Vicious Malware Attack! Ahhhh!

View previous topic View next topic Go down

Vicious Malware Attack! Ahhhh!

Post by Ongie on 4th April 2010, 10:33 pm

Dear GeekPolice,

Thank you for the wonderful service you provide, first off. I have referred to your forums many times in the past to resolve my computing issues.

Unfortunately, my father recently contracted some nasty unknown malware. First, there were pop-ups in Internet Explorer, which froze his system. He then powered down the computer and restarted it to find that it could not reboot into windows (XP, home, service pack 2) normally. It will boot in safe mode (with networking), but it cannot connect to the internet.

There are other wrenches in the gears... I tried to install Malwarebytes via a thumb drive, only to find that upon installation, the .exe file had been deleted! The same goes for Avast. I run the install from the thumb drive, but the .exe files are missing.

I then installed these programs on my laptop, copied the .exe files to the thumb drive, and attempted to copy and paste them into the program files to run them... but discovered that I cannot drag-and-drop or copy-paste anything from the thumb drive to the computer (even in safe mode)! I then tried burning the .exe's to a CD and the same thing happened! Arrrgh!

At that point, I was stumped. I have never manually-deleted malware; I have always relied on MalwareBytes. This is beyond my very limited skill.

System restore is disabled. He doesn't have his original XP disc, either. Help me, Obi-Wan Kenobi... you're my only hope.

I just ran HijackThis, and the log is posted below... Thank you all for your expertise! This is my last-ditch effort at beating this vile thing!


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:15:33 PM, on 4/2/2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16981)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\SUPERAntiSpyware\02b66a70-0841-4475-a965-6623c1d33f00.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = [You must be registered and logged in to see this link.]
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.5.4723.1820\swg.dll
O2 - BHO: (no name) - {be9ad57d-d6bb-498b-a6c5-7655bbf90b12} - zewunuda.dll (file missing)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [iRiver Updater] C:\Program Files\iRiver\iRiver Manager\Updater\Updater.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Star Wars - Jedi Knight - Jedi Academy no cd crack] C:\Documents and Settings\Jared Ongie\Shared\Star Wars - Jedi Knight - Jedi Academy no cd crack.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Lexmark 1200 Series] "C:\Program Files\Lexmark 1200 Series\lxczbmgr.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [H2O] C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe
O4 - HKLM\..\Run: [SnoopFreeUI] SnoopFreeUI.exe
O4 - HKLM\..\Run: [EKIJ5000StatusMonitor] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
O4 - HKLM\..\Run: [ewrgetuj] C:\DOCUME~1\RANDYO~1\LOCALS~1\Temp\geurge.exe
O4 - HKLM\..\Run: [rotesezefa] Rundll32.exe "javukori.dll",s
O4 - HKLM\..\Run: [suhaderus] Rundll32.exe "c:\windows\system32\yelenini.dll",a
O4 - HKLM\..\Run: [avast5] C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe /nogui
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware (registration)] regsvr32.exe /s "C:\Program Files\Malwarebytes' Anti-Malware\mbamext.dll"
O4 - HKLM\..\RunOnce: [InnoSetupRegFile.0000000001] "C:\WINDOWS\is-MJKGF.exe" /REG
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\DTLite.exe" -autorun
O4 - HKCU\..\Run: [autofmtxp.exe] C:\DOCUME~1\RANDYO~1\LOCALS~1\Temp\autofmtxp.exe
O4 - HKUS\S-1-5-21-3065531786-957709814-2953528700-1006\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background (User '?')
O4 - HKUS\S-1-5-21-3065531786-957709814-2953528700-1006\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')
O4 - HKUS\S-1-5-21-3065531786-957709814-2953528700-1006\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" (User '?')
O4 - HKUS\S-1-5-21-3065531786-957709814-2953528700-1006\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe (User '?')
O4 - HKUS\S-1-5-21-3065531786-957709814-2953528700-1006\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe (User '?')
O4 - HKUS\S-1-5-21-3065531786-957709814-2953528700-1006\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized (User '?')
O4 - HKUS\S-1-5-21-3065531786-957709814-2953528700-1006\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\DTLite.exe" -autorun (User '?')
O4 - HKUS\S-1-5-21-3065531786-957709814-2953528700-1006\..\Run: [autofmtxp.exe] C:\DOCUME~1\RANDYO~1\LOCALS~1\Temp\autofmtxp.exe (User '?')
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "c:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User '?')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "c:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: NETGEAR WG111v2 Smart Wizard.lnk = ?
O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\SYSTEM32\WTablet\TabUserW.exe
O8 - Extra context menu item: Google Sidewiki... - [You must be registered and logged in to see this link.] Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {85D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin class) - [You must be registered and logged in to see this link.]
O16 - DPF: {9732FB42-C321-11D1-836F-00A0C993F125} (mhLabel Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {B49C4597-8721-4789-9250-315DFBD9F525} (IWinAmpActiveX Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - [You must be registered and logged in to see this link.]
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: ralutelu.dll c:\windows\system32\yelenini.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O21 - SSODL: vomodivap - {bbcb1b49-7e26-42bb-b343-5cbfcf3cccc5} - c:\windows\system32\yelenini.dll
O22 - SharedTaskScheduler: jugezatag - {bbcb1b49-7e26-42bb-b343-5cbfcf3cccc5} - c:\windows\system32\yelenini.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Download Manager Lite Service (DownloadManagerLite) - NetCableTV - C:\PROGRA~1\NCTV\bin\dm.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: Snoop Free Service (SnoopFreeSvc) - Unknown owner - C:\WINDOWS\System32\SnoopFreeSvc.exe
O23 - Service: StarOpen - Sonic Solutions - (no file)
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe

--
End of file - 13054 bytes

Ongie
Novice
Novice

Posts Posts : 9
Joined Joined : 2010-04-04
OS OS : Windows XP (Service Pack 2)
Points Points : 24523
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Vicious Malware Attack! Ahhhh!

Post by Belahzur on 5th April 2010, 12:11 am

Hello.

  • Open HijackThis
  • Choose "Do a system scan only"
  • Check the boxes in front of these lines:


    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555
    O2 - BHO: (no name) - {be9ad57d-d6bb-498b-a6c5-7655bbf90b12} - zewunuda.dll (file missing)
    O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
    O4 - HKLM\..\Run: [ewrgetuj] C:\DOCUME~1\RANDYO~1\LOCALS~1\Temp\geurge.exe
    O4 - HKLM\..\Run: [rotesezefa] Rundll32.exe "javukori.dll",s
    O4 - HKLM\..\Run: [suhaderus] Rundll32.exe "c:\windows\system32\yelenini.dll",a
    O4 - HKLM\..\RunOnce: [InnoSetupRegFile.0000000001] "C:\WINDOWS\is-MJKGF.exe" /REG
    O4 - HKCU\..\Run: [autofmtxp.exe] C:\DOCUME~1\RANDYO~1\LOCALS~1\Temp\autofmtxp.exe
    O4 - HKUS\S-1-5-21-3065531786-957709814-2953528700-1006\..\Run: [autofmtxp.exe] C:\DOCUME~1\RANDYO~1\LOCALS~1\Temp\autofmtxp.exe (User '?')
    O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
    O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
    O20 - AppInit_DLLs: ralutelu.dll c:\windows\system32\yelenini.dll
    O21 - SSODL: vomodivap - {bbcb1b49-7e26-42bb-b343-5cbfcf3cccc5} - c:\windows\system32\yelenini.dll
    O22 - SharedTaskScheduler: jugezatag - {bbcb1b49-7e26-42bb-b343-5cbfcf3cccc5} - c:\windows\system32\yelenini.dll


  • Press "Fix Checked"
  • Close Hijack This.

Remove the Proxy setting in Internet Explorer and/or in FireFox.

    In Internet Explorer
  1. Tools Menu -> Internet Options -> Connections Tab ->Lan Settings > uncheck "use a proxy server" or reconfigure the Proxy server again in case you have set it previously.

    In Firefox
  1. Tools Menu -> Options... -> Advanced Tab -> Network Tab -> "Settings" under Connection > Choose "No Proxy"
  2. Click the apply button and restart that computer in normal mode.

Please download and run this tool.

Download Malwarebytes' Anti-Malware from [You must be registered and logged in to see this link.]

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.


Post the contents of the MBAM Log.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34918
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : 7 Home Premium x64
Points Points : 245091
# Likes # Likes : 1

View user profile

Back to top Go down

Re: Vicious Malware Attack! Ahhhh!

Post by Ongie on 5th April 2010, 1:10 am

Thank you for the incredibly rapid response, Belahzur!

However, attack continues to dig its claws into this system even further...

I followed each instruction to the letter...

I ran HiJackThis, clicked 'fix checked' next to each of the items listed, then closed the program. However, I opened firefox to find that the settings are already set to "No Proxy". Still, it will not connect to the internet.

I tried Internet Explorer as well, but clicking on internet explorer only brings up a window that flashes quickly and then disappears. Errrrgh!

After that, I went back and ran another scan in HijackThis out of curiosity, and found that many of the files I had just checked and "fixed" were still found (mostly the ones ending in "yelenini.dll" and "zewunuda.dll".

This attack seems intricate and complicated. My entire system32 folder (where yelenini.dll is supposedly located) is missing. I am beginning to lose hope. :sad:

So, I still cannot run MalwareBytes because the .exe file is instantly deleted once I install it from a thumb-drive, and I cannot copy-paste or drag-and-drop a copy of the file onto the system.

I have considered a system restore... but each time I attempt a restore a dialog box pops up saying, "System Restore is unable to protect your computer". At this point, I am willing to do anything to just get the system functional again. If only my dad had kept his XP disc.

If you have any other suggestions, I am open to them. I am in full hail-mary mode.

Either way, thank you for taking the time to offer your help, good sir.

Ongie
Novice
Novice

Posts Posts : 9
Joined Joined : 2010-04-04
OS OS : Windows XP (Service Pack 2)
Points Points : 24523
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Vicious Malware Attack! Ahhhh!

Post by Belahzur on 5th April 2010, 1:10 am

Hello.

Download [You must be registered and logged in to see this link.] by OldTimer to your Desktop.

  • Close all windows and double click OTL.exe
  • Click Run Scan and let the program run uninterrupted
  • It will produce two logs for you, one will pop up - OTL.txt, the other will be saved on your Desktop - Extras.txt. Post both logs in this thread.
  • You may need to use two posts to get it all.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34918
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : 7 Home Premium x64
Points Points : 245091
# Likes # Likes : 1

View user profile

Back to top Go down

Re: Vicious Malware Attack! Ahhhh!

Post by Ongie on 5th April 2010, 1:25 am

Hello again, sir!

Here are the logs. First, OTL.txt...

OTL logfile created on: 4/4/2010 8:15:54 PM - Run 1
OTL by OldTimer - Version 3.2.1.0 Folder = F:\
Windows XP Home Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.11)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

758.00 Mb Total Physical Memory | 602.00 Mb Available Physical Memory | 79.00% Memory free
1.00 Gb Paging File | 1.00 Gb Available in Paging File | 94.00% Paging File free
Paging file location(s): C:\pagefile.sys 756 1512 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 71.03 Gb Total Space | 11.71 Gb Free Space | 16.49% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
Drive F: | 1.97 Gb Total Space | 1.95 Gb Free Space | 98.95% Space Free | Partition Type: FAT
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: D3NBM771
Current User Name: Randy Ongie
Logged in as Administrator.

Current Boot Mode: SafeMode with Networking
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/04/04 20:14:02 | 000,561,664 | ---- | M] (OldTimer Tools) -- F:\OTL.exe
PRC - [2007/06/13 05:23:07 | 001,033,216 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe


========== Modules (SafeList) ==========

MOD - [2099/01/01 12:00:00 | 000,095,744 | -HS- | M] () -- C:\WINDOWS\SYSTEM32\yelenini.dll
MOD - [2010/04/04 20:14:02 | 000,561,664 | ---- | M] (OldTimer Tools) -- F:\OTL.exe
MOD - [2006/08/25 10:45:55 | 001,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03\comctl32.dll


========== Win32 Services (SafeList) ==========

SRV - [2010/03/09 05:24:08 | 000,040,384 | ---- | M] (ALWIL Software) [On_Demand | Stopped] -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe -- (avast! Web Scanner)
SRV - [2010/03/09 05:24:08 | 000,040,384 | ---- | M] (ALWIL Software) [On_Demand | Stopped] -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe -- (avast! Mail Scanner)
SRV - [2010/03/09 05:24:08 | 000,040,384 | ---- | M] (ALWIL Software) [Auto | Stopped] -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe -- (avast! Antivirus)
SRV - [2009/09/15 21:29:23 | 000,908,056 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Stopped] -- C:\Program Files\AVG\AVG8\avgemc.exe -- (avg8emc)
SRV - [2009/09/15 21:29:21 | 000,297,752 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Stopped] -- C:\Program Files\AVG\AVG8\avgwdsvc.exe -- (avg8wd)
SRV - [2009/02/20 16:42:14 | 000,090,112 | ---- | M] () [Auto | Stopped] -- C:\WINDOWS\SYSTEM32\SnoopFreeSvc.exe -- (SnoopFreeSvc)
SRV - [2008/09/22 14:55:40 | 000,654,848 | ---- | M] (Macrovision Europe Ltd.) [On_Demand | Stopped] -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service)
SRV - [2006/11/03 18:19:58 | 000,013,592 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Program Files\Windows Defender\MsMpEng.exe -- (WinDefend)
SRV - [2005/06/17 15:00:46 | 000,749,568 | ---- | M] (Wacom Technology, Corp.) [Auto | Stopped] -- C:\WINDOWS\SYSTEM32\Tablet.exe -- (TabletService)
SRV - [2002/12/17 17:26:22 | 007,520,337 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlservr.exe -- (MSSQL$SONY_MEDIAMGR)
SRV - [2002/12/17 17:23:30 | 000,311,872 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlagent.EXE -- (SQLAgent$SONY_MEDIAMGR)


