
COPYRIGHT VIOLATION NOTICE VIRUS - OTL.TXT File


  • This topic is locked
55 replies to this topic

#1 hoorock89

hoorock89

  • Members
  • 32 posts
  • OFFLINE
  • Local time:02:39 AM

Posted 29 April 2010 - 01:29 PM

Follow-Up post from the topic below:

http://www.bleepingcomputer.com/forums/ind...p;#entry1736531

I have run the solution and have the contents of the OTL.txt file attached. I'm looking for help with the next step in clearing this virus from my system. Thanks in advance for helping.

After a little work, I was able to boot Malwarebytes' Anti-Malware and run a full system scan. The results are attached below. I still am not able to remove some of the spyware that was loaded on my PC. I'm getting something called AntiMalwareDoctor and AKM AntiVirus 2010 Pro and these programs continue to display popups from my system tray. Please help! Thank you.

Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org

Database version: 3930

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

4/30/2010 4:07:47 PM
mbam-log-2010-04-30 (16-07-47).txt

Scan type: Full scan (C:|D:|)
Objects scanned: 161994
Time elapsed: 12 minute(s), 6 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 3
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tunoyaseji (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\bhooper\Desktop\nudetube.com.lnk (Rogue.Link) -> Quarantined and deleted successfully.
C:\Documents and Settings\bhooper\Desktop\pornotube.com.lnk (Rogue.Link) -> Quarantined and deleted successfully.
C:\Documents and Settings\bhooper\Desktop\youporn.com.lnk (Rogue.Link) -> Quarantined and deleted successfully.

Attached Files

  • Attached File  OTL.Txt   84.46KB   15 downloads

Edited by Budapest, 30 April 2010 - 04:06 PM.
Posts merged ~BP




#2 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:07:39 AM

Posted 03 May 2010 - 03:14 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Options box to the right of your topic title and selecting Track This Topic.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

----------------------------------------------

Please run Combofix

Please download ComboFix from one of these locations:* IMPORTANT !!! Save ComboFix.exe to your Desktop making sure you rename it comfix.exe
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Comfix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
m0le is a proud member of UNITE

#3 hoorock89

hoorock89
  • Topic Starter

  • Members
  • 32 posts
  • OFFLINE
  • Local time:02:39 AM

Posted 03 May 2010 - 06:07 PM

Thanks for the response, m0le. I ran another OTL log since my issue is a little bit different looking now. I am currently not able to access the desktop because a "Control Center" pops up that looks like an anti-virus program and blocks access to anything, including my Task Manager. The new log is below.

OTL logfile created on: 5/3/2010 7:00:25 PM - Run
OTLPE by OldTimer - Version 3.1.38.0 Folder = X:\Programs\OTLPE
Microsoft Windows XP Service Pack 3 (Version = 5.1.2600) - Type = SYSTEM
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 87.00% Memory free
2.00 Gb Paging File | 2.00 Gb Available in Paging File | 96.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 97.66 Gb Total Space | 86.37 Gb Free Space | 88.43% Space Free | Partition Type: NTFS
Drive D: | 1.89 Gb Total Space | 0.00 Gb Free Space | 0.19% Space Free | Partition Type: FAT32
Drive E: | 200.43 Gb Total Space | 196.86 Gb Free Space | 98.22% Space Free | Partition Type: NTFS
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded
Drive X: | 429.27 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS

Computer Name: REATOGO
Current User Name: SYSTEM
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard
Using ControlSet: ControlSet002

========== Win32 Services (SafeList) ==========

SRV - File not found [Auto] -- -- (COMServer)
SRV - [2009/08/06 13:23:13 | 000,654,848 | ---- | M] (Macrovision Europe Ltd.) [On_Demand] -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand] -- -- (WDICA)
DRV - File not found [Kernel | On_Demand] -- -- (PDRFRAME)
DRV - File not found [Kernel | On_Demand] -- -- (PDRELI)
DRV - File not found [Kernel | On_Demand] -- -- (PDFRAME)
DRV - File not found [Kernel | On_Demand] -- -- (PDCOMP)
DRV - File not found [Kernel | System] -- -- (PCIDump)
DRV - File not found [Kernel | System] -- -- (lbrtfdc)
DRV - File not found [Kernel | System] -- -- (i2omgmt)
DRV - File not found [Kernel | Boot] -- -- (dgvbo)
DRV - File not found [Kernel | System] -- -- (Changer)
DRV - [2010/04/27 18:30:10 | 000,061,440 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System] -- C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS -- (SASKUTIL)
DRV - [2010/02/17 12:25:50 | 000,012,872 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System] -- C:\Program Files\SUPERAntiSpyware\sasdifsv.sys -- (SASDIFSV)
DRV - [2008/09/02 18:08:28 | 004,812,288 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\RtkHDAud.sys -- (IntcAzAudAddService) Service for Realtek HD Audio (WDM)
DRV - [2008/04/14 01:15:14 | 000,060,032 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\USBAUDIO.sys -- (usbaudio) USB Audio Driver (WDM)
DRV - [2008/04/13 17:06:06 | 000,144,384 | ---- | M] (Windows ® Server 2003 DDK provider) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\hdaudbus.sys -- (HDAudBus)
DRV - [2007/12/05 19:54:42 | 000,020,400 | ---- | M] (Cisco Systems) [Kernel | Auto] -- C:\WINDOWS\system32\drivers\Ndiscdp.sys -- (Ndiscdp)
DRV - [2007/05/09 17:28:26 | 000,041,504 | ---- | M] (Logitech Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\LVUSBSta.sys -- (LVUSBSta)
DRV - [2007/05/09 17:22:32 | 001,075,360 | ---- | M] (Logitech Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\Camdrl.sys -- (CamDrL) Logitech QuickCam Pro 3000(CamDrl)
DRV - [2007/04/16 22:16:26 | 005,760,096 | ---- | M] (Intel Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\igxpmp32.sys -- (ialm)
DRV - [2007/04/13 21:33:34 | 000,254,872 | ---- | M] (Intel Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\e1e5132.sys -- (e1express) Intel®
DRV - [2004/08/22 17:31:48 | 000,005,248 | ---- | M] ( ) [Kernel | Boot] -- C:\WINDOWS\system32\drivers\d347prt.sys -- (d347prt)
DRV - [2004/08/22 17:31:10 | 000,155,136 | ---- | M] ( ) [Kernel | Boot] -- C:\WINDOWS\system32\drivers\d347bus.sys -- (d347bus)
DRV - [2001/08/23 07:00:00 | 000,008,832 | ---- | M] () [Kernel | System] -- C:\WINDOWS\system32\drivers\rasacd.sys -- (RasAcd)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========



IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\Administrator.UNIFIEDCONCEPTS_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/
IE - HKU\Administrator.UNIFIEDCONCEPTS_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
IE - HKU\Administrator.UNIFIEDCONCEPTS_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = C0 96 D5 9E 59 14 CA 01 [binary data]
IE - HKU\Administrator.UNIFIEDCONCEPTS_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\Administrator_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\bhooper_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/
IE - HKU\bhooper_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
IE - HKU\bhooper_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = C9 F7 CD 8C C3 D5 CA 01 [binary data]
IE - HKU\bhooper_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
IE - HKU\bhooper_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>
IE - HKU\bhooper_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:5555



IE - HKU\pc_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

FF - HKLM\software\mozilla\Mozilla Firefox 3.6.3\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/04/30 16:51:18 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.3\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/04/05 11:07:34 | 000,000,000 | ---D | M]

[2010/04/27 12:43:24 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2009/09/08 12:24:02 | 000,028,488 | ---- | M] (WebEx Communications, Inc) -- C:\Program Files\Mozilla Firefox\plugins\atgpcdec.dll
[2009/09/08 12:24:02 | 000,185,232 | ---- | M] (WebEx Communications, Inc) -- C:\Program Files\Mozilla Firefox\plugins\atgpcext.dll
[2009/11/03 16:57:58 | 000,046,408 | ---- | M] () -- C:\Program Files\Mozilla Firefox\plugins\atmccli.dll
[2009/11/03 16:58:00 | 000,099,216 | ---- | M] (WebEx Communications, Inc) -- C:\Program Files\Mozilla Firefox\plugins\ieatgpc.dll
[2009/09/08 12:24:01 | 000,061,840 | ---- | M] (WebEx Communications, Inc) -- C:\Program Files\Mozilla Firefox\plugins\npatgpc.dll

O1 HOSTS File: ([2007/08/11 02:58:33 | 000,000,768 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 127.0.0.1 mpa.one.microsoft.com
O2 - BHO: (no name) - {c8cc92c5-1a60-4916-8247-acd38dc2cf55} - File not found
O3 - HKLM\..\Toolbar: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKU\bhooper_ON_C\..\Toolbar\WebBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O4 - HKLM..\Run: [] File not found
O4 - HKLM..\Run: [Acrobat Assistant 8.0] C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe (Adobe Systems Inc.)
O4 - HKLM..\Run: [Alcmtr] C:\WINDOWS\ALCMTR.EXE (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [asam] C:\Documents and Settings\bhooper\Local Settings\Application Data\asam.exe ()
O4 - HKLM..\Run: [DAEMON Tools-1033] D:\D-Tools\daemon.exe File not found
O4 - HKLM..\Run: [klxmhmqu] C:\Documents and Settings\bhooper\Local Settings\Application Data\cqkyhkdwf\fwbqqlbtssd.exe ()
O4 - HKLM..\Run: [RNmail] C:\Program Files\RNmail\rn.exe (ReadNotify.com Limited)
O4 - HKLM..\Run: [tunoyaseji] File not found
O4 - HKU\bhooper_ON_C..\Run: [ccagent.exe] C:\Documents and Settings\bhooper\Application Data\ACommander\ccagent.exe ()
O4 - HKU\bhooper_ON_C..\Run: [Cisco Unified Personal Communicator] C:\Program Files\Cisco Systems\Cisco Unified Personal Communicator\CUPCK9.EXE (Cisco Systems, Inc.)
O4 - HKU\bhooper_ON_C..\Run: [klxmhmqu] C:\Documents and Settings\bhooper\Local Settings\Application Data\cqkyhkdwf\fwbqqlbtssd.exe ()
O4 - HKU\bhooper_ON_C..\Run: [sysmon64x.exe] C:\Documents and Settings\bhooper\Local Settings\Temp\sysmon64x.exe (Microsoft Corporation)
O4 - HKU\LocalService_ON_C..\Run: [tunoyaseji] File not found
O4 - HKU\NetworkService_ON_C..\Run: [tunoyaseji] File not found
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Cisco Unified Video Advantage.lnk = C:\Program Files\Cisco Systems\Cisco Unified Video Advantage\VideoAdvantage.exe (Cisco Systems Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe (Microsoft Corporation)
O4 - Startup: C:\Documents and Settings\bhooper\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE (Microsoft Corporation)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Main present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableTaskMgr = 1
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\Administrator.UNIFIEDCONCEPTS_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\Administrator_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\bhooper_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\bhooper_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableTaskMgr = 1
O7 - HKU\LocalService_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\NetworkService_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\pc_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O9 - Extra Button: Active Tracker - {217CCFE3-21DE-4559-B11A-BC8840EB15DD} - C:\Program Files\RNmail\RN_IE_Add_On.dll ()
O9 - Extra 'Tools' menuitem : Active Tracker... - {217CCFE3-21DE-4559-B11A-BC8840EB15DD} - C:\Program Files\RNmail\RN_IE_Add_On.dll ()
O9 - Extra Button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} http://support.dell.com/systemprofiler/SysPro.CAB (SysProWmi Class)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.microsoft.com/windowsupdate/...b?1249313118671 (WUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_13)
O16 - DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_13)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_13)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab (Shockwave Flash Object)
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} https://ciscosales.webex.com/client/T27L10N...ent/ieatgpc.cab (GpcContainer Class)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = UnifiedConcepts.com
O18 - Protocol\Handler\grooveLocalGWS {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll (Microsoft Corporation)
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)
O20 - AppInit_DLLs: (pijisebo.dll) - C:\WINDOWS\System32\pijisebo.dll ()
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKU\.DEFAULT Winlogon: Shell - (C:\Documents and Settings\bhooper\Application Data\ACommander\ccmain.exe) - C:\Documents and Settings\bhooper\Application Data\ACommander\ccmain.exe ()
O20 - HKU\bhooper_ON_C Winlogon: Shell - (C:\Documents and Settings\bhooper\Application Data\ACommander\ccmain.exe) - C:\Documents and Settings\bhooper\Application Data\ACommander\ccmain.exe ()
O20 - Winlogon\Notify\!SASWinLogon: DllName - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll (SUPERAntiSpyware.com)
O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\WINDOWS\System32\igfxdev.dll (Intel Corporation)
O24 - Desktop WallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
O24 - Desktop BackupWallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
O28 - HKLM ShellExecuteHooks: {56F9679E-7826-4C84-81F3-532071A8BCC5} - C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll (Microsoft Corporation)
O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)
O28 - HKLM ShellExecuteHooks: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/08/03 10:56:11 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2006/03/24 07:06:41 | 000,000,053 | R--- | M] () - X:\AUTORUN.INF -- [ CDFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs: 6to4 - File not found
NetSvcs: Ias - C:\WINDOWS\system32\ias [2009/08/03 10:55:51 | 000,000,000 | ---D | M]
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: WmdmPmSp - File not found


SafeBootMin: Base - Driver Group
SafeBootMin: Boot Bus Extender - Driver Group
SafeBootMin: Boot file system - Driver Group
SafeBootMin: File system - Driver Group
SafeBootMin: Filter - Driver Group
SafeBootMin: PCI Configuration - Driver Group
SafeBootMin: PNP Filter - Driver Group
SafeBootMin: Primary disk - Driver Group
SafeBootMin: SCSI Class - Driver Group
SafeBootMin: sermouse.sys - Driver
SafeBootMin: System Bus Extender - Driver Group
SafeBootMin: vga.sys - Driver
SafeBootMin: {36FC9E60-C465-11CF-8056-444553540000} - Universal Serial Bus controllers
SafeBootMin: {4D36E965-E325-11CE-BFC1-08002BE10318} - CD-ROM Drive
SafeBootMin: {4D36E967-E325-11CE-BFC1-08002BE10318} - DiskDrive
SafeBootMin: {4D36E969-E325-11CE-BFC1-08002BE10318} - Standard floppy disk controller
SafeBootMin: {4D36E96A-E325-11CE-BFC1-08002BE10318} - Hdc
SafeBootMin: {4D36E96B-E325-11CE-BFC1-08002BE10318} - Keyboard
SafeBootMin: {4D36E96F-E325-11CE-BFC1-08002BE10318} - Mouse
SafeBootMin: {4D36E977-E325-11CE-BFC1-08002BE10318} - PCMCIA Adapters
SafeBootMin: {4D36E97B-E325-11CE-BFC1-08002BE10318} - SCSIAdapter
SafeBootMin: {4D36E97D-E325-11CE-BFC1-08002BE10318} - System
SafeBootMin: {4D36E980-E325-11CE-BFC1-08002BE10318} - Floppy disk drive
SafeBootMin: {71A27CDD-812A-11D0-BEC7-08002BE2092F} - Volume
SafeBootMin: {745A17A0-74D3-11D0-B6FE-00A0C90F57DA} - Human Interface Devices

SafeBootNet: Base - Driver Group
SafeBootNet: Boot Bus Extender - Driver Group
SafeBootNet: Boot file system - Driver Group
SafeBootNet: File system - Driver Group
SafeBootNet: Filter - Driver Group
SafeBootNet: NDIS Wrapper - Driver Group
SafeBootNet: NetBIOSGroup - Driver Group
SafeBootNet: NetDDEGroup - Driver Group
SafeBootNet: Network - Driver Group
SafeBootNet: NetworkProvider - Driver Group
SafeBootNet: PCI Configuration - Driver Group
SafeBootNet: PNP Filter - Driver Group
SafeBootNet: PNP_TDI - Driver Group
SafeBootNet: Primary disk - Driver Group
SafeBootNet: SCSI Class - Driver Group
SafeBootNet: sermouse.sys - Driver
SafeBootNet: Streams Drivers - Driver Group
SafeBootNet: System Bus Extender - Driver Group
SafeBootNet: TDI - Driver Group
SafeBootNet: vga.sys - Driver
SafeBootNet: {36FC9E60-C465-11CF-8056-444553540000} - Universal Serial Bus controllers
SafeBootNet: {4D36E965-E325-11CE-BFC1-08002BE10318} - CD-ROM Drive
SafeBootNet: {4D36E967-E325-11CE-BFC1-08002BE10318} - DiskDrive
SafeBootNet: {4D36E969-E325-11CE-BFC1-08002BE10318} - Standard floppy disk controller
SafeBootNet: {4D36E96A-E325-11CE-BFC1-08002BE10318} - Hdc
SafeBootNet: {4D36E96B-E325-11CE-BFC1-08002BE10318} - Keyboard
SafeBootNet: {4D36E96F-E325-11CE-BFC1-08002BE10318} - Mouse
SafeBootNet: {4D36E972-E325-11CE-BFC1-08002BE10318} - Net
SafeBootNet: {4D36E973-E325-11CE-BFC1-08002BE10318} - NetClient
SafeBootNet: {4D36E974-E325-11CE-BFC1-08002BE10318} - NetService
SafeBootNet: {4D36E975-E325-11CE-BFC1-08002BE10318} - NetTrans
SafeBootNet: {4D36E977-E325-11CE-BFC1-08002BE10318} - PCMCIA Adapters
SafeBootNet: {4D36E97B-E325-11CE-BFC1-08002BE10318} - SCSIAdapter
SafeBootNet: {4D36E97D-E325-11CE-BFC1-08002BE10318} - System
SafeBootNet: {4D36E980-E325-11CE-BFC1-08002BE10318} - Floppy disk drive
SafeBootNet: {71A27CDD-812A-11D0-BEC7-08002BE2092F} - Volume
SafeBootNet: {745A17A0-74D3-11D0-B6FE-00A0C90F57DA} - Human Interface Devices

ActiveX: {08B0E5C0-4FCB-11CF-AAA5-00401C608500} - Java (Sun)
ActiveX: {10072CEC-8CC1-11D1-986E-00A0C955B42F} - Vector Graphics Rendering (VML)
ActiveX: {2179C5D3-EBFF-11CF-B6FD-00AA00B4E220} - NetShow
ActiveX: {22d6f312-b0f6-11d0-94ab-0080c74c7e95} - Microsoft Windows Media Player 6.4
ActiveX: {283807B5-2C60-11D0-A31D-00AA00B92C03} - DirectAnimation
ActiveX: {2C7339CF-2B09-4501-B3F3-F3508C9228ED} - %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll
ActiveX: {36f8ec70-c29a-11d1-b5c7-0000f8051515} - Dynamic HTML Data Binding for Java
ActiveX: {3af36230-a269-11d1-b5bf-0000f8051515} - Offline Browsing Pack
ActiveX: {3bf42070-b3b1-11d1-b5c5-0000f8051515} - Uniscribe
ActiveX: {4278c270-a269-11d1-b5bf-0000f8051515} - Advanced Authoring
ActiveX: {44BBA840-CC51-11CF-AAFA-00AA00B6015C} - "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install
ActiveX: {44BBA842-CC51-11CF-AAFA-00AA00B6015B} - rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT
ActiveX: {44BBA848-CC51-11CF-AAFA-00AA00B6015C} - DirectShow
ActiveX: {44BBA855-CC51-11CF-AAFA-00AA00B6015F} - DirectDrawEx
ActiveX: {45ea75a0-a269-11d1-b5bf-0000f8051515} - Internet Explorer Help
ActiveX: {4f216970-c90c-11d1-b5c7-0000f8051515} - DirectAnimation Java Classes
ActiveX: {4f645220-306d-11d2-995d-00c04f98bbc9} - Microsoft Windows Script 5.7
ActiveX: {5056b317-8d4c-43ee-8543-b9d1e234b8f4} - Security Update for Windows XP (KB923789)
ActiveX: {5945c046-1e7d-11d1-bc44-00c04fd912be} - rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.QuietInstall.PerUser
ActiveX: {5A8D6EE0-3E18-11D0-821E-444553540000} - ICW
ActiveX: {5fd399c0-a70a-11d1-9948-00c04f98bbc9} - Internet Explorer Setup Tools
ActiveX: {630b1da0-b465-11d1-9948-00c04f98bbc9} - Browsing Enhancements
ActiveX: {6BF52A52-394A-11d3-B153-00C04F79FAA6} - Microsoft Windows Media Player
ActiveX: {6fab99d0-bab8-11d1-994a-00c04f98bbc9} - MSN Site Access
ActiveX: {73fa19d0-2d75-11d2-995d-00c04f98bbc9} - Web Folders
ActiveX: {7790769C-0471-11d2-AF11-00C04FA35D02} - "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install
ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4340} - regsvr32.exe /s /n /i:U shell32.dll
ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4383} - C:\WINDOWS\system32\ie4uinit.exe -BaseSettings
ActiveX: {89B4C1CD-B018-4511-B0A1-5476DBF70820} - C:\WINDOWS\system32\Rundll32.exe C:\WINDOWS\system32\mscories.dll,Install
ActiveX: {9381D8F2-0288-11D0-9501-00AA00B911A5} - Dynamic HTML Data Binding
ActiveX: {ACC563BC-4266-43f0-B6ED-9D38C4202C7E} -
ActiveX: {C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F} - .NET Framework
ActiveX: {C9E9A340-D1F1-11D0-821E-444553540600} - Internet Explorer Core Fonts
ActiveX: {CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1} - .NET Framework
ActiveX: {CC2A9BA0-3BDD-11D0-821E-444553540000} - Task Scheduler
ActiveX: {CDD7975E-60F8-41d5-8149-19E51D6F71D0} - Windows Movie Maker v2.1
ActiveX: {D27CDB6E-AE6D-11cf-96B8-444553540000} - Adobe Flash Player
ActiveX: {de5aed00-a4bf-11d1-9948-00c04f98bbc9} - HTML Help
ActiveX: {E92B03AB-B707-11d2-9CBD-0000F87A369E} - Active Directory Service Interface
ActiveX: {EC95C0F5-626F-EDA7-DA29-0F59893A4D7A} - Java (Sun)
ActiveX: {EF289A85-8E57-408d-BE47-73B55609861A} - RootsUpdate
ActiveX: <{12d0ed0d-0ee0-4f90-8827-78cefb8f4988} - C:\WINDOWS\system32\ieudinit.exe
ActiveX: >{22d6f312-b0f6-11d0-94ab-0080c74c7e95} - C:\WINDOWS\inf\unregmp2.exe /ShowWMP
ActiveX: >{26923b43-4d38-484f-9b9e-de460746276c} - C:\WINDOWS\system32\ie4uinit.exe -UserIconConfig
ActiveX: >{60B49E34-C7CC-11D0-8953-00A0C90347FF} - "C:\WINDOWS\system32\rundll32.exe" "C:\WINDOWS\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
ActiveX: >{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS - RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP
ActiveX: >{881dd1c5-3dcf-431b-b061-f3f88e8be88a} - %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE
ActiveX: Microsoft Base Smart Card Crypto Provider Package -

Drivers32: msacm.iac2 - C:\WINDOWS\system32\iac25_32.ax (Intel Corporation)
Drivers32: msacm.l3acm - C:\WINDOWS\system32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32: msacm.sl_anet - C:\WINDOWS\System32\sl_anet.acm (Sipro Lab Telecom Inc.)
Drivers32: msacm.trspch - C:\WINDOWS\System32\tssoft32.acm (DSP GROUP, INC.)
Drivers32: MSVideo - C:\WINDOWS\System32\vfwwdm32.dll (Microsoft Corporation)
Drivers32: MSVideo8 - C:\WINDOWS\System32\vfwwdm32.dll (Microsoft Corporation)
Drivers32: vidc.cvid - C:\WINDOWS\System32\iccvid.dll (Radius Inc.)
Drivers32: VIDC.I420 - C:\WINDOWS\System32\lvcodec2.dll (Logitech Inc.)
Drivers32: vidc.iv31 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv32 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv41 - C:\WINDOWS\System32\ir41_32.ax (Intel Corporation)
Drivers32: vidc.iv50 - C:\WINDOWS\System32\ir50_32.dll (Intel Corporation)

========== Files/Folders - Created Within 30 Days ==========

[2010/05/01 01:12:43 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\LocalService\IETldCache
[2010/04/30 22:36:39 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Macromedia
[2010/04/30 22:36:20 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Adobe
[2010/04/30 18:14:56 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia
[2010/04/30 18:14:54 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Adobe
[2010/04/30 18:10:15 | 000,000,000 | ---D | C] -- C:\Program Files\AKM Antivirus 2010 Pro
[2010/04/30 17:46:57 | 000,000,000 | ---D | C] -- C:\Documents and Settings\bhooper\Application Data\SUPERAntiSpyware.com
[2010/04/30 17:46:57 | 000,000,000 | ---D | C] -- C:\Program Files\SUPERAntiSpyware
[2010/04/30 17:45:58 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Wise Installation Wizard
[2010/04/30 16:35:42 | 000,000,000 | ---D | C] -- C:\Program Files\MalwareBytes
[2010/04/30 16:32:58 | 000,000,000 | -HSD | C] -- C:\WINDOWS\system32\config\systemprofile\PrivacIE
[2010/04/30 16:32:58 | 000,000,000 | -HSD | C] -- C:\WINDOWS\system32\config\systemprofile\IETldCache
[2010/04/30 13:31:29 | 000,000,000 | ---D | C] -- C:\_OTL
[2010/04/30 12:20:09 | 000,000,000 | ---D | C] -- C:\Malwarebytes' Anti-Malware
[2010/04/28 19:18:58 | 000,000,000 | ---D | C] -- C:\Program Files\MBAM
[2010/04/28 19:02:11 | 000,000,000 | ---D | C] -- C:\Documents and Settings\bhooper\Application Data\Malwarebytes
[2010/04/28 19:02:05 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/04/28 19:02:00 | 000,020,824 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/04/28 18:36:32 | 005,918,776 | ---- | C] (Malwarebytes Corporation ) -- C:\Documents and Settings\bhooper\Desktop\mbam-setup-1.45.exe
[2010/04/28 18:35:04 | 000,000,000 | R--D | C] -- C:\Documents and Settings\LocalService\Favorites
[2010/04/28 18:35:01 | 000,000,000 | ---D | C] -- C:\Program Files\scdata
[2010/04/28 18:23:12 | 000,000,000 | ---D | C] -- C:\Documents and Settings\bhooper\Application Data\ACommander
[2010/04/28 17:19:05 | 000,000,000 | ---D | C] -- C:\Documents and Settings\bhooper\Local Settings\Application Data\cqkyhkdwf
[2010/04/28 17:17:45 | 000,000,000 | ---D | C] -- C:\Documents and Settings\bhooper\Local Settings\Application Data\Windows Server
[2010/04/28 17:17:45 | 000,000,000 | ---D | C] -- C:\Documents and Settings\bhooper\Local Settings\Application Data\avG
[2010/04/28 17:17:15 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\msapps
[2010/04/28 17:17:08 | 000,000,000 | ---D | C] -- C:\Documents and Settings\bhooper\Application Data\9A7C423F80C763273AAF58614959014F
[2010/04/26 18:36:39 | 000,000,000 | ---D | C] -- C:\Documents and Settings\bhooper\Application Data\Media Player Classic
[2010/04/26 18:36:34 | 000,000,000 | ---D | C] -- C:\Program Files\MPC HomeCinema
[2009/08/03 12:05:44 | 000,155,136 | ---- | C] ( ) -- C:\WINDOWS\System32\drivers\d347bus.sys
[2009/08/03 12:05:44 | 000,005,248 | ---- | C] ( ) -- C:\WINDOWS\System32\drivers\d347prt.sys
[4 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/05/03 12:22:03 | 000,262,144 | -H-- | M] () -- C:\Documents and Settings\NetworkService\NTUSER.DAT
[2010/05/03 12:22:03 | 000,262,144 | -H-- | M] () -- C:\Documents and Settings\LocalService\NTUSER.DAT
[2010/05/03 12:22:03 | 000,004,100 | -H-- | M] () -- C:\WINDOWS\System32\fusoyeno
[2010/05/03 12:22:01 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/05/03 12:21:58 | 003,670,016 | -H-- | M] () -- C:\Documents and Settings\bhooper\NTUSER.DAT
[2010/05/03 12:21:58 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\bhooper\ntuser.ini
[2010/05/03 12:19:27 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/05/03 11:57:19 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/05/03 11:57:11 | 000,002,713 | -HS- | M] () -- C:\WINDOWS\System32\yusayena.exe
[2010/05/03 11:57:11 | 000,002,713 | -HS- | M] () -- C:\WINDOWS\System32\dusayamo.exe
[2010/04/30 22:23:00 | 000,000,438 | -H-- | M] () -- C:\WINDOWS\tasks\User_Feed_Synchronization-{231F506A-DC09-4364-9F98-EC4BD08849D0}.job
[2010/04/30 18:17:38 | 003,184,656 | -H-- | M] () -- C:\Documents and Settings\bhooper\Local Settings\Application Data\IconCache.db
[2010/04/30 18:10:37 | 000,000,980 | ---- | M] () -- C:\Documents and Settings\bhooper\Desktop\ACommander.lnk
[2010/04/30 16:58:26 | 000,024,064 | ---- | M] () -- C:\Documents and Settings\bhooper\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/04/30 15:31:01 | 000,786,432 | -H-- | M] () -- C:\Documents and Settings\Administrator\NTUSER.DAT
[2010/04/28 18:58:29 | 000,000,000 | ---- | M] () -- C:\Program Files\extra1.dat
[2010/04/28 18:34:14 | 005,918,776 | ---- | M] (Malwarebytes Corporation ) -- C:\Documents and Settings\bhooper\Desktop\mbam-setup-1.45.exe
[2010/04/28 17:21:27 | 000,060,160 | ---- | M] () -- C:\Documents and Settings\bhooper\Local Settings\Application Data\syssvc.exe
[2010/04/28 17:21:27 | 000,060,160 | ---- | M] () -- C:\Documents and Settings\bhooper\Local Settings\Application Data\asam.exe
[2010/04/28 17:18:54 | 000,002,978 | -HS- | M] () -- C:\Documents and Settings\bhooper\Local Settings\Application Data\erTd
[2010/04/28 17:17:05 | 000,159,232 | ---- | M] () -- C:\WINDOWS\Tcixea.exe
[2010/04/27 15:52:23 | 000,024,576 | ---- | M] () -- C:\Documents and Settings\bhooper\My Documents\AMEX Expense report 04 2010.xls
[2010/04/26 12:28:30 | 000,016,136 | ---- | M] () -- C:\Documents and Settings\bhooper\My Documents\ORLAND PARK SOFTBALL SCHEDULE 2010.docx
[2010/04/22 11:25:46 | 000,002,521 | ---- | M] () -- C:\Documents and Settings\bhooper\Desktop\Microsoft Office Outlook 2007.lnk
[4 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/05/03 11:57:11 | 000,002,713 | -HS- | C] () -- C:\WINDOWS\System32\yusayena.exe
[2010/05/03 11:57:11 | 000,002,713 | -HS- | C] () -- C:\WINDOWS\System32\dusayamo.exe
[2010/04/30 18:10:37 | 000,000,980 | ---- | C] () -- C:\Documents and Settings\bhooper\Desktop\ACommander.lnk
[2010/04/28 18:58:29 | 000,000,000 | ---- | C] () -- C:\Program Files\extra1.dat
[2010/04/28 17:22:27 | 000,060,160 | ---- | C] () -- C:\Documents and Settings\bhooper\Local Settings\Application Data\asam.exe
[2010/04/28 17:21:26 | 000,060,160 | ---- | C] () -- C:\Documents and Settings\bhooper\Local Settings\Application Data\syssvc.exe
[2010/04/28 17:17:18 | 000,002,978 | -HS- | C] () -- C:\Documents and Settings\bhooper\Local Settings\Application Data\erTd
[2010/04/28 17:17:10 | 000,159,232 | ---- | C] () -- C:\WINDOWS\Tcixea.exe
[2010/04/27 15:52:23 | 000,024,576 | ---- | C] () -- C:\Documents and Settings\bhooper\My Documents\AMEX Expense report 04 2010.xls
[2010/04/26 12:28:30 | 000,016,136 | ---- | C] () -- C:\Documents and Settings\bhooper\My Documents\ORLAND PARK SOFTBALL SCHEDULE 2010.docx
[2010/01/28 17:17:23 | 000,076,288 | -HS- | C] () -- C:\WINDOWS\System32\pijisebo.dll
[2009/11/05 16:46:17 | 000,024,064 | ---- | C] () -- C:\Documents and Settings\bhooper\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/10/12 11:57:04 | 000,001,058 | ---- | C] () -- C:\Documents and Settings\bhooper\XrxWm.ini
[2009/09/23 15:00:39 | 000,060,744 | ---- | C] () -- C:\Documents and Settings\bhooper\g2mdlhlpx.exe
[2009/08/05 15:50:48 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2009/08/04 16:45:49 | 000,000,426 | ---- | C] () -- C:\WINDOWS\BRWMARK.INI
[2009/08/04 11:55:48 | 000,000,178 | -HS- | C] () -- C:\Documents and Settings\bhooper\ntuser.ini
[2009/08/04 11:55:47 | 000,012,288 | -H-- | C] () -- C:\Documents and Settings\bhooper\ntuser.dat.LOG
[2009/08/04 11:55:46 | 003,670,016 | -H-- | C] () -- C:\Documents and Settings\bhooper\NTUSER.DAT
[2009/08/03 12:38:53 | 002,070,206 | ---- | C] () -- C:\Program Files\Common Files\UnifiedClientInstall.log
[2009/08/03 12:37:13 | 000,051,370 | ---- | C] () -- C:\WINDOWS\System32\lvcoinst.ini
[2009/08/03 12:06:53 | 000,001,068 | ---- | C] () -- C:\WINDOWS\wincmd.ini
[2009/08/03 12:00:29 | 000,000,178 | -HS- | C] () -- C:\Documents and Settings\Administrator.UNIFIEDCONCEPTS\ntuser.ini
[2009/08/03 12:00:28 | 001,048,576 | -H-- | C] () -- C:\Documents and Settings\Administrator.UNIFIEDCONCEPTS\NTUSER.DAT
[2009/08/03 12:00:28 | 000,008,192 | -H-- | C] () -- C:\Documents and Settings\Administrator.UNIFIEDCONCEPTS\ntuser.dat.LOG
[2009/08/03 11:23:19 | 000,020,480 | -H-- | C] () -- C:\Documents and Settings\Administrator\ntuser.dat.LOG
[2009/08/03 11:23:19 | 000,000,178 | -HS- | C] () -- C:\Documents and Settings\Administrator\ntuser.ini
[2009/08/03 11:23:18 | 000,786,432 | -H-- | C] () -- C:\Documents and Settings\Administrator\NTUSER.DAT
[2009/08/03 11:19:46 | 000,204,800 | ---- | C] () -- C:\WINDOWS\System32\igfxCoIn_v4820.dll
[2009/08/03 10:59:44 | 000,008,192 | -H-- | C] () -- C:\Documents and Settings\pc\ntuser.dat.LOG
[2009/08/03 10:59:44 | 000,000,178 | -HS- | C] () -- C:\Documents and Settings\pc\ntuser.ini
[2009/08/03 10:59:43 | 000,524,288 | -H-- | C] () -- C:\Documents and Settings\pc\NTUSER.DAT
[2009/08/03 10:58:59 | 000,262,144 | -H-- | C] () -- C:\Documents and Settings\LocalService\NTUSER.DAT
[2009/08/03 10:58:59 | 000,008,192 | -H-- | C] () -- C:\Documents and Settings\LocalService\ntuser.dat.LOG
[2009/08/03 10:58:59 | 000,000,020 | -HS- | C] () -- C:\Documents and Settings\LocalService\ntuser.ini
[2009/08/03 10:58:15 | 000,262,144 | -H-- | C] () -- C:\Documents and Settings\NetworkService\NTUSER.DAT
[2009/08/03 10:58:15 | 000,008,192 | -H-- | C] () -- C:\Documents and Settings\NetworkService\ntuser.dat.LOG
[2009/08/03 10:58:15 | 000,000,020 | -HS- | C] () -- C:\Documents and Settings\NetworkService\ntuser.ini
[2007/09/27 11:51:02 | 000,020,698 | ---- | C] () -- C:\WINDOWS\System32\idxcntrs.ini
[2007/09/27 11:48:48 | 000,030,628 | ---- | C] () -- C:\WINDOWS\System32\gsrvctr.ini
[2007/09/27 11:48:28 | 000,031,698 | ---- | C] () -- C:\WINDOWS\System32\gthrctr.ini
[2004/08/22 18:04:56 | 000,069,120 | ---- | C] () -- C:\WINDOWS\daemon.dll
[2001/08/23 07:00:00 | 000,008,832 | ---- | C] () -- C:\WINDOWS\System32\drivers\rasacd.sys

========== LOP Check ==========

[2009/08/03 12:39:20 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator.UNIFIEDCONCEPTS\Application Data\Cisco
[2009/08/03 12:50:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator.UNIFIEDCONCEPTS\Application Data\Windows Desktop Search
[2010/04/30 18:17:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\bhooper\Application Data\9A7C423F80C763273AAF58614959014F
[2010/04/30 18:10:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\bhooper\Application Data\ACommander
[2009/08/04 11:58:26 | 000,000,000 | ---D | M] -- C:\Documents and Settings\bhooper\Application Data\Cisco
[2009/08/10 17:52:40 | 000,000,000 | ---D | M] -- C:\Documents and Settings\bhooper\Application Data\OpenOffice.org
[2009/10/16 17:09:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\bhooper\Application Data\ReadNotify.com
[2009/11/24 13:45:25 | 000,000,000 | ---D | M] -- C:\Documents and Settings\bhooper\Application Data\stardevelop.com
[2009/11/03 16:58:13 | 000,000,000 | ---D | M] -- C:\Documents and Settings\bhooper\Application Data\webex
[2009/08/04 11:56:06 | 000,000,000 | ---D | M] -- C:\Documents and Settings\bhooper\Application Data\Windows Desktop Search
[2010/01/21 20:35:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\bhooper\Application Data\Windows Search
[2010/04/30 22:23:00 | 000,000,438 | -H-- | M] () -- C:\WINDOWS\Tasks\User_Feed_Synchronization-{231F506A-DC09-4364-9F98-EC4BD08849D0}.job

========== Purity Check ==========



========== Custom Scans ==========


Invalid Environment Variable: %ALLUSERSPROFILE%\Application Data\*.

Invalid Environment Variable: %ALLUSERSPROFILE%\Application Data\*.exe

Invalid Environment Variable: %APPDATA%\*.

Invalid Environment Variable: %APPDATA%\*.exe

< %SYSTEMDRIVE%\*.exe >


< MD5 for: AGP440.SYS >
[2008/04/14 00:51:44 | 020,056,462 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:AGP440.sys

< MD5 for: ATAPI.SYS >
[2008/04/14 00:51:44 | 020,056,462 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:atapi.sys
[2008/04/14 01:10:32 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\dllcache\atapi.sys
[2008/04/14 01:10:32 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\drivers\atapi.sys
[2008/04/13 19:10:32 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\ReinstallBackups\0002\DriverFiles\i386\atapi.sys
[2008/04/14 01:10:32 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\ReinstallBackups\0003\DriverFiles\i386\atapi.sys

< MD5 for: EVENTLOG.DLL >
[2008/04/14 00:41:54 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\system32\dllcache\eventlog.dll
[2008/04/14 00:41:54 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\system32\eventlog.dll

< MD5 for: NETLOGON.DLL >
[2008/04/14 00:42:02 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\system32\dllcache\netlogon.dll
[2008/04/14 00:42:02 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\system32\netlogon.dll

< MD5 for: SCECLI.DLL >
[2008/04/14 00:42:06 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\system32\dllcache\scecli.dll
[2008/04/14 00:42:06 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\system32\scecli.dll

< %systemroot%\*. /mp /s >

< %systemroot%\system32\*.dll /lockedfiles >
[2008/06/20 13:46:57 | 000,147,968 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\WINDOWS\system32\dnsapi.dll
[2009/07/19 19:48:58 | 011,067,392 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\WINDOWS\system32\ieframe.dll
[2009/07/03 13:09:24 | 001,985,536 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\WINDOWS\system32\iertutil.dll
[2008/04/14 00:42:02 | 000,274,944 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\WINDOWS\system32\mstask.dll
[2008/04/14 00:42:04 | 000,067,072 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\WINDOWS\system32\ntdsapi.dll
[2008/06/17 15:02:19 | 008,461,312 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\WINDOWS\system32\shell32.dll
[4 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp -> ]
< End of report >

Edited by hoorock89, 03 May 2010 - 06:08 PM.


#4 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:07:39 AM

Posted 03 May 2010 - 07:33 PM

Please download Combofix as I posted previously but we will run the tool through the Run command.

Disable your antivirus before running ComboFix, as it will prevent ComboFix from working.

Run ComboFix using these instructions:

Click the Windows 'Start' button > Select 'Run' - then copy/paste the following bolded text into the run box & click OK.

"%userprofile%\desktop\combo-fix.exe" /killall

When finished, it shall produce a log for you. Post that log in your next reply.


m0le is a proud member of UNITE

#5 hoorock89

hoorock89
  • Topic Starter

  • Members
  • 32 posts
  • OFFLINE
  • Local time:02:39 AM

Posted 04 May 2010 - 08:55 AM

How should I run combofix if I do not have access to my desktop or command prompt, even in safe mode? I'm currently booted off the Reatogo-x-pe disc.

#6 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:07:39 AM

Posted 04 May 2010 - 11:51 AM

Sorry, didn't know you had no command prompt as well.


I don't know if you have downloaded OTLPE or you just have REATOGO-X-PE booted.

Please follow these instructions ignoring any parts which you already have completed.


In order to resolve your problem we will need to download a program called OTLPE. This program is quite large, at 292MB, so it will take a while to download. In order to get this program set up properly, please print out these instructions so you can follow them when you are at the computer we will be working on.

First

Please download ISOBurner, which will allow you to burn the OTLPE ISO image to a CD and make it bootable. Just download and install the program and follow all the default questions.


Second
  • Download the OTLPE.iso to your computer and burn it to the CD using ISOBurner. Information on how to burn an ISO image using ISOBurner can be found here.

    NOTE: This file is 292Mb in size so it may take some time to download.

  • When the file has finished downloading, double-click on it and ISOBurner will automatically open and prompt you to burn the ISO image to a CD.

  • Once it has finished creating the CD, reboot your system using the boot CD you just created.

    Note:If you do not know how to set your computer to boot from CD, please follow the steps here.

  • When the CD has finished booting your computer, you should now see a REATOGO-X-PE desktop.

  • Double-click on the OTLPE icon that is on the desktop.

  • When asked Do you wish to load the remote registry, select Yes.

  • When asked Do you wish to load remote user profile(s) for scanning, select Yes.

  • Ensure the box Automatically Load All Remaining Users is checked and press OK.

  • OTL should now start. Change the following settings:
    • Change Drivers to Use SafeList
    • Under the Custom Scan box paste the following commands:

      /md5start
      iaStor.sys
      nvstor.sys
      atapi.sys
      nvata.sys
      iastorv.sys
      /md5stop
  • Press the Run Scan button to start the scan.

  • When finished, the OTL.txt log file will be saved in the folder C:\.

  • If you do not have an Internet connection to post the contents of the OTL.txt file, then copy this file to a USB drive.

  • Then post the contents of the OTL.txt file in your next reply.

m0le is a proud member of UNITE
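The log posted in #3 and the /md5start custom scan requested above both produce OTL entry lines in the same layout. As an added example, not code from OTL, OldTimer or anyone in this thread, here is a small Python parser that reads those lines and applies two of the checks a helper does by eye: it flags hidden+system or company-less executables in system and profile folders, and it flags a driver whose copies report different MD5 values. The entry layout and the attribute order R-H-S-D are inferred from the log lines quoted in this thread; the MD5=DEADBEEF... entry and the folder heuristics are the example's own constructions.

```python
"""Parse OTL log entries and flag the kinds of findings a helper reads for.

Added example, not part of OldTimer's OTL or of this thread. The entry layout
([date time | size | attrs | C/M] (company) [MD5=...] -- path) is inferred
from the log lines quoted in the thread; the attribute order R H S D is
inferred from entries such as "-HSD" and "R--D" and is an assumption.
"""
import re
from collections import defaultdict

# Constructed sample in the OTL layout. Most lines are copied from the thread;
# the MD5=DEADBEEF... line is a made-up mismatch added only to exercise the
# check and does not describe the poster's machine.
SAMPLE_LOG = r"""
========== Files - Modified Within 30 Days ==========

[2010/05/03 11:57:11 | 000,002,713 | -HS- | M] () -- C:\WINDOWS\System32\yusayena.exe
[2010/04/28 17:21:27 | 000,060,160 | ---- | M] () -- C:\Documents and Settings\bhooper\Local Settings\Application Data\asam.exe
[2010/04/28 18:34:14 | 005,918,776 | ---- | M] (Malwarebytes Corporation ) -- C:\Documents and Settings\bhooper\Desktop\mbam-setup-1.45.exe
[2010/01/28 17:17:23 | 000,076,288 | -HS- | C] () -- C:\WINDOWS\System32\pijisebo.dll
[2010/04/30 18:10:15 | 000,000,000 | ---D | C] -- C:\Program Files\AKM Antivirus 2010 Pro

< MD5 for: ATAPI.SYS >
[2008/04/14 00:51:44 | 020,056,462 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:atapi.sys
[2008/04/14 01:10:32 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\dllcache\atapi.sys
[2008/04/14 01:10:32 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=DEADBEEFDEADBEEFDEADBEEFDEADBEEF -- C:\WINDOWS\system32\drivers\atapi.sys
"""

# One OTL entry: [timestamp | size | attrs | C or M] optional (company),
# optional trailer such as "MD5=..." or ".cab file", then " -- " and the path.
ENTRY_RE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| (?P<size>[\d,]+) \| "
    r"(?P<attrs>[-A-Z]{4}) \| (?P<kind>[CM])\]"
    r"(?: \((?P<company>[^)]*)\))?(?P<extra>.*?) -- (?P<path>.+)$"
)
MD5_RE = re.compile(r"MD5=([0-9A-Fa-f]{32})")
EXEC_EXT = (".exe", ".dll", ".sys")
# Folders where an executable with no company name deserves a second look
# (heuristic chosen for this example, not an OTL rule).
WATCH_FOLDERS = ("\\windows\\", "\\application data\\", "\\temp\\")


def parse_entries(text):
    """Return one dict per OTL entry line; headers and blank lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        attrs = m["attrs"]  # assumed order: R H S D
        md5 = MD5_RE.search(m["extra"] or "")
        entries.append({
            "ts": m["ts"],
            "size": int(m["size"].replace(",", "")),
            "hidden": attrs[1] == "H",
            "system": attrs[2] == "S",
            "is_dir": attrs[3] == "D",
            "kind": m["kind"],  # C = created, M = modified
            "company": (m["company"] or "").strip(),
            "md5": md5.group(1).upper() if md5 else None,
            "path": m["path"],
        })
    return entries


def flag_suspicious(entries):
    """Return (path, reason) pairs for executables worth a closer look."""
    findings = []
    for e in entries:
        low = e["path"].lower()
        if e["is_dir"] or not low.endswith(EXEC_EXT) or ".cab:" in low:
            continue  # directories and members of a driver .cab are not judged here
        if e["hidden"] and e["system"]:
            findings.append((e["path"], "hidden+system executable"))
        elif not e["company"] and any(f in low for f in WATCH_FOLDERS):
            findings.append((e["path"], "no company name in a system or profile folder"))
    return findings


def md5_mismatches(entries):
    """Group MD5 lines by file name; more than one hash across copies is a red flag."""
    by_name = defaultdict(set)
    for e in entries:
        if e["md5"]:
            by_name[e["path"].rsplit("\\", 1)[-1].lower()].add(e["md5"])
    return {name: hashes for name, hashes in by_name.items() if len(hashes) > 1}


if __name__ == "__main__":
    parsed = parse_entries(SAMPLE_LOG)
    for path, reason in flag_suspicious(parsed):
        print(f"{reason}: {path}")
    for name, hashes in md5_mismatches(parsed).items():
        print(f"{name}: {len(hashes)} different MD5 values across copies: {sorted(hashes)}")
```

A differing hash between the dllcache, drivers and ReinstallBackups copies of the same driver is exactly what the /md5start list is meant to surface; a real log, like the one in post #3, should show identical values.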

#7 hoorock89

hoorock89
  • Topic Starter

  • Members
  • 32 posts
  • OFFLINE
  • Local time:02:39 AM

Posted 04 May 2010 - 12:11 PM

OK...attached are the contents of the OTL Scan.

OTL logfile created on: 5/4/2010 2:06:49 PM - Run
OTLPE by OldTimer - Version 3.1.38.0 Folder = X:\Programs\OTLPE
Microsoft Windows XP Service Pack 3 (Version = 5.1.2600) - Type = SYSTEM
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 87.00% Memory free
2.00 Gb Paging File | 2.00 Gb Available in Paging File | 96.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 97.66 Gb Total Space | 86.37 Gb Free Space | 88.43% Space Free | Partition Type: NTFS
Drive D: | 200.43 Gb Total Space | 196.86 Gb Free Space | 98.22% Space Free | Partition Type: NTFS
Drive E: | 983.22 Mb Total Space | 497.17 Mb Free Space | 50.57% Space Free | Partition Type: FAT
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded
Drive X: | 429.27 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS

Computer Name: REATOGO
Current User Name: SYSTEM
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard
Using ControlSet: ControlSet002

========== Win32 Services (SafeList) ==========

SRV - File not found [Auto] -- -- (COMServer)
SRV - [2009/08/06 13:23:13 | 000,654,848 | ---- | M] (Macrovision Europe Ltd.) [On_Demand] -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand] -- -- (WDICA)
DRV - File not found [Kernel | On_Demand] -- -- (PDRFRAME)
DRV - File not found [Kernel | On_Demand] -- -- (PDRELI)
DRV - File not found [Kernel | On_Demand] -- -- (PDFRAME)
DRV - File not found [Kernel | On_Demand] -- -- (PDCOMP)
DRV - File not found [Kernel | System] -- -- (PCIDump)
DRV - File not found [Kernel | System] -- -- (lbrtfdc)
DRV - File not found [Kernel | System] -- -- (i2omgmt)
DRV - File not found [Kernel | Boot] -- -- (dgvbo)
DRV - File not found [Kernel | System] -- -- (Changer)
DRV - [2010/04/27 18:30:10 | 000,061,440 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System] -- C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS -- (SASKUTIL)
DRV - [2010/02/17 12:25:50 | 000,012,872 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System] -- C:\Program Files\SUPERAntiSpyware\sasdifsv.sys -- (SASDIFSV)
DRV - [2008/09/02 18:08:28 | 004,812,288 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\RtkHDAud.sys -- (IntcAzAudAddService) Service for Realtek HD Audio (WDM)
DRV - [2008/04/14 01:15:14 | 000,060,032 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\USBAUDIO.sys -- (usbaudio) USB Audio Driver (WDM)
DRV - [2008/04/13 17:06:06 | 000,144,384 | ---- | M] (Windows ® Server 2003 DDK provider) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\hdaudbus.sys -- (HDAudBus)
DRV - [2007/12/05 19:54:42 | 000,020,400 | ---- | M] (Cisco Systems) [Kernel | Auto] -- C:\WINDOWS\system32\drivers\Ndiscdp.sys -- (Ndiscdp)
DRV - [2007/05/09 17:28:26 | 000,041,504 | ---- | M] (Logitech Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\LVUSBSta.sys -- (LVUSBSta)
DRV - [2007/05/09 17:22:32 | 001,075,360 | ---- | M] (Logitech Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\Camdrl.sys -- (CamDrL) Logitech QuickCam Pro 3000(CamDrl)
DRV - [2007/04/16 22:16:26 | 005,760,096 | ---- | M] (Intel Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\igxpmp32.sys -- (ialm)
DRV - [2007/04/13 21:33:34 | 000,254,872 | ---- | M] (Intel Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\e1e5132.sys -- (e1express) Intel®
DRV - [2004/08/22 17:31:48 | 000,005,248 | ---- | M] ( ) [Kernel | Boot] -- C:\WINDOWS\system32\drivers\d347prt.sys -- (d347prt)
DRV - [2004/08/22 17:31:10 | 000,155,136 | ---- | M] ( ) [Kernel | Boot] -- C:\WINDOWS\system32\drivers\d347bus.sys -- (d347bus)
DRV - [2001/08/23 07:00:00 | 000,008,832 | ---- | M] () [Kernel | System] -- C:\WINDOWS\system32\drivers\rasacd.sys -- (RasAcd)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========



IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\Administrator.UNIFIEDCONCEPTS_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/
IE - HKU\Administrator.UNIFIEDCONCEPTS_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
IE - HKU\Administrator.UNIFIEDCONCEPTS_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = C0 96 D5 9E 59 14 CA 01 [binary data]
IE - HKU\Administrator.UNIFIEDCONCEPTS_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\Administrator_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\bhooper_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/
IE - HKU\bhooper_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
IE - HKU\bhooper_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = C9 F7 CD 8C C3 D5 CA 01 [binary data]
IE - HKU\bhooper_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
IE - HKU\bhooper_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>
IE - HKU\bhooper_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:5555



IE - HKU\pc_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

FF - HKLM\software\mozilla\Mozilla Firefox 3.6.3\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/04/30 16:51:18 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.3\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/04/05 11:07:34 | 000,000,000 | ---D | M]

[2010/04/27 12:43:24 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2009/09/08 12:24:02 | 000,028,488 | ---- | M] (WebEx Communications, Inc) -- C:\Program Files\Mozilla Firefox\plugins\atgpcdec.dll
[2009/09/08 12:24:02 | 000,185,232 | ---- | M] (WebEx Communications, Inc) -- C:\Program Files\Mozilla Firefox\plugins\atgpcext.dll
[2009/11/03 16:57:58 | 000,046,408 | ---- | M] () -- C:\Program Files\Mozilla Firefox\plugins\atmccli.dll
[2009/11/03 16:58:00 | 000,099,216 | ---- | M] (WebEx Communications, Inc) -- C:\Program Files\Mozilla Firefox\plugins\ieatgpc.dll
[2009/09/08 12:24:01 | 000,061,840 | ---- | M] (WebEx Communications, Inc) -- C:\Program Files\Mozilla Firefox\plugins\npatgpc.dll

O1 HOSTS File: ([2007/08/11 02:58:33 | 000,000,768 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 127.0.0.1 mpa.one.microsoft.com
O2 - BHO: (no name) - {c8cc92c5-1a60-4916-8247-acd38dc2cf55} - File not found
O3 - HKLM\..\Toolbar: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKU\bhooper_ON_C\..\Toolbar\WebBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O4 - HKLM..\Run: [] File not found
O4 - HKLM..\Run: [Acrobat Assistant 8.0] C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe (Adobe Systems Inc.)
O4 - HKLM..\Run: [Alcmtr] C:\WINDOWS\ALCMTR.EXE (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [asam] C:\Documents and Settings\bhooper\Local Settings\Application Data\asam.exe ()
O4 - HKLM..\Run: [DAEMON Tools-1033] D:\D-Tools\daemon.exe (DAEMON'S HOME)
O4 - HKLM..\Run: [klxmhmqu] C:\Documents and Settings\bhooper\Local Settings\Application Data\cqkyhkdwf\fwbqqlbtssd.exe ()
O4 - HKLM..\Run: [RNmail] C:\Program Files\RNmail\rn.exe (ReadNotify.com Limited)
O4 - HKLM..\Run: [tunoyaseji] File not found
O4 - HKU\bhooper_ON_C..\Run: [ccagent.exe] C:\Documents and Settings\bhooper\Application Data\ACommander\ccagent.exe ()
O4 - HKU\bhooper_ON_C..\Run: [Cisco Unified Personal Communicator] C:\Program Files\Cisco Systems\Cisco Unified Personal Communicator\CUPCK9.EXE (Cisco Systems, Inc.)
O4 - HKU\bhooper_ON_C..\Run: [klxmhmqu] C:\Documents and Settings\bhooper\Local Settings\Application Data\cqkyhkdwf\fwbqqlbtssd.exe ()
O4 - HKU\bhooper_ON_C..\Run: [sysmon64x.exe] C:\Documents and Settings\bhooper\Local Settings\Temp\sysmon64x.exe (Microsoft Corporation)
O4 - HKU\LocalService_ON_C..\Run: [tunoyaseji] File not found
O4 - HKU\NetworkService_ON_C..\Run: [tunoyaseji] File not found
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Cisco Unified Video Advantage.lnk = C:\Program Files\Cisco Systems\Cisco Unified Video Advantage\VideoAdvantage.exe (Cisco Systems Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe (Microsoft Corporation)
O4 - Startup: C:\Documents and Settings\bhooper\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE (Microsoft Corporation)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Main present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableTaskMgr = 1
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\Administrator.UNIFIEDCONCEPTS_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\Administrator_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\bhooper_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\bhooper_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableTaskMgr = 1
O7 - HKU\LocalService_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\NetworkService_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\pc_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O9 - Extra Button: Active Tracker - {217CCFE3-21DE-4559-B11A-BC8840EB15DD} - C:\Program Files\RNmail\RN_IE_Add_On.dll ()
O9 - Extra 'Tools' menuitem : Active Tracker... - {217CCFE3-21DE-4559-B11A-BC8840EB15DD} - C:\Program Files\RNmail\RN_IE_Add_On.dll ()
O9 - Extra Button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} http://support.dell.com/systemprofiler/SysPro.CAB (SysProWmi Class)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.microsoft.com/windowsupdate/...b?1249313118671 (WUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_13)
O16 - DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_13)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_13)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab (Shockwave Flash Object)
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} https://ciscosales.webex.com/client/T27L10N...ent/ieatgpc.cab (GpcContainer Class)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = UnifiedConcepts.com
O18 - Protocol\Handler\grooveLocalGWS {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll (Microsoft Corporation)
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)
O20 - AppInit_DLLs: (pijisebo.dll) - C:\WINDOWS\System32\pijisebo.dll ()
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKU\.DEFAULT Winlogon: Shell - (C:\Documents and Settings\bhooper\Application Data\ACommander\ccmain.exe) - C:\Documents and Settings\bhooper\Application Data\ACommander\ccmain.exe ()
O20 - HKU\bhooper_ON_C Winlogon: Shell - (C:\Documents and Settings\bhooper\Application Data\ACommander\ccmain.exe) - C:\Documents and Settings\bhooper\Application Data\ACommander\ccmain.exe ()
O20 - Winlogon\Notify\!SASWinLogon: DllName - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll (SUPERAntiSpyware.com)
O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\WINDOWS\System32\igfxdev.dll (Intel Corporation)
O24 - Desktop WallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
O24 - Desktop BackupWallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
O28 - HKLM ShellExecuteHooks: {56F9679E-7826-4C84-81F3-532071A8BCC5} - C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll (Microsoft Corporation)
O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)
O28 - HKLM ShellExecuteHooks: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/08/03 10:56:11 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2006/07/12 23:38:18 | 000,000,090 | ---- | M] () - E:\AUTORUN.INF -- [ FAT ]
O32 - AutoRun File - [2006/03/24 07:06:41 | 000,000,053 | R--- | M] () - X:\AUTORUN.INF -- [ CDFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010/05/01 01:12:43 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\LocalService\IETldCache
[2010/04/30 22:36:39 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Macromedia
[2010/04/30 22:36:20 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Adobe
[2010/04/30 18:14:56 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia
[2010/04/30 18:14:54 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Adobe
[2010/04/30 18:10:15 | 000,000,000 | ---D | C] -- C:\Program Files\AKM Antivirus 2010 Pro
[2010/04/30 17:46:57 | 000,000,000 | ---D | C] -- C:\Documents and Settings\bhooper\Application Data\SUPERAntiSpyware.com
[2010/04/30 17:46:57 | 000,000,000 | ---D | C] -- C:\Program Files\SUPERAntiSpyware
[2010/04/30 17:45:58 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Wise Installation Wizard
[2010/04/30 16:35:42 | 000,000,000 | ---D | C] -- C:\Program Files\MalwareBytes
[2010/04/30 16:32:58 | 000,000,000 | -HSD | C] -- C:\WINDOWS\system32\config\systemprofile\PrivacIE
[2010/04/30 16:32:58 | 000,000,000 | -HSD | C] -- C:\WINDOWS\system32\config\systemprofile\IETldCache
[2010/04/30 13:31:29 | 000,000,000 | ---D | C] -- C:\_OTL
[2010/04/30 12:20:09 | 000,000,000 | ---D | C] -- C:\Malwarebytes' Anti-Malware
[2010/04/28 19:18:58 | 000,000,000 | ---D | C] -- C:\Program Files\MBAM
[2010/04/28 19:02:11 | 000,000,000 | ---D | C] -- C:\Documents and Settings\bhooper\Application Data\Malwarebytes
[2010/04/28 19:02:05 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/04/28 19:02:00 | 000,020,824 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/04/28 18:36:32 | 005,918,776 | ---- | C] (Malwarebytes Corporation ) -- C:\Documents and Settings\bhooper\Desktop\mbam-setup-1.45.exe
[2010/04/28 18:35:04 | 000,000,000 | R--D | C] -- C:\Documents and Settings\LocalService\Favorites
[2010/04/28 18:35:01 | 000,000,000 | ---D | C] -- C:\Program Files\scdata
[2010/04/28 18:23:12 | 000,000,000 | ---D | C] -- C:\Documents and Settings\bhooper\Application Data\ACommander
[2010/04/28 17:19:05 | 000,000,000 | ---D | C] -- C:\Documents and Settings\bhooper\Local Settings\Application Data\cqkyhkdwf
[2010/04/28 17:17:45 | 000,000,000 | ---D | C] -- C:\Documents and Settings\bhooper\Local Settings\Application Data\Windows Server
[2010/04/28 17:17:45 | 000,000,000 | ---D | C] -- C:\Documents and Settings\bhooper\Local Settings\Application Data\avG
[2010/04/28 17:17:15 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\msapps
[2010/04/28 17:17:08 | 000,000,000 | ---D | C] -- C:\Documents and Settings\bhooper\Application Data\9A7C423F80C763273AAF58614959014F
[2010/04/26 18:36:39 | 000,000,000 | ---D | C] -- C:\Documents and Settings\bhooper\Application Data\Media Player Classic
[2010/04/26 18:36:34 | 000,000,000 | ---D | C] -- C:\Program Files\MPC HomeCinema
[2009/08/03 12:05:44 | 000,155,136 | ---- | C] ( ) -- C:\WINDOWS\System32\drivers\d347bus.sys
[2009/08/03 12:05:44 | 000,005,248 | ---- | C] ( ) -- C:\WINDOWS\System32\drivers\d347prt.sys
[4 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/05/04 10:19:25 | 000,262,144 | -H-- | M] () -- C:\Documents and Settings\NetworkService\NTUSER.DAT
[2010/05/04 10:19:25 | 000,262,144 | -H-- | M] () -- C:\Documents and Settings\LocalService\NTUSER.DAT
[2010/05/04 10:19:24 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/05/04 10:19:22 | 003,670,016 | -H-- | M] () -- C:\Documents and Settings\bhooper\NTUSER.DAT
[2010/05/04 10:19:22 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/05/04 10:19:20 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\bhooper\ntuser.ini
[2010/05/04 10:18:58 | 000,004,100 | -H-- | M] () -- C:\WINDOWS\System32\fusoyeno
[2010/05/04 10:18:38 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/05/03 11:57:11 | 000,002,713 | -HS- | M] () -- C:\WINDOWS\System32\yusayena.exe
[2010/05/03 11:57:11 | 000,002,713 | -HS- | M] () -- C:\WINDOWS\System32\dusayamo.exe
[2010/04/30 22:23:00 | 000,000,438 | -H-- | M] () -- C:\WINDOWS\tasks\User_Feed_Synchronization-{231F506A-DC09-4364-9F98-EC4BD08849D0}.job
[2010/04/30 18:17:38 | 003,184,656 | -H-- | M] () -- C:\Documents and Settings\bhooper\Local Settings\Application Data\IconCache.db
[2010/04/30 18:10:37 | 000,000,980 | ---- | M] () -- C:\Documents and Settings\bhooper\Desktop\ACommander.lnk
[2010/04/30 16:58:26 | 000,024,064 | ---- | M] () -- C:\Documents and Settings\bhooper\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/04/30 15:31:01 | 000,786,432 | -H-- | M] () -- C:\Documents and Settings\Administrator\NTUSER.DAT
[2010/04/28 18:58:29 | 000,000,000 | ---- | M] () -- C:\Program Files\extra1.dat
[2010/04/28 18:34:14 | 005,918,776 | ---- | M] (Malwarebytes Corporation ) -- C:\Documents and Settings\bhooper\Desktop\mbam-setup-1.45.exe
[2010/04/28 17:21:27 | 000,060,160 | ---- | M] () -- C:\Documents and Settings\bhooper\Local Settings\Application Data\syssvc.exe
[2010/04/28 17:21:27 | 000,060,160 | ---- | M] () -- C:\Documents and Settings\bhooper\Local Settings\Application Data\asam.exe
[2010/04/28 17:18:54 | 000,002,978 | -HS- | M] () -- C:\Documents and Settings\bhooper\Local Settings\Application Data\erTd
[2010/04/28 17:17:05 | 000,159,232 | ---- | M] () -- C:\WINDOWS\Tcixea.exe
[2010/04/27 15:52:23 | 000,024,576 | ---- | M] () -- C:\Documents and Settings\bhooper\My Documents\AMEX Expense report 04 2010.xls
[2010/04/26 12:28:30 | 000,016,136 | ---- | M] () -- C:\Documents and Settings\bhooper\My Documents\ORLAND PARK SOFTBALL SCHEDULE 2010.docx
[2010/04/22 11:25:46 | 000,002,521 | ---- | M] () -- C:\Documents and Settings\bhooper\Desktop\Microsoft Office Outlook 2007.lnk
[4 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/05/03 11:57:11 | 000,002,713 | -HS- | C] () -- C:\WINDOWS\System32\yusayena.exe
[2010/05/03 11:57:11 | 000,002,713 | -HS- | C] () -- C:\WINDOWS\System32\dusayamo.exe
[2010/04/30 18:10:37 | 000,000,980 | ---- | C] () -- C:\Documents and Settings\bhooper\Desktop\ACommander.lnk
[2010/04/28 18:58:29 | 000,000,000 | ---- | C] () -- C:\Program Files\extra1.dat
[2010/04/28 17:22:27 | 000,060,160 | ---- | C] () -- C:\Documents and Settings\bhooper\Local Settings\Application Data\asam.exe
[2010/04/28 17:21:26 | 000,060,160 | ---- | C] () -- C:\Documents and Settings\bhooper\Local Settings\Application Data\syssvc.exe
[2010/04/28 17:17:18 | 000,002,978 | -HS- | C] () -- C:\Documents and Settings\bhooper\Local Settings\Application Data\erTd
[2010/04/28 17:17:10 | 000,159,232 | ---- | C] () -- C:\WINDOWS\Tcixea.exe
[2010/04/27 15:52:23 | 000,024,576 | ---- | C] () -- C:\Documents and Settings\bhooper\My Documents\AMEX Expense report 04 2010.xls
[2010/04/26 12:28:30 | 000,016,136 | ---- | C] () -- C:\Documents and Settings\bhooper\My Documents\ORLAND PARK SOFTBALL SCHEDULE 2010.docx
[2010/01/28 17:17:23 | 000,076,288 | -HS- | C] () -- C:\WINDOWS\System32\pijisebo.dll
[2009/11/05 16:46:17 | 000,024,064 | ---- | C] () -- C:\Documents and Settings\bhooper\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/10/12 11:57:04 | 000,001,058 | ---- | C] () -- C:\Documents and Settings\bhooper\XrxWm.ini
[2009/09/23 15:00:39 | 000,060,744 | ---- | C] () -- C:\Documents and Settings\bhooper\g2mdlhlpx.exe
[2009/08/05 15:50:48 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2009/08/04 16:45:49 | 000,000,426 | ---- | C] () -- C:\WINDOWS\BRWMARK.INI
[2009/08/04 11:55:48 | 000,000,178 | -HS- | C] () -- C:\Documents and Settings\bhooper\ntuser.ini
[2009/08/04 11:55:47 | 000,012,288 | -H-- | C] () -- C:\Documents and Settings\bhooper\ntuser.dat.LOG
[2009/08/04 11:55:46 | 003,670,016 | -H-- | C] () -- C:\Documents and Settings\bhooper\NTUSER.DAT
[2009/08/03 12:38:53 | 002,070,206 | ---- | C] () -- C:\Program Files\Common Files\UnifiedClientInstall.log
[2009/08/03 12:37:13 | 000,051,370 | ---- | C] () -- C:\WINDOWS\System32\lvcoinst.ini
[2009/08/03 12:06:53 | 000,001,068 | ---- | C] () -- C:\WINDOWS\wincmd.ini
[2009/08/03 12:00:29 | 000,000,178 | -HS- | C] () -- C:\Documents and Settings\Administrator.UNIFIEDCONCEPTS\ntuser.ini
[2009/08/03 12:00:28 | 001,048,576 | -H-- | C] () -- C:\Documents and Settings\Administrator.UNIFIEDCONCEPTS\NTUSER.DAT
[2009/08/03 12:00:28 | 000,008,192 | -H-- | C] () -- C:\Documents and Settings\Administrator.UNIFIEDCONCEPTS\ntuser.dat.LOG
[2009/08/03 11:23:19 | 000,020,480 | -H-- | C] () -- C:\Documents and Settings\Administrator\ntuser.dat.LOG
[2009/08/03 11:23:19 | 000,000,178 | -HS- | C] () -- C:\Documents and Settings\Administrator\ntuser.ini
[2009/08/03 11:23:18 | 000,786,432 | -H-- | C] () -- C:\Documents and Settings\Administrator\NTUSER.DAT
[2009/08/03 11:19:46 | 000,204,800 | ---- | C] () -- C:\WINDOWS\System32\igfxCoIn_v4820.dll
[2009/08/03 10:59:44 | 000,008,192 | -H-- | C] () -- C:\Documents and Settings\pc\ntuser.dat.LOG
[2009/08/03 10:59:44 | 000,000,178 | -HS- | C] () -- C:\Documents and Settings\pc\ntuser.ini
[2009/08/03 10:59:43 | 000,524,288 | -H-- | C] () -- C:\Documents and Settings\pc\NTUSER.DAT
[2009/08/03 10:58:59 | 000,262,144 | -H-- | C] () -- C:\Documents and Settings\LocalService\NTUSER.DAT
[2009/08/03 10:58:59 | 000,008,192 | -H-- | C] () -- C:\Documents and Settings\LocalService\ntuser.dat.LOG
[2009/08/03 10:58:59 | 000,000,020 | -HS- | C] () -- C:\Documents and Settings\LocalService\ntuser.ini
[2009/08/03 10:58:15 | 000,262,144 | -H-- | C] () -- C:\Documents and Settings\NetworkService\NTUSER.DAT
[2009/08/03 10:58:15 | 000,008,192 | -H-- | C] () -- C:\Documents and Settings\NetworkService\ntuser.dat.LOG
[2009/08/03 10:58:15 | 000,000,020 | -HS- | C] () -- C:\Documents and Settings\NetworkService\ntuser.ini
[2007/09/27 11:51:02 | 000,020,698 | ---- | C] () -- C:\WINDOWS\System32\idxcntrs.ini
[2007/09/27 11:48:48 | 000,030,628 | ---- | C] () -- C:\WINDOWS\System32\gsrvctr.ini
[2007/09/27 11:48:28 | 000,031,698 | ---- | C] () -- C:\WINDOWS\System32\gthrctr.ini
[2004/08/22 18:04:56 | 000,069,120 | ---- | C] () -- C:\WINDOWS\daemon.dll
[2001/08/23 07:00:00 | 000,008,832 | ---- | C] () -- C:\WINDOWS\System32\drivers\rasacd.sys

========== LOP Check ==========

[2009/08/03 12:39:20 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator.UNIFIEDCONCEPTS\Application Data\Cisco
[2009/08/03 12:50:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator.UNIFIEDCONCEPTS\Application Data\Windows Desktop Search
[2010/04/30 18:17:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\bhooper\Application Data\9A7C423F80C763273AAF58614959014F
[2010/04/30 18:10:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\bhooper\Application Data\ACommander
[2009/08/04 11:58:26 | 000,000,000 | ---D | M] -- C:\Documents and Settings\bhooper\Application Data\Cisco
[2009/08/10 17:52:40 | 000,000,000 | ---D | M] -- C:\Documents and Settings\bhooper\Application Data\OpenOffice.org
[2009/10/16 17:09:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\bhooper\Application Data\ReadNotify.com
[2009/11/24 13:45:25 | 000,000,000 | ---D | M] -- C:\Documents and Settings\bhooper\Application Data\stardevelop.com
[2009/11/03 16:58:13 | 000,000,000 | ---D | M] -- C:\Documents and Settings\bhooper\Application Data\webex
[2009/08/04 11:56:06 | 000,000,000 | ---D | M] -- C:\Documents and Settings\bhooper\Application Data\Windows Desktop Search
[2010/01/21 20:35:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\bhooper\Application Data\Windows Search
[2010/04/30 22:23:00 | 000,000,438 | -H-- | M] () -- C:\WINDOWS\Tasks\User_Feed_Synchronization-{231F506A-DC09-4364-9F98-EC4BD08849D0}.job

========== Purity Check ==========



========== Custom Scans ==========



< MD5 for: ATAPI.SYS >
[2008/04/14 00:51:44 | 020,056,462 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:atapi.sys
[2008/04/14 01:10:32 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\dllcache\atapi.sys
[2008/04/14 01:10:32 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\drivers\atapi.sys
[2008/04/13 19:10:32 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\ReinstallBackups\0002\DriverFiles\i386\atapi.sys
[2008/04/14 01:10:32 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\ReinstallBackups\0003\DriverFiles\i386\atapi.sys
< End of report >


#8 m0le

Posted 04 May 2010 - 04:05 PM

Okay, from a clean computer, copy and paste the contents of the following codebox into a Notepad file. Do not include the word "Code".

CODE
:OTL
O4 - HKLM..\Run: [klxmhmqu] C:\Documents and Settings\bhooper\Local Settings\Application Data\cqkyhkdwf\fwbqqlbtssd.exe
O4 - HKLM..\Run: [tunoyaseji] File not found
O4 - HKU\bhooper_ON_C..\Run: [klxmhmqu] C:\Documents and Settings\bhooper\Local Settings\Application Data\cqkyhkdwf\fwbqqlbtssd.exe
O4 - HKU\LocalService_ON_C..\Run: [tunoyaseji] File not found
O4 - HKLM..\Run: [asam] C:\Documents and Settings\bhooper\Local Settings\Application Data\asam.exe
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableTaskMgr = 1
O7 - HKU\bhooper_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableTaskMgr = 1
O20 - AppInit_DLLs: (pijisebo.dll) - C:\WINDOWS\System32\pijisebo.dll
O20 - HKU\.DEFAULT Winlogon: Shell - (C:\Documents and Settings\bhooper\Application Data\ACommander\ccmain.exe) - C:\Documents and Settings\bhooper\Application Data\ACommander\ccmain.exe
O20 - HKU\bhooper_ON_C Winlogon: Shell - (C:\Documents and Settings\bhooper\Application Data\ACommander\ccmain.exe) - C:\Documents and Settings\bhooper\Application Data\ACommander\ccmain.exe

:Files
C:\Program Files\AKM Antivirus 2010 Pro
C:\Documents and Settings\bhooper\Local Settings\Application Data\cqkyhkdwf
C:\Documents and Settings\bhooper\Application Data\ACommander
C:\WINDOWS\System32\fusoyeno
C:\WINDOWS\System32\yusayena.exe
C:\WINDOWS\System32\dusayamo.exe
C:\Documents and Settings\bhooper\Desktop\ACommander.lnk
C:\Documents and Settings\bhooper\Local Settings\Application Data\syssvc.exe
C:\Documents and Settings\bhooper\Local Settings\Application Data\asam.exe
C:\Documents and Settings\bhooper\Local Settings\Application Data\erTd

:reg
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000000


NOTICE: This file was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

Locate fixit.reg on your Desktop and double-click on it.
You will receive a prompt similar to: "Do you wish to merge the information into the registry?".
Answer "Yes" and wait for a message to appear similar to "Merged Successfully".

Please reply back letting me know if it merged correctly.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command]
""=""%1" %*"
[/code]

Save this notepad file to your flash drive, and move the flash drive over to your infected machine. Boot the machine using the OTLPE disk you created earlier.

From the OTLPE Environment
  • Please reopen OTLPE on your desktop.
  • Copy and Paste the contents of the notepad file saved to your Flash Drive into the textbox.
  • Push Run Fix
  • When the fix is complete a report will open. Use a Flash drive to move the report over to your clean computer and Copy and Paste that report in your next reply.

At this point, please reboot your infected machine and attempt to boot into normal Windows. Do you get a desktop? Is Task Manager available?
m0le is a proud member of UNITE

#9 hoorock89

Posted 04 May 2010 - 04:42 PM

m0le...I was not able to locate the fixit.reg file on my pc. I searched everything and came up with 4 other files (see word doc attachment). Is there something I'm missing or an easier way to find/download the file you specified?

hoorock

Attached Files


Edited by hoorock89, 04 May 2010 - 04:42 PM.


#10 m0le

Posted 04 May 2010 - 06:38 PM

I apologise, hoorock, somehow some text was added into the last post which shouldn't have been.

Try the edited version below.

----------------------------------------------------------------------

From a clean computer, copy and paste the contents of the following codebox into a Notepad file. Do not include the word "Code".

CODE
:OTL
O4 - HKLM..\Run: [klxmhmqu] C:\Documents and Settings\bhooper\Local Settings\Application Data\cqkyhkdwf\fwbqqlbtssd.exe
O4 - HKLM..\Run: [tunoyaseji] File not found
O4 - HKU\bhooper_ON_C..\Run: [klxmhmqu] C:\Documents and Settings\bhooper\Local Settings\Application Data\cqkyhkdwf\fwbqqlbtssd.exe
O4 - HKU\LocalService_ON_C..\Run: [tunoyaseji] File not found
O4 - HKLM..\Run: [asam] C:\Documents and Settings\bhooper\Local Settings\Application Data\asam.exe
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableTaskMgr = 1
O7 - HKU\bhooper_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableTaskMgr = 1
O20 - AppInit_DLLs: (pijisebo.dll) - C:\WINDOWS\System32\pijisebo.dll
O20 - HKU\.DEFAULT Winlogon: Shell - (C:\Documents and Settings\bhooper\Application Data\ACommander\ccmain.exe) - C:\Documents and Settings\bhooper\Application Data\ACommander\ccmain.exe
O20 - HKU\bhooper_ON_C Winlogon: Shell - (C:\Documents and Settings\bhooper\Application Data\ACommander\ccmain.exe) - C:\Documents and Settings\bhooper\Application Data\ACommander\ccmain.exe

:Files
C:\Program Files\AKM Antivirus 2010 Pro
C:\Documents and Settings\bhooper\Local Settings\Application Data\cqkyhkdwf
C:\Documents and Settings\bhooper\Application Data\ACommander
C:\WINDOWS\System32\fusoyeno
C:\WINDOWS\System32\yusayena.exe
C:\WINDOWS\System32\dusayamo.exe
C:\Documents and Settings\bhooper\Desktop\ACommander.lnk
C:\Documents and Settings\bhooper\Local Settings\Application Data\syssvc.exe
C:\Documents and Settings\bhooper\Local Settings\Application Data\asam.exe
C:\Documents and Settings\bhooper\Local Settings\Application Data\erTd

:reg
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000000



Save this notepad file to your flash drive, and move the flash drive over to your infected machine. Boot the machine using the OTLPE disk you created earlier.

From the OTLPE Environment
  • Please reopen OTLPE on your desktop.
  • Copy and Paste the contents of the notepad file saved to your Flash Drive into the textbox.
  • Push Run Fix
  • When the fix is complete a report will open. Use a Flash drive to move the report over to your clean computer and Copy and Paste that report in your next reply.
At this point, please reboot your infected machine and attempt to boot into normal Windows. Do you get a desktop? Is Task Manager available?

Again, apologies for that error.

Edited by m0le, 04 May 2010 - 06:38 PM.

m0le is a proud member of UNITE
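An added example, not part of the thread or of OTL itself: a small Python scanner that applies the same checks the fix above encodes (Run entries launched from a user-profile data folder or pointing at a missing file, a DisableTaskMgr policy, any AppInit_DLLs entry, and a Winlogon Shell other than explorer.exe) to OTL-style report lines, and builds the :OTL section an analyst would paste into OTL. The line patterns and the two benign control lines (jusched, the HKLM Shell) are assumptions written from the entries shown in this thread.

```python
import re

# Constructed sample in OTL's report format: the flagged lines are the entries from
# the fix above; the jusched and HKLM Shell lines are constructed benign controls.
SAMPLE_LOG = r"""
O4 - HKLM..\Run: [klxmhmqu] C:\Documents and Settings\bhooper\Local Settings\Application Data\cqkyhkdwf\fwbqqlbtssd.exe
O4 - HKLM..\Run: [tunoyaseji] File not found
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre6\bin\jusched.exe (Sun Microsystems, Inc.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableTaskMgr = 1
O20 - AppInit_DLLs: (pijisebo.dll) - C:\WINDOWS\System32\pijisebo.dll
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKU\bhooper_ON_C Winlogon: Shell - (C:\Documents and Settings\bhooper\Application Data\ACommander\ccmain.exe) - C:\Documents and Settings\bhooper\Application Data\ACommander\ccmain.exe
"""

# Line patterns written from the report lines in this thread (an assumption, not OTL's own grammar).
RUN_RE = re.compile(r"^O4 - (?P<hive>[^:]+)\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<target>.*)$")
POLICY_RE = re.compile(r"^O[67] - (?P<key>.*?): DisableTaskMgr = (?P<val>\d+)$")
APPINIT_RE = re.compile(r"^O20 - AppInit_DLLs: \((?P<dll>[^)]+)\) - (?P<path>.*)$")
SHELL_RE = re.compile(r"^O20 - (?P<hive>\S+) Winlogon: Shell - \((?P<value>[^)]+)\) - (?P<path>.*)$")
COMPANY_RE = re.compile(r" \(([^()]+)\)$")   # trailing "(Company Name)" OTL appends to known files

# Per-user, user-writable data folders; vendor autostarts normally live under Program Files.
PROFILE_DIRS = ("\\local settings\\application data\\", "\\application data\\")


def analyze(log_text):
    """Return (line, reason) pairs for report lines that match a known hijack pattern."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = RUN_RE.match(line)
        if m:
            target = m.group("target")
            if target == "File not found":
                findings.append((line, "Run entry whose target no longer exists (orphaned autostart)"))
            elif any(d in target.lower() for d in PROFILE_DIRS) and not COMPANY_RE.search(target):
                findings.append((line, "autostart with no company name launched from a user-profile data folder"))
            continue
        m = POLICY_RE.match(line)
        if m and m.group("val") == "1":
            findings.append((line, "policy disables Task Manager"))
            continue
        m = APPINIT_RE.match(line)
        if m:
            findings.append((line, "AppInit_DLLs loads %s into every process that uses user32.dll" % m.group("dll")))
            continue
        m = SHELL_RE.match(line)
        if m and m.group("value").lower() != "explorer.exe":
            findings.append((line, "Winlogon Shell replaced by %s" % m.group("value")))
    return findings


def to_otl_fix(findings):
    """Build the :OTL section of an OTL fix: OTL removes an entry when handed its own report line."""
    return "\n".join([":OTL"] + [line for line, _ in findings])


if __name__ == "__main__":
    for line, reason in analyze(SAMPLE_LOG):
        print("FLAG: %s\n      %s" % (reason, line))
    print(to_otl_fix(analyze(SAMPLE_LOG)))
```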

#11 hoorock89

Posted 05 May 2010 - 02:11 PM

Progress!

I now have a desktop again. However, there still appears to be something lingering on the machine. I'm getting pop-ups from the taskbar with phony Windows security alerts. My OTLPE log is below. Thanks again for all the help, m0le.

========== OTL ==========
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\klxmhmqu deleted successfully.
C:\Documents and Settings\bhooper\Local Settings\Application Data\cqkyhkdwf\fwbqqlbtssd.exe moved successfully.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\tunoyaseji deleted successfully.
Registry value HKEY_USERS\bhooper_ON_C\Software\Microsoft\Windows\CurrentVersion\Run\\klxmhmqu deleted successfully.
File C:\Documents and Settings\bhooper\Local Settings\Application Data\cqkyhkdwf\fwbqqlbtssd.exe not found.
Registry value HKEY_USERS\LocalService_ON_C\Software\Microsoft\Windows\CurrentVersion\Run\\tunoyaseji deleted successfully.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\asam deleted successfully.
C:\Documents and Settings\bhooper\Local Settings\Application Data\asam.exe moved successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\DisableTaskMgr deleted successfully.
Registry value HKEY_USERS\bhooper_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\DisableTaskMgr deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_Dlls:pijisebo.dll deleted successfully.
C:\WINDOWS\system32\pijisebo.dll moved successfully.
Registry value HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell:C:\Documents and Settings\bhooper\Application Data\ACommander\ccmain.exe deleted successfully.
Registry value HKEY_USERS\bhooper_ON_C\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell:C:\Documents and Settings\bhooper\Application Data\ACommander\ccmain.exe deleted successfully.
========== FILES ==========
C:\Program Files\AKM Antivirus 2010 Pro folder moved successfully.
C:\Documents and Settings\bhooper\Local Settings\Application Data\cqkyhkdwf folder moved successfully.
C:\Documents and Settings\bhooper\Application Data\ACommander\faq\images folder moved successfully.
C:\Documents and Settings\bhooper\Application Data\ACommander\faq folder moved successfully.
C:\Documents and Settings\bhooper\Application Data\ACommander folder moved successfully.
C:\WINDOWS\System32\fusoyeno moved successfully.
C:\WINDOWS\System32\yusayena.exe moved successfully.
C:\WINDOWS\System32\dusayamo.exe moved successfully.
C:\Documents and Settings\bhooper\Desktop\ACommander.lnk moved successfully.
C:\Documents and Settings\bhooper\Local Settings\Application Data\syssvc.exe moved successfully.
File\Folder C:\Documents and Settings\bhooper\Local Settings\Application Data\asam.exe not found.
C:\Documents and Settings\bhooper\Local Settings\Application Data\erTd moved successfully.
========== REGISTRY ==========
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\\"DisableTaskMgr"|dword:00000000 /E : value set successfully!

OTLPE by OldTimer - Version 3.1.38.0 log created on 05052010_160125






#12 m0le

Posted 05 May 2010 - 04:12 PM

Okay, that's the whole point of OTLPE, it gives us something to work with.

Can you now run Combofix? (run the program as in the above instructions)

If not, please run OTLPE to get us a new OTL log.


m0le is a proud member of UNITE

#13 hoorock89

Posted 05 May 2010 - 04:50 PM

OK...Combofix log is attached. I accidentally ran it direct from the desktop and not from the command line. Thanks again for all the help, m0le!

Attached Files



#14 m0le

Posted 05 May 2010 - 05:11 PM

Now we should be able to clear up the machine.

Please rerun ComboFix as below:

1. Close any open browsers.

2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

QUOTE
File::
c:\windows\system32\kapekabo.exe
c:\windows\system32\msapps\comsrvr.exe

RegLockDel::
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A2BA40A0-74F1-52BD-F411-00B15A2C8953}\InProcServer32]

Driver::
COMServer


Save this as CFScript.txt, in the same location as ComboFix.exe.




Referring to the picture above, drag CFScript into ComboFix.exe.

When finished, it shall produce a log for you at C:\ComboFix.txt, which I will require in your next reply.
m0le is a proud member of UNITE

#15 hoorock89

Posted 06 May 2010 - 02:06 PM

OK...attached is the latest combofix log.

Attached Files

  • Attached File  log2.txt   17.14KB   6 downloads




