RookitAgentNotRemovedOnRestart


RookitAgentNotRemovedOnRestart

Post by ckelliher on 16th June 2010, 2:22 pm

My apologies, the spacebar doesn't work after trying to remove Rootkit Agent on restart with Malwarebytes' Anti-Malware.

%systemroot%\*. /mp /s
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\system32\*.exe /lockedfiles
%systemroot%\Tasks\*.job /lockedfiles
%systemroot%\system32\drivers\*.sys /lockedfiles
%systemroot%\System32\config\*.sav
%systemroot%\system32\*.sys
%systemroot%\system32\drivers\*.dll
%systemroot%\system32\drivers\*.ini
%systemroot%\system32\drivers\*.exe
%SYSTEMDRIVE%\*.*
%PROGRAMFILES%\*.
%appdata%\*.*
netsvcs
msconfig
safebootminimal
safebootnetwork
activex
drivers32
/md5start
eventlog.dll
scecli.dll
netlogon.dll
cngaudit.dll
sceclt.dll
ntelogon.dll
logevent.dll
iaStor.sys
nvstor.sys
atapi.sys
IdeChnDr.sys
viasraid.sys
AGP440.sys
vaxscsi.sys
nvatabus.sys
viamraid.sys
nvata.sys
nvgts.sys
iastorv.sys
ViPrt.sys
eNetHook.dll
ahcix86.sys
KR10N.sys
disk.sys
nvstor32.sys
ahcix86s.sys
nvrd32.sys
symmpi.sys
adp3132.sys
mv61xx.sys
usbstor.sys
/md5stop
CREATERESTOREPOINT
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs

Please help me remove this.
Sincerely,
Cat Kelliher

ckelliher
Novice
Posts: 9
Joined: 2010-06-16
OS: WindowsXP
Points: 23813
Likes: 0

Re: RookitAgentNotRemovedOnRestart

Post by Sneakyone on 16th June 2010, 3:11 pm

Hello and welcome to GeekPolice.net.

My name is Sneakyone, and I will do my best to help get your problem resolved today.

I am currently a student in GeekPolice Academy, and will be a little delayed on each reply, as my instructors must review and approve each reply.

If you have any questions, please ask, and I will do my best to get to the question promptly.

Please wait here, while I get the first set of instructions for you.

Sneakyone
Master
Posts: 2707
Joined: 2010-01-10
Gender: Male
OS: Windows 7 Ultimate 64-bit
Protection: Avast, Comodo Firewall, and Malwarebytes' Anti-Malware
Points: 56124
Likes: 0

Re: RookitAgentNotRemovedOnRestart

Post by Sneakyone on 16th June 2010, 3:20 pm

Hi ckelliher,

Welcome to GeekPolice.net.

My username is Sneakyone and I will be assisting you on your issue today.

Download OTL to your Desktop

  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • Under the Custom Scan box paste this in

    netsvcs
    msconfig
    safebootminimal
    safebootnetwork
    activex
    drivers32
    %SYSTEMDRIVE%\*.exe
    %systemroot%\*. /mp /s
    c:\$recycle.bin\*.* /s
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    nvstor32.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    explorer.exe
    svchost.exe
    userinit.exe
    qmgr.dll
    ws2_32.dll
    proquota.exe
    imm32.dll
    kernel32.dll
    ndis.sys
    autochk.exe
    spoolsv.exe
    xmlprov.dll
    ntmssvc.dll
    mswsock.dll
    Beep.SYS
    ntfs.sys
    termsrv.dll
    sfcfiles.dll
    st3shark.sys
    ahcix86.sys
    srsvc.dll
    nvrd32.sys
    /md5stop
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles

  • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two Notepad windows, OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time


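Added example (not from this thread, from OTL, or from GeekPolice): a small Python triage script for the OTL.Txt output that the steps above produce. The line formats it parses are inferred from the log posted later in this thread, and the three review heuristics (an executable under the Windows directory whose company field is empty, a browser proxy set to 127.0.0.1, and a load point whose target file is missing) are my own assumptions about what a helper would look at first; a hit means the entry deserves a second look, not that it is malware. The sample log is a constructed excerpt of lines taken from the posted log.

```python
"""Triage helper for OTL scan logs (added example; not OTL's own code).

The line formats below are inferred from the OTL.Txt posted in this thread.
The three heuristics are the author's assumptions about what to review first;
a hit is a review item, not a malware verdict.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# PRC/MOD/SRV/DRV entries and file listings:
# "[date | size | attrs | M] (Company) [optional state] -- path [-- (ServiceName)]"
ENTRY_RE = re.compile(
    r"\[(?P<date>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| (?P<size>[\d,]+) \| "
    r"(?P<attrs>[-A-Za-z]{4}) \| [MC]\] \((?P<company>.*?)\)(?: \[[^\]]*\])? -- "
    r"(?P<path>.+?)(?: -- \([^)]*\))?$"
)
# O4 Run keys: "O4 - HKLM..\Run: [Name] path (Company)" or "... path File not found"
O4_RE = re.compile(
    r"^O4 - (?P<hive>HK[A-Z]+)\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<path>.+?)"
    r"(?: \((?P<company>[^()]*)\)| (?P<missing>File not found))$"
)
LOOPBACK_RE = re.compile(r"(?<![\d.])127\.0\.0\.1(?![\d.])")
WINDOWS_DIR = "c:\\windows\\"  # %SystemRoot% on the posted system
EXECUTABLE_EXTS = (".exe", ".dll", ".sys", ".ocx", ".scr")
# BHOs, Run keys, protocol handlers, Winlogon entries, AppCertDlls
LOAD_POINT_PREFIXES = ("O2 ", "O4 ", "O18", "O20", "O36")


@dataclass
class Finding:
    rule: str
    line: str
    note: str


def triage_line(line: str) -> List[Finding]:
    """Apply the review heuristics to one OTL log line."""
    line = line.rstrip()
    findings: List[Finding] = []
    if not line:
        return findings
    lower = line.lower()

    # 1. IE ProxyServer / Firefox network.proxy.* pointing at loopback:
    #    browser traffic is being relayed through a local process.
    if "proxy" in lower and LOOPBACK_RE.search(line):
        findings.append(Finding("loopback-proxy", line,
                                "browser proxy set to 127.0.0.1; identify the local listener"))

    # 2. Autostart/load point whose target is gone: a removal left the key
    #    behind, or the file is hidden from the scanner.
    if line.startswith(LOAD_POINT_PREFIXES) and line.endswith("File not found"):
        findings.append(Finding("dangling-load-point", line,
                                "load point targets a missing file; clean the key or check for hiding"))

    # 3. Executable under %SystemRoot% whose company field is empty "()".
    company = path = None
    m = ENTRY_RE.search(line)
    if m:
        company, path = m.group("company"), m.group("path")
    else:
        m = O4_RE.match(line)
        if m and m.group("missing") is None:
            company, path = m.group("company"), m.group("path")
    if (path is not None and company == ""
            and path.lower().startswith(WINDOWS_DIR)
            and path.lower().endswith(EXECUTABLE_EXTS)):
        findings.append(Finding("no-company-in-systemroot", line,
                                "executable in the Windows directory with no company name; verify hash/signature"))
    return findings


def triage_log(text: str) -> List[Finding]:
    """Run triage_line over every line of an OTL.Txt and collect the hits."""
    hits: List[Finding] = []
    for line in text.splitlines():
        hits.extend(triage_line(line))
    return hits


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count hits per rule, handy for a quick first look at a long log."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.rule] = counts.get(f.rule, 0) + 1
    return counts


# Constructed sample: an excerpt of lines copied from the log posted in this thread.
SAMPLE_LOG = r"""
PRC - [2007/06/13 03:23:07 | 001,033,216 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
MOD - [2007/03/08 08:36:28 | 000,161,280 | ---- | M] () -- C:\WINDOWS\uhafinohazozahuy.dll
DRV - [2010/01/20 17:53:06 | 000,013,192 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\epmntdrv.sys -- (epmntdrv)
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:1043
FF - prefs.js..network.proxy.http: "127.0.0.1"
O4 - HKLM..\Run: [Inokasazasaza] C:\WINDOWS\uhafinohazozahuy.DLL ()
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.DLL (NVIDIA Corporation)
O4 - HKCU..\Run: [MyWGU Messenger] C:\Program Files\MyWGU Messenger\MyWGU-Messenger.exe File not found
O36 - AppCertDlls: autotson - (C:\WINDOWS\system32\rundinst.dll) - C:\WINDOWS\System32\rundinst.dll File not found
[2010/06/16 09:38:34 | 000,741,376 | ---- | M] () -- C:\WINDOWS\System32\drivers\qlnnj.sys
[2010/06/16 06:44:26 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
"""

if __name__ == "__main__":
    hits = triage_log(SAMPLE_LOG)
    for f in hits:
        print(f"[{f.rule}] {f.line}\n    -> {f.note}")
    print(summarize(hits))
```

To use it on a real run, read the saved OTL.Txt into a string and pass it to `triage_log`. The empty-company rule deliberately ignores data files such as bootstat.dat and only fires on executable extensions, and a legitimate unsigned driver will still trip it: the point of the script is to shorten the list a helper reads by hand, so every hit should be confirmed against the file's hash or signature before anything is removed.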

Re: RookitAgentNotRemovedOnRestart

Post by ckelliher on 16th June 2010, 8:35 pm

Hiya Sneakyone,

I attempted to reply twice but just in case you were unable to retrieve the data (because my computer isn't well) from OTL I wanted to at least say thanks for your response and that the space bar is working again. Please advise when you get a chance.

Sincerely,
Cat


Re: RookitAgentNotRemovedOnRestart

Post by ckelliher on 16th June 2010, 8:54 pm

OTL logfile created on: 6/16/2010 9:38:10 AM - Run 1
OTL by OldTimer - Version 3.2.6.0 Folder = C:\Documents and Settings\Sarah\Desktop
Windows XP Home Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.2180)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 68.00% Memory free
3.00 Gb Paging File | 3.00 Gb Available in Paging File | 90.00% Paging File free
Paging file location(s): C:\pagefile.sys 1524 3048 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 71.15 Gb Total Space | 10.65 Gb Free Space | 14.97% Space Free | Partition Type: NTFS
Drive D: | 7.77 Gb Total Space | 0.00 Gb Free Space | 0.00% Space Free | Partition Type: UDF
E: Drive not present or media not loaded
Drive F: | 614.91 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: UDF
Drive G: | 465.11 Gb Total Space | 348.03 Gb Free Space | 74.83% Space Free | Partition Type: NTFS
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: ALBIONDESKTOP
Current User Name: Sarah
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 90 Days
Output = Standard
Quick Scan

========== Processes (SafeList) ==========

PRC - [2010/06/16 07:15:58 | 000,572,416 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Sarah\Desktop\OTL.exe
PRC - [2008/10/21 10:09:59 | 000,050,472 | ---- | M] (AOL LLC) -- C:\Program Files\AIM6\aim6.exe
PRC - [2008/09/12 09:45:48 | 000,036,352 | ---- | M] () -- C:\Program Files\Winamp\winampa.exe
PRC - [2008/01/11 16:54:52 | 000,166,304 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Zune\ZuneLauncher.exe
PRC - [2008/01/11 16:54:42 | 000,061,856 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\ZuneBusEnum.exe
PRC - [2007/11/21 20:44:41 | 000,185,632 | ---- | M] (RealNetworks, Inc.) -- C:\Program Files\Common Files\Real\Update_OB\realsched.exe
PRC - [2007/10/23 13:19:06 | 001,410,344 | ---- | M] (Nero AG) -- C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
PRC - [2007/10/23 13:18:46 | 000,202,024 | ---- | M] (Nero AG) -- C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe
PRC - [2007/10/08 14:50:56 | 000,041,824 | ---- | M] (AOL LLC) -- C:\Program Files\AIM6\aolsoftware.exe
PRC - [2007/09/25 00:11:35 | 000,132,496 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
PRC - [2007/09/18 15:30:50 | 000,110,592 | ---- | M] (Last.fm) -- C:\Program Files\Last.fm\LastFMHelper.exe
PRC - [2007/06/13 03:23:07 | 001,033,216 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007/05/14 17:26:06 | 001,261,568 | ---- | M] () -- C:\Program Files\NETGEAR\WG111v2\WG111v2.exe
PRC - [2007/01/04 14:38:08 | 000,024,652 | ---- | M] (Viewpoint Corporation) -- C:\Program Files\Viewpoint\Common\ViewpointService.exe
PRC - [2006/02/10 16:17:04 | 000,282,624 | ---- | M] (SigmaTel, Inc.) -- C:\WINDOWS\stsystra.exe
PRC - [2005/10/05 01:12:00 | 000,094,208 | ---- | M] () -- C:\Program Files\Dell\Media Experience\DMXLauncher.exe
PRC - [2005/09/08 03:20:00 | 000,122,940 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\system32\DLA\DLACTRLW.EXE


========== Modules (SafeList) ==========

MOD - [2010/06/16 07:15:58 | 000,572,416 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Sarah\Desktop\OTL.exe
MOD - [2009/07/12 02:12:06 | 000,632,656 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\msvcr80.dll
MOD - [2009/03/06 05:33:26 | 000,961,888 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Office\Office12\GrooveUtil.dll
MOD - [2009/02/12 16:19:38 | 000,178,040 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
MOD - [2009/02/12 16:19:32 | 002,217,848 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
MOD - [2008/10/25 12:44:34 | 000,022,872 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Office\Office12\GrooveNew.dll
MOD - [2007/03/08 08:36:28 | 000,161,280 | ---- | M] () -- C:\WINDOWS\uhafinohazozahuy.dll
MOD - [2006/12/01 21:56:00 | 000,096,256 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.VC80.ATL_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_cbb27474\ATL80.dll
MOD - [2006/08/25 08:45:55 | 001,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03\comctl32.dll
MOD - [2004/08/04 03:00:00 | 000,152,576 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\rsaenh.dll
MOD - [2004/08/04 03:00:00 | 000,102,400 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msscript.ocx
MOD - [2004/08/04 03:00:00 | 000,059,904 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\cabinet.dll


========== Win32 Services (SafeList) ==========

SRV - [2008/01/11 16:55:38 | 002,138,528 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Zune\ZuneNss.exe -- (ZuneNetworkSvc)
SRV - [2008/01/11 16:54:58 | 000,245,664 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\ZuneWlanCfgSvc.exe -- (ZuneWlanCfgSvc)
SRV - [2008/01/11 16:54:42 | 000,061,856 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\ZuneBusEnum.exe -- (ZuneBusEnum)
SRV - [2007/01/04 14:38:08 | 000,024,652 | ---- | M] (Viewpoint Corporation) [Auto | Running] -- C:\Program Files\Viewpoint\Common\ViewpointService.exe -- (Viewpoint Manager Service)


========== Driver Services (SafeList) ==========

DRV - [2010/01/20 17:53:06 | 000,013,192 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\epmntdrv.sys -- (epmntdrv)
DRV - [2010/01/20 17:53:04 | 000,008,456 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\EuGdiDrv.sys -- (EuGdiDrv)
DRV - [2008/01/11 16:39:34 | 000,040,832 | ---- | M] (Microsoft Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\zumbus.sys -- (zumbus)
DRV - [2007/11/15 13:30:48 | 000,034,064 | ---- | M] (CACE Technologies) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\npf.sys -- (npf)
DRV - [2007/10/04 16:14:00 | 006,854,464 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nv4_mini.sys -- (nv)
DRV - [2007/02/06 21:22:24 | 000,194,304 | ---- | M] (NETGEAR Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\wg111v2.sys -- (RTLWUSB)
DRV - [2006/06/02 03:17:30 | 000,014,336 | R--- | M] (Thomson Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\NetRcaCmXP.sys -- (USB_NDISXP)
DRV - [2006/02/10 16:19:12 | 001,107,224 | ---- | M] (SigmaTel, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\sthda.sys -- (STHDA)
DRV - [2006/01/10 10:07:58 | 000,004,864 | ---- | M] (GTek Technologies Ltd.) [Kernel | On_Demand | Stopped] -- C:\Program Files\Dell Support\GTAction\triggers\DSproct.sys -- (DSproct)
DRV - [2005/09/12 01:30:00 | 000,089,264 | ---- | M] (Sonic Solutions) [Kernel | Boot | Running] -- C:\WINDOWS\System32\Drivers\DRVMCDB.SYS -- (DRVMCDB)
DRV - [2005/09/08 03:20:00 | 000,094,332 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAUDFAM.SYS -- (DLAUDFAM)
DRV - [2005/09/08 03:20:00 | 000,087,036 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAUDF_M.SYS -- (DLAUDF_M)
DRV - [2005/09/08 03:20:00 | 000,086,524 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAIFS_M.SYS -- (DLAIFS_M)
DRV - [2005/09/08 03:20:00 | 000,025,628 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLABOIOM.SYS -- (DLABOIOM)
DRV - [2005/09/08 03:20:00 | 000,014,684 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAOPIOM.SYS -- (DLAOPIOM)
DRV - [2005/09/08 03:20:00 | 000,006,364 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAPoolM.SYS -- (DLAPoolM)
DRV - [2005/09/08 03:20:00 | 000,002,496 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLADResN.SYS -- (DLADResN)
DRV - [2005/08/25 10:16:52 | 000,005,628 | ---- | M] (Sonic Solutions) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\DLACDBHM.SYS -- (DLACDBHM)
DRV - [2005/08/25 10:16:16 | 000,022,684 | ---- | M] (Sonic Solutions) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\DLARTL_N.SYS -- (DLARTL_N)
DRV - [2005/08/12 03:20:00 | 000,040,544 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\DRVNDDM.SYS -- (DRVNDDM)
DRV - [2004/08/12 15:45:54 | 000,137,728 | ---- | M] (Windows (R) Server 2003 DDK provider) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\Hdaudbus.sys -- (HDAudBus)
DRV - [2004/08/03 21:07:44 | 000,043,008 | ---- | M] (Advanced Micro Devices, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\amdagp.sys -- (amdagp)
DRV - [2004/08/03 21:07:44 | 000,041,088 | ---- | M] (Silicon Integrated Systems Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\sisagp.sys -- (sisagp)
DRV - [2001/08/17 12:07:44 | 000,019,072 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\sparrow.sys -- (Sparrow)
DRV - [2001/08/17 12:07:42 | 000,030,688 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\sym_u3.sys -- (sym_u3)
DRV - [2001/08/17 12:07:40 | 000,028,384 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\sym_hi.sys -- (sym_hi)
DRV - [2001/08/17 12:07:36 | 000,032,640 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\symc8xx.sys -- (symc8xx)
DRV - [2001/08/17 12:07:34 | 000,016,256 | ---- | M] (Symbios Logic Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\symc810.sys -- (symc810)
DRV - [2001/08/17 11:52:22 | 000,036,736 | ---- | M] (Promise Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\ultra.sys -- (ultra)
DRV - [2001/08/17 11:52:20 | 000,045,312 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\ql12160.sys -- (ql12160)
DRV - [2001/08/17 11:52:20 | 000,040,320 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\ql1080.sys -- (ql1080)
DRV - [2001/08/17 11:52:18 | 000,049,024 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\ql1280.sys -- (ql1280)
DRV - [2001/08/17 11:52:16 | 000,179,584 | ---- | M] (Mylex Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\dac2w2k.sys -- (dac2w2k)
DRV - [2001/08/17 11:52:12 | 000,017,280 | ---- | M] (American Megatrends Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\mraid35x.sys -- (mraid35x)
DRV - [2001/08/17 11:52:00 | 000,026,496 | ---- | M] (Advanced System Products, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\asc.sys -- (asc)
DRV - [2001/08/17 11:51:58 | 000,014,848 | ---- | M] (Advanced System Products, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\asc3550.sys -- (asc3550)
DRV - [2001/08/17 11:51:56 | 000,005,248 | ---- | M] (Acer Laboratories Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\aliide.sys -- (AliIde)
DRV - [2001/08/17 11:51:54 | 000,006,656 | ---- | M] (CMD Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\cmdide.sys -- (CmdIde)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Page_URL = [You must be registered and logged in to see this link.]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Start Page = [You must be registered and logged in to see this link.]

IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" =
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:1043

========== FireFox ==========

FF - prefs.js..browser.search.defaultenginename: "Yahoo"
FF - prefs.js..browser.search.defaulturl: "http://search.yahoo.com/search?fr=ffsp1&p="
FF - prefs.js..browser.search.selectedengine: "Yahoo"
FF - prefs.js..extensions.enabledItems: [You must be registered and logged in to see this link.]:1.0.0.071101000055
FF - prefs.js..extensions.enabledItems: {008BB719-7E0F-4092-8F9C-FEE774B73494}:1.9.1
FF - prefs.js..network.proxy.http: "127.0.0.1"
FF - prefs.js..network.proxy.http_port: 1043

FF - HKLM\software\mozilla\Firefox\Extensions\\{008BB719-7E0F-4092-8F9C-FEE774B73494}: C:\Documents and Settings\Sarah\Local Settings\Application Data\{008BB719-7E0F-4092-8F9C-FEE774B73494} [2010/02/17 10:42:24 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Flock\Extensions\\Plugins: C:\Program Files\Flock\flock\plugins [2010/06/09 12:01:37 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Flock\Extensions\\Components: C:\Program Files\Flock\flock\components [2010/06/09 12:01:37 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.0.19\extensions\\Components: C:\Program Files\Mozilla Firefox 3 Beta 1\components [2010/06/09 12:01:36 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.0.19\extensions\\Plugins: C:\Program Files\Mozilla Firefox 3 Beta 1\plugins [2010/06/09 12:01:36 | 000,000,000 | ---D | M]

[2008/02/27 11:32:23 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Sarah\Application Data\Mozilla\Extensions
[2010/06/14 16:15:42 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Sarah\Application Data\Mozilla\Firefox\Profiles\pg3sb7lb.default\extensions
[2009/10/14 09:10:31 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\Sarah\Application Data\Mozilla\Firefox\Profiles\pg3sb7lb.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2009/02/14 14:56:57 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Sarah\Application Data\Mozilla\Firefox\Profiles\pg3sb7lb.default\extensions\moveplayer@movenetworks.com

O1 HOSTS File: ([2010/06/09 17:11:42 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll File not found
O2 - BHO: (DriveLetterAccess) - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\DLA\DLASHX_W.DLL (Sonic Solutions)
O2 - BHO: (Groove GFS Browser Helper) - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)
O2 - BHO: (SSVHelper Class) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll (Sun Microsystems, Inc.)
O3 - HKCU\..\Toolbar\ShellBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {FD2FD708-1F6F-4B68-B141-C5778F0C19BB} - No CLSID value found.
O4 - HKLM..\Run: [DLA] C:\WINDOWS\system32\DLA\DLACTRLW.EXE (Sonic Solutions)
O4 - HKLM..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe ()
O4 - HKLM..\Run: [Inokasazasaza] C:\WINDOWS\uhafinohazozahuy.DLL ()
O4 - HKLM..\Run: [ISUSPM Startup] C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe (InstallShield Software Corporation)
O4 - HKLM..\Run: [ISUSScheduler] C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe (InstallShield Software Corporation)
O4 - HKLM..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe (McAfee, Inc.)
O4 - HKLM..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe (Nero AG)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] C:\WINDOWS\System32\NvMcTray.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [nwiz] C:\WINDOWS\System32\nwiz.exe ()
O4 - HKLM..\Run: [SigmatelSysTrayApp] C:\WINDOWS\stsystra.exe (SigmaTel, Inc.)
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe (RealNetworks, Inc.)
O4 - HKLM..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe ()
O4 - HKLM..\Run: [Zune Launcher] C:\Program Files\Zune\ZuneLauncher.exe (Microsoft Corporation)
O4 - HKCU..\Run: [Aim6] C:\Program Files\AIM6\aim6.exe (AOL LLC)
O4 - HKCU..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe (Nero AG)
O4 - HKCU..\Run: [MyWGU Messenger] C:\Program Files\MyWGU Messenger\MyWGU-Messenger.exe File not found
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe (Adobe Systems Incorporated)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Last.fm Helper.lnk = C:\Program Files\Last.fm\LastFMHelper.exe (Last.fm)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\NETGEAR WG111v2 Smart Wizard.lnk = C:\Program Files\NETGEAR\WG111v2\WG111v2.exe ()
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office12\EXCEL.EXE (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll (Sun Microsystems, Inc.)
O9 - Extra Button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} [You must be registered and logged in to see this link.] (MUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} [You must be registered and logged in to see this link.] (Java Plug-in 1.6.0_03)
O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} [You must be registered and logged in to see this link.] (Java Plug-in 1.5.0_06)
O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} [You must be registered and logged in to see this link.] (Java Plug-in 1.6.0_03)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} [You must be registered and logged in to see this link.] (Shockwave Flash Object)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.254
O18 - Protocol\Handler\grooveLocalGWS {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll (Microsoft Corporation)
O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll File not found
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: GinaDLL - (RtlGina2.dll) - C:\WINDOWS\System32\RtlGina2.dll ()
O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\WINDOWS\System32\igfxdev.dll (Intel Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\Sarah\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Sarah\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O28 - HKLM ShellExecuteHooks: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2004/08/10 11:04:08 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2009/06/18 14:12:18 | 000,000,088 | R--- | M] () - F:\autorun.inf -- [ UDF ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O36 - AppCertDlls: autotson - (C:\WINDOWS\system32\rundinst.dll) - C:\WINDOWS\System32\rundinst.dll File not found
O36 - AppCertDlls: cida2bin - (C:\WINDOWS\system32\setvdown.dll) - C:\WINDOWS\System32\setvdown.dll File not found
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 90 Days ==========

[2010/06/16 07:15:48 | 000,572,416 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Sarah\Desktop\OTL.exe
[2010/06/14 22:16:21 | 000,000,000 | ---D | C] -- C:\Program Files\Sophos
[2010/06/09 17:11:14 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Sarah\Desktop\SmitfraudFix
[2010/06/09 17:06:10 | 000,289,144 | ---- | C] (S!Ri) -- C:\WINDOWS\System32\VCCLSID.exe
[2010/06/09 17:06:10 | 000,288,417 | ---- | C] (S!Ri) -- C:\WINDOWS\System32\SrchSTS.exe
[2010/06/09 17:06:10 | 000,135,168 | ---- | C] (SteelWerX) -- C:\WINDOWS\System32\swreg.exe
[2010/06/09 17:06:10 | 000,087,552 | ---- | C] (S!Ri.URZ) -- C:\WINDOWS\System32\VACFix.exe
[2010/06/09 17:06:10 | 000,082,944 | ---- | C] (S!Ri.URZ) -- C:\WINDOWS\System32\IEDFix.exe
[2010/06/09 17:06:10 | 000,082,944 | ---- | C] (S!Ri.URZ) -- C:\WINDOWS\System32\IEDFix.C.exe
[2010/06/09 17:06:10 | 000,082,432 | ---- | C] (S!Ri.URZ) -- C:\WINDOWS\System32\404Fix.exe
[2010/06/09 17:06:10 | 000,080,384 | ---- | C] (S!Ri.URZ) -- C:\WINDOWS\System32\o4Patch.exe
[2010/06/09 17:06:10 | 000,079,360 | ---- | C] (SteelWerX) -- C:\WINDOWS\System32\swxcacls.exe
[2010/06/09 17:06:10 | 000,078,336 | ---- | C] (S!Ri.URZ) -- C:\WINDOWS\System32\Agent.OMZ.Fix.exe
[2010/06/09 17:06:10 | 000,053,248 | ---- | C] (http://www.beyondlogic.org) -- C:\WINDOWS\System32\Process.exe
[2010/06/09 17:06:08 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Sarah\SmitfraudFix
[2010/06/09 14:26:32 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Adobe
[2010/06/09 07:17:52 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Sarah\Local Settings\Application Data\swegrfhoj
[2010/06/09 07:17:45 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Sarah\Local Settings\Application Data\fffgyrnv
[2010/06/03 06:28:35 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Sarah\Desktop\SASQUATCH! 2010
[2010/05/10 18:14:31 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Sarah\Application Data\Facebook
[2010/04/16 19:21:25 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Sarah\Desktop\Pomegranates - Persian Pop, Funk, Folk And Psych Of The 60s And 70s (2009)
[3 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files - Modified Within 90 Days ==========

[2010/06/16 09:38:34 | 000,741,376 | ---- | M] () -- C:\WINDOWS\System32\drivers\qlnnj.sys
[2010/06/16 09:38:33 | 000,574,464 | ---- | M] () -- C:\WINDOWS\System32\drivers\rqphmoqj.sys
[2010/06/16 07:15:58 | 000,572,416 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Sarah\Desktop\OTL.exe
[2010/06/16 06:44:31 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/06/16 06:44:26 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/06/16 06:44:23 | 1608,667,136 | -HS- | M] () -- C:\hiberfil.sys
[2010/06/16 06:43:30 | 005,767,168 | ---- | M] () -- C:\Documents and Settings\Sarah\NTUSER.DAT
[2010/06/16 06:30:57 | 000,000,000 | ---- | M] () -- C:\WINDOWS\Ajeziniyetasoyu.bin
[2010/06/16 00:14:32 | 004,842,030 | -H-- | M] () -- C:\Documents and Settings\Sarah\Local Settings\Application Data\IconCache.db
[2010/06/14 22:15:16 | 001,181,383 | ---- | M] () -- C:\Documents and Settings\Sarah\Desktop\sarsfx.exe
[2010/06/12 12:08:56 | 000,010,752 | ---- | M] () -- C:\Documents and Settings\Sarah\Application Data\dvd.bmk
[2010/06/11 18:30:00 | 000,000,350 | ---- | M] () -- C:\WINDOWS\tasks\McAfee.com Scan for Viruses - My Computer (KYLE-Kylie).job
[2010/06/10 12:09:58 | 000,062,976 | ---- | M] () -- C:\Documents and Settings\Sarah\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/06/10 12:09:58 | 000,000,069 | ---- | M] () -- C:\WINDOWS\NeroDigital.ini
[2010/06/10 12:04:01 | 000,298,848 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2010/06/10 03:12:37 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2010/06/10 03:06:52 | 000,494,820 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2010/06/10 03:06:52 | 000,437,042 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010/06/10 03:06:52 | 000,068,886 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2010/06/09 17:19:23 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\Sarah\ntuser.ini
[2010/06/09 17:11:47 | 000,003,164 | ---- | M] () -- C:\WINDOWS\System32\tmp.reg
[2010/06/09 17:05:46 | 001,872,472 | ---- | M] () -- C:\Documents and Settings\Sarah\Desktop\SmitfraudFix.exe
[2010/06/09 17:01:09 | 000,002,187 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Safari.lnk
[2010/06/09 11:37:14 | 000,001,698 | ---- | M] () -- C:\WINDOWS\Jjegutibo.dat
[2010/05/12 23:28:00 | 000,310,272 | ---- | M] () -- C:\Documents and Settings\Sarah\Desktop\Copy of Fillmore Schedule May 17th.xls
[2010/05/12 21:38:46 | 000,310,272 | ---- | M] () -- C:\Documents and Settings\Sarah\Desktop\Copy of Fillmore Schedule May 10th (2).xls
[2010/05/11 14:05:11 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/05/07 21:30:17 | 000,069,632 | ---- | M] () -- C:\Documents and Settings\Sarah\Desktop\Sasquatch schedule.xls
[2010/05/06 14:22:03 | 072,535,665 | ---- | M] () -- C:\Documents and Settings\Sarah\Desktop\The_National-High_Violet.zip
[2010/04/29 15:39:38 | 000,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/04/29 15:39:26 | 000,020,952 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/04/05 22:29:02 | 000,186,887 | ---- | M] () -- C:\Documents and Settings\Sarah\Desktop\donut.jpg
[2010/03/27 14:21:52 | 012,880,136 | ---- | M] () -- C:\Documents and Settings\Sarah\Desktop\Serena Maneesh-Ayisha Abyss.mp3
[3 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/06/14 22:14:59 | 001,181,383 | ---- | C] () -- C:\Documents and Settings\Sarah\Desktop\sarsfx.exe
[2010/06/09 17:20:40 | 1608,667,136 | -HS- | C] () -- C:\hiberfil.sys
[2010/06/09 17:06:34 | 000,003,164 | ---- | C] () -- C:\WINDOWS\System32\tmp.reg
[2010/06/09 17:06:10 | 000,075,776 | ---- | C] () -- C:\WINDOWS\System32\WS2Fix.exe
[2010/06/09 17:06:10 | 000,051,200 | ---- | C] () -- C:\WINDOWS\System32\dumphive.exe
[2010/06/09 17:06:10 | 000,040,960 | ---- | C] () -- C:\WINDOWS\System32\swsc.exe
[2010/06/09 17:04:32 | 001,872,472 | ---- | C] () -- C:\Documents and Settings\Sarah\Desktop\SmitfraudFix.exe
[2010/05/12 21:39:06 | 000,310,272 | ---- | C] () -- C:\Documents and Settings\Sarah\Desktop\Copy of Fillmore Schedule May 17th.xls
[2010/05/12 20:48:58 | 000,310,272 | ---- | C] () -- C:\Documents and Settings\Sarah\Desktop\Copy of Fillmore Schedule May 10th (2).xls
[2010/05/07 21:30:17 | 000,069,632 | ---- | C] () -- C:\Documents and Settings\Sarah\Desktop\Sasquatch schedule.xls
[2010/05/06 13:45:29 | 072,535,665 | ---- | C] () -- C:\Documents and Settings\Sarah\Desktop\The_National-High_Violet.zip
[2010/05/02 22:01:56 | 000,574,464 | ---- | C] () -- C:\WINDOWS\System32\drivers\rqphmoqj.sys
[2010/04/05 22:29:01 | 000,186,887 | ---- | C] () -- C:\Documents and Settings\Sarah\Desktop\donut.jpg
[2010/03/27 14:18:51 | 012,880,136 | ---- | C] () -- C:\Documents and Settings\Sarah\Desktop\Serena Maneesh-Ayisha Abyss.mp3
[2010/02/17 22:45:29 | 000,014,848 | ---- | C] () -- C:\WINDOWS\System32\EuEpmGdi.dll
[2010/02/17 22:45:29 | 000,013,192 | ---- | C] () -- C:\WINDOWS\System32\epmntdrv.sys
[2010/02/17 22:45:29 | 000,008,456 | ---- | C] () -- C:\WINDOWS\System32\EuGdiDrv.sys
[2010/02/17 10:39:01 | 000,741,376 | ---- | C] () -- C:\WINDOWS\System32\drivers\qlnnj.sys
[2010/01/05 13:47:26 | 000,000,024 | ---- | C] () -- C:\WINDOWS\cdplayer.ini
[2008/12/21 17:34:34 | 000,036,864 | ---- | C] () -- C:\WINDOWS\System32\RtlGina2.dll
[2008/12/21 17:34:33 | 000,966,765 | ---- | C] () -- C:\WINDOWS\System32\acAuth.dll
[2008/12/21 17:34:32 | 000,356,352 | ---- | C] () -- C:\WINDOWS\System32\SCMLib.dll
[2007/12/14 22:56:13 | 000,000,069 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2007/12/06 00:15:10 | 000,000,271 | ---- | C] () -- C:\WINDOWS\maketorrent.ini
[2007/11/21 18:20:43 | 000,000,002 | ---- | C] () -- C:\WINDOWS\msoffice.ini
[2007/02/25 23:53:43 | 000,000,029 | ---- | C] () -- C:\WINDOWS\atid.ini
[2007/01/30 14:47:39 | 000,000,088 | RHS- | C] () -- C:\WINDOWS\System32\991A48BF09.sys
[2007/01/30 14:47:38 | 000,003,350 | -HS- | C] () -- C:\WINDOWS\System32\KGyGaAvL.sys
[2006/09/23 12:04:29 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2006/09/23 12:00:41 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2006/09/23 11:56:03 | 000,000,126 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2006/09/23 11:23:26 | 000,000,392 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.INI
[2006/06/01 02:22:00 | 001,703,936 | ---- | C] () -- C:\WINDOWS\System32\nvwdmcpl.dll
[2006/06/01 02:22:00 | 001,478,656 | ---- | C] () -- C:\WINDOWS\System32\nview.dll
[2006/06/01 02:22:00 | 001,019,904 | ---- | C] () -- C:\WINDOWS\System32\nvwimg.dll
[2006/06/01 02:22:00 | 000,581,632 | ---- | C] () -- C:\WINDOWS\System32\nvhwvid.dll
[2006/06/01 02:22:00 | 000,466,944 | ---- | C] () -- C:\WINDOWS\System32\nvshell.dll
[2006/06/01 02:22:00 | 000,286,720 | ---- | C] () -- C:\WINDOWS\System32\nvnt4cpl.dll
[2006/05/02 15:38:24 | 000,000,748 | ---- | C] () -- C:\WINDOWS\SetBrowser.ini
[2006/04/22 16:00:10 | 000,053,299 | ---- | C] () -- C:\WINDOWS\System32\pthreadVC.dll
[2005/11/10 06:56:34 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\px.ini
[2004/08/10 11:12:05 | 000,000,780 | ---- | C] () -- C:\WINDOWS\orun32.ini
[2004/08/10 11:01:18 | 000,001,793 | ---- | C] () -- C:\WINDOWS\System32\fxsperf.ini
[2004/08/10 10:51:27 | 000,161,280 | ---- | C] () -- C:\WINDOWS\uhafinohazozahuy.dll

========== LOP Check ==========

[2008/11/01 18:22:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\acccore
[2009/01/13 02:39:49 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\avg9
[2007/11/25 12:09:27 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Last.fm
[2010/02/10 21:55:16 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2009/01/27 20:53:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Viewpoint
[2010/01/06 19:59:22 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
[2009/06/29 10:47:59 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
[2008/11/01 18:23:02 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Sarah\Application Data\acccore
[2010/05/10 18:14:32 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Sarah\Application Data\Facebook
[2007/12/05 16:15:14 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Sarah\Application Data\FinalBurner Video DVD
[2008/06/23 19:12:27 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Sarah\Application Data\Flock
[2007/11/22 11:51:08 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Sarah\Application Data\iSproggler
[2008/01/08 10:33:43 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Sarah\Application Data\Leadertech
[2010/02/18 23:51:33 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Sarah\Application Data\tidysongs15.27F6A35B76E5883BF9E6FEE514586561E60595CA.1
[2009/01/13 03:29:29 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Sarah\Application Data\Tific
[2010/06/15 22:08:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Sarah\Application Data\uTorrent
[2008/04/24 13:00:51 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Sarah\Application Data\Viewpoint

========== Purity Check ==========



========== Custom Scans ==========


< %SYSTEMDRIVE%\*.exe >

< %systemroot%\*. /mp /s >

< c:\$recycle.bin\*.* /s >

< HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs >
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install\\LastSuccessTime: 2010-06-11 10:01:34


< MD5 for: AGP440.SYS >
[2004/08/04 03:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\i386\sp2.cab:AGP440.sys
[2004/08/04 03:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:AGP440.sys
[2008/04/13 11:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\agp440.sys
[2004/08/03 21:07:42 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=2C428FA0C3E3A01ED93C9B2A27D8D4BB -- C:\i386\AGP440.SYS
[2004/08/03 21:07:42 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=2C428FA0C3E3A01ED93C9B2A27D8D4BB -- C:\WINDOWS\system32\drivers\AGP440.SYS

< MD5 for: ATAPI.SYS >
[2004/08/04 03:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\i386\sp2.cab:atapi.sys
[2004/08/04 03:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:atapi.sys
[2008/04/13 11:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\atapi.sys
[2004/08/03 20:59:44 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\i386\atapi.sys
[2004/08/03 20:59:44 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\system32\dllcache\atapi.sys
[2004/08/03 20:59:44 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\system32\drivers\atapi.sys
[2004/08/03 20:59:44 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\system32\ReinstallBackups\0004\DriverFiles\i386\atapi.sys
[2004/08/03 20:59:44 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\system32\ReinstallBackups\0011\DriverFiles\i386\atapi.sys

< MD5 for: AUTOCHK.EXE >
[2008/04/13 17:12:12 | 000,588,800 | ---- | M] (Microsoft Corporation) MD5=23043C91A0F9DFB4B9E9F87B680863B4 -- C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\autochk.exe
[2004/08/04 03:00:00 | 000,588,800 | ---- | M] (Microsoft Corporation) MD5=B3415B9D6026F65E43089ABED096C38C -- C:\i386\autochk.exe
[2004/08/04 03:00:00 | 000,588,800 | ---- | M] (Microsoft Corporation) MD5=B3415B9D6026F65E43089ABED096C38C -- C:\WINDOWS\system32\autochk.exe

< MD5 for: BEEP.SYS >
[2004/08/04 03:00:00 | 000,004,224 | ---- | M] (Microsoft Corporation) MD5=DA1F27D85E0D1525F6621372E7B685E9 -- C:\i386\beep.sys
[2004/08/04 03:00:00 | 000,004,224 | ---- | M] (Microsoft Corporation) MD5=DA1F27D85E0D1525F6621372E7B685E9 -- C:\WINDOWS\system32\drivers\beep.sys

< MD5 for: EVENTLOG.DLL >
[2008/04/13 17:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\eventlog.dll
[2004/08/04 03:00:00 | 000,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\i386\eventlog.dll
[2004/08/04 03:00:00 | 000,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\WINDOWS\system32\eventlog.dll

< MD5 for: EXPLORER.EXE >
[2008/04/13 17:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) MD5=12896823FB95BFB3DC9B46BCAEDC9923 -- C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\explorer.exe
[2007/06/13 04:26:03 | 001,033,216 | ---- | M] (Microsoft Corporation) MD5=7712DF0CDDE3A5AC89843E61CD5B3658 -- C:\WINDOWS\$hf_mig$\KB938828\SP2QFE\explorer.exe
[2007/06/13 03:23:07 | 001,033,216 | ---- | M] (Microsoft Corporation) MD5=97BD6515465659FF8F3B7BE375B2EA87 -- C:\WINDOWS\explorer.exe
[2007/06/13 03:23:07 | 001,033,216 | ---- | M] (Microsoft Corporation) MD5=97BD6515465659FF8F3B7BE375B2EA87 -- C:\WINDOWS\system32\dllcache\explorer.exe
[2004/08/04 03:00:00 | 001,032,192 | ---- | M] (Microsoft Corporation) MD5=A0732187050030AE399B241436565E64 -- C:\WINDOWS\$NtUninstallKB938828$\explorer.exe

< MD5 for: IMM32.DLL >
[2008/04/13 17:11:54 | 000,110,080 | ---- | M] (Microsoft Corporation) MD5=0DA85218E92526972A821587E6A8BF8F -- C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\imm32.dll
[2004/08/04 03:00:00 | 000,110,080 | ---- | M] (Microsoft Corporation) MD5=87CA7CE6469577F059297B9D6556D66D -- C:\i386\imm32.dll
[2004/08/04 03:00:00 | 000,110,080 | ---- | M] (Microsoft Corporation) MD5=87CA7CE6469577F059297B9D6556D66D -- C:\WINDOWS\system32\imm32.dll

< MD5 for: KERNEL32.DLL >
[2007/04/16 09:07:27 | 000,986,112 | ---- | M] (Microsoft Corporation) MD5=09F7CB3687F86EDAA4CA081F7AB66C03 -- C:\WINDOWS\$hf_mig$\KB935839\SP2QFE\kernel32.dll
[2006/07/05 03:57:10 | 000,985,088 | ---- | M] (Microsoft Corporation) MD5=0FDD84928A5DDE2510761B7EC76CCEC9 -- C:\WINDOWS\$hf_mig$\KB917422\SP2QFE\kernel32.dll
[2009/03/21 06:54:07 | 000,989,184 | ---- | M] (Microsoft Corporation) MD5=80202858D245FF07DAA1739C57A3E19B -- C:\WINDOWS\$hf_mig$\KB959426\SP2QFE\kernel32.dll
[2004/08/04 03:00:00 | 000,983,552 | ---- | M] (Microsoft Corporation) MD5=888190E31455FAD793312F8D087146EB -- C:\WINDOWS\$NtUninstallKB917422$\kernel32.dll
[2007/04/16 08:52:53 | 000,984,576 | ---- | M] (Microsoft Corporation) MD5=A01F9CA902A88F7CED06884174D6419D -- C:\WINDOWS\$NtUninstallKB959426$\kernel32.dll
[2009/03/21 07:18:57 | 000,986,112 | ---- | M] (Microsoft Corporation) MD5=B6ACAED7588295129791E0E6A2B0FADE -- C:\WINDOWS\system32\dllcache\kernel32.dll
[2009/03/21 07:18:57 | 000,986,112 | ---- | M] (Microsoft Corporation) MD5=B6ACAED7588295129791E0E6A2B0FADE -- C:\WINDOWS\system32\kernel32.dll
[2009/03/21 07:06:58 | 000,989,696 | ---- | M] (Microsoft Corporation) MD5=B921FB870C9AC0D509B2CCABBBBE95F3 -- C:\WINDOWS\$hf_mig$\KB959426\SP3GDR\kernel32.dll
[2008/04/13 17:11:56 | 000,989,696 | ---- | M] (Microsoft Corporation) MD5=C24B983D211C34DA8FCC1AC38477971D -- C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\kernel32.dll
[2006/07/05 03:55:01 | 000,984,064 | ---- | M] (Microsoft Corporation) MD5=D8DB5397DE07577C1CB50BA6D23B3AD4 -- C:\i386\kernel32.dll
[2006/07/05 03:55:01 | 000,984,064 | ---- | M] (Microsoft Corporation) MD5=D8DB5397DE07577C1CB50BA6D23B3AD4 -- C:\WINDOWS\$NtUninstallKB935839$\kernel32.dll
[2009/03/21 06:59:23 | 000,991,744 | ---- | M] (Microsoft Corporation) MD5=DA11D9D6ECBDF0F93436A4B7C13F7BEC -- C:\WINDOWS\$hf_mig$\KB959426\SP3QFE\kernel32.dll

< MD5 for: MSWSOCK.DLL >
[2008/06/20 10:41:10 | 000,245,248 | ---- | M] (Microsoft Corporation) MD5=097722F235A1FB698BF9234E01B52637 -- C:\WINDOWS\system32\dllcache\mswsock.dll
[2008/06/20 10:41:10 | 000,245,248 | ---- | M] (Microsoft Corporation) MD5=097722F235A1FB698BF9234E01B52637 -- C:\WINDOWS\system32\mswsock.dll
[2008/06/20 10:36:11 | 000,245,248 | ---- | M] (Microsoft Corporation) MD5=1DFCA7713EA5A70D5D93B436AEA0317A -- C:\WINDOWS\$hf_mig$\KB951748\SP2QFE\mswsock.dll
[2004/08/04 03:00:00 | 000,245,248 | ---- | M] (Microsoft Corporation) MD5=4E74AF063C3271FBEA20DD940CFD1184 -- C:\i386\mswsock.dll
[2004/08/04 03:00:00 | 000,245,248 | ---- | M] (Microsoft Corporation) MD5=4E74AF063C3271FBEA20DD940CFD1184 -- C:\WINDOWS\$NtUninstallKB951748$\mswsock.dll
[2008/06/20 10:46:57 | 000,245,248 | ---- | M] (Microsoft Corporation) MD5=832E4DD8964AB7ACC880B2837CB1ED20 -- C:\WINDOWS\$hf_mig$\KB951748\SP3GDR\mswsock.dll
[2008/04/13 17:12:01 | 000,245,248 | ---- | M] (Microsoft Corporation) MD5=B4138E99236F0F57D4CF49BAE98A0746 -- C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\mswsock.dll
[2008/06/20 10:43:05 | 000,245,248 | ---- | M] (Microsoft Corporation) MD5=FCEE5FCB99F7C724593365C706D28388 -- C:\WINDOWS\$hf_mig$\KB951748\SP3QFE\mswsock.dll

< MD5 for: NDIS.SYS >
[2008/04/13 12:20:37 | 000,182,656 | ---- | M] (Microsoft Corporation) MD5=1DF7F42665C94B825322FAE71721130D -- C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\ndis.sys
[2004/08/04 03:00:00 | 000,182,912 | ---- | M] (Microsoft Corporation) MD5=558635D3AF1C7546D26067D5D9B6959E -- C:\i386\ndis.sys
[2004/08/04 03:00:00 | 000,182,912 | ---- | M] (Microsoft Corporation) MD5=558635D3AF1C7546D26067D5D9B6959E -- C:\WINDOWS\system32\drivers\ndis.sys

< MD5 for: NETLOGON.DLL >
[2008/04/13 17:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\netlogon.dll
[2009/02/06 11:46:09 | 000,408,064 | ---- | M] (Microsoft Corporation) MD5=6C476D33D82F1054849790181E8F7772 -- C:\WINDOWS\$NtUninstallKB975467$\netlogon.dll
[2009/02/06 11:46:09 | 000,408,064 | ---- | M] (Microsoft Corporation) MD5=6C476D33D82F1054849790181E8F7772 -- C:\WINDOWS\system32\dllcache\netlogon.dll
[2009/02/06 11:46:09 | 000,408,064 | ---- | M] (Microsoft Corporation) MD5=6C476D33D82F1054849790181E8F7772 -- C:\WINDOWS\system32\netlogon.dll
[2004/08/04 03:00:00 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\i386\netlogon.dll
[2004/08/04 03:00:00 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\WINDOWS\$NtUninstallKB968389$\netlogon.dll

< MD5 for: NTFS.SYS >
[2007/02/09 04:23:36 | 000,574,976 | ---- | M] (Microsoft Corporation) MD5=05AB81909514BFD69CBB1F2C147CF6B9 -- C:\WINDOWS\$hf_mig$\KB930916\SP2QFE\ntfs.sys
[2007/02/09 04:10:35 | 000,574,464 | ---- | M] (Microsoft Corporation) MD5=19A811EF5F1ED5C926A028CE107FF1AF -- C:\WINDOWS\system32\dllcache\ntfs.sys
[2007/02/09 04:10:35 | 000,574,464 | ---- | M] (Microsoft Corporation) MD5=19A811EF5F1ED5C926A028CE107FF1AF -- C:\WINDOWS\system32\drivers\ntfs.sys
[2008/04/13 12:15:53 | 000,574,976 | ---- | M] (Microsoft Corporation) MD5=78A08DD6A8D65E697C18E1DB01C5CDCA -- C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\ntfs.sys
[2004/08/04 03:00:00 | 000,574,592 | ---- | M] (Microsoft Corporation) MD5=B78BE402C3F63DD55521F73876951CDD -- C:\i386\ntfs.sys
[2004/08/04 03:00:00 | 000,574,592 | ---- | M] (Microsoft Corporation) MD5=B78BE402C3F63DD55521F73876951CDD -- C:\WINDOWS\$NtUninstallKB930916$\ntfs.sys

< MD5 for: NTMSSVC.DLL >
[2008/04/13 17:12:02 | 000,435,200 | ---- | M] (Microsoft Corporation) MD5=156F64A3345BD23C600655FB4D10BC08 -- C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\ntmssvc.dll
[2004/08/04 03:00:00 | 000,435,200 | ---- | M] (Microsoft Corporation) MD5=B62F29C00AC55A761B2E45877D85EA0F -- C:\i386\ntmssvc.dll
[2004/08/04 03:00:00 | 000,435,200 | ---- | M] (Microsoft Corporation) MD5=B62F29C00AC55A761B2E45877D85EA0F -- C:\WINDOWS\system32\ntmssvc.dll

< MD5 for: PROQUOTA.EXE >
[2004/08/04 03:00:00 | 000,050,176 | ---- | M] (Microsoft Corporation) MD5=4D9D45A4370E0C2AD00C362B7118E2A4 -- C:\i386\proquota.exe
[2004/08/04 03:00:00 | 000,050,176 | ---- | M] (Microsoft Corporation) MD5=4D9D45A4370E0C2AD00C362B7118E2A4 -- C:\WINDOWS\system32\proquota.exe
[2008/04/13 17:12:32 | 000,050,176 | ---- | M] (Microsoft Corporation) MD5=F6465A2EEF75468988A4FCF124148FA8 -- C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\proquota.exe

< MD5 for: QMGR.DLL >
[2004/08/04 03:00:00 | 000,382,464 | ---- | M] (Microsoft Corporation) MD5=2C69EC7E5A311334D10DD95F338FCCEA -- C:\i386\qmgr.dll
[2004/08/04 03:00:00 | 000,382,464 | ---- | M] (Microsoft Corporation) MD5=2C69EC7E5A311334D10DD95F338FCCEA -- C:\WINDOWS\system32\qmgr.dll
[2008/04/13 17:12:03 | 000,409,088 | ---- | M] (Microsoft Corporation) MD5=574738F61FCA2935F5265DC4E5691314 -- C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\qmgr.dll

< MD5 for: SCECLI.DLL >
[2004/08/04 03:00:00 | 000,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- C:\i386\scecli.dll
[2004/08/04 03:00:00 | 000,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- C:\WINDOWS\system32\scecli.dll
[2008/04/13 17:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\scecli.dll

< MD5 for: SFCFILES.DLL >
[2004/08/04 03:00:00 | 001,580,544 | ---- | M] (Microsoft Corporation) MD5=30A609E00BD1D4FFC49D6B5A432BE7F2 -- C:\i386\sfcfiles.dll
[2004/08/04 03:00:00 | 001,580,544 | ---- | M] (Microsoft Corporation) MD5=30A609E00BD1D4FFC49D6B5A432BE7F2 -- C:\WINDOWS\system32\sfcfiles.dll
[2008/04/13 17:12:05 | 001,614,848 | ---- | M] (Microsoft Corporation) MD5=9DD07AF82244867CA36681EA2D29CE79 -- C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\sfcfiles.dll

< MD5 for: SPOOLSV.EXE >
[2005/06/10 17:17:13 | 000,057,856 | ---- | M] (Microsoft Corporation) MD5=AD3D9D191AEA7B5445FE1D82FFBB4788 -- C:\WINDOWS\$hf_mig$\KB896423\SP2QFE\spoolsv.exe
[2008/04/13 17:12:36 | 000,057,856 | ---- | M] (Microsoft Corporation) MD5=D8E14A61ACC1D4A6CD0D38AEBAC7FA3B -- C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\spoolsv.exe
[2005/06/10 16:53:32 | 000,057,856 | ---- | M] (Microsoft Corporation) MD5=DA81EC57ACD4CDC3D4C51CF3D409AF9F -- C:\i386\spoolsv.exe
[2005/06/10 16:53:32 | 000,057,856 | ---- | M] (Microsoft Corporation) MD5=DA81EC57ACD4CDC3D4C51CF3D409AF9F -- C:\WINDOWS\system32\spoolsv.exe

< MD5 for: SRSVC.DLL >
[2008/04/13 17:12:07 | 000,171,008 | ---- | M] (Microsoft Corporation) MD5=3805DF0AC4296A34BA4BF93B346CC378 -- C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\srsvc.dll
[2004/08/04 03:00:00 | 000,170,496 | ---- | M] (Microsoft Corporation) MD5=92BDF74F12D6CBEC43C94D4B7F804838 -- C:\i386\srsvc.dll
[2004/08/04 03:00:00 | 000,170,496 | ---- | M] (Microsoft Corporation) MD5=92BDF74F12D6CBEC43C94D4B7F804838 -- C:\WINDOWS\system32\srsvc.dll

< MD5 for: SVCHOST.EXE >
[2008/04/13 17:12:36 | 000,014,336 | ---- | M] (Microsoft Corporation) MD5=27C6D03BCDB8CFEB96B716F3D8BE3E18 -- C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\svchost.exe
[2004/08/04 03:00:00 | 000,014,336 | ---- | M] (Microsoft Corporation) MD5=8F078AE4ED187AAABC0A305146DE6716 -- C:\i386\svchost.exe
[2004/08/04 03:00:00 | 000,014,336 | ---- | M] (Microsoft Corporation) MD5=8F078AE4ED187AAABC0A305146DE6716 -- C:\WINDOWS\system32\svchost.exe

< MD5 for: TERMSRV.DLL >
[2004/08/04 03:00:00 | 000,295,424 | ---- | M] (Microsoft Corporation) MD5=B60C877D16D9C880B952FDA04ADF16E6 -- C:\i386\termsrv.dll
[2004/08/04 03:00:00 | 000,295,424 | ---- | M] (Microsoft Corporation) MD5=B60C877D16D9C880B952FDA04ADF16E6 -- C:\WINDOWS\system32\termsrv.dll
[2008/04/13 17:12:07 | 000,295,424 | ---- | M] (Microsoft Corporation) MD5=FF3477C03BE7201C294C35F684B3479F -- C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\termsrv.dll

< MD5 for: USERINIT.EXE >
[2004/08/04 03:00:00 | 000,024,576 | ---- | M] (Microsoft Corporation) MD5=39B1FFB03C2296323832ACBAE50D2AFF -- C:\i386\userinit.exe
[2004/08/04 03:00:00 | 000,024,576 | ---- | M] (Microsoft Corporation) MD5=39B1FFB03C2296323832ACBAE50D2AFF -- C:\WINDOWS\system32\userinit.exe
[2008/04/13 17:12:38 | 000,026,112 | ---- | M] (Microsoft Corporation) MD5=A93AEE1928A9D7CE3E16D24EC7380F89 -- C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\userinit.exe

< MD5 for: WS2_32.DLL >
[2008/04/13 17:12:10 | 000,082,432 | ---- | M] (Microsoft Corporation) MD5=2CCC474EB85CEAA3E1FA1726580A3E5A -- C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\ws2_32.dll
[2004/08/04 03:00:00 | 000,082,944 | ---- | M] (Microsoft Corporation) MD5=2ED0B7F12A60F90092081C50FA0EC2B2 -- C:\i386\ws2_32.dll
[2004/08/04 03:00:00 | 000,082,944 | ---- | M] (Microsoft Corporation) MD5=2ED0B7F12A60F90092081C50FA0EC2B2 -- C:\WINDOWS\system32\ws2_32.dll

< MD5 for: XMLPROV.DLL >
[2008/04/13 17:12:11 | 000,129,024 | ---- | M] (Microsoft Corporation) MD5=295D21F14C335B53CB8154E5B1F892B9 -- C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\xmlprov.dll
[2004/08/04 03:00:00 | 000,129,536 | ---- | M] (Microsoft Corporation) MD5=EEF46DAB68229A14DA3D8E73C99E2959 -- C:\i386\xmlprov.dll
[2004/08/04 03:00:00 | 000,129,536 | ---- | M] (Microsoft Corporation) MD5=EEF46DAB68229A14DA3D8E73C99E2959 -- C:\WINDOWS\system32\xmlprov.dll

< %systemroot%\system32\*.dll /lockedfiles >
[3 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp -> ]

< %systemroot%\Tasks\*.job /lockedfiles >

========== Alternate Data Streams ==========

@Alternate Data Stream - 115 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:A8ADE5D8
@Alternate Data Stream - 103 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2
< End of report >

ckelliher

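The "< MD5 for: ... >" blocks in the log above are OTL's file-integrity check: for each critical binary it hashes every copy it can find, so the live copy in system32 (or system32\drivers) can be compared against the Windows File Protection copy in dllcache and the install source in i386. In this log every live copy matches one of those protected copies; the differing hashes all sit under SoftwareDistribution\Download (an SP3-era update staged but not installed) or in $NtUninstall/$hf_mig$ hotfix backups, which is expected. Reading a couple of dozen of these blocks by eye is error-prone, so below is a small parser, added for this thread and not part of OTL, that walks the sections and reports any live copy whose hash matches no reference copy. The ATAPI.SYS sample is copied from the log; the EXAMPLE.SYS block and its hashes are constructed purely to show what a mismatch looks like.

```python
"""Audit the '< MD5 for: NAME >' sections of an OTL log.

A live copy whose MD5 matches none of the protected reference copies (dllcache,
i386) is worth a second look; a staged update with a different hash is normal.
Added example for this thread; not OTL's own code.
"""
import re
from dataclasses import dataclass

HEADER_RE = re.compile(r"^< MD5 for: (?P<name>[^>]+) >$")
ENTRY_RE = re.compile(
    r"^\[(?P<date>[^|]+)\|\s*(?P<size>[\d,]+)\s*\|[^\]]*\]\s*"
    r"\((?P<company>[^)]*)\)\s*MD5=(?P<md5>[0-9A-Fa-f]{32})\s*--\s*(?P<path>.+)$"
)

# Constructed sample in OTL's format. ATAPI.SYS is copied from the log above;
# EXAMPLE.SYS is hypothetical, its hashes invented, to exercise the mismatch path.
SAMPLE_LOG = r"""
< MD5 for: ATAPI.SYS >
[2004/08/04 03:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\i386\sp2.cab:atapi.sys
[2008/04/13 11:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\atapi.sys
[2004/08/03 20:59:44 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\i386\atapi.sys
[2004/08/03 20:59:44 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\system32\dllcache\atapi.sys
[2004/08/03 20:59:44 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\system32\drivers\atapi.sys

< MD5 for: EXAMPLE.SYS >
[2004/08/04 03:00:00 | 000,010,000 | ---- | M] (Microsoft Corporation) MD5=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA -- C:\i386\example.sys
[2004/08/04 03:00:00 | 000,010,000 | ---- | M] (Microsoft Corporation) MD5=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA -- C:\WINDOWS\system32\dllcache\example.sys
[2004/08/04 03:00:00 | 000,010,000 | ---- | M] (Microsoft Corporation) MD5=BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB -- C:\WINDOWS\system32\drivers\example.sys
"""


@dataclass
class Entry:
    path: str
    md5: str
    size: int
    kind: str  # "reference" | "staged" | "backup" | "live"


def classify(path: str) -> str:
    """Decide which role a listed copy plays, from its location alone."""
    p = path.lower()
    if "\\softwaredistribution\\download\\" in p:
        return "staged"      # update downloaded but not installed; new hash expected
    if "$ntuninstall" in p or "$hf_mig$" in p or "\\reinstallbackups\\" in p:
        return "backup"      # copies kept by the hotfix installer
    if "\\dllcache\\" in p or "\\i386\\" in p:
        return "reference"   # Windows File Protection cache / install source
    return "live"            # the copy that actually loads


def parse_md5_sections(log_text: str) -> dict[str, list[Entry]]:
    """Map each '< MD5 for: NAME >' header to the hashed entries under it."""
    sections: dict[str, list[Entry]] = {}
    current = None
    for line in log_text.splitlines():
        line = line.strip()
        h = HEADER_RE.match(line)
        if h:
            current = h.group("name").strip()
            sections.setdefault(current, [])
            continue
        m = ENTRY_RE.match(line)          # .cab lines carry no MD5 and are skipped
        if m and current:
            sections[current].append(Entry(
                path=m.group("path").strip(),
                md5=m.group("md5").upper(),
                size=int(m.group("size").replace(",", "")),
                kind=classify(m.group("path")),
            ))
    return sections


def audit_md5_sections(log_text: str) -> dict[str, list[tuple[str, str]]]:
    """Return {name: [(live path, 'match' | 'MISMATCH' | 'no reference'), ...]}."""
    report = {}
    for name, entries in parse_md5_sections(log_text).items():
        ref_hashes = {e.md5 for e in entries if e.kind == "reference"}
        findings = []
        for e in entries:
            if e.kind != "live":
                continue
            if not ref_hashes:
                status = "no reference"
            elif e.md5 in ref_hashes:
                status = "match"
            else:
                status = "MISMATCH"
            findings.append((e.path, status))
        report[name] = findings
    return report


def flagged(report: dict[str, list[tuple[str, str]]]) -> list[str]:
    """Names whose live copy matches no protected reference copy."""
    return sorted(n for n, f in report.items() if any(s == "MISMATCH" for _, s in f))


if __name__ == "__main__":
    rep = audit_md5_sections(SAMPLE_LOG)
    for name, findings in rep.items():
        for path, status in findings:
            print(f"{status:13} {name:14} {path}")
    print("flagged:", flagged(rep))
```

Run it against a full OTL.txt instead of SAMPLE_LOG to get the same verdict for every section at once. Two caveats apply to the check itself: a "MISMATCH" is a lead, not a verdict, because an official update can legitimately replace the live file before dllcache catches up (check the size and timestamp columns, or verify the Authenticode signature with a tool such as Sysinternals sigcheck), and a "match" is only as trustworthy as the file reads behind it, since a kernel-mode rootkit that filters reads of the file it has patched will hand the same clean bytes to OTL, dllcache and this script alike. That is why the forum's instructions pair the hash check with dedicated rootkit scanners rather than relying on it alone.
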
Re: RookitAgentNotRemovedOnRestart

Post by ckelliher on 16th June 2010, 8:56 pm

OTL Extras logfile created on: 6/16/2010 9:38:10 AM - Run 1
OTL by OldTimer - Version 3.2.6.0 Folder = C:\Documents and Settings\Sarah\Desktop
Windows XP Home Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.2180)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 68.00% Memory free
3.00 Gb Paging File | 3.00 Gb Available in Paging File | 90.00% Paging File free
Paging file location(s): C:\pagefile.sys 1524 3048 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 71.15 Gb Total Space | 10.65 Gb Free Space | 14.97% Space Free | Partition Type: NTFS
Drive D: | 7.77 Gb Total Space | 0.00 Gb Free Space | 0.00% Space Free | Partition Type: UDF
E: Drive not present or media not loaded
Drive F: | 614.91 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: UDF
Drive G: | 465.11 Gb Total Space | 348.03 Gb Free Space | 74.83% Space Free | Partition Type: NTFS
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: ALBIONDESKTOP
Current User Name: Sarah
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 90 Days
Output = Standard
Quick Scan

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\]

[HKEY_CURRENT_USER\SOFTWARE\Classes\]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox 3 Beta 1\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- "C:\Program Files\Microsoft Office\Office12\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [print] -- "C:\Program Files\Microsoft Office\Office12\msohtmed.exe" /p %1 (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [OneNote.Open] -- C:\PROGRA~1\MI1933~1\Office12\ONENOTE.EXE "%L" (Microsoft Corporation)
Directory [Winamp.Bookmark] -- "C:\Program Files\Winamp\winamp.exe" /BOOKMARK "%1" (Nullsoft)
Directory [Winamp.Enqueue] -- "C:\Program Files\Winamp\winamp.exe" /ADD "%1" (Nullsoft)
Directory [Winamp.Play] -- "C:\Program Files\Winamp\winamp.exe" "%1" (Nullsoft)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0x00000000
"FirewallDisableNotify" = 0x00000000
"UpdatesDisableNotify" = 0x00000000
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0
"DoNotAllowExceptions" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe" = C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe:*:Enabled:AOL -- File not found
"C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" = C:\Program Files\Common Files\AOL\ACS\AOLDial.exe:*:Enabled:AOL -- File not found
"C:\Program Files\America Online 9.0\waol.exe" = C:\Program Files\America Online 9.0\waol.exe:*:Enabled:AOL -- File not found

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" = C:\Program Files\Common Files\AOL\ACS\AOLDial.exe:*:Enabled:AOL -- File not found
"C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe" = C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe:*:Enabled:AOL -- File not found
"C:\Program Files\America Online 9.0\waol.exe" = C:\Program Files\America Online 9.0\waol.exe:*:Enabled:AOL -- File not found
"C:\Program Files\AIM\aim.exe" = C:\Program Files\AIM\aim.exe:*:Enabled:AOL Instant Messenger -- File not found
"C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe" = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe:*:Enabled:EasyShare -- File not found
"C:\Program Files\Common Files\AOL\Loader\aolload.exe" = C:\Program Files\Common Files\AOL\Loader\aolload.exe:*:Enabled:AOL Loader -- (AOL LLC)
"C:\Program Files\uTorrent\uTorrent.exe" = C:\Program Files\uTorrent\uTorrent.exe:*:Enabled:µTorrent -- (BitTorrent, Inc.)
"C:\Program Files\Last.fm\LastFM.exe" = C:\Program Files\Last.fm\LastFM.exe:*:Enabled:Last.fm -- (Last.fm)
"C:\Program Files\Soulseek-Test\slsk.exe" = C:\Program Files\Soulseek-Test\slsk.exe:*:Enabled:SoulSeek -- File not found
"C:\Program Files\Soulseek\slsk.exe" = C:\Program Files\Soulseek\slsk.exe:*:Enabled:SoulSeek -- File not found
"C:\Program Files\SopCast\adv\SopAdver.exe" = C:\Program Files\SopCast\adv\SopAdver.exe:*:Enabled:SopCast Adver -- File not found
"C:\Program Files\SopCast\SopCast.exe" = C:\Program Files\SopCast\SopCast.exe:*:Enabled:SopCast Main Application -- File not found
"C:\Program Files\TVAnts\Tvants.exe" = C:\Program Files\TVAnts\Tvants.exe:*:Enabled:TVAnts -- File not found
"C:\Program Files\SmartFTP Client\SmartFTP.exe" = C:\Program Files\SmartFTP Client\SmartFTP.exe:*:Enabled:SmartFTP Client 3.0 -- (SmartSoft Ltd.)
"C:\Program Files\AIM6\aim6.exe" = C:\Program Files\AIM6\aim6.exe:*:Enabled:AIM -- (AOL LLC)
"C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE" = C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook -- (Microsoft Corporation)
"C:\Program Files\Microsoft Office\Office12\GROOVE.EXE" = C:\Program Files\Microsoft Office\Office12\GROOVE.EXE:*:Enabled:Microsoft Office Groove -- (Microsoft Corporation)
"C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE" = C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:*:Enabled:Microsoft Office OneNote -- (Microsoft Corporation)
"C:\Program Files\iTunes\iTunes.exe" = C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes -- (Apple Inc.)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{0076E1AC-9E7B-4B9F-A62A-4CC9511AD8E3}" = Zune Language Pack (FR)
"{01C76294-8CF2-4A76-AD7B-9958F8FF44E2}" = OpenOffice.org 2.3
"{075473F5-846A-448B-BCB3-104AA1760205}" = Roxio RecordNow Data
"{0EB5D9B7-8E6C-4A9E-B74F-16B7EE89A67B}" = Microsoft Plus! Photo Story 2 LE
"{1206EF92-2E83-4859-ACCB-2048C3CB7DA6}" = Roxio DLA
"{1451DE6B-ABE1-4F62-BE9A-B363A17588A2}" = QuickTime
"{21657574-BD54-48A2-9450-EB03B2C7FC29}" = Roxio MyDVD LE
"{3248F0A8-6813-11D6-A77B-00B0D0150060}" = J2SE Runtime Environment 5.0 Update 6
"{3248F0A8-6813-11D6-A77B-00B0D0160030}" = Java(TM) 6 Update 3
"{33BB4982-DC52-4886-A03B-F4C5C80BEE89}" = Windows Media Player 10
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{3846E811-639D-4DE1-844B-30491C0A6C0C}" = Dell Support 3.2
"{3921A67A-5AB1-4E48-9444-C71814CF3027}" = VCRedistSetup
"{3FA365DF-2D68-45ED-8F83-8C8A33E65143}" = Apple Application Support
"{4102037D-E8E0-48E0-B203-E521D194FB71}" = NETGEAR WG111v2 wireless USB 2.0 adapter
"{43CAC9A1-1993-4F65-9096-7C9AFC2BBF54}" = Dell CinePlayer
"{56C049BE-79E9-4502-BEA7-9754A3E60F9B}" = neroxml
"{5905F42D-3F5F-4916-ADA6-94A3646AEE76}" = Dell Driver Reset Tool
"{5B6BE547-21E2-49CA-B2E2-6A5F470593B1}" = Sonic Activation Module
"{62BD0AE0-4EB1-4BBB-8F43-B6400C8FEB2C}" = AOLIcon
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{6E45BA47-383C-4C1E-8ED0-0D4845C293D7}" = Microsoft Plus! Digital Media Edition Installer
"{6F23C1A3-9F62-470C-BD12-B83F04E67865}" = SmartFTP Client
"{74F7662C-B1DB-489E-A8AC-07A06B24978B}" = Dell System Restore
"{7583239A-D4BE-48CA-A253-396122B3D3E9}" = Zune
"{81063354-9060-42B2-A000-1EBE96778AA9}" = iTunes
"{83F793B5-8BBF-42FD-A8A6-868CB3E2AAEA}" = Intel(R) PROSet for Wired Connections
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8A708DD8-A5E6-11D4-A706-000629E95E20}" = Intel(R) Graphics Media Accelerator Driver
"{90120000-0010-0409-0000-0000000FF1CE}" = Microsoft Software Update for Web Folders (English) 12
"{90120000-0015-0409-0000-0000000FF1CE}" = Microsoft Office Access MUI (English) 2007
"{90120000-0015-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
"{90120000-0016-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
"{90120000-0018-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0019-0409-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (English) 2007
"{90120000-0019-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2007
"{90120000-001A-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}_ENTERPRISE_{ABDDE972-355B-4AF1-89A8-DA50B7B5C045}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-040C-0000-0000000FF1CE}_ENTERPRISE_{F580DDD5-8D37-4998-968E-EBB76BB86787}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}_ENTERPRISE_{187308AB-5FA7-4F14-9AB9-D290383A10D9}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-0030-0000-0000-0000000FF1CE}" = Microsoft Office Enterprise 2007
"{90120000-0030-0000-0000-0000000FF1CE}_ENTERPRISE_{0B36C6D6-F5D8-4EAF-BF94-4376A230AD5B}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0030-0000-0000-0000000FF1CE}_ENTERPRISE_{3D019598-7B59-447A-80AE-815B703B84FF}" = Security Update for Microsoft Office system 2007 (972581)
"{90120000-0044-0409-0000-0000000FF1CE}" = Microsoft Office InfoPath MUI (English) 2007
"{90120000-0044-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}_ENTERPRISE_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-00A1-0409-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (English) 2007
"{90120000-00A1-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-00BA-0409-0000-0000000FF1CE}" = Microsoft Office Groove MUI (English) 2007
"{90120000-00BA-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0114-0409-0000-0000000FF1CE}" = Microsoft Office Groove Setup Metadata MUI (English) 2007
"{90120000-0114-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}_ENTERPRISE_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0117-0409-0000-0000000FF1CE}" = Microsoft Office Access Setup Metadata MUI (English) 2007
"{90120000-0117-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{9BF1DD9D-DB81-46BD-9807-E3D1E5CC1033}" = Nero 8 Demo
"{A2BCA9F1-566C-4805-97D1-7FDC93386723}" = Adobe AIR
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{AADEA55D-C834-4BCB-98A3-4B8D1C18F4EE}" = Apple Mobile Device Support
"{AB708C9B-97C8-4AC9-899B-DBF226AC9382}" = Roxio RecordNow Audio
"{AC76BA86-7AD7-1033-7B44-A70800000002}" = Adobe Reader 7.0.8
"{B12665F4-4E93-4AB4-B7FC-37053B524629}" = Roxio RecordNow Copy
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D2988E9B-C73F-422C-AD4B-A66EBE257120}" = MCU
"{D642E38E-0D24-486C-9A2D-E316DD696F4B}" = Microsoft XML Parser
"{D6E4E5D6-7693-4BB4-95BA-21F38FAFEE90}" = Safari
"{EE4ACABF-531E-419A-9225-B8E0FA4955AF}" = Zune Language Pack (ES)
"{FF16DD21-E754-4A43-B3EC-CB6D93A6813D}" = iSproggler
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"AIM MusicLink 4.0.0.0" = AIM MusicLink 4.0.0.0
"AIM_6" = AIM 6
"ComcastHSI" = Comcast High-Speed Internet Install Wizard
"Dell Digital Jukebox Driver" = Dell Digital Jukebox Driver
"DVD Decrypter" = DVD Decrypter (Remove Only)
"DVD Shrink_is1" = DVD Shrink 3.2
"EASEUS Partition Master Home Edition_is1" = EASEUS Partition Master 5.0.1 Home Edition
"ENTERPRISE" = Microsoft Office Enterprise 2007
"Flock" = Flock 1.0
"HP Deskjet 3740 Series_Driver" = HP Deskjet 3740 Series
"iPod To Computer Transfer_is1" = iPod To Computer Transfer 3.5
"LastFM_is1" = Last.fm 1.3.2.13
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Mozilla Firefox (3.0.19)" = Mozilla Firefox (3.0.19)
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"netrcacm Uninstall" = RCA USB Cable Modem
"NVIDIA Drivers" = NVIDIA Drivers
"PhotoScape" = PhotoScape
"PROSet" = Intel(R) PRO Network Connections Drivers
"RealPlayer 6.0" = RealPlayer
"SmartFTP Client 2.5 Setup Files" = SmartFTP Client 2.5 Setup Files (remove only)
"SmartFTP Client 3.0 Setup Files" = SmartFTP Client 3.0 Setup Files (remove only)
"Sophos-AntiRootkit" = Sophos Anti-Rootkit 1.3.1
"ViewpointMediaPlayer" = Viewpoint Media Player
"VLC media player" = VideoLAN VLC media player 0.8.6c
"Wdf01005" = Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
"WIC" = Windows Imaging Component
"Winamp" = Winamp
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"WinRAR archiver" = WinRAR archiver
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0
"Yahoo! Mail" = AT&T Yahoo! Internet Mail

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Facebook Plug-In" = Facebook Plug-In
"uTorrent" = µTorrent

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 9/5/2008 1:26:26 PM | Computer Name = ALBIONDESKTOP | Source = Application Error | ID = 1000
Description = Faulting application explorer.exe, version 6.0.2900.3156, faulting
module medialibrarynse.dll, version 3.1.3.0, fault address 0x00003484.

Error - 9/5/2008 1:26:39 PM | Computer Name = ALBIONDESKTOP | Source = Application Error | ID = 1001
Description = Fault bucket 562860059.

Error - 9/10/2008 1:45:41 AM | Computer Name = ALBIONDESKTOP | Source = Application Error | ID = 1000
Description = Faulting application firefox.exe, version 1.9.0.3105, faulting module
quicktime.qts, version 7.4.0.91, fault address 0x001514d4.

Error - 9/24/2008 6:46:15 PM | Computer Name = ALBIONDESKTOP | Source = Application Error | ID = 1000
Description = Faulting application firefox.exe, version 1.9.0.3105, faulting module
xul.dll, version 1.9.0.3105, fault address 0x0043d300.

Error - 9/24/2008 6:48:59 PM | Computer Name = ALBIONDESKTOP | Source = Application Error | ID = 1000
Description = Faulting application firefox.exe, version 1.9.0.3169, faulting module
quicktime.qts, version 7.4.0.91, fault address 0x001514d4.

Error - 10/2/2008 6:39:29 PM | Computer Name = ALBIONDESKTOP | Source = Application Hang | ID = 1002
Description = Hanging application uTorrent.exe, version 0.0.0.0, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 10/24/2008 5:08:56 PM | Computer Name = ALBIONDESKTOP | Source = Application Hang | ID = 1002
Description = Hanging application firefox.exe, version 1.9.0.3188, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 11/1/2008 6:24:08 PM | Computer Name = ALBIONDESKTOP | Source = Application Error | ID = 1000
Description = Faulting application firefox.exe, version 1.9.0.3188, faulting module
quicktime.qts, version 7.4.0.91, fault address 0x001514d4.

Error - 11/1/2008 9:21:22 PM | Computer Name = ALBIONDESKTOP | Source = Application Hang | ID = 1002
Description = Hanging application firefox.exe, version 1.9.0.3188, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 11/8/2008 9:04:23 PM | Computer Name = ALBIONDESKTOP | Source = Application Error | ID = 1000
Description = Faulting application wjqs.exe, version 0.0.0.0, faulting module wjqs.exe,
version 0.0.0.0, fault address 0x00001260.

[ System Events ]
Error - 6/16/2010 1:09:47 AM | Computer Name = ALBIONDESKTOP | Source = E100B | ID = 262151
Description = Adapter Intel(R) PRO/100 VE Network Connection #2: EEprom corruption
detected

Error - 6/16/2010 1:11:03 AM | Computer Name = ALBIONDESKTOP | Source = Service Control Manager | ID = 7000
Description = The Broadcom Netgroup Packet Filter service failed to start due to
the following error: %%2

Error - 6/16/2010 1:23:49 AM | Computer Name = ALBIONDESKTOP | Source = E100B | ID = 262151
Description = Adapter Intel(R) PRO/100 VE Network Connection #2: EEprom corruption
detected

Error - 6/16/2010 1:25:06 AM | Computer Name = ALBIONDESKTOP | Source = Service Control Manager | ID = 7000
Description = The Broadcom Netgroup Packet Filter service failed to start due to
the following error: %%2

Error - 6/16/2010 1:37:31 AM | Computer Name = ALBIONDESKTOP | Source = E100B | ID = 262151
Description = Adapter Intel(R) PRO/100 VE Network Connection #2: EEprom corruption
detected

Error - 6/16/2010 1:38:47 AM | Computer Name = ALBIONDESKTOP | Source = Service Control Manager | ID = 7000
Description = The Broadcom Netgroup Packet Filter service failed to start due to
the following error: %%2

Error - 6/16/2010 3:15:54 AM | Computer Name = ALBIONDESKTOP | Source = E100B | ID = 262151
Description = Adapter Intel(R) PRO/100 VE Network Connection #2: EEprom corruption
detected

Error - 6/16/2010 3:17:11 AM | Computer Name = ALBIONDESKTOP | Source = Service Control Manager | ID = 7000
Description = The Broadcom Netgroup Packet Filter service failed to start due to
the following error: %%2

Error - 6/16/2010 9:44:38 AM | Computer Name = ALBIONDESKTOP | Source = E100B | ID = 262151
Description = Adapter Intel(R) PRO/100 VE Network Connection #2: EEprom corruption
detected

Error - 6/16/2010 9:45:54 AM | Computer Name = ALBIONDESKTOP | Source = Service Control Manager | ID = 7000
Description = The Broadcom Netgroup Packet Filter service failed to start due to
the following error: %%2


< End of report >


Re: RookitAgentNotRemovedOnRestart

Post by Sneakyone on 16th June 2010, 10:04 pm

Hi ckelliher,

Glad your keyboard is in working order now.

I see you have uTorrent installed on your machine. We are not here to pass judgment on file-sharing as a concept. However, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to re-infections. It is certainly contributing to your current situation.

Please note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares.


I would strongly recommend that you uninstall them; however, that choice is up to you. If you choose to remove these programs, you can do so via Control Panel >> Add or Remove Programs.

=======

I see you have Viewpoint installed...
Viewpoint Manager is considered foistware rather than malware, since it is installed without the user's approval but doesn't spy or do anything "bad". I suggest you remove the program now. Navigate to Start --> Control Panel --> Add or Remove Programs and uninstall the following programs if present.

  • Viewpoint
  • Viewpoint Manager
  • Viewpoint Media Player
  • Viewpoint Toolbar

Let me know if you decided to uninstall it.

=======

Please run OTL.exe.

  • Copy the commands with file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy)


    :OTL
    MOD - [2007/03/08 08:36:28 | 000,161,280 | ---- | M] () -- C:\WINDOWS\uhafinohazozahuy.dll
    IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
    IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" =
    IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:1043
    FF - prefs.js..network.proxy.http: "127.0.0.1"
    FF - prefs.js..network.proxy.http_port: 1043
    O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {FD2FD708-1F6F-4B68-B141-C5778F0C19BB} - No CLSID value found.
    O4 - HKLM..\Run: [Inokasazasaza] C:\WINDOWS\uhafinohazozahuy.DLL ()
    O4 - HKCU..\Run: [MyWGU Messenger] C:\Program Files\MyWGU Messenger\MyWGU-Messenger.exe File not found
    O36 - AppCertDlls: autotson - (C:\WINDOWS\system32\rundinst.dll) - C:\WINDOWS\System32\rundinst.dll File not found
    O36 - AppCertDlls: cida2bin - (C:\WINDOWS\system32\setvdown.dll) - C:\WINDOWS\System32\setvdown.dll File not found

    :files
    C:\Documents and Settings\Sarah\Local Settings\Application Data\swegrfhoj
    C:\Documents and Settings\Sarah\Local Settings\Application Data\fffgyrnv
    C:\WINDOWS\System32\drivers\qlnnj.sys
    C:\WINDOWS\System32\drivers\rqphmoqj.sys
    C:\WINDOWS\Ajeziniyetasoyu.bin
    C:\Documents and Settings\Sarah\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
    C:\WINDOWS\Jjegutibo.dat
    C:\WINDOWS\uhafinohazozahuy.dll

    :commands
    [emptytemp]
    [resethosts]
    [reboot]


  • Return to OTL.exe, right click in the "Custom Scans/Fixes" window (under the light green bar) and choose Paste.

  • Click the red Run Fix button.
  • A fix log in Notepad will appear. Copy the contents of the fix log to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTL.exe

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

=========

To disable CD Emulation programs using DeFogger please perform these steps:
  1. Please download [You must be registered and logged in to see this link.] to your desktop.
  2. Once downloaded, double-click on the DeFogger icon to start the tool.
  3. The application window will now appear. You should now click on the Disable button to disable your CD Emulation drivers
  4. When it prompts you whether or not you want to continue, please click on the Yes button to continue
  5. When the program has completed you will see a Finished! message. Click on the OK button to exit the program.
  6. If CD Emulation programs are present and have been disabled, DeFogger will now ask you to reboot the machine. Please allow it to do so by clicking on the OK button.


=======

Please download ComboFix from [You must be registered and logged in to see this link.]

[You must be registered and logged in to see this link.]

[You must be registered and logged in to see this link.]

Rename ComboFix.exe to commy.exe before you save it to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. A guide to do this can be found [You must be registered and logged in to see this link.]
  • Click Start>Run, then copy and paste the following command into the Run box & click OK: "%userprofile%\desktop\commy.exe" /stepdel
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.


Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


  • Click on Yes, to continue scanning for malware.
  • When finished, it shall produce a log for you. Please include the contents of C:\ComboFix.txt in your next reply.

Sneakyone
Master

Posts : 2707
Joined : 2010-01-10
Gender : Male
OS : Windows 7 Ultimate 64-bit
Protection : Avast, Comodo Firewall, and Malwarebytes' Anti-Malware
Points : 56124
# Likes : 0
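The OTL fix above was assembled by reading the log for a browser proxy pointed at the local machine, AppCertDlls persistence entries, and Run values that load a DLL or a file that is no longer on disk. The triage helper below, an added example and not OTL's, ComboFix's or this thread's own code, applies those same defender-side checks to OTL/ComboFix-style lines; the sample lines are constructed from the logs quoted in this thread, and the rule names are my own.

```python
"""Triage helper for OTL/ComboFix-style log lines.

Added example, not OTL's or ComboFix's own code. It encodes the checks a
helper applies by eye when reading such a log: a browser proxy pointed at
the local host, AppCertDlls persistence, Run values that load a DLL or a
missing file, the Windows Firewall switched off, and stale firewall allow
rules for programs that are no longer on disk. Rule names are my own.
"""
import re
from ipaddress import ip_address
from typing import Iterable, List, Tuple

Finding = Tuple[str, str]  # (rule name, offending log line)

# IE proxy value as OTL/ComboFix print it, e.g. "http=127.0.0.1:1043" or "proxy:8080".
PROXY_RE = re.compile(r'ProxyServer"?\s*=\s*(?:\w+=)?(?P<host>[^:\s]+)(?::(?P<port>\d+))?')
# Firefox prefs.js line, e.g. network.proxy.http: "127.0.0.1"
FF_PROXY_RE = re.compile(r'network\.proxy\.http:\s*"(?P<host>[^"]+)"')
# O36 line: O36 - AppCertDlls: <value> - (<path>) - <path> [File not found]
APPCERT_RE = re.compile(r'^O36 - AppCertDlls: (?P<name>\S+) - \((?P<path>[^)]*)\)')
# O4 line: O4 - HKLM..\Run: [<value>] <target> (<publisher>) | File not found
RUN_RE = re.compile(r'^O4 - (?P<hive>HK\w+)\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<rest>.*)$')
FIREWALL_OFF_RE = re.compile(r'"EnableFirewall"\s*=\s*0\b')
# AuthorizedApplications\List line: "<path>" = <path>:*:Enabled:<name> -- File not found | (<publisher>)
AUTHAPP_RE = re.compile(r'^"(?P<path>[^"]+)" = .*:Enabled:(?P<name>.*?) -- (?P<status>File not found|\(.*\))$')


def _is_loopback(host: str) -> bool:
    """True for 127.0.0.0/8, ::1 or 'localhost' (a proxy on the machine itself)."""
    try:
        return ip_address(host).is_loopback
    except ValueError:
        return host.lower() == "localhost"


def triage(lines: Iterable[str]) -> List[Finding]:
    """Run every rule over each line and return the findings in log order."""
    findings: List[Finding] = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue

        # A proxy on 127.0.0.1 hands all browser traffic to a local listener,
        # which is how the hijack in this thread sat between the user and the web.
        m = PROXY_RE.search(line) or FF_PROXY_RE.search(line)
        if m and _is_loopback(m.group("host")):
            findings.append(("loopback-proxy", line))
            continue

        # AppCertDlls are loaded into every process that calls CreateProcess;
        # legitimate software almost never uses them, so report them all.
        if APPCERT_RE.match(line):
            status = "missing" if line.endswith("File not found") else "present"
            findings.append((f"appcertdll-{status}", line))
            continue

        m = RUN_RE.match(line)
        if m:
            rest = m.group("rest")
            if rest.endswith("File not found"):
                findings.append(("run-missing-target", line))
            else:
                # Strip the trailing "(Publisher)" or "()" that OTL appends.
                target = re.sub(r"\s*\([^)]*\)$", "", rest)
                if target.lower().endswith(".dll"):
                    # A Run value normally names an executable; a bare DLL
                    # with a random name in %WINDIR% is a loader entry.
                    findings.append(("run-dll-target", line))
            continue

        if FIREWALL_OFF_RE.search(line):
            findings.append(("firewall-disabled", line))
            continue

        m = AUTHAPP_RE.match(line)
        if m and m.group("status") == "File not found":
            # The allow rule has outlived its program; remove it rather than
            # leave a path-based exemption behind.
            findings.append(("stale-firewall-allow", line))
    return findings


# Constructed sample: lines taken from the OTL and ComboFix logs in this
# thread, plus one benign Run entry and one benign firewall rule for contrast.
SAMPLE_LOG = r"""
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:1043
FF - prefs.js..network.proxy.http: "127.0.0.1"
FF - prefs.js..network.proxy.http_port: 1043
O4 - HKLM..\Run: [Inokasazasaza] C:\WINDOWS\uhafinohazozahuy.DLL ()
O4 - HKLM..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe (Apple Inc.)
O4 - HKCU..\Run: [MyWGU Messenger] C:\Program Files\MyWGU Messenger\MyWGU-Messenger.exe File not found
O36 - AppCertDlls: autotson - (C:\WINDOWS\system32\rundinst.dll) - C:\WINDOWS\System32\rundinst.dll File not found
"EnableFirewall"= 0 (0x0)
"C:\Program Files\AIM\aim.exe" = C:\Program Files\AIM\aim.exe:*:Enabled:AOL Instant Messenger -- File not found
"C:\Program Files\iTunes\iTunes.exe" = C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes -- (Apple Inc.)
"""

if __name__ == "__main__":
    for rule, text in triage(SAMPLE_LOG.splitlines()):
        print(f"{rule:22} {text}")
```

Run against a full OTL.txt or ComboFix.txt the same way; lines that match none of the rules are simply skipped, so the output is only the entries worth a second look.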

Re: RookitAgentNotRemovedOnRestart

Post by ckelliher on 17th June 2010, 8:59 am

Hiya Sneakyone,

Duly noted about the file sharing thing. I brought it to my partner's attention.

I removed the Viewpoint Media Player as you've suggested.

I copied and pasted the information from your latest post into OTL a few times, yet it indicated that it was not responding after I clicked the Run Fix button. Perhaps I did it incorrectly.

What do you think should be my next course of action?

Sincerely,
ckelliher


Re: RookitAgentNotRemovedOnRestart

Post by Sneakyone on 18th June 2010, 1:08 am

Hi ckelliher,

Sorry for the delay.

Have you tried downloading and running ComboFix yet?

If you haven't, please do.


Re: RookitAgentNotRemovedOnRestart

Post by ckelliher on 19th June 2010, 4:12 am

Hiya Sneakyone,

My apologies for the delay, I work odd hours.

Here is what Combo Fix reported.

Sincerely,
ckelliher

ComboFix 10-06-18.03 - Sarah 06/18/2010 20:55:34.1.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1534.827 [GMT -7:00]
Running from: c:\documents and settings\Sarah\Desktop\Commy.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Sarah\Local Settings\Application Data\{008BB719-7E0F-4092-8F9C-FEE774B73494}
c:\documents and settings\Sarah\Local Settings\Application Data\{008BB719-7E0F-4092-8F9C-FEE774B73494}\chrome.manifest
c:\documents and settings\Sarah\Local Settings\Application Data\{008BB719-7E0F-4092-8F9C-FEE774B73494}\chrome\content\_cfg.js
c:\documents and settings\Sarah\Local Settings\Application Data\{008BB719-7E0F-4092-8F9C-FEE774B73494}\chrome\content\overlay.xul
c:\documents and settings\Sarah\Local Settings\Application Data\{008BB719-7E0F-4092-8F9C-FEE774B73494}\install.rdf
c:\program files\WinPCap
c:\program files\WinPCap\rpcapd.exe
c:\windows\system32\10123.exe
c:\windows\system32\11478.exe
c:\windows\system32\12731.exe
c:\windows\system32\15724.exe
c:\windows\system32\18467.exe
c:\windows\system32\19169.exe
c:\windows\system32\23281.exe
c:\windows\system32\23666.exe
c:\windows\system32\24464.exe
c:\windows\system32\26500.exe
c:\windows\system32\26962.exe
c:\windows\system32\28145.exe
c:\windows\system32\29358.exe
c:\windows\system32\29454.exe
c:\windows\system32\31284.exe
c:\windows\system32\404Fix.exe
c:\windows\system32\5705.exe
c:\windows\system32\6334.exe
c:\windows\system32\Agent.OMZ.Fix.exe
c:\windows\system32\drivers\npf.sys
c:\windows\system32\driVERs\rqphmoqj.sys
c:\windows\system32\dumphive.exe
c:\windows\system32\IEDFix.C.exe
c:\windows\system32\IEDFix.exe
c:\windows\system32\o4Patch.exe
c:\windows\system32\Packet.dll
c:\windows\system32\Process.exe
c:\windows\system32\pthreadVC.dll
c:\windows\system32\SrchSTS.exe
c:\windows\system32\tmp.reg
c:\windows\system32\VACFix.exe
c:\windows\system32\VCCLSID.exe
c:\windows\system32\WanPacket.dll
c:\windows\system32\wpcap.dll
c:\windows\system32\WS2Fix.exe
c:\windows\uhafinohazozahuy.dll
c:\windows\xpsp1hfm.log

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NPF
-------\Service_npf
-------\Legacy_rqphmoqj
-------\Service_rqphmoqj


((((((((((((((((((((((((( Files Created from 2010-05-19 to 2010-06-19 )))))))))))))))))))))))))))))))
.

2010-06-17 00:31 . 2010-06-17 00:31 -------- d-----w- C:\_OTL
2010-06-15 05:16 . 2010-06-15 05:16 -------- d-----w- c:\program files\Sophos
2010-06-10 00:06 . 2010-06-10 00:07 -------- d-----w- c:\documents and settings\Sarah\SmitfraudFix
2010-06-09 14:17 . 2010-06-09 22:15 -------- d-----w- c:\documents and settings\Sarah\Local Settings\Application Data\swegrfhoj
2010-06-09 14:17 . 2010-06-09 22:15 -------- d-----w- c:\documents and settings\Sarah\Local Settings\Application Data\fffgyrnv

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-19 04:05 . 2010-02-17 17:39 741376 ----a-w- c:\windows\system32\drivers\qlnnj.sys
2010-06-19 03:44 . 2007-12-16 18:32 -------- d-----w- c:\program files\Mozilla Firefox 3 Beta 1
2010-06-18 19:42 . 2007-11-26 21:24 -------- d-----w- c:\documents and settings\Sarah\Application Data\uTorrent
2010-06-17 08:49 . 2010-02-17 17:42 120 ----a-w- c:\windows\Jjegutibo.dat
2010-06-17 08:49 . 2010-02-17 17:42 0 ----a-w- c:\windows\Ajeziniyetasoyu.bin
2010-06-17 08:43 . 2006-09-23 18:50 -------- d-----w- c:\program files\Viewpoint
2010-06-13 04:56 . 2010-06-13 04:56 439816 ----a-w- c:\documents and settings\Sarah\Application Data\Real\Update\setup3.10\setup.exe
2010-06-10 10:12 . 2009-08-15 23:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-06-09 20:07 . 2010-01-13 23:36 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-06-09 19:01 . 2006-09-23 18:51 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-06-09 14:46 . 2009-03-23 18:59 -------- d-----w- c:\program files\Microsoft Silverlight
2010-06-03 02:42 . 2007-11-22 15:42 -------- d-----w- c:\program files\uTorrent
2010-05-11 01:15 . 2010-05-11 01:14 50354 ----a-w- c:\documents and settings\Sarah\Application Data\Facebook\uninstall.exe
2010-05-11 01:14 . 2010-05-11 01:14 -------- d-----w- c:\documents and settings\Sarah\Application Data\Facebook
2010-05-02 05:56 . 2004-08-10 17:51 1850880 ----a-w- c:\windows\system32\win32k.sys
2010-04-29 22:39 . 2010-01-13 23:36 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 22:39 . 2010-01-13 23:36 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-20 05:51 . 2004-08-10 17:50 285696 ----a-w- c:\windows\system32\atmfd.dll
2010-04-16 15:20 . 2004-08-10 17:51 668672 ----a-w- c:\windows\system32\wininet.dll
2010-04-16 15:20 . 2004-08-10 17:51 81920 ----a-w- c:\windows\system32\ieencode.dll
2007-09-10 19:45 . 2007-09-10 19:45 3393369 ----a-w- c:\program files\openofficeorg4.cab
2007-09-10 19:44 . 2007-09-10 19:44 66502315 ----a-w- c:\program files\openofficeorg3.cab
2007-09-10 19:36 . 2007-09-10 19:36 17643096 ----a-w- c:\program files\openofficeorg2.cab
2007-09-10 19:34 . 2007-09-10 19:34 18779946 ----a-w- c:\program files\openofficeorg1.cab
2007-09-10 19:32 . 2007-09-10 19:32 217 ----a-w- c:\program files\setup.ini
2007-09-10 19:32 . 2007-09-10 19:32 4362752 ----a-w- c:\program files\openofficeorg23.msi
2002-03-11 09:06 . 2002-03-11 09:06 1822520 ----a-w- c:\program files\instmsiw.exe
2002-03-11 08:45 . 2002-03-11 08:45 1708856 ----a-w- c:\program files\instmsia.exe
2007-12-05 23:01 . 2007-01-30 21:47 88 --sh--r- c:\windows\system32\991A48BF09.sys
2007-12-05 23:01 . 2007-01-30 21:47 3350 --sha-w- c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Nero\Lib\NMBgMonitor.exe" [2007-10-23 202024]
"Aim6"="c:\program files\AIM6\aim6.exe" [2008-10-21 50472]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-10-15 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-10-15 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-10-15 114688]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 132496]
"SigmatelSysTrayApp"="stsystra.exe" [2006-02-10 282624]
"DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2005-10-05 94208]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2007-11-22 185632]
"MSKDetectorExe"="c:\program files\McAfee\SpamKiller\MSKDetct.exe" [2006-11-07 1121280]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-10-04 8491008]
"nwiz"="nwiz.exe" [2007-10-04 1626112]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-10-04 81920]
"NeroFilterCheck"="c:\program files\Common Files\Nero\Lib\NeroCheck.exe" [2007-03-01 153136]
"Zune Launcher"="c:\program files\Zune\ZuneLauncher.exe" [2008-01-11 166304]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2008-09-12 36352]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-11 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-02-16 141608]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
Last.fm Helper.lnk - c:\program files\Last.fm\LastFMHelper.exe [2007-11-25 110592]
NETGEAR WG111v2 Smart Wizard.lnk - c:\program files\NETGEAR\WG111v2\WG111v2.exe [2008-12-21 1261568]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager\appcertdlls]
cida2bin REG_SZ c:\windows\system32\setvdown.dll
autotson REG_SZ c:\windows\system32\rundinst.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Last.fm\\LastFM.exe"=
"c:\\Program Files\\SmartFTP Client\\SmartFTP.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

S3 epmntdrv;epmntdrv;c:\windows\system32\epmntdrv.sys [2/17/2010 10:45 PM 13192]
S3 EuGdiDrv;EuGdiDrv;c:\windows\system32\EuGdiDrv.sys [2/17/2010 10:45 PM 8456]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\114.tmp --> c:\windows\system32\114.tmp [?]
S3 NdisWDM;Dynex Wireless G USB Network Adapter Service;c:\windows\system32\DRIVERS\ndiswdm.sys --> c:\windows\system32\DRIVERS\ndiswdm.sys [?]
S3 RTLWUSB;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter NT Driver;c:\windows\system32\drivers\wg111v2.sys [12/21/2008 5:34 PM 194304]
S3 USB_NDISXP;RCA USB Digital Cable Modem Driver;c:\windows\system32\drivers\NetRcaCmXP.sys [8/26/2008 4:36 PM 14336]

--- Other Services/Drivers In Memory ---

*Deregistered* - qlnnj
.
Contents of the 'Scheduled Tasks' folder
.
.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = [You must be registered and logged in to see this link.]
uInternet Settings,ProxyServer = http=127.0.0.1:1043
uInternet Settings,ProxyOverride =
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
FF - ProfilePath - c:\documents and settings\Sarah\Application Data\Mozilla\Firefox\Profiles\pg3sb7lb.default\
FF - prefs.js: browser.search.defaulturl - [You must be registered and logged in to see this link.]
FF - prefs.js: browser.search.selectedengine - Yahoo
FF - plugin: c:\documents and settings\Sarah\Application Data\Facebook\npfbplugin_1_0_3.dll
FF - plugin: c:\documents and settings\Sarah\Application Data\Mozilla\Firefox\Profiles\pg3sb7lb.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071101000055.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{FD2FD708-1F6F-4B68-B141-C5778F0C19BB} - (no file)
HKCU-Run-MyWGU Messenger - c:\program files\MyWGU Messenger\MyWGU-Messenger.exe
HKLM-Run-Inokasazasaza - c:\windows\uhafinohazozahuy.dll



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2010-06-18 21:02
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\114.tmp"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\qlnnj]

.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(636)
c:\windows\system32\RtlGina2.dll

- - - - - - - > 'explorer.exe'(3432)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\nvsvc32.exe
c:\windows\system32\ZuneBusEnum.exe
c:\windows\system32\wscntfy.exe
c:\windows\stsystra.exe
c:\windows\system32\RUNDLL32.EXE
c:\program files\Common Files\Nero\Lib\NMIndexingService.exe
c:\program files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
c:\program files\AIM6\aolsoftware.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2010-06-18 21:09:26 - machine was rebooted
ComboFix-quarantined-files.txt 2010-06-19 04:09

Pre-Run: 14,889,807,872 bytes free
Post-Run: 16,180,850,688 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - 3295986A348C68FC6BB453D1FA4D76AB

ckelliher

Re: RookitAgentNotRemovedOnRestart

Post by Sneakyone on 19th June 2010, 5:10 am

Hi ckelliher, Smile

Re-running ComboFix to remove infections:

  1. Close any open browsers.
  2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
  3. Open notepad and copy/paste the text in the quotebox below into it:

    KillAll::

    File::
    c:\windows\system32\drivers\qlnnj.sys
    c:\windows\Jjegutibo.dat
    c:\windows\Ajeziniyetasoyu.bin
    c:\windows\system32\114.tmp
    c:\windows\system32\setvdown.dll
    c:\windows\system32\rundinst.dll

    Folder::
    c:\documents and settings\Sarah\Local Settings\Application Data\swegrfhoj
    c:\documents and settings\Sarah\Local Settings\Application Data\fffgyrnv
    c:\documents and settings\Sarah\SmitfraudFix
    c:\program files\Viewpoint

    DDS::
    uInternet Settings,ProxyServer = http=127.0.0.1:1043
    uInternet Settings,ProxyOverride =

    Registry::
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager\appcertdlls]
    "cida2bin"=-
    "autotson"=-
    [-HKEY_LOCAL_MACHINE\System\ControlSet002\Services\MEMSWEEP2]
    [-HKEY_LOCAL_MACHINE\System\ControlSet002\Services\qlnnj]

    Driver::
    MEMSWEEP2

    Reboot::

  4. Save this as CFScript.txt, in the same location as ComboFix.exe



  5. Referring to the picture above, drag CFScript into ComboFix.exe
  6. When finished, it shall produce a log for you at C:\ComboFix.txt
  7. Please post the contents of the log in your next reply.

Sneakyone
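The ComboFix log posted above and the CFScript built from it, as an added example (not ComboFix's code or the helper's method): a Python triage that reads ComboFix log lines for the indicators seen in this thread (AppCertDlls values, a disabled firewall, a driver whose image is a .tmp file, a *Deregistered* driver, a loopback proxy, an autorun DLL dropped into c:\windows) and drafts the matching CFScript sections in the layout used in the post above. The sample log lines are constructed from the ones in this thread; the services hive path and the drivers\<name>.sys location are assumptions, and the heuristics are mine, not ComboFix's.

```python
"""Triage ComboFix log lines and draft matching CFScript sections (added example)."""
import re
from dataclasses import dataclass, field

APPCERT_KEY = r"HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager\appcertdlls"
SERVICES_KEY = r"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services"  # assumed hive path

# Constructed sample lines, patterned on the ComboFix log posted earlier in this thread.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager\appcertdlls]
cida2bin REG_SZ c:\windows\system32\setvdown.dll
autotson REG_SZ c:\windows\system32\rundinst.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\114.tmp --> c:\windows\system32\114.tmp [?]
S3 RTLWUSB;NETGEAR WG111v2 Adapter NT Driver;c:\windows\system32\drivers\wg111v2.sys [12/21/2008 5:34 PM 194304]

*Deregistered* - qlnnj

uInternet Settings,ProxyServer = http=127.0.0.1:1043
uInternet Settings,ProxyOverride =

HKCU-Run-MyWGU Messenger - c:\program files\MyWGU Messenger\MyWGU-Messenger.exe
HKLM-Run-Inokasazasaza - c:\windows\uhafinohazozahuy.dll
"""

@dataclass
class Finding:
    category: str
    detail: str
    section: str = ""  # CFScript section the finding maps to ("" = manual follow-up)
    entries: list = field(default_factory=list)

SECTION_RE = re.compile(r"^\[(.+)\]$")
APPCERT_RE = re.compile(r"^(\S+)\s+REG_SZ\s+(.+)$")
SERVICE_RE = re.compile(r"^S[0-4]\s+([^;]+);[^;]*;(.+)$")
PROXY_RE = re.compile(r"^uInternet Settings,ProxyServer\s*=\s*(\S+)")
RUN_RE = re.compile(r"^(HKLM|HKCU)-Run-(.+?) - (.+)$")

def triage(log_text: str) -> list:
    """Walk the log once and collect findings, tracking the current [registry key] section."""
    findings, section = [], ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := SECTION_RE.match(line):
            section = m.group(1).lower()
        elif section.endswith("appcertdlls") and (m := APPCERT_RE.match(line)):
            # AppCertDlls are mapped into every process that calls CreateProcess;
            # almost nothing legitimate registers one on a home PC.
            name, path = m.groups()
            findings.append(Finding("AppCertDlls", f"{name} -> {path}", "Registry",
                                    [f"[{APPCERT_KEY}]", f'"{name}"=-']))
        elif section.endswith("standardprofile") and re.match(r'"EnableFirewall"\s*=\s*0\b', line):
            findings.append(Finding("Firewall", "Windows Firewall disabled on the standard profile"))
        elif m := SERVICE_RE.match(line):
            name, rest = m.groups()
            path = re.sub(r"\s*\[.*\]$", "", rest.split(" --> ")[-1])
            if rest.endswith("[?]") or path.lower().endswith(".tmp"):
                # Driver whose image is a .tmp file or could not be found on disk.
                findings.append(Finding("Service", f"{name} -> {path}", "Driver", [name]))
                findings.append(Finding("Service", f"{name} image file", "File", [path]))
        elif line.startswith("*Deregistered*"):
            # ComboFix lists a driver still in memory with no proper service entry.
            # The .sys location is an assumption that matches this thread's script.
            name = line.split(" - ", 1)[1]
            findings.append(Finding("Deregistered driver", name, "File",
                                    [rf"c:\windows\system32\drivers\{name}.sys"]))
            findings.append(Finding("Deregistered driver", name, "Registry",
                                    [f"[-{SERVICES_KEY}\\{name}]"]))
        elif m := PROXY_RE.match(line):
            host = m.group(1).split("=")[-1].split(":")[0]
            if host in ("127.0.0.1", "localhost"):
                # A loopback proxy means a local process relays (and can rewrite) all browser traffic.
                findings.append(Finding("Proxy hijack", m.group(1), "DDS",
                                        [line, "uInternet Settings,ProxyOverride ="]))
        elif m := RUN_RE.match(line):
            hive, name, target = m.groups()
            # Heuristic: an autorun that loads a DLL dropped straight into c:\windows.
            if re.match(r"^c:\\windows\\[^\\]+\.dll$", target.lower()):
                findings.append(Finding("Autorun", f"{hive}\\{name} -> {target}", "File", [target]))
    return findings

def draft_cfscript(findings: list) -> str:
    """Render findings in the section layout of the CFScript used in this thread."""
    parts = ["KillAll::"]
    for section in ("File", "Folder", "DDS", "Registry", "Driver"):
        lines = []
        for f in findings:
            if f.section == section:
                lines += [e for e in f.entries if e not in lines]  # keep order, drop repeats
        if lines:
            parts += ["", f"{section}::", *lines]
    parts += ["", "Reboot::"]
    return "\n".join(parts)

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.category:20} {f.detail}")
    print(draft_cfscript(triage(SAMPLE_LOG)))
```

Findings with an empty section (the disabled firewall here) are reported but left for manual follow-up, since re-enabling the firewall is not something a CFScript line does.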

Re: RookitAgentNotRemovedOnRestart

Post by ckelliher on 19th June 2010, 11:45 am

Hiya Sneakyone,

I will be home after work today around 3pm Pacific Time. Thanks for all your help so far. Our computer seems so much faster now.

Sincerely,
ckelliher

ComboFix 10-06-18.03 - Sarah 06/19/2010 4:27.2.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1534.1061 [GMT -7:00]
Running from: c:\documents and settings\Sarah\Desktop\Commy.exe
Command switches used :: c:\documents and settings\Sarah\Desktop\CFScript.txt

FILE ::
"c:\windows\Ajeziniyetasoyu.bin"
"c:\windows\Jjegutibo.dat"
"c:\windows\system32\114.tmp"
"c:\windows\system32\drivers\qlnnj.sys"
"c:\windows\system32\rundinst.dll"
"c:\windows\system32\setvdown.dll"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Sarah\Local Settings\Application Data\fffgyrnv
c:\documents and settings\Sarah\Local Settings\Application Data\swegrfhoj
c:\documents and settings\Sarah\SmitfraudFix
c:\documents and settings\Sarah\SmitfraudFix\404Fix.exe
c:\documents and settings\Sarah\SmitfraudFix\Agent.OMZ.Fix.exe
c:\documents and settings\Sarah\SmitfraudFix\beep_2K_original.sys
c:\documents and settings\Sarah\SmitfraudFix\beep_XP_original.sys
c:\documents and settings\Sarah\SmitfraudFix\dumphive.exe
c:\documents and settings\Sarah\SmitfraudFix\exit.exe
c:\documents and settings\Sarah\SmitfraudFix\GenericRenosFix.exe
c:\documents and settings\Sarah\SmitfraudFix\HostsChk.exe
c:\documents and settings\Sarah\SmitfraudFix\IEDFix.C.exe
c:\documents and settings\Sarah\SmitfraudFix\IEDFix.exe
c:\documents and settings\Sarah\SmitfraudFix\o4Patch.exe
c:\documents and settings\Sarah\SmitfraudFix\Policies.exe
c:\documents and settings\Sarah\SmitfraudFix\Process.exe
c:\documents and settings\Sarah\SmitfraudFix\ProxyDisable.exe
c:\documents and settings\Sarah\SmitfraudFix\Reboot.exe
c:\documents and settings\Sarah\SmitfraudFix\restart.exe
c:\documents and settings\Sarah\SmitfraudFix\SmitfraudFix.cmd
c:\documents and settings\Sarah\SmitfraudFix\SmiUpdate.exe
c:\documents and settings\Sarah\SmitfraudFix\SrchSTS.exe
c:\documents and settings\Sarah\SmitfraudFix\swreg.exe
c:\documents and settings\Sarah\SmitfraudFix\swsc.exe
c:\documents and settings\Sarah\SmitfraudFix\swxcacls.exe
c:\documents and settings\Sarah\SmitfraudFix\UIFix.exe
c:\documents and settings\Sarah\SmitfraudFix\unzip.exe
c:\documents and settings\Sarah\SmitfraudFix\VACFix.exe
c:\documents and settings\Sarah\SmitfraudFix\VCCLSID.exe
c:\documents and settings\Sarah\SmitfraudFix\WS2Fix.exe
c:\program files\Viewpoint
c:\program files\Viewpoint\Viewpoint Manager\CPtask.xml
c:\program files\Viewpoint\Viewpoint Manager\ViewCPData\images\s.gif
c:\program files\Viewpoint\Viewpoint Manager\ViewCPData\images\vm_header_av.gif
c:\program files\Viewpoint\Viewpoint Manager\ViewCPData\images\vm_header_cp.gif
c:\program files\Viewpoint\Viewpoint Manager\ViewCPData\images\vm_header_up.gif
c:\program files\Viewpoint\Viewpoint Manager\ViewCPData\images\vm_inner_bg.gif
c:\program files\Viewpoint\Viewpoint Manager\ViewCPData\images\vm_inner_bottom.gif
c:\program files\Viewpoint\Viewpoint Manager\ViewCPData\images\vm_tab_bg.gif
c:\program files\Viewpoint\Viewpoint Manager\ViewCPData\images\vm_tab1_off.gif
c:\program files\Viewpoint\Viewpoint Manager\ViewCPData\images\vm_tab1_on.gif
c:\program files\Viewpoint\Viewpoint Manager\ViewCPData\images\vm_tab2_off.gif
c:\program files\Viewpoint\Viewpoint Manager\ViewCPData\images\vm_tab2_on.gif
c:\program files\Viewpoint\Viewpoint Manager\ViewCPData\images\vwpt_logo.gif
c:\program files\Viewpoint\Viewpoint Manager\ViewCPData\vmctrl.html
c:\program files\Viewpoint\Viewpoint Toolbar\3.8.0\eula.txt
c:\windows\Ajeziniyetasoyu.bin
c:\windows\Jjegutibo.dat
c:\windows\system32\drivers\qlnnj.sys

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_MEMSWEEP2
-------\Legacy_qlnnj
-------\Service_qlnnj


((((((((((((((((((((((((( Files Created from 2010-05-19 to 2010-06-19 )))))))))))))))))))))))))))))))
.

2010-06-19 03:50 . 2010-06-19 04:09 -------- d-----w- C:\Commy
2010-06-17 00:31 . 2010-06-17 00:31 -------- d-----w- C:\_OTL
2010-06-15 05:16 . 2010-06-15 05:16 -------- d-----w- c:\program files\Sophos
2010-06-13 04:56 . 2010-06-13 04:56 439816 ----a-w- c:\documents and settings\Sarah\Application Data\Real\Update\setup3.10\setup.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-19 04:10 . 2007-12-16 18:32 -------- d-----w- c:\program files\Mozilla Firefox 3 Beta 1
2010-06-18 19:42 . 2007-11-26 21:24 -------- d-----w- c:\documents and settings\Sarah\Application Data\uTorrent
2010-06-10 10:12 . 2009-08-15 23:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-06-09 20:07 . 2010-01-13 23:36 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-06-09 19:01 . 2006-09-23 18:51 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-06-09 14:46 . 2009-03-23 18:59 -------- d-----w- c:\program files\Microsoft Silverlight
2010-06-03 02:42 . 2007-11-22 15:42 -------- d-----w- c:\program files\uTorrent
2010-05-11 01:15 . 2010-05-11 01:14 50354 ----a-w- c:\documents and settings\Sarah\Application Data\Facebook\uninstall.exe
2010-05-11 01:14 . 2010-05-11 01:14 -------- d-----w- c:\documents and settings\Sarah\Application Data\Facebook
2010-05-02 05:56 . 2004-08-10 17:51 1850880 ----a-w- c:\windows\system32\win32k.sys
2010-04-29 22:39 . 2010-01-13 23:36 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 22:39 . 2010-01-13 23:36 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-20 05:51 . 2004-08-10 17:50 285696 ----a-w- c:\windows\system32\atmfd.dll
2010-04-16 15:20 . 2004-08-10 17:51 668672 ----a-w- c:\windows\system32\wininet.dll
2010-04-16 15:20 . 2004-08-10 17:51 81920 ----a-w- c:\windows\system32\ieencode.dll
2007-09-10 19:45 . 2007-09-10 19:45 3393369 ----a-w- c:\program files\openofficeorg4.cab
2007-09-10 19:44 . 2007-09-10 19:44 66502315 ----a-w- c:\program files\openofficeorg3.cab
2007-09-10 19:36 . 2007-09-10 19:36 17643096 ----a-w- c:\program files\openofficeorg2.cab
2007-09-10 19:34 . 2007-09-10 19:34 18779946 ----a-w- c:\program files\openofficeorg1.cab
2007-09-10 19:32 . 2007-09-10 19:32 217 ----a-w- c:\program files\setup.ini
2007-09-10 19:32 . 2007-09-10 19:32 4362752 ----a-w- c:\program files\openofficeorg23.msi
2002-03-11 09:06 . 2002-03-11 09:06 1822520 ----a-w- c:\program files\instmsiw.exe
2002-03-11 08:45 . 2002-03-11 08:45 1708856 ----a-w- c:\program files\instmsia.exe
2007-12-05 23:01 . 2007-01-30 21:47 88 --sh--r- c:\windows\system32\991A48BF09.sys
2007-12-05 23:01 . 2007-01-30 21:47 3350 --sha-w- c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Nero\Lib\NMBgMonitor.exe" [2007-10-23 202024]
"Aim6"="c:\program files\AIM6\aim6.exe" [2008-10-21 50472]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-10-15 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-10-15 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-10-15 114688]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 132496]
"SigmatelSysTrayApp"="stsystra.exe" [2006-02-10 282624]
"DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2005-10-05 94208]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2007-11-22 185632]
"MSKDetectorExe"="c:\program files\McAfee\SpamKiller\MSKDetct.exe" [2006-11-07 1121280]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-10-04 8491008]
"nwiz"="nwiz.exe" [2007-10-04 1626112]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-10-04 81920]
"NeroFilterCheck"="c:\program files\Common Files\Nero\Lib\NeroCheck.exe" [2007-03-01 153136]
"Zune Launcher"="c:\program files\Zune\ZuneLauncher.exe" [2008-01-11 166304]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2008-09-12 36352]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-11 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-02-16 141608]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
Last.fm Helper.lnk - c:\program files\Last.fm\LastFMHelper.exe [2007-11-25 110592]
NETGEAR WG111v2 Smart Wizard.lnk - c:\program files\NETGEAR\WG111v2\WG111v2.exe [2008-12-21 1261568]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Last.fm\\LastFM.exe"=
"c:\\Program Files\\SmartFTP Client\\SmartFTP.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

S3 epmntdrv;epmntdrv;c:\windows\system32\epmntdrv.sys [2/17/2010 10:45 PM 13192]
S3 EuGdiDrv;EuGdiDrv;c:\windows\system32\EuGdiDrv.sys [2/17/2010 10:45 PM 8456]
S3 NdisWDM;Dynex Wireless G USB Network Adapter Service;c:\windows\system32\DRIVERS\ndiswdm.sys --> c:\windows\system32\DRIVERS\ndiswdm.sys [?]
S3 RTLWUSB;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter NT Driver;c:\windows\system32\drivers\wg111v2.sys [12/21/2008 5:34 PM 194304]
S3 USB_NDISXP;RCA USB Digital Cable Modem Driver;c:\windows\system32\drivers\NetRcaCmXP.sys [8/26/2008 4:36 PM 14336]
.
.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = [You must be registered and logged in to see this link.]
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
FF - ProfilePath - c:\documents and settings\Sarah\Application Data\Mozilla\Firefox\Profiles\pg3sb7lb.default\
FF - prefs.js: browser.search.defaulturl - [You must be registered and logged in to see this link.]
FF - prefs.js: browser.search.selectedengine - Yahoo
FF - plugin: c:\documents and settings\Sarah\Application Data\Facebook\npfbplugin_1_0_3.dll
FF - plugin: c:\documents and settings\Sarah\Application Data\Mozilla\Firefox\Profiles\pg3sb7lb.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071101000055.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2010-06-19 04:36
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(624)
c:\windows\system32\RtlGina2.dll

- - - - - - - > 'explorer.exe'(3128)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\nvsvc32.exe
c:\windows\system32\ZuneBusEnum.exe
c:\windows\system32\wscntfy.exe
c:\windows\stsystra.exe
c:\windows\system32\RUNDLL32.EXE
c:\program files\Common Files\Nero\Lib\NMIndexingService.exe
c:\program files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
c:\program files\AIM6\aolsoftware.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2010-06-19 04:41:43 - machine was rebooted
ComboFix-quarantined-files.txt 2010-06-19 11:41
ComboFix2.txt 2010-06-19 04:09

Pre-Run: 16,268,673,024 bytes free
Post-Run: 16,233,902,080 bytes free

- - End Of File - - 1F29AB2DB7BE1740E1A148EB8995091C

ckelliher

Re: RookitAgentNotRemovedOnRestart

Post by Sneakyone on 19th June 2010, 4:26 pm

Hi ckelliher, Smile

Please run a free online scan with the [You must be registered and logged in to see this link.]
Note: You will need to use Internet Explorer for this scan

  • Tick the box next to YES, I accept the Terms of Use
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the options Remove found threats and Scan unwanted applications are checked
  • Click Scan (This scan can take several hours, so please be patient)
  • Once the scan is completed, you may close the window
  • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic

Sneakyone

Re: RookitAgentNotRemovedOnRestart

Post by ckelliher on 20th June 2010, 12:14 am

Hiya Sneakyone,

Holy crap! 8 threats found! Please let me know what you think I should do next.

Sincerely,
ckelliher

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=65ce845871887040a08d7fc21c301720
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=false
# utc_time=2010-06-19 11:02:04
# local_time=2010-06-19 04:02:04 (-0800, Pacific Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 2
# compatibility_mode=512 16777215 100 0 0 0 0 0
# compatibility_mode=1024 16777215 100 0 44228523 44228523 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=102906
# found=8
# cleaned=8
# scan_time=2448
C:\Documents and Settings\Sarah\Application Data\Sun\Java\Deployment\cache\6.0\23\40d74897-5fb451e0 probably a variant of Java/TrojanDownloader.Agent.AB trojan (cleaned by deleting - quarantined) FC68B243472B78E13A177959ADBE6F0C C
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\qlnnj.sys.vir Win32/Bubnix.AP trojan (cleaned by deleting - quarantined) 2AACA53B0486E329E516E30F5430E26A C
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\rqphmoqj.sys.vir a variant of Win32/Rootkit.Kryptik.BI trojan (cleaned by deleting - quarantined) 14B51746C77CC9A7147709FDC232CA79 C
C:\Qoobox\Quarantine\C\WINDOWS\uhafinohazozahuy.dll.vir a variant of Win32/Cimag.BQ trojan (cleaned by deleting - quarantined) 7F39E57DE4E84D5A56CEDA1B0633CD59 C
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1057\A0078088.dll a variant of Win32/Cimag.BQ trojan (cleaned by deleting - quarantined) 7F39E57DE4E84D5A56CEDA1B0633CD59 C
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1057\A0078093.sys a variant of Win32/Rootkit.Kryptik.BI trojan (cleaned by deleting - quarantined) 14B51746C77CC9A7147709FDC232CA79 C
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1058\A0078230.sys Win32/Bubnix.AP trojan (cleaned by deleting - quarantined) 2AACA53B0486E329E516E30F5430E26A C
C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Internet Explorer\Desktop.htt Win32/TrojanDownloader.FakeAlert.AUD trojan (cleaned by deleting - quarantined) D7E2EB1AB87771735D998081845526E2 C

ckelliher

Re: RookitAgentNotRemovedOnRestart

Post by Sneakyone on 20th June 2010, 12:53 am

Hi ckelliher, Smile

Your computer is now clean. Now, time to remove the tools used.

Updating System Restore
Now, to get you off to a good start, we will clean your restore points so that all the bad stuff is gone for good. Then, if you need to restore at some stage, you will be clean. There are several ways to reset your restore points, but this is my method:
  • Select Start > All Programs > Accessories > System tools > System Restore.
  • On the dialogue box that appears select Create a Restore Point
  • Click NEXT
  • Enter a name e.g. Clean
  • Click CREATE.


You now have a clean restore point.

To get rid of the bad ones:
  • Select Start > All Programs > Accessories > System tools > Disk Cleanup.
  • In the drop-down box that appears, select your main drive, e.g. C
  • Click OK
  • The System will do a calculation of temporary/old files, and then display a dialogue box.
  • Select the More Options Tab.
  • At the bottom there will be a System Restore box with a CLEANUP button; click this.
  • Accept the warning and select OK again; the program will close and you are done.


========

Removing the tools
Now, to remove all of the tools we used and the files and folders they created, please do the following:

Download [You must be registered and logged in to see this link.] by OldTimer:
  • Save it to your Desktop.
  • Double click OTC.exe.
  • Click the CleanUp! button.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes.
    Note: If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.


============

Service Pack upgrade
Please consider upgrading to Windows XP SP3, because it includes all previously released updates. It also includes a small number of new functionalities. You may not have some of the updates that Service Pack 3 provides. It is now available via Windows Update.

More info about SP3: [You must be registered and logged in to see this link.]

===========

Update Programs

Please download the newest version of Java from [You must be registered and logged in to see this link.].

Before installing: it is important to remove older versions of Java since it does not do so automatically and old versions still leave you vulnerable.
Go to the Control Panel and enter Add or Remove Programs.
Search the list for all previously installed versions of Java (J2SE Runtime Environment). Please uninstall/remove each of them.

Once old versions are gone, please install the newest version.

======

If you don't have an antispyware program, I recommend downloading these free programs to help keep you spyware-free:
1. [You must be registered and logged in to see this link.]
2. [You must be registered and logged in to see this link.]

If you don't have an antivirus, I recommend downloading these free antivirus programs:
1. [You must be registered and logged in to see this link.]
2. [You must be registered and logged in to see this link.]
3. [You must be registered and logged in to see this link.]

If you don't have a good firewall, I recommend these free firewalls:
1. [You must be registered and logged in to see this link.]
2. [You must be registered and logged in to see this link.]

I recommend using [You must be registered and logged in to see this link.] as an antimalware program.

Please don't download more than one antivirus, firewall, or antispyware program, because they will conflict with each other, causing slowness, data loss, and false results, so just don't do it.

================

Here are some prevention tips I have provided:

1. Don't download files from untrusted websites or websites that seem suspicious.

2. Don't use torrents; they are a good way to get lots of malware.

3. Don't download and use cracks/warez/keygens; they are illegal and are another good way to contract malware.

4. Disable autorun [You must be registered and logged in to see this link.] or [You must be registered and logged in to see this link.]

5. Always make sure you have the latest Windows updates. windowsupdate.microsoft.com

6. Don't ever click on the links inside of a popup.

7. Make sure you know what you install; you can make sure it is not known for being a virus by simply searching for it on Google.

8. Use a Site Advisor so you don't go to sites that will infect you. [You must be registered and logged in to see this link.]

9. Also, there are many holes and flaws in Internet Explorer; I recommend using [You must be registered and logged in to see this link.] to keep you safer.

10. Always keep your [You must be registered and logged in to see this link.] and Adobe updated.

11. Don't fall for scareware. What is scareware? It is a website made to download a rogue antivirus onto your system that will scare you into buying its fake software with false detections.

12. Always have a firewall and an antivirus.

Thanks for choosing GeekPolice, see [You must be registered and logged in to see this link.] if you would like to leave feedback or contribute to our site. Do you have any more questions?

For more information please visit [You must be registered and logged in to see this link.]

Sneakyone

Re: RookitAgentNotRemovedOnRestart

Post by ckelliher on 20th June 2010, 2:12 am

Sneakyone!

You are marvelous!

A thousand thank you's!

I WILL be giving a donation next paycheck!

Sincerely,
ckelliher

ckelliher

Re: RookitAgentNotRemovedOnRestart

Post by Sneakyone on 20th June 2010, 2:27 am

You're welcome, I am glad I was able to help out. Smile

Thanks for the donation. Smile

Sneakyone