========== Driver Services (SafeList) ==========

DRV - [2010/03/09 05:12:54 | 000,046,672 | ---- | M] (ALWIL Software) [Kernel | System | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\aswTdi.sys -- (aswTdi)
DRV - [2010/03/09 05:12:33 | 000,162,640 | ---- | M] (ALWIL Software) [Kernel | System | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\aswSP.sys -- (aswSP)
DRV - [2010/03/09 05:09:08 | 000,023,376 | ---- | M] (ALWIL Software) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\aswRdr.sys -- (aswRdr)
DRV - [2010/03/09 05:08:41 | 000,100,432 | ---- | M] (ALWIL Software) [File_System | Auto | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\aswmon2.sys -- (aswMon2)
DRV - [2010/03/09 05:08:30 | 000,019,024 | ---- | M] (ALWIL Software) [File_System | Auto | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\aswFsBlk.sys -- (aswFsBlk)
DRV - [2010/03/09 05:08:15 | 000,028,880 | ---- | M] (ALWIL Software) [Kernel | System | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\aavmker4.sys -- (Aavmker4)
DRV - [2010/03/05 14:49:07 | 000,691,696 | ---- | M] (Duplex Secure Ltd.) [Kernel | Boot | Stopped] -- C:\WINDOWS\System32\Drivers\sptd.sys -- (sptd)
DRV - [2009/09/15 21:30:17 | 000,108,552 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Running] -- C:\WINDOWS\System32\Drivers\avgtdix.sys -- (AvgTdiX)
DRV - [2009/09/15 21:30:16 | 000,335,240 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Stopped] -- C:\WINDOWS\System32\Drivers\avgldx86.sys -- (AvgLdx86)
DRV - [2009/09/15 21:30:15 | 000,027,784 | ---- | M] (AVG Technologies CZ, s.r.o.) [File_System | System | Stopped] -- C:\WINDOWS\System32\Drivers\avgmfx86.sys -- (AvgMfx86)
DRV - [2009/02/20 16:42:14 | 000,009,472 | ---- | M] () [Kernel | Boot | Running] -- C:\WINDOWS\System32\Drivers\SnopFree.sys -- (SnoopFree)
DRV - [2009/02/17 11:43:30 | 000,007,408 | R--- | M] ( SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | On_Demand | Stopped] -- C:\Program Files\SUPERAntiSpyware\SASENUM.SYS -- (SASENUM)
DRV - [2009/02/17 11:43:28 | 000,055,024 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Stopped] -- C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS -- (SASKUTIL)
DRV - [2009/02/17 11:43:28 | 000,008,944 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Stopped] -- C:\Program Files\SUPERAntiSpyware\sasdifsv.sys -- (SASDIFSV)
DRV - [2008/11/02 03:44:10 | 000,056,572 | ---- | M] (PowerISO Computing, Inc.) [Kernel | System | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\scdemu.sys -- (SCDEmu)
DRV - [2007/02/06 22:22:24 | 000,194,304 | ---- | M] (NETGEAR Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\wg111v2.sys -- (RTLWUSB)
DRV - [2006/10/06 15:49:00 | 000,044,224 | R--- | M] (BVRP Software) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\BVRPMPR5.SYS -- (BVRPMPR5)
DRV - [2006/07/10 08:45:28 | 000,002,368 | ---- | M] (AntiCracking) [Kernel | Auto | Stopped] -- C:\WINDOWS\SYSTEM32\SVKP.sys -- (SVKP)
DRV - [2005/11/02 15:47:26 | 000,010,368 | R--- | M] (Padus, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\pfc.sys -- (pfc)
DRV - [2005/05/09 20:08:40 | 000,033,792 | ---- | M] (Team H2O) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\cledx.sys -- (CLEDX)
DRV - [2004/12/06 01:05:00 | 000,100,603 | ---- | M] (Sonic Solutions) [File_System | Auto | Stopped] -- C:\WINDOWS\SYSTEM32\dla\tfsnudfa.sys -- (tfsnudfa)
DRV - [2004/12/06 01:05:00 | 000,098,714 | ---- | M] (Sonic Solutions) [File_System | Auto | Stopped] -- C:\WINDOWS\SYSTEM32\dla\tfsnudf.sys -- (tfsnudf)
DRV - [2004/12/06 01:05:00 | 000,086,586 | ---- | M] (Sonic Solutions) [File_System | Auto | Stopped] -- C:\WINDOWS\SYSTEM32\dla\tfsnifs.sys -- (tfsnifs)
DRV - [2004/12/06 01:05:00 | 000,034,843 | ---- | M] (Sonic Solutions) [File_System | Auto | Stopped] -- C:\WINDOWS\SYSTEM32\dla\tfsncofs.sys -- (tfsncofs)
DRV - [2004/12/06 01:05:00 | 000,025,883 | ---- | M] (Sonic Solutions) [File_System | Auto | Stopped] -- C:\WINDOWS\SYSTEM32\dla\tfsnboio.sys -- (tfsnboio)
DRV - [2004/12/06 01:05:00 | 000,015,227 | ---- | M] (Sonic Solutions) [File_System | Auto | Stopped] -- C:\WINDOWS\SYSTEM32\dla\tfsnopio.sys -- (tfsnopio)
DRV - [2004/12/06 01:05:00 | 000,006,363 | ---- | M] (Sonic Solutions) [File_System | Auto | Stopped] -- C:\WINDOWS\SYSTEM32\dla\tfsnpool.sys -- (tfsnpool)
DRV - [2004/12/06 01:05:00 | 000,004,123 | ---- | M] (Sonic Solutions) [File_System | Auto | Stopped] -- C:\WINDOWS\SYSTEM32\dla\tfsndrct.sys -- (tfsndrct)
DRV - [2004/12/06 01:05:00 | 000,002,239 | ---- | M] (Sonic Solutions) [File_System | Auto | Stopped] -- C:\WINDOWS\SYSTEM32\dla\tfsndres.sys -- (tfsndres)
DRV - [2004/12/01 03:22:00 | 000,087,488 | ---- | M] (Sonic Solutions) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\drvmcdb.sys -- (drvmcdb)
DRV - [2004/11/23 02:56:00 | 000,040,480 | ---- | M] (Sonic Solutions) [File_System | Auto | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\drvnddm.sys -- (drvnddm)
DRV - [2004/08/03 23:07:44 | 000,043,008 | ---- | M] (Advanced Micro Devices, Inc.) [Kernel | Boot | Stopped] -- C:\WINDOWS\system32\DRIVERS\amdagp.sys -- (amdagp)
DRV - [2004/08/03 23:07:44 | 000,041,088 | ---- | M] (Silicon Integrated Systems Corporation) [Kernel | Boot | Stopped] -- C:\WINDOWS\system32\DRIVERS\sisagp.sys -- (sisagp)
DRV - [2004/08/03 22:29:56 | 001,897,408 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\NV4_MINI.SYS -- (nv)
DRV - [2004/08/03 21:31:34 | 000,020,992 | ---- | M] (Realtek Semiconductor Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\RTL8139.sys -- (rtl8139) Realtek RTL8139(A/B/C)
DRV - [2004/07/14 11:29:04 | 000,005,627 | ---- | M] (Sonic Solutions) [File_System | System | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\sscdbhk5.sys -- (sscdbhk5)
DRV - [2004/07/14 11:28:50 | 000,023,545 | ---- | M] (Sonic Solutions) [File_System | System | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\ssrtln.sys -- (ssrtln)
DRV - [2004/03/29 16:28:24 | 000,014,531 | ---- | M] (iRiver, Inc.) [Kernel | Boot | Stopped] -- C:\WINDOWS\system32\drivers\ifp800.sys -- (IFP800)
DRV - [2004/03/25 19:37:08 | 000,052,384 | ---- | M] (MCCI) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\slabbus.sys -- (slabbus) CP2101 USB Composite Device driver (WDM)
DRV - [2004/03/25 19:36:48 | 000,084,512 | ---- | M] (MCCI) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\slabser.sys -- (slabser)
DRV - [2003/11/17 15:59:20 | 000,212,224 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\HSFHWBS2.sys -- (HSFHWBS2)
DRV - [2003/11/17 15:58:02 | 000,680,704 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\HSF_CNXT.sys -- (winachsf)
DRV - [2003/11/17 15:56:26 | 001,042,432 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\HSF_DP.sys -- (HSF_DP)
DRV - [2002/11/08 13:45:06 | 000,017,217 | ---- | M] (Dell Computer Corporation) [Kernel | System | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\omci.sys -- (omci)
DRV - [2001/09/20 10:47:38 | 000,025,184 | ---- | M] (Zoran Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\nuvaud2.sys -- (nuvaud2)
DRV - [2001/08/17 14:07:44 | 000,019,072 | ---- | M] (Adaptec, Inc.) [Kernel | Boot | Stopped] -- C:\WINDOWS\system32\DRIVERS\sparrow.sys -- (Sparrow)
DRV - [2001/08/17 14:07:42 | 000,030,688 | ---- | M] (LSI Logic) [Kernel | Boot | Stopped] -- C:\WINDOWS\system32\DRIVERS\sym_u3.sys -- (sym_u3)
DRV - [2001/08/17 14:07:40 | 000,028,384 | ---- | M] (LSI Logic) [Kernel | Boot | Stopped] -- C:\WINDOWS\system32\DRIVERS\sym_hi.sys -- (sym_hi)
DRV - [2001/08/17 14:07:36 | 000,032,640 | ---- | M] (LSI Logic) [Kernel | Boot | Stopped] -- C:\WINDOWS\system32\DRIVERS\symc8xx.sys -- (symc8xx)
DRV - [2001/08/17 14:07:34 | 000,016,256 | ---- | M] (Symbios Logic Inc.) [Kernel | Boot | Stopped] -- C:\WINDOWS\system32\DRIVERS\symc810.sys -- (symc810)
DRV - [2001/08/17 13:57:38 | 000,016,128 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\MODEMCSA.sys -- (MODEMCSA)
DRV - [2001/08/17 13:52:22 | 000,036,736 | ---- | M] (Promise Technology, Inc.) [Kernel | Boot | Stopped] -- C:\WINDOWS\system32\DRIVERS\ultra.sys -- (ultra)
DRV - [2001/08/17 13:52:20 | 000,045,312 | ---- | M] (QLogic Corporation) [Kernel | Boot | Stopped] -- C:\WINDOWS\system32\DRIVERS\ql12160.sys -- (ql12160)
DRV - [2001/08/17 13:52:20 | 000,040,320 | ---- | M] (QLogic Corporation) [Kernel | Boot | Stopped] -- C:\WINDOWS\system32\DRIVERS\ql1080.sys -- (ql1080)
DRV - [2001/08/17 13:52:18 | 000,049,024 | ---- | M] (QLogic Corporation) [Kernel | Boot | Stopped] -- C:\WINDOWS\system32\DRIVERS\ql1280.sys -- (ql1280)
DRV - [2001/08/17 13:52:16 | 000,179,584 | ---- | M] (Mylex Corporation) [Kernel | Boot | Stopped] -- C:\WINDOWS\system32\DRIVERS\dac2w2k.sys -- (dac2w2k)
DRV - [2001/08/17 13:52:12 | 000,017,280 | ---- | M] (American Megatrends Inc.) [Kernel | Boot | Stopped] -- C:\WINDOWS\system32\DRIVERS\mraid35x.sys -- (mraid35x)
DRV - [2001/08/17 13:52:00 | 000,026,496 | ---- | M] (Advanced System Products, Inc.) [Kernel | Boot | Stopped] -- C:\WINDOWS\system32\DRIVERS\asc.sys -- (asc)
DRV - [2001/08/17 13:51:58 | 000,014,848 | ---- | M] (Advanced System Products, Inc.) [Kernel | Boot | Stopped] -- C:\WINDOWS\system32\DRIVERS\asc3550.sys -- (asc3550)
DRV - [2001/08/17 13:51:56 | 000,005,248 | ---- | M] (Acer Laboratories Inc.) [Kernel | Boot | Stopped] -- C:\WINDOWS\system32\DRIVERS\aliide.sys -- (AliIde)
DRV - [2001/08/17 13:51:54 | 000,006,656 | ---- | M] (CMD Technology, Inc.) [Kernel | Boot | Stopped] -- C:\WINDOWS\system32\DRIVERS\cmdide.sys -- (CmdIde)
DRV - [2001/04/09 15:45:00 | 000,008,138 | ---- | M] (Wacom Technology Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\Drivers\PenClass.sys -- (PenClass)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" =

========== FireFox ==========

FF - prefs.js..extensions.enabledItems: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}:0.7.5.5
FF - prefs.js..extensions.enabledItems: {3f963a5b-e555-4543-90e2-c3908898db71}:8.5.0.429
FF - prefs.js..extensions.enabledItems: [You must be registered and logged in to see this link.]:0.6.4
FF - prefs.js..extensions.enabledItems: {b9db16a4-6edc-47ec-a1f4-b86292ed211d}:3.2
FF - prefs.js..extensions.enabledItems: [You must be registered and logged in to see this link.]:1.0.0.071101000055
FF - prefs.js..extensions.enabledItems: {B13721C7-F507-4982-B2E5-502A71474FED}:3.3.0.3971


FF - HKLM\software\mozilla\Firefox\Extensions\\{3f963a5b-e555-4543-90e2-c3908898db71}: C:\Program Files\AVG\AVG8\Firefox [2009/12/21 10:21:53 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.0.18\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/03/29 07:37:01 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.0.18\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/03/02 02:21:52 | 000,000,000 | ---D | M]

[2008/06/05 13:44:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Randy Ongie\Application Data\Mozilla\Extensions
[2010/04/04 19:28:32 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Randy Ongie\Application Data\Mozilla\Firefox\Profiles\pr0td35c.default\extensions
[2009/08/16 06:16:05 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\Randy Ongie\Application Data\Mozilla\Firefox\Profiles\pr0td35c.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2008/07/25 17:11:20 | 000,000,000 | ---D | M] (DownloadHelper) -- C:\Documents and Settings\Randy Ongie\Application Data\Mozilla\Firefox\Profiles\pr0td35c.default\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}
[2008/06/28 09:03:37 | 000,000,000 | ---D | M] (Adblock Plus) -- C:\Documents and Settings\Randy Ongie\Application Data\Mozilla\Firefox\Profiles\pr0td35c.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
[2008/07/25 17:11:19 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Randy Ongie\Application Data\Mozilla\Firefox\Profiles\pr0td35c.default\extensions\diggfirefox@mozilla.org
[2009/10/01 17:20:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Randy Ongie\Application Data\Mozilla\Firefox\Profiles\pr0td35c.default\extensions\moveplayer@movenetworks.com
[2010/04/04 19:51:04 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2004/11/12 22:36:20 | 000,005,120 | ---- | M] (Adobe Systems Incorporated) -- C:\Program Files\Mozilla Firefox\plugins\NPAdbESD.dll

