Need help removing BankerFox.A virus

Post by ramirez3 on Sat May 29, 2010 6:04 pm

Here are the OTL logs...

OTL Extras logfile created on: 5/29/2010 1:05:40 PM - Run 1
OTL by OldTimer - Version 3.2.5.1 Folder = C:\Documents and Settings\Stephen\My Documents\Downloads
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 78.00% Memory free
4.00 Gb Paging File | 4.00 Gb Available in Paging File | 95.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 149.05 Gb Total Space | 79.63 Gb Free Space | 53.43% Space Free | Partition Type: NTFS
Drive D: | 4.19 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: OWNER-5EA1FE514
Current User Name: Stephen
Logged in as Administrator.

Current Boot Mode: SafeMode with Networking
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\]

[HKEY_CURRENT_USER\SOFTWARE\Classes\]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- "C:\Program Files\Microsoft Office\OFFICE11\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [print] -- "C:\Program Files\Microsoft Office\OFFICE11\msohtmed.exe" /p %1 (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe" = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe:*:Enabled:Logitech Desktop Messenger -- File not found
"C:\Program Files\Electronic Arts\EADM\Core.exe" = C:\Program Files\Electronic Arts\EADM\Core.exe:*:Enabled:EA Download Manager -- File not found
"C:\Program Files\AIM6\aim6.exe" = C:\Program Files\AIM6\aim6.exe:*:Enabled:AIM -- File not found
"C:\Program Files\Samsung\Samsung New PC Studio\npsasvr.exe" = C:\Program Files\Samsung\Samsung New PC Studio\npsasvr.exe:*:Enabled:KTF MUSIC AoD Server -- (PeeringPortal)
"C:\Program Files\Samsung\Samsung New PC Studio\npsvsvr.exe" = C:\Program Files\Samsung\Samsung New PC Studio\npsvsvr.exe:*:Enabled:KTF MUSIC VoD Server -- (PeeringPortal)
"C:\Program Files\World of Warcraft\WoW-3.2.0-enUS-downloader.exe" = C:\Program Files\World of Warcraft\WoW-3.2.0-enUS-downloader.exe:*:Enabled:Blizzard Downloader -- (Blizzard Entertainment)
"C:\Program Files\World of Warcraft\Launcher.exe" = C:\Program Files\World of Warcraft\Launcher.exe:*:Enabled:Blizzard Launcher -- (Blizzard Entertainment)
"C:\Program Files\AIM\aim.exe" = C:\Program Files\AIM\aim.exe:*:Enabled:AIM -- (AOL Inc.)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{0076E1AC-9E7B-4B9F-A62A-4CC9511AD8E3}" = Zune Language Pack (FR)
"{18D10072035C4515918F7E37EAFAACFC}" = AutoUpdate
"{205C6BDD-7B73-42DE-8505-9A093F35A238}" = Windows Live Upload Tool
"{22AA6B16-C6D2-4378-A700-AB6E48501F0A}" = Futuremark SystemInfo
"{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}" = MSVCRT
"{26A24AE4-039D-4CA4-87B4-2F83216013FF}" = Java(TM) 6 Update 19
"{2CCBABCB-6427-4A55-B091-49864623C43F}" = Google Toolbar for Firefox
"{2E8EAC71-BFE4-417A-88F0-5A1BDFBCF5D3}" = Logitech SetPoint
"{30C2FCD0-FF7B-4FFA-8DDE-43A22E01A1E7}" = Rhapsody Player Engine
"{3175E049-F9A9-4A3D-8F19-AC9FB04514D1}" = Windows Live Communications Platform
"{3248F0A8-6813-11D6-A77B-00B0D0150030}" = J2SE Runtime Environment 5.0 Update 3
"{3248F0A8-6813-11D6-A77B-00B0D0150060}" = J2SE Runtime Environment 5.0 Update 6
"{3248F0A8-6813-11D6-A77B-00B0D0150070}" = J2SE Runtime Environment 5.0 Update 7
"{3248F0A8-6813-11D6-A77B-00B0D0150080}" = J2SE Runtime Environment 5.0 Update 8
"{3248F0A8-6813-11D6-A77B-00B0D0150090}" = J2SE Runtime Environment 5.0 Update 9
"{3248F0A8-6813-11D6-A77B-00B0D0150100}" = J2SE Runtime Environment 5.0 Update 10
"{3248F0A8-6813-11D6-A77B-00B0D0160020}" = Java(TM) 6 Update 2
"{3248F0A8-6813-11D6-A77B-00B0D0160030}" = Java(TM) 6 Update 3
"{3248F0A8-6813-11D6-A77B-00B0D0160050}" = Java(TM) 6 Update 5
"{3248F0A8-6813-11D6-A77B-00B0D0160070}" = Java(TM) 6 Update 7
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{474F25F5-BDC9-40E5-B1B6-F6BF23FC106F}" = Windows Live Essentials
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}" = PowerDVD
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{716E0306-8318-4364-8B8F-0CC4E9376BAC}" = MSXML 4.0 SP2 Parser and SDK
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{789289CA-F73A-4A16-A331-54D498CE069F}" = Ventrilo Client
"{7B63B2922B174135AFC0E1377DD81EC2}" = DivX Codec
"{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8A25392D-C5D2-4E79-A2BD-C15DDC5B0959}" = Bonjour
"{8ADFC4160D694100B5B8A22DE9DCABD9}" = DivX Player
"{900B1197-53F5-4F46-A882-2CFFFE2EEDCB}" = Logitech Desktop Messenger
"{90110409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Professional Edition 2003
"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
"{9422C8EA-B0C6-4197-B8FC-DC797658CA00}" = Windows Live Sign-in Assistant
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{A1F66FC9-11EE-4F2F-98C9-16F8D1E69FB7}" = Segoe UI
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{AC76BA86-7AD7-1033-7B44-A70000000000}" = Adobe Reader 7.0
"{AD483998-2E9A-4405-83FF-6E503AF49CBB}" = Microsoft Virtual PC 2007 SP1
"{B13A7C41581B411290FBC0395694E2A9}" = DivX Converter
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
"{B57EAFF2-D6EE-4C6C-9175-ED9F17BFC1BC}" = Windows Live Messenger
"{B7050CBDB2504B34BC2A9CA0A692CC29}" = DivX Web Player
"{C05D8CDB-417D-4335-A38C-A0659EDFD6B8}" = The Sims™ 3
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C21D5524-A970-42FA-AC8A-59B8C7CDCA31}" = QuickTime
"{C4124E95-5061-4776-8D5D-E3D931C778E1}" = Microsoft VC9 runtime libraries
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D050D7362D214723AD585B541FFB6C11}" = DivX Content Uploader
"{D777D80E-13AE-4E6C-BCB2-9AEE10D9DEF1}" = Driver Updater
"{E3E71D07-CD27-46CB-8448-16D4FB29AA13}" = Microsoft WSE 3.0 Runtime
"{E6158D07-2637-4ECF-B576-37C489669174}" = Windows Live Call
"{EE4ACABF-531E-419A-9225-B8E0FA4955AF}" = Zune Language Pack (ES)
"{F0E12BBA-AD66-4022-A453-A1C8A0C4D570}" = Microsoft Choice Guard
"{F193FC0E-9E18-40FC-A974-509A1BDD240A}" = Samsung New PC Studio
"{FF70513F-E3A7-402F-84FB-B7810A064BE2}" = Zune
"Adobe Flash Player ActiveX" = Adobe Flash Player ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"AIM Toolbar" = AIM Toolbar
"AIM_7" = AIM 7
"AlienGUIse" = AlienGUIse
"CAL" = Canon Camera Access Library
"CameraWindowDC" = Canon Utilities CameraWindow DC
"CameraWindowDVC5" = Canon Utilities CameraWindow DC_DV 5 for ZoomBrowser EX
"CameraWindowDVC6" = Canon Utilities CameraWindow DC_DV 6 for ZoomBrowser EX
"CameraWindowLauncher" = Canon Utilities CameraWindow
"Canon G.726 WMP-Decoder" = Canon G.726 WMP-Decoder
"CANON iMAGE GATEWAY Task" = CANON iMAGE GATEWAY Task for ZoomBrowser EX
"Canon Internet Library for ZoomBrowser EX" = Canon Internet Library for ZoomBrowser EX
"CSCLIB" = Canon Camera Support Core Library
"EfntSSDSL" = Efficient Networks SpeedStream DSL
"EOS Utility" = Canon Utilities EOS Utility
"GameSpy Arcade" = GameSpy Arcade
"Halo" = Microsoft Halo
"Halo3" = Halo3 Screen Saver
"HijackThis" = HijackThis 1.99.1
"Hijackthis_is1" = Hijackthis 1.99.1
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"ie8" = Windows Internet Explorer 8
"InCD!UninstallKey" = InCD
"InstallShield_{C21D5524-A970-42FA-AC8A-59B8C7CDCA31}" = QuickTime
"InstallShield_{F193FC0E-9E18-40FC-A974-509A1BDD240A}" = Samsung New PC Studio
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"mIRC" = mIRC
"MovieEditTask" = Canon MovieEdit Task for ZoomBrowser EX
"Mozilla Firefox (3.6.3)" = Mozilla Firefox (3.6.3)
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"MyCamera" = Canon Utilities MyCamera
"MyCameraDC" = Canon Utilities MyCamera DC
"MySpaceIM" = MySpaceIM
"Nero - Burning Rom!UninstallKey" = Nero OEM
"NeroVision!UninstallKey" = Nero Digital
"net" = Advertisement Service
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"NVEContent!UninstallKey" = NeroVision Express Content
"NVIDIA Drivers" = NVIDIA Drivers
"PhotoStitch" = Canon Utilities PhotoStitch
"PROSet" = Intel(R) PRO Network Connections Drivers
"RAW Image Task" = Canon RAW Image Task for ZoomBrowser EX
"RealPlayer 6.0" = RealPlayer
"RemoteCaptureDC" = Canon Utilities RemoteCapture DC
"RemoteCaptureTask" = Canon Utilities RemoteCapture Task for ZoomBrowser EX
"SAMSUNG Mobile Modem" = SAMSUNG Mobile Modem Driver Set
"SAMSUNG Mobile Modem V2" = SAMSUNG Mobile Modem V2 Software
"SoftwareUpdUtility" = Download Updater (AOL LLC)
"Sophos-AntiRootkit" = Sophos Anti-Rootkit 1.3.1
"Spybot - Search & Destroy_is1" = Spybot - Search & Destroy 1.4
"Stellarium_is1" = Stellarium 0.10.2
"Theme Manager" = Theme Manager
"Viewpoint Manager" = Viewpoint Manager (Remove Only)
"ViewpointMediaPlayer" = Viewpoint Media Player
"VLC media player" = VideoLAN VLC media player 0.8.6c
"Wdf01001" = Microsoft Kernel-Mode Driver Framework Feature Pack 1.1
"Wdf01007" = Microsoft Kernel-Mode Driver Framework Feature Pack 1.7
"Windows Live OneCare safety scanner" = Windows Live OneCare safety scanner
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 3
"WinLiveSuite_Wave3" = Windows Live Essentials
"WinRAR archiver" = WinRAR archiver
"winusb0100" = Microsoft WinUsb 1.0
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"World of Warcraft" = World of Warcraft
"Wudf01007" = Microsoft User-Mode Driver Framework Feature Pack 1.7
"ZoomBrowser EX" = Canon Utilities ZoomBrowser EX
"ZoomBrowser EX Memory Card Utility" = Canon ZoomBrowser EX Memory Card Utility
"Zune" = Zune

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 5/19/2010 2:06:31 AM | Computer Name = OWNER-5EA1FE514 | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from:
with error: This network connection does not exist.

Error - 5/19/2010 2:11:32 AM | Computer Name = OWNER-5EA1FE514 | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from:
with error: This network connection does not exist.

Error - 5/19/2010 2:11:32 AM | Computer Name = OWNER-5EA1FE514 | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from:
with error: This network connection does not exist.

Error - 5/19/2010 2:11:32 AM | Computer Name = OWNER-5EA1FE514 | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from:
with error: This network connection does not exist.

Error - 5/28/2010 1:24:40 AM | Computer Name = OWNER-5EA1FE514 | Source = Application Hang | ID = 1002
Description = Hanging application MySpaceIM.exe, version 1.0.756.0, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 5/28/2010 5:17:56 PM | Computer Name = OWNER-5EA1FE514 | Source = Application Hang | ID = 1002
Description = Hanging application aim.exe, version 7.2.7.2, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 5/29/2010 12:16:46 PM | Computer Name = OWNER-5EA1FE514 | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from:
with error: A connection with the server could not be established

Error - 5/29/2010 12:16:53 PM | Computer Name = OWNER-5EA1FE514 | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from:
with error: A connection with the server could not be established

Error - 5/29/2010 12:24:23 PM | Computer Name = OWNER-5EA1FE514 | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from:
with error: A connection with the server could not be established

Error - 5/29/2010 12:31:12 PM | Computer Name = OWNER-5EA1FE514 | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from:
with error: A connection with the server could not be established

[ System Events ]
Error - 5/29/2010 11:49:55 AM | Computer Name = OWNER-5EA1FE514 | Source = Dhcp | ID = 1002
Description = The IP address lease 192.168.254.1 for the Network Card with network
address 0015F2A623B6 has been denied by the DHCP server 192.168.254.254 (The DHCP
Server sent a DHCPNACK message).

Error - 5/29/2010 12:06:09 PM | Computer Name = OWNER-5EA1FE514 | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service EventSystem
with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

Error - 5/29/2010 12:07:21 PM | Computer Name = OWNER-5EA1FE514 | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
Fips intelppm vmm

Error - 5/29/2010 12:16:19 PM | Computer Name = OWNER-5EA1FE514 | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service MSIServer with
arguments "" in order to run the server: {000C101C-0000-0000-C000-000000000046}

Error - 5/29/2010 12:17:01 PM | Computer Name = OWNER-5EA1FE514 | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service EventSystem
with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

Error - 5/29/2010 12:18:28 PM | Computer Name = OWNER-5EA1FE514 | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service EventSystem
with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

Error - 5/29/2010 12:19:40 PM | Computer Name = OWNER-5EA1FE514 | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
Fips intelppm vmm

Error - 5/29/2010 12:39:16 PM | Computer Name = OWNER-5EA1FE514 | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service wuauserv with
arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}

Error - 5/29/2010 1:06:07 PM | Computer Name = OWNER-5EA1FE514 | Source = SRService | ID = 104
Description = The System Restore initialization process failed.

Error - 5/29/2010 1:06:07 PM | Computer Name = OWNER-5EA1FE514 | Source = Service Control Manager | ID = 7023
Description = The System Restore Service service terminated with the following error:
%%2


< End of report >




OTL logfile created on: 5/29/2010 1:05:40 PM - Run 1
OTL by OldTimer - Version 3.2.5.1 Folder = C:\Documents and Settings\Stephen\My Documents\Downloads
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 78.00% Memory free
4.00 Gb Paging File | 4.00 Gb Available in Paging File | 95.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 149.05 Gb Total Space | 79.63 Gb Free Space | 53.43% Space Free | Partition Type: NTFS
Drive D: | 4.19 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: OWNER-5EA1FE514
Current User Name: Stephen
Logged in as Administrator.

Current Boot Mode: SafeMode with Networking
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/05/29 13:04:55 | 000,571,904 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Stephen\My Documents\Downloads\OTL.exe
PRC - [2010/04/03 02:45:12 | 000,910,296 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2008/04/13 20:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe


========== Modules (SafeList) ==========

MOD - [2010/05/29 13:04:55 | 000,571,904 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Stephen\My Documents\Downloads\OTL.exe
MOD - [2008/04/13 20:10:20 | 000,110,592 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msscript.ocx


========== Win32 Services (SafeList) ==========

SRV - [2008/12/12 13:41:18 | 005,117,568 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- c:\Program Files\Zune\ZuneNss.exe -- (ZuneNetworkSvc)
SRV - [2008/12/12 13:41:08 | 000,243,840 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\ZuneWlanCfgSvc.exe -- (ZuneWlanCfgSvc)
SRV - [2008/12/12 13:41:02 | 000,060,032 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\WINDOWS\system32\ZuneBusEnum.exe -- (ZuneBusEnum)
SRV - [2007/01/31 15:55:42 | 000,096,370 | ---- | M] (Canon Inc.) [Auto | Stopped] -- C:\Program Files\Canon\CAL\CALMAIN.exe -- (CCALib8)
SRV - [2007/01/04 17:38:08 | 000,024,652 | ---- | M] (Viewpoint Corporation) [Auto | Stopped] -- C:\Program Files\Viewpoint\Common\ViewpointService.exe -- (Viewpoint Manager Service)
SRV - [2005/04/12 11:15:04 | 000,869,376 | ---- | M] (Nero AG) [Auto | Stopped] -- C:\Program Files\Ahead\InCD\InCDsrv.exe -- (InCDsrv)
SRV - [2004/08/04 08:00:00 | 000,051,200 | ---- | M] (FTD2XX Software Technology) [Auto | Stopped] -- C:\WINDOWS\system32\BtwSrv.dll -- (BtwSrv)
SRV - [2004/08/04 08:00:00 | 000,043,008 | ---- | M] (Netopsystems AG) [Auto | Stopped] -- C:\WINDOWS\system32\FastNetSrv.exe -- (fastnetsrv)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | Disabled | Running] -- -- (PCTCore)
DRV - [2010/01/18 22:41:16 | 000,030,104 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\avgfwdx.sys -- (Avgfwfd)
DRV - [2010/01/18 22:41:16 | 000,030,104 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\avgfwdx.sys -- (Avgfwdx)
DRV - [2009/07/16 18:59:01 | 000,229,224 | ---- | M] (Microsoft Corporation) [Kernel | System | Stopped] -- C:\WINDOWS\system32\drivers\VMM.sys -- (vmm)
DRV - [2009/05/13 12:41:02 | 000,121,856 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\sscemdm.sys -- (sscemdm)
DRV - [2009/05/13 12:41:02 | 000,090,240 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\sscebus.sys -- (sscebus) SAMSUNG USB Composite Device V2 driver (WDM)
DRV - [2009/05/13 12:41:02 | 000,014,976 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\sscemdfl.sys -- (sscemdfl)
DRV - [2008/11/10 13:09:32 | 000,040,832 | ---- | M] (Microsoft Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\zumbus.sys -- (zumbus)
DRV - [2008/04/13 20:11:56 | 000,002,304 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\winsts.sys -- (winsts)
DRV - [2008/04/13 20:11:56 | 000,002,304 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\ndisdrv.sys -- (ndisdrv)
DRV - [2008/03/20 04:45:24 | 000,025,280 | ---- | M] (LogMeIn, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\hamachi.sys -- (hamachi)
DRV - [2008/02/05 02:50:44 | 000,059,960 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\VMNetSrv.sys -- (VPCNetS2)
DRV - [2007/11/16 21:34:21 | 000,019,712 | ---- | M] (Printing Communications Assoc., Inc. (PCAUSA)) [Kernel | On_Demand | Stopped] -- C:\Program Files\Common Files\Motive\MREMP50.sys -- (MREMP50)
DRV - [2007/11/16 21:34:21 | 000,018,304 | ---- | M] (Printing Communications Assoc., Inc. (PCAUSA)) [Kernel | On_Demand | Stopped] -- C:\Program Files\Common Files\Motive\MRESP50.sys -- (MRESP50)
DRV - [2007/02/17 02:22:30 | 000,052,352 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\xusb21.sys -- (xusb21)
DRV - [2006/11/02 08:00:08 | 000,039,368 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\winusb.sys -- (WinUSB)
DRV - [2006/03/09 16:29:00 | 003,650,368 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\nv4_mini.sys -- (nv)
DRV - [2005/07/26 08:01:56 | 000,415,360 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\nvapu.sys -- (nvnforce) Service for NVIDIA(R) nForce(TM)
DRV - [2005/07/26 07:58:30 | 000,053,376 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\nvax.sys -- (nvax) Service for NVIDIA(R) nForce(TM)
DRV - [2005/05/26 13:06:00 | 000,092,800 | R--- | M] (NVIDIA Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\nvata.sys -- (nvata)
DRV - [2005/05/26 13:06:00 | 000,092,800 | ---- | M] (NVIDIA Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\nvatabus.sys -- (nvatabus)
DRV - [2005/05/20 16:01:32 | 000,025,600 | ---- | M] (Logitech, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\LHidKE.Sys -- (LHidKe)
DRV - [2005/05/20 16:01:26 | 000,068,352 | ---- | M] (Logitech, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\LMouKE.Sys -- (LMouKE)
DRV - [2005/05/20 16:01:00 | 000,036,480 | ---- | M] (Logitech, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\LHidUsbK.sys -- (LHidUsbK)
DRV - [2005/05/20 16:00:48 | 000,054,528 | ---- | M] (Logitech, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\L8042mou.Sys -- (L8042mou)
DRV - [2005/05/20 16:00:36 | 000,013,056 | ---- | M] (Logitech, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\L8042Kbd.SYS -- (L8042Kbd)
DRV - [2005/04/12 11:07:50 | 000,099,456 | ---- | M] (Nero AG) [File_System | Disabled | Stopped] -- C:\WINDOWS\system32\drivers\InCDfs.sys -- (InCDfs)
DRV - [2005/04/12 11:07:30 | 000,029,056 | ---- | M] (Nero AG) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\InCDpass.sys -- (InCDPass)
DRV - [2005/04/12 05:07:25 | 000,028,160 | ---- | M] (Nero AG) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\InCDrm.sys -- (incdrm)
DRV - [2005/04/06 03:22:00 | 000,033,536 | R--- | M] (NVIDIA Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\NVENETFD.sys -- (NVENETFD)
DRV - [2005/04/06 03:22:00 | 000,012,928 | R--- | M] (NVIDIA Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\nvnetbus.sys -- (nvnetbus)
DRV - [2005/01/20 06:30:52 | 000,067,200 | R--- | M] (Silicon Image, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\SI3132.sys -- (SI3132)
DRV - [2004/11/02 03:21:32 | 000,010,368 | R--- | M] (Silicon Image, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\SiWinAcc.sys -- (SiFilter)
DRV - [2004/08/13 10:56:20 | 000,005,810 | ---- | M] () [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ASACPI.sys -- (MTsensor)
DRV - [2003/05/14 05:16:36 | 000,028,005 | ---- | M] (Efficient Networks, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\enethusb.sys -- (ENETHUSB)
DRV - [2002/11/20 19:45:50 | 000,002,218 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\vncdrv.sys -- (vncdrv)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomSearch = [You must be registered and logged in to see this link.]
IE - HKLM\..\URLSearchHook: {03402f96-3dc7-4285-bc50-9e81fefafe43} - C:\Program Files\AIM Toolbar\aimtb.dll (AOL Inc.)

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
IE - HKCU\..\URLSearchHook: {03402f96-3dc7-4285-bc50-9e81fefafe43} - C:\Program Files\AIM Toolbar\aimtb.dll (AOL Inc.)
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" =
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:5555

========== FireFox ==========

FF - prefs.js..browser.search.defaultenginename: "AOL Search"
FF - prefs.js..browser.search.defaulturl: "http://aim.search.aol.com/aol/search?query={searchTerms}&invocationType=tb50-ff-aim-chromesbox-en-us&tb_uuid=100000000000000002&tb_oid=25-05-2010&tb_mrud=25-05-2010"
FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..browser.startup.homepage: "neogaf.com"
FF - prefs.js..extensions.enabledItems: [You must be registered and logged in to see this link.]:1.0
FF - prefs.js..extensions.enabledItems: [You must be registered and logged in to see this link.]:1.0.0.071301000019
FF - prefs.js..extensions.enabledItems: {c2f863cd-0429-48c7-bb54-db756a951760}:5.96.10.5491
FF - prefs.js..keyword.URL: "http://slirsredirect.search.aol.com/redirector/sredir?sredir=2706&invocationType=tb50-ff-aim-ab-en-us&tb_uuid=100000000000000002&tb_oid=25-05-2010&tb_mrud=25-05-2010&query="


FF - HKLM\software\mozilla\Firefox\Extensions\\{ABDE892B-13A8-4d1b-88E6-365A6E755758}: C:\Program Files\Real\RealPlayer\browserrecord [2009/02/12 17:16:00 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.3\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/04/11 17:08:42 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.3\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/05/25 00:44:20 | 000,000,000 | ---D | M]

[2008/09/06 00:07:13 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Stephen\Application Data\Mozilla\Extensions
[2010/05/27 18:42:21 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Stephen\Application Data\Mozilla\Firefox\Profiles\mu6d7r14.default\extensions
[2009/09/06 15:36:56 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\Stephen\Application Data\Mozilla\Firefox\Profiles\mu6d7r14.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2010/05/25 00:44:41 | 000,000,000 | ---D | M] (AIM Toolbar) -- C:\Documents and Settings\Stephen\Application Data\Mozilla\Firefox\Profiles\mu6d7r14.default\extensions\{c2f863cd-0429-48c7-bb54-db756a951760}
[2009/06/02 16:23:05 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Stephen\Application Data\Mozilla\Firefox\Profiles\mu6d7r14.default\extensions\moveplayer@movenetworks.com
[2008/11/27 21:33:49 | 000,001,739 | ---- | M] () -- C:\Documents and Settings\Stephen\Application Data\Mozilla\Firefox\Profiles\mu6d7r14.default\searchplugins\aim-search.xml
[2010/05/25 00:45:05 | 000,002,343 | ---- | M] () -- C:\Documents and Settings\Stephen\Application Data\Mozilla\Firefox\Profiles\mu6d7r14.default\searchplugins\aol-search.xml
[2010/05/15 22:41:06 | 000,001,819 | ---- | M] () -- C:\Documents and Settings\Stephen\Application Data\Mozilla\Firefox\Profiles\mu6d7r14.default\searchplugins\bing.xml
[2010/05/27 18:42:21 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2008/06/19 05:16:24 | 000,118,784 | ---- | M] (CANON INC.) -- C:\Program Files\Mozilla Firefox\plugins\MyCamera.dll
[2008/06/19 05:16:24 | 000,053,248 | ---- | M] (CANON INC.) -- C:\Program Files\Mozilla Firefox\plugins\NPCIG.dll
[2006/11/23 19:00:42 | 000,114,688 | ---- | M] () -- C:\Program Files\Mozilla Firefox\plugins\npmozax.dll
[2007/04/16 13:07:12 | 000,180,293 | ---- | M] () -- C:\Program Files\Mozilla Firefox\plugins\npViewpoint.dll

O1 HOSTS File: ([2009/12/30 19:58:22 | 000,371,235 | R--- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 12798 more lines...
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O2 - BHO: (AIM Toolbar Loader) - {b0cda128-b425-4eef-a174-61a11ac5dbf8} - C:\Program Files\AIM Toolbar\aimtb.dll (AOL Inc.)
O2 - BHO: (no name) - {C5B24B16-23F2-41AD-F4E4-00ABC39C0004} - No CLSID value found.
O3 - HKLM\..\Toolbar: (AIM Toolbar) - {61539ecd-cc67-4437-a03c-9aaccbd14326} - C:\Program Files\AIM Toolbar\aimtb.dll (AOL Inc.)
O3 - HKCU\..\Toolbar\WebBrowser: (AIM Toolbar) - {61539ECD-CC67-4437-A03C-9AACCBD14326} - C:\Program Files\AIM Toolbar\aimtb.dll (AOL Inc.)
O4 - HKLM..\Run: [jqrmnodu] C:\Documents and Settings\Stephen\Local Settings\Application Data\hoqlqcrfs\xfampfjtssd.exe ()
O4 - HKLM..\Run: [Logitech Hardware Abstraction Layer] C:\WINDOWS\KHALMNPR.Exe (Logitech Inc.)
O4 - HKLM..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe (Ahead Software Gmbh)
O4 - HKLM..\Run: [notepad] C:\WINDOWS\System32\notepad.DLL ()
O4 - HKLM..\Run: [NPSStartup] File not found
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] C:\WINDOWS\System32\NvMcTray.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [nwiz] C:\WINDOWS\System32\nwiz.exe ()
O4 - HKLM..\Run: [Zune Launcher] c:\Program Files\Zune\ZuneLauncher.exe (Microsoft Corporation)
O4 - HKCU..\Run: [Aim] C:\Program Files\AIM\aim.exe (AOL Inc.)
O4 - HKCU..\Run: [AutoStartNPSAgent] C:\Program Files\Samsung\Samsung New PC Studio\NPSAgent.exe File not found
O4 - HKCU..\Run: [Driver Updater] C:\Program Files\Carambis\Driver Updater\dupdater.exe (Media Fog Ltd.)
O4 - HKCU..\Run: [EA Core] C:\Program Files\Electronic Arts\EADM\Core.exe File not found
O4 - HKCU..\Run: [gadcom] C:\Documents and Settings\Stephen\Application Data\gadcom\gadcom.exe File not found
O4 - HKCU..\Run: [jqrmnodu] C:\Documents and Settings\Stephen\Local Settings\Application Data\hoqlqcrfs\xfampfjtssd.exe ()
O4 - HKCU..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe ()
O4 - HKCU..\Run: [notepad] C:\Documents and Settings\Stephen\ntload.dll ()
O4 - HKCU..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (Safer-Networking Ltd.)
O4 - HKCU..\Run: [tbon] C:\Program Files\TBONBin\tbon.exe File not found
O4 - HKLM..\RunOnce: [NoIE4StubProcessing] File not found
O4 - HKCU..\RunOnce: [SpybotDeletingB5425] C:\WINDOWS\System32\command.com ()
O4 - HKCU..\RunOnce: [SpybotDeletingD3758] C:\WINDOWS\System32\cmd.exe (Microsoft Corporation)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe (Adobe Systems Incorporated)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe File not found
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe (Logitech Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Meet MINITAB.lnk = C:\Program Files\MINITAB 14 Student\MeetMinitab.pdf File not found
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\MINITAB 14 Student.lnk = C:\Program Files\MINITAB 14 Student\mtb14.exe File not found
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\MINITAB Help.lnk = C:\Program Files\MINITAB 14 Student\mtb14.chm File not found
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\MINITAB Session Command Help.lnk = C:\Program Files\MINITAB 14 Student\Mtb14sc.chm File not found
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\MINITAB Tutorials.lnk = C:\Program Files\MINITAB 14 Student\Mtb14tut.chm File not found
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ReadMe.lnk = C:\Program Files\MINITAB 14 Student\ReadMe.wri File not found
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\StatGuide.lnk = C:\Program Files\MINITAB 14 Student\MTB14SG.HLP File not found
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O9 - Extra Button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll (Apple Inc.)
O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} [You must be registered and logged in to see this link.] (Checkers Class)
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} [You must be registered and logged in to see this link.] (Checkers Class)
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} C:\Program Files\Yahoo!\Common\Yinsthelper.dll (Installation Support)
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} [You must be registered and logged in to see this link.] (Solitaire Showdown Class)
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} [You must be registered and logged in to see this link.] (UnoCtrl Class)
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} [You must be registered and logged in to see this link.] (Windows Live Safety Center Base Module)
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} [You must be registered and logged in to see this link.] (MJLauncherCtrl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} [You must be registered and logged in to see this link.] (Java Plug-in 1.6.0_19)
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} [You must be registered and logged in to see this link.] (MessengerStatsClient Class)
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} [You must be registered and logged in to see this link.] (MSN Games - Installer)
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} [You must be registered and logged in to see this link.] (CBreakshotControl Class)
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} [You must be registered and logged in to see this link.] (MessengerStatsClient Class)
O16 - DPF: {CAFEEFAC-0015-0000-0003-ABCDEFFEDCBA} [You must be registered and logged in to see this link.] (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} [You must be registered and logged in to see this link.] (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0015-0000-0007-ABCDEFFEDCBA} [You must be registered and logged in to see this link.] (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0015-0000-0008-ABCDEFFEDCBA} [You must be registered and logged in to see this link.] (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} [You must be registered and logged in to see this link.] (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} [You must be registered and logged in to see this link.] (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} [You must be registered and logged in to see this link.] (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} [You must be registered and logged in to see this link.] (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} [You must be registered and logged in to see this link.] (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} [You must be registered and logged in to see this link.] (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} [You must be registered and logged in to see this link.] (Java Plug-in 1.6.0_19)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} [You must be registered and logged in to see this link.] (Java Plug-in 1.6.0_19)
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} [You must be registered and logged in to see this link.] (Solitaire Showdown Class)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.254.254 192.168.254.254
O18 - Protocol\Handler\bwfile-8876480 {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll (Logitech Inc.)
O18 - Protocol\Handler\livecall {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.14.0.8117.0416.dll (Microsoft Corporation)
O18 - Protocol\Handler\msnim {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.14.0.8117.0416.dll (Microsoft Corporation)
O18 - Protocol\Filter\text/html - No CLSID value found
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\khfGxuRk: DllName - khfGxuRk.dll - File not found
O20 - Winlogon\Notify\WB: DllName - C:\Program Files\AlienGUIse\fastload.dll - C:\Program Files\AlienGUIse\fastload.dll (Stardock)
O24 - Desktop WallPaper: C:\WINDOWS\Darkstar.bmp
O24 - Desktop BackupWallPaper: C:\WINDOWS\Darkstar.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2005/07/20 02:11:43 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2009/09/28 11:08:52 | 000,000,029 | R--- | M] () - D:\AUTORUN.INF -- [ CDFS ]
O33 - MountPoints2\{8b3453d0-07c9-11df-b84a-0015f2a623b6}\Shell - "" = AutoRun
O33 - MountPoints2\{8b3453d0-07c9-11df-b84a-0015f2a623b6}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{8b3453d0-07c9-11df-b84a-0015f2a623b6}\Shell\AutoRun\command - "" = E:\NPSAI.exe -- File not found
O33 - MountPoints2\{97286997-b9bf-11de-b818-000b23502787}\Shell - "" = AutoRun
O33 - MountPoints2\{97286997-b9bf-11de-b818-000b23502787}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{97286997-b9bf-11de-b818-000b23502787}\Shell\AutoRun\command - "" = E:\LaunchU3.exe -- File not found
O33 - MountPoints2\D\Shell - "" = AutoRun
O33 - MountPoints2\D\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\D\Shell\AutoRun\command - "" = D:\cd_splash.exe -- [2009/09/28 11:08:53 | 004,313,320 | R--- | M] (Adobe Systems, Inc.)
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs: BtwSrv - C:\WINDOWS\system32\BtwSrv.dll (FTD2XX Software Technology)
NetSvcs: 6to4 - File not found
NetSvcs: Ias - C:\WINDOWS\system32\ias [2005/07/19 18:53:24 | 000,000,000 | ---D | M]
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: Wmi - C:\WINDOWS\system32\wmi.dll (Microsoft Corporation)
NetSvcs: WmdmPmSp - File not found


SafeBootMin: aawservice - Reg Error: Value error.
SafeBootMin: Base - Reg Error: Value error.
SafeBootMin: Boot Bus Extender - Reg Error: Value error.
SafeBootMin: Boot file system - Reg Error: Value error.
SafeBootMin: File system - Reg Error: Value error.
SafeBootMin: Filter - Reg Error: Value error.
SafeBootMin: PCI Configuration - Reg Error: Value error.
SafeBootMin: PNP Filter - Reg Error: Value error.
SafeBootMin: Primary disk - Reg Error: Value error.
SafeBootMin: SCSI Class - Reg Error: Value error.
SafeBootMin: sermouse.sys - Reg Error: Value error.
SafeBootMin: System Bus Extender - Reg Error: Value error.
SafeBootMin: vds - Reg Error: Value error.
SafeBootMin: vga.sys - Reg Error: Value error.
SafeBootMin: {36FC9E60-C465-11CF-8056-444553540000} - Reg Error: Value error.
SafeBootMin: {4D36E965-E325-11CE-BFC1-08002BE10318} - Reg Error: Value error.
SafeBootMin: {4D36E967-E325-11CE-BFC1-08002BE10318} - Reg Error: Value error.
SafeBootMin: {4D36E969-E325-11CE-BFC1-08002BE10318} - Reg Error: Value error.
SafeBootMin: {4D36E96A-E325-11CE-BFC1-08002BE10318} - Reg Error: Value error.
SafeBootMin: {4D36E96B-E325-11CE-BFC1-08002BE10318} - Reg Error: Value error.
SafeBootMin: {4D36E96F-E325-11CE-BFC1-08002BE10318} - Reg Error: Value error.
SafeBootMin: {4D36E977-E325-11CE-BFC1-08002BE10318} - Reg Error: Value error.
SafeBootMin: {4D36E97B-E325-11CE-BFC1-08002BE10318} - Reg Error: Value error.
SafeBootMin: {4D36E97D-E325-11CE-BFC1-08002BE10318} - Reg Error: Value error.
SafeBootMin: {4D36E980-E325-11CE-BFC1-08002BE10318} - Reg Error: Value error.
SafeBootMin: {533C5B84-EC70-11D2-9505-00C04F79DEAF} - Reg Error: Value error.
SafeBootMin: {71A27CDD-812A-11D0-BEC7-08002BE2092F} - Reg Error: Value error.
SafeBootMin: {745A17A0-74D3-11D0-B6FE-00A0C90F57DA} - Reg Error: Value error.
SafeBootMin: sdAuxService - Reg Error: Value error.
SafeBootMin: sdCoreService - Reg Error: Value error.

SafeBootNet: aawservice - Reg Error: Value error.
SafeBootNet: Base - Reg Error: Value error.
SafeBootNet: Boot Bus Extender - Reg Error: Value error.
SafeBootNet: Boot file system - Reg Error: Value error.
SafeBootNet: File system - Reg Error: Value error.
SafeBootNet: Filter - Reg Error: Value error.
SafeBootNet: NDIS Wrapper - Reg Error: Value error.
SafeBootNet: NetBIOSGroup - Reg Error: Value error.
SafeBootNet: NetDDEGroup - Reg Error: Value error.
SafeBootNet: Network - Reg Error: Value error.
SafeBootNet: NetworkProvider - Reg Error: Value error.
SafeBootNet: PCI Configuration - Reg Error: Value error.
SafeBootNet: PNP Filter - Reg Error: Value error.
SafeBootNet: PNP_TDI - Reg Error: Value error.
SafeBootNet: Primary disk - Reg Error: Value error.
SafeBootNet: SCSI Class - Reg Error: Value error.
SafeBootNet: sermouse.sys - Reg Error: Value error.
SafeBootNet: Streams Drivers - Reg Error: Value error.
SafeBootNet: System Bus Extender - Reg Error: Value error.
SafeBootNet: TDI - Reg Error: Value error.
SafeBootNet: vga.sys - Reg Error: Value error.
SafeBootNet: {1a3e09be-1e45-494b-9174-d7385b45bbf5} - Reg Error: Value error.
SafeBootNet: {36FC9E60-C465-11CF-8056-444553540000} - Reg Error: Value error.
SafeBootNet: {4D36E965-E325-11CE-BFC1-08002BE10318} - Reg Error: Value error.
SafeBootNet: {4D36E967-E325-11CE-BFC1-08002BE10318} - Reg Error: Value error.
SafeBootNet: {4D36E969-E325-11CE-BFC1-08002BE10318} - Reg Error: Value error.
SafeBootNet: {4D36E96A-E325-11CE-BFC1-08002BE10318} - Reg Error: Value error.
SafeBootNet: {4D36E96B-E325-11CE-BFC1-08002BE10318} - Reg Error: Value error.
SafeBootNet: {4D36E96F-E325-11CE-BFC1-08002BE10318} - Reg Error: Value error.
SafeBootNet: {4D36E972-E325-11CE-BFC1-08002BE10318} - Reg Error: Value error.
SafeBootNet: {4D36E973-E325-11CE-BFC1-08002BE10318} - Reg Error: Value error.
SafeBootNet: {4D36E974-E325-11CE-BFC1-08002BE10318} - Reg Error: Value error.
SafeBootNet: {4D36E975-E325-11CE-BFC1-08002BE10318} - Reg Error: Value error.
SafeBootNet: {4D36E977-E325-11CE-BFC1-08002BE10318} - Reg Error: Value error.
SafeBootNet: {4D36E97B-E325-11CE-BFC1-08002BE10318} - Reg Error: Value error.
SafeBootNet: {4D36E97D-E325-11CE-BFC1-08002BE10318} - Reg Error: Value error.
SafeBootNet: {4D36E980-E325-11CE-BFC1-08002BE10318} - Reg Error: Value error.
SafeBootNet: {71A27CDD-812A-11D0-BEC7-08002BE2092F} - Reg Error: Value error.
SafeBootNet: {745A17A0-74D3-11D0-B6FE-00A0C90F57DA} - Reg Error: Value error.
SafeBootNet: sdAuxService - Reg Error: Value error.
SafeBootNet: sdCoreService - Reg Error: Value error.

ActiveX: {0291E591-EA41-4c82-8106-3DC6CE7F7664} - Reg Error: Value error.
ActiveX: {03F998B2-0E00-11D3-A498-00104B6EB52E} - Viewpoint Media Player
ActiveX: {08B0E5C0-4FCB-11CF-AAA5-00401C608500} - Java (Sun)
ActiveX: {10072CEC-8CC1-11D1-986E-00A0C955B42F} - Vector Graphics Rendering (VML)
ActiveX: {1325db73-d9f1-48f8-8895-6d814ec58889} - Security Update for Windows XP (KB913433)
ActiveX: {1B00725B-C455-4DE6-BFB6-AD540AD427CD} - Viewpoint Media Player
ActiveX: {2179C5D3-EBFF-11CF-B6FD-00AA00B4E220} - NetShow
ActiveX: {22d6f312-b0f6-11d0-94ab-0080c74c7e95} - Microsoft Windows Media Player 6.4
ActiveX: {283807B5-2C60-11D0-A31D-00AA00B92C03} - DirectAnimation
ActiveX: {2C7339CF-2B09-4501-B3F3-F3508C9228ED} - %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll
ActiveX: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} - Reg Error: Value error.
ActiveX: {347B0667-C7ED-429B-BDE3-CC8D3BACAA31} - Reg Error: Value error.
ActiveX: {36f8ec70-c29a-11d1-b5c7-0000f8051515} - Dynamic HTML Data Binding for Java
ActiveX: {3af36230-a269-11d1-b5bf-0000f8051515} - Offline Browsing Pack
ActiveX: {3bf42070-b3b1-11d1-b5c5-0000f8051515} - Uniscribe
ActiveX: {411EDCF7-755D-414E-A74B-3DCD6583F589} - Microsoft .NET Framework 1.1 Service Pack 1 (KB867460)
ActiveX: {4278c270-a269-11d1-b5bf-0000f8051515} - Advanced Authoring
ActiveX: {44BBA840-CC51-11CF-AAFA-00AA00B6015C} - "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install
ActiveX: {44BBA842-CC51-11CF-AAFA-00AA00B6015B} - rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT
ActiveX: {44BBA848-CC51-11CF-AAFA-00AA00B6015C} - DirectShow
ActiveX: {44BBA855-CC51-11CF-AAFA-00AA00B6015F} - DirectDrawEx
ActiveX: {45ea75a0-a269-11d1-b5bf-0000f8051515} - Internet Explorer Help
ActiveX: {4f216970-c90c-11d1-b5c7-0000f8051515} - DirectAnimation Java Classes
ActiveX: {4f645220-306d-11d2-995d-00c04f98bbc9} - Microsoft Windows script 5.6
ActiveX: {5945c046-1e7d-11d1-bc44-00c04fd912be} - rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.QuietInstall.PerUser
ActiveX: {5A8D6EE0-3E18-11D0-821E-444553540000} - ICW
ActiveX: {5fd399c0-a70a-11d1-9948-00c04f98bbc9} - Internet Explorer Setup Tools
ActiveX: {630b1da0-b465-11d1-9948-00c04f98bbc9} - Browsing Enhancements
ActiveX: {6BF52A52-394A-11d3-B153-00C04F79FAA6} - Microsoft Windows Media Player
ActiveX: {6fab99d0-bab8-11d1-994a-00c04f98bbc9} - MSN Site Access
ActiveX: {7131646D-CD3C-40F4-97B9-CD9E4E6262EF} - .NET Framework
ActiveX: {73FA19D0-2D75-11D2-995D-00C04F98BBC9} - Web Folders
ActiveX: {7790769C-0471-11d2-AF11-00C04FA35D02} - "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install
ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4340} - regsvr32.exe /s /n /i:U shell32.dll
ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4383} - C:\WINDOWS\system32\ie4uinit.exe -BaseSettings
ActiveX: {89B4C1CD-B018-4511-B0A1-5476DBF70820} - c:\WINDOWS\system32\Rundll32.exe c:\WINDOWS\system32\mscories.dll,Install
ActiveX: {9381D8F2-0288-11D0-9501-00AA00B911A5} - Dynamic HTML Data Binding
ActiveX: {A17E30C4-A9BA-11D4-8673-60DB54C10000} - Reg Error: Value error.
ActiveX: {AA218328-0EA8-4D70-8972-E987A9190FF4} - Reg Error: Value error.
ActiveX: {C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F} - .NET Framework
ActiveX: {C9E9A340-D1F1-11D0-821E-444553540600} - Internet Explorer Core Fonts
ActiveX: {CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1} - .NET Framework
ActiveX: {CC2A9BA0-3BDD-11D0-821E-444553540000} - Task Scheduler
ActiveX: {CDD7975E-60F8-41d5-8149-19E51D6F71D0} - Windows Movie Maker v2.1
ActiveX: {D27CDB6E-AE6D-11cf-96B8-444553540000} - Adobe Flash Player
ActiveX: {DAA94A2A-2A8D-4D3B-9DB8-56FBECED082D} - Microsoft .NET Framework 1.1 Security Update (KB953297)
ActiveX: {de5aed00-a4bf-11d1-9948-00c04f98bbc9} - HTML Help
ActiveX: {E92B03AB-B707-11d2-9CBD-0000F87A369E} - Active Directory Service Interface
ActiveX: <{12d0ed0d-0ee0-4f90-8827-78cefb8f4988} - C:\WINDOWS\system32\ieudinit.exe
ActiveX: >{22d6f312-b0f6-11d0-94ab-0080c74c7e95} - C:\WINDOWS\inf\unregmp2.exe /ShowWMP
ActiveX: >{26923b43-4d38-484f-9b9e-de460746276c} - C:\WINDOWS\system32\ie4uinit.exe -UserIconConfig
ActiveX: >{60B49E34-C7CC-11D0-8953-00A0C90347FF} - "C:\WINDOWS\system32\rundll32.exe" "C:\WINDOWS\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
ActiveX: >{881dd1c5-3dcf-431b-b061-f3f88e8be88a} - %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE

Drivers32: msacm.iac2 - C:\WINDOWS\system32\iac25_32.ax (Intel Corporation)
Drivers32: msacm.l3acm - C:\WINDOWS\system32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32: msacm.siren - C:\WINDOWS\System32\sirenacm.dll (Microsoft Corporation)
Drivers32: msacm.sl_anet - C:\WINDOWS\System32\sl_anet.acm (Sipro Lab Telecom Inc.)
Drivers32: msacm.trspch - C:\WINDOWS\System32\tssoft32.acm (DSP GROUP, INC.)
Drivers32: vidc.cvid - C:\WINDOWS\System32\iccvid.dll (Radius Inc.)
Drivers32: vidc.DIVX - C:\WINDOWS\System32\DivX.dll (DivX, Inc.)
Drivers32: vidc.iv31 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv32 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv41 - C:\WINDOWS\System32\ir41_32.ax (Intel Corporation)
Drivers32: vidc.iv50 - C:\WINDOWS\System32\ir50_32.dll (Intel Corporation)
Drivers32: vidc.VP60 - C:\WINDOWS\system32\vp6vfw.dll (On2.com)
Drivers32: vidc.VP61 - C:\WINDOWS\system32\vp6vfw.dll (On2.com)
Drivers32: vidc.yv12 - C:\WINDOWS\System32\DivX.dll (DivX, Inc.)

ramirez3
Novice

Posts : 8
Joined : 2010-05-29
OS : xp
Points : 23938
# Likes : 0


Re: Need help removing BankerFox.A virus

Post by ramirez3 on Sat May 29, 2010 6:07 pm

CREATERESTOREPOINT
Error starting restore point: System Restore is disabled.
Error closing restore point: System Restore is disabled.

========== Files/Folders - Created Within 30 Days ==========

[2010/05/29 11:59:42 | 000,000,000 | ---D | C] -- C:\Program Files\Spyware Doctor
[2010/05/29 11:59:42 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\PC Tools
[2010/05/29 11:59:26 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2010/05/28 01:34:43 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Stephen\Local Settings\Application Data\AIM Toolbar
[2010/05/27 22:56:46 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Stephen\Local Settings\Application Data\hoqlqcrfs
[2010/05/25 00:44:37 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Software Update Utility
[2010/05/25 00:44:26 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\AIM
[2010/05/25 00:44:21 | 000,000,000 | ---D | C] -- C:\Program Files\AIM
[2010/05/02 03:14:37 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Stephen\Desktop\Unused Desktop Shortcuts
[9 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/05/29 13:08:01 | 000,860,672 | ---- | M] () -- C:\WINDOWS\System32\drivers\ejkyugpp.sys
[2010/05/29 12:18:16 | 000,001,158 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/05/29 12:17:54 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/05/29 12:17:02 | 010,223,616 | -H-- | M] () -- C:\Documents and Settings\Stephen\NTUSER.DAT
[2010/05/29 12:17:02 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\Stephen\ntuser.ini
[2010/05/29 12:04:47 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/05/29 12:00:00 | 000,000,314 | ---- | M] () -- C:\WINDOWS\tasks\lrborpqd.job
[2010/05/29 11:41:20 | 000,087,808 | ---- | M] () -- C:\WINDOWS\System32\nvapps.xml
[2010/05/27 23:07:32 | 002,643,408 | -H-- | M] () -- C:\Documents and Settings\Stephen\Local Settings\Application Data\IconCache.db
[2010/05/25 00:44:31 | 000,001,464 | -H-- | M] () -- C:\IPH.PH
[2010/05/25 00:44:26 | 000,001,574 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\AIM.lnk
[2010/05/23 17:18:08 | 000,001,324 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2010/05/16 23:10:30 | 000,054,156 | -H-- | M] () -- C:\WINDOWS\QTFont.qfn
[2010/05/13 13:27:01 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2010/05/12 03:00:28 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2010/05/10 19:54:53 | 000,031,214 | ---- | M] () -- C:\Documents and Settings\Stephen\My Documents\l_eaa5c230f7aa49c4b682bf88464d3405.jpg
[2010/05/10 19:54:46 | 000,036,732 | ---- | M] () -- C:\Documents and Settings\Stephen\My Documents\l_0e4c86418b154447b360e6757e76af66.jpg
[2010/05/10 19:54:35 | 000,037,596 | ---- | M] () -- C:\Documents and Settings\Stephen\My Documents\l_d33071ccadaa47bc8bb61a4ba47baeb1.jpg
[9 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files Created - No Company Name ==========

[2310/03/21 06:37:50 | 000,000,653 | -HS- | C] () -- C:\Documents and Settings\Stephen\Start Menu\Programs\Startup\scandisk.lnk
[2010/05/27 23:01:28 | 000,000,945 | ---- | C] () -- C:\Documents and Settings\Stephen\Desktop\Spybot - Search & Destroy.lnk
[2010/05/25 00:44:26 | 000,001,574 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\AIM.lnk
[2010/05/23 17:18:08 | 000,009,878 | ---- | C] () -- C:\Documents and Settings\Stephen\hs_err_pid4464.log
[2010/05/10 19:54:53 | 000,031,214 | ---- | C] () -- C:\Documents and Settings\Stephen\My Documents\l_eaa5c230f7aa49c4b682bf88464d3405.jpg
[2010/05/10 19:54:46 | 000,036,732 | ---- | C] () -- C:\Documents and Settings\Stephen\My Documents\l_0e4c86418b154447b360e6757e76af66.jpg
[2010/05/10 19:54:35 | 000,037,596 | ---- | C] () -- C:\Documents and Settings\Stephen\My Documents\l_d33071ccadaa47bc8bb61a4ba47baeb1.jpg
[2009/12/15 18:23:43 | 000,860,672 | ---- | C] () -- C:\WINDOWS\System32\drivers\ejkyugpp.sys
[2009/02/09 19:45:06 | 000,010,240 | ---- | C] () -- C:\WINDOWS\System32\vidx16.dll
[2009/02/09 19:43:43 | 000,000,890 | ---- | C] () -- C:\WINDOWS\disney.ini
[2008/10/27 22:37:22 | 000,000,022 | ---- | C] () -- C:\WINDOWS\msnmsgr.exe.ini
[2007/10/25 18:26:10 | 000,005,632 | ---- | C] () -- C:\WINDOWS\System32\drivers\StarOpen.sys
[2007/04/17 22:23:15 | 000,043,520 | ---- | C] () -- C:\WINDOWS\System32\CmdLineExt03.dll
[2007/04/17 21:59:17 | 000,021,840 | ---- | C] () -- C:\WINDOWS\System32\SIntfNT.dll
[2007/04/17 21:59:17 | 000,017,212 | ---- | C] () -- C:\WINDOWS\System32\SIntf32.dll
[2007/04/17 21:59:17 | 000,012,067 | ---- | C] () -- C:\WINDOWS\System32\SIntf16.dll
[2006/11/15 17:01:35 | 003,596,288 | ---- | C] () -- C:\WINDOWS\System32\qt-dx331.dll
[2006/11/15 16:36:58 | 000,012,288 | ---- | C] () -- C:\WINDOWS\System32\DivXWMPExtType.dll
[2006/10/15 19:39:19 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2006/07/18 19:32:07 | 000,000,029 | ---- | C] () -- C:\WINDOWS\atid.ini
[2006/07/17 19:45:16 | 000,000,152 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2006/07/17 18:43:18 | 000,000,394 | ---- | C] () -- C:\WINDOWS\SIERRA.INI
[2006/06/10 19:49:47 | 000,000,116 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2006/06/08 07:35:04 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2006/06/07 07:56:02 | 000,000,104 | ---- | C] () -- C:\WINDOWS\wb.ini
[2006/03/15 15:49:49 | 001,019,904 | ---- | C] () -- C:\WINDOWS\System32\nvwimg.dll
[2006/03/15 15:49:48 | 001,662,976 | ---- | C] () -- C:\WINDOWS\System32\nvwdmcpl.dll
[2006/03/15 15:49:48 | 000,466,944 | ---- | C] () -- C:\WINDOWS\System32\nvshell.dll
[2006/03/15 15:49:46 | 001,470,464 | ---- | C] () -- C:\WINDOWS\System32\nview.dll
[2006/03/15 15:49:46 | 000,573,440 | ---- | C] () -- C:\WINDOWS\System32\nvhwvid.dll
[2006/03/15 15:49:46 | 000,286,720 | ---- | C] () -- C:\WINDOWS\System32\nvnt4cpl.dll
[2006/03/15 15:49:44 | 000,098,304 | ---- | C] () -- C:\WINDOWS\System32\nvapi.dll
[2005/01/27 18:50:56 | 000,002,356 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.INI
[2004/08/13 10:56:20 | 000,005,810 | ---- | C] () -- C:\WINDOWS\System32\drivers\ASACPI.sys
[2004/08/04 08:00:00 | 000,066,560 | ---- | C] () -- C:\WINDOWS\System32\console.dll
[2004/08/04 08:00:00 | 000,002,304 | ---- | C] () -- C:\WINDOWS\System32\winsts.sys
[2004/08/04 08:00:00 | 000,002,304 | ---- | C] () -- C:\WINDOWS\System32\ndisdrv.sys
[2004/08/04 08:00:00 | 000,000,006 | ---- | C] () -- C:\WINDOWS\System32\FInstall.sys
[2004/08/04 08:00:00 | 000,000,000 | -HS- | C] () -- C:\WINDOWS\System32\notepad.dll
[2003/01/07 15:05:08 | 000,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI

========== Custom Scans ==========


< %systemroot%\*. /mp /s >

< %systemroot%\system32\*.dll /lockedfiles >
[9 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp -> ]

< %systemroot%\system32\*.exe /lockedfiles >
[9 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp -> ]

< %systemroot%\Tasks\*.job /lockedfiles >

< %systemroot%\system32\drivers\*.sys /lockedfiles >
[2010/05/29 13:09:51 | 000,860,672 | ---- | M] () Unable to obtain MD5 -- C:\WINDOWS\system32\drivers\ejkyugpp.sys

< %systemroot%\System32\config\*.sav >
[2005/07/19 18:57:17 | 000,094,208 | ---- | M] () -- C:\WINDOWS\system32\config\default.sav
[2005/07/19 18:57:17 | 000,634,880 | ---- | M] () -- C:\WINDOWS\system32\config\software.sav
[2005/07/19 18:57:17 | 000,909,312 | ---- | M] () -- C:\WINDOWS\system32\config\system.sav

< %systemroot%\system32\*.sys >
[2004/08/04 08:00:00 | 000,009,029 | ---- | M] () -- C:\WINDOWS\system32\ansi.sys
[2004/08/04 08:00:00 | 000,027,097 | ---- | M] () -- C:\WINDOWS\system32\country.sys
[2004/08/04 08:00:00 | 000,000,006 | ---- | M] () -- C:\WINDOWS\system32\FInstall.sys
[2004/08/04 08:00:00 | 000,004,768 | ---- | M] () -- C:\WINDOWS\system32\himem.sys
[2004/08/04 08:00:00 | 000,042,809 | ---- | M] () -- C:\WINDOWS\system32\key01.sys
[2004/08/04 08:00:00 | 000,042,537 | ---- | M] () -- C:\WINDOWS\system32\keyboard.sys
[2004/08/04 08:00:00 | 000,032,768 | ---- | M] (fdlgdhrswval vdidbdr) -- C:\WINDOWS\system32\lsm32.sys
[2008/04/13 20:11:56 | 000,002,304 | ---- | M] () -- C:\WINDOWS\system32\ndisdrv.sys
[2004/08/04 08:00:00 | 000,027,866 | ---- | M] () -- C:\WINDOWS\system32\ntdos.sys
[2004/08/04 08:00:00 | 000,029,146 | ---- | M] () -- C:\WINDOWS\system32\ntdos404.sys
[2004/08/04 08:00:00 | 000,029,370 | ---- | M] () -- C:\WINDOWS\system32\ntdos411.sys
[2004/08/04 08:00:00 | 000,029,274 | ---- | M] () -- C:\WINDOWS\system32\ntdos412.sys
[2004/08/04 08:00:00 | 000,029,146 | ---- | M] () -- C:\WINDOWS\system32\ntdos804.sys
[2004/08/04 08:00:00 | 000,033,840 | ---- | M] () -- C:\WINDOWS\system32\ntio.sys
[2004/08/04 08:00:00 | 000,034,560 | ---- | M] () -- C:\WINDOWS\system32\ntio404.sys
[2004/08/04 08:00:00 | 000,035,648 | ---- | M] () -- C:\WINDOWS\system32\ntio411.sys
[2004/08/04 08:00:00 | 000,035,424 | ---- | M] () -- C:\WINDOWS\system32\ntio412.sys
[2004/08/04 08:00:00 | 000,034,560 | ---- | M] () -- C:\WINDOWS\system32\ntio804.sys
[2008/04/13 14:44:59 | 000,017,664 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\watchdog.sys
[2009/08/14 09:21:25 | 001,850,624 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\win32k.sys
[2008/04/13 20:11:56 | 000,002,304 | ---- | M] () -- C:\WINDOWS\system32\winsts.sys
[9 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp -> ]

< %systemroot%\system32\drivers\*.dll >
[2008/04/13 20:11:48 | 000,004,255 | ---- | M] (Intel(R) Corporation) -- C:\WINDOWS\system32\drivers\adv01nt5.dll
[2008/04/13 20:11:48 | 000,003,967 | ---- | M] (Intel(R) Corporation) -- C:\WINDOWS\system32\drivers\adv02nt5.dll
[2008/04/13 20:11:48 | 000,003,615 | ---- | M] (Intel(R) Corporation) -- C:\WINDOWS\system32\drivers\adv05nt5.dll
[2008/04/13 20:11:48 | 000,003,647 | ---- | M] (Intel(R) Corporation) -- C:\WINDOWS\system32\drivers\adv07nt5.dll
[2008/04/13 20:11:48 | 000,003,135 | ---- | M] (Intel(R) Corporation) -- C:\WINDOWS\system32\drivers\adv08nt5.dll
[2008/04/13 20:11:48 | 000,003,711 | ---- | M] (Intel(R) Corporation) -- C:\WINDOWS\system32\drivers\adv09nt5.dll
[2008/04/13 20:11:48 | 000,003,775 | ---- | M] (Intel(R) Corporation) -- C:\WINDOWS\system32\drivers\adv11nt5.dll
[2008/04/13 20:11:50 | 000,021,183 | ---- | M] (Intel(R) Corporation) -- C:\WINDOWS\system32\drivers\atv01nt5.dll
[2008/04/13 20:11:50 | 000,011,359 | ---- | M] (Intel(R) Corporation) -- C:\WINDOWS\system32\drivers\atv02nt5.dll
[2008/04/13 20:11:50 | 000,025,471 | ---- | M] (Intel(R) Corporation) -- C:\WINDOWS\system32\drivers\atv04nt5.dll
[2008/04/13 20:11:50 | 000,014,143 | ---- | M] (Intel(R) Corporation) -- C:\WINDOWS\system32\drivers\atv06nt5.dll
[2008/04/13 20:11:50 | 000,017,279 | ---- | M] (Intel(R) Corporation) -- C:\WINDOWS\system32\drivers\atv10nt5.dll
[2008/04/13 20:11:50 | 000,015,423 | ---- | M] (Intel(R) Corporation) -- C:\WINDOWS\system32\drivers\ch7xxnt5.dll
[2008/04/13 20:12:05 | 000,003,901 | ---- | M] (Intel(R) Corporation) -- C:\WINDOWS\system32\drivers\siint5.dll
[2008/04/13 20:12:08 | 000,011,325 | ---- | M] (Intel(R) Corporation) -- C:\WINDOWS\system32\drivers\vchnt5.dll

< %systemroot%\system32\drivers\*.ini >

< %systemroot%\system32\drivers\*.exe >

< %SYSTEMDRIVE%\*.* >
[2007/03/06 17:21:12 | 000,013,454 | ---- | M] () -- C:\addon.lua
[2005/07/20 02:11:43 | 000,000,000 | ---- | M] () -- C:\AUTOEXEC.BAT
[2006/07/03 17:50:08 | 000,000,211 | RHS- | M] () -- C:\boot.ini
[2007/02/18 05:20:04 | 000,000,967 | ---- | M] () -- C:\Cartographer_Mining.toc
[2007/03/15 21:20:36 | 000,001,719 | ---- | M] () -- C:\Changelog-Cartographer_Mining-r29658.xml
[2007/03/15 21:20:36 | 000,001,719 | ---- | M] () -- C:\changelog-r29658.txt
[2005/07/20 02:11:43 | 000,000,000 | ---- | M] () -- C:\CONFIG.SYS
[2005/07/20 02:11:43 | 000,000,000 | RHS- | M] () -- C:\IO.SYS
[2010/05/25 00:44:31 | 000,001,464 | -H-- | M] () -- C:\IPH.PH
[2005/07/20 02:11:43 | 000,000,000 | RHS- | M] () -- C:\MSDOS.SYS
[2004/08/04 08:00:00 | 000,047,564 | RHS- | M] () -- C:\NTDETECT.COM
[2008/09/20 02:16:32 | 000,250,048 | RHS- | M] () -- C:\ntldr
[2010/05/29 12:17:47 | 2145,386,496 | -HS- | M] () -- C:\pagefile.sys
[2006/10/12 12:17:55 | 000,001,561 | ---- | M] () -- C:\rapport.txt
[2007/01/05 22:26:02 | 000,000,268 | -H-- | M] () -- C:\sqmdata00.sqm
[2007/01/08 00:42:47 | 000,000,232 | -H-- | M] () -- C:\sqmdata01.sqm
[2007/01/24 00:02:53 | 000,000,268 | -H-- | M] () -- C:\sqmdata02.sqm
[2006/07/16 23:53:05 | 000,000,268 | -H-- | M] () -- C:\sqmdata03.sqm
[2006/07/20 22:27:10 | 000,000,280 | -H-- | M] () -- C:\sqmdata04.sqm
[2006/07/20 22:35:13 | 000,000,280 | -H-- | M] () -- C:\sqmdata05.sqm
[2006/07/24 01:10:46 | 000,000,232 | -H-- | M] () -- C:\sqmdata06.sqm
[2006/07/28 01:45:04 | 000,000,268 | -H-- | M] () -- C:\sqmdata07.sqm
[2006/07/28 01:45:04 | 000,000,208 | -H-- | M] () -- C:\sqmdata08.sqm
[2006/07/30 19:16:05 | 000,000,232 | -H-- | M] () -- C:\sqmdata09.sqm
[2006/08/09 22:46:20 | 000,000,268 | -H-- | M] () -- C:\sqmdata10.sqm
[2006/08/18 23:06:43 | 000,000,268 | -H-- | M] () -- C:\sqmdata11.sqm
[2006/08/28 15:17:23 | 000,000,268 | -H-- | M] () -- C:\sqmdata12.sqm
[2006/09/27 18:39:13 | 000,000,268 | -H-- | M] () -- C:\sqmdata13.sqm
[2006/10/10 19:21:03 | 000,000,232 | -H-- | M] () -- C:\sqmdata14.sqm
[2006/10/12 12:19:14 | 000,000,232 | -H-- | M] () -- C:\sqmdata15.sqm
[2006/10/28 00:30:43 | 000,000,232 | -H-- | M] () -- C:\sqmdata16.sqm
[2006/11/21 23:24:22 | 000,000,268 | -H-- | M] () -- C:\sqmdata17.sqm
[2006/12/13 20:58:09 | 000,000,268 | -H-- | M] () -- C:\sqmdata18.sqm
[2007/01/02 23:03:42 | 000,000,268 | -H-- | M] () -- C:\sqmdata19.sqm
[2006/12/13 20:58:09 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt00.sqm
[2007/01/02 23:03:42 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt01.sqm
[2007/01/05 22:26:02 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt02.sqm
[2007/01/08 00:42:47 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt03.sqm
[2007/01/24 00:02:53 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt04.sqm
[2006/07/16 23:53:05 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt05.sqm
[2006/07/20 22:27:10 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt06.sqm
[2006/07/20 22:35:13 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt07.sqm
[2006/07/24 01:10:46 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt08.sqm
[2006/07/28 01:45:04 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt09.sqm
[2006/07/28 01:45:04 | 000,000,136 | -H-- | M] () -- C:\sqmnoopt10.sqm
[2006/07/30 19:16:05 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt11.sqm
[2006/08/09 22:46:20 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt12.sqm
[2006/08/18 23:06:43 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt13.sqm
[2006/08/28 15:17:23 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt14.sqm
[2006/09/27 18:39:13 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt15.sqm
[2006/10/10 19:21:03 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt16.sqm
[2006/10/12 12:19:14 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt17.sqm
[2006/10/28 00:30:43 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt18.sqm
[2006/11/21 23:24:21 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt19.sqm
[2006/06/11 13:23:23 | 000,007,690 | ---- | M] () -- C:\SSPPPoE.log
[2005/10/31 11:56:00 | 000,700,416 | ---- | M] (LimeWire) -- C:\StubInstaller.exe
[2008/12/30 23:09:14 | 000,000,137 | ---- | M] () -- C:\VundoFix.txt
[2009/12/15 22:16:14 | 000,000,228 | ---- | M] () -- C:\xcrashdump.dat
[2009/12/15 18:23:38 | 000,096,768 | ---- | M] (Nyasin) -- C:\xrsowilc.exe
[2008/03/30 05:51:21 | 000,000,150 | ---- | M] () -- C:\YServer.txt


< %PROGRAMFILES%\*. >
[2005/07/20 02:15:19 | 000,000,000 | ---D | M] -- C:\Program Files\Adobe
[2006/06/07 07:33:51 | 000,000,000 | ---D | M] -- C:\Program Files\Ahead
[2010/05/25 00:44:25 | 000,000,000 | ---D | M] -- C:\Program Files\AIM
[2010/05/25 00:44:38 | 000,000,000 | ---D | M] -- C:\Program Files\AIM Toolbar
[2006/06/10 19:55:09 | 000,000,000 | ---D | M] -- C:\Program Files\AlienGUIse
[2008/12/30 15:28:49 | 000,000,000 | ---D | M] -- C:\Program Files\Alwil Software
[2006/10/30 15:36:26 | 000,000,000 | ---D | M] -- C:\Program Files\AOD
[2008/12/30 22:41:14 | 000,000,000 | ---D | M] -- C:\Program Files\Apple Software Update
[2008/04/15 21:55:04 | 000,000,000 | ---D | M] -- C:\Program Files\Azureus
[2009/05/16 17:57:35 | 000,000,000 | ---D | M] -- C:\Program Files\BitTorrent
[2008/12/30 22:41:19 | 000,000,000 | ---D | M] -- C:\Program Files\Bonjour
[2008/12/25 00:59:36 | 000,000,000 | ---D | M] -- C:\Program Files\Canon
[2010/01/16 13:13:05 | 000,000,000 | ---D | M] -- C:\Program Files\Carambis
[2010/04/14 12:12:55 | 000,000,000 | ---D | M] -- C:\Program Files\Carbonite
[2010/05/29 11:59:42 | 000,000,000 | ---D | M] -- C:\Program Files\Common Files
[2005/07/20 02:09:41 | 000,000,000 | ---D | M] -- C:\Program Files\ComPlus Applications
[2005/07/20 03:50:07 | 000,000,000 | ---D | M] -- C:\Program Files\CyberLink
[2008/09/20 23:02:31 | 000,000,000 | ---D | M] -- C:\Program Files\Diablo II
[2006/06/10 16:21:38 | 000,000,000 | ---D | M] -- C:\Program Files\DIFX
[2008/02/28 20:52:05 | 000,000,000 | ---D | M] -- C:\Program Files\DivX
[2007/03/31 18:06:12 | 000,000,000 | ---D | M] -- C:\Program Files\EA GAMES
[2006/06/10 15:55:18 | 000,000,000 | ---D | M] -- C:\Program Files\Efficient Networks
[2009/12/31 17:46:11 | 000,000,000 | ---D | M] -- C:\Program Files\Electronic Arts
[2009/06/28 19:29:35 | 000,000,000 | ---D | M] -- C:\Program Files\GameSpy Arcade
[2009/02/09 19:50:09 | 000,000,000 | ---D | M] -- C:\Program Files\Google
[2009/12/30 00:07:02 | 000,000,000 | ---D | M] -- C:\Program Files\Hijackthis
[2010/01/29 12:05:13 | 000,000,000 | -H-D | M] -- C:\Program Files\InstallShield Installation Information
[2010/03/31 03:00:38 | 000,000,000 | ---D | M] -- C:\Program Files\Internet Explorer
[2009/12/30 20:18:51 | 000,000,000 | ---D | M] -- C:\Program Files\InternetSecurity2010
[2010/03/31 03:23:51 | 000,000,000 | ---D | M] -- C:\Program Files\Java
[2006/06/21 19:13:39 | 000,000,000 | ---D | M] -- C:\Program Files\Kazaa
[2006/12/13 18:15:26 | 000,000,000 | ---D | M] -- C:\Program Files\Logitech
[2008/12/31 16:06:05 | 000,000,000 | ---D | M] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010/01/29 12:05:07 | 000,000,000 | ---D | M] -- C:\Program Files\MarkAny
[2006/10/10 13:53:12 | 000,000,000 | ---D | M] -- C:\Program Files\Maxthon
[2008/09/20 02:21:41 | 000,000,000 | ---D | M] -- C:\Program Files\Messenger
[2009/12/09 16:24:53 | 000,000,000 | ---D | M] -- C:\Program Files\Microsoft
[2006/10/15 19:38:36 | 000,000,000 | ---D | M] -- C:\Program Files\Microsoft ActiveSync
[2005/07/20 02:11:47 | 000,000,000 | ---D | M] -- C:\Program Files\microsoft frontpage
[2007/05/22 19:08:21 | 000,000,000 | ---D | M] -- C:\Program Files\Microsoft Games
[2008/08/20 22:40:26 | 000,000,000 | ---D | M] -- C:\Program Files\Microsoft Office
[2010/01/22 01:21:39 | 000,000,000 | ---D | M] -- C:\Program Files\Microsoft Silverlight
[2009/02/09 16:31:00 | 000,000,000 | ---D | M] -- C:\Program Files\Microsoft Virtual PC
[2009/12/31 15:08:23 | 000,000,000 | ---D | M] -- C:\Program Files\Microsoft WSE
[2006/10/15 19:38:39 | 000,000,000 | ---D | M] -- C:\Program Files\Microsoft.NET
[2009/02/05 20:46:38 | 000,000,000 | ---D | M] -- C:\Program Files\MINITAB 14 Student
[2008/10/08 22:56:29 | 000,000,000 | ---D | M] -- C:\Program Files\mIRC
[2010/03/11 14:21:10 | 000,000,000 | ---D | M] -- C:\Program Files\Movie Maker
[2010/04/03 02:45:22 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox
[2009/08/15 00:45:06 | 000,000,000 | ---D | M] -- C:\Program Files\MSBuild
[2008/08/20 22:40:18 | 000,000,000 | ---D | M] -- C:\Program Files\MSECache
[2005/07/20 02:08:54 | 000,000,000 | ---D | M] -- C:\Program Files\MSN
[2005/07/20 02:09:19 | 000,000,000 | ---D | M] -- C:\Program Files\MSN Gaming Zone
[2007/05/22 19:10:47 | 000,000,000 | ---D | M] -- C:\Program Files\MSXML 4.0
[2008/11/21 19:02:45 | 000,000,000 | ---D | M] -- C:\Program Files\MySpace
[2008/09/20 02:17:32 | 000,000,000 | ---D | M] -- C:\Program Files\NetMeeting
[2005/07/20 02:09:23 | 000,000,000 | ---D | M] -- C:\Program Files\Online Services
[2010/05/12 03:00:26 | 000,000,000 | ---D | M] -- C:\Program Files\Outlook Express
[2006/06/20 16:03:53 | 000,000,000 | ---D | M] -- C:\Program Files\QuickTime
[2009/02/12 17:15:53 | 000,000,000 | ---D | M] -- C:\Program Files\Real
[2009/08/15 00:45:00 | 000,000,000 | ---D | M] -- C:\Program Files\Reference Assemblies
[2006/10/12 12:07:55 | 000,000,000 | ---D | M] -- C:\Program Files\Roguescanfix
[2010/01/29 12:04:54 | 000,000,000 | ---D | M] -- C:\Program Files\Samsung
[2006/07/17 19:45:16 | 000,000,000 | ---D | M] -- C:\Program Files\Sierra On-Line
[2008/12/30 15:19:12 | 000,000,000 | ---D | M] -- C:\Program Files\Sophos
[2009/12/31 17:53:42 | 000,000,000 | ---D | M] -- C:\Program Files\Spybot - Search & Destroy
[2010/05/29 12:40:31 | 000,000,000 | ---D | M] -- C:\Program Files\Spyware Doctor
[2009/08/30 21:46:56 | 000,000,000 | ---D | M] -- C:\Program Files\Stellarium
[2008/12/30 15:52:37 | 000,000,000 | ---D | M] -- C:\Program Files\TBONBin
[2007/09/20 14:52:10 | 000,000,000 | ---D | M] -- C:\Program Files\Tensons
[2007/05/28 17:42:05 | 000,000,000 | ---D | M] -- C:\Program Files\Turbine
[2005/07/20 02:17:35 | 000,000,000 | -H-D | M] -- C:\Program Files\Uninstall Information
[2008/08/17 20:44:05 | 000,000,000 | ---D | M] -- C:\Program Files\Ventrilo
[2007/09/20 15:03:48 | 000,000,000 | ---D | M] -- C:\Program Files\VideoLAN
[2007/06/13 19:31:00 | 000,000,000 | ---D | M] -- C:\Program Files\Viewpoint
[2007/08/19 17:35:12 | 000,000,000 | ---D | M] -- C:\Program Files\Warcraft III
[2009/08/08 18:19:44 | 000,000,000 | ---D | M] -- C:\Program Files\Windows Live
[2010/01/03 14:59:41 | 000,000,000 | ---D | M] -- C:\Program Files\Windows Live Safety Center
[2009/08/08 18:20:03 | 000,000,000 | ---D | M] -- C:\Program Files\Windows Live SkyDrive
[2007/06/18 17:35:25 | 000,000,000 | ---D | M] -- C:\Program Files\Windows Media Connect 2
[2009/02/09 19:48:43 | 000,000,000 | ---D | M] -- C:\Program Files\Windows Media Player
[2008/09/20 02:17:30 | 000,000,000 | ---D | M] -- C:\Program Files\Windows NT
[2005/07/20 02:10:41 | 000,000,000 | -H-D | M] -- C:\Program Files\WindowsUpdate
[2009/11/10 19:27:12 | 000,000,000 | ---D | M] -- C:\Program Files\windstream_act
[2008/05/01 04:38:11 | 000,000,000 | ---D | M] -- C:\Program Files\WinRAR
[2010/03/28 23:22:25 | 000,000,000 | ---D | M] -- C:\Program Files\World of Warcraft
[2008/10/08 22:49:40 | 000,000,000 | ---D | M] -- C:\Program Files\xchat
[2005/07/20 02:11:47 | 000,000,000 | ---D | M] -- C:\Program Files\xerox
[2008/03/30 05:51:40 | 000,000,000 | ---D | M] -- C:\Program Files\Yahoo!
[2008/12/25 00:46:46 | 000,000,000 | ---D | M] -- C:\Program Files\Zune

< %appdata%\*.* >
[2010/01/29 12:05:19 | 000,002,528 | ---- | M] () -- C:\Documents and Settings\Stephen\Application Data\$_hpcst$.hpc
[2005/07/19 18:58:32 | 000,000,062 | -HS- | M] () -- C:\Documents and Settings\Stephen\Application Data\desktop.ini


< MD5 for: AGP440.SYS >
[2004/08/04 08:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:AGP440.sys
[2008/09/20 02:14:45 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:AGP440.sys
[2008/09/20 02:14:45 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:AGP440.sys
[2008/04/13 14:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\ServicePackFiles\i386\agp440.sys
[2008/04/13 14:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\system32\drivers\agp440.sys

< MD5 for: ATAPI.SYS >
[2004/08/04 08:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:atapi.sys
[2008/09/20 02:14:45 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:atapi.sys
[2008/09/20 02:14:45 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:atapi.sys
[2008/04/13 14:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ServicePackFiles\i386\atapi.sys
[2008/04/13 14:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\drivers\atapi.sys
[2004/08/04 08:00:00 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\$NtServicePackUninstall$\atapi.sys
[2004/08/04 08:00:00 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\system32\ReinstallBackups\0000\DriverFiles\i386\atapi.sys
[2004/08/04 08:00:00 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\system32\ReinstallBackups\0001\DriverFiles\i386\atapi.sys
[2004/08/04 08:00:00 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\system32\ReinstallBackups\0002\DriverFiles\i386\atapi.sys

< MD5 for: DISK.SYS >
[2004/08/04 08:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:disk.sys
[2008/09/20 02:14:45 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:disk.sys
[2008/09/20 02:14:45 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:disk.sys
[2004/08/04 08:00:00 | 000,036,352 | ---- | M] (Microsoft Corporation) MD5=00CA44E4534865F8A3B64F7C0984BFF0 -- C:\WINDOWS\$NtServicePackUninstall$\disk.sys
[2008/04/13 14:40:47 | 000,036,352 | ---- | M] (Microsoft Corporation) MD5=044452051F3E02E7963599FC8F4F3E25 -- C:\WINDOWS\ServicePackFiles\i386\disk.sys
[2008/04/13 14:40:47 | 000,036,352 | ---- | M] (Microsoft Corporation) MD5=044452051F3E02E7963599FC8F4F3E25 -- C:\WINDOWS\system32\drivers\disk.sys

< MD5 for: EVENTLOG.DLL >
[2008/04/13 20:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\ServicePackFiles\i386\eventlog.dll
[2008/04/13 20:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\system32\eventlog.dll
[2004/08/04 08:00:00 | 000,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll

< MD5 for: NETLOGON.DLL >
[2008/04/13 20:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\ServicePackFiles\i386\netlogon.dll
[2008/04/13 20:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\system32\netlogon.dll
[2004/08/04 08:00:00 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\WINDOWS\$NtServicePackUninstall$\netlogon.dll

< MD5 for: NVATA.SYS >
[2005/05/26 13:06:00 | 000,092,800 | R--- | M] (NVIDIA Corporation) MD5=33C5D977343D5A696B5CB2CC57E3A795 -- C:\WINDOWS\system32\drivers\nvata.sys

< MD5 for: NVATABUS.SYS >
[2005/05/26 13:06:00 | 000,092,800 | ---- | M] (NVIDIA Corporation) MD5=33C5D977343D5A696B5CB2CC57E3A795 -- C:\ALIENWARE\DRIVERS\NF4RAID\NVATABUS.SYS
[2005/05/26 13:06:00 | 000,092,800 | ---- | M] (NVIDIA Corporation) MD5=33C5D977343D5A696B5CB2CC57E3A795 -- C:\WINDOWS\system32\drivers\nvatabus.sys

< MD5 for: SCECLI.DLL >
[2004/08/04 08:00:00 | 000,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- C:\WINDOWS\$NtServicePackUninstall$\scecli.dll
[2008/04/13 20:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\ServicePackFiles\i386\scecli.dll
[2008/04/13 20:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\system32\scecli.dll

< MD5 for: USBSTOR.SYS >
[2004/08/04 08:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:usbstor.sys
[2008/09/20 02:14:45 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:usbstor.sys
[2008/09/20 02:14:45 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:usbstor.sys
[2004/08/03 23:08:48 | 000,026,496 | ---- | M] (Microsoft Corporation) MD5=6CD7B22193718F1D17A47A1CD6D37E75 -- C:\WINDOWS\$NtServicePackUninstall$\usbstor.sys
[2008/04/13 14:45:38 | 000,026,368 | ---- | M] (Microsoft Corporation) MD5=A32426D9B14A089EAA1D922E0C5801A9 -- C:\WINDOWS\ServicePackFiles\i386\usbstor.sys
[2008/04/13 14:45:38 | 000,026,368 | ---- | M] (Microsoft Corporation) MD5=A32426D9B14A089EAA1D922E0C5801A9 -- C:\WINDOWS\system32\drivers\usbstor.sys

< HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs >
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install\\LastSuccessTime: 2010-05-27 01:08:35

========== Alternate Data Streams ==========

@Alternate Data Stream - 3552 bytes -> C:\WINDOWS\alienware logo_slvr.jpg:Q30lsldxJoudresxAaaqpcawXc
@Alternate Data Stream - 121 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2
@Alternate Data Stream - 109 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:A8ADE5D8
< End of report >

Ok, so basically whenever I try to open any of my spyware removers I get a bogus message saying the file is corrupt, and it asks me if I want to activate my spyware tools. I also get a lot of popups telling me my PC is infected with BankerFox.A, followed by fake spyware remover ads. I'm not even sure how I got it; I wasn't at any different websites than normal when it popped up.

Thanks for the help in advance.


Re: Need help removing BankerFox.A virus

Post by Belahzur on Sat May 29, 2010 9:56 pm

Hello.

  • Download combofix from here
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]

    1. If you are using Firefox, make sure that your download settings are as follows:

    * Tools->Options->Main tab
    * Set to "Always ask me where to Save the files".

    2. During the download, rename Combofix to Combo-Fix as follows:

    3. It is important you rename Combofix during the download, but not after.
    4. Please do not rename Combofix to other names, but only to the one indicated.
    5. Close any open browsers.
    6. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

  • We need to disable your local AV (Anti-virus) before running Combofix.
  • See [You must be registered and logged in to see this link.] for how to disable your AV.
  • Double-click on ComboFix.exe.
  • Follow the prompts. NOTE:
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.

  • The Recovery Console provides a recovery/repair mode should a problem occur during a Combofix run.

  • Allow ComboFix to download the Recovery Console.
  • Accept the End-User License Agreement.
  • The Recovery Console will be installed.
  • You will then get this next prompt that asks if you want to continue the malware scan; select Yes.

  • Allow ComboFix to run.
  • Post C:\combofix.txt back here.

    Note:
    Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.



Re: Need help removing BankerFox.A virus

Post by ramirez3 on Sun May 30, 2010 6:38 pm

ComboFix 10-05-29.05 - Stephen 05/30/2010 14:10:34.1.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2047.1423 [GMT -4:00]
Running from: c:\documents and settings\Stephen\Desktop\Combo-Fix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Install.txt
c:\windows\system32\19169.exe
c:\windows\system32\26500.exe
c:\windows\system32\drivers\ejkyugpp.sys
c:\windows\system32\Process.exe
c:\windows\system32\SrchSTS.exe
c:\windows\system32\Thumbs.db
C:\xcrashdump.dat

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_6TO4
-------\Legacy_WINSTS
-------\Legacy_ejkyugpp
-------\Service_ejkyugpp


((((((((((((((((((((((((( Files Created from 2010-04-28 to 2010-05-30 )))))))))))))))))))))))))))))))
.

2010-05-29 15:59 . 2010-05-29 16:40 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-05-28 05:34 . 2010-05-28 05:34 -------- d-----w- c:\documents and settings\Stephen\Local Settings\Application Data\AIM Toolbar
2010-05-28 02:56 . 2010-05-29 18:36 -------- d-----w- c:\documents and settings\Stephen\Local Settings\Application Data\hoqlqcrfs

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-29 18:16 . 2008-12-31 20:06 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-29 18:12 . 2006-10-11 17:46 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-04-20 06:09 . 2010-05-11 17:52 28 ------w- c:\documents and settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4506.2.4\unregister.bat
2010-04-17 02:12 . 2010-04-17 02:12 48464 ----a-w- c:\windows\system32\sirenacm.dll
2010-04-14 16:12 . 2010-03-31 07:24 -------- d-----w- c:\program files\Carbonite
2010-03-31 07:24 . 2010-03-31 07:24 61440 ----a-w- c:\documents and settings\Stephen\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-28b4d8c5-n\decora-sse.dll
2010-03-31 07:24 . 2010-03-31 07:24 503808 ----a-w- c:\documents and settings\Stephen\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-5a40034e-n\msvcp71.dll
2010-03-31 07:24 . 2010-03-31 07:24 499712 ----a-w- c:\documents and settings\Stephen\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-5a40034e-n\jmc.dll
2010-03-31 07:24 . 2010-03-31 07:24 348160 ----a-w- c:\documents and settings\Stephen\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-5a40034e-n\msvcr71.dll
2010-03-31 07:24 . 2010-03-31 07:24 12800 ----a-w- c:\documents and settings\Stephen\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-28b4d8c5-n\decora-d3d.dll
2010-03-14 06:20 . 2010-03-14 06:20 152576 ----a-w- c:\documents and settings\Stephen\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2010-03-14 06:20 . 2010-03-14 06:20 79488 ----a-w- c:\documents and settings\Stephen\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2010-03-10 06:15 . 2004-08-04 12:00 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-03-09 08:28 . 2009-05-25 23:22 411368 ----a-w- c:\windows\system32\deploytk.dll
2008-06-19 09:16 . 2008-06-19 09:16 118784 ----a-w- c:\program files\mozilla firefox\plugins\MyCamera.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2010-04-17 3872080]
"MySpaceIM"="c:\program files\MySpace\IM\MySpaceIM.exe" [2008-04-17 9117696]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"Driver Updater"="c:\program files\Carambis\Driver Updater\dupdater.exe" [2009-10-01 4805632]
"Aim"="c:\program files\AIM\aim.exe" [2010-04-19 3972440]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"SpybotDeletingB5425"="command" [X]
"SpybotDeletingD3758"="del" [X]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-03 32768]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-03-09 7561216]
"nwiz"="nwiz.exe" [2006-10-22 1622016]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-06-20 282624]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-03-09 86016]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2005-05-20 28160]
"Zune Launcher"="c:\program files\Zune\ZuneLauncher.exe" [2008-12-12 157312]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"NoIE4StubProcessing"="c:\windows\system32\reg.exe DELETE HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components" [X]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="c:\program files\MySpace\IM\MySpaceIM.exe" [2008-04-17 9117696]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WB]
2001-12-21 03:34 24576 ----a-w- c:\program files\AlienGUIse\fastload.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@=""

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Samsung\\Samsung New PC Studio\\npsasvr.exe"=
"c:\\Program Files\\Samsung\\Samsung New PC Studio\\npsvsvr.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.2.0-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\Launcher.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=

R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [1/28/2007 2:38 PM 24652]
S3 Avgfwdx;Avgfwdx;c:\windows\system32\drivers\avgfwdx.sys [1/18/2010 10:41 PM 30104]
S3 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwdx.sys [1/18/2010 10:41 PM 30104]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\26B.tmp --> c:\windows\system32\26B.tmp [?]
S3 sscebus;SAMSUNG USB Composite Device V2 driver (WDM);c:\windows\system32\drivers\sscebus.sys [1/29/2010 12:05 PM 90240]
S3 sscemdfl;SAMSUNG Mobile Modem V2 Filter;c:\windows\system32\drivers\sscemdfl.sys [1/29/2010 12:05 PM 14976]
S3 sscemdm;SAMSUNG Mobile Modem V2 Drivers;c:\windows\system32\drivers\sscemdm.sys [1/29/2010 12:05 PM 121856]
.
Contents of the 'Scheduled Tasks' folder

2010-05-13 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]
.
.
------- Supplementary Scan -------
.
mSearch Bar = [You must be registered and logged in to see this link.]
uInternet Settings,ProxyOverride =
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uSearchURL,(Default) = [You must be registered and logged in to see this link.]
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
FF - ProfilePath - c:\documents and settings\Stephen\Application Data\Mozilla\Firefox\Profiles\mu6d7r14.default\
FF - prefs.js: browser.search.defaulturl - [You must be registered and logged in to see this link.]
FF - prefs.js: browser.startup.homepage - neogaf.com
FF - prefs.js: keyword.URL - [You must be registered and logged in to see this link.]
FF - component: c:\documents and settings\Stephen\Application Data\Mozilla\Firefox\Profiles\mu6d7r14.default\extensions\{c2f863cd-0429-48c7-bb54-db756a951760}\components\MailUtil.dll
FF - plugin: c:\documents and settings\Stephen\Application Data\Mozilla\Firefox\Profiles\mu6d7r14.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071301000019.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPCIG.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdnupdater2.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: network.protocol-handler.warn-external.dnupdate - false);user_pref(network.protocol-handler.warn-external.dnupdate, false
FF - user.js: browser.sessionstore.resume_from_crash - false
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.
- - - - ORPHANS REMOVED - - - -

BHO-{C5B24B16-23F2-41AD-F4E4-00ABC39C0004} - (no file)
HKCU-Run-EA Core - c:\program files\Electronic Arts\EADM\Core.exe
HKCU-Run-tbon - c:\program files\TBONBin\tbon.exe
HKCU-Run-AutoStartNPSAgent - c:\program files\Samsung\Samsung New PC Studio\NPSAgent.exe
HKCU-Run-gadcom - c:\documents and settings\Stephen\Application Data\gadcom\gadcom.exe
HKLM-Run-NPSStartup - (no file)
HKU-Default-Run-notepad - c:\docume~1\LOCALS~1\ntload.dll
Notify-khfGxuRk - khfGxuRk.dll



**************************************************************************
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\26B.tmp"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1436377304-323887150-1316774145-1005\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID]
@Denied: (Full) (LocalSystem)
@SACL=
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(836)
c:\program files\AlienGUIse\fastload.dll

- - - - - - - > 'explorer.exe'(2000)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Microsoft Virtual PC\VPCShExH.DLL
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Ahead\InCD\InCDsrv.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Motive\McciCMService.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\ZuneBusEnum.exe
c:\program files\Windows Media Player\WMPNetwk.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\windows\system32\wscntfy.exe
c:\program files\Viewpoint\Viewpoint Manager\ViewMgr.exe
.
**************************************************************************
.
Completion time: 2010-05-30 14:21:49 - machine was rebooted
ComboFix-quarantined-files.txt 2010-05-30 18:21

Pre-Run: 83,185,713,152 bytes free
Post-Run: 83,514,941,440 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

Current=3 Default=3 Failed=1 LastKnownGood=4 Sets=1,2,3,4
- - End Of File - - C95DC2BB1D13CA57B4CE32392BAA0F04


I was able to get rid of the problem by updating Malwarebytes/Spybot, but I want to be sure I get rid of the entire problem, so thanks.

ramirez3
Novice

Re: Need help removing BankerFox.A virus

Post by Belahzur on Sun May 30, 2010 10:19 pm

Hello.


  1. Close any open browsers.
  2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
  3. Open notepad and copy/paste the text in the quotebox below into it:
    Code:

    KILLALL::

    Folder::
    c:\documents and settings\Stephen\Local Settings\Application Data\hoqlqcrfs

    Registry::
    [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
    "NoSetActiveDesktop"=-

    DDS::
    uInternet Settings,ProxyOverride =
    uInternet Settings,ProxyServer = http=127.0.0.1:5555

    RegLock::
    [HKEY_USERS\S-1-5-21-1436377304-323887150-1316774145-1005\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID]
  4. Save this as CFScript.txt, in the same location as ComboFix.exe



  5. Referring to the picture above, drag CFScript into ComboFix.exe
  6. When finished, it shall produce a log for you at C:\ComboFix.txt
  7. Please post the contents of the log in your next reply.


Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator

Re: Need help removing BankerFox.A virus

Post by ramirez3 on Mon May 31, 2010 3:08 pm

OK, after it finished running this time and rebooted, it was stuck at the shutdown screen all night, so I went ahead and restarted it myself. Here's the log it produced.

ComboFix 10-05-29.05 - Stephen 05/31/2010 2:10.2.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2047.1489 [GMT -4:00]
Running from: c:\documents and settings\Stephen\My Documents\Combo-Fix.exe
Command switches used :: c:\documents and settings\Stephen\Desktop\CFScript.txt
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Stephen\Local Settings\Application Data\hoqlqcrfs

.
((((((((((((((((((((((((( Files Created from 2010-04-28 to 2010-05-31 )))))))))))))))))))))))))))))))
.

2010-05-30 21:18 . 2010-05-30 21:18 503808 ----a-w- c:\documents and settings\Stephen\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-2a6665a2-n\msvcp71.dll
2010-05-30 21:18 . 2010-05-30 21:18 499712 ----a-w- c:\documents and settings\Stephen\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-2a6665a2-n\jmc.dll
2010-05-30 21:18 . 2010-05-30 21:18 348160 ----a-w- c:\documents and settings\Stephen\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-2a6665a2-n\msvcr71.dll
2010-05-30 21:18 . 2010-05-30 21:18 61440 ----a-w- c:\documents and settings\Stephen\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-738a09c6-n\decora-sse.dll
2010-05-30 21:18 . 2010-05-30 21:18 12800 ----a-w- c:\documents and settings\Stephen\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-738a09c6-n\decora-d3d.dll
2010-05-30 18:07 . 2010-05-30 18:21 -------- d-----w- C:\Combo-Fix
2010-05-29 15:59 . 2010-05-29 16:40 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-05-28 05:34 . 2010-05-28 05:34 -------- d-----w- c:\documents and settings\Stephen\Local Settings\Application Data\AIM Toolbar

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-30 21:18 . 2007-05-08 01:22 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2010-05-30 18:40 . 2010-01-16 17:13 -------- d-----w- c:\program files\Carambis
2010-05-30 18:40 . 2005-07-20 07:50 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-05-29 18:16 . 2008-12-31 20:06 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-29 18:12 . 2006-10-11 17:46 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-04-20 06:09 . 2010-05-11 17:52 28 ------w- c:\documents and settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4506.2.4\unregister.bat
2010-04-17 02:12 . 2010-04-17 02:12 48464 ----a-w- c:\windows\system32\sirenacm.dll
2010-04-14 16:12 . 2010-03-31 07:24 -------- d-----w- c:\program files\Carbonite
2010-03-31 07:24 . 2010-03-31 07:24 61440 ----a-w- c:\documents and settings\Stephen\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-28b4d8c5-n\decora-sse.dll
2010-03-31 07:24 . 2010-03-31 07:24 503808 ----a-w- c:\documents and settings\Stephen\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-5a40034e-n\msvcp71.dll
2010-03-31 07:24 . 2010-03-31 07:24 499712 ----a-w- c:\documents and settings\Stephen\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-5a40034e-n\jmc.dll
2010-03-31 07:24 . 2010-03-31 07:24 348160 ----a-w- c:\documents and settings\Stephen\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-5a40034e-n\msvcr71.dll
2010-03-31 07:24 . 2010-03-31 07:24 12800 ----a-w- c:\documents and settings\Stephen\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-28b4d8c5-n\decora-d3d.dll
2010-03-14 06:20 . 2010-03-14 06:20 152576 ----a-w- c:\documents and settings\Stephen\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2010-03-14 06:20 . 2010-03-14 06:20 79488 ----a-w- c:\documents and settings\Stephen\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2010-03-10 06:15 . 2004-08-04 12:00 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-03-09 08:28 . 2009-05-25 23:22 411368 ----a-w- c:\windows\system32\deploytk.dll
2008-06-19 09:16 . 2008-06-19 09:16 118784 ----a-w- c:\program files\mozilla firefox\plugins\MyCamera.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2010-04-17 3872080]
"MySpaceIM"="c:\program files\MySpace\IM\MySpaceIM.exe" [2008-04-17 9117696]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"Aim"="c:\program files\AIM\aim.exe" [2010-04-19 3972440]
"tbon"="c:\program files\TBONBin\tbon.exe" [BU]
"gadcom"="c:\documents and settings\Stephen\Application Data\gadcom\gadcom.exe" [BU]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"SpybotDeletingB5425"="command" [X]
"SpybotDeletingD3758"="del" [X]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-03 32768]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-03-09 7561216]
"nwiz"="nwiz.exe" [2006-10-22 1622016]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-06-20 282624]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-03-09 86016]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2005-05-20 28160]
"Zune Launcher"="c:\program files\Zune\ZuneLauncher.exe" [2008-12-12 157312]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"NoIE4StubProcessing"="c:\windows\system32\reg.exe DELETE HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components" [X]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="c:\program files\MySpace\IM\MySpaceIM.exe" [2008-04-17 9117696]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\khfGxuRk]
[BU]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WB]
2001-12-21 03:34 24576 ----a-w- c:\program files\AlienGUIse\fastload.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@=""

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Samsung\\Samsung New PC Studio\\npsasvr.exe"=
"c:\\Program Files\\Samsung\\Samsung New PC Studio\\npsvsvr.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.2.0-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\Launcher.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=

R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [1/28/2007 2:38 PM 24652]
S3 Avgfwdx;Avgfwdx;c:\windows\system32\drivers\avgfwdx.sys [1/18/2010 10:41 PM 30104]
S3 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwdx.sys [1/18/2010 10:41 PM 30104]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\26B.tmp --> c:\windows\system32\26B.tmp [?]
S3 sscebus;SAMSUNG USB Composite Device V2 driver (WDM);c:\windows\system32\drivers\sscebus.sys [1/29/2010 12:05 PM 90240]
S3 sscemdfl;SAMSUNG Mobile Modem V2 Filter;c:\windows\system32\drivers\sscemdfl.sys [1/29/2010 12:05 PM 14976]
S3 sscemdm;SAMSUNG Mobile Modem V2 Drivers;c:\windows\system32\drivers\sscemdm.sys [1/29/2010 12:05 PM 121856]
.
Contents of the 'Scheduled Tasks' folder

2010-05-13 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]
.
.
------- Supplementary Scan -------
.
mSearch Bar = [You must be registered and logged in to see this link.]
uSearchURL,(Default) = [You must be registered and logged in to see this link.]
IE: &Search
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
FF - ProfilePath - c:\documents and settings\Stephen\Application Data\Mozilla\Firefox\Profiles\mu6d7r14.default\
FF - prefs.js: browser.search.defaulturl - [You must be registered and logged in to see this link.]
FF - prefs.js: browser.startup.homepage - neogaf.com
FF - prefs.js: keyword.URL - [You must be registered and logged in to see this link.]
FF - component: c:\documents and settings\Stephen\Application Data\Mozilla\Firefox\Profiles\mu6d7r14.default\extensions\{c2f863cd-0429-48c7-bb54-db756a951760}\components\MailUtil.dll
FF - plugin: c:\documents and settings\Stephen\Application Data\Mozilla\Firefox\Profiles\mu6d7r14.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071301000019.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPCIG.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdnupdater2.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: network.protocol-handler.warn-external.dnupdate - false);user_pref(network.protocol-handler.warn-external.dnupdate, false
FF - user.js: browser.sessionstore.resume_from_crash - false
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.
- - - - ORPHANS REMOVED - - - -

BHO-{C5B24B16-23F2-41AD-F4E4-00ABC39C0004} - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2010-05-31 11:00
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\26B.tmp"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(836)
c:\program files\AlienGUIse\fastload.dll

- - - - - - - > 'explorer.exe'(4008)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Microsoft Virtual PC\VPCShExH.DLL
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Ahead\InCD\InCDsrv.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Motive\McciCMService.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Windows Media Player\WMPNetwk.exe
c:\windows\system32\ZuneBusEnum.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\program files\Viewpoint\Viewpoint Manager\ViewMgr.exe
c:\windows\system32\wscntfy.exe
c:\program files\Windows Live\Contacts\wlcomm.exe
.
**************************************************************************
.
Completion time: 2010-05-31 11:04:56 - machine was rebooted
ComboFix-quarantined-files.txt 2010-05-31 15:04
ComboFix2.txt 2010-05-30 18:21

Pre-Run: 83,555,201,024 bytes free
Post-Run: 83,511,721,984 bytes free

Current=3 Default=3 Failed=1 LastKnownGood=4 Sets=1,2,3,4
- - End Of File - - 04C34A56A4BCE48082DC9A27F658C16D

ramirez3
Novice

Re: Need help removing BankerFox.A virus

Post by Belahzur on Mon May 31, 2010 11:35 pm

Hello.

  1. Close any open browsers.
  2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
  3. Open notepad and copy/paste the text in the quotebox below into it:
    Code:

    Registry::
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "gadcom"=-
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
    "SpybotDeletingB5425"=-
    "SpybotDeletingD3758"=-
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
    "NoIE4StubProcessing"=-
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\khfGxuRk]
    [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
  4. Save this as CFScript.txt, in the same location as ComboFix.exe



  5. Referring to the picture above, drag CFScript into ComboFix.exe
  6. When finished, it shall produce a log for you at C:\ComboFix.txt
  7. Please post the contents of the log in your next reply.


Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
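The two CFScript posts above act on a recurring set of indicators in the pasted ComboFix logs: a user-level ProxyServer pointing at 127.0.0.1:5555 (every browser request is routed through a local process, which is why the first script's DDS:: section clears it), autorun values that ComboFix tagged [BU] or [X] instead of the usual [date size] stamp, a Winlogon Notify subkey (khfGxuRk) with no file record under it, and a registry key marked @Denied that the first script unlocks with RegLock::. As an added example, not part of this thread and not ComboFix's own code, the Python script below reads ComboFix-style log lines and flags those four classes so a helper can see at a glance what a fix script would need to address. The sample input is constructed from lines that appear in the logs above; the category names and the regular expressions are assumptions of this example, not a ComboFix format specification.

```python
"""Triage helper for ComboFix-style logs (added example, not ComboFix's own code)."""
import re

# Constructed sample: lines excerpted from the ComboFix logs posted in this thread.
SAMPLE_LOG = r"""
uInternet Settings,ProxyServer = http=127.0.0.1:5555
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2010-04-17 3872080]
"gadcom"="c:\documents and settings\Stephen\Application Data\gadcom\gadcom.exe" [BU]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"SpybotDeletingB5425"="command" [X]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\khfGxuRk]
[BU]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WB]
2001-12-21 03:34 24576 ----a-w- c:\program files\AlienGUIse\fastload.dll
[HKEY_USERS\S-1-5-21-1436377304-323887150-1316774145-1005\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID]
@Denied: (Full) (LocalSystem)
"""

# A ProxyServer value that points at a loopback port (optionally prefixed "http=").
PROXY_RE = re.compile(r"ProxyServer\s*=\s*(?:\w+=)?(127\.0\.0\.1|localhost):(\d+)", re.I)
# Autorun value whose trailer is a ComboFix status tag ([BU] or [X]) rather than "[date size]".
AUTORUN_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<target>[^"]*)"\s*\[(?P<tag>BU|X)\]\s*$')
# Registry key header line, e.g. [HKEY_CURRENT_USER\...\Run]
KEY_RE = re.compile(r"^\[(?P<key>HKEY_[^\]]+)\]$")
# Winlogon Notify subkey name at the end of a key header.
NOTIFY_RE = re.compile(r"\\winlogon\\notify\\(?P<sub>[^\]]+)\]$", re.I)
# A normal file record under a key: "YYYY-MM-DD HH:MM size attrs path".
FILE_RECORD_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} \d+ [-a-z]{8} ")
DENIED_RE = re.compile(r"^@Denied:")


def triage(log_text):
    """Return a list of (category, detail) findings for ComboFix-style log text."""
    findings = []
    lines = [ln.rstrip() for ln in log_text.splitlines()]
    current_key = None  # most recent [HKEY_...] header, used to qualify values under it
    for i, line in enumerate(lines):
        m = KEY_RE.match(line)
        if m:
            current_key = m.group("key")
            nm = NOTIFY_RE.search(line)
            if nm:
                # A Notify subkey should be followed by a file record; a bare tag
                # such as [BU] means ComboFix could not tie it to a verifiable DLL.
                nxt = lines[i + 1] if i + 1 < len(lines) else ""
                if not FILE_RECORD_RE.match(nxt):
                    findings.append(("winlogon-notify-unverified", nm.group("sub")))
            continue
        m = PROXY_RE.search(line)
        if m:
            findings.append(("loopback-proxy", f"{m.group(1)}:{m.group(2)}"))
            continue
        m = AUTORUN_RE.match(line)
        if m:
            detail = f"{current_key}\\{m.group('name')} [{m.group('tag')}]"
            findings.append(("autorun-unverified", detail))
            continue
        if DENIED_RE.match(line) and current_key:
            findings.append(("locked-key", current_key))
    return findings


def summarize(findings):
    """Count findings per category, e.g. {"loopback-proxy": 1, ...}."""
    counts = {}
    for category, _ in findings:
        counts[category] = counts.get(category, 0) + 1
    return counts


if __name__ == "__main__":
    for category, detail in triage(SAMPLE_LOG):
        print(f"{category:28} {detail}")
    print(summarize(triage(SAMPLE_LOG)))
```

Run it against a full ComboFix.txt by reading the file into `triage()`; entries with a proper `[date size]` stamp (MsnMsgr above, or the WB Notify key backed by fastload.dll) are deliberately not reported, so the output stays limited to the items a helper would actually put into a CFScript.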

Re: Need help removing BankerFox.A virus

Post by ramirez3 on Tue Jun 01, 2010 3:43 pm

ComboFix 10-05-31.03 - Stephen 06/01/2010 4:27.3.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2047.1506 [GMT -4:00]
Running from: c:\documents and settings\Stephen\My Documents\Combo-Fix.exe
Command switches used :: c:\documents and settings\Stephen\My Documents\CFScript.txt
.

((((((((((((((((((((((((( Files Created from 2010-05-01 to 2010-06-01 )))))))))))))))))))))))))))))))
.

2010-06-01 08:24 . 2010-06-01 08:24 -------- d-----w- C:\Combo-Fix31217C
2010-05-30 21:18 . 2010-05-30 21:18 503808 ----a-w- c:\documents and settings\Stephen\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-2a6665a2-n\msvcp71.dll
2010-05-30 21:18 . 2010-05-30 21:18 499712 ----a-w- c:\documents and settings\Stephen\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-2a6665a2-n\jmc.dll
2010-05-30 21:18 . 2010-05-30 21:18 348160 ----a-w- c:\documents and settings\Stephen\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-2a6665a2-n\msvcr71.dll
2010-05-30 21:18 . 2010-05-30 21:18 61440 ----a-w- c:\documents and settings\Stephen\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-738a09c6-n\decora-sse.dll
2010-05-30 21:18 . 2010-05-30 21:18 12800 ----a-w- c:\documents and settings\Stephen\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-738a09c6-n\decora-d3d.dll
2010-05-30 18:07 . 2010-05-30 18:21 -------- d-----w- C:\Combo-Fix
2010-05-29 15:59 . 2010-05-29 16:40 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-05-28 05:34 . 2010-05-28 05:34 -------- d-----w- c:\documents and settings\Stephen\Local Settings\Application Data\AIM Toolbar

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-30 21:18 . 2007-05-08 01:22 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2010-05-30 18:40 . 2010-01-16 17:13 -------- d-----w- c:\program files\Carambis
2010-05-30 18:40 . 2005-07-20 07:50 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-05-29 18:16 . 2008-12-31 20:06 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-29 18:12 . 2006-10-11 17:46 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-04-20 06:09 . 2010-05-11 17:52 28 ------w- c:\documents and settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4506.2.4\unregister.bat
2010-04-17 02:12 . 2010-04-17 02:12 48464 ----a-w- c:\windows\system32\sirenacm.dll
2010-04-14 16:12 . 2010-03-31 07:24 -------- d-----w- c:\program files\Carbonite
2010-03-31 07:24 . 2010-03-31 07:24 61440 ----a-w- c:\documents and settings\Stephen\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-28b4d8c5-n\decora-sse.dll
2010-03-31 07:24 . 2010-03-31 07:24 503808 ----a-w- c:\documents and settings\Stephen\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-5a40034e-n\msvcp71.dll
2010-03-31 07:24 . 2010-03-31 07:24 499712 ----a-w- c:\documents and settings\Stephen\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-5a40034e-n\jmc.dll
2010-03-31 07:24 . 2010-03-31 07:24 348160 ----a-w- c:\documents and settings\Stephen\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-5a40034e-n\msvcr71.dll
2010-03-31 07:24 . 2010-03-31 07:24 12800 ----a-w- c:\documents and settings\Stephen\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-28b4d8c5-n\decora-d3d.dll
2010-03-14 06:20 . 2010-03-14 06:20 152576 ----a-w- c:\documents and settings\Stephen\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2010-03-14 06:20 . 2010-03-14 06:20 79488 ----a-w- c:\documents and settings\Stephen\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2010-03-10 06:15 . 2004-08-04 12:00 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-03-09 08:28 . 2009-05-25 23:22 411368 ----a-w- c:\windows\system32\deploytk.dll
2008-06-19 09:16 . 2008-06-19 09:16 118784 ----a-w- c:\program files\mozilla firefox\plugins\MyCamera.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2010-04-17 3872080]
"MySpaceIM"="c:\program files\MySpace\IM\MySpaceIM.exe" [2008-04-17 9117696]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"Aim"="c:\program files\AIM\aim.exe" [2010-04-19 3972440]
"tbon"="c:\program files\TBONBin\tbon.exe" [BU]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-03 32768]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-03-09 7561216]
"nwiz"="nwiz.exe" [2006-10-22 1622016]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-06-20 282624]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-03-09 86016]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2005-05-20 28160]
"Zune Launcher"="c:\program files\Zune\ZuneLauncher.exe" [2008-12-12 157312]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="c:\program files\MySpace\IM\MySpaceIM.exe" [2008-04-17 9117696]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WB]
2001-12-21 03:34 24576 ----a-w- c:\program files\AlienGUIse\fastload.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@=""

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Samsung\\Samsung New PC Studio\\npsasvr.exe"=
"c:\\Program Files\\Samsung\\Samsung New PC Studio\\npsvsvr.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.2.0-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\Launcher.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=

R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [1/28/2007 2:38 PM 24652]
S3 Avgfwdx;Avgfwdx;c:\windows\system32\drivers\avgfwdx.sys [1/18/2010 10:41 PM 30104]
S3 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwdx.sys [1/18/2010 10:41 PM 30104]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\26B.tmp --> c:\windows\system32\26B.tmp [?]
S3 sscebus;SAMSUNG USB Composite Device V2 driver (WDM);c:\windows\system32\drivers\sscebus.sys [1/29/2010 12:05 PM 90240]
S3 sscemdfl;SAMSUNG Mobile Modem V2 Filter;c:\windows\system32\drivers\sscemdfl.sys [1/29/2010 12:05 PM 14976]
S3 sscemdm;SAMSUNG Mobile Modem V2 Drivers;c:\windows\system32\drivers\sscemdm.sys [1/29/2010 12:05 PM 121856]
.
Contents of the 'Scheduled Tasks' folder

2010-05-13 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]
.
.
------- Supplementary Scan -------
.
mSearch Bar = [You must be registered and logged in to see this link.]
uSearchURL,(Default) = [You must be registered and logged in to see this link.]
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
FF - ProfilePath - c:\documents and settings\Stephen\Application Data\Mozilla\Firefox\Profiles\mu6d7r14.default\
FF - prefs.js: browser.search.defaulturl - [You must be registered and logged in to see this link.]
FF - prefs.js: browser.startup.homepage - neogaf.com
FF - prefs.js: keyword.URL - [You must be registered and logged in to see this link.]
FF - component: c:\documents and settings\Stephen\Application Data\Mozilla\Firefox\Profiles\mu6d7r14.default\extensions\{c2f863cd-0429-48c7-bb54-db756a951760}\components\MailUtil.dll
FF - plugin: c:\documents and settings\Stephen\Application Data\Mozilla\Firefox\Profiles\mu6d7r14.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071301000019.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPCIG.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdnupdater2.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: network.protocol-handler.warn-external.dnupdate - false);user_pref(network.protocol-handler.warn-external.dnupdate, false
FF - user.js: browser.sessionstore.resume_from_crash - false
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.

**************************************************************************
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\26B.tmp"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(836)
c:\program files\AlienGUIse\fastload.dll

- - - - - - - > 'explorer.exe'(2152)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-06-01 04:31:10
ComboFix-quarantined-files.txt 2010-06-01 08:31
ComboFix2.txt 2010-05-31 15:04
ComboFix3.txt 2010-05-30 18:21

Pre-Run: 83,469,471,744 bytes free
Post-Run: 83,422,011,392 bytes free

Current=3 Default=3 Failed=1 LastKnownGood=4 Sets=1,2,3,4
- - End Of File - - 3E62A9A2D1DAB03595D5E27EB46A8244


Re: Need help removing BankerFox.A virus

Post by Belahzur on Tue Jun 01, 2010 9:12 pm

Hello.

Go to Start > Control Panel > Add/Remove Programs and remove the following programs.

    Adobe Reader 7.0
    J2SE Runtime Environment 5.0 Update 3
    J2SE Runtime Environment 5.0 Update 6
    J2SE Runtime Environment 5.0 Update 7
    J2SE Runtime Environment 5.0 Update 8
    J2SE Runtime Environment 5.0 Update 9
    J2SE Runtime Environment 5.0 Update 10
    Java(TM) 6 Update 2
    Java(TM) 6 Update 3
    Java(TM) 6 Update 5
    Java(TM) 6 Update 7
    Java(TM) 6 Update 19
    Viewpoint Manager (Remove Only)
    Viewpoint Media Player

Updating Java:

  • Download the latest version of [You must be registered and logged in to see this link.].
  • Click the "Download JRE" button to the right.
  • In the Window that opens, select your platform, check the "agree" box, and click Continue.
  • Click on the link to download Windows Offline Installation and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Then from your desktop double-click on jre-6u20-windows-i586.exe that you downloaded to install the newest version.

Then download and install [You must be registered and logged in to see this link.]



Re: Need help removing BankerFox.A virus

Post by ramirez3 on Wed Jun 02, 2010 4:17 am

Alright, did all of that, anything else I need to do?


Re: Need help removing BankerFox.A virus

Post by Belahzur on Wed Jun 02, 2010 8:27 pm

Run ESET Online Scan
Please do an online scan with [You must be registered and logged in to see this link.]. Please use Internet Explorer as it uses ActiveX.

  • Check (tick) this box: YES, I accept the Terms of Use.
  • Click on the Start button next to it.
  • When prompted to run ActiveX, click Yes.
  • You will be asked to install an ActiveX. Click Install.
  • Once installed, the scanner will be initialized.
  • After the scanner is initialized, click Start.
  • Check (tick) Remove found threats box.
  • Check (tick) Scan unwanted applications.
  • Click on Scan.
  • It will start scanning. Please be patient.
  • Once the scan is done, the log will be saved here: C:\Program Files\esetonlinescanner\log.txt.



Re: Need help removing BankerFox.A virus

Post by ramirez3 on Thu Jun 03, 2010 5:56 am

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=2278c16a857001408f5424eaf07b28be
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-06-03 04:45:36
# local_time=2010-06-03 12:45:36 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=768 16777215 100 0 43951795 43951795 0 0
# compatibility_mode=1024 16777215 100 0 0 0 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=66243
# found=8
# cleaned=8
# scan_time=5214
C:\Documents and Settings\All Users\Application Data\AOL Downloads\SUD4131\setup.exe probably a variant of Win32/Agent trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\FraudAntivirusSystemPro1.zip Win32/Bagle.gen.zip worm (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinAgentwiw.zip Win32/Bagle.gen.zip worm (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinAgentwiw1.zip Win32/Bagle.gen.zip worm (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinAgentwu.zip Win32/Bagle.gen.zip worm (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\ejkyugpp.sys.vir Win32/Bubnix.AF trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{810CFDD6-55CA-42B7-84DB-5CCE2DF017C1}\RP1\A0000048.sys Win32/Bubnix.AF trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{810CFDD6-55CA-42B7-84DB-5CCE2DF017C1}\RP19\A0003101.exe probably a variant of Win32/Agent trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

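An added example, not from the thread or from ESET, that parses the Online Scanner log format posted above (`# key=value` header lines followed by one result line per hit). It checks that the scan finished and that `found`, `cleaned` and the number of result lines agree, and separates hits in live locations from copies that were already sitting in another tool's quarantine or a System Restore point; the three result lines in the sample are copied from the log above, and the location markers are my own assumption about which folders hold inactive copies.

```python
import re

# Constructed sample: header keys and three result lines copied from the ESET log in this thread.
SAMPLE_LOG = """\
# version=7
# end=finished
# remove_checked=true
# found=3
# cleaned=3
C:\\Documents and Settings\\All Users\\Application Data\\AOL Downloads\\SUD4131\\setup.exe probably a variant of Win32/Agent trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\\Qoobox\\Quarantine\\C\\WINDOWS\\system32\\drivers\\ejkyugpp.sys.vir Win32/Bubnix.AF trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\\System Volume Information\\_restore{810CFDD6-55CA-42B7-84DB-5CCE2DF017C1}\\RP1\\A0000048.sys Win32/Bubnix.AF trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
"""

# One result line: <path> <threat name> (<action>) <32 hex chars> <flag>
RESULT_RE = re.compile(r"^(?P<head>.+) \((?P<action>[^)]*)\) (?P<hash>[0-9A-Fa-f]{32}) (?P<flag>\S+)$")
# Assumed markers for paths holding inactive copies (other tools' quarantine/backup, System Restore)
INACTIVE_MARKERS = ("\\qoobox\\quarantine\\", "\\system volume information\\", "search & destroy\\recovery\\")

def parse_eset_log(text):
    """Return (header dict, list of detection dicts) from ESET Online Scanner log text."""
    header, detections = {}, []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("# "):                      # '# key=value' header line
            key, _, value = line[2:].partition("=")
            header.setdefault(key, value)              # repeated keys keep the first value
            continue
        m = RESULT_RE.match(line)
        if not m:
            continue                                   # banner lines such as the CAB hook log
        # The path contains spaces; it ends at the last token holding a backslash
        # (threat names use forward slashes, e.g. Win32/Agent), which separates it from the threat.
        tokens = m.group("head").split(" ")
        last = max((i for i, t in enumerate(tokens) if "\\" in t), default=-1)
        if last < 0:
            continue
        path, threat = " ".join(tokens[:last + 1]), " ".join(tokens[last + 1:])
        detections.append({"path": path, "threat": threat, "action": m.group("action"),
                           "live": not any(k in path.lower() for k in INACTIVE_MARKERS)})
    return header, detections

def summarize(text):
    """Checks a helper wants: did the scan finish, do the counts agree, which hits were live?"""
    header, dets = parse_eset_log(text)
    found, cleaned = int(header.get("found", 0)), int(header.get("cleaned", 0))
    return {"finished": header.get("end") == "finished", "found": found, "cleaned": cleaned,
            "counts_consistent": found == cleaned == len(dets),
            "live_paths": [d["path"] for d in dets if d["live"]],
            "families": sorted({d["threat"] for d in dets})}
```

On the full log above, only the AOL Downloads `setup.exe` is a live-location hit; the other seven are copies in Spybot's recovery folder, ComboFix's Qoobox quarantine, or System Restore points.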

Re: Need help removing BankerFox.A virus

Post by Belahzur on Thu Jun 03, 2010 9:26 pm

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /uninstall

This will also reset your restore points.

How is the machine running now?



Re: Need help removing BankerFox.A virus

Post by ramirez3 on Fri Jun 04, 2010 3:10 am

It seems to be completely fixed, thanks so much for the help.
