getting two successive error messages that it couldn't find TDSSKiller.exe or Logit.txt. Specifically, I did the following: I right-clicked on the link and told it to save to my desktop. I right-clicked the zip file and told it to extract all, and when it asked for a location, I selected the desktop. I then opened Notepad and copied in the text inside the instructions (starting from "@ECHO" and ending with "%0"). Then I went to File > Save. Then I named it "fix.bat" and changed the file type to save as to All Files. Then I right-clicked the fix.bat file on the desktop and said run as administrator. A DOS window opened, and then I got the error messages I already described. Let me know if I did something wrong and I can try again.

Also, when I ran MalwareBytes' Anti-Malware, it gave me an error message when I said to update. I found this unacceptable so I just downloaded it from the same bleepingcomputer link I had downloaded it from before and reinstalled, and then it updated.

After Combofix was finished I got error messages that I was doing an illegal operation with a registry file(?) marked for deletion every time I tried to open anything, including Notepad and Firefox. But it seems back to normal now that I've restarted.

Again the logs are below, and again,
Thanks VERY Much for your continued assistance!

danthro



OTL MovedFiles log:

All processes killed
========== FILES ==========
File\Folder C:\AKM Antivirus 2010 Pro not found.
File\Folder c:\users\bames\appdata\roaming\alggui.exe not found.
c:\users\bames\appdata\roaming\wp4.dat moved successfully.
c:\users\bames\appdata\roaming\wp3.dat moved successfully.
c:\users\bames\appdata\roaming\skynet.dat moved successfully.
File\Folder c:\users\bames\appdata\roaming\wpp.exe not found.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Bames
->Temp folder emptied: 106344600 bytes
->Temporary Internet Files folder emptied: 635386 bytes
->Java cache emptied: 200768 bytes
->FireFox cache emptied: 34648123 bytes
->Google Chrome cache emptied: 0 bytes
->Apple Safari cache emptied: 0 bytes
->Flash cache emptied: 589 bytes

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Public
->Temp folder emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 2242 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 135.00 mb



OTL by OldTimer - Version 3.2.4.0 log created on 05042010_112703

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...

________________________________________________________________________


MBAM Scan Log:

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4065

Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.18904

5/4/2010 1:10:01 PM
mbam-log-2010-05-04 (13-10-01).txt

Scan type: Full scan (C:\|D:\|)
Objects scanned: 258546
Time elapsed: 1 hour(s), 17 minute(s), 51 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 4
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 3
Files Infected: 12

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\Interface\{90f62ef7-58d1-4e8e-bb3e-cfb10ba9e47b} (Adware.SmartShopper) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{b2b92bc9-e149-4ee8-a93e-0b8cfb329808} (Adware.SmartShopper) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{e79b1445-dfea-4bef-a786-e0c0f33c863b} (Adware.SmartShopper) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\AKM Antivirus 2010 Pro (Rogue.AKMAntivirus) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Windows\System32\config\systemprofile\AppData\Roaming\ACommander (Rogue.ACommander) -> Quarantined and deleted successfully.
C:\Windows\System32\config\systemprofile\AppData\Roaming\ACommander\faq (Rogue.ACommander) -> Quarantined and deleted successfully.
C:\Windows\System32\config\systemprofile\AppData\Roaming\ACommander\faq\images (Rogue.ACommander) -> Quarantined and deleted successfully.

Files Infected:
C:\Windows\System32\config\systemprofile\AppData\Roaming\ACommander\ccmain.exe (Rogue.ACommander) -> Quarantined and deleted successfully.
C:\Windows\System32\config\systemprofile\AppData\Roaming\ACommander\uninstall.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\_OTL\MovedFiles\05032010_130330\C_ProgramData\humopase\humopase.exe (Rootkit.Dropper) -> Quarantined and deleted successfully.
C:\Windows\System32\config\systemprofile\AppData\Roaming\ACommander\settings.ini (Rogue.ACommander) -> Quarantined and deleted successfully.
C:\Windows\System32\config\systemprofile\AppData\Roaming\ACommander\faq\guide.html (Rogue.ACommander) -> Quarantined and deleted successfully.
C:\Windows\System32\config\systemprofile\AppData\Roaming\ACommander\faq\images\05.png (Rogue.ACommander) -> Quarantined and deleted successfully.
C:\Windows\System32\config\systemprofile\AppData\Roaming\ACommander\faq\images\06.png (Rogue.ACommander) -> Quarantined and deleted successfully.
C:\Windows\System32\config\systemprofile\AppData\Roaming\ACommander\faq\images\07.png (Rogue.ACommander) -> Quarantined and deleted successfully.
C:\Windows\System32\config\systemprofile\AppData\Roaming\ACommander\faq\images\08.png (Rogue.ACommander) -> Quarantined and deleted successfully.
C:\Windows\System32\config\systemprofile\AppData\Roaming\ACommander\faq\images\09.png (Rogue.ACommander) -> Quarantined and deleted successfully.
C:\Windows\System32\config\systemprofile\AppData\Roaming\ACommander\faq\images\10.png (Rogue.ACommander) -> Quarantined and deleted successfully.
C:\Windows\System32\config\systemprofile\Desktop\ACommander.lnk (Rogue.ACommander) -> Quarantined and deleted successfully.

_______________________________________

Combofix log:

ComboFix 10-05-03.06 - Bames 05/04/2010 13:30:51.2.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3062.1938 [GMT -4:00]
Running from: c:\users\Bames\Desktop\ComboFix.exe
AV: VirusScan Enterprise + AntiSpyware Enterprise *On-access scanning disabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
SP: Spybot - Search and Destroy *disabled* (Updated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: VirusScan Enterprise + AntiSpyware Enterprise *disabled* (Updated) {24E45799-D058-4314-AC5D-1B2EE5C3151F}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((( Files Created from 2010-04-04 to 2010-05-04 )))))))))))))))))))))))))))))))
.

2010-05-04 17:41 . 2010-05-04 17:41 -------- d-----w- c:\users\Bames\AppData\Local\temp
2010-05-04 17:41 . 2010-05-04 17:41 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-05-04 17:41 . 2010-05-04 17:41 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-05-03 20:41 . 2010-05-03 20:41 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-05-02 04:14 . 2010-05-02 04:14 -------- d-----w- c:\windows\Sun
2010-05-01 19:28 . 2010-05-01 19:28 -------- d-----w- c:\program files\ESET
2010-05-01 19:17 . 2010-05-01 19:17 -------- d-----w- C:\_OTL
2010-05-01 18:47 . 2010-05-01 18:48 -------- d-----w- c:\program files\ERUNT
2010-04-29 12:31 . 2010-04-29 12:31 119808 ----a-w- c:\users\Bames\AppData\Roaming\Microsoft\Internet Explorer\novavapps.exe
2010-04-29 12:30 . 2010-04-29 12:30 -------- d-----w- c:\programdata\nepusenu
2010-04-29 05:55 . 2010-04-29 05:57 -------- d-----w- c:\users\Bames\AppData\Local\jZip
2010-04-29 05:55 . 2010-04-29 05:55 -------- d-----w- c:\program files\jZip
2010-04-29 02:34 . 2010-04-29 02:34 388096 ----a-r- c:\users\Bames\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-04-29 00:35 . 2010-05-01 20:22 -------- d-----w- c:\users\Bames\AppData\Roaming\scdata
2010-04-28 23:15 . 2010-04-28 23:15 -------- d-----w- c:\users\Bames\AppData\Roaming\Malwarebytes
2010-04-28 23:12 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-28 23:12 . 2010-04-28 23:12 -------- d-----w- c:\programdata\Malwarebytes
2010-04-28 23:12 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-28 23:12 . 2010-05-04 15:50 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-28 22:16 . 2010-04-28 22:16 -------- d-----w- c:\users\Bames\AppData\Local\rlxnwjokg
2010-04-28 21:32 . 2010-04-30 17:01 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2010-04-28 21:32 . 2010-04-28 21:32 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-04-26 18:37 . 2010-04-26 18:37 -------- d-----w- c:\program files\JRE
2010-04-25 03:34 . 2010-04-28 00:52 -------- d-----w- c:\users\Bames\AppData\Roaming\vlc
2010-04-23 01:12 . 2010-04-23 01:12 690952 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
2010-04-22 16:47 . 2010-04-22 16:47 143976 ----a-w- c:\users\Bames\AppData\Roaming\Move Networks\uninstall.exe
2010-04-15 01:58 . 2010-02-23 11:10 79360 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
2010-04-15 01:57 . 2010-02-23 11:10 212992 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2010-04-15 01:57 . 2010-02-23 11:10 106496 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-04-15 01:57 . 2010-02-18 14:07 3548040 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-04-15 01:57 . 2010-02-18 14:07 3600776 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-04-15 01:57 . 2010-03-05 14:01 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-04-15 01:57 . 2010-02-18 14:07 904576 ----a-w- c:\windows\system32\drivers\tcpip.sys
2010-04-15 01:57 . 2010-02-18 13:30 200704 ----a-w- c:\windows\system32\iphlpsvc.dll
2010-04-15 01:57 . 2010-02-18 11:28 25088 ----a-w- c:\windows\system32\drivers\tunnel.sys
2010-04-14 08:29 . 2009-12-23 11:33 172032 ----a-w- c:\windows\system32\wintrust.dll
2010-04-14 08:29 . 2010-01-13 17:34 98304 ----a-w- c:\windows\system32\cabview.dll
2010-04-11 20:21 . 2010-04-11 20:21 -------- d-----w- c:\program files\Common Files\Deterministic Networks
2010-04-11 20:21 . 2010-04-11 20:21 -------- d-----w- c:\program files\Cisco Systems
2010-04-11 07:00 . 2010-04-11 07:00 -------- d-----w- c:\program files\MSXML 4.0
2010-04-10 23:49 . 2010-04-10 23:49 3584 ----a-r- c:\users\Bames\AppData\Roaming\Microsoft\Installer\{121634B0-2F4B-11D3-ADA3-00C04F52DD52}\Icon386ED4E3.exe
2010-04-10 23:49 . 2010-04-10 23:49 -------- d-----w- c:\program files\Windows Installer Clean Up
2010-04-10 23:48 . 2010-04-10 23:48 -------- d-----w- c:\program files\MSECACHE
2010-04-10 17:27 . 2010-04-10 17:27 -------- d-----w- c:\program files\Recuva
2010-04-10 14:02 . 2009-07-17 03:12 82432 ----a-w- c:\windows\system32\msxml4r.dll
2010-04-10 14:02 . 2009-07-17 03:12 44544 ----a-w- c:\windows\system32\msxml4a.dll
2010-04-10 14:02 . 2010-04-10 14:04 -------- d-----w- c:\program files\File Recover

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-04 17:10 . 2009-01-30 18:30 1 ----a-w- c:\users\Bames\AppData\Roaming\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2010-05-03 20:53 . 2008-06-11 08:04 -------- d-----w- c:\program files\Java
2010-05-03 20:53 . 2008-06-11 08:04 -------- d-----w- c:\program files\Common Files\Java
2010-05-03 17:03 . 2009-03-10 03:39 -------- d-----w- c:\program files\uTorrent
2010-05-02 05:51 . 2009-12-04 00:29 -------- d-----w- c:\program files\Paint.NET
2010-05-01 19:58 . 2009-06-09 02:20 -------- d-----w- c:\program files\My Lockbox
2010-04-29 15:32 . 2008-08-26 01:34 9156 ----a-w- c:\users\Bames\AppData\Roaming\wklnhst.dat
2010-04-29 12:31 . 2010-04-29 12:31 0 ----a-w- c:\users\Bames\AppData\Roaming\extra1.dat
2010-04-27 19:43 . 2008-08-20 02:17 80704 ----a-w- c:\users\Bames\AppData\Local\GDIPFONTCACHEV1.DAT
2010-04-26 18:37 . 2009-01-30 18:27 -------- d-----w- c:\program files\OpenOffice.org 3
2010-04-22 16:47 . 2009-04-09 05:27 -------- d-----w- c:\users\Bames\AppData\Roaming\Move Networks
2010-04-22 16:47 . 2009-10-15 00:50 5642688 ----a-w- c:\users\Bames\AppData\Roaming\Move Networks\plugins\npqmp071701000002.dll
2010-04-15 07:20 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-04-11 02:59 . 2008-06-11 08:00 -------- d-----w- c:\programdata\Microsoft Help
2010-04-11 02:46 . 2009-01-28 06:23 -------- d-----w- c:\users\Bames\AppData\Roaming\EndNote
2010-03-12 15:31 . 2010-03-12 15:31 -------- d-----w- c:\programdata\Driver Whiz
2010-02-28 13:19 . 2010-02-28 13:19 2560 ----a-w- c:\windows\_MSRSTRT.EXE
2010-02-28 02:58 . 2010-02-27 23:02 60 ----a-w- c:\windows\wpd99.drv
2010-02-27 23:02 . 2010-02-27 23:02 51716 ----a-w- c:\windows\system32\pdf995mon.dll
2010-02-27 23:02 . 2010-02-27 23:02 249856 ----a-w- c:\windows\system32\pdfmona.dll
2010-02-24 14:16 . 2009-10-03 13:30 181632 ------w- c:\windows\system32\MpSigStub.exe
2010-02-23 06:39 . 2010-03-31 08:07 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-23 06:33 . 2010-03-31 08:07 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-02-23 06:33 . 2010-03-31 08:07 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-02-23 04:55 . 2010-03-31 08:07 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2010-02-20 23:06 . 2010-03-10 08:01 24064 ----a-w- c:\windows\system32\nshhttp.dll
2010-02-20 23:05 . 2010-03-10 08:01 30720 ----a-w- c:\windows\system32\httpapi.dll
2010-02-20 20:53 . 2010-03-10 08:01 411648 ----a-w- c:\windows\system32\drivers\http.sys
2010-02-19 23:47 . 2010-02-19 23:47 3604480 ----a-w- c:\windows\system32\GPhotos.scr
2009-08-20 08:15 . 2009-08-20 08:15 135630545 ----a-w- c:\program files\openofficeorg1.cab
2009-08-20 08:13 . 2009-08-20 08:13 9815040 ----a-w- c:\program files\openofficeorg31.msi
2009-08-19 08:31 . 2009-08-19 08:31 336 ----a-w- c:\program files\setup.ini
2002-03-11 09:06 . 2002-03-11 09:06 1822520 ----a-w- c:\program files\instmsiw.exe
2002-03-11 08:45 . 2002-03-11 08:45 1708856 ----a-w- c:\program files\instmsia.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-07-12 178712]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-04-26 865840]
"Camera Assistant Software"="c:\program files\Camera Assistant Software for Gateway\traybar.exe" [2007-09-13 638976]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-12 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-12 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-12 133656]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-08-13 177440]
"SigmatelSysTrayApp"="sttray.exe" [2007-09-07 405504]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-09-05 417792]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-04-29 1090952]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Launcher"="c:\windows\SMINST\launcher.exe" [2008-01-19 40072]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
VPN Client.lnk - c:\windows\Installer\{21E247D4-5E27-4BEA-AA4D-19A81203FE2A}\Icon3E5562ED7.ico [2010-4-11 6144]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"mixer"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):0e,5d,cf,95,55,38,ca,01

R3 NETw2v32;Intel® PRO/Wireless 2200BG Network Connection Driver for Windows Vista;c:\windows\system32\DRIVERS\NETw2v32.sys [2006-11-02 2589184]
S0 FSProFilter;FSPro File Filter;c:\windows\System32\Drivers\FSPFltd.sys [2008-06-06 43792]
S2 fsproflt;FSPro Filter Service;c:\windows\system32\fsproflt.exe [2009-05-03 73392]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
S2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652]
S3 NETw5v32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\DRIVERS\NETw5v32.sys [2008-11-17 3668480]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder

2010-05-04 c:\windows\Tasks\User_Feed_Synchronization-{824C22FA-78C1-492F-B927-1B11838D9F20}.job
- c:\windows\system32\msfeedssync.exe [2010-03-31 04:54]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uDefault_Search_URL = hxxp://www.google.com/ie
mStart Page = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&SubCH=BB&Br=GTW&Loc=ENG_US&Sys=PTB&M=M-6843
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\users\Bames\AppData\Roaming\Mozilla\Firefox\Profiles\xaxowqkp.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.bleepingcomputer.com/forums/topic313471.html
FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
FF - plugin: c:\users\Bames\AppData\Roaming\Move Networks\plugins\npqmp071701000002.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-SunJavaUpdateSched - c:\program files\Java\jre6\bin\jusched.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-04 13:41
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-771374111-2616422062-1020362605-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*U%*%R*]
@Class="Shell"

[HKEY_USERS\S-1-5-21-771374111-2616422062-1020362605-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*U%*%R*\OpenWithList]
@Class="Shell"

[HKEY_USERS\S-1-5-21-771374111-2616422062-1020362605-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*X%%i%]
@Class="Shell"

[HKEY_USERS\S-1-5-21-771374111-2616422062-1020362605-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*X%%i%\OpenWithList]
@Class="Shell"
"a"="NOTEPAD.EXE"
"MRUList"="a"

[HKEY_USERS\S-1-5-21-771374111-2616422062-1020362605-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*X%%i%\OpenWithProgids]
"++-_auto_file"=hex(0):

[HKEY_USERS\S-1-5-21-771374111-2616422062-1020362605-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*[%6**%]
@Class="Shell"

[HKEY_USERS\S-1-5-21-771374111-2616422062-1020362605-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*[%6**%\OpenWithList]
@Class="Shell"

[HKEY_USERS\S-1-5-21-771374111-2616422062-1020362605-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.*X%%i%]
@Allowed: (Read) (RestrictedCode)
"0"=hex:3b,00,13,00,44,00,1a,00,71,00,66,25,f1,00,54,00,2e,00,58,25,18,25,69,
25,00,00,62,00,36,00,00,00,00,00,00,00,00,00,00,00,3b,00,44,00,71,00,66,25,\
"MRUListEx"=hex:00,00,00,00,ff,ff,ff,ff

[HKEY_USERS\S-1-5-21-771374111-2616422062-1020362605-1000_Classes\.*X%%i%]
@Allowed: (Read) (RestrictedCode)
@="++-_auto_file"

[HKEY_USERS\S-1-5-21-771374111-2616422062-1020362605-1000_Classes\X%%i%_*a*u*t*o*_*f*i*l*e*\shell\edit\command]
@=expand:"%SystemRoot%\\system32\\NOTEPAD.EXE %1"

[HKEY_USERS\S-1-5-21-771374111-2616422062-1020362605-1000_Classes\X%%i%_*a*u*t*o*_*f*i*l*e*\shell\open\command]
@=expand:"%SystemRoot%\\system32\\NOTEPAD.EXE %1"
DUMPHIVE0.003 (REGF)

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
Completion time: 2010-05-04 13:46:40
ComboFix-quarantined-files.txt 2010-05-04 17:46
ComboFix2.txt 2010-05-03 18:00

Pre-Run: 90,754,600,960 bytes free
Post-Run: 90,716,778,496 bytes free

- - End Of File - - D1547057C9266C1F2B41827469814EDD

Attached Files
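A small parser for the MBAM 1.x log format pasted above, added here as an example (it is not Malwarebytes' own code and not part of the thread); it cross-checks the summary counts against the itemized detections, tallies detections per family, and lists anything the scanner did not report as quarantined and deleted, which is the first thing to look for when reviewing a log like this. The embedded sample is a constructed, abbreviated copy in the same format as the posted log.

```python
"""Parse a Malwarebytes' Anti-Malware (MBAM 1.x) text log and sanity-check it.

Constructed example; the sample below is an abbreviated copy in the format of the
posted log, not the full log itself.
"""
import re
from collections import OrderedDict

# Section names exactly as MBAM 1.x prints them, in log order.
SECTIONS = [
    "Memory Processes Infected", "Memory Modules Infected",
    "Registry Keys Infected", "Registry Values Infected",
    "Registry Data Items Infected", "Folders Infected", "Files Infected",
]

# "<item> (<family>) -> <action>."  e.g. "C:\x.exe (Rogue.Foo) -> Quarantined and deleted successfully."
DETECTION_RE = re.compile(r"^(?P<item>.+?) \((?P<family>[^()]+)\) -> (?P<action>.+?)\.?$")
SUMMARY_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected): (?P<count>\d+)$")
HEADER_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected):$")

SAMPLE_LOG = """\
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4065

Scan type: Full scan (C:\\|D:\\|)
Objects scanned: 258546

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\\Interface\\{90f62ef7-58d1-4e8e-bb3e-cfb10ba9e47b} (Adware.SmartShopper) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\\SOFTWARE\\AKM Antivirus 2010 Pro (Rogue.AKMAntivirus) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\\Windows\\System32\\config\\systemprofile\\AppData\\Roaming\\ACommander (Rogue.ACommander) -> Quarantined and deleted successfully.

Files Infected:
C:\\Windows\\System32\\config\\systemprofile\\AppData\\Roaming\\ACommander\\ccmain.exe (Rogue.ACommander) -> Quarantined and deleted successfully.
C:\\_OTL\\MovedFiles\\05032010_130330\\C_ProgramData\\humopase\\humopase.exe (Rootkit.Dropper) -> Quarantined and deleted successfully.
C:\\Windows\\System32\\config\\systemprofile\\Desktop\\ACommander.lnk (Rogue.ACommander) -> No action taken.
"""


def parse_mbam_log(text):
    """Return (summary, detections): summary maps section -> declared count,
    detections maps section -> list of {item, family, action} dicts."""
    summary = {}
    detections = OrderedDict((s, []) for s in SECTIONS)
    current = None  # section whose itemized entries we are reading
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SUMMARY_RE.match(line)
        if m and m.group("section") in SECTIONS:
            summary[m.group("section")] = int(m.group("count"))
            continue
        m = HEADER_RE.match(line)
        if m and m.group("section") in SECTIONS:
            current = m.group("section")
            continue
        if current is None or line.startswith("(No malicious items"):
            continue
        m = DETECTION_RE.match(line)
        if m:
            detections[current].append(m.groupdict())
        else:
            # Unexpected line inside a section: keep it visible instead of dropping it.
            detections[current].append({"item": line, "family": "?", "action": "?"})
    return summary, detections


def check_counts(summary, detections):
    """Sections whose declared count differs from the itemized entries (truncated paste, etc.)."""
    return [(s, summary.get(s, 0), len(items))
            for s, items in detections.items() if summary.get(s, 0) != len(items)]


def unresolved(detections):
    """Entries not reported as 'Quarantined and deleted successfully' (need follow-up)."""
    return [(s, d["item"], d["action"]) for s, items in detections.items() for d in items
            if not d["action"].lower().startswith("quarantined and deleted successfully")]


def families(detections):
    """Detections per family name, most frequent first."""
    counts = {}
    for items in detections.values():
        for d in items:
            counts[d["family"]] = counts.get(d["family"], 0) + 1
    return dict(sorted(counts.items(), key=lambda kv: (-kv[1], kv[0])))


if __name__ == "__main__":
    summary, detections = parse_mbam_log(SAMPLE_LOG)
    print("count mismatches:", check_counts(summary, detections))
    print("families:", families(detections))
    for section, item, action in unresolved(detections):
        print("follow up:", section, item, action)
```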



#13 Maurice Naggar

Maurice Naggar

    Eradicator de malware


  • Malware Response Team
  • 1,088 posts
  • OFFLINE
  • Gender:Male
  • Location:USA
  • Local time:09:34 PM

Posted 04 May 2010 - 06:48 PM

MBAM did a super job of cleaning out some other malware, such as the rogue ACommander. And it got the last of AKM Antivirus. Combofix did not find anything new; however, I will have you use it to do an additional cleanup and a look-see.

I will rely on you to sort out how to set or reset your antivirus program.

You will want to print out or copy these instructions to Notepad for offline reference!
If you are a casual viewer, do NOT try this on your system!
If you are not danthro and have a similar problem, do NOT post here; start your own topic


Do not run or start any other programs while these utilities and tools are in use!
Do NOT run any other tools on your own or do any fixes other than what is listed here.
If you have questions, please ask before you do something on your own.
But it is important that you get going on these following steps.
=
Close any of your open programs while you run these tools.

1. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

2. Open notepad and copy/paste the text in the quotebox below into it:

QUOTE
Folder::
C:\Windows\System32\config\systemprofile\AppData\Roaming\ACommander

DirLook::
c:\programdata\nepusenu
c:\users\Bames\AppData\Roaming\scdata
c:\users\Bames\AppData\Local\rlxnwjokg


Save this as CFScript.txt, in the same location as ComboFix.exe on your Desktop.

Referring to the picture above, drag CFScript and drop onto ComboFix.exe (red lion icon)

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
~Maurice Naggar
MS-MVP (Oct 2002 - Sept 2010)

#14 danthro

danthro
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:10:34 PM

Posted 04 May 2010 - 08:35 PM

Dear Maurice Naggar,

The latest Combofix log is pasted below. Let me know what's next.

Thank you!

danthro


ComboFix 10-05-04.03 - Bames 05/04/2010 20:28:36.3.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3062.1925 [GMT -4:00]
Running from: c:\users\Bames\Desktop\ComboFix.exe
Command switches used :: c:\users\Bames\Desktop\CFScript.txt
AV: VirusScan Enterprise + AntiSpyware Enterprise *On-access scanning disabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
SP: Spybot - Search and Destroy *disabled* (Updated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: VirusScan Enterprise + AntiSpyware Enterprise *disabled* (Updated) {24E45799-D058-4314-AC5D-1B2EE5C3151F}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((( Files Created from 2010-04-05 to 2010-05-05 )))))))))))))))))))))))))))))))
.

2010-05-05 00:39 . 2010-05-05 00:39 -------- d-----w- c:\users\Bames\AppData\Local\temp
2010-05-05 00:39 . 2010-05-05 00:39 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-05-05 00:39 . 2010-05-05 00:39 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-05-03 20:41 . 2010-05-03 20:41 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-05-02 04:14 . 2010-05-02 04:14 -------- d-----w- c:\windows\Sun
2010-05-01 19:28 . 2010-05-01 19:28 -------- d-----w- c:\program files\ESET
2010-05-01 19:17 . 2010-05-01 19:17 -------- d-----w- C:\_OTL
2010-05-01 18:47 . 2010-05-01 18:48 -------- d-----w- c:\program files\ERUNT
2010-04-29 12:31 . 2010-04-29 12:31 119808 ----a-w- c:\users\Bames\AppData\Roaming\Microsoft\Internet Explorer\novavapps.exe
2010-04-29 12:30 . 2010-04-29 12:30 -------- d-----w- c:\programdata\nepusenu
2010-04-29 05:55 . 2010-04-29 05:57 -------- d-----w- c:\users\Bames\AppData\Local\jZip
2010-04-29 05:55 . 2010-04-29 05:55 -------- d-----w- c:\program files\jZip
2010-04-29 02:34 . 2010-04-29 02:34 388096 ----a-r- c:\users\Bames\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-04-29 00:35 . 2010-05-01 20:22 -------- d-----w- c:\users\Bames\AppData\Roaming\scdata
2010-04-28 23:15 . 2010-04-28 23:15 -------- d-----w- c:\users\Bames\AppData\Roaming\Malwarebytes
2010-04-28 23:12 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-28 23:12 . 2010-04-28 23:12 -------- d-----w- c:\programdata\Malwarebytes
2010-04-28 23:12 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-28 23:12 . 2010-05-04 15:50 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-28 22:16 . 2010-04-28 22:16 -------- d-----w- c:\users\Bames\AppData\Local\rlxnwjokg
2010-04-28 21:32 . 2010-04-30 17:01 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2010-04-28 21:32 . 2010-04-28 21:32 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-04-26 18:37 . 2010-04-26 18:37 -------- d-----w- c:\program files\JRE
2010-04-25 03:34 . 2010-04-28 00:52 -------- d-----w- c:\users\Bames\AppData\Roaming\vlc
2010-04-23 01:12 . 2010-04-23 01:12 690952 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
2010-04-22 16:47 . 2010-04-22 16:47 143976 ----a-w- c:\users\Bames\AppData\Roaming\Move Networks\uninstall.exe
2010-04-15 01:58 . 2010-02-23 11:10 79360 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
2010-04-15 01:57 . 2010-02-23 11:10 212992 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2010-04-15 01:57 . 2010-02-23 11:10 106496 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-04-15 01:57 . 2010-02-18 14:07 3548040 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-04-15 01:57 . 2010-02-18 14:07 3600776 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-04-15 01:57 . 2010-03-05 14:01 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-04-15 01:57 . 2010-02-18 14:07 904576 ----a-w- c:\windows\system32\drivers\tcpip.sys
2010-04-15 01:57 . 2010-02-18 13:30 200704 ----a-w- c:\windows\system32\iphlpsvc.dll
2010-04-15 01:57 . 2010-02-18 11:28 25088 ----a-w- c:\windows\system32\drivers\tunnel.sys
2010-04-14 08:29 . 2009-12-23 11:33 172032 ----a-w- c:\windows\system32\wintrust.dll
2010-04-14 08:29 . 2010-01-13 17:34 98304 ----a-w- c:\windows\system32\cabview.dll
2010-04-11 20:21 . 2010-04-11 20:21 -------- d-----w- c:\program files\Common Files\Deterministic Networks
2010-04-11 20:21 . 2010-04-11 20:21 -------- d-----w- c:\program files\Cisco Systems
2010-04-11 07:00 . 2010-04-11 07:00 -------- d-----w- c:\program files\MSXML 4.0
2010-04-10 23:49 . 2010-04-10 23:49 3584 ----a-r- c:\users\Bames\AppData\Roaming\Microsoft\Installer\{121634B0-2F4B-11D3-ADA3-00C04F52DD52}\Icon386ED4E3.exe
2010-04-10 23:49 . 2010-04-10 23:49 -------- d-----w- c:\program files\Windows Installer Clean Up
2010-04-10 23:48 . 2010-04-10 23:48 -------- d-----w- c:\program files\MSECACHE
2010-04-10 17:27 . 2010-04-10 17:27 -------- d-----w- c:\program files\Recuva
2010-04-10 14:02 . 2009-07-17 03:12 82432 ----a-w- c:\windows\system32\msxml4r.dll
2010-04-10 14:02 . 2009-07-17 03:12 44544 ----a-w- c:\windows\system32\msxml4a.dll
2010-04-10 14:02 . 2010-04-10 14:04 -------- d-----w- c:\program files\File Recover

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-04 18:34 . 2009-01-30 18:30 1 ----a-w- c:\users\Bames\AppData\Roaming\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2010-05-03 20:53 . 2008-06-11 08:04 -------- d-----w- c:\program files\Java
2010-05-03 20:53 . 2008-06-11 08:04 -------- d-----w- c:\program files\Common Files\Java
2010-05-03 17:03 . 2009-03-10 03:39 -------- d-----w- c:\program files\uTorrent
2010-05-02 05:51 . 2009-12-04 00:29 -------- d-----w- c:\program files\Paint.NET
2010-05-01 19:58 . 2009-06-09 02:20 -------- d-----w- c:\program files\My Lockbox
2010-04-29 15:32 . 2008-08-26 01:34 9156 ----a-w- c:\users\Bames\AppData\Roaming\wklnhst.dat
2010-04-29 12:31 . 2010-04-29 12:31 0 ----a-w- c:\users\Bames\AppData\Roaming\extra1.dat
2010-04-27 19:43 . 2008-08-20 02:17 80704 ----a-w- c:\users\Bames\AppData\Local\GDIPFONTCACHEV1.DAT
2010-04-26 18:37 . 2009-01-30 18:27 -------- d-----w- c:\program files\OpenOffice.org 3
2010-04-22 16:47 . 2009-04-09 05:27 -------- d-----w- c:\users\Bames\AppData\Roaming\Move Networks
2010-04-22 16:47 . 2009-10-15 00:50 5642688 ----a-w- c:\users\Bames\AppData\Roaming\Move Networks\plugins\npqmp071701000002.dll
2010-04-15 07:20 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-04-11 02:59 . 2008-06-11 08:00 -------- d-----w- c:\programdata\Microsoft Help
2010-04-11 02:46 . 2009-01-28 06:23 -------- d-----w- c:\users\Bames\AppData\Roaming\EndNote
2010-03-12 15:31 . 2010-03-12 15:31 -------- d-----w- c:\programdata\Driver Whiz
2010-02-28 13:19 . 2010-02-28 13:19 2560 ----a-w- c:\windows\_MSRSTRT.EXE
2010-02-28 02:58 . 2010-02-27 23:02 60 ----a-w- c:\windows\wpd99.drv
2010-02-27 23:02 . 2010-02-27 23:02 51716 ----a-w- c:\windows\system32\pdf995mon.dll
2010-02-27 23:02 . 2010-02-27 23:02 249856 ----a-w- c:\windows\system32\pdfmona.dll
2010-02-24 14:16 . 2009-10-03 13:30 181632 ------w- c:\windows\system32\MpSigStub.exe
2010-02-23 06:39 . 2010-03-31 08:07 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-23 06:33 . 2010-03-31 08:07 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-02-23 06:33 . 2010-03-31 08:07 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-02-23 04:55 . 2010-03-31 08:07 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2010-02-20 23:06 . 2010-03-10 08:01 24064 ----a-w- c:\windows\system32\nshhttp.dll
2010-02-20 23:05 . 2010-03-10 08:01 30720 ----a-w- c:\windows\system32\httpapi.dll
2010-02-20 20:53 . 2010-03-10 08:01 411648 ----a-w- c:\windows\system32\drivers\http.sys
2010-02-19 23:47 . 2010-02-19 23:47 3604480 ----a-w- c:\windows\system32\GPhotos.scr
2009-08-20 08:15 . 2009-08-20 08:15 135630545 ----a-w- c:\program files\openofficeorg1.cab
2009-08-20 08:13 . 2009-08-20 08:13 9815040 ----a-w- c:\program files\openofficeorg31.msi
2009-08-19 08:31 . 2009-08-19 08:31 336 ----a-w- c:\program files\setup.ini
2002-03-11 09:06 . 2002-03-11 09:06 1822520 ----a-w- c:\program files\instmsiw.exe
2002-03-11 08:45 . 2002-03-11 08:45 1708856 ----a-w- c:\program files\instmsia.exe
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
---- Directory of c:\programdata\nepusenu ----


---- Directory of c:\users\Bames\AppData\Local\rlxnwjokg ----


---- Directory of c:\users\Bames\AppData\Roaming\scdata ----

2010-04-30 00:35 . 2008-11-21 18:57 119 ----a-w- c:\users\Bames\AppData\Roaming\scdata\images\wt3.gif
2010-04-30 00:35 . 2008-11-21 18:57 51 ----a-w- c:\users\Bames\AppData\Roaming\scdata\images\wt2.gif
2010-04-30 00:35 . 2008-11-21 18:57 176 ----a-w- c:\users\Bames\AppData\Roaming\scdata\images\wt1.gif
2010-04-30 00:35 . 2009-10-09 17:19 27136 ----a-w- c:\users\Bames\AppData\Roaming\scdata\images\word.doc
2010-04-30 00:35 . 2008-11-27 20:34 1912 ----a-w- c:\users\Bames\AppData\Roaming\scdata\images\w3.jpg
2010-04-30 00:35 . 2008-11-21 18:56 47 ----a-w- c:\users\Bames\AppData\Roaming\scdata\images\w2.gif
2010-04-30 00:35 . 2008-11-21 19:08 3431 ----a-w- c:\users\Bames\AppData\Roaming\scdata\images\w11.gif
2010-04-30 00:35 . 2008-11-21 18:56 3028 ----a-w- c:\users\Bames\AppData\Roaming\scdata\images\w1.gif
2010-04-30 00:35 . 2008-11-21 18:29 696 ----a-w- c:\users\Bames\AppData\Roaming\scdata\images\up2.gif
2010-04-30 00:35 . 2008-11-21 18:28 5568 ----a-w- c:\users\Bames\AppData\Roaming\scdata\images\up1.gif
2010-04-30 00:35 . 2009-10-19 18:02 36864 --sha-w- c:\users\Bames\AppData\Roaming\scdata\images\Thumbs.db
2010-04-30 00:35 . 2008-11-21 19:17 1015 ----a-w- c:\users\Bames\AppData\Roaming\scdata\images\t2.gif
2010-04-30 00:35 . 2008-11-21 18:47 621 ----a-w- c:\users\Bames\AppData\Roaming\scdata\images\t1.gif
2010-04-30 00:35 . 2008-11-21 19:44 70 ----a-w- c:\users\Bames\AppData\Roaming\scdata\images\pix.gif
2010-04-30 00:35 . 2008-11-21 18:40 468 ----a-w- c:\users\Bames\AppData\Roaming\scdata\images\l3.gif
2010-04-30 00:35 . 2008-11-21 18:39 92 ----a-w- c:\users\Bames\AppData\Roaming\scdata\images\l2.gif
2010-04-30 00:35 . 2008-11-21 18:39 3749 ----a-w- c:\users\Bames\AppData\Roaming\scdata\images\l1.gif
2010-04-30 00:35 . 2008-11-21 19:40 105 ----a-w- c:\users\Bames\AppData\Roaming\scdata\images\jj3.gif
2010-04-30 00:35 . 2008-11-21 19:14 48 ----a-w- c:\users\Bames\AppData\Roaming\scdata\images\jj2.gif
2010-04-30 00:35 . 2008-11-21 19:14 114 ----a-w- c:\users\Bames\AppData\Roaming\scdata\images\jj1.gif
2010-04-30 00:35 . 2008-11-27 20:33 3857 ----a-w- c:\users\Bames\AppData\Roaming\scdata\images\j3.gif
2010-04-30 00:35 . 2008-11-21 19:12 47 ----a-w- c:\users\Bames\AppData\Roaming\scdata\images\j2.gif
2010-04-30 00:35 . 2008-11-21 19:12 3957 ----a-w- c:\users\Bames\AppData\Roaming\scdata\images\j1.gif
2010-04-30 00:35 . 2008-11-21 19:17 1689 ----a-w- c:\users\Bames\AppData\Roaming\scdata\images\i3.gif
2010-04-30 00:35 . 2008-11-21 19:17 1663 ----a-w- c:\users\Bames\AppData\Roaming\scdata\images\i2.gif
2010-04-30 00:35 . 2008-11-21 19:17 1744 ----a-w- c:\users\Bames\AppData\Roaming\scdata\images\i1.gif


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-07-12 178712]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-04-26 865840]
"Camera Assistant Software"="c:\program files\Camera Assistant Software for Gateway\traybar.exe" [2007-09-13 638976]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-12 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-12 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-12 133656]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-08-13 177440]
"SigmatelSysTrayApp"="sttray.exe" [2007-09-07 405504]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-09-05 417792]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-04-29 1090952]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Launcher"="c:\windows\SMINST\launcher.exe" [2008-01-19 40072]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
VPN Client.lnk - c:\windows\Installer\{21E247D4-5E27-4BEA-AA4D-19A81203FE2A}\Icon3E5562ED7.ico [2010-4-11 6144]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"mixer"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(cool.gif:0e,5d,cf,95,55,38,ca,01

R3 NETw2v32;Intel® PRO/Wireless 2200BG Network Connection Driver for Windows Vista;c:\windows\system32\DRIVERS\NETw2v32.sys [2006-11-02 2589184]
S0 FSProFilter;FSPro File Filter;c:\windows\System32\Drivers\FSPFltd.sys [2008-06-06 43792]
S2 fsproflt;FSPro Filter Service;c:\windows\system32\fsproflt.exe [2009-05-03 73392]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
S2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652]
S3 NETw5v32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\DRIVERS\NETw5v32.sys [2008-11-17 3668480]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder

2010-05-05 c:\windows\Tasks\User_Feed_Synchronization-{824C22FA-78C1-492F-B927-1B11838D9F20}.job
- c:\windows\system32\msfeedssync.exe [2010-03-31 04:54]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uDefault_Search_URL = hxxp://www.google.com/ie
mStart Page = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&SubCH=BB&Br=GTW&Loc=ENG_US&Sys=PTB&M=M-6843
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\users\Bames\AppData\Roaming\Mozilla\Firefox\Profiles\xaxowqkp.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.bleepingcomputer.com/forums/topic313471.html
FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
FF - plugin: c:\users\Bames\AppData\Roaming\Move Networks\plugins\npqmp071701000002.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-04 20:39
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-771374111-2616422062-1020362605-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*U%*%R*]
@Class="Shell"

[HKEY_USERS\S-1-5-21-771374111-2616422062-1020362605-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*U%*%R*\OpenWithList]
@Class="Shell"

[HKEY_USERS\S-1-5-21-771374111-2616422062-1020362605-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*X%%i%]
@Class="Shell"

[HKEY_USERS\S-1-5-21-771374111-2616422062-1020362605-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*X%%i%\OpenWithList]
@Class="Shell"
"a"="NOTEPAD.EXE"
"MRUList"="a"

[HKEY_USERS\S-1-5-21-771374111-2616422062-1020362605-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*X%%i%\OpenWithProgids]
"++-_auto_file"=hex(0):

[HKEY_USERS\S-1-5-21-771374111-2616422062-1020362605-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*[%6**%]
@Class="Shell"

[HKEY_USERS\S-1-5-21-771374111-2616422062-1020362605-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*[%6**%\OpenWithList]
@Class="Shell"

[HKEY_USERS\S-1-5-21-771374111-2616422062-1020362605-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.*X%%i%]
@Allowed: (Read) (RestrictedCode)
"0"=hex:3b,00,13,00,44,00,1a,00,71,00,66,25,f1,00,54,00,2e,00,58,25,18,25,69,
25,00,00,62,00,36,00,00,00,00,00,00,00,00,00,00,00,3b,00,44,00,71,00,66,25,\
"MRUListEx"=hex:00,00,00,00,ff,ff,ff,ff

[HKEY_USERS\S-1-5-21-771374111-2616422062-1020362605-1000_Classes\.*X%%i%]
@Allowed: (Read) (RestrictedCode)
@="++-_auto_file"

[HKEY_USERS\S-1-5-21-771374111-2616422062-1020362605-1000_Classes\X%%i%_*a*u*t*o*_*f*i*l*e*\shell\edit\command]
@=expand:"%SystemRoot%\\system32\\NOTEPAD.EXE %1"

[HKEY_USERS\S-1-5-21-771374111-2616422062-1020362605-1000_Classes\X%%i%_*a*u*t*o*_*f*i*l*e*\shell\open\command]
@=expand:"%SystemRoot%\\system32\\NOTEPAD.EXE %1"
DUMPHIVE0.003 (REGF)

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
Completion time: 2010-05-04 20:44:06
ComboFix-quarantined-files.txt 2010-05-05 00:44
ComboFix2.txt 2010-05-04 17:46
ComboFix3.txt 2010-05-03 18:00

Pre-Run: 91,495,829,504 bytes free
Post-Run: 91,452,710,912 bytes free

- - End Of File - - AF91D971EA851A4371E2D5273E836B66


#15 Maurice Naggar

    Eradicator de malware

  • Malware Response Team
  • 1,088 posts
  • Gender:Male
  • Location:USA

Posted 04 May 2010 - 10:44 PM

There are 2 folders that need removal. I'll have you use OTL to do that.
  • Please Right-click OTL.exe and choose Run As Administrator to start it.
  • Copy all the lines in between the **** stars lines **** below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    *****************************************************************
    :files
    c:\programdata\nepusenu
    c:\users\Bames\AppData\Local\rlxnwjokg

    *****************************************************************
  • Return to OTL. Right click in the "Custom Scans/Fixes" window (under the aqua-blue bar) and choose Paste.
  • Close any browser(s) windows that may be open.
  • Using your mouse, click on the red-lettered button Run Fix.
  • Once you see a message box "Fix complete! Click OK to open the fix log."
    Click the OK button
  • The log will open in Notepad (your default text editor).
  • I do not need to see this log
Your Adobe Reader is out of date and poses a security risk. De-install your Adobe Reader and get the latest version from http://get.adobe.com/reader/

If you have a problem with these steps, or something does not quite work here, do let me know.
We are done hunting for and removing malware.

The following few steps will remove tools we used; followed by advice on staying safer.

We have to remove Combofix and all its associated folders. By whichever name you named it (combofix.exe), put that name in the RUN box stated just below.
The "/uninstall" in the command line below is to start Combofix for its cleanup & removal function.
Note the space after exe and before the slash mark.
The utility must be removed to prevent any unintentional or accidental usage, PLUS, to free up much space on your hard disk.
  • Click Start, click All Programs, click Accessories, right-click Command Prompt, and then click Run as administrator.

    In the command box that opens, type or copy/paste
    c:\users\Bames\Desktop\ComboFix.exe /uninstall
    and then press ENTER key.
  • Please RIGHT-click OTL.exe and select Run As Administrator to start it.
  • Click on the CleanUp! button at upper Right corner. When you do this a text file named cleanup.txt will be downloaded from the internet. If you get a warning from your firewall or other security programs regarding OTL attempting to contact the internet you should allow it to do so. After the list has been downloaded you'll be asked if you want to Begin cleanup process? Select Yes.
  • This step removes the files, folders, and shortcuts created by the tools I had you download and run.
Start button > in Start menu -- Control Panel > Uninstall a Program (listed under Programs).
{In Classic view, double click Program and features}.

Look for ESET Online Scanner
Select Change/Remove to de-install it.
Un-install Eset online scan.

Also un-install Kaspersky Online
OK & Exit out of Control Panel

We are finished here. Best regards.

Edited by Maurice Naggar, 04 May 2010 - 10:46 PM.

~Maurice Naggar
MS-MVP (Oct 2002 - Sept 2010)