O1 HOSTS File: ([2010/03/30 18:58:24 | 000,000,734 | ---- | M]) - C:\WINDOWS\SYSTEM32\DRIVERS\ETC\HOSTS
O1 - Hosts: 127.0.0.1 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (AVG Technologies CZ, s.r.o.)
O2 - BHO: (SSVHelper Class) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.5.4723.1820\swg.dll (Google Inc.)
O2 - BHO: (no name) - {be9ad57d-d6bb-498b-a6c5-7655bbf90b12} - C:\WINDOWS\System32\zewunuda.dll ()
O3 - HKLM\..\Toolbar: (Google Toolbar) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O3 - HKCU\..\Toolbar\WebBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O4 - HKLM..\Run: [] File not found
O4 - HKLM..\Run: [avast5] C:\Program Files\Alwil Software\Avast5\AvastUI.exe (ALWIL Software)
O4 - HKLM..\Run: [AVG8_TRAY] C:\Program Files\AVG\AVG8\avgtray.exe (AVG Technologies CZ, s.r.o.)
O4 - HKLM..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe ()
O4 - HKLM..\Run: [EKIJ5000StatusMonitor] C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\EKIJ5000MUI.exe (Eastman Kodak Company)
O4 - HKLM..\Run: [H2O] C:\Program Files\Syncrosoft\POS\H2O\cledx.exe (Team H2O)
O4 - HKLM..\Run: [iRiver Updater] C:\Program Files\iRiver\iRiver Manager\Updater\Updater.exe (Moodlogic)
O4 - HKLM..\Run: [Lexmark 1200 Series] C:\Program Files\Lexmark 1200 Series\lxczbmgr.exe (Lexmark International, Inc.)
O4 - HKLM..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE (PowerISO Computing, Inc.)
O4 - HKLM..\Run: [rotesezefa] C:\WINDOWS\System32\javukori.dll ()
O4 - HKLM..\Run: [RoxWatchTray] C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe (Sonic Solutions)
O4 - HKLM..\Run: [SnoopFreeUI] C:\WINDOWS\SnoopFreeUI.exe (SnoopFree Software)
O4 - HKLM..\Run: [Star Wars - Jedi Knight - Jedi Academy no cd crack] C:\Documents and Settings\Jared Ongie\Shared\Star Wars - Jedi Knight - Jedi Academy no cd crack.exe File not found
O4 - HKLM..\Run: [suhaderus] C:\WINDOWS\System32\yelenini.DLL ()
O4 - HKLM..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe (RealNetworks, Inc.)
O4 - HKLM..\Run: [UpdateManager] C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe (Sonic Solutions)
O4 - HKLM..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)
O4 - HKCU..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe (Adobe Systems Incorporated)
O4 - HKCU..\Run: [DAEMON Tools Lite] C:\Program Files\DAEMON Tools Lite\DTLite.exe (DT Soft Ltd)
O4 - HKCU..\Run: [msnmsgr] C:\Program Files\MSN Messenger\msnmsgr.exe File not found
O4 - HKCU..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe (SUPERAntiSpyware.com)
O4 - HKCU..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (Google Inc.)
O4 - HKLM..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)
O4 - HKLM..\RunOnce: [Malwarebytes' Anti-Malware (registration)] C:\Program Files\Malwarebytes' Anti-Malware\mbamext.dll (Malwarebytes Corporation)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe (America Online, Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe (BVRP Software)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\NETGEAR WG111v2 Smart Wizard.lnk = C:\Program Files\NETGEAR\WG111v2\WG111v2.exe ()
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\TabUserW.exe.lnk = C:\WINDOWS\SYSTEM32\WTablet\TabUserW.exe (Wacom Technology, Corp.)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Main present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableTaskMgr = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSaveSettings = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: NoDispBackgroundPage = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: NoDispScrSavPage = 0
O8 - Extra context menu item: Google Sidewiki... - C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll (Google Inc.)
O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll (Sun Microsystems, Inc.)
O9 - Extra Button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe (America Online, Inc.)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Computer, Inc.)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} [You must be registered and logged in to see this link.] (QuickTime Object)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} [You must be registered and logged in to see this link.] (Shockwave ActiveX Control)
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} [You must be registered and logged in to see this link.] (Reg Error: Key error.)
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} [You must be registered and logged in to see this link.] (Facebook Photo Uploader Control)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} [You must be registered and logged in to see this link.] (MUWebControl Class)
O16 - DPF: {85D1F3B2-2A21-11D7-97B9-0010DC2A6243} [You must be registered and logged in to see this link.] (SecureLogin class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} [You must be registered and logged in to see this link.] (Java Plug-in 1.6.0_03)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} [You must be registered and logged in to see this link.] (Reg Error: Key error.)
O16 - DPF: {9732FB42-C321-11D1-836F-00A0C993F125} [You must be registered and logged in to see this link.] (mhLabel Class)
O16 - DPF: {B49C4597-8721-4789-9250-315DFBD9F525} [You must be registered and logged in to see this link.] (IWinAmpActiveX Class)
O16 - DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} [You must be registered and logged in to see this link.] (Java Plug-in 1.4.2_03)
O16 - DPF: {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA} [You must be registered and logged in to see this link.] (Java Plug-in 1.5.0_04)
O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} [You must be registered and logged in to see this link.] (Java Plug-in 1.5.0_06)
O16 - DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} [You must be registered and logged in to see this link.] (Java Plug-in 1.5.0_10)
O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} [You must be registered and logged in to see this link.] (Java Plug-in 1.6.0_03)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} [You must be registered and logged in to see this link.] (Java Plug-in 1.6.0_03)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} [You must be registered and logged in to see this link.] (Shockwave Flash Object)
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} [You must be registered and logged in to see this link.] (IWinAmpActiveX Class)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll (AVG Technologies CZ, s.r.o.)
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O20 - AppInit_DLLs: (c:\windows\system32\yelenini.dll) - C:\WINDOWS\SYSTEM32\yelenini.dll ()
O20 - AppInit_DLLs: (ralutelu.dll) - File not found
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: GinaDLL - (RtlGina2.dll) - C:\WINDOWS\System32\RtlGina2.dll ()
O20 - Winlogon\Notify\!SASWinLogon: DllName - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll (SUPERAntiSpyware.com)
O20 - Winlogon\Notify\avgrsstarter: DllName - avgrsstx.dll - C:\WINDOWS\System32\avgrsstx.dll (AVG Technologies CZ, s.r.o.)
O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\WINDOWS\System32\igfxdev.dll (Intel Corporation)
O21 - SSODL: vomodivap - {bbcb1b49-7e26-42bb-b343-5cbfcf3cccc5} - C:\WINDOWS\SYSTEM32\yelenini.dll ()
O22 - SharedTaskScheduler: {bbcb1b49-7e26-42bb-b343-5cbfcf3cccc5} - jugezatag - C:\WINDOWS\SYSTEM32\yelenini.dll ()
O24 - Desktop WallPaper: C:\Documents and Settings\Randy Ongie\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Randy Ongie\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O27 - HKLM IFEO\MpCmdRun.exe: Debugger - C:\WINDOWS\system32\svchost.exe (Microsoft Corporation)
O27 - HKLM IFEO\MSASCui.exe: Debugger - C:\WINDOWS\system32\svchost.exe (Microsoft Corporation)
O27 - HKLM IFEO\MsMpEng.exe: Debugger - C:\WINDOWS\system32\svchost.exe (Microsoft Corporation)
O27 - HKLM IFEO\msseces.exe: Debugger - C:\WINDOWS\system32\svchost.exe (Microsoft Corporation)
O28 - HKLM ShellExecuteHooks: {091EB208-39DD-417D-A5DD-7E2C2D8FB9CB} - C:\Program Files\Windows Defender\MpShHook.dll (Microsoft Corporation)
O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2004/08/10 13:04:08 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{3339ee51-033e-11dc-bcb1-00038a000015}\Shell - "" = AutoRun
O33 - MountPoints2\{3339ee51-033e-11dc-bcb1-00038a000015}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{3339ee51-033e-11dc-bcb1-00038a000015}\Shell\AutoRun\command - "" = G:\LaunchU3.exe -- File not found
O33 - MountPoints2\{f56d2406-2891-11df-9542-0024b242cb6c}\Shell - "" = AutoRun
O33 - MountPoints2\{f56d2406-2891-11df-9542-0024b242cb6c}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{f56d2406-2891-11df-9542-0024b242cb6c}\Shell\AutoRun\command - "" = G:\Setup.exe -- File not found
O34 - HKLM BootExecute: (autocheck autochk /p \??\C:) - File not found
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKCU\...exe [@ = exefile] -- Reg Error: Key error. File not found

========== Files/Folders - Created Within 30 Days ==========

[2010/04/04 19:00:28 | 000,000,000 | ---D | C] -- C:\WINDOWS\pss
[2010/04/04 17:54:59 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Randy Ongie\Recent
[2010/04/04 17:53:08 | 000,000,000 | ---D | C] -- C:\Program Files\CCleaner
[2010/04/02 14:15:18 | 000,000,000 | ---D | C] -- C:\Program Files\Trend Micro
[2010/03/31 10:43:46 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Randy Ongie\Desktop\New Folder
[2010/03/31 07:21:32 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/03/31 07:21:29 | 000,020,824 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/03/30 20:42:10 | 000,162,640 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswSP.sys
[2010/03/30 20:42:10 | 000,019,024 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswFsBlk.sys
[2010/03/30 20:42:08 | 000,023,376 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswRdr.sys
[2010/03/30 20:42:06 | 000,046,672 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswTdi.sys
[2010/03/30 20:42:04 | 000,100,432 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswmon2.sys
[2010/03/30 20:42:04 | 000,094,800 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswmon.sys
[2010/03/30 20:42:03 | 000,028,880 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aavmker4.sys
[2010/03/30 20:41:23 | 000,153,184 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\aswBoot.exe
[2010/03/30 20:41:23 | 000,038,848 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\avastSS.scr
[2010/03/30 20:41:18 | 000,000,000 | ---D | C] -- C:\Program Files\Alwil Software
[2010/03/30 20:41:18 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Alwil Software
[2010/03/30 19:06:11 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Adobe
[2010/03/30 19:05:57 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Application Data\Adobe
[2010/03/30 19:05:39 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Application Data\Sun
[2010/03/30 19:04:40 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia
[2010/03/30 19:00:09 | 000,000,000 | ---D | C] -- C:\WINDOWS\_VOIDismqbdriwt
[2010/03/30 18:53:32 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Documents\EA Games
[2010/03/30 18:52:49 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Randy Ongie\Desktop\mo-sims2
[2010/03/30 18:39:16 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Randy Ongie\My Documents\EA Games
[2010/03/30 17:43:45 | 000,000,000 | ---D | C] -- C:\Program Files\EA GAMES
[2010/03/30 13:54:17 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Randy Ongie\Desktop\rld-vit3
[2010/03/28 04:30:01 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Randy Ongie\My Documents\NHL09
[2010/03/28 04:03:08 | 000,000,000 | ---D | C] -- C:\WINDOWS\LastGood
[2010/03/23 04:12:01 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Randy Ongie\My Documents\Max Payne Savegames
[2010/03/21 04:22:11 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Randy Ongie\Desktop\REST2514
[2010/03/20 01:39:58 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Randy Ongie\My Documents\GTA San Andreas User Files
[2010/03/19 16:16:13 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Randy Ongie\My Documents\Activision
[2010/03/19 16:16:13 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Randy Ongie\Application Data\Activision
[2010/03/19 13:25:04 | 000,000,000 | ---D | C] -- C:\Program Files\7-Zip
[2010/03/10 05:27:15 | 003,555,328 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\moviemk.exe
[2010/03/08 12:23:49 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Real
[2010/03/06 15:24:26 | 000,000,000 | ---D | C] -- C:\Program Files\booddanet
[2010/02/10 19:59:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Google
[2010/02/10 19:54:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Google
[2009/10/01 16:55:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\Roxio
[2009/07/23 02:00:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft
[2008/05/03 05:48:42 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Help
[2008/05/03 05:48:42 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\Help
[2008/03/09 02:02:41 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\PCHealth
[2007/12/13 20:03:02 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Apple
[2007/11/26 16:16:47 | 000,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Application Data\Microsoft
[2007/11/26 16:16:47 | 000,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Application Data\Microsoft
[2007/11/26 16:16:47 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft
[2006/11/28 03:05:40 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\Google
[2005/04/12 15:35:55 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\McAfee.com Personal Firewall
[9 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\*.tmp files -> C:\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2099/01/01 12:00:00 | 000,207,360 | -HS- | M] () -- C:\WINDOWS\System32\kemehobe.exe
[2099/01/01 12:00:00 | 000,095,744 | -HS- | M] () -- C:\WINDOWS\System32\yelenini.dll
[2099/01/01 12:00:00 | 000,000,709 | -HS- | M] () -- C:\WINDOWS\System32\wunojuti.exe
[2010/04/04 19:31:17 | 000,002,048 | --S- | M] () -- C:\WINDOWS\BOOTSTAT.DAT
[2010/04/04 19:29:50 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\Randy Ongie\NTUSER.INI
[2010/04/04 19:29:49 | 007,340,032 | ---- | M] () -- C:\Documents and Settings\Randy Ongie\NTUSER.DAT
[2010/04/04 19:03:08 | 000,000,611 | ---- | M] () -- C:\WINDOWS\WIN.INI
[2010/04/04 19:03:08 | 000,000,227 | ---- | M] () -- C:\WINDOWS\SYSTEM.INI
[2010/04/04 19:03:08 | 000,000,211 | RHS- | M] () -- C:\BOOT.INI
[2010/04/04 17:53:09 | 000,001,548 | ---- | M] () -- C:\Documents and Settings\Randy Ongie\Desktop\CCleaner.lnk
[2010/04/02 14:15:18 | 000,001,734 | ---- | M] () -- C:\Documents and Settings\Randy Ongie\Desktop\HijackThis.lnk
[2010/03/31 17:17:27 | 000,054,156 | -H-- | M] () -- C:\WINDOWS\QTFont.qfn
[2010/03/31 07:21:35 | 000,000,696 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/03/30 20:42:11 | 000,001,700 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\avast! Free Antivirus.lnk
[2010/03/30 20:42:05 | 000,002,626 | ---- | M] () -- C:\WINDOWS\System32\CONFIG.NT
[2010/03/30 19:33:56 | 000,699,904 | ---- | M] () -- C:\WINDOWS\is-MJKGF.exe
[2010/03/30 19:33:56 | 000,010,498 | ---- | M] () -- C:\WINDOWS\is-MJKGF.msg
[2010/03/30 19:33:56 | 000,000,302 | ---- | M] () -- C:\WINDOWS\is-MJKGF.lst
[2010/03/30 19:19:12 | 001,998,848 | -H-- | M] () -- C:\Documents and Settings\Randy Ongie\Local Settings\Application Data\IconCache.db
[2010/03/30 19:07:38 | 000,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2010/03/30 19:07:38 | 000,000,552 | ---- | M] () -- C:\WINDOWS\System32\d3d8caps.dat
[2010/03/30 18:52:33 | 004,707,138 | ---- | M] () -- C:\Documents and Settings\Randy Ongie\Desktop\mo-sims2.rar
[2010/03/30 18:41:40 | 000,001,740 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\The Sims 2.lnk
[2010/03/30 18:21:50 | 058,284,552 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\incavi.avm
[2010/03/30 18:11:07 | 000,000,886 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2010/03/30 13:50:22 | 001,387,344 | ---- | M] () -- C:\Documents and Settings\Randy Ongie\Desktop\rld-vit3.rar
[2010/03/30 02:10:32 | 000,000,330 | -H-- | M] () -- C:\WINDOWS\tasks\MP Scheduled Scan.job
[2010/03/30 01:11:07 | 000,000,882 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2010/03/29 15:24:58 | 000,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/03/29 15:24:46 | 000,020,824 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/03/28 01:05:02 | 000,012,916 | ---- | M] () -- C:\WINDOWS\System32\tablet.dat
[2010/03/28 01:04:58 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/03/28 01:01:13 | 000,005,120 | ---- | M] () -- C:\Documents and Settings\Randy Ongie\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/03/26 18:30:00 | 000,000,362 | ---- | M] () -- C:\WINDOWS\tasks\McAfee.com Scan for Viruses - My Computer (D3NBM771-Jared Ongie).job
[2010/03/26 18:30:00 | 000,000,362 | ---- | M] () -- C:\WINDOWS\tasks\McAfee.com Scan for Viruses - My Computer (1) (D3NBM771-Jared Ongie).job
[2010/03/25 20:03:04 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2010/03/23 01:54:33 | 000,000,886 | ---- | M] () -- C:\Documents and Settings\Randy Ongie\Desktop\movielist.rtf
[2010/03/22 21:13:31 | 000,000,160 | ---- | M] () -- C:\Documents and Settings\Randy Ongie\Desktop\bestsolitairetime.rtf
[2010/03/21 01:19:18 | 000,000,038 | ---- | M] () -- C:\WINDOWS\popcinfot.dat
[2010/03/14 04:01:08 | 000,460,296 | ---- | M] () -- C:\WINDOWS\System32\PERFH009.DAT
[2010/03/14 04:01:07 | 000,079,416 | ---- | M] () -- C:\WINDOWS\System32\PERFC009.DAT
[2010/03/14 04:01:05 | 000,550,290 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2010/03/09 05:24:23 | 000,038,848 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\avastSS.scr
[2010/03/09 05:24:05 | 000,153,184 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\aswBoot.exe
[2010/03/09 05:12:54 | 000,046,672 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswTdi.sys
[2010/03/09 05:12:33 | 000,162,640 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswSP.sys
[2010/03/09 05:09:08 | 000,023,376 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswRdr.sys
[2010/03/09 05:08:41 | 000,100,432 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswmon2.sys
[2010/03/09 05:08:38 | 000,094,800 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswmon.sys
[2010/03/09 05:08:30 | 000,019,024 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswFsBlk.sys
[2010/03/09 05:08:15 | 000,028,880 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aavmker4.sys
[9 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\*.tmp files -> C:\*.tmp -> ]

