Got TrojanWin32:FakeSpyPro Trojan:win32/BHO.Bo TrojanDownlaoder:Win32/Monkif.o

Post by yvonneschaffer on 14th January 2010, 11:31 am

Sorry, I posted in the wrong forum; here I go again:
My son-in-law let his Norton AntiVirus expire and so he got a virus, he claimed. I started looking at it and suddenly Windows Defender said it had the trojan FakeSpyPro. So I ran Defender and it found and removed the FakeSpyPro. Then I tried to download updates from Windows and 1-minute downloads took hours; it kept increasing the download time so I cancelled. I just updated the critical update and that took hours. So I started research on the trojan, but couldn't really find anything from Norton, McAfee, etc. So I decided to download using my computer and a flash drive: I downloaded "Microsoft Security Essentials" and loaded it and ran into the same problem when it tried to update the definitions file. So I did that manually and ran the scan; it found two more trojans (listed in my subject line), removed those and said I was clean. Tried to update again, still took hours for a 1-minute download. So then I followed what I thought were your instructions for posting to the forum, but it was Geeks to Go stuff. Anyway, here is what I did: downloaded and ran TFC, Erunt, Malwarebytes Anti-Malware, ran Microsoft Security Essentials again (they said run an antivirus app), then they said test the system; tried to download BitDefender, it was still taking too long to download, tried to load it manually, it never worked, would never scan, so went to the next step, Gmer, a rootkit detector, and finally OTC, which they say to use instead of HiJackThis. I am posting the history from Defender, Security Essentials, the GMER, MBAM and OTC text reports; these are long so I might have to use another post. You guys helped me last time and I wanted to use you again because you rock. I am sorry I used the other site's cleaning guide, but hopefully you will help me figure out what to do next. Here is the txt file info:
Windows Defender found this Trojan and removed it; this is what the history showed.
Trojan:Win32/FakeSpyPro
Category:
Trojan
Description:
This program is dangerous and executes commands from an attacker.
Advice:
Remove this software immediately.
Resources:
process:
pid:784
regkey:
HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\\wnfissmn

regkey:
HKCU@S-1-5-21-1446042643-665842434-791521826-500\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\\wnfissmn

runkey:
HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\\wnfissmn

runkey:
HKCU@S-1-5-21-1446042643-665842434-791521826-500\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\\wnfissmn

file:
C:\Documents and Settings\Administrator\Local Settings\Application Data\unikxe\ggqmsysguard.exe

Windows Security Essentials found these trojans and removed them; this is what the history showed:

1. TrojanDownloader:win32/Monkif.O
Category: Trojan Downloader
Items:
file:C:\WINDOWS\default32.dll

2. Trojan:Win32/BHO.BO
Category: Trojan
Items:
bho:HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{AFD4AD01-58C1-47DB-A404-FBE00A6C5486}
clsid:HKLM\SOFTWARE\CLASSES\CLSID\{AFD4AD01-58C1-47DB-A404-FBE00A6C5486}
file:C:\Program Files\Shared\lib.dll
interface:HKLM\SOFTWARE\CLASSES\INTERFACE\{986A8AC1-AB4D-4F41-9068-4B01C0197867}
regkey:HKLM\SOFTWARE\CLASSES\CLSID\{AFD4AD01-58C1-47DB-A404-FBE00A6C5486}
regkey:HKLM\SOFTWARE\CLASSES\INTERFACE\{986A8AC1-AB4D-4F41-9068-4B01C0197867}
regkey:HKLM\SOFTWARE\CLASSES\TYPELIB\{8E3C68CD-F500-4A2A-8CB9-132BB38C3573}\1.0
regkey:HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{AFD4AD01-58C1-47DB-A404-FBE00A6C5486}
typelib:HKLM\SOFTWARE\CLASSES\TYPELIB\{8E3C68CD-F500-4A2A-8CB9-132BB38C3573}
typelibversion:HKLM\SOFTWARE\CLASSES\TYPELIB\{8E3C68CD-F500-4A2A-8CB9-132BB38C3573}\1.0

3. TrojanDownloader:win32/Monkif.O
Category: Trojan Downloader
Items:
file:C:\WINDOWS\default32.dll

4. Trojan:Win32/BHO.BO
Category: Trojan
Items:
bho:HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{AFD4AD01-58C1-47DB-A404-FBE00A6C5486}
clsid:HKLM\SOFTWARE\CLASSES\CLSID\{AFD4AD01-58C1-47DB-A404-FBE00A6C5486}
file:C:\Program Files\Shared\lib.dll
interface:HKLM\SOFTWARE\CLASSES\INTERFACE\{986A8AC1-AB4D-4F41-9068-4B01C0197867}
regkey:HKLM\SOFTWARE\CLASSES\CLSID\{AFD4AD01-58C1-47DB-A404-FBE00A6C5486}
regkey:HKLM\SOFTWARE\CLASSES\INTERFACE\{986A8AC1-AB4D-4F41-9068-4B01C0197867}
regkey:HKLM\SOFTWARE\CLASSES\TYPELIB\{8E3C68CD-F500-4A2A-8CB9-132BB38C3573}\1.0
regkey:HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{AFD4AD01-58C1-47DB-A404-FBE00A6C5486}
typelib:HKLM\SOFTWARE\CLASSES\TYPELIB\{8E3C68CD-F500-4A2A-8CB9-132BB38C3573}
typelibversion:HKLM\SOFTWARE\CLASSES\TYPELIB\{8E3C68CD-F500-4A2A-8CB9-132BB38C3573}\1.0

5. TrojanDownloader:win32/Monkif.O
Category: Trojan Downloader
Items:
clsid:HKCU@S-1-5-21-1446042643-665842434-791521826-500\SOFTWARE\CLASSES\CLSID\{9b019ef8-700d-4bea-be8e-0ebf2ae80806}
clsid:HKCU@S-1-5-21-1446042643-665842434-791521826-500\SOFTWARE\CLASSES\CLSID\{a118e1a2-1fb1-40cf-b0d4-60aeca696728}
file:C:\WINDOWS\default32.dll
More to follow in next post.
Thanks,
yvonneschaffer

yvonneschaffer (Novice)
Posts: 19
Joined: 2008-12-14
Gender: Female
OS: Windows XP Service Pack 3
Protection: Security Essentials


2nd post: Got TrojanWin32:FakeSpyPro

Post by yvonneschaffer on 14th January 2010, 11:36 am

Here is the Malwarebytes report.
Malwarebytes' Anti-Malware 1.44
Database version: 3510
Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

1/13/2010 2:28:51 AM
mbam-log-2010-01-13 (02-28-31).txt

Scan type: Quick Scan
Objects scanned: 109568
Time elapsed: 5 minute(s), 13 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\main.bho (Trojan.BHO) -> No action taken.
HKEY_CLASSES_ROOT\main.bho.1 (Trojan.BHO) -> No action taken.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\IntelinetSecure (Rogue.Intelinet) -> No action taken.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Administrator\Favorites\Free Porn Movies at Cliphunter.url (Rogue.Link) -> No action taken.
C:\Documents and Settings\Administrator\Favorites\Free Porn Tube Movies, Porno Videos & XXX Sex Videos.url (Rogue.Link) -> No action taken.


3rd post: Got TrojanWin32:FakeSpyPro

Post by yvonneschaffer on 14th January 2010, 11:40 am

This is the OTL log I ran, but I can run HijackThis if you need. The Gmer report is too big; do you need it? Please let me know.
OTL logfile created on: 1/13/2010 4:23:00 PM - Run 1
OTL by OldTimer - Version 3.1.24.0 Folder = C:\Documents and Settings\Administrator\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1,023.00 Mb Total Physical Memory | 525.00 Mb Available Physical Memory | 51.00% Memory free
2.00 Gb Paging File | 2.00 Gb Available in Paging File | 81.00% Paging File free
Paging file location(s): C:\pagefile.sys 1536 3072 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 64.51 Gb Total Space | 45.10 Gb Free Space | 69.92% Space Free | Partition Type: NTFS
Drive D: | 10.00 Gb Total Space | 7.50 Gb Free Space | 74.97% Space Free | Partition Type: NTFS
Drive E: | 1.17 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
Drive F: | 62.09 Mb Total Space | 1.88 Mb Free Space | 3.02% Space Free | Partition Type: FAT
Drive G: | 3.84 Gb Total Space | 2.43 Gb Free Space | 63.35% Space Free | Partition Type: FAT32
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: HP19932159792
Current User Name: Administrator
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 14 Days
Output = Standard
Quick Scan

========== Processes (SafeList) ==========

PRC - [2010/01/13 00:14:38 | 00,544,256 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.exe
PRC - [2009/09/16 15:22:08 | 00,020,480 | ---- | M] (Intuit) -- C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
PRC - [2009/09/13 18:52:50 | 01,048,392 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Security Essentials\msseces.exe
PRC - [2009/07/02 17:36:52 | 00,017,904 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Microsoft Security Essentials\MsMpEng.exe
PRC - [2009/05/21 10:34:05 | 00,152,984 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jqs.exe
PRC - [2008/04/13 16:12:19 | 01,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2008/01/11 17:50:16 | 00,030,312 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
PRC - [2007/12/11 14:01:56 | 00,540,184 | ---- | M] (PDF Complete Inc) -- C:\Program Files\PDF Complete\pdfsvc.exe
PRC - [2007/12/11 14:01:56 | 00,331,800 | ---- | M] (PDF Complete Inc) -- C:\Program Files\PDF Complete\pdfsty.exe
PRC - [2007/08/20 06:38:02 | 16,384,512 | ---- | M] (Realtek Semiconductor Corp.) -- C:\WINDOWS\RTHDCPL.exe
PRC - [2007/08/08 23:27:52 | 00,073,728 | ---- | M] (HP) -- C:\WINDOWS\system32\HPZipm12.exe
PRC - [2007/07/20 10:57:00 | 00,155,716 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\system32\nvsvc32.exe
PRC - [2007/05/08 15:24:20 | 00,054,840 | ---- | M] (Hewlett-Packard) -- C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
PRC - [2007/02/10 04:29:56 | 00,089,968 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
PRC - [2007/01/04 18:48:52 | 00,112,152 | R--- | M] (InterVideo) -- C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
PRC - [2006/11/03 18:19:58 | 00,013,592 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Defender\MsMpEng.exe
PRC - [2006/10/30 08:00:00 | 01,116,920 | ---- | M] (Roxio) -- C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe
PRC - [2006/07/10 10:53:08 | 00,872,448 | ---- | M] () -- C:\WINDOWS\SMINST\Scheduler.exe
PRC - [2006/02/19 03:21:22 | 00,288,472 | ---- | M] (Hewlett-Packard Development Company, L.P.) -- C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
PRC - [2006/02/10 06:56:12 | 00,479,232 | ---- | M] (Hewlett-Packard Development Company, L.P.) -- C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
PRC - [2002/04/17 12:19:16 | 00,069,632 | ---- | M] (Nova Development.) -- C:\Program Files\Nova Development\Photo Explosion Deluxe\CalCheck.exe


========== Modules (SafeList) ==========

MOD - [2010/01/13 00:14:38 | 00,544,256 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.exe


========== Win32 Services (SafeList) ==========

SRV - [2009/09/16 15:22:08 | 00,020,480 | ---- | M] (Intuit) [Auto | Running] -- C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe -- (QBCFMonitorService)
SRV - [2009/07/02 17:36:52 | 00,017,904 | ---- | M] (Microsoft Corporation) [Auto | Running] -- c:\Program Files\Microsoft Security Essentials\MsMpEng.exe -- (MsMpSvc)
SRV - [2009/05/21 10:34:05 | 00,152,984 | ---- | M] (Sun Microsystems, Inc.) [Auto | Running] -- C:\Program Files\Java\jre6\bin\jqs.exe -- (JavaQuickStarterService)
SRV - [2008/01/11 17:50:16 | 00,030,312 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe -- (BcmSqlStartupSvc)
SRV - [2007/12/11 14:01:56 | 00,540,184 | ---- | M] (PDF Complete Inc) [Auto | Running] -- C:\Program Files\PDF Complete\pdfsvc.exe -- (pdfcDispatcher)
SRV - [2007/08/08 23:27:52 | 00,073,728 | ---- | M] (HP) [Auto | Running] -- C:\WINDOWS\system32\HPZipm12.exe -- (Pml Driver HPZ12)
SRV - [2007/07/20 10:57:00 | 00,155,716 | ---- | M] (NVIDIA Corporation) [Auto | Running] -- C:\WINDOWS\system32\nvsvc32.exe -- (NVSvc)
SRV - [2007/05/24 06:08:44 | 00,061,440 | ---- | M] (Intuit Inc.) [On_Demand | Stopped] -- C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe -- (QBFCService)
SRV - [2007/02/10 04:29:56 | 00,089,968 | ---- | M] (Microsoft Corporation) [Auto | Running] -- c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe -- (SQLWriter)
SRV - [2007/02/10 04:29:54 | 29,178,224 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe -- (MSSQL$MSSMLBIZ) SQL Server (MSSMLBIZ)
SRV - [2007/02/10 04:29:48 | 00,242,544 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe -- (SQLBrowser)
SRV - [2007/01/04 18:48:52 | 00,112,152 | R--- | M] (InterVideo) [Auto | Running] -- C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe -- (IviRegMgr)
SRV - [2006/11/03 18:19:58 | 00,013,592 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Windows Defender\MsMpEng.exe -- (WinDefend)
SRV - [2006/11/01 10:17:32 | 00,073,728 | R--- | M] (MicroVision Development, Inc.) [On_Demand | Stopped] -- C:\Program Files\Common Files\SureThing Shared\stllssvr.exe -- (stllssvr)
SRV - [2006/10/26 18:49:34 | 00,441,136 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE -- (odserv)
SRV - [2006/10/26 13:03:08 | 00,145,184 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE -- (ose)
SRV - [2006/06/13 16:39:58 | 00,364,544 | ---- | M] (SoftThinks) [Auto | Stopped] -- C:\WINDOWS\SMINST\PCAngel.exe -- (PCA)
SRV - [2005/10/14 01:50:20 | 00,045,272 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- c:\Program Files\Microsoft SQL Server\90\Shared\sqladhlp90.exe -- (MSSQLServerADHelper)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1



O1 HOSTS File: (734 bytes) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (AOL Toolbar BHO) - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll (AOL LLC)
O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)
O3 - HKLM\..\Toolbar: (AOL Toolbar) - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll (AOL LLC)
O3 - HKCU\..\Toolbar\WebBrowser: (AOL Toolbar) - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll (AOL LLC)
O4 - HKLM..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\hpwuSchd2.exe (Hewlett-Packard)
O4 - HKLM..\Run: [HPHUPD08] C:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe (Hewlett-Packard)
O4 - HKLM..\Run: [KernelFaultCheck] File not found
O4 - HKLM..\Run: [MSSE] c:\Program Files\Microsoft Security Essentials\msseces.exe (Microsoft Corporation)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [nwiz] C:\WINDOWS\System32\nwiz.exe ()
O4 - HKLM..\Run: [PDF Complete] C:\Program Files\PDF Complete\pdfsty.exe (PDF Complete Inc)
O4 - HKLM..\Run: [Recguard] C:\WINDOWS\SMINST\Recguard.exe ()
O4 - HKLM..\Run: [Reminder] C:\WINDOWS\CREATOR\Remind_XP.exe ()
O4 - HKLM..\Run: [RoxioDragToDisc] C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe (Roxio)
O4 - HKLM..\Run: [RTHDCPL] C:\WINDOWS\RTHDCPL.exe (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [Scheduler] C:\WINDOWS\SMINST\Scheduler.exe ()
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe (Hewlett-Packard Development Company, L.P.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe (Hewlett-Packard Development Company, L.P.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Photo Explosion Calendar Checker.lnk = C:\WINDOWS\Installer\{B8F19DA6-0BCD-48FC-9998-C6ACEAEEDEFE}\PhotoExplosionCalendarChecker.exe ()
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe (Intuit Inc.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: HideLegacyLogonscripts = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: HideLogoffscripts = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: RunLogonscriptSync = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: RunStartupscriptSync = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: HideStartupscripts = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: HideLegacyLogonscripts = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: HideLogoffscripts = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: HideStartupscripts = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: RunLogonscriptSync = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: RunStartupscriptSync = 0
O8 - Extra context menu item: &AOL Toolbar Search - C:\Documents and Settings\All Users\Application Data\AOL\ieToolbar\resources\en-US\local\search.html ()
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office12\EXCEL.EXE (Microsoft Corporation)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)
O12 - Plugin for: .UVR - C:\Program Files\Internet Explorer\Plugins\NPUPano.dll (Ulead Systems, Inc.)
O15 - HKLM\..Trusted Domains: 1 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} [You must be registered and logged in to see this link.] (Facebook Photo Uploader 5 Control)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} [You must be registered and logged in to see this link.] (Windows Genuine Advantage Validation Tool)
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} [You must be registered and logged in to see this link.] (Trend Micro ActiveX Scan Agent 6.6)
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} [You must be registered and logged in to see this link.] (Windows Live Safety Center Base Module)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} [You must be registered and logged in to see this link.] (Java Plug-in 1.6.0_14)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} [You must be registered and logged in to see this link.] (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0015-0000-0000-ABCDEFFEDCBA} [You must be registered and logged in to see this link.] (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0015-0000-0017-ABCDEFFEDCBA} [You must be registered and logged in to see this link.] (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} [You must be registered and logged in to see this link.] (Java Plug-in 1.6.0_14)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} [You must be registered and logged in to see this link.] (Java Plug-in 1.6.0_14)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} [You must be registered and logged in to see this link.] (Shockwave Flash Object)
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} [You must be registered and logged in to see this link.] (Performance Viewer Activex Control)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.0.1
O18 - Protocol\Handler\intu-help-qb1 {9B0F96C7-2E4B-433e-ABF3-043BA1B54AE3} - C:\Program Files\Intuit\QuickBooks 2008\HelpAsyncPluggableProtocol.dll (TODO: )
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O28 - HKLM ShellExecuteHooks: {091EB208-39DD-417D-A5DD-7E2C2D8FB9CB} - C:\Program Files\Windows Defender\MpShHook.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - comfile [open] -- "%1" %*
O35 - exefile [open] -- "%1" %*

NetSvcs: 6to4 - File not found
NetSvcs: Ias - C:\WINDOWS\system32\ias [2008/05/21 20:10:13 | 00,000,000 | ---D | M]
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: WmdmPmSp - File not found

CREATERESTOREPOINT
Restore point Set: OTL Restore Point (16892003295952896)

========== Files/Folders - Created Within 14 Days ==========

[2010/01/13 16:20:34 | 00,544,256 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.exe
[2010/01/13 14:11:34 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\appmgmt
[2010/01/13 02:19:50 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
[2010/01/13 02:19:47 | 00,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/01/13 02:19:45 | 00,019,160 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/01/13 02:19:45 | 00,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010/01/13 02:19:45 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2010/01/13 02:17:32 | 00,000,000 | ---D | C] -- C:\Program Files\ERUNT
[2010/01/13 02:14:35 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Intuit
[2010/01/13 02:08:00 | 00,000,000 | ---D | C] -- C:\New Folder
[2010/01/11 12:33:01 | 00,000,000 | ---D | C] -- C:\Program Files\Common Files\BitDefender
[2010/01/11 12:33:01 | 00,000,000 | ---D | C] -- C:\Program Files\BitDefender
[2010/01/10 23:10:54 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\PCHealth
[2010/01/10 00:46:54 | 00,000,000 | ---D | C] -- C:\Program Files\Microsoft Security Essentials
[2010/01/10 00:27:19 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\zh-TW
[2010/01/10 00:27:19 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\zh-HK
[2010/01/10 00:27:19 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\tr-TR
[2010/01/10 00:27:19 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\sv-SE
[2010/01/10 00:27:19 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\pt-BR
[2010/01/10 00:27:19 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\nl-NL
[2010/01/10 00:27:19 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\nb-NO
[2010/01/10 00:27:19 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\ko-KR
[2010/01/10 00:27:19 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\it-IT
[2010/01/10 00:27:19 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\he-IL
[2010/01/10 00:27:19 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\fr-FR
[2010/01/10 00:27:19 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\fi-FI
[2010/01/10 00:27:19 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\es-ES
[2010/01/10 00:27:19 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\el-GR
[2010/01/10 00:27:19 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\de-DE
[2010/01/10 00:27:19 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\da-DK
[2010/01/10 00:27:19 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\ar-SA
[2008/12/07 17:43:01 | 00,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\PCHealth
[2008/09/06 06:19:22 | 00,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft
[2008/07/11 09:29:19 | 00,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Intuit
[2008/05/21 20:33:44 | 00,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Application Data\Microsoft
[2008/05/21 20:10:11 | 00,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Application Data\Microsoft
[2008/05/21 20:10:11 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft
[2006/02/19 02:28:56 | 00,012,288 | ---- | C] (Hewlett-Packard Development Company, L.P.) -- C:\WINDOWS\Fonts\RandFont.dll

========== Files - Modified Within 14 Days ==========

[2010/01/13 14:50:49 | 04,194,304 | -H-- | M] () -- C:\Documents and Settings\Administrator\NTUSER.DAT
[2010/01/13 14:18:11 | 00,000,408 | -H-- | M] () -- C:\WINDOWS\tasks\MP Scheduled Scan.job
[2010/01/13 14:17:04 | 00,591,454 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2010/01/13 14:17:04 | 00,491,066 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010/01/13 14:17:04 | 00,089,630 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2010/01/13 14:13:07 | 00,001,158 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/01/13 14:12:57 | 00,002,445 | ---- | M] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Photo Explosion Calendar Checker.lnk
[2010/01/13 14:12:49 | 00,000,236 | ---- | M] () -- C:\WINDOWS\tasks\OGALogon.job
[2010/01/13 14:12:47 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/01/13 14:12:46 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/01/13 14:12:45 | 10,730,45504 | -HS- | M] () -- C:\hiberfil.sys
[2010/01/13 14:07:17 | 00,000,132 | ---- | M] () -- C:\WINDOWS\System32\rezumatenoi.dat
[2010/01/13 02:19:49 | 00,000,696 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/01/13 02:17:32 | 00,000,611 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\NTREGOPT.lnk
[2010/01/13 02:17:32 | 00,000,592 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\ERUNT.lnk
[2010/01/13 02:13:05 | 00,000,121 | ---- | M] () -- C:\WINDOWS\bdagent.INI
[2010/01/13 01:00:00 | 00,000,480 | -H-- | M] () -- C:\WINDOWS\tasks\Crystal Clear Pool & Spas. 1221780534.job
[2010/01/13 00:14:38 | 00,544,256 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.exe
[2010/01/13 00:13:22 | 00,284,915 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\gmer.zip
[2010/01/12 12:17:07 | 00,000,422 | ---- | M] () -- C:\WINDOWS\System32\mapisvc.inf
[2010/01/10 00:46:55 | 00,000,820 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Microsoft Security Essentials.lnk
[2010/01/10 00:27:39 | 00,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2010/01/08 23:47:07 | 00,000,036 | ---- | M] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\housecall.guid.cache
[2010/01/08 08:22:18 | 00,000,381 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\Crystal Clear Pool & Spas..QBW.nd
[2010/01/08 08:22:17 | 22,999,040 | R--- | M] () -- C:\Documents and Settings\Administrator\Desktop\Crystal Clear Pool & Spas..QBW
[2010/01/08 08:22:17 | 02,555,904 | R--- | M] () -- C:\Documents and Settings\Administrator\Desktop\Crystal Clear Pool & Spas..QBW.TLG
[2010/01/07 16:07:14 | 00,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/01/07 16:07:04 | 00,019,160 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys

========== Files Created - No Company Name ==========

[2010/01/13 15:12:06 | 00,284,915 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\gmer.zip
[2010/01/13 02:19:49 | 00,000,696 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/01/13 02:19:31 | 00,000,408 | -H-- | C] () -- C:\WINDOWS\tasks\MP Scheduled Scan.job
[2010/01/13 02:17:32 | 00,000,611 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\NTREGOPT.lnk
[2010/01/13 02:17:32 | 00,000,592 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\ERUNT.lnk
[2010/01/13 02:13:05 | 00,000,121 | ---- | C] () -- C:\WINDOWS\bdagent.INI
[2010/01/11 14:06:12 | 00,000,132 | ---- | C] () -- C:\WINDOWS\System32\rezumatenoi.dat
[2010/01/10 00:46:55 | 00,000,820 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Microsoft Security Essentials.lnk
[2010/01/10 00:27:19 | 00,000,236 | ---- | C] () -- C:\WINDOWS\tasks\OGALogon.job
[2010/01/08 23:47:07 | 00,000,036 | ---- | C] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\housecall.guid.cache
[2009/08/03 15:07:42 | 00,403,816 | ---- | C] () -- C:\WINDOWS\System32\OGACheckControl.dll
[2008/06/13 17:56:49 | 00,000,420 | ---- | C] () -- C:\WINDOWS\ULead32.ini
[2008/06/10 18:23:19 | 00,000,136 | ---- | C] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\fusioncache.dat
[2008/06/08 15:36:27 | 00,009,216 | ---- | C] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2008/06/06 09:28:25 | 00,077,824 | R--- | C] () -- C:\WINDOWS\System32\hpzids01.dll
[2008/06/06 09:21:50 | 00,001,529 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\hpzinstall.log
[2008/05/21 20:40:30 | 00,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2008/05/21 20:27:13 | 00,056,056 | ---- | C] () -- C:\WINDOWS\System32\DLAAPI_W.DLL
[2008/05/21 20:27:13 | 00,000,120 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2008/05/21 20:26:30 | 00,204,800 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeW7.dll
[2008/05/21 20:26:30 | 00,200,704 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeA6.dll
[2008/05/21 20:26:30 | 00,192,512 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeP6.dll
[2008/05/21 20:26:30 | 00,192,512 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeM6.dll
[2008/05/21 20:26:30 | 00,188,416 | ---- | C] () -- C:\WINDOWS\System32\IVIresizePX.dll
[2008/05/21 20:26:30 | 00,020,480 | ---- | C] () -- C:\WINDOWS\System32\IVIresize.dll
[2008/02/28 14:30:08 | 00,008,784 | ---- | C] () -- C:\WINDOWS\System32\ractrlkeyhook.dll
[2007/07/20 10:57:00 | 01,703,936 | ---- | C] () -- C:\WINDOWS\System32\nvwdmcpl.dll
[2007/07/20 10:57:00 | 01,478,656 | ---- | C] () -- C:\WINDOWS\System32\nview.dll
[2007/07/20 10:57:00 | 01,019,904 | ---- | C] () -- C:\WINDOWS\System32\nvwimg.dll
[2007/07/20 10:57:00 | 00,466,944 | ---- | C] () -- C:\WINDOWS\System32\nvshell.dll
[2007/07/20 10:57:00 | 00,286,720 | ---- | C] () -- C:\WINDOWS\System32\nvnt4cpl.dll
[2007/07/03 05:22:28 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\px.ini
[2006/09/24 22:02:34 | 00,520,192 | ---- | C] () -- C:\WINDOWS\System32\CddbPlaylist2Roxio.dll
[2006/09/24 22:02:34 | 00,204,800 | ---- | C] () -- C:\WINDOWS\System32\CddbFileTaggerRoxio.dll
[2005/10/18 03:49:40 | 00,006,964 | ---- | C] () -- C:\WINDOWS\System32\oeminfo.ini
[2001/07/07 02:00:00 | 00,003,399 | ---- | C] () -- C:\WINDOWS\System32\hptcpmon.ini

========== LOP Check ==========

[2008/06/13 18:01:31 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Nova Development
[2008/12/08 01:29:52 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\SampleView
[2008/07/09 12:04:49 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\COMMON FILES
[2008/06/13 18:01:29 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Nova Development
[2008/05/21 20:35:17 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{174892B1-CBE7-44F5-86FF-AB555EFD73A3}
[2010/01/13 01:00:00 | 00,000,480 | -H-- | M] () -- C:\WINDOWS\Tasks\Crystal Clear Pool & Spas. 1221780534.job
[2010/01/13 14:18:11 | 00,000,408 | -H-- | M] () -- C:\WINDOWS\Tasks\MP Scheduled Scan.job
[2010/01/13 14:12:49 | 00,000,236 | ---- | M] () -- C:\WINDOWS\Tasks\OGALogon.job

========== Purity Check ==========



========== Custom Scans ==========


< %SYSTEMDRIVE%\*.exe >


< MD5 for: AGP440.SYS >
[2006/02/27 23:00:00 | 18,738,937 | ---- | M] () .cab file -- C:\i386\sp2.cab:AGP440.sys
[2006/02/27 18:00:00 | 18,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:AGP440.sys
[2008/09/06 06:09:17 | 23,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:AGP440.sys
[2008/09/06 06:09:17 | 23,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:AGP440.sys
[2008/04/13 10:36:38 | 00,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\ServicePackFiles\i386\agp440.sys
[2008/04/13 10:36:38 | 00,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\system32\drivers\agp440.sys

< MD5 for: AHCIX86.SYS >
[2007/06/12 02:37:56 | 00,122,880 | ---- | M] (ATI Technologies Inc.) MD5=C59E66D1C4827A9AAFA88AABF01A99FA -- C:\SWSetup\HP Backup and Recovery Manager\update\DRIVERS\Storage\ahcix86.sys
[2007/06/12 02:37:56 | 00,122,880 | ---- | M] (ATI Technologies Inc.) MD5=C59E66D1C4827A9AAFA88AABF01A99FA -- C:\WINDOWS\DRIVERS\Storage\ahcix86.sys

< MD5 for: ATAPI.SYS >
[2006/02/27 23:00:00 | 18,738,937 | ---- | M] () .cab file -- C:\i386\sp2.cab:atapi.sys
[2006/02/27 18:00:00 | 18,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:atapi.sys
[2008/09/06 06:09:17 | 23,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:atapi.sys
[2008/09/06 06:09:17 | 23,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:atapi.sys
[2008/04/13 10:40:30 | 00,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ServicePackFiles\i386\atapi.sys
[2008/04/13 10:40:30 | 00,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\drivers\atapi.sys
[2004/08/03 16:59:44 | 00,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\$NtServicePackUninstall$\atapi.sys

< MD5 for: EVENTLOG.DLL >
[2008/04/13 16:11:53 | 00,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\ServicePackFiles\i386\eventlog.dll
[2008/04/13 16:11:53 | 00,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\system32\eventlog.dll
[2006/02/27 18:00:00 | 00,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll

< MD5 for: IASTOR.SYS >
[2007/07/12 08:35:02 | 00,305,176 | ---- | M] (Intel Corporation) MD5=2358C53F30CB9DCD1D3843C4E2F299B2 -- C:\COMPAQ\MISC5\iaStor.sys
[2007/07/12 07:35:02 | 00,305,176 | ---- | M] (Intel Corporation) MD5=2358C53F30CB9DCD1D3843C4E2F299B2 -- C:\SWSetup\HP Backup and Recovery Manager\update\DRIVERS\Storage\iaStor.sys
[2007/07/12 07:35:02 | 00,305,176 | ---- | M] (Intel Corporation) MD5=2358C53F30CB9DCD1D3843C4E2F299B2 -- C:\WINDOWS\DRIVERS\Storage\iaStor.sys
[2007/07/12 08:35:02 | 00,305,176 | ---- | M] (Intel Corporation) MD5=2358C53F30CB9DCD1D3843C4E2F299B2 -- C:\WINDOWS\system32\drivers\iaStor.sys

< MD5 for: NETLOGON.DLL >
[2008/04/13 16:12:01 | 00,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\ServicePackFiles\i386\netlogon.dll
[2008/04/13 16:12:01 | 00,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\system32\netlogon.dll
[2006/02/27 18:00:00 | 00,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\WINDOWS\$NtServicePackUninstall$\netlogon.dll

< MD5 for: SCECLI.DLL >
[2006/02/27 18:00:00 | 00,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- C:\WINDOWS\$NtServicePackUninstall$\scecli.dll
[2008/04/13 16:12:05 | 00,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\ServicePackFiles\i386\scecli.dll
[2008/04/13 16:12:05 | 00,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\system32\scecli.dll

< %systemroot%\*. /mp /s >

< %systemroot%\system32\*.dll /lockedfiles >

< %systemroot%\Tasks\*.job /lockedfiles >

< >
< End of report >


4th post yvonneschaffer Got TrojanWin32:FakeSpyPro

Post by yvonneschaffer on 14th January 2010, 11:50 am

This is the second OTL report. The GMER txt is over 718kb; I posted the first part in the wrong forum before. Let me know what to do next.



OTL Extras logfile created on: 1/13/2010 4:23:00 PM - Run 1
OTL by OldTimer - Version 3.1.24.0 Folder = C:\Documents and Settings\Administrator\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1,023.00 Mb Total Physical Memory | 525.00 Mb Available Physical Memory | 51.00% Memory free
2.00 Gb Paging File | 2.00 Gb Available in Paging File | 81.00% Paging File free
Paging file location(s): C:\pagefile.sys 1536 3072 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 64.51 Gb Total Space | 45.10 Gb Free Space | 69.92% Space Free | Partition Type: NTFS
Drive D: | 10.00 Gb Total Space | 7.50 Gb Free Space | 74.97% Space Free | Partition Type: NTFS
Drive E: | 1.17 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
Drive F: | 62.09 Mb Total Space | 1.88 Mb Free Space | 3.02% Space Free | Partition Type: FAT
Drive G: | 3.84 Gb Total Space | 2.43 Gb Free Space | 63.35% Space Free | Partition Type: FAT32
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: HP19932159792
Current User Name: Administrator
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 14 Days
Output = Standard
Quick Scan

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\]
.html [@ = htmlfile] -- C:\Program Files\Internet Explorer\IEXPLORE.EXE (Microsoft Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- "C:\Program Files\Microsoft Office\Office12\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
htmlfile [opennew] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)
htmlfile [print] -- "C:\Program Files\Microsoft Office\Office12\msohtmed.exe" /p %1 (Microsoft Corporation)
http [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
https [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Applications\iexplore.exe [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)
CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -- "%programfiles%\internet explorer\iexplore.exe" (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE" = C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook -- (Microsoft Corporation)
"C:\WINDOWS\SMINST\Scheduler.exe" = C:\WINDOWS\SMINST\Scheduler.exe:*:Enabled:Scheduler -- ()
"C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe" = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe:*:Enabled:hpqtra08.exe -- (Hewlett-Packard Development Company, L.P.)
"C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe" = C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe:*:Enabled:hpqste08.exe -- (Hewlett-Packard Development Company, L.P.)
"C:\Program Files\HP\Digital Imaging\bin\hpofxm08.exe" = C:\Program Files\HP\Digital Imaging\bin\hpofxm08.exe:*:Enabled:hpofxm08.exe -- (Hewlett-Packard Development Company, L.P.)
"C:\Program Files\HP\Digital Imaging\bin\hposfx08.exe" = C:\Program Files\HP\Digital Imaging\bin\hposfx08.exe:*:Enabled:hposfx08.exe -- (Hewlett-Packard Development Company, L.P.)
"C:\Program Files\HP\Digital Imaging\bin\hposid01.exe" = C:\Program Files\HP\Digital Imaging\bin\hposid01.exe:*:Enabled:hposid01.exe -- (Hewlett-Packard Development Company, L.P.)
"C:\Program Files\HP\Digital Imaging\bin\hpqscnvw.exe" = C:\Program Files\HP\Digital Imaging\bin\hpqscnvw.exe:*:Enabled:hpqscnvw.exe -- ()
"C:\Program Files\HP\Digital Imaging\bin\hpqkygrp.exe" = C:\Program Files\HP\Digital Imaging\bin\hpqkygrp.exe:*:Enabled:hpqkygrp.exe -- (Hewlett-Packard)
"C:\Program Files\HP\Digital Imaging\bin\hpqCopy.exe" = C:\Program Files\HP\Digital Imaging\bin\hpqCopy.exe:*:Enabled:hpqcopy.exe -- (Hewlett-Packard Development Company, L.P.)
"C:\Program Files\HP\Digital Imaging\bin\hpfccopy.exe" = C:\Program Files\HP\Digital Imaging\bin\hpfccopy.exe:*:Enabled:hpfccopy.exe -- (Hewlett-Packard)
"C:\Program Files\HP\Digital Imaging\bin\hpzwiz01.exe" = C:\Program Files\HP\Digital Imaging\bin\hpzwiz01.exe:*:Enabled:hpzwiz01.exe -- (Hewlett-Packard Development Company, L.P.)
"C:\Program Files\HP\Digital Imaging\Unload\HpqPhUnl.exe" = C:\Program Files\HP\Digital Imaging\Unload\HpqPhUnl.exe:*:Enabled:hpqphunl.exe -- (Hewlett-Packard)
"C:\Program Files\HP\Digital Imaging\Unload\HpqDIA.exe" = C:\Program Files\HP\Digital Imaging\Unload\HpqDIA.exe:*:Enabled:hpqdia.exe -- ( )
"C:\Program Files\HP\Digital Imaging\bin\hpoews01.exe" = C:\Program Files\HP\Digital Imaging\bin\hpoews01.exe:*:Enabled:hpoews01.exe -- (Hewlett-Packard Development Company, L.P.)
"C:\Program Files\HP\Digital Imaging\bin\hpqnrs08.exe" = C:\Program Files\HP\Digital Imaging\bin\hpqnrs08.exe:*:Enabled:hpqnrs08.exe -- (Hewlett-Packard Development Company, L.P.)
"C:\Program Files\Intuit\QuickBooks 2008\QBDBMgrN.exe" = C:\Program Files\Intuit\QuickBooks 2008\QBDBMgrN.exe:*:Enabled:QuickBooks 2008 Data Manager -- (iAnywhere Solutions, Inc.)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{002D9D5E-29BA-3E6D-9BC4-3D7D6DBC735C}" = Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
"{0394CDC8-FABD-4ed8-B104-03393876DFDF}" = Roxio Creator Tools
"{0611BD4E-4FE4-4a62-B0C0-18A4CC463428}" = CP_Package_Variety1
"{0A65A3BD-54B5-4d0d-B084-7688507813F5}" = SlideShow
"{0D397393-9B50-4c52-84D5-77E344289F87}" = Roxio Creator Data
"{15C0AF59-4877-49B6-B8C6-A61CE54515F5}" = cp_OnlineProjectsConfig
"{1C139D7D-9FEA-468d-A9C8-2A6E3BDE564A}" = CP_Package_Variety3
"{2376813B-2E5A-4641-B7B3-A0D5ADB55229}" = HPPhotoSmartExpress
"{26A24AE4-039D-4CA4-87B4-2F83216013FF}" = Java(TM) 6 Update 14
"{2AFFFDD7-ED85-4A90-8C52-5DA9EBDC9B8F}" = Microsoft SQL Server 2005 Express Edition (MSSMLBIZ)
"{2D5F91BD-BB3D-4E8C-B29C-C5BC42E194F1}" = HP Performance Tuning Framework
"{2F4C24E6-CBD4-4AAC-B56F-C9FD44DE5668}" = Roxio Drag-to-Disc
"{2F58D60D-2BFD-4467-9B4D-64E7355C329D}" = Sonic_PrimoSDK
"{3248F0A8-6813-11D6-A77B-00B0D0150000}" = J2SE Runtime Environment 5.0
"{3248F0A8-6813-11D6-A77B-00B0D0150170}" = J2SE Runtime Environment 5.0 Update 17
"{33BF0960-DBA3-4187-B6CC-C969FCFA2D25}" = SkinsHP1
"{33D6CC28-9F75-4d1b-A11D-98895B3A3729}" = HP Photosmart 330,380,420,470,7800,8000,8200 Series
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{35748B06-FCFC-4700-8285-DAD41689E4FE}" = Broadcom TPM Driver Installer
"{35E1EC43-D4FC-4E4A-AAB3-20DDA27E8BB0}" = Sonic Activation Module
"{363790D2-DA98-41DD-9C9F-69FA36B169DE}" = PanoStandAlone
"{36FDBE6E-6684-462B-AE98-9A39A1B200CC}" = HP Product Assistant
"{3F9F7336-6DF8-476F-ABF6-C70A17FAF619}" = HP Backup and Recovery Manager
"{41E776A5-9B12-416D-9A12-B4F7B044EBED}" = CP_Package_Basic1
"{45B8A76B-57EC-4242-B019-066400CD8428}" = BufferChm
"{48B3FB4D-CE22-488C-8E9F-24EBB77EAC0F}" = Microsoft Security Essentials
"{4EA684E9-5C81-4033-A696-3019EC57AC3A}" = HPProductAssistant
"{50120000-1105-0000-0000-0000000FF1CE}" = Microsoft Office 2007 Primary Interop Assemblies
"{53F5C3EE-05ED-4830-994B-50B2F0D50FCE}" = Microsoft SQL Server Setup Support Files (English)
"{57B2281D-A34A-4a48-8C68-169B8873659D}" = c4100_Help
"{5A3F6A80-7913-475E-8B96-477A952CFA43}" = SupportSoft Assisted Service
"{5F26311C-B135-4F7F-B11E-8E650F83651E}" = DeviceFunctionQFolder
"{619CDD8A-14B6-43a1-AB6C-0F4EE48CE048}" = Roxio Creator Copy
"{65DA2EC9-0642-47E9-AAE2-B5267AA14D75}" = Activation Assistant for the 2007 Microsoft Office suites
"{6675CA7F-E51B-4F6A-99D4-F8F0124C6EAA}" = Roxio Express Labeler 3
"{66910000-8B30-4973-A159-6371345AFFA5}" = WebReg
"{6696D9A4-28A8-4F5A-8E9A-2E8974C8C39C}" = RandMap
"{68763C27-235D-4165-A961-FDEA228CE504}" = AiOSoftwareNPI
"{6909F917-5499-482e-9AA1-FAD06A99F231}" = Toolbox
"{69333A04-5134-40A5-A055-9166A7AA1EC8}" =
"{6F5E2F4A-377D-4700-B0E3-8F7F7507EA15}" = CustomerResearchQFolder
"{716E0306-8318-4364-8B8F-0CC4E9376BAC}" = MSXML 4.0 SP2 Parser and SDK
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{736C803C-DD3B-4015-BC51-AFB9E67B9076}" = Readme
"{755EC5E3-FD51-46bd-A57F-7A2D56FBF061}" = PSTAPlugin
"{769A295C-DCF4-41d6-AFBA-7D9394B23AFE}" = PSPrinters08
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{7C03270C-4FAB-4F5C-B10D-52FEDA190790}" = DocumentViewerQFolder
"{7E27304E-BAA2-4d90-A34E-76641FAFABB4}" = CP_AtenaShokunin1Config
"{7E7B7865-6C80-4373-8BC1-C2EB9431F9DE}" = ProductContextNPI
"{808E5AB1-E98F-4362-AB10-B5B69CB2301C}" = HP Workstation User Guides
"{8331C3EA-0C91-43AA-A4D4-27221C631139}" = Status
"{83FFCFC7-88C6-41c6-8752-958A45325C82}" = Roxio Creator Audio
"{87E2B986-07E8-477a-93DC-AF0B6758B192}" = DocProcQFolder
"{8A4CE7FD-9657-4B06-9943-E1819F3D5D67}" = DocProc
"{8CE4E6E9-9D55-43FB-9DDB-688C976BFC05}" = Unload
"{8ECB8220-F422-4BEB-9596-97033C533702}" = QuickBooks Pro 2008
"{90120000-0010-0409-0000-0000000FF1CE}" = Microsoft Software Update for Web Folders (English) 12
"{90120000-0015-0409-0000-0000000FF1CE}" = Microsoft Office Access MUI (English) 2007
"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
"{90120000-0019-0409-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (English) 2007
"{90120000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120000-0117-0409-0000-0000000FF1CE}" = Microsoft Office Access Setup Metadata MUI (English) 2007
"{90A40409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office 2003 Web Components
"{91120000-0031-0000-0000-0000000FF1CE}" = Microsoft Office Professional Hybrid 2007
"{91810AFC-A4F8-4EBA-A5AA-B198BBC81144}" = InterVideo WinDVD
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{996512CF-F35B-48DE-9291-557FA5316967}" = ScannerCopy
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{A06275F4-324B-4E85-95E6-87B2CD729401}" = Windows Defender
"{A0A77CDC-2419-4D5C-AD2C-E09E5926B806}" = Microsoft Antimalware
"{A29800BA-0BF1-4E63-9F31-DF05A87F4104}" = InstantShareDevices
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A3455242-DAE0-4523-8242-FD82706ABF4B}" = CameraDrivers
"{A939D341-5A04-4E0A-BB55-3E65B386432D}" = Microsoft Office Small Business Connectivity Components
"{A93C4E94-1005-489D-BEAA-B873C1AA6CFC}" = HP Help and Support
"{AC76BA86-7AD7-1033-7B44-A70800000002}" = Adobe Reader 7.0.8
"{B2157760-AA3C-4E2E-BFE6-D20BC52495D9}" = cp_PosterPrintConfig
"{B2544A03-10D0-4E5E-BA69-0362FFC20D18}" = OGA Notifier 2.0.0048.0
"{B32C4059-6E7A-41EF-AD20-56DF1872B923}" = Business Contact Manager for Outlook 2007 SP1
"{B6286A44-7505-471A-A72B-04EC2DB2F442}" = CueTour
"{B69CFE29-FD03-4E0A-87A7-6ED97F98E5B3}" = CP_Panorama1Config
"{B824B5C9-849F-4b9e-9EA7-6FD8CD8116DA}" = CP_Package_Variety2
"{B8F19DA6-0BCD-48FC-9998-C6ACEAEEDEFE}" = Photo Explosion Deluxe
"{BDBE2F3E-42DB-4d4a-8CB1-19BA765DBC6C}" = HP Photosmart, Officejet and Deskjet 7.0.A
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C1C6767D-B395-43CB-BF99-051B58B86DA6}" = PhotoGallery
"{C7F54CF8-D6FB-4E0A-93A3-E68AE0D6C476}" = SolutionCenter
"{C871525F-7116-4d26-BA6D-215F59B6F88B}" = C4100
"{C8753E28-2680-49BF-BD48-DD38FD086EFE}" = AiO_Scan_CDA
"{C8B0680B-CDAE-4809-9F91-387B6DE00F7C}" = Roxio Creator Basic v9
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{DBC20735-34E6-4E97-A9E5-2066B66B243D}" = TrayApp
"{E1B80DEE-A795-4258-8445-074C06AE3AB8}" = MarketResearch
"{E86AA946-5CE2-4C21-B660-D2C186B6FDB3}" = Broadcom Management Programs
"{E9F44C98-B8B6-480F-AF7B-E42A0A46F4E3}" = Microsoft SQL Server VSS Writer
"{ED2C557E-9C18-41FF-B58E-A05EEF0B3B5F}" = CP_CalendarTemplates1
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{F157460F-720E-482f-8625-AD7843891E5F}" = InstantShareDevicesMFC
"{F1670367-C07F-411f-A196-79D2C65CBEC0}" = PS8200
"{F18DB86D-BC16-4E01-BCCE-63F62B931D82}" = InterVideo Register Manager
"{F3760724-B29D-465B-BC53-E5D72095BCC4}" = Scan
"{F6076EF9-08E1-442F-B6A2-BFB61B295A14}" = Fax_CDA
"{F9B3DD02-B0B3-42E9-8650-030DFF0D133D}" = Microsoft SQL Server Native Client
"{FB15E224-67C3-491F-9F5C-F257BC418412}" = Destinations
"{FBB980B0-63F8-4B48-8D65-90F1D9F81D9F}" = NewCopy_CDA
"{FE57DE70-95DE-4B64-9266-84DA811053DB}" = HP Update
"{FE7E1DD7-EBCE-4696-ADE2-22BDBF2372DA}" = DocumentViewer
"Activation Assistant for the 2007 Microsoft Office suites" = Activation Assistant for the 2007 Microsoft Office suites
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"AOL Toolbar" = AOL Toolbar 5.0
"Business Contact Manager" = Business Contact Manager for Outlook 2007 SP1
"CCleaner" = CCleaner (remove only)
"ERUNT_is1" = ERUNT 1.1j
"HijackThis" = HijackThis 2.0.2
"HP Document Viewer" = HP Document Viewer 7.0
"HP Imaging Device Functions" = HP Imaging Device Functions 7.0
"HP Photo & Imaging" = HP Photosmart Premier Software 6.5
"HP Solution Center & Imaging Support Tools" = HP Solution Center 7.0
"HPExtendedCapabilities" = HP Customer Participation Program 7.0
"HPOCR" = OCR Software by I.R.I.S 7.0
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Microsoft Security Essentials" = Microsoft Security Essentials
"Microsoft SQL Server 2005" = Microsoft SQL Server 2005
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"NVIDIA Drivers" = NVIDIA Drivers
"PDF Complete" = PDF Complete
"Pool Studio1.620" = Pool Studio
"PROHYBRIDR" = 2007 Microsoft Office system
"Ulead COOL 360 1.0" = Ulead COOL 360 1.0
"Windows XP Service Pack" = Windows XP Service Pack 3

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 11/27/2009 1:42:49 PM | Computer Name = HP19932159792 | Source = QuickBooks | ID = 4
Description =

Error - 11/30/2009 9:46:00 PM | Computer Name = HP19932159792 | Source = QuickBooks | ID = 4
Description =

Error - 11/30/2009 9:46:00 PM | Computer Name = HP19932159792 | Source = QuickBooks | ID = 4
Description =

Error - 11/30/2009 9:46:00 PM | Computer Name = HP19932159792 | Source = QuickBooks | ID = 4
Description =

Error - 11/30/2009 9:46:20 PM | Computer Name = HP19932159792 | Source = QuickBooks | ID = 4
Description =

Error - 11/30/2009 9:46:20 PM | Computer Name = HP19932159792 | Source = QuickBooks | ID = 4
Description =

Error - 11/30/2009 9:46:20 PM | Computer Name = HP19932159792 | Source = QuickBooks | ID = 4
Description =

Error - 11/30/2009 9:46:43 PM | Computer Name = HP19932159792 | Source = QuickBooks | ID = 4
Description =

Error - 12/5/2009 10:55:38 AM | Computer Name = HP19932159792 | Source = Application Error | ID = 1000
Description = Faulting application iexplore.exe, version 7.0.6000.16915, faulting
module mshtml.dll, version 7.0.6000.16939, fault address 0x000d79b7.

Error - 12/7/2009 12:00:47 PM | Computer Name = HP19932159792 | Source = Application Error | ID = 1000
Description = Faulting application iexplore.exe, version 7.0.6000.16915, faulting
module unknown, version 0.0.0.0, fault address 0x0a497118.

[ System Events ]
Error - 1/7/2010 4:15:35 PM | Computer Name = HP19932159792 | Source = Dhcp | ID = 1000
Description = Your computer has lost the lease to its IP address 192.168.0.11 on
the Network Card with network address 00215A175768.

Error - 1/7/2010 7:42:52 PM | Computer Name = HP19932159792 | Source = Dhcp | ID = 1000
Description = Your computer has lost the lease to its IP address 192.168.0.11 on
the Network Card with network address 00215A175768.

Error - 1/8/2010 10:55:23 AM | Computer Name = HP19932159792 | Source = Dhcp | ID = 1000
Description = Your computer has lost the lease to its IP address 192.168.0.11 on
the Network Card with network address 00215A175768.


< End of report >

P.S. I was able to download Housecall and load it, took a long time, but ran quick scan, found nothing... so I am running full scan now. I really need help since I want to solve this now...


Re: Got TrojanWin32:FakeSpyPro Trojan:win32/BHO.Bo TrojanDownlaoder:Win32/Monkif.o

Post by Belahzur on 14th January 2010, 7:23 pm

Hello.

Did you remove what MBAM found? It says no action was taken.


Please PM me if I fail to respond within 24hrs.



Re: Got TrojanWin32:FakeSpyPro Trojan:win32/BHO.Bo TrojanDownlaoder:Win32/Monkif.o

Post by yvonneschaffer on 14th January 2010, 7:33 pm

Hi Belahzur!
Thanks for helping me. By the way, Housecall didn't find anything.

No, I didn't remove anything. I don't know why it didn't remove them. Do you want me to run again? Once again, thanks for the response.


Re: Got TrojanWin32:FakeSpyPro Trojan:win32/BHO.Bo TrojanDownlaoder:Win32/Monkif.o

Post by Belahzur on 14th January 2010, 7:53 pm

Yes please.





Re: Got TrojanWin32:FakeSpyPro Trojan:win32/BHO.Bo TrojanDownlaoder:Win32/Monkif.o

Post by yvonneschaffer on 14th January 2010, 9:04 pm

Hi!
Well, I think I messed up again, I sent the wrong report. Will attach the one where it found and quarantined files. I did an update, which seemed to go ok, and ran MBAM again. Here we go:
Malwarebytes' Anti-Malware 1.44
Database version: 3510
Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

1/13/2010 2:28:59 AM
mbam-log-2010-01-13 (02-28-59).txt

Scan type: Quick Scan
Objects scanned: 109568
Time elapsed: 5 minute(s), 13 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\main.bho (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\main.bho.1 (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\IntelinetSecure (Rogue.Intelinet) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Administrator\Favorites\Free Porn Movies at Cliphunter.url (Rogue.Link) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Favorites\Free Porn Tube Movies, Porno Videos & XXX Sex Videos.url (Rogue.Link) -> Quarantined and deleted successfully.

After updating MBAM, here is the next run. Should I do a full system scan?

Malwarebytes' Anti-Malware 1.44
Database version: 3564
Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

1/14/2010 11:58:05 AM
mbam-log-2010-01-14 (11-58-05).txt

Scan type: Quick Scan
Objects scanned: 110787
Time elapsed: 3 minute(s), 41 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Thanks again

yvonneschaffer
Novice

Posts : 19
Joined : 2008-12-14
Gender : Female
OS : Windows XP Service Pack 3
Protection : Security Essentials
Points : 29228
# Likes : 0
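The two MBAM logs above are checked by eye, and the first post in this thread sent the wrong one. As an added example (not code from the thread or from Malwarebytes), here is a small parser for the log layout shown, which cross-checks the summary counts against the detail lines and flags any item the tool did not quarantine; the sample log and the line formats it assumes are reconstructed from the posts above, not taken from a real scan.

```python
import re
from collections import Counter

# Constructed sample laid out like the MBAM 1.44 logs in this thread (not a real log);
# one entry is deliberately left as "No action taken" to exercise the unresolved check.
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.44

Registry Keys Infected: 3
Files Infected: 2

Registry Keys Infected:
HKEY_CLASSES_ROOT\main.bho (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\main.bho.1 (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\IntelinetSecure (Rogue.Intelinet) -> Quarantined and deleted successfully.

Files Infected:
C:\Documents and Settings\Administrator\Favorites\sample-link.url (Rogue.Link) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Favorites\other-link.url (Rogue.Link) -> No action taken.
"""

SUMMARY_RE = re.compile(r"^([A-Za-z ]+ Infected): (\d+)$")  # "Registry Keys Infected: 3"
HEADER_RE = re.compile(r"^([A-Za-z ]+ Infected):$")         # "Registry Keys Infected:"
ITEM_RE = re.compile(r"^(.+?) \(([^()]+)\) -> (.+?)\.?$")   # "<object> (<name>) -> <action>."

def parse_mbam_log(text):
    """Return (summary counts, {section: [(object, detection name, action), ...]})."""
    summary, detections, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            current = None                      # a blank line closes a detail section
        elif m := SUMMARY_RE.match(line):
            summary[m.group(1)] = int(m.group(2))
        elif m := HEADER_RE.match(line):
            current = m.group(1)
            detections[current] = []
        elif current and not line.startswith("(No malicious"):
            m = ITEM_RE.match(line)
            if m:
                detections[current].append(m.groups())
    return summary, detections

def check_log(text):
    """Cross-check summary counts against detail lines and list items MBAM did not remove."""
    summary, detections = parse_mbam_log(text)
    mismatches = [s for s, n in summary.items() if n != len(detections.get(s, []))]
    unresolved = [obj for items in detections.values()
                  for obj, _name, action in items if "successfully" not in action]
    names = Counter(name for items in detections.values() for _obj, name, _act in items)
    return {"mismatches": mismatches, "unresolved": unresolved, "names": names}
```

A non-empty `unresolved` list is the signal to rerun the scan after the reboot MBAM asks for, since those entries are still on disk or in the registry.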

Re: Got TrojanWin32:FakeSpyPro Trojan:win32/BHO.Bo TrojanDownlaoder:Win32/Monkif.o

Post by Belahzur on 15th January 2010, 12:19 am

Hello.

Go to Start > Control Panel > Add/Remove Programs and remove the following programs.

    Java(TM) 6 Update 14
    J2SE Runtime Environment 5.0
    J2SE Runtime Environment 5.0 Update 17

Please run OTL.exe.

  • Copy the commands with file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy).


    :OTL
    O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    [2010/01/13 14:07:17 | 00,000,132 | ---- | M] () -- C:\WINDOWS\System32\rezumatenoi.dat


  • Return to OTL, right click in the "Custom Scans/Fixes" window (under the light green bar) and choose Paste.

  • Click the red Run Fix button.
  • A fix log in Notepad will appear. Copy the contents of the fix log to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTL.exe
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.


Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator

Posts : 34916
Joined : 2008-08-03
Gender : Male
OS : XP SP3 Media Centre
Points : 245079
# Likes : 1

Re: Got TrojanWin32:FakeSpyPro Trojan:win32/BHO.Bo TrojanDownlaoder:Win32/Monkif.o

Post by yvonneschaffer on 15th January 2010, 12:56 am

Removed the java, but also I updated to newest version and also updated Adobe Reader. Hope that's not a problem.
Ran OTL here are the results:

========== OTL ==========
Registry key HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel\ deleted successfully.
C:\WINDOWS\system32\rezumatenoi.dat moved successfully.

OTL by OldTimer - Version 3.1.24.0 log created on 01142010_165137
Thanks again,


Re: Got TrojanWin32:FakeSpyPro Trojan:win32/BHO.Bo TrojanDownlaoder:Win32/Monkif.o

Post by Belahzur on 15th January 2010, 12:58 am

To remove all of the tools we used and the files and folders they created do the following:
Double click OTL.exe.

  • Click the CleanUp! button.
  • Select Yes when the "Begin cleanup Process?" prompt appears.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes.

How is the machine running now?





Re: Got TrojanWin32:FakeSpyPro Trojan:win32/BHO.Bo TrojanDownlaoder:Win32/Monkif.o

Post by yvonneschaffer on 15th January 2010, 1:20 am

It seems ok, downloads are working now. You really helped me and it looks like it's working. Do I need to do anything else?
I was wondering if you could advise if Windows Defender and Security Essentials are good enough. And should I buy MBAM? I have Norton Internet Security 2010 that I bought before my son-in-law got his problem, but I didn't install it since their web site didn't know about the trojans he had. Let me know what I need to do next. Once again, you solved the problem and quickly. Thank You! Hooray! You guys really do a great job.
Yvonne


Re: Got TrojanWin32:FakeSpyPro Trojan:win32/BHO.Bo TrojanDownlaoder:Win32/Monkif.o

Post by Belahzur on 15th January 2010, 7:33 pm

This should be fine now if no problems remain.






Re: Got TrojanWin32:FakeSpyPro Trojan:win32/BHO.Bo TrojanDownlaoder:Win32/Monkif.o

Post by yvonneschaffer on 15th January 2010, 9:01 pm

Hi!
Yes, it seems fine now. Just wondering if you could answer my question about AntiVirus and MBAM. I trust your opinion more than other forums. Once again, you guys are great!!!
You can mark this as solved.
Thanks,
Yvonne Hooray!


Re: Got TrojanWin32:FakeSpyPro Trojan:win32/BHO.Bo TrojanDownlaoder:Win32/Monkif.o

Post by Belahzur on 16th January 2010, 12:03 am

If you have Security Essentials installed, don't install Norton, because having 2 antivirus programs running at the same time can be dangerous.
MBAM goes well with anything in general as it's an antispyware and not an antivirus.