========== Files Created - No Company Name ==========

[2099/01/01 12:00:00 | 000,207,360 | -HS- | C] () -- C:\WINDOWS\System32\kemehobe.exe
[2099/01/01 12:00:00 | 000,095,744 | -HS- | C] () -- C:\WINDOWS\System32\yelenini.dll
[2099/01/01 12:00:00 | 000,000,709 | -HS- | C] () -- C:\WINDOWS\System32\wunojuti.exe
[2010/04/04 17:53:09 | 000,001,548 | ---- | C] () -- C:\Documents and Settings\Randy Ongie\Desktop\CCleaner.lnk
[2010/04/02 14:15:18 | 000,001,734 | ---- | C] () -- C:\Documents and Settings\Randy Ongie\Desktop\HijackThis.lnk
[2010/03/31 07:21:35 | 000,000,696 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/03/30 20:42:11 | 000,001,700 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\avast! Free Antivirus.lnk
[2010/03/30 19:33:56 | 000,699,904 | ---- | C] () -- C:\WINDOWS\is-MJKGF.exe
[2010/03/30 19:33:56 | 000,010,498 | ---- | C] () -- C:\WINDOWS\is-MJKGF.msg
[2010/03/30 19:33:56 | 000,000,302 | ---- | C] () -- C:\WINDOWS\is-MJKGF.lst
[2010/03/30 19:07:38 | 000,000,552 | ---- | C] () -- C:\WINDOWS\System32\d3d8caps.dat
[2010/03/30 19:07:37 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2010/03/30 18:52:28 | 004,707,138 | ---- | C] () -- C:\Documents and Settings\Randy Ongie\Desktop\mo-sims2.rar
[2010/03/30 18:41:40 | 000,001,740 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\The Sims 2.lnk
[2010/03/30 13:50:12 | 001,387,344 | ---- | C] () -- C:\Documents and Settings\Randy Ongie\Desktop\rld-vit3.rar
[2010/03/21 03:00:19 | 000,000,160 | ---- | C] () -- C:\Documents and Settings\Randy Ongie\Desktop\bestsolitairetime.rtf
[2010/03/20 05:40:15 | 000,000,038 | ---- | C] () -- C:\WINDOWS\popcinfot.dat
[2010/03/02 18:06:53 | 000,021,840 | ---- | C] () -- C:\WINDOWS\System32\SIntfNT.dll
[2010/03/02 18:06:52 | 000,017,212 | ---- | C] () -- C:\WINDOWS\System32\SIntf32.dll
[2010/03/02 18:06:52 | 000,012,067 | ---- | C] () -- C:\WINDOWS\System32\SIntf16.dll
[2010/03/01 18:47:06 | 000,013,506 | -HS- | C] () -- C:\Documents and Settings\Randy Ongie\Local Settings\Application Data\MYhtd
[2010/02/25 17:50:12 | 000,011,502 | -HS- | C] () -- C:\Documents and Settings\Randy Ongie\Local Settings\Application Data\BnDHfux
[2010/02/18 02:58:59 | 000,012,600 | -HS- | C] () -- C:\Documents and Settings\Randy Ongie\Local Settings\Application Data\N46ig
[2009/11/12 14:35:07 | 000,966,765 | ---- | C] () -- C:\WINDOWS\System32\acAuth.dll
[2009/11/12 14:35:07 | 000,356,352 | ---- | C] () -- C:\WINDOWS\System32\SCMLib.dll
[2009/11/12 14:35:07 | 000,036,864 | ---- | C] () -- C:\WINDOWS\System32\RtlGina2.dll
[2009/10/21 02:26:24 | 000,000,063 | ---- | C] () -- C:\Documents and Settings\Randy Ongie\jagex_runescape_preferences2.dat
[2009/10/21 02:25:26 | 000,000,038 | ---- | C] () -- C:\Documents and Settings\Randy Ongie\jagex_runescape_preferences.dat
[2009/10/03 01:04:06 | 000,000,031 | ---- | C] () -- C:\WINDOWS\System32\wfwindowp32.dll
[2009/02/20 16:42:14 | 000,045,056 | ---- | C] () -- C:\WINDOWS\SnoopFreeDll.dll
[2009/02/20 16:42:14 | 000,009,472 | ---- | C] () -- C:\WINDOWS\System32\drivers\SnopFree.sys
[2009/01/02 08:41:11 | 000,043,520 | ---- | C] () -- C:\WINDOWS\System32\CmdLineExt03.dll
[2008/07/16 14:35:39 | 000,000,036 | ---- | C] () -- C:\WINDOWS\webica.ini
[2007/12/06 06:53:17 | 000,005,120 | ---- | C] () -- C:\Documents and Settings\Randy Ongie\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2007/02/23 10:08:47 | 000,765,952 | ---- | C] () -- C:\WINDOWS\System32\xvidcore.dll
[2007/02/23 10:08:47 | 000,180,224 | ---- | C] () -- C:\WINDOWS\System32\xvidvfw.dll
[2007/02/23 10:08:45 | 000,085,504 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll
[2007/02/23 10:08:45 | 000,000,547 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll.manifest
[2006/12/15 12:24:30 | 000,061,678 | ---- | C] () -- C:\Documents and Settings\Randy Ongie\Application Data\PFP120JPR.{PB
[2006/12/15 12:24:30 | 000,012,358 | ---- | C] () -- C:\Documents and Settings\Randy Ongie\Application Data\PFP120JCM.{PB
[2006/10/10 15:23:37 | 000,015,744 | ---- | C] () -- C:\WINDOWS\System32\Wintab.dll
[2006/07/09 12:59:56 | 000,000,754 | ---- | C] () -- C:\WINDOWS\WORDPAD.INI
[2006/05/30 21:21:07 | 000,000,100 | ---- | C] () -- C:\WINDOWS\dellstat.ini
[2006/05/30 21:18:16 | 000,000,451 | ---- | C] () -- C:\WINDOWS\lexstat.ini
[2006/05/30 21:17:41 | 000,040,960 | ---- | C] () -- C:\WINDOWS\System32\lxczvs.dll
[2006/05/30 21:16:58 | 000,000,270 | ---- | C] () -- C:\WINDOWS\System32\lxczcoin.ini
[2006/01/26 18:20:41 | 000,000,099 | ---- | C] () -- C:\WINDOWS\Quicken.ini
[2006/01/13 06:00:12 | 000,000,025 | -H-- | C] () -- C:\Documents and Settings\All Users\Application Data\.119889580931711767808769176
[2006/01/13 05:57:39 | 000,000,021 | -H-- | C] () -- C:\Documents and Settings\All Users\Application Data\.311018984119889580931149468956
[2006/01/03 21:20:45 | 000,000,028 | ---- | C] () -- C:\WINDOWS\atid.ini
[2005/10/15 23:38:31 | 000,000,777 | ---- | C] () -- C:\WINDOWS\System32\trial_setup.ini
[2005/10/07 00:44:58 | 000,000,044 | ---- | C] () -- C:\WINDOWS\liveup.ini
[2005/09/11 06:47:39 | 000,003,751 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache
[2005/08/21 23:36:21 | 000,001,066 | ---- | C] () -- C:\WINDOWS\cdPlayer.ini
[2005/08/10 20:06:21 | 000,000,134 | ---- | C] () -- C:\Documents and Settings\Randy Ongie\Local Settings\Application Data\fusioncache.dat
[2005/08/08 03:36:54 | 000,012,288 | ---- | C] () -- C:\WINDOWS\impborl.dll
[2005/04/27 23:22:38 | 003,596,288 | ---- | C] () -- C:\WINDOWS\System32\qt-dx331.dll
[2005/04/27 23:22:34 | 000,159,744 | ---- | C] () -- C:\WINDOWS\System32\ssleay32.dll
[2005/04/14 11:27:28 | 007,340,032 | ---- | C] () -- C:\Documents and Settings\Randy Ongie\NTUSER.DAT
[2005/04/14 11:27:28 | 000,483,328 | -H-- | C] () -- C:\Documents and Settings\Randy Ongie\ntuser.dat.LOG
[2005/04/14 11:27:28 | 000,000,178 | -HS- | C] () -- C:\Documents and Settings\Randy Ongie\NTUSER.INI
[2005/04/12 21:21:39 | 000,000,070 | ---- | C] () -- C:\WINDOWS\custvoic.ini
[2005/04/12 18:30:27 | 000,210,944 | ---- | C] () -- C:\WINDOWS\System32\MSVCRT10.DLL
[2005/04/12 18:30:23 | 000,000,048 | ---- | C] () -- C:\WINDOWS\KPCMS.INI
[2005/04/12 15:34:12 | 000,262,144 | ---- | C] () -- C:\Documents and Settings\All Users\NTUSER.DAT
[2005/04/12 15:34:12 | 000,001,024 | -H-- | C] () -- C:\Documents and Settings\All Users\NTUSER.DAT.LOG
[2005/04/08 01:57:44 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2005/04/08 01:55:24 | 000,000,138 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2005/04/08 01:18:26 | 000,000,370 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.INI
[2005/02/03 01:50:28 | 000,004,224 | ---- | C] () -- C:\WINDOWS\System32\StarOpen.sys
[2005/01/28 08:08:34 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\px.ini
[2004/08/10 13:13:12 | 000,000,780 | ---- | C] () -- C:\WINDOWS\ORUN32.INI
[2004/08/04 05:00:00 | 000,001,793 | ---- | C] () -- C:\WINDOWS\System32\FXSPERF.INI
[2004/04/23 14:17:02 | 000,000,061 | ---- | C] () -- C:\WINDOWS\System32\uninstall.ini
[2002/06/18 07:04:38 | 000,001,783 | ---- | C] () -- C:\Program Files\Enhancements_Import_1_0.dtd
< End of report >

Ongie
Novice
Novice

Posts Posts : 9
Joined Joined : 2010-04-04
OS OS : Windows XP (Service Pack 2)
Points Points : 24523
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Vicious Malware Attack! Ahhhh!

Post by Ongie on 5th April 2010, 1:26 am

And now... Extras.txt...

OTL Extras logfile created on: 4/4/2010 8:15:54 PM - Run 1
OTL by OldTimer - Version 3.2.1.0 Folder = F:\
Windows XP Home Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.11)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

758.00 Mb Total Physical Memory | 602.00 Mb Available Physical Memory | 79.00% Memory free
1.00 Gb Paging File | 1.00 Gb Available in Paging File | 94.00% Paging File free
Paging file location(s): C:\pagefile.sys 756 1512 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 71.03 Gb Total Space | 11.71 Gb Free Space | 16.49% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
Drive F: | 1.97 Gb Total Space | 1.95 Gb Free Space | 98.95% Space Free | Partition Type: FAT
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: D3NBM771
Current User Name: Randy Ongie
Logged in as Administrator.

Current Boot Mode: SafeMode with Networking
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\]

[HKEY_CURRENT_USER\SOFTWARE\Classes\]
.exe [@ = exefile] -- Reg Error: Key error. File not found
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- Reg Error: Key error.
http [open] -- "C:\Program Files\Mozilla Firefox\firefox.exe" -requestPending -osint -url "%1" (Mozilla Corporation)
https [open] -- "C:\Program Files\Mozilla Firefox\firefox.exe" -requestPending -osint -url "%1" (Mozilla Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" %*
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [Winamp.Bookmark] -- "C:\Program Files\Winamp\Winamp.exe" /BOOKMARK "%1" (Nullsoft)
Directory [Winamp.Enqueue] -- "C:\Program Files\Winamp\Winamp.exe" /ADD "%1" (Nullsoft)
Directory [Winamp.Play] -- "C:\Program Files\Winamp\Winamp.exe" "%1" (Nullsoft)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusOverride" = 1
"FirewallOverride" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 0
"DoNotAllowExceptions" = 0
"DisableNotifications" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0
"DoNotAllowExceptions" = 0
"DisableNotifications" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe" = C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe:*:Enabled:AOL -- File not found
"C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" = C:\Program Files\Common Files\AOL\ACS\AOLDial.exe:*:Enabled:AOL -- File not found
"C:\Program Files\AIM\aim.exe" = C:\Program Files\AIM\aim.exe:*:Enabled:AOL Instant Messenger -- (America Online, Inc.)
"C:\Program Files\America Online 9.0\waol.exe" = C:\Program Files\America Online 9.0\waol.exe:*:Enabled:America Online 9.0 -- (America Online, Inc.)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" = C:\Program Files\Common Files\AOL\ACS\AOLDial.exe:*:Enabled:AOL -- File not found
"C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe" = C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe:*:Enabled:AOL -- File not found
"C:\Program Files\AIM\aim.exe" = C:\Program Files\AIM\aim.exe:*:Enabled:AOL Instant Messenger -- (America Online, Inc.)
"C:\Program Files\America Online 9.0\waol.exe" = C:\Program Files\America Online 9.0\waol.exe:*:Enabled:America Online 9.0 -- (America Online, Inc.)
"C:\Program Files\Common Files\AOL\Loader\aolload.exe" = C:\Program Files\Common Files\AOL\Loader\aolload.exe:*:Enabled:AOL Loader -- File not found
"C:\Program Files\Common Files\AOL\1136341367\ee\aolsoftware.exe" = C:\Program Files\Common Files\AOL\1136341367\ee\aolsoftware.exe:*:Enabled:AOL Services -- File not found
"C:\Program Files\Common Files\AOL\1136341367\ee\aim6.exe" = C:\Program Files\Common Files\AOL\1136341367\ee\aim6.exe:*:Enabled:AIM -- File not found
"C:\Program Files\LimeWire\LimeWire.exe" = C:\Program Files\LimeWire\LimeWire.exe:*:Enabled:LimeWire -- (Lime Wire, LLC)
"C:\Program Files\Java\jre1.6.0_03\bin\javaw.exe" = C:\Program Files\Java\jre1.6.0_03\bin\javaw.exe:*:Enabled:Java(TM) Platform SE binary -- (Sun Microsystems, Inc.)
"C:\Program Files\uTorrent\uTorrent.exe" = C:\Program Files\uTorrent\uTorrent.exe:*:Enabled:Torrent -- ()
"C:\Program Files\iTunes\iTunes.exe" = C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes -- (Apple Inc.)
"C:\WINDOWS\SYSTEM32\DPVSETUP.EXE" = C:\WINDOWS\SYSTEM32\DPVSETUP.EXE:*:Enabled:Microsoft DirectPlay Voice Test -- (Microsoft Corporation)
"C:\WINDOWS\SYSTEM32\a.exe" = C:\WINDOWS\SYSTEM32\a.exe:*:Disabled:a -- File not found
"C:\Program Files\Mozilla Firefox\firefox.exe" = C:\Program Files\Mozilla Firefox\firefox.exe:*:Disabled:Firefox -- (Mozilla Corporation)
"C:\Documents and Settings\Randy Ongie\Desktop\hl2-steam.exe" = C:\Documents and Settings\Randy Ongie\Desktop\hl2-steam.exe:*:Enabled:hl2-steam -- File not found
"C:\Program Files\Counter-Strike 1.6\hl.exe" = C:\Program Files\Counter-Strike 1.6\hl.exe:*:Enabled:Half-Life Launcher -- File not found
"C:\Program Files\SopCast\adv\SopAdver.exe" = C:\Program Files\SopCast\adv\SopAdver.exe:*:Enabled:SopCast Adver -- ([You must be registered and logged in to see this link.]
"C:\Program Files\SopCast\SopCast.exe" = C:\Program Files\SopCast\SopCast.exe:*:Enabled:SopCast Main Application -- ([You must be registered and logged in to see this link.]
"C:\Program Files\AVG\AVG8\avgemc.exe" = C:\Program Files\AVG\AVG8\avgemc.exe:*:Enabled:avgemc.exe -- (AVG Technologies CZ, s.r.o.)
"C:\Program Files\AVG\AVG8\avgupd.exe" = C:\Program Files\AVG\AVG8\avgupd.exe:*:Enabled:avgupd.exe -- (AVG Technologies CZ, s.r.o.)
"C:\Program Files\AVG\AVG8\avgnsx.exe" = C:\Program Files\AVG\AVG8\avgnsx.exe:*:Enabled:avgnsx.exe -- (AVG Technologies CZ, s.r.o.)
"C:\Program Files\StreamTorrent 1.0\StreamTorrent.exe" = C:\Program Files\StreamTorrent 1.0\StreamTorrent.exe:*:Enabled:StreamTorrent P2P Media Player -- (StreamTorrent Team)
"C:\WINDOWS\Explorer.EXE" = C:\WINDOWS\Explorer.EXE:*:enabled:@shell32.dll,-1 -- (Microsoft Corporation)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{0456ebd7-5f67-4ab6-852e-63781e3f389c}" = Macromedia Flash Player
"{04AF207D-9A77-465A-8B76-991F6AB66245}" = Adobe Help Viewer CS3
"{08B32819-6EEF-4057-AEDA-5AB681A36A23}" = Adobe Bridge Start Meeting
"{09DA4F91-2A09-4232-AB8C-6BC740096DE3}" = Sonic Update Manager
"{0EB5D9B7-8E6C-4A9E-B74F-16B7EE89A67B}" = Microsoft Plus! Photo Story 2 LE
"{0F6A7971-0F11-4A79-A0E9-133D0963A570}" = ISO Recorder
"{1206EF92-2E83-4859-ACCB-2048C3CB7DA6}" = Sonic DLA
"{17334AAF-C9E7-483B-9F45-E3FCAF07FFA7}" = Intel(R) PROSet for Wired Connections
"{18455581-E099-4BA8-BC6B-F34B2F06600C}" = Google Toolbar for Internet Explorer
"{184CE391-7E0E-4C63-9935-D7A10EDFD3C6}" = Adobe WinSoft Linguistics Plugin
"{18D10072035C4515918F7E37EAFAACFC}" = AutoUpdate
"{1a413f37-ed88-4fec-9666-5c48dc4b7bb7}" = YouTube Downloader 2.5.1
"{1ADE23D7-7A1E-4AEC-BA5D-EB8A01BED943}" = DeepBurner Pro v1.8.0.225
"{1F1F35A7-8EA0-43B5-AEAF-B0B9AB1BEF97}" = iRiver Manager
"{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = Google Toolbar for Internet Explorer
"{2818095F-FB6C-42C8-827E-0A406CC9AFF5}" = Quicken 2006
"{29E5EA97-5F74-4A57-B8B2-D4F169117183}" = Adobe Stock Photos CS3
"{2A9A40C7-6670-4D5F-8F41-D12E2E08B48B}" = Star Wars: Knights of the Old Republic (TM)
"{2ADE2157-7A5E-122C-B51D-EB8A01B15943}" = DeepBurner v1.9.0.228
"{2B5A75F0-FD85-4094-AB00-94902398D192}" = Sony Media Manager 2.2
"{3248F0A8-6813-11D6-A77B-00B0D0150040}" = J2SE Runtime Environment 5.0 Update 4
"{3248F0A8-6813-11D6-A77B-00B0D0150060}" = J2SE Runtime Environment 5.0 Update 6
"{3248F0A8-6813-11D6-A77B-00B0D0150100}" = J2SE Runtime Environment 5.0 Update 10
"{3248F0A8-6813-11D6-A77B-00B0D0160030}" = Java(TM) 6 Update 3
"{33BB4982-DC52-4886-A03B-F4C5C80BEE89}" = Windows Media Player 10
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{35BDEFF1-A610-4956-A00D-15453C116395}" = Internet Explorer Default Page
"{3D7E3EC9-46CF-4359-9289-39CE01DFB82F}" = Adobe Photoshop CS3
"{3F92ABBB-6BBF-11D5-B229-002078017FBF}" = NetWaiting
"{4102037D-E8E0-48E0-B203-E521D194FB71}" = NETGEAR WG111v2 wireless USB 2.0 adapter
"{4192EAC0-6B36-4723-B216-D0E86E7757AC}" = Jasc Paint Shop Photo Album 5
"{44734179-8A79-4DEE-BB08-73037F065543}" = Apple Mobile Device Support
"{4B9F45E8-E3CE-40B4-9463-80A9B3481DEF}" = Banctec Service Agreement
"{51846830-E7B2-4218-8968-B77F0FF475B8}" = Adobe Color EU Extra Settings
"{541DEAC0-5F3D-45E6-B7CB-94ECF3B96748}" = Skype web features
"{54793AA1-5001-42F4-ABB6-C364617C6078}" = Adobe Linguistics CS3
"{5905F42D-3F5F-4916-ADA6-94A3646AEE76}" = Dell Driver Reset Tool
"{5EED93A8-33AD-46A7-A6AC-4DEAFBEFEEE1}" = Roxio Media Manager
"{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}" = PowerDVD 5.3
"{6ABE0BEE-D572-4FE8-B434-9E72A289431B}" = Adobe Fonts All
"{6E179C77-7335-458D-9537-4F4EAC0181ED}" = Photo Click
"{6E45BA47-383C-4C1E-8ED0-0D4845C293D7}" = Microsoft Plus! Digital Media Edition Installer
"{6E7DD182-9FC6-4651-0095-2E666CC6AF35}" = The Sims 2
"{6FF5DD7A-FE28-4439-B8CF-1E9AF4EA0A61}" = Adobe Asset Services CS3
"{7148F0A8-6813-11D6-A77B-00B0D0142030}" = Java 2 Runtime Environment, SE v1.4.2_03
"{716E0306-8318-4364-8B8F-0CC4E9376BAC}" = MSXML 4.0 SP2 Parser and SDK
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{74F7662C-B1DB-489E-A8AC-07A06B24978B}" = Dell System Restore
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{77DCDCE3-2DED-62F3-8154-05E745472D07}" = Acrobat.com
"{78C496B9-5A6B-4692-8C2E-AFFFC34E4961}" = Jasc Paint Shop Pro Studio, Dell Editon
"{78D62D17-D970-42DA-B8CF-5E5576293B33}" = Final Draft 7
"{78D944D7-A97B-4004-AB0A-B5AD06839940}" = My Way Search Assistant
"{7B63B2922B174135AFC0E1377DD81EC2}" = DivX
"{7F142D56-3326-11D5-B229-002078017FBF}" = Modem Helper
"{802771A9-A856-4A41-ACF7-1450E523C923}" = Adobe XMP Panels CS3
"{80FD852F-5AAC-4129-B931-06AAFFA43138}" = iTunes
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8A708DD8-A5E6-11D4-A706-000629E95E20}" = Intel(R) Graphics Media Accelerator Driver
"{8ADFC4160D694100B5B8A22DE9DCABD9}" = DivX Player
"{8D2BA474-F406-4710-9AE4-D4F22D21F0DD}" = Adobe Device Central CS3
"{8E150A29-46F7-4CD6-A085-A0158CA9DF5E}" = Ocean
"{8E6808E2-613D-4FCD-81A2-6C8FA8E03312}" = Adobe Type Support
"{8EDBA74D-0686-4C99-BFDD-F894678E5102}" = Adobe Common File Installer
"{90176341-0A8B-4CCC-A78D-F862228A6B95}" = Adobe Anchor Service CS3
"{901D1286-529B-48A9-8DDD-4A60CF9E9BF1}" = H&R Block Tax Offer
"{9541FED0-327F-4DF0-8B96-EF57EF622F19}" = Sonic RecordNow!
"{9559F7CA-5E34-4237-A2D9-D856464AD727}" = Project64 1.6
"{95655ED4-7CA5-46DF-907F-7144877A32E5}" = Adobe Color NA Recommended Settings
"{9AB77E48-5BAF-4EBA-A88B-40CAF43F237E}" = VirtuallyJenna-2.017.002 (Cracked)
"{9C9824D9-9000-4373-A6A5-D0E5D4831394}" = Adobe Bridge CS3
"{A06275F4-324B-4E85-95E6-87B2CD729401}" = Windows Defender
"{A2B242BD-FF8D-4840-9DAA-9170EABEC59C}" = Adobe CMaps
"{A2BCA9F1-566C-4805-97D1-7FDC93386723}" = Adobe AIR
"{A2D81E70-2A98-4A08-A628-94388B063C5E}" = Adobe Color - Photoshop Specific
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{AC0EE5B0-A8FB-4D0A-AF03-2EDC518F841B}" = Dell Media Experience
"{AC5B0C19-D851-42F4-BDA0-410ECF7F70A5}" = PDF Settings
"{AC76BA86-7AD7-1033-7B44-A90000000001}" = Adobe Reader 9
"{AD13BFB0-FDD2-4AFA-A8AF-9F4A950D56B7}" = ArcSoft Camera Suite 1.3
"{AF06CAE4-C134-44B1-B699-14FBDB63BD37}" = Dell Picture Studio v3.0
"{AF19F291-F22F-4798-9662-525305AE9E48}" = WordPerfect Office 12
"{B3BF6689-A81D-40D8-9A86-4AC4ACD9FC1C}" = Adobe Camera Raw 4.0
"{B7050CBDB2504B34BC2A9CA0A692CC29}" = DivX Web Player
"{B74F042E-E1B9-4A5B-8D46-387BB172F0A4}" = Apple Software Update
"{B9B35331-B7E4-4E5C-BF4C-7BC87856124D}" = Adobe Default Language CS3
"{BCE46757-7674-4416-BEDB-68205A60409E}" = Canon CanoScan Toolbox 4.1
"{BFD96B89-B769-4CD6-B11E-E79FFD46F067}" = QuickTime
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C2D69781-F392-4118-A5A7-C7E9C38DBFC2}" = Adobe Extendscript Toolkit 2
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CC8B19D1-91D2-4D5B-B331-F885F432745E}" = Final Draft 6
"{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}" = SUPERAntiSpyware Free Edition
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D0DFF92A-492E-4C40-B862-A74A173C25C5}" = Adobe Version Cue CS3 Client
"{D103C4BA-F905-437A-8049-DB24763BBE36}" = Skype 4.1
"{D2559B88-CC9D-4B48-81BB-F492BAA9C48C}" = Adobe PDF Library Files
"{DADD7B8A-BCB0-44F5-967A-ECB6B4F2ECD9}" = Adobe Color Common Settings
"{DB3C800B-081B-4146-B4E3-EFB5B77AA913}" = TES Construction Set
"{DD7DB3C5-6FA3-4FA3-8A71-C2F2940EB029}" = Adobe Color JA Extra Settings
"{E09B48B5-E141-427A-AB0C-D3605127224A}" = Microsoft SQL Server Desktop Engine (SONY_MEDIAMGR)
"{E646DCF0-5A68-11D5-B229-002078017FBF}" = Digital Line Detect
"{E69AE897-9E0B-485C-8552-7841F48D42D8}" = Adobe Update Manager CS3
"{F20D2884-D854-48A7-B0F0-2921F3A23F81}" = BlackBerry Desktop Software 4.3
"{F45298E5-0083-426F-A668-1A2C5F04B8A0}" = FaxTools
"{FC550484-2862-49C3-A85A-802457F9AABA}" = MGTEK dopisp
"{FF11004C-F42A-4A31-9BCF-7F5C8FDBE53C}" = Adobe Setup
"7-Zip" = 7-Zip 4.65
"82A44D22-9452-49FB-00FB-CEC7DCAF7E23" = EA SPORTS online 2004
"Abdio WMV Video Converter v6.62 (Try)" = Abdio WMV Video Converter v6.62 (Try)
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Adobe_719d6f144d0c086a0dfa7ff76bb9ac1" = Adobe Photoshop CS3
"AdobeESD" = Adobe Download Manager 2.0 (Remove Only)
"afreeCodecVT2" = afreeCodecVT
"Allok QuickTime to AVI MPEG DVD Converter_is1" = Allok QuickTime to AVI MPEG DVD Converter 1.1.2
"AOL Instant Messenger" = AOL Instant Messenger
"AOL Uninstaller" = AOL Uninstaller (Choose which Products to Remove)
"AOLCoach" = AOL Coach Version 1.0(Build:20040229.1 en)
"ASCII Art Generator_is1" = ASCII Art Generator 3.2.4.2
"Audacity_is1" = Audacity 1.2.6
"avast5" = avast! Free Antivirus
"AVG8Uninstall" = AVG Free 8.5
"BlackBerry_{F20D2884-D854-48A7-B0F0-2921F3A23F81}" = BlackBerry Desktop Software 4.3
"CCleaner" = CCleaner
"CDisplay_is1" = CDisplay 1.8
"CNXT_MODEM_PCI_VEN_14F1&DEV_2F20&SUBSYS_200F14F1" = Conexant D850 56K V.9x DFVc Modem
"com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1" = Acrobat.com
"DellSupport" = Dell Support 5.0.0 (630)
"DivX Content Uploader" = DivX Content Uploader
"E3TV Player_is1" = NetCableTV E3TV Player 2.6
"EPSON Printer and Utilities" = EPSON Printer Software
"ffdshow_is1" = ffdshow [rev 3089] [2009-09-26]
"FLVPlayer" = FLV Player 1.3.3
"GameSpy Arcade" = GameSpy Arcade
"GSpot" = GSpot Codec Information Appliance
"HentaII3D-019.003" = HentaII3D-019.003
"HijackThis" = HijackThis 2.0.2
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"IsoBuster_is1" = IsoBuster 1.8
"KLiteCodecPack_is1" = K-Lite Codec Pack 2.84 Full
"LAME for Audacity_is1" = LAME v3.98.2 for Audacity
"Last.fm Player_is1" = Last.fm Player 1.0.4
"LastFM_is1" = Last.fm 1.5.4.24567
"Lexmark 1200 Series" = Lexmark 1200 Series
"LimeWire" = LimeWire 4.16.3
"Macromedia Shockwave Player" = Macromedia Shockwave Player
"Magic ISO Maker v5.5 (build 0276)" = Magic ISO Maker v5.5 (build 0276)
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"MetaFrame Presentation Server Web Client for Win32" = MetaFrame Presentation Server Web Client for Win32
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"MLUpdater" = iRiver Updater
"Mozilla Firefox (3.0.18)" = Mozilla Firefox (3.0.18)
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"MyWaySearchAssistantDE" = My Way Search Assistant
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"OpenAL" = OpenAL
"PowerISO" = PowerISO
"PROSet" = Intel(R) PRO Network Connections Drivers
"RealPlayer 6.0" = RealPlayer
"RNCompiler 6.0" = Advanced RealMedia Export Plug-in for Premiere 6.0
"SLABCOMM" = CP2101 USB to UART Bridge Controller
"SnoopFreePrivacyShield" = SnoopFree Privacy Shield
"SopCast" = SopCast 3.2.4
"StreamTorrent 1.0" = Stream Torrent 1.0
"SyncroSoft Emu" = SyncroSoft Emu (Remove only)
"Syncrosoft's License Control" = Syncrosoft's License Control
"Tablet Driver" = Tablet
"VCDEasy_is1" = VCDEasy
"Veetle TV" = Veetle TV 0.9.15
"VLC media player" = VideoLAN VLC media player 0.8.6a
"WIC" = Windows Imaging Component
"WinAce Archiver" = WinAce Archiver
"Winamp" = Winamp (remove only)
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"WinRAR archiver" = WinRAR archiver
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Juniper_Networks_Cache_Cleaner 5.5.0" = Juniper Networks Cache Cleaner 5.5.0
"Move Media Player" = Move Media Player
"uTorrent" = Torrent

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 3/28/2010 12:11:05 AM | Computer Name = D3NBM771 | Source = Google Update | ID = 20
Description =

Error - 3/28/2010 1:11:29 AM | Computer Name = D3NBM771 | Source = Google Update | ID = 20
Description =

Error - 3/30/2010 2:33:24 PM | Computer Name = D3NBM771 | Source = Application Error | ID = 1000
Description = Faulting application vt3.exe, version 0.0.0.0, faulting module vt3.exe,
version 0.0.0.0, fault address 0x0000482a.

Error - 3/30/2010 2:46:33 PM | Computer Name = D3NBM771 | Source = Application Error | ID = 1000
Description = Faulting application vt3.exe, version 0.0.0.0, faulting module vt3.exe,
version 0.0.0.0, fault address 0x0000482a.

Error - 3/30/2010 2:47:30 PM | Computer Name = D3NBM771 | Source = Application Error | ID = 1000
Description = Faulting application vt3.exe, version 0.0.0.0, faulting module vt3.exe,
version 0.0.0.0, fault address 0x0000482a.

Error - 3/30/2010 2:55:32 PM | Computer Name = D3NBM771 | Source = Application Error | ID = 1000
Description = Faulting application vt3.exe, version 0.0.0.0, faulting module vt3.exe,
version 0.0.0.0, fault address 0x0000482a.

Error - 3/30/2010 2:57:16 PM | Computer Name = D3NBM771 | Source = Application Error | ID = 1000
Description = Faulting application vt3.exe, version 0.0.0.0, faulting module vt3.exe,
version 0.0.0.0, fault address 0x0000482a.

Error - 3/30/2010 7:18:33 PM | Computer Name = D3NBM771 | Source = Application Hang | ID = 1002
Description = Hanging application AutoRun.exe, version 1.1.0.307, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 3/30/2010 7:49:55 PM | Computer Name = D3NBM771 | Source = Application Error | ID = 1000
Description = Faulting application sims2.exe, version 1.0.0.932, faulting module
~df394b.tmp, version 0.0.0.0, fault address 0x0008e86b.

Error - 3/31/2010 11:52:34 AM | Computer Name = D3NBM771 | Source = MBAMService | ID = 131073
Description =

[ System Events ]
Error - 4/4/2010 7:58:51 PM | Computer Name = D3NBM771 | Source = Ftdisk | ID = 262189
Description = The system could not sucessfully load the crash dump driver.

Error - 4/4/2010 7:58:51 PM | Computer Name = D3NBM771 | Source = Ftdisk | ID = 262193
Description = Configuring the Page file for crash dump failed. Make sure there is
a page file on the boot partition and that is large enough to contain all physical
memory.

Error - 4/4/2010 8:04:53 PM | Computer Name = D3NBM771 | Source = sptd | ID = 262148
Description = Driver detected an internal error in its data structures for .

Error - 4/4/2010 8:04:53 PM | Computer Name = D3NBM771 | Source = sr | ID = 1
Description = The System Restore filter encountered the unexpected error '0xC0000034'
while processing the file '_filelst.cfg' on the volume 'HarddiskVolume2'. It has
stopped monitoring the volume.

Error - 4/4/2010 8:04:53 PM | Computer Name = D3NBM771 | Source = Ftdisk | ID = 262189
Description = The system could not sucessfully load the crash dump driver.

Error - 4/4/2010 8:04:53 PM | Computer Name = D3NBM771 | Source = Ftdisk | ID = 262193
Description = Configuring the Page file for crash dump failed. Make sure there is
a page file on the boot partition and that is large enough to contain all physical
memory.

Error - 4/4/2010 8:31:24 PM | Computer Name = D3NBM771 | Source = sptd | ID = 262148
Description = Driver detected an internal error in its data structures for .

Error - 4/4/2010 8:31:24 PM | Computer Name = D3NBM771 | Source = sr | ID = 1
Description = The System Restore filter encountered the unexpected error '0xC0000034'
while processing the file '_filelst.cfg' on the volume 'HarddiskVolume2'. It has
stopped monitoring the volume.

Error - 4/4/2010 8:31:24 PM | Computer Name = D3NBM771 | Source = Ftdisk | ID = 262189
Description = The system could not sucessfully load the crash dump driver.

Error - 4/4/2010 8:31:24 PM | Computer Name = D3NBM771 | Source = Ftdisk | ID = 262193
Description = Configuring the Page file for crash dump failed. Make sure there is
a page file on the boot partition and that is large enough to contain all physical
memory.


< End of report >

Thank you so much for your time, again. Thank You!

Ongie
Novice
Novice

Posts Posts : 9
Joined Joined : 2010-04-04
OS OS : Windows XP (Service Pack 2)
Points Points : 24523
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Vicious Malware Attack! Ahhhh!

Post by Ongie on 5th April 2010, 4:26 pm

UPDATE!

After some extensive fiddling, the computer (miraculously) began to allow copy and pasting. I don't know how or why this happened, but the first thing I did was copy and run MalwareBytes. Lots of malware was located! Here is the mbam log...


Malwarebytes' Anti-Malware 1.45
[You must be registered and logged in to see this link.]

Database version: 3930

Windows 5.1.2600 Service Pack 2 (Safe Mode)
Internet Explorer 7.0.5730.11

4/5/2010 4:14:54 AM
mbam-log-2010-04-05 (04-14-54).txt

Scan type: Full scan (C:\|)
Objects scanned: 212491
Time elapsed: 53 minute(s), 34 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 9
Registry Values Infected: 2
Registry Data Items Infected: 5
Folders Infected: 1
Files Infected: 7

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
c:\WINDOWS\SYSTEM32\yelenini.dll (Trojan.Vundo.H) -> Delete on reboot.

Registry Keys Infected:
HKEY_CLASSES_ROOT\mywaysearchassistantde.auxiliary (Adware.MyWaySearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\mywaysearchassistantde.auxiliary.1 (Adware.MyWaySearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\avsoft (Trojan.Fraudpack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\_VOID (Rootkit.TDSS) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msascui.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msseces.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\avsoft (Trojan.Fraudpack) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\suhaderus (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rotesezefa (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: c:\windows\system32\yelenini.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: system32\yelenini.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\Randy Ongie\Local Settings\Application Data\av.exe" /START "C:\Program Files\Internet Explorer\iexplore.exe") Good: (iexplore.exe) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
C:\WINDOWS\_VOIDismqbdriwt (Rootkit.TDSS) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\SYSTEM32\javukori.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\yelenini.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\SYSTEM32\zewunuda.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\Documents and Settings\Randy Ongie\My Documents\Downloads\TS2_ISOS\EA_Keygen.exe (Trojan.Orsam) -> Quarantined and deleted successfully.
C:\I386\GTDownDE_87.ocx (Adware.Gdown) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP635\A0119335.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP683\A0126356.sys (Rootkit.Agent) -> Quarantined and deleted successfully.

NOTE: Upon restart, the system is still unable to boot normally (a blue screen of death is displayed). It still only boots in safe mode. HijackThis also confirms that there are still a couple of rogue .dlls running. Internet is still disabled, even with the correct proxy settings checked.

Another interesting side note... System restore no longer displays the dialog box when I click on it. It allows me to select a restore point, but when I click the "NEXT" button to begin the restore, nothing happens!

Anyway... This feels like progress. If you need any more logs/etc. to resolve this, let me know. Thank you.

Ongie
Novice
Novice

Posts Posts : 9
Joined Joined : 2010-04-04
OS OS : Windows XP (Service Pack 2)
Points Points : 24523
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Vicious Malware Attack! Ahhhh!

Post by Belahzur on 5th April 2010, 7:21 pm

Hello.

  • Download combofix from here
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]

    1. If you are using Firefox, make sure that your download settings are as follows:

    * Tools->Options->Main tab
    * Set to "Always ask me where to Save the files".

    2. During the download, rename Combofix to Combo-Fix as follows:





    3. It is important you rename Combofix during the download, but not after.
    4. Please do not rename Combofix to other names, but only to the one indicated.
    5. Close any open browsers.
    6. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

  • We need to disable your local AV (Anti-virus) before running Combofix.
  • See [You must be registered and logged in to see this link.] for how to disable your AV.
  • Double click on ComboFix.exe.
  • Follow the prompts. NOTE:
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.


  • The Recovery Console provides a recovery/repair mode should a problem occur during a Combofix run.



  • Allow ComboFix to download the Recovery Console.
  • Accept the End-User License Agreement.
  • The Recovery Console will be installed.
  • You will then get this next prompt that asks if you want to continue the malware scan, select yes



  • Allow combofix to run
  • Post C:\combofix.txt back here.

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34918
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : 7 Home Premium x64
Points Points : 245091
# Likes # Likes : 1

View user profile

Back to top Go down

Re: Vicious Malware Attack! Ahhhh!

Post by Ongie on 5th April 2010, 10:44 pm

Hello!

I downloaded ComboFix, renamed it during the download, etc...

But the trouble is, it cannot download the recovery console. The infected computer is still unable to connect to the internet, so cannot be downloaded.

Is there any way to download the recovery console to a different system and transfer it over via thumb-drive? I have tried repairing the connection, changing the proxy settings over and over again, but it simply won't connect. Sad tearing

It would seem I have hit another snag.

Thank you for your patience.

Ongie
Novice
Novice

Posts Posts : 9
Joined Joined : 2010-04-04
OS OS : Windows XP (Service Pack 2)
Points Points : 24523
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Vicious Malware Attack! Ahhhh!

Post by Belahzur on 5th April 2010, 11:05 pm

Hello.
Select no to the RC prompt, let it continue without the RC.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34918
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : 7 Home Premium x64
Points Points : 245091
# Likes # Likes : 1

View user profile

Back to top Go down

Re: Vicious Malware Attack! Ahhhh!

Post by Ongie on 6th April 2010, 12:40 am

UPDATE!!!!

I am happy to report that I am typing this on the infected system. It is now connected to the internet! You are an absoƖute lifesaver, Belahzur! I will be sending GeekPolice a donation; thank you so much for helping me get this far!

As for the ComboFix log... Here it is...

ComboFix 10-04-04.01 - Randy Ongie 04/05/2010 18:47:42.1.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.758.358 [GMT -5:00]
Running from: F:\Combo-Fix.exe
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Favorites\_favdata.dat
c:\windows\system32\ralutelu.dll
c:\windows\system32\tmp.reg
c:\windows\system32\uninstall.exe

Infected copy of c:\windows\system32\DRIVERS\atapi.sys was found and disinfected
Restored copy from - Kitty ate it :p
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_TDSSSERV
-------\Legacy_ZESOFT
-------\Legacy__VOIDismqbdriwt
-------\Service__VOIDismqbdriwt


((((((((((((((((((((((((( Files Created from 2010-03-05 to 2010-04-05 )))))))))))))))))))))))))))))))
.

2010-04-05 10:20 . 2010-04-05 10:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-04-05 10:20 . 2010-04-05 10:20 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-04-05 10:03 . 2010-03-09 10:12 162640 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-04-05 10:03 . 2010-03-09 10:08 19024 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-04-05 10:03 . 2010-03-09 10:09 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-03-31 01:41 . 2010-03-31 01:41 -------- d-----w- c:\program files\Alwil Software
2010-03-31 00:33 . 2010-03-31 00:33 699904 ----a-w- c:\windows\is-MJKGF.exe
2010-03-31 00:07 . 2010-03-31 00:07 552 ----a-w- c:\windows\system32\d3d8caps.dat
2010-03-31 00:07 . 2010-04-05 10:22 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2010-03-31 00:05 . 2010-03-31 00:06 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-03-30 22:43 . 2010-03-30 22:43 -------- d-----w- c:\program files\EA GAMES
2010-03-20 10:40 . 2010-03-21 06:19 38 ----a-w- c:\windows\popcinfot.dat
2010-03-19 21:16 . 2010-03-19 21:16 -------- d-----w- c:\documents and settings\Randy Ongie\Application Data\Activision
2010-03-19 18:25 . 2010-03-19 18:25 -------- d-----w- c:\program files\7-Zip
2010-03-10 10:27 . 2009-10-23 14:27 3555328 ------w- c:\windows\system32\dllcache\moviemk.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-06 00:04 . 2009-10-17 03:07 -------- d-----w- c:\documents and settings\Randy Ongie\Application Data\Skype
2010-04-06 00:04 . 2009-10-17 03:13 -------- d-----w- c:\documents and settings\Randy Ongie\Application Data\skypePM
2010-04-05 23:58 . 2006-10-10 20:23 12916 ----a-w- c:\windows\system32\tablet.dat
2010-04-05 14:55 . 2009-03-05 07:47 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-04-05 10:03 . 2010-03-31 01:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
2010-04-05 06:30 . 2008-09-05 04:52 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-04 23:24 . 2006-12-16 01:09 -------- d-----w- c:\program files\Windows Media Connect 2
2010-04-04 23:21 . 2006-01-04 02:30 -------- d-----w- c:\program files\Plaxo
2010-04-04 22:53 . 2010-04-04 22:53 -------- d-----w- c:\program files\CCleaner
2010-04-04 22:52 . 2005-04-08 06:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
2010-04-02 19:15 . 2010-04-02 19:15 -------- d-----w- c:\program files\Trend Micro
2010-03-30 22:30 . 2007-12-07 08:49 -------- d-----w- c:\documents and settings\Randy Ongie\Application Data\uTorrent
2010-03-30 18:58 . 2005-04-08 06:43 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-03-29 20:24 . 2010-03-31 12:21 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-29 20:24 . 2010-03-31 12:21 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-28 12:29 . 2010-02-23 11:39 -------- d-----w- c:\program files\EA SPORTS
2010-03-28 05:57 . 2008-12-29 22:42 -------- d-----w- c:\program files\Rockstar Games
2010-03-09 10:24 . 2010-04-05 10:03 38848 ----a-w- c:\windows\system32\avastSS.scr
2010-03-09 10:24 . 2010-04-05 10:03 153184 ----a-w- c:\windows\system32\aswBoot.exe
2010-03-09 10:12 . 2010-04-05 10:03 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-03-09 10:08 . 2010-04-05 10:03 100432 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2010-03-09 10:08 . 2010-04-05 10:03 94800 ----a-w- c:\windows\system32\drivers\aswmon.sys
2010-03-09 10:08 . 2010-04-05 10:03 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2010-03-07 07:24 . 2009-11-08 04:30 -------- d-----w- c:\program files\LucasArts
2010-03-06 20:24 . 2010-03-06 20:24 -------- d-----w- c:\program files\booddanet
2010-03-05 21:21 . 2009-01-02 13:41 43520 ----a-w- c:\windows\system32\CmdLineExt03.dll
2010-03-05 20:07 . 2010-03-05 19:48 -------- d-----w- c:\documents and settings\Randy Ongie\Application Data\DAEMON Tools Lite
2010-03-05 19:58 . 2010-03-05 19:48 -------- d-----w- c:\program files\DAEMON Tools Lite
2010-03-05 19:49 . 2010-03-05 19:49 691696 ----a-w- c:\windows\system32\drivers\sptd.sys
2010-03-05 19:48 . 2010-03-05 19:48 -------- d-----w- c:\documents and settings\All Users\Application Data\DAEMON Tools Lite
2010-03-05 04:42 . 2010-03-05 04:42 -------- d-----w- c:\program files\Activision
2010-03-04 04:28 . 2010-03-02 22:49 -------- d-----w- c:\program files\Diablo II
2010-03-02 23:06 . 2010-03-02 23:06 21840 ----a-w- c:\windows\system32\SIntfNT.dll
2010-03-02 23:06 . 2010-03-02 23:06 17212 ----a-w- c:\windows\system32\SIntf32.dll
2010-03-02 23:06 . 2010-03-02 23:06 12067 ----a-w- c:\windows\system32\SIntf16.dll
2010-03-02 20:16 . 2010-03-02 20:16 -------- d-----w- c:\program files\Sega
2010-03-02 07:08 . 2010-03-02 06:47 -------- d-----w- c:\program files\Counter-Strike 1.6
2010-03-02 05:51 . 2010-03-02 05:51 -------- d-----w- c:\program files\Bethesda Softworks
2010-03-01 22:35 . 2010-02-27 23:48 -------- d-----w- c:\program files\Infogrames
2010-02-27 23:48 . 2010-02-27 23:48 0 ----a-w- c:\windows\PowerReg.dat
2010-02-27 23:47 . 2005-04-08 06:43 -------- d-----w- c:\program files\Common Files\InstallShield
2010-02-27 06:46 . 2010-02-27 06:45 -------- d-----w- c:\program files\GameSpy Arcade
2010-02-27 05:12 . 2010-02-24 22:45 -------- d-----w- c:\program files\Metal Gear Solid
2010-02-25 03:21 . 2005-05-20 23:40 76072 ----a-w- c:\documents and settings\Randy Ongie\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-02-24 15:16 . 2009-10-02 17:27 181632 ------w- c:\windows\system32\MpSigStub.exe
2010-02-23 12:57 . 2009-11-06 01:33 -------- d-----w- c:\program files\JEOPARDY! 2
2010-02-23 11:39 . 2010-02-23 11:39 478 ----a-w- c:\windows\eReg.dat
2010-02-11 00:54 . 2005-09-11 20:49 -------- d-----w- c:\program files\Google
2002-06-18 12:04 . 2002-06-18 12:04 1783 ----a-w- c:\program files\Enhancements_Import_1_0.dtd
2006-05-24 21:38 . 2006-11-16 18:23 233472 ----a-w- c:\program files\mozilla firefox\plugins\CrazyTalk4Native.dll
2006-05-18 22:00 . 2006-11-16 18:23 204895 ----a-w- c:\program files\mozilla firefox\plugins\ctdomemhelper.dll
2005-09-29 19:41 . 2006-11-16 18:23 77824 ----a-w- c:\program files\mozilla firefox\plugins\ctframeplayerobject.dll
2006-05-18 21:59 . 2006-11-16 18:23 426081 ----a-w- c:\program files\mozilla firefox\plugins\ctplayerobject.dll
2005-02-02 17:19 . 2006-11-16 18:22 458752 ----a-w- c:\program files\mozilla firefox\plugins\imagickrt.dll
2006-04-10 23:35 . 2006-11-16 18:23 139264 ----a-w- c:\program files\mozilla firefox\plugins\rlcontentclass.dll
2005-11-09 16:10 . 2006-11-16 18:22 204800 ----a-w- c:\program files\mozilla firefox\plugins\RLMusicPacker.dll
2005-11-09 16:42 . 2006-11-16 18:22 106496 ----a-w- c:\program files\mozilla firefox\plugins\RLMusicUnpacker.dll
2006-01-04 16:22 . 2006-11-16 18:22 212992 ----a-w- c:\program files\mozilla firefox\plugins\RLVoicePacker.dll
2006-01-04 16:21 . 2006-11-16 18:22 167936 ----a-w- c:\program files\mozilla firefox\plugins\RLVoiceUnpacker.dll
1601-01-01 00:03 . 1601-01-01 00:03 207360 --sha-w- c:\windows\SYSTEM32\kemehobe.exe
1601-01-01 00:03 . 1601-01-01 00:03 709 --sha-w- c:\windows\SYSTEM32\wunojuti.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-01-05 68856]
"AdobeUpdater"="c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2007-03-01 2321600]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-02-17 1830128]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2009-10-09 25623336]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\DTLite.exe" [2009-10-30 369200]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-10-12 57344]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2004-01-07 110592]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2005-01-27 86016]
"iRiver Updater"="c:\program files\iRiver\iRiver Manager\Updater\Updater.exe" [2004-03-10 204800]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2005-08-25 180269]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-10-14 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-10-14 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-10-14 114688]
"Lexmark 1200 Series"="c:\program files\Lexmark 1200 Series\lxczbmgr.exe" [2006-03-16 57344]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-03 866584]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-02-01 385024]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-02-19 267048]
"PWRISOVM.EXE"="c:\program files\PowerISO\PWRISOVM.EXE" [2008-11-02 167936]
"H2O"="c:\program files\SyncroSoft\Pos\H2O\cledx.exe" [2005-10-23 385024]
"SnoopFreeUI"="SnoopFreeUI.exe" [2009-02-20 221184]
"EKIJ5000StatusMonitor"="c:\windows\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe" [2008-10-22 1310720]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2010-03-19 2046816]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2007-08-16 236016]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-04-05 2756488]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 39264]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
America Online 9.0 Tray Icon.lnk - c:\program files\America Online 9.0\aoltray.exe [2005-4-8 156784]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2005-4-8 24576]
NETGEAR WG111v2 Smart Wizard.lnk - c:\program files\NETGEAR\WG111v2\WG111v2.exe [2009-11-12 1261568]
TabUserW.exe.lnk - c:\windows\SYSTEM32\WTablet\TabUserW.exe [2006-10-10 114688]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 16:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-09-16 02:30 11952 ----a-w- c:\windows\SYSTEM32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk /r \??\C:\0autocheck autochk *

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Java\\jre1.6.0_03\\bin\\javaw.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\SYSTEM32\\DPVSETUP.EXE"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
"c:\\Program Files\\SopCast\\SopCast.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\StreamTorrent 1.0\\StreamTorrent.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R1 aswSP;aswSP;c:\windows\SYSTEM32\DRIVERS\aswSP.sys [4/5/2010 5:03 AM 162640]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\SYSTEM32\DRIVERS\avgldx86.sys [9/15/2009 9:30 PM 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\SYSTEM32\DRIVERS\avgtdix.sys [9/15/2009 9:30 PM 108552]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2009 11:43 AM 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2/17/2009 11:43 AM 55024]
R2 aswFsBlk;aswFsBlk;c:\windows\SYSTEM32\DRIVERS\aswFsBlk.sys [4/5/2010 5:03 AM 19024]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [9/15/2009 9:29 PM 908056]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [9/15/2009 9:29 PM 297752]
R2 SVKP;SVKP;c:\windows\SYSTEM32\SVKP.sys [7/10/2006 8:45 AM 2368]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 6:19 PM 13592]
R3 CLEDX;Team H2O CLEDX service;c:\windows\SYSTEM32\DRIVERS\cledx.sys [1/21/2009 5:57 AM 33792]
R3 RTLWUSB;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter NT Driver;c:\windows\SYSTEM32\DRIVERS\wg111v2.sys [11/12/2009 2:35 PM 194304]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2/17/2009 11:43 AM 7408]
S0 toseew;toseew; [x]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/10/2010 7:54 PM 135664]
S4 sptd;sptd;c:\windows\SYSTEM32\DRIVERS\sptd.sys [3/5/2010 2:49 PM 691696]
.
Contents of the 'Scheduled Tasks' folder

2010-03-26 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 19:57]

2010-04-05 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-11 00:54]

2010-04-06 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-11 00:54]

2010-04-06 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 23:20]
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
uInternet Connection Wizard,ShellNext = [You must be registered and logged in to see this link.]
uInternet Settings,ProxyOverride =
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
FF - ProfilePath - c:\documents and settings\Randy Ongie\Application Data\Mozilla\Firefox\Profiles\pr0td35c.default\
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
FF - plugin: c:\documents and settings\Randy Ongie\Application Data\Move Networks\plugins\npqmp071503000010.dll
FF - plugin: c:\documents and settings\Randy Ongie\Application Data\Mozilla\Firefox\Profiles\pr0td35c.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071101000055.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPAdbESD.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npRLCT4Player.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\Veetle\Player\npvlc.dll
FF - plugin: c:\program files\Veetle\plugins\npVeetle.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - truec:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDFE0BD779-44EE-4A4B-AA2E-743C63F2E5E6", "AllAccess");
.
- - - - ORPHANS REMOVED - - - -

BHO-{be9ad57d-d6bb-498b-a6c5-7655bbf90b12} - zewunuda.dll
HKCU-Run-msnmsgr - c:\program files\MSN Messenger\msnmsgr.exe
HKLM-Run-Star Wars - Jedi Knight - Jedi Academy no cd crack - c:\documents and settings\Jared Ongie\Shared\Star Wars - Jedi Knight - Jedi Academy no cd crack.exe
AddRemove-E3TV Player_is1 - c:\program files\NCTV\unins000.exe
AddRemove-HentaII3D-019.003 - c:\program files\thriXXX\HentaII 3D\Binaries\Uninstall-HentaII3D-019.003.exe
AddRemove-SLABCOMM - c:\windows\system32\uninstall.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2010-04-05 18:59
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{4D25F921-B9FE-4682-BF72-8AB8210D6D75}\InprocServer32]
@DACL=(02 0000)
@="c:\\Program Files\\MyWaySA\\SrchAsDe\\1.bin\\deSrcAs.dll"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{4D25F921-B9FE-4682-BF72-8AB8210D6D75}\Programmable]
@DACL=(02 0000)

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\|"|w*]
"5E7CEC10DF0760D4F8DAFB12FDC06CCD"="02:\\Software\\Adobe\\FeatureSubscriptions\\DVAAdobeDocMeta\\{01CEC7E5-70FD-4D06-8FAD-BF21DF0CC6DC}\\Registered"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
@DACL=(02 0000)
"Installed"="1"
@=""

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
@DACL=(02 0000)
"NoChange"="1"
"Installed"="1"
@=""

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
@DACL=(02 0000)
"Installed"="1"
@=""
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(992)
c:\windows\system32\RtlGina2.dll
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(2872)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Alwil Software\Avast5\AvastSvc.exe
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\progra~1\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\windows\System32\SnoopFreeSvc.exe
c:\windows\system32\Tablet.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\program files\Lexmark 1200 Series\lxczbmon.exe
c:\windows\SnoopFreeUI.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2010-04-05 19:18:34 - machine was rebooted
ComboFix-quarantined-files.txt 2010-04-06 00:18

Pre-Run: 11,543,961,600 bytes free
Post-Run: 11,647,463,424 bytes free

- - End Of File - - F9E0C3C6B18B4FCD261C51B7A110462D

Thank You! Thank You! Thank You! Thank You! Thank You!

Ongie
Novice
Novice

Posts Posts : 9
Joined Joined : 2010-04-04
OS OS : Windows XP (Service Pack 2)
Points Points : 24523
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Vicious Malware Attack! Ahhhh!

Post by Belahzur on 6th April 2010, 12:46 am

Hello.

I see that you are running Limewire and Torrent.
P2P(Peer to peer) applications are designed to help you easily share and distribute files between you and a group of people. But they can also be used to distribute malware, and thus are not considered safe.
The removal of these programs is optional, but highly recommended.

You are also running two antivirus', I see from the uninstall list you have Avast installed, along with AVG. This is a bad idea as they can conflict and cause more problems. I would recommend that you remove Avast to avoid conflict and other future problems.

Go to Start > Control Panel > Add/Remove Programs and remove the following programs.

    Torrent
    Adobe Reader 9
    avast! Free Antivirus
    Java 2 Runtime Environment, SE v1.4.2_03
    J2SE Runtime Environment 5.0 Update 4
    J2SE Runtime Environment 5.0 Update 6
    J2SE Runtime Environment 5.0 Update 10
    Java(TM) 6 Update 3
    LimeWire 4.16.3
    My Way Search Assistant

Next,

  1. Close any open browsers.
  2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  3. Open notepad and copy/paste the text in the quotebox below into it:

    KILLALL::

    Driver::
    toseew

    File::
    c:\windows\SYSTEM32\kemehobe.exe
    c:\windows\SYSTEM32\wunojuti.exe
    c:\windows\is-MJKGF.exe

    DDS::
    uInternet Settings,ProxyOverride =

    RegLock::
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{4D25F921-B9FE-4682-BF72-8AB8210D6D75}\InprocServer32]
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{4D25F921-B9FE-4682-BF72-8AB8210D6D75}\Programmable]
    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
  4. Save this as CFScript.txt, in the same location as ComboFix.exe



  5. Referring to the picture above, drag CFScript into ComboFix.exe
  6. When finished, it shall produce a log for you at C:\ComboFix.txt
  7. Please post the contents of the log in your next reply.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34918
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : 7 Home Premium x64
Points Points : 245091
# Likes # Likes : 1

View user profile

Back to top Go down

Re: Vicious Malware Attack! Ahhhh!

Post by Ongie on 6th April 2010, 1:44 am

I followed the instructions. There were problems uninstalling "Adobe Reader 9" and "MyWay Search Assistant", but other than that it went off without a hitch. Here is the log per your request...

ComboFix 10-04-04.01 - Randy Ongie 04/05/2010 20:13:06.2.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.758.406 [GMT -5:00]
Running from: F:\Combo-Fix.exe
Command switches used :: F:\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
"c:\windows\is-MJKGF.exe"
"c:\windows\SYSTEM32\kemehobe.exe"
"c:\windows\SYSTEM32\wunojuti.exe"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\is-MJKGF.exe
c:\windows\SYSTEM32\kemehobe.exe
c:\windows\SYSTEM32\wunojuti.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_toseew


((((((((((((((((((((((((( Files Created from 2010-03-06 to 2010-04-06 )))))))))))))))))))))))))))))))
.

2010-04-05 10:20 . 2010-04-05 10:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-04-05 10:20 . 2010-04-05 10:20 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-04-04 22:53 . 2010-04-04 22:53 -------- d-----w- c:\program files\CCleaner
2010-04-02 19:15 . 2010-04-02 19:15 -------- d-----w- c:\program files\Trend Micro
2010-03-31 12:21 . 2010-03-29 20:24 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-31 12:21 . 2010-03-29 20:24 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-31 01:41 . 2010-04-05 10:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
2010-03-31 01:41 . 2010-03-31 01:41 -------- d-----w- c:\program files\Alwil Software
2010-03-31 00:07 . 2010-03-31 00:07 552 ----a-w- c:\windows\system32\d3d8caps.dat
2010-03-31 00:07 . 2010-04-05 10:22 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2010-03-31 00:05 . 2010-03-31 00:06 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-03-30 22:43 . 2010-03-30 22:43 -------- d-----w- c:\program files\EA GAMES
2010-03-20 10:40 . 2010-03-21 06:19 38 ----a-w- c:\windows\popcinfot.dat
2010-03-19 21:16 . 2010-03-19 21:16 -------- d-----w- c:\documents and settings\Randy Ongie\Application Data\Activision
2010-03-19 18:25 . 2010-03-19 18:25 -------- d-----w- c:\program files\7-Zip
2010-03-10 10:27 . 2009-10-23 14:27 3555328 ------w- c:\windows\system32\dllcache\moviemk.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-06 01:29 . 2009-10-17 03:07 -------- d-----w- c:\documents and settings\Randy Ongie\Application Data\Skype
2010-04-06 01:25 . 2006-10-10 20:23 12916 ----a-w- c:\windows\system32\tablet.dat
2010-04-06 01:02 . 2005-10-26 18:47 -------- d-----w- c:\program files\LimeWire
2010-04-06 01:00 . 2005-04-08 06:42 -------- d-----w- c:\program files\Java
2010-04-06 00:04 . 2009-10-17 03:13 -------- d-----w- c:\documents and settings\Randy Ongie\Application Data\skypePM
2010-04-05 14:55 . 2009-03-05 07:47 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-04-05 06:30 . 2008-09-05 04:52 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-04 23:24 . 2006-12-16 01:09 -------- d-----w- c:\program files\Windows Media Connect 2
2010-04-04 23:21 . 2006-01-04 02:30 -------- d-----w- c:\program files\Plaxo
2010-04-04 22:52 . 2005-04-08 06:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
2010-03-30 22:30 . 2007-12-07 08:49 -------- d-----w- c:\documents and settings\Randy Ongie\Application Data\uTorrent
2010-03-30 18:58 . 2005-04-08 06:43 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-03-28 12:29 . 2010-02-23 11:39 -------- d-----w- c:\program files\EA SPORTS
2010-03-28 05:57 . 2008-12-29 22:42 -------- d-----w- c:\program files\Rockstar Games
2010-03-11 12:38 . 2004-08-04 10:00 832512 ----a-w- c:\windows\system32\wininet.dll
2010-03-11 12:38 . 2004-08-04 10:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-03-11 12:38 . 2004-08-04 10:00 17408 ----a-w- c:\windows\system32\corpol.dll
2010-03-07 07:24 . 2009-11-08 04:30 -------- d-----w- c:\program files\LucasArts
2010-03-06 20:24 . 2010-03-06 20:24 -------- d-----w- c:\program files\booddanet
2010-03-05 21:21 . 2009-01-02 13:41 43520 ----a-w- c:\windows\system32\CmdLineExt03.dll
2010-03-05 20:07 . 2010-03-05 19:48 -------- d-----w- c:\documents and settings\Randy Ongie\Application Data\DAEMON Tools Lite
2010-03-05 19:58 . 2010-03-05 19:48 -------- d-----w- c:\program files\DAEMON Tools Lite
2010-03-05 19:49 . 2010-03-05 19:49 691696 ----a-w- c:\windows\system32\drivers\sptd.sys
2010-03-05 19:48 . 2010-03-05 19:48 -------- d-----w- c:\documents and settings\All Users\Application Data\DAEMON Tools Lite
2010-03-05 04:42 . 2010-03-05 04:42 -------- d-----w- c:\program files\Activision
2010-03-04 04:28 . 2010-03-02 22:49 -------- d-----w- c:\program files\Diablo II
2010-03-02 23:06 . 2010-03-02 23:06 21840 ----a-w- c:\windows\system32\SIntfNT.dll
2010-03-02 23:06 . 2010-03-02 23:06 17212 ----a-w- c:\windows\system32\SIntf32.dll
2010-03-02 23:06 . 2010-03-02 23:06 12067 ----a-w- c:\windows\system32\SIntf16.dll
2010-03-02 20:16 . 2010-03-02 20:16 -------- d-----w- c:\program files\Sega
2010-03-02 07:08 . 2010-03-02 06:47 -------- d-----w- c:\program files\Counter-Strike 1.6
2010-03-02 05:51 . 2010-03-02 05:51 -------- d-----w- c:\program files\Bethesda Softworks
2010-03-01 22:35 . 2010-02-27 23:48 -------- d-----w- c:\program files\Infogrames
2010-02-27 23:48 . 2010-02-27 23:48 0 ----a-w- c:\windows\PowerReg.dat
2010-02-27 23:47 . 2005-04-08 06:43 -------- d-----w- c:\program files\Common Files\InstallShield
2010-02-27 06:46 . 2010-02-27 06:45 -------- d-----w- c:\program files\GameSpy Arcade
2010-02-27 05:12 . 2010-02-24 22:45 -------- d-----w- c:\program files\Metal Gear Solid
2010-02-25 03:21 . 2005-05-20 23:40 76072 ----a-w- c:\documents and settings\Randy Ongie\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-02-24 15:16 . 2009-10-02 17:27 181632 ------w- c:\windows\system32\MpSigStub.exe
2010-02-23 12:57 . 2009-11-06 01:33 -------- d-----w- c:\program files\JEOPARDY! 2
2010-02-23 11:39 . 2010-02-23 11:39 478 ----a-w- c:\windows\eReg.dat
2010-02-11 00:54 . 2005-09-11 20:49 -------- d-----w- c:\program files\Google
2002-06-18 12:04 . 2002-06-18 12:04 1783 ----a-w- c:\program files\Enhancements_Import_1_0.dtd
2006-05-24 21:38 . 2006-11-16 18:23 233472 ----a-w- c:\program files\mozilla firefox\plugins\CrazyTalk4Native.dll
2006-05-18 22:00 . 2006-11-16 18:23 204895 ----a-w- c:\program files\mozilla firefox\plugins\ctdomemhelper.dll
2005-09-29 19:41 . 2006-11-16 18:23 77824 ----a-w- c:\program files\mozilla firefox\plugins\ctframeplayerobject.dll
2006-05-18 21:59 . 2006-11-16 18:23 426081 ----a-w- c:\program files\mozilla firefox\plugins\ctplayerobject.dll
2005-02-02 17:19 . 2006-11-16 18:22 458752 ----a-w- c:\program files\mozilla firefox\plugins\imagickrt.dll
2006-04-10 23:35 . 2006-11-16 18:23 139264 ----a-w- c:\program files\mozilla firefox\plugins\rlcontentclass.dll
2005-11-09 16:10 . 2006-11-16 18:22 204800 ----a-w- c:\program files\mozilla firefox\plugins\RLMusicPacker.dll
2005-11-09 16:42 . 2006-11-16 18:22 106496 ----a-w- c:\program files\mozilla firefox\plugins\RLMusicUnpacker.dll
2006-01-04 16:22 . 2006-11-16 18:22 212992 ----a-w- c:\program files\mozilla firefox\plugins\RLVoicePacker.dll
2006-01-04 16:21 . 2006-11-16 18:22 167936 ----a-w- c:\program files\mozilla firefox\plugins\RLVoiceUnpacker.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-01-05 68856]
"AdobeUpdater"="c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2007-03-01 2321600]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-02-17 1830128]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2009-10-09 25623336]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\DTLite.exe" [2009-10-30 369200]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-10-12 57344]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2004-01-07 110592]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2005-01-27 86016]
"iRiver Updater"="c:\program files\iRiver\iRiver Manager\Updater\Updater.exe" [2004-03-10 204800]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2005-08-25 180269]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-10-14 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-10-14 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-10-14 114688]
"Lexmark 1200 Series"="c:\program files\Lexmark 1200 Series\lxczbmgr.exe" [2006-03-16 57344]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-03 866584]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-02-01 385024]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-02-19 267048]
"PWRISOVM.EXE"="c:\program files\PowerISO\PWRISOVM.EXE" [2008-11-02 167936]
"H2O"="c:\program files\SyncroSoft\Pos\H2O\cledx.exe" [2005-10-23 385024]
"SnoopFreeUI"="SnoopFreeUI.exe" [2009-02-20 221184]
"EKIJ5000StatusMonitor"="c:\windows\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe" [2008-10-22 1310720]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2010-03-19 2046816]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2007-08-16 236016]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 39264]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
America Online 9.0 Tray Icon.lnk - c:\program files\America Online 9.0\aoltray.exe [2005-4-8 156784]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2005-4-8 24576]
NETGEAR WG111v2 Smart Wizard.lnk - c:\program files\NETGEAR\WG111v2\WG111v2.exe [2009-11-12 1261568]
TabUserW.exe.lnk - c:\windows\SYSTEM32\WTablet\TabUserW.exe [2006-10-10 114688]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 16:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-09-16 02:30 11952 ----a-w- c:\windows\SYSTEM32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk /r \??\C:\0autocheck autochk *

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\SYSTEM32\\DPVSETUP.EXE"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
"c:\\Program Files\\SopCast\\SopCast.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\StreamTorrent 1.0\\StreamTorrent.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\SYSTEM32\DRIVERS\avgldx86.sys [9/15/2009 9:30 PM 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\SYSTEM32\DRIVERS\avgtdix.sys [9/15/2009 9:30 PM 108552]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2009 11:43 AM 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2/17/2009 11:43 AM 55024]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [9/15/2009 9:29 PM 908056]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [9/15/2009 9:29 PM 297752]
R2 SVKP;SVKP;c:\windows\SYSTEM32\SVKP.sys [7/10/2006 8:45 AM 2368]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 6:19 PM 13592]
R3 CLEDX;Team H2O CLEDX service;c:\windows\SYSTEM32\DRIVERS\cledx.sys [1/21/2009 5:57 AM 33792]
R3 RTLWUSB;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter NT Driver;c:\windows\SYSTEM32\DRIVERS\wg111v2.sys [11/12/2009 2:35 PM 194304]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2/17/2009 11:43 AM 7408]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/10/2010 7:54 PM 135664]
S4 sptd;sptd;c:\windows\SYSTEM32\DRIVERS\sptd.sys [3/5/2010 2:49 PM 691696]
.
Contents of the 'Scheduled Tasks' folder

2010-03-26 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 19:57]

2010-04-06 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-11 00:54]

2010-04-06 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-11 00:54]

2010-04-06 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 23:20]
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
uInternet Connection Wizard,ShellNext = [You must be registered and logged in to see this link.]
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
FF - ProfilePath - c:\documents and settings\Randy Ongie\Application Data\Mozilla\Firefox\Profiles\pr0td35c.default\
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
FF - plugin: c:\documents and settings\Randy Ongie\Application Data\Move Networks\plugins\npqmp071503000010.dll
FF - plugin: c:\documents and settings\Randy Ongie\Application Data\Mozilla\Firefox\Profiles\pr0td35c.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071101000055.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPAdbESD.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npRLCT4Player.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\Veetle\Player\npvlc.dll
FF - plugin: c:\program files\Veetle\plugins\npVeetle.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - truec:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDFE0BD779-44EE-4A4B-AA2E-743C63F2E5E6", "AllAccess");
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2010-04-05 20:26
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\|"|w*]
"5E7CEC10DF0760D4F8DAFB12FDC06CCD"="02:\\Software\\Adobe\\FeatureSubscriptions\\DVAAdobeDocMeta\\{01CEC7E5-70FD-4D06-8FAD-BF21DF0CC6DC}\\Registered"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(988)
c:\windows\system32\RtlGina2.dll
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(3652)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\windows\System32\SnoopFreeSvc.exe
c:\windows\system32\Tablet.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\program files\Lexmark 1200 Series\lxczbmon.exe
c:\windows\SnoopFreeUI.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2010-04-05 20:34:16 - machine was rebooted
ComboFix-quarantined-files.txt 2010-04-06 01:34
ComboFix2.txt 2010-04-06 00:18

Pre-Run: 12,180,193,280 bytes free
Post-Run: 12,302,778,368 bytes free

- - End Of File - - CE6F71FE98F8FF2096BAF78B16D1E991

Ongie
Novice
Novice

Posts Posts : 9
Joined Joined : 2010-04-04
OS OS : Windows XP (Service Pack 2)
Points Points : 24523
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Vicious Malware Attack! Ahhhh!

Post by Belahzur on 6th April 2010, 5:19 pm

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /uninstall

This will also reset your restore points.

Run ESET Online Scan
Please do an online scan with [You must be registered and logged in to see this link.]. Please use Internet Explorer as it uses ActiveX.

  • Check (tick) this box: YES, I accept the Terms of Use.
  • Click on the Start button next to it.
  • When prompted to run ActiveX. click Yes.
  • You will be asked to install an ActiveX. Click Install.
  • Once installed, the scanner will be initialized.
  • After the scanner is initialized, click Start.
  • Check (tick) Remove found threats box.
  • Check (tick) Scan unwanted applications.
  • Click on Scan.
  • It will start scanning. Please be patient.
  • Once the scan is done, the log will be saved here: C:\Program Files\esetonlinescanner\log.txt.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34918
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : 7 Home Premium x64
Points Points : 245091
# Likes # Likes : 1

View user profile

Back to top Go down

Re: Vicious Malware Attack! Ahhhh!

Post by Ongie on 6th April 2010, 9:25 pm

The scan just finished. Here is the log.

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=7.00.6000.17023 (vista_gdr.100222-0012)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=cc4359170640e14da00e072b64004737
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-04-06 09:05:20
# local_time=2010-04-06 04:05:20 (-0600, Central Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 2
# compatibility_mode=512 16777215 100 0 257091 257091 0 0
# compatibility_mode=1024 16777175 100 0 16589449 16589449 0 0
# compatibility_mode=6143 16777215 0 0 0 0 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=108855
# found=2
# cleaned=2
# scan_time=8714
C:\Program Files\AIM\Sysfiles\WxBug.EXE Win32/Adware.WBug.A application (deleted - quarantined) 00000000000000000000000000000000 C
C:\Program Files\EnsignGames\DreamStripper\DreamStripper-start.exe probably a variant of Win32/Agent trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

The computer seems to be performing normally now! Thank You! Thank You! Thank You!

If you have any other suggestions on safeguarding future attacks, I would appreciate it. Thank you so much for guiding me through this, Belahzur! You are a gentleman and a scholar!

Ongie
Novice
Novice

Posts Posts : 9
Joined Joined : 2010-04-04
OS OS : Windows XP (Service Pack 2)
Points Points : 24523
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Vicious Malware Attack! Ahhhh!

Post by Belahzur on 7th April 2010, 12:56 am

We need to make a new restore point.

To turn off System Restore, follow these steps:
1. Click Start, right-click My Computer, and then click Properties.
2. Click the System Restore tab.
3. Click the Turn off System Restore check box (or the Turn off System Restore on all drives check box), and then click OK.
4. Click Yes when you receive the prompt to the turn off System Restore.

Now we need to make a new restore point.
To turn on System Restore, follow these steps:
1. Click Start, right-click My Computer, and then click Properties.
2. Click the System Restore tab.
3. Click the Turn off System Restore check box (To turn on System Restore), and then click OK.

Below I have included a number of recommendations for how to protect your computer in order to prevent future malware infections. Please take these recommendations seriously; these few simple steps can stave off the vast majority of spyware problems. As happy as we are to help you, for your sake we would rather not have repeat customers. Goofy

1) Please navigate to [You must be registered and logged in to see this link.] and download all the "critical updates" for Windows. This can patch many of the security holes through which attackers can gain access to your computer.

Please either enable Automatic Updates under Start -> Control Panel -> Automatic Updates , or get into the habit of checking for Windows updates regularly. I cannot stress enough how important this is.

2) In order to protect yourself against spyware, you should consider installing and running the following free programs:

[You must be registered and logged in to see this link.]
A tutorial on using Ad-Aware to remove spyware from your computer may be found [You must be registered and logged in to see this link.].

[You must be registered and logged in to see this link.]
A tutorial on using Spybot to remove spyware from your computer may be found [You must be registered and logged in to see this link.]. Please also remember to enable Spybot's "Immunize" and "TeaTimer" features.

[You must be registered and logged in to see this link.]
A tutorial on using SpywareBlaster to prevent spyware from ever installing on your computer may be found [You must be registered and logged in to see this link.].

[You must be registered and logged in to see this link.]
A tutorial on using SpywareGuard for realtime protection against spyware and hijackers may be found [You must be registered and logged in to see this link.].

Make sure to keep these programs up-to-date and to run them regularly, as this can prevent a great deal of spyware hassle.

3) Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in popup blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from here:
[You must be registered and logged in to see this link.]
I also recommand the following add-ons for Firefox, they will help keep you safe from malicious scripts or activeX exploits.
[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]

4) Also make sure to run your antivirus software regularly, and to keep it up-to-date.

To help you keep your software updated, please considering using this free software program that will check for program updates.
[You must be registered and logged in to see this link.]

5) Finally, consider maintaining a firewall. Some good free firewalls are [You must be registered and logged in to see this link.], or
[You must be registered and logged in to see this link.]
A tutorial on understanding and using firewalls may be found [You must be registered and logged in to see this link.].

Please also read Tony Klein's excellent article: [You must be registered and logged in to see this link.]

If you would take a moment to fill out our feedback form, we would appreciate it.
The link can be found [You must be registered and logged in to see this link.].

Hopefully this should take care of your problems! Good luck. Big Grin


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34918
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : 7 Home Premium x64
Points Points : 245091
# Likes # Likes : 1

View user profile

Back to top Go down

View previous topic View next topic Back to top

- Similar topics

 
Permissions in this forum:
You cannot reply to topics in this forum