
DreaminBlue

Everything posted by DreaminBlue

  1. • the contents of C:\Combofix.txt:

ComboFix 09-08-28.06 - Jillian 08/29/2009 15:46.1.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.261 [GMT -4:00]
Running from: c:\documents and settings\Jillian\Desktop\Combo-Fix.exe
AV: AntiVir Desktop *On-access scanning disabled* (Outdated) {AD166499-45F9-482A-A743-FDD3350758C7}
 * Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\All Users\Application Data\gyduru.lib
c:\documents and settings\All Users\Application Data\jezy.exe
c:\documents and settings\All Users\Application Data\Microsoft\Internet Explorer\DLLs\c.cgm
c:\documents and settings\All Users\Application Data\qapopeva.bin
c:\documents and settings\All Users\Application Data\tatuqiti.scr
c:\documents and settings\All Users\Application Data\uvujiradah.dl
c:\documents and settings\All Users\Application Data\vure.pif
c:\documents and settings\All Users\Application Data\ykomydu.pif
c:\documents and settings\All Users\Application Data\ysegev.scr
c:\documents and settings\All Users\Documents\bijojuzufo.dll
c:\documents and settings\All Users\Documents\celyz._dl
c:\documents and settings\All Users\Documents\ewuryruty.dll
c:\documents and settings\All Users\Documents\osagoteca.reg
c:\documents and settings\All Users\Documents\vysazugini._dl
c:\documents and settings\All Users\Documents\ydoboven.dl
c:\documents and settings\Jillian\Application Data\enenavor.sys
c:\documents and settings\Jillian\Application Data\ihykemivo.lib
c:\documents and settings\Jillian\Application Data\Microsoft\Internet Explorer\Quick Launch\PC_Antispyware2010.lnk
c:\documents and settings\Jillian\Application Data\miwubet.inf
c:\documents and settings\Jillian\Application Data\ofuhofycix.ban
c:\documents and settings\Jillian\Application Data\oqope.scr
c:\documents and settings\Jillian\Application Data\panip.reg
c:\documents and settings\Jillian\Application Data\puce.dl
c:\documents and settings\Jillian\Application Data\ywony.exe
c:\documents and settings\Jillian\Application Data\zyfitom.lib
c:\documents and settings\Jillian\Local Settings\Application Data\bopepaq.reg
c:\documents and settings\Jillian\Local Settings\Application Data\cekaduse.bat
c:\documents and settings\Jillian\Local Settings\Application Data\davuqo._dl
c:\documents and settings\Jillian\Local Settings\Application Data\egojem.exe
c:\documents and settings\Jillian\Local Settings\Application Data\ejaqubivod.scr
c:\documents and settings\Jillian\Local Settings\Application Data\ekago.bat
c:\documents and settings\Jillian\Local Settings\Application Data\eviwoc._dl
c:\documents and settings\Jillian\Local Settings\Application Data\quzukawyc.exe
c:\documents and settings\Jillian\My Documents\ZbThumbnail.info
c:\program files\Common Files\oziryveqi.dl
c:\program files\Common Files\sycudi.vbs
c:\program files\Common Files\ucaxi.vbs
c:\program files\Common Files\upuqumota.com
c:\program files\Common Files\vybobe.bin
c:\program files\Common Files\vytacawy.scr
c:\program files\Common Files\vywupiso._dl
c:\program files\Common Files\ycyzynazu._dl
c:\windows\abowom.vbs
c:\windows\adol.pif
c:\windows\braviax.exe
c:\windows\desktop
c:\windows\desktop\readme.rtf
c:\windows\ekefazexeg.sys
c:\windows\gixenomar.reg
c:\windows\imezafe.exe
c:\windows\Installer\66a7a56.msi
c:\windows\koqy.scr
c:\windows\oqiwa.dll
c:\windows\qawysicoq.bat
c:\windows\run.log
c:\windows\system32\_scui.cpl
c:\windows\system32\~.exe
c:\windows\system32\ecubar.bat
c:\windows\system32\uacinit.dll
c:\windows\system32\wisdstr.exe
c:\windows\ufevoc.inf
c:\windows\uqaco.sys
c:\windows\uxyfeh.bin
c:\windows\wiaserviv.log
c:\windows\winkey.drv
c:\windows\Winset.drv
c:\windows\wukeza.sys
c:\windows\ybekuveviv.pif
c:\windows\yhofesafof.dl
c:\windows\yxivuquf.bat

Infected copy of c:\windows\system32\eventlog.dll was found and disinfected
Restored copy from - c:\windows\system32\logevent.dll
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226EE}

((((((((((((((((((((((((( Files Created from 2009-07-28 to 2009-08-29 )))))))))))))))))))))))))))))))
.
2009-08-29 19:02 . 2009-08-29 19:02 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2009-08-28 21:21 . 2009-08-28 21:22 -------- d-----w- c:\program files\ERUNT
2009-08-26 22:49 . 2009-08-26 22:49 -------- d-----w- c:\program files\Trend Micro
2009-08-25 21:31 . 2009-08-25 21:31 -------- d-sh--w- c:\documents and settings\Jillian\IECompatCache
2009-08-25 00:10 . 2009-07-28 20:33 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-08-25 00:10 . 2009-03-30 14:33 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys
2009-08-25 00:10 . 2009-02-13 16:29 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2009-08-25 00:10 . 2009-02-13 16:17 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2009-08-25 00:10 . 2009-08-25 00:10 -------- d-----w- c:\program files\Avira
2009-08-25 00:10 . 2009-08-25 00:10 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2009-08-22 21:57 . 2009-08-22 21:57 -------- d-----w- c:\documents and settings\Jillian\Application Data\Malwarebytes
2009-08-22 21:54 . 2009-08-22 21:54 26624 ----a-w- c:\windows\system32\UAClrwsklyavg.dll
2009-08-22 04:26 . 2009-08-29 19:27 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-08-21 04:25 . 2009-08-23 01:17 -------- d-----w- C:\40E3EBCA
2009-08-20 23:23 . 2009-07-08 17:43 34248 ----a-w- c:\windows\system32\drivers\mferkdk.sys
2009-08-20 22:56 . 2009-08-20 23:21 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2009-08-20 22:47 . 2009-08-20 22:47 12329 ----a-w- c:\windows\zagexiz.com
2009-08-20 00:37 . 2009-08-20 00:37 -------- d-sh--w- c:\documents and settings\Jillian\PrivacIE
2009-08-19 23:01 . 2009-08-19 23:01 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-08-19 23:01 . 2009-08-19 23:01 -------- d-sh--w- c:\documents and settings\Jillian\IETldCache
2009-08-19 22:44 . 2009-08-19 22:45 -------- dc-h--w- c:\windows\ie8
2009-08-19 21:52 . 2009-08-19 22:34 174 ----a-w- c:\windows\system32\UACpdaidaoytr.dat
2009-08-15 14:08 . 2009-08-15 14:08 -------- d-----w- c:\windows\system32\XPSViewer
2009-08-15 14:08 . 2009-08-15 14:08 -------- d-----w- c:\program files\MSBuild
2009-08-15 14:08 . 2009-08-15 14:08 -------- d-----w- c:\program files\Reference Assemblies
2009-08-15 14:07 . 2008-07-06 12:06 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-08-15 14:07 . 2008-07-06 12:06 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
2009-08-15 14:07 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
2009-08-15 14:07 . 2008-07-06 12:06 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll
2009-08-15 14:07 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
2009-08-15 14:07 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
2009-08-15 14:07 . 2008-07-06 10:50 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-08-15 14:07 . 2009-08-15 14:07 -------- d-----w- C:\8befe50c44ca06c1022efcfe
2009-08-13 07:54 . 2009-07-10 13:27 1315328 -c----w- c:\windows\system32\dllcache\msoe.dll
2009-08-05 09:01 . 2009-08-05 09:01 204800 -c----w- c:\windows\system32\dllcache\mswebdvd.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-28 22:42 . 2007-11-08 14:20 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-08-28 03:10 . 2007-09-26 21:20 -------- d-----w- c:\documents and settings\Jillian\Application Data\OpenOffice.org2
2009-08-27 00:49 . 2009-08-27 00:49 -------- d-----w- c:\documents and settings\Administrator\Application Data\Intel
2009-08-20 23:13 . 2007-09-15 17:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2009-08-20 23:13 . 2007-09-15 17:32 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-08-20 23:05 . 2007-09-15 17:32 -------- d-----w- c:\program files\Symantec
2009-08-20 22:47 . 2009-08-20 22:47 10148 ----a-w- c:\program files\Common Files\hyjasyt.lib
2009-08-20 22:21 . 2009-08-20 22:21 18366 ----a-w- c:\documents and settings\All Users\Application Data\alijakyvas.dat
2009-08-20 00:43 . 2009-08-20 00:43 12375 ----a-w- c:\program files\Common Files\mujyryqij._sy
2009-08-20 00:43 . 2009-08-20 00:43 11307 ----a-w- c:\documents and settings\Jillian\Application Data\izavojapi.dat
2009-08-19 21:41 . 2009-08-19 21:40 784771 ----a-w- c:\windows\system32\xa.tmp
2009-08-19 21:41 . 2008-10-27 21:23 68584 ----a-w- c:\windows\system32\GDIPFONTCACHEV1.DAT
2009-08-18 03:15 . 2009-06-19 03:01 -------- d-----w- c:\program files\AIMTunes
2009-08-08 21:15 . 2007-09-25 22:03 -------- d-----w- c:\documents and settings\Jillian\Application Data\uTorrent
2009-08-05 09:01 . 2004-08-04 10:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-26 15:07 . 2007-09-25 20:44 -------- d-----w- c:\program files\iTunes
2009-07-26 15:06 . 2009-07-26 15:06 -------- d-----w- c:\program files\iPod
2009-07-26 15:06 . 2007-09-25 20:42 -------- d-----w- c:\program files\Common Files\Apple
2009-07-26 14:58 . 2009-07-26 14:56 -------- d-----w- c:\program files\QuickTime
2009-07-26 14:46 . 2009-07-26 14:46 75040 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.2.1.6\SetupAdmin.exe
2009-07-23 22:02 . 2009-07-22 03:10 -------- d-----w- c:\program files\qatkko
2009-07-21 21:43 . 2007-09-13 15:14 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-07-17 20:52 . 2007-12-08 07:17 -------- d-----w- c:\documents and settings\Jillian\Application Data\Move Networks
2009-07-17 19:01 . 2004-08-04 10:00 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-16 22:25 . 2009-07-16 22:25 127872 ----a-w- c:\documents and settings\Jillian\Application Data\Move Networks\uninstall.exe
2009-07-16 22:25 . 2009-06-16 06:35 4183416 ----a-w- c:\documents and settings\Jillian\Application Data\Move Networks\plugins\npqmp071503000010.dll
2009-07-16 22:25 . 2009-07-16 22:25 1686272 ----a-w- c:\documents and settings\Jillian\Application Data\Move Networks\MoveMediaPlayerWin_071503000010.exe
2009-07-14 03:43 . 2004-08-04 10:00 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-09 16:16 . 2009-03-16 22:28 2060288 ----a-w- c:\windows\system32\usbaaplrc.dll
2009-07-09 16:16 . 2008-07-15 15:55 39424 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2009-07-08 17:44 . 2009-07-08 17:44 214024 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2009-07-07 02:44 . 2009-07-28 02:55 937984 ----a-w- c:\documents and settings\Jillian\Application Data\Mozilla\Firefox\Profiles\vgk6a90r.default\extensions\piclens@cooliris.com\libs\PicLensHelper.exe
2009-07-07 02:44 . 2009-07-28 02:55 103424 ----a-w- c:\documents and settings\Jillian\Application Data\Mozilla\Firefox\Profiles\vgk6a90r.default\extensions\piclens@cooliris.com\libs\pixomatic.dll
2009-07-07 02:44 . 2009-07-28 02:55 65536 ----a-w- c:\documents and settings\Jillian\Application Data\Mozilla\Firefox\Profiles\vgk6a90r.default\extensions\piclens@cooliris.com\components\coolirisstub.dll
2009-07-07 02:44 . 2009-07-28 02:55 4722688 ----a-w- c:\documents and settings\Jillian\Application Data\Mozilla\Firefox\Profiles\vgk6a90r.default\extensions\piclens@cooliris.com\libs\cooliris19.dll
2009-07-07 02:44 . 2009-07-28 02:55 106496 ----a-w- c:\documents and settings\Jillian\Application Data\Mozilla\Firefox\Profiles\vgk6a90r.default\extensions\piclens@cooliris.com\plugins\npcoolirisplugin.dll
2009-07-07 02:44 . 2009-07-28 02:54 344064 ----a-w- c:\documents and settings\Jillian\Application Data\Mozilla\Firefox\Profiles\vgk6a90r.default\extensions\piclens@cooliris.com\libs\LaunchCooliris.exe
2009-06-30 23:19 . 2009-07-05 21:16 106496 ----a-w- c:\documents and settings\Jillian\Application Data\Mozilla\Plugins\npcoolirisplugin.dll
2009-06-30 23:19 . 2009-07-05 21:15 65536 ----a-w- c:\documents and settings\Jillian\Application Data\Mozilla\Firefox\Profiles\vgk6a90r.default\extensions\piclens@cooliris.com-trash\components\coolirisstub.dll
2009-06-30 23:19 . 2009-07-05 21:15 4734976 ----a-w- c:\documents and settings\Jillian\Application Data\Mozilla\Firefox\Profiles\vgk6a90r.default\extensions\piclens@cooliris.com-trash\libs\cooliris19.dll
2009-06-25 08:25 . 2004-08-04 10:00 730112 ----a-w- c:\windows\system32\lsasrv.dll
2009-06-25 08:25 . 2004-08-04 10:00 56832 ----a-w- c:\windows\system32\secur32.dll
2009-06-25 08:25 . 2004-08-04 10:00 54272 ----a-w- c:\windows\system32\wdigest.dll
2009-06-25 08:25 . 2004-08-04 10:00 301568 ----a-w- c:\windows\system32\kerberos.dll
2009-06-25 08:25 . 2004-08-04 10:00 147456 ----a-w- c:\windows\system32\schannel.dll
2009-06-25 08:25 . 2004-08-04 10:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-06-24 11:18 . 2004-08-04 10:00 92928 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2009-06-19 02:56 . 2009-06-19 02:56 1144808 ----a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\aimtunes\AIMTunes.exe
2009-06-16 14:36 . 2004-08-04 10:00 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-16 14:36 . 2004-08-04 10:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-16 06:35 . 2009-06-16 06:35 97144 ----a-w- c:\documents and settings\Jillian\Application Data\Move Networks\ie_bin\MovePlayerUpgrade.exe
2009-06-12 12:31 . 2004-08-04 10:00 80896 ----a-w- c:\windows\system32\tlntsess.exe
2009-06-12 12:31 . 2004-08-04 10:00 76288 ----a-w- c:\windows\system32\telnet.exe
2009-06-10 14:13 . 2004-08-04 10:00 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-06-10 13:19 . 2007-09-13 00:49 2066432 ----a-w- c:\windows\system32\mstscax.dll
2009-06-10 06:14 . 2004-08-04 10:00 132096 ----a-w- c:\windows\system32\wkssvc.dll
2009-06-03 19:09 . 2004-08-04 10:00 1291264 ----a-w- c:\windows\system32\quartz.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2005-07-23 401408]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2005-07-23 385024]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 761947]
"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 36975]
"Dell AIO Printer A920"="c:\program files\Dell AIO Printer A920\dlbkbmgr.exe" [2004-04-15 270336]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-07-29 335872]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-04-24 185896]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"ATIModeChange"="Ati2mdxx.exe" - c:\windows\system32\Ati2mdxx.exe [2001-09-04 28672]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
2005-07-23 02:46 110592 ----a-w- c:\program files\Intel\Wireless\Bin\LgNotify.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\6snjy2vtrre.sys]
@="\??\c:\windows\system32\drivers\6snjy2vtrre.sys"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\qy2vdwing2i.sys]
@="\??\c:\windows\system32\drivers\qy2vdwing2i.sys"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\rrjill.sys]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Ares\\Ares.exe"=
"c:\\Program Files\\Last.fm\\LastFM.exe"=
"c:\\Program Files\\Ruckus Player\\Ruckus.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\WINDOWS\\system32\\LEXPPS.EXE"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [8/24/2009 8:10 PM 108289]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [10/30/2007 5:28 PM 24652]
S2 6snjy2vtrre.sys;6snjy2vtrre.sys;\??\c:\windows\system32\drivers\6snjy2vtrre.sys --> c:\windows\system32\drivers\6snjy2vtrre.sys [?]
S2 gmolnx;gmolnx;c:\windows\system32\drivers\okhjgof.sys --> c:\windows\system32\drivers\okhjgof.sys [?]
S2 qy2vdwing2i.sys;qy2vdwing2i.sys;c:\windows\system32\drivers\qy2vdwing2i.sys [8/4/2004 6:00 AM 79872]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-08-13 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-NordBull - c:\windows\msa.exe
HKCU-Run-EasyDVDMon - (no file)
HKCU-Run-Aim6 - (no file)
HKLM-Run-net - c:\windows\system32\net.net
HKLM-Run-PC Antispyware 2010 - c:\program files\PC_Antispyware2010\PC_Antispyware2010.exe
Notify-NavLogon - (no file)
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: aol.com\kdc.uas
Trusted Zone: windows.com\time
FF - ProfilePath - c:\documents and settings\Jillian\Application Data\Mozilla\Firefox\Profiles\vgk6a90r.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - component: c:\documents and settings\Jillian\Application Data\Mozilla\Firefox\Profiles\vgk6a90r.default\extensions\piclens@cooliris.com\components\coolirisstub.dll
FF - plugin: c:\documents and settings\Jillian\Application Data\Move Networks\plugins\npqmp071503000010.dll
FF - plugin: c:\documents and settings\Jillian\Application Data\Mozilla\Firefox\Profiles\vgk6a90r.default\extensions\piclens@cooliris.com\plugins\npcoolirisplugin.dll
FF - plugin: c:\documents and settings\Jillian\Application Data\Mozilla\plugins\npcoolirisplugin.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJPI150_06.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPOJI610.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPTURNMED.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
.
**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-29 15:55
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1004)
c:\windows\system32\Ati2evxx.dll
c:\program files\Intel\Wireless\Bin\LgNotify.dll

- - - - - - - > 'explorer.exe'(2028)
c:\windows\system32\ieframe.dll
c:\windows\system32\OneX.DLL
c:\windows\system32\eappprxy.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Intel\Wireless\Bin\WLKEEPER.exe
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\windows\system32\ati2evxx.exe
c:\progra~1\Intel\Wireless\Bin\1XConfig.exe
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\Dell AIO Printer A920\dlbkbmon.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-08-29 16:01 - machine was rebooted
ComboFix-quarantined-files.txt 2009-08-29 20:00

Pre-Run: 25,273,696,256 bytes free
Post-Run: 28,957,212,672 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

331 --- E O F --- 2009-08-27 02:19

  • Eset scan log:

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=6
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6050
# api_version=3.0.2
# EOSSerial=8bf597026a6a7040ab7cc411f77f2310
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2009-08-29 09:10:45
# local_time=2009-08-29 05:10:45 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=1797 37 100 98 3419525606304
# scanned=68918
# found=10
# cleaned=10
# scan_time=2096
C:\40E3EBCA\Backup\C_\Documents and Settings\Jillian\Local Settings\Temp\f.exe a variant of Win32/Kryptik.ADG trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\40E3EBCA\Backup\C_\WINDOWS\msa.exe a variant of Win32/Kryptik.ADG trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\40E3EBCA\Backup\C_\WINDOWS\system32\dllcache\beep.sys a variant of Win32/UltimateDefender.A trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\40E3EBCA\Backup\C_\WINDOWS\system32\drivers\beep.sys a variant of Win32/UltimateDefender.A trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\WINDOWS\braviax.exe.vir a variant of Win32/Kryptik.AHY trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\WINDOWS\system32\eventlog.dll.vir a variant of Win32/Kryptik.YQ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\WINDOWS\system32\wisdstr.exe.vir a variant of Win32/Kryptik.AHY trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\WINDOWS\system32\_scui.cpl.vir Win32/Adware.XPSecurityCenter application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\WINDOWS\system32\~.exe.vir a variant of Win32/Kryptik.AHY trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\xa.tmp Win32/TrojanDownloader.Agent.OYU trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

  • the contents of OTL.txt:

OTL logfile created on: 8/29/2009 5:24:41 PM - Run 1
OTL by OldTimer - Version 3.0.10.7 Folder = C:\Documents and Settings\Jillian\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

511.23 Mb Total Physical Memory | 205.14 Mb Available Physical Memory | 40.13% Memory free
1.22 Gb Paging File | 0.97 Gb Available in Paging File | 79.27% Paging File free
Paging file location(s): C:\pagefile.sys 768 1536 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74.53 Gb Total Space | 26.93 Gb Free Space | 36.14% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: JILLIAN-TROUT
Current User Name: Jillian
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2003/07/29 15:11:00 | 00,323,584 | ---- | M] () -- C:\WINDOWS\System32\Ati2evxx.exe
PRC - [2005/07/22 22:40:54 | 00,086,016 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
PRC - [2005/07/22 22:43:46 | 00,372,809 | ---- | M] (Intel Corporation ) -- C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
PRC - [2005/07/22 22:52:30 | 00,225,353 | ---- | M] (Intel
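The entries a responder pulls out of a ComboFix log like the one above before anything else are the disabled on-access scanner, the SafeBoot\Minimal entries it printed (the log's own note says empty and legit default entries are hidden, so anything shown is non-default), the firewall being off and the globally open 3389/TCP, the S2 driver services whose image ComboFix could not read ("[?]") or that are also wired into Safe Mode, and the Run orphans it removed. The following Python script is an added example written for this page: it is not part of DreaminBlue's post and not a ComboFix feature; its input is a constructed subset of the lines from the log above, and the category names and severities are the example's own choices.

```python
"""Triage the 'Reg Loading Points' block of a ComboFix log (added example, not part of the post)."""
import re
from dataclasses import dataclass
from typing import List

# Constructed sample: a subset of the lines from the ComboFix log posted above.
SAMPLE_LOG = r"""
AV: AntiVir Desktop *On-access scanning disabled* (Outdated) {AD166499-45F9-482A-A743-FDD3350758C7}
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\6snjy2vtrre.sys]
@="\??\c:\windows\system32\drivers\6snjy2vtrre.sys"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\qy2vdwing2i.sys]
@="\??\c:\windows\system32\drivers\qy2vdwing2i.sys"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\rrjill.sys]
@=""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [8/24/2009 8:10 PM 108289]
S2 6snjy2vtrre.sys;6snjy2vtrre.sys;\??\c:\windows\system32\drivers\6snjy2vtrre.sys --> c:\windows\system32\drivers\6snjy2vtrre.sys [?]
S2 gmolnx;gmolnx;c:\windows\system32\drivers\okhjgof.sys --> c:\windows\system32\drivers\okhjgof.sys [?]
S2 qy2vdwing2i.sys;qy2vdwing2i.sys;c:\windows\system32\drivers\qy2vdwing2i.sys [8/4/2004 6:00 AM 79872]
- - - - ORPHANS REMOVED - - - -
HKCU-Run-NordBull - c:\windows\msa.exe
HKCU-Run-EasyDVDMon - (no file)
HKLM-Run-PC Antispyware 2010 - c:\program files\PC_Antispyware2010\PC_Antispyware2010.exe
"""


@dataclass(frozen=True)
class Finding:
    severity: str   # "high" or "medium" (the example's own scale)
    category: str
    evidence: str   # the log text the finding rests on


KEY_RE = re.compile(r"^\[(.+)\]$")                       # registry key header line
# SafeBoot\Minimal (or Network) entries: malware adds these so its driver also loads in Safe Mode.
SAFEBOOT_RE = re.compile(r"\\SafeBoot\\(?:Minimal|Network)\\([^\\\]]+)", re.I)
# ComboFix service line: "<R|S><start> <name>;<display>;<image> [<stamp size>]", "[?]" when unreadable.
SERVICE_RE = re.compile(r"^[RS][0-4] ([^;]+);[^;]*;(.+)$")
ORPHAN_RE = re.compile(r"^HK(?:LM|CU)-Run-.+? - (.+)$")   # autoruns ComboFix removed
OPEN_PORT_RE = re.compile(r'^"(\d+):(TCP|UDP)"=', re.I)


def triage(log_text: str) -> List[Finding]:
    lines = [l.strip() for l in log_text.splitlines() if l.strip()]
    # First pass: names of the non-default SafeBoot entries, used to correlate with services.
    safeboot = {SAFEBOOT_RE.search(l).group(1).lower() for l in lines if SAFEBOOT_RE.search(l)}
    out: List[Finding] = []
    key = ""         # lower-cased registry key the following value lines belong to
    pending = None   # SafeBoot key header waiting for its "@=" value line
    for line in lines:
        if line.startswith("AV:") and "scanning disabled" in line.lower():
            out.append(Finding("high", "av-disabled", line))
            continue
        km = KEY_RE.match(line)
        if km:
            key = km.group(1).lower()
            pending = line if SAFEBOOT_RE.search(line) else None
            continue
        if pending and line.startswith("@="):
            out.append(Finding("high", "safeboot-entry", f"{pending} {line}"))
            pending = None
            continue
        sm = SERVICE_RE.match(line)
        if sm:
            name, tail = sm.group(1).lower(), sm.group(2)
            image = tail.split(" [", 1)[0].split(" --> ")[-1]   # resolved image path
            if tail.endswith("[?]"):
                out.append(Finding("high", "service-image-missing", line))
            if name in safeboot or image.rsplit("\\", 1)[-1].lower() in safeboot:
                out.append(Finding("high", "safe-mode-persistence", line))
            continue
        om = ORPHAN_RE.match(line)
        if om:
            if om.group(1) != "(no file)":
                out.append(Finding("medium", "removed-autorun", line))
            continue
        value = line.split("=", 1)[1].strip().lower() if "=" in line else ""
        if key.endswith("firewallpolicy\\standardprofile") and line.startswith('"EnableFirewall"=') and value.startswith("0"):
            out.append(Finding("high", "firewall-off", line))
        elif "globallyopenports" in key and OPEN_PORT_RE.match(line):
            pm = OPEN_PORT_RE.match(line)
            out.append(Finding("medium", "open-port", f"{pm.group(1)}/{pm.group(2).upper()}"))
        elif "security center" in key and "disablenotify" in line.lower() and value.startswith("dword:") and value != "dword:00000000":
            out.append(Finding("medium", "security-center-notify-off", line))
    return out


if __name__ == "__main__":
    for f in sorted(triage(SAMPLE_LOG), key=lambda f: f.severity):
        print(f"[{f.severity}] {f.category}: {f.evidence}")
```

The correlation step is the part worth keeping: a driver service that is also named under SafeBoot\Minimal survives a Safe Mode boot, so it goes to the top of the list regardless of how the file itself is classified. The benign AntiVir scheduler service in the sample produces no finding, which is the check that the rules are not just flagging every service line.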
2007-12-08 07:17 -------- d-----w- c:\documents and settings\Jillian\Application Data\Move Networks 2009-07-17 19:01 . 2004-08-04 10:00 58880 ----a-w- c:\windows\system32\atl.dll 2009-07-16 22:25 . 2009-07-16 22:25 127872 ----a-w- c:\documents and settings\Jillian\Application Data\Move Networks\uninstall.exe 2009-07-16 22:25 . 2009-06-16 06:35 4183416 ----a-w- c:\documents and settings\Jillian\Application Data\Move Networks\plugins\npqmp071503000010.dll 2009-07-16 22:25 . 2009-07-16 22:25 1686272 ----a-w- c:\documents and settings\Jillian\Application Data\Move Networks\MoveMediaPlayerWin_071503000010.exe 2009-07-14 03:43 . 2004-08-04 10:00 286208 ----a-w- c:\windows\system32\wmpdxm.dll 2009-07-09 16:16 . 2009-03-16 22:28 2060288 ----a-w- c:\windows\system32\usbaaplrc.dll 2009-07-09 16:16 . 2008-07-15 15:55 39424 ----a-w- c:\windows\system32\drivers\usbaapl.sys 2009-07-08 17:44 . 2009-07-08 17:44 214024 ----a-w- c:\windows\system32\drivers\mfehidk.sys 2009-07-07 02:44 . 2009-07-28 02:55 937984 ----a-w- c:\documents and settings\Jillian\Application Data\Mozilla\Firefox\Profiles\vgk6a90r.default\extensions\piclens@cooliris.com\libs\PicLensHelper.exe 2009-07-07 02:44 . 2009-07-28 02:55 103424 ----a-w- c:\documents and settings\Jillian\Application Data\Mozilla\Firefox\Profiles\vgk6a90r.default\extensions\piclens@cooliris.com\libs\pixomatic.dll 2009-07-07 02:44 . 2009-07-28 02:55 65536 ----a-w- c:\documents and settings\Jillian\Application Data\Mozilla\Firefox\Profiles\vgk6a90r.default\extensions\piclens@cooliris.com\components\coolirisstub.dll 2009-07-07 02:44 . 2009-07-28 02:55 4722688 ----a-w- c:\documents and settings\Jillian\Application Data\Mozilla\Firefox\Profiles\vgk6a90r.default\extensions\piclens@cooliris.com\libs\cooliris19.dll 2009-07-07 02:44 . 2009-07-28 02:55 106496 ----a-w- c:\documents and settings\Jillian\Application Data\Mozilla\Firefox\Profiles\vgk6a90r.default\extensions\piclens@cooliris.com\plugins\npcoolirisplugin.dll 2009-07-07 02:44 . 
2009-07-28 02:54 344064 ----a-w- c:\documents and settings\Jillian\Application Data\Mozilla\Firefox\Profiles\vgk6a90r.default\extensions\piclens@cooliris.com\libs\LaunchCooliris.exe 2009-06-30 23:19 . 2009-07-05 21:16 106496 ----a-w- c:\documents and settings\Jillian\Application Data\Mozilla\Plugins\npcoolirisplugin.dll 2009-06-30 23:19 . 2009-07-05 21:15 65536 ----a-w- c:\documents and settings\Jillian\Application Data\Mozilla\Firefox\Profiles\vgk6a90r.default\extensions\piclens@cooliris.com-trash\components\coolirisstub.dll 2009-06-30 23:19 . 2009-07-05 21:15 4734976 ----a-w- c:\documents and settings\Jillian\Application Data\Mozilla\Firefox\Profiles\vgk6a90r.default\extensions\piclens@cooliris.com-trash\libs\cooliris19.dll 2009-06-25 08:25 . 2004-08-04 10:00 730112 ----a-w- c:\windows\system32\lsasrv.dll 2009-06-25 08:25 . 2004-08-04 10:00 56832 ----a-w- c:\windows\system32\secur32.dll 2009-06-25 08:25 . 2004-08-04 10:00 54272 ----a-w- c:\windows\system32\wdigest.dll 2009-06-25 08:25 . 2004-08-04 10:00 301568 ----a-w- c:\windows\system32\kerberos.dll 2009-06-25 08:25 . 2004-08-04 10:00 147456 ----a-w- c:\windows\system32\schannel.dll 2009-06-25 08:25 . 2004-08-04 10:00 136192 ----a-w- c:\windows\system32\msv1_0.dll 2009-06-24 11:18 . 2004-08-04 10:00 92928 ----a-w- c:\windows\system32\drivers\ksecdd.sys 2009-06-19 02:56 . 2009-06-19 02:56 1144808 ----a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\aimtunes\AIMTunes.exe 2009-06-16 14:36 . 2004-08-04 10:00 81920 ----a-w- c:\windows\system32\fontsub.dll 2009-06-16 14:36 . 2004-08-04 10:00 119808 ----a-w- c:\windows\system32\t2embed.dll 2009-06-16 06:35 . 2009-06-16 06:35 97144 ----a-w- c:\documents and settings\Jillian\Application Data\Move Networks\ie_bin\MovePlayerUpgrade.exe 2009-06-12 12:31 . 2004-08-04 10:00 80896 ----a-w- c:\windows\system32\tlntsess.exe 2009-06-12 12:31 . 2004-08-04 10:00 76288 ----a-w- c:\windows\system32\telnet.exe 2009-06-10 14:13 . 
2004-08-04 10:00 84992 ----a-w- c:\windows\system32\avifil32.dll 2009-06-10 13:19 . 2007-09-13 00:49 2066432 ----a-w- c:\windows\system32\mstscax.dll 2009-06-10 06:14 . 2004-08-04 10:00 132096 ----a-w- c:\windows\system32\wkssvc.dll 2009-06-03 19:09 . 2004-08-04 10:00 1291264 ----a-w- c:\windows\system32\quartz.dll . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2005-07-23 401408] "IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2005-07-23 385024] "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 761947] "SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 36975] "Dell AIO Printer A920"="c:\program files\Dell AIO Printer A920\dlbkbmgr.exe" [2004-04-15 270336] "ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-07-29 335872] "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-04-24 185896] "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696] "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128] "avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153] "ATIModeChange"="Ati2mdxx.exe" - c:\windows\system32\Ati2mdxx.exe [2001-09-04 28672] [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer] "ForceClassicControlPanel"= 1 (0x1) [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless] 2005-07-23 02:46 110592 ----a-w- c:\program files\Intel\Wireless\Bin\LgNotify.dll 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\6snjy2vtrre.sys] @="\??\c:\windows\system32\drivers\6snjy2vtrre.sys" [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\qy2vdwing2i.sys] @="\??\c:\windows\system32\drivers\qy2vdwing2i.sys" [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\rrjill.sys] @="" [HKEY_LOCAL_MACHINE\software\microsoft\security center] "UpdatesDisableNotify"=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile] "EnableFirewall"= 0 (0x0) [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "c:\\WINDOWS\\system32\\usmt\\migwiz.exe"= "c:\\Program Files\\uTorrent\\uTorrent.exe"= "c:\\Program Files\\Ares\\Ares.exe"= "c:\\Program Files\\Last.fm\\LastFM.exe"= "c:\\Program Files\\Ruckus Player\\Ruckus.exe"= "c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "c:\\Program Files\\Bonjour\\mDNSResponder.exe"= "c:\\WINDOWS\\system32\\LEXPPS.EXE"= "c:\\Program Files\\AIM6\\aim6.exe"= "c:\\Program Files\\iTunes\\iTunes.exe"= [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List] "3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009 R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [8/24/2009 8:10 PM 108289] R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [10/30/2007 5:28 PM 24652] S2 6snjy2vtrre.sys;6snjy2vtrre.sys;\??\c:\windows\system32\drivers\6snjy2vtrre.sys --> c:\windows\system32\drivers\6snjy2vtrre.sys [?] S2 gmolnx;gmolnx;c:\windows\system32\drivers\okhjgof.sys --> c:\windows\system32\drivers\okhjgof.sys [?] 
S2 qy2vdwing2i.sys;qy2vdwing2i.sys;c:\windows\system32\drivers\qy2vdwing2i.sys [8/4/2004 6:00 AM 79872] [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}] "c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP . Contents of the 'Scheduled Tasks' folder 2009-08-13 c:\windows\Tasks\AppleSoftwareUpdate.job - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34] . - - - - ORPHANS REMOVED - - - - HKCU-Run-NordBull - c:\windows\msa.exe HKCU-Run-EasyDVDMon - (no file) HKCU-Run-Aim6 - (no file) HKLM-Run-net - c:\windows\system32\net.net HKLM-Run-PC Antispyware 2010 - c:\program files\PC_Antispyware2010\PC_Antispyware2010.exe Notify-NavLogon - (no file) . ------- Supplementary Scan ------- . uStart Page = hxxp://www.google.com mStart Page = hxxp://www.google.com IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 Trusted Zone: aol.com\kdc.uas Trusted Zone: windows.com\time FF - ProfilePath - c:\documents and settings\Jillian\Application Data\Mozilla\Firefox\Profiles\vgk6a90r.default\ FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/ FF - component: c:\documents and settings\Jillian\Application Data\Mozilla\Firefox\Profiles\vgk6a90r.default\extensions\piclens@cooliris.com\components\coolirisstub.dll FF - plugin: c:\documents and settings\Jillian\Application Data\Move Networks\plugins\npqmp071503000010.dll FF - plugin: c:\documents and settings\Jillian\Application Data\Mozilla\Firefox\Profiles\vgk6a90r.default\extensions\piclens@cooliris.com\plugins\npcoolirisplugin.dll FF - plugin: c:\documents and settings\Jillian\Application Data\Mozilla\plugins\npcoolirisplugin.dll FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava11.dll FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava12.dll FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava13.dll FF - plugin: c:\program 
files\Java\jre1.5.0_06\bin\NPJava14.dll FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava32.dll FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJPI150_06.dll FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPOJI610.dll FF - plugin: c:\program files\Mozilla Firefox\plugins\NPTURNMED.dll FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll . ************************************************************************** catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2009-08-29 15:55 Windows 5.1.2600 Service Pack 3 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** . --------------------- DLLs Loaded Under Running Processes --------------------- - - - - - - - > 'winlogon.exe'(1004) c:\windows\system32\Ati2evxx.dll c:\program files\Intel\Wireless\Bin\LgNotify.dll - - - - - - - > 'explorer.exe'(2028) c:\windows\system32\ieframe.dll c:\windows\system32\OneX.DLL c:\windows\system32\eappprxy.dll c:\windows\system32\webcheck.dll c:\windows\system32\WPDShServiceObj.dll c:\windows\system32\PortableDeviceTypes.dll c:\windows\system32\PortableDeviceApi.dll . ------------------------ Other Running Processes ------------------------ . 
c:\windows\system32\ati2evxx.exe c:\program files\Intel\Wireless\Bin\EvtEng.exe c:\program files\Intel\Wireless\Bin\S24EvMon.exe c:\program files\Intel\Wireless\Bin\WLKEEPER.exe c:\windows\system32\LEXBCES.EXE c:\windows\system32\LEXPPS.EXE c:\windows\system32\ati2evxx.exe c:\progra~1\Intel\Wireless\Bin\1XConfig.exe c:\program files\Avira\AntiVir Desktop\avguard.exe c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe c:\program files\Bonjour\mDNSResponder.exe c:\program files\Intel\Wireless\Bin\RegSrvc.exe c:\program files\Dell AIO Printer A920\dlbkbmon.exe c:\program files\Canon\CAL\CALMAIN.exe c:\program files\iPod\bin\iPodService.exe c:\windows\system32\wscntfy.exe . ************************************************************************** . Completion time: 2009-08-29 16:01 - machine was rebooted ComboFix-quarantined-files.txt 2009-08-29 20:00 Pre-Run: 25,273,696,256 bytes free Post-Run: 28,957,212,672 bytes free WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe [boot loader] timeout=2 default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS [operating systems] c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect 331 --- E O F --- 2009-08-27 02:19 [*]Eset scan log ESETSmartInstaller@High as CAB hook log: OnlineScanner.ocx - registred OK # version=6 # iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339) # OnlineScanner.ocx=1.0.0.6050 # api_version=3.0.2 # EOSSerial=8bf597026a6a7040ab7cc411f77f2310 # end=finished # remove_checked=true # archives_checked=false # unwanted_checked=true # unsafe_checked=false # antistealth_checked=true # utc_time=2009-08-29 09:10:45 # local_time=2009-08-29 05:10:45 (-0500, Eastern Daylight Time) # country="United States" # lang=1033 # osver=5.1.2600 NT Service Pack 3 # compatibility_mode=1797 37 100 98 3419525606304 # scanned=68918 # found=10 # cleaned=10 # 
scan_time=2096 C:\40E3EBCA\Backup\C_\Documents and Settings\Jillian\Local Settings\Temp\f.exe a variant of Win32/Kryptik.ADG trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C C:\40E3EBCA\Backup\C_\WINDOWS\msa.exe a variant of Win32/Kryptik.ADG trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C C:\40E3EBCA\Backup\C_\WINDOWS\system32\dllcache\beep.sys a variant of Win32/UltimateDefender.A trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C C:\40E3EBCA\Backup\C_\WINDOWS\system32\drivers\beep.sys a variant of Win32/UltimateDefender.A trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C C:\Qoobox\Quarantine\C\WINDOWS\braviax.exe.vir a variant of Win32/Kryptik.AHY trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C C:\Qoobox\Quarantine\C\WINDOWS\system32\eventlog.dll.vir a variant of Win32/Kryptik.YQ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C C:\Qoobox\Quarantine\C\WINDOWS\system32\wisdstr.exe.vir a variant of Win32/Kryptik.AHY trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C C:\Qoobox\Quarantine\C\WINDOWS\system32\_scui.cpl.vir Win32/Adware.XPSecurityCenter application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C C:\Qoobox\Quarantine\C\WINDOWS\system32\~.exe.vir a variant of Win32/Kryptik.AHY trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C C:\WINDOWS\system32\xa.tmp Win32/TrojanDownloader.Agent.OYU trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C [*]the contents of OTL.txt OTL logfile created on: 8/29/2009 5:24:41 PM - Run 1 OTL by OldTimer - Version 3.0.10.7 Folder = C:\Documents and Settings\Jillian\Desktop Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation Internet Explorer (Version = 8.0.6001.18702) Locale: 00000409 | Country: United States | 
Language: ENU | Date Format: M/d/yyyy 511.23 Mb Total Physical Memory | 205.14 Mb Available Physical Memory | 40.13% Memory free 1.22 Gb Paging File | 0.97 Gb Available in Paging File | 79.27% Paging File free Paging file location(s): C:\pagefile.sys 768 1536 [binary data] %SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files Drive C: | 74.53 Gb Total Space | 26.93 Gb Free Space | 36.14% Space Free | Partition Type: NTFS D: Drive not present or media not loaded E: Drive not present or media not loaded F: Drive not present or media not loaded G: Drive not present or media not loaded H: Drive not present or media not loaded I: Drive not present or media not loaded Computer Name: JILLIAN-TROUT Current User Name: Jillian Logged in as Administrator. Current Boot Mode: Normal Scan Mode: Current user Company Name Whitelist: Off Skip Microsoft Files: Off File Age = 30 Days Output = Standard ========== Processes (SafeList) ========== PRC - [2003/07/29 15:11:00 | 00,323,584 | ---- | M] () -- C:\WINDOWS\System32\Ati2evxx.exe PRC - [2005/07/22 22:40:54 | 00,086,016 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Wireless\Bin\EvtEng.exe PRC - [2005/07/22 22:43:46 | 00,372,809 | ---- | M] (Intel Corporation ) -- C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe PRC - [2005/07/22 22:52:30 | 00,225,353 | ---- | M] (Intel
  3. Ran in normal mode. avenger.txt Logfile of The Avenger Version 2.0, © by Swandog46 http://swandog46.geekstogo.com Platform: Windows XP ******************* Script file opened successfully. Script file read successfully. Backups directory opened successfully at C:\Avenger ******************* Beginning to process script file: Rootkit scan active. No rootkits found! Error: file "C:\WINDOWS\system32\drivers\UACmpkdlkdoyb.sys" not found! Deletion of file "C:\WINDOWS\system32\drivers\UACmpkdlkdoyb.sys" failed! Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND) --> the object does not exist Error: file "C:\Windows\system32\UACd.sys" not found! Deletion of file "C:\Windows\system32\UACd.sys" failed! Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND) --> the object does not exist Error: file "C:\Windows\UACd.sys" not found! Deletion of file "C:\Windows\UACd.sys" failed! Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND) --> the object does not exist Error: file "C:\WINDOWS\system32\UACmplepxourr.dll" not found! Deletion of file "C:\WINDOWS\system32\UACmplepxourr.dll" failed! Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND) --> the object does not exist Error: file "C:\WINDOWS\system32\UAChnvymqfqqg.dll" not found! Deletion of file "C:\WINDOWS\system32\UAChnvymqfqqg.dll" failed! Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND) --> the object does not exist Error: file "C:\WINDOWS\system32\UAChnvymqfqqg.dll" not found! Deletion of file "C:\WINDOWS\system32\UAChnvymqfqqg.dll" failed! Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND) --> the object does not exist Error: file "C:\WINDOWS\system32\UACwpbwskbvdk.dll" not found! Deletion of file "C:\WINDOWS\system32\UACwpbwskbvdk.dll" failed! Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND) --> the object does not exist File "C:\Documents and Settings\Jillian\Local Settings\Temp\UAC22d4.tmp" deleted successfully. File "C:\40E3EBCA\Backup\C_\Documents and Settings\Jillian\Local Settings\Temp\UAC7c51.tmp" deleted successfully. 
File "C:\40E3EBCA\Backup\C_\WINDOWS\system32\UAChnvymqfqqg.dll" deleted successfully. File "C:\40E3EBCA\Backup\C_\WINDOWS\system32\UAChnvymqfqqg.vir" deleted successfully. File "C:\40E3EBCA\Backup\C_\WINDOWS\system32\UAChnvymqfqqg.vll" deleted successfully. File "C:\40E3EBCA\Backup\C_\WINDOWS\system32\UAClrwsklyavg.dll" deleted successfully. File "C:\40E3EBCA\Backup\C_\WINDOWS\system32\UAClrwsklyavg.vir" deleted successfully. File "C:\40E3EBCA\Backup\C_\WINDOWS\system32\UAClrwsklyavg.vll" deleted successfully. Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\UACd" not found! Deletion of driver "UACd" failed! Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND) --> the object does not exist Driver "UACd.sys" deleted successfully. Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\UACmpkdlkdoyb.sys" not found! Deletion of driver "UACmpkdlkdoyb.sys" failed! Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND) --> the object does not exist Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\UACmpkdlkdoyb" not found! Deletion of driver "UACmpkdlkdoyb" failed! Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND) --> the object does not exist Error: registry key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\UACd.sys" not found! Deletion of registry key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\UACd.sys" failed! Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND) --> the object does not exist Error: registry key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\UACd.sys" not found! Deletion of registry key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\UACd.sys" failed! Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND) --> the object does not exist Error: registry key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UACd" not found! 
Deletion of registry key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UACd" failed! Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND) --> the object does not exist Error: registry key "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\UACd.sys" not found! Deletion of registry key "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\UACd.sys" failed! Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND) --> the object does not exist Error: registry key "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\UACd.sys" not found! Deletion of registry key "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\UACd.sys" failed! Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND) --> the object does not exist Folder "C:\recycler" deleted successfully. Error: could not open folder "D:\recycler" Deletion of folder "D:\recycler" failed! Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND) --> bad path / the parent directory does not exist Error: could not open folder "e:\recycler" Deletion of folder "e:\recycler" failed! Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND) --> bad path / the parent directory does not exist Error: could not open folder "f:\recycler" Deletion of folder "f:\recycler" failed! Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND) --> bad path / the parent directory does not exist Error: could not open folder "g:\recycler" Deletion of folder "g:\recycler" failed! Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND) --> bad path / the parent directory does not exist Error: could not open folder "h:\recycler" Deletion of folder "h:\recycler" failed! Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND) --> bad path / the parent directory does not exist Error: registry key "HKEY_LOCAL_MACHINE\SOFTWARE\tdss" not found! Deletion of registry key "HKEY_LOCAL_MACHINE\SOFTWARE\tdss" failed! Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND) --> the object does not exist Completed script processing. 
*******************
Finished!
Terminate.
  4. I do have the CD for my Windows XP. I had Symantec, and not Avira, when this virus occurred. I deleted it to download and run Avira. I tried to download McAfee and failed. I do have another computer to use for downloads. I am at work now but will follow up with your other post around 5:30 pm.
  5. I have PC Antispyware 2010. I cannot run Malwarebytes for more than 5 seconds even when I rename it. DSS and HijackThis will not open. GMER ran when I changed the filename and ran in safe mode. I copied the results below. GMER ran about 30 minutes in normal mode but closed. Now I cannot run GMER; a window opens saying Windows cannot access the specified device. Please help! Most programs do not run. I have cluttered my desktop with antivirus programs and I finally give up. Avira was running in the background while this ran. Should I disable it, and if so, how? Should I uninstall it? I also downloaded and uninstalled other antispyware things; let me know if I need to remove more random files from these. Thanks for looking at this!

GMER 1.0.15.15077 [gjill.exe] - http://www.gmer.net
Rootkit scan 2009-08-26 20:15:08
Windows 5.1.2600 Service Pack 3

---- System - GMER 1.0.15 ----

Code 82EBC290 ZwEnumerateKey
Code 82EBA058 ZwFlushInstructionCache
Code 82F38C96 IofCallDriver
Code 82E8E71E IofCompleteRequest
Code 82EB6B2D ZwSaveKey
Code 82F4B72D ZwSaveKeyEx

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!ZwSaveKey 804DD6E8 5 Bytes JMP 82EB6B32
.text ntoskrnl.exe!ZwSaveKeyEx 804DD6FC 5 Bytes JMP 82F4B732
.text ntoskrnl.exe!IofCallDriver 804E37C5 5 Bytes JMP 82F38C9B
.text ntoskrnl.exe!IofCompleteRequest 804E3BF6 5 Bytes JMP 82E8E723
PAGE ntoskrnl.exe!ZwEnumerateKey 80570D64 5 Bytes JMP 82EBC294
PAGE ntoskrnl.exe!ZwFlushInstructionCache 80577693 5 Bytes JMP 82EBA05C
? win32k.sys:1 The system cannot find the file specified. !
? win32k.sys:2 The system cannot find the file specified. !
---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Internet Explorer\Iexplore.exe[572] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 01329315 C:\WINDOWS\system32\ieframe.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\Iexplore.exe[572] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 013FDBCB C:\WINDOWS\system32\ieframe.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\Iexplore.exe[572] USER32.dll!CallNextHookEx 7E42B3C6 5 Bytes JMP 013FDD81 C:\WINDOWS\system32\ieframe.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\Iexplore.exe[572] USER32.dll!CallNextHookEx + 4A 7E42B410 7 Bytes CALL 35672D96 \\?\globalroot\Device\__max++>\989D5BB0.x86.dll
.text C:\Program Files\Internet Explorer\Iexplore.exe[572] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 01404832 C:\WINDOWS\system32\ieframe.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\Iexplore.exe[572] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 01361CA2 C:\WINDOWS\system32\ieframe.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\Iexplore.exe[572] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 0151E021 C:\WINDOWS\system32\ieframe.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\Iexplore.exe[572] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 0151DF51 C:\WINDOWS\system32\ieframe.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\Iexplore.exe[572] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 0151DFBE C:\WINDOWS\system32\ieframe.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\Iexplore.exe[572] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 0151DE22 C:\WINDOWS\system32\ieframe.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\Iexplore.exe[572] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 0151DE84 C:\WINDOWS\system32\ieframe.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\Iexplore.exe[572] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 0151E084 C:\WINDOWS\system32\ieframe.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\Iexplore.exe[572] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 0151DEE6 C:\WINDOWS\system32\ieframe.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\Iexplore.exe[572] GDI32.dll!GetHFONT + 51 77F17EA7 7 Bytes CALL 35672DC2 \\?\globalroot\Device\__max++>\989D5BB0.x86.dll
.text C:\Program Files\Internet Explorer\Iexplore.exe[572] GDI32.dll!GetTextExtentPoint32W + E4 77F18081 7 Bytes CALL 35672DDE \\?\globalroot\Device\__max++>\989D5BB0.x86.dll
.text C:\Program Files\Internet Explorer\Iexplore.exe[572] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 0140488E C:\WINDOWS\system32\ieframe.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\Iexplore.exe[572] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 100129A0
.text C:\Program Files\Internet Explorer\Iexplore.exe[572] WS2_32.dll!connect 71AB4A07 5 Bytes JMP 100127E0
.text C:\Program Files\Internet Explorer\Iexplore.exe[572] WS2_32.dll!send 71AB4C27 5 Bytes JMP 100127C0
.text C:\Program Files\Internet Explorer\Iexplore.exe[572] WS2_32.dll!recv 71AB676F 5 Bytes JMP 100127A0
.text C:\Program Files\Internet Explorer\Iexplore.exe[572] WININET.dll!HttpAddRequestHeadersA 63018275 5 Bytes JMP 0117000A
.text C:\Program Files\Internet Explorer\Iexplore.exe[572] WININET.dll!HttpAddRequestHeadersW 630282B3 5 Bytes JMP 0126000A
.text C:\Program Files\Internet Explorer\Iexplore.exe[632] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 01329315 C:\WINDOWS\system32\ieframe.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\Iexplore.exe[632] USER32.dll!CallNextHookEx + 4A 7E42B410 7 Bytes CALL 35672D96 \\?\globalroot\Device\__max++>\989D5BB0.x86.dll
.text C:\Program Files\Internet Explorer\Iexplore.exe[632] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 01404832 C:\WINDOWS\system32\ieframe.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\Iexplore.exe[632] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 0151E021 C:\WINDOWS\system32\ieframe.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\Iexplore.exe[632] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 0151DF51 C:\WINDOWS\system32\ieframe.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\Iexplore.exe[632] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 0151DFBE C:\WINDOWS\system32\ieframe.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\Iexplore.exe[632] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 0151DE22 C:\WINDOWS\system32\ieframe.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\Iexplore.exe[632] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 0151DE84 C:\WINDOWS\system32\ieframe.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\Iexplore.exe[632] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 0151E084 C:\WINDOWS\system32\ieframe.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\Iexplore.exe[632] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 0151DEE6 C:\WINDOWS\system32\ieframe.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\Iexplore.exe[632] GDI32.dll!GetHFONT + 51 77F17EA7 7 Bytes CALL 35672DC2 \\?\globalroot\Device\__max++>\989D5BB0.x86.dll
.text C:\Program Files\Internet Explorer\Iexplore.exe[632] GDI32.dll!GetTextExtentPoint32W + E4 77F18081 7 Bytes CALL 35672DDE \\?\globalroot\Device\__max++>\989D5BB0.x86.dll
.text C:\Program Files\Internet Explorer\Iexplore.exe[632] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 100129A0
.text C:\Program Files\Internet Explorer\Iexplore.exe[632] WS2_32.dll!connect 71AB4A07 5 Bytes JMP 100127E0
.text C:\Program Files\Internet Explorer\Iexplore.exe[632] WS2_32.dll!send 71AB4C27 5 Bytes JMP 100127C0
.text C:\Program Files\Internet Explorer\Iexplore.exe[632] WS2_32.dll!recv 71AB676F 5 Bytes JMP 100127A0
.text C:\Program Files\Internet Explorer\Iexplore.exe[632] WININET.dll!HttpAddRequestHeadersA 63018275 5 Bytes JMP 00F7000A
.text C:\Program Files\Internet Explorer\Iexplore.exe[632] WININET.dll!HttpAddRequestHeadersW 630282B3 5 Bytes JMP 0106000A
.text C:\WINDOWS\system32\svchost.exe[1132] USER32.dll!CallNextHookEx + 4A 7E42B410 7 Bytes CALL 35672D96 \\?\globalroot\Device\__max++>\989D5BB0.x86.dll
.text C:\WINDOWS\system32\svchost.exe[1132] GDI32.dll!GetHFONT + 51 77F17EA7 7 Bytes CALL 35672DC2 \\?\globalroot\Device\__max++>\989D5BB0.x86.dll
.text C:\WINDOWS\system32\svchost.exe[1132] GDI32.dll!GetTextExtentPoint32W + E4 77F18081 7 Bytes CALL 35672DDE \\?\globalroot\Device\__max++>\989D5BB0.x86.dll
.text C:\WINDOWS\system32\svchost.exe[1248] USER32.dll!CallNextHookEx + 4A 7E42B410 7 Bytes CALL 35672D96 \\?\globalroot\Device\__max++>\989D5BB0.x86.dll
.text C:\WINDOWS\system32\svchost.exe[1248] GDI32.dll!GetHFONT + 51 77F17EA7 7 Bytes CALL 35672DC2 \\?\globalroot\Device\__max++>\989D5BB0.x86.dll
.text C:\WINDOWS\system32\svchost.exe[1248] GDI32.dll!GetTextExtentPoint32W + E4 77F18081 7 Bytes CALL 35672DDE \\?\globalroot\Device\__max++>\989D5BB0.x86.dll
.text C:\WINDOWS\system32\svchost.exe[1420] USER32.dll!CallNextHookEx + 4A 7E42B410 7 Bytes CALL 35672D96 \\?\globalroot\Device\__max++>\989D5BB0.x86.dll
.text C:\WINDOWS\system32\svchost.exe[1420] GDI32.dll!GetHFONT + 51 77F17EA7 7 Bytes CALL 35672DC2 \\?\globalroot\Device\__max++>\989D5BB0.x86.dll
.text C:\WINDOWS\system32\svchost.exe[1420] GDI32.dll!GetTextExtentPoint32W + E4 77F18081 7 Bytes CALL 35672DDE \\?\globalroot\Device\__max++>\989D5BB0.x86.dll
.text C:\WINDOWS\system32\svchost.exe[1472] USER32.dll!CallNextHookEx + 4A 7E42B410 7 Bytes CALL 35672D96 \\?\globalroot\Device\__max++>\989D5BB0.x86.dll
.text C:\WINDOWS\system32\svchost.exe[1472] GDI32.dll!GetHFONT + 51 77F17EA7 7 Bytes CALL 35672DC2 \\?\globalroot\Device\__max++>\989D5BB0.x86.dll
.text C:\WINDOWS\system32\svchost.exe[1472] GDI32.dll!GetTextExtentPoint32W + E4 77F18081 7 Bytes CALL 35672DDE \\?\globalroot\Device\__max++>\989D5BB0.x86.dll
.text C:\WINDOWS\system32\svchost.exe[1512] USER32.dll!CallNextHookEx + 4A 7E42B410 7 Bytes CALL 35672D96 \\?\globalroot\Device\__max++>\989D5BB0.x86.dll
.text C:\WINDOWS\system32\svchost.exe[1512] GDI32.dll!GetHFONT + 51 77F17EA7 7 Bytes CALL 35672DC2 \\?\globalroot\Device\__max++>\989D5BB0.x86.dll
.text C:\WINDOWS\system32\svchost.exe[1512] GDI32.dll!GetTextExtentPoint32W + E4 77F18081 7 Bytes CALL 35672DDE \\?\globalroot\Device\__max++>\989D5BB0.x86.dll

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Program Files\Internet Explorer\Iexplore.exe[572] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672A94] \\?\globalroot\Device\__max++>\989D5BB0.x86.dll
IAT C:\Program Files\Internet Explorer\Iexplore.exe[572] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A1E] \\?\globalroot\Device\__max++>\989D5BB0.x86.dll
IAT C:\Program Files\Internet Explorer\Iexplore.exe[572] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExW] [01EC18FD] C:\Program Files\Internet Explorer\xpshims.dll (Internet Explorer Compatibility Shims for XP/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\Iexplore.exe[632] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672A94] \\?\globalroot\Device\__max++>\989D5BB0.x86.dll
IAT C:\Program Files\Internet Explorer\Iexplore.exe[632] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A1E] \\?\globalroot\Device\__max++>\989D5BB0.x86.dll
IAT C:\WINDOWS\system32\svchost.exe[1132] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672A94] \\?\globalroot\Device\__max++>\989D5BB0.x86.dll
IAT C:\WINDOWS\system32\svchost.exe[1132] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A1E] \\?\globalroot\Device\__max++>\989D5BB0.x86.dll
IAT C:\WINDOWS\system32\svchost.exe[1248] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672A94] \\?\globalroot\Device\__max++>\989D5BB0.x86.dll
IAT C:\WINDOWS\system32\svchost.exe[1248] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A1E] \\?\globalroot\Device\__max++>\989D5BB0.x86.dll
IAT C:\WINDOWS\system32\svchost.exe[1420] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672A94] \\?\globalroot\Device\__max++>\989D5BB0.x86.dll
IAT C:\WINDOWS\system32\svchost.exe[1420] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A1E] \\?\globalroot\Device\__max++>\989D5BB0.x86.dll
IAT C:\WINDOWS\system32\svchost.exe[1472] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672A94] \\?\globalroot\Device\__max++>\989D5BB0.x86.dll
IAT C:\WINDOWS\system32\svchost.exe[1472] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A1E] \\?\globalroot\Device\__max++>\989D5BB0.x86.dll
IAT C:\WINDOWS\system32\svchost.exe[1512] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672A94] \\?\globalroot\Device\__max++>\989D5BB0.x86.dll
IAT C:\WINDOWS\system32\svchost.exe[1512] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A1E] \\?\globalroot\Device\__max++>\989D5BB0.x86.dll

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Processes - GMER 1.0.15 ----

Library \\?\globalroot\Device\__max++>\989D5BB0.x86.dll (*** hidden *** ) @ C:\Program Files\Internet Explorer\Iexplore.exe [572] 0x35670000
Library \\?\globalroot\systemroot\system32\UACmplepxourr.dll (*** hidden *** ) @ C:\Program Files\Internet Explorer\Iexplore.exe [572] 0x00B20000
Library \\?\globalroot\systemroot\system32\UACmplepxourr.dll (*** hidden *** ) @ C:\Program Files\Internet Explorer\Iexplore.exe [632] 0x00B20000
Library \\?\globalroot\Device\__max++>\989D5BB0.x86.dll (*** hidden *** ) @ C:\Program Files\Internet Explorer\Iexplore.exe [632] 0x35670000
Library \\?\globalroot\systemroot\system32\UACmplepxourr.dll (*** hidden *** ) @ C:\WINDOWS\Explorer.EXE [640] 0x00D00000
Library \\?\globalroot\Device\__max++>\989D5BB0.x86.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1132] 0x35670000
Library \\?\globalroot\systemroot\system32\UAChnvymqfqqg.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1132] 0x03900000
Library \\?\globalroot\systemroot\system32\UAChnvymqfqqg.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1248] 0x10000000
Library \\?\globalroot\systemroot\system32\UACwpbwskbvdk.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1248] 0x00720000
Library \\?\globalroot\Device\__max++>\989D5BB0.x86.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1248] 0x35670000
Library \\?\globalroot\systemroot\system32\UAChnvymqfqqg.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1420] 0x10000000
Library \\?\globalroot\systemroot\system32\UACwpbwskbvdk.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1420] 0x00720000
Library \\?\globalroot\Device\__max++>\989D5BB0.x86.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1420] 0x35670000
Library \\?\globalroot\systemroot\system32\UAChnvymqfqqg.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1472] 0x10000000
Library \\?\globalroot\systemroot\system32\UACwpbwskbvdk.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1472] 0x00720000
Library \\?\globalroot\Device\__max++>\989D5BB0.x86.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1472] 0x35670000
Library \\?\globalroot\systemroot\system32\UAChnvymqfqqg.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1512] 0x10000000
Library \\?\globalroot\systemroot\system32\UACwpbwskbvdk.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1512] 0x00720000
Library \\?\globalroot\Device\__max++>\989D5BB0.x86.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1512] 0x35670000

---- Services - GMER 1.0.15 ----

Service C:\WINDOWS\system32\drivers\UACmpkdlkdoyb.sys (*** hidden *** ) [sYSTEM] UACd.sys <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys@start 1
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys@type 1
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys@imagepath \systemroot\system32\drivers\UACmpkdlkdoyb.sys
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys@group file system
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\modules@UACd \\?\globalroot\systemroot\system32\drivers\UACmpkdlkdoyb.sys
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\modules@UACc \\?\globalroot\systemroot\system32\UAClrwsklyavg.dll
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\modules@uacbbr \\?\globalroot\systemroot\system32\UAChnvymqfqqg.dll
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\modules@uacsr \\?\globalroot\systemroot\system32\UACpdaidaoytr.dat
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\modules@uacmal \\?\globalroot\systemroot\system32\UACgixjyibvog.db
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\modules@uacrem \\?\globalroot\systemroot\system32\UACwpbwskbvdk.dll
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\modules@uacserf \\?\globalroot\systemroot\system32\UACmplepxourr.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys@start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys@type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys@imagepath \systemroot\system32\drivers\UACmpkdlkdoyb.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys@group file system
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@UACd \\?\globalroot\systemroot\system32\drivers\UACmpkdlkdoyb.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@UACc \\?\globalroot\systemroot\system32\UAClrwsklyavg.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@uacbbr \\?\globalroot\systemroot\system32\UAChnvymqfqqg.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@uacsr \\?\globalroot\systemroot\system32\UACpdaidaoytr.dat
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@uacmal \\?\globalroot\systemroot\system32\UACgixjyibvog.db
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@uacrem \\?\globalroot\systemroot\system32\UACwpbwskbvdk.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@uacserf \\?\globalroot\systemroot\system32\UACmplepxourr.dll

---- Files - GMER 1.0.15 ----

File C:\40E3EBCA\Backup\C_\Documents and Settings\Jillian\Local Settings\Temp\UAC7c51.tmp 343040 bytes executable
File C:\40E3EBCA\Backup\C_\WINDOWS\system32\UAChnvymqfqqg.dll 74240 bytes executable
File C:\40E3EBCA\Backup\C_\WINDOWS\system32\UAChnvymqfqqg.vir 74240 bytes executable
File C:\40E3EBCA\Backup\C_\WINDOWS\system32\UAChnvymqfqqg.vll 74240 bytes executable
File C:\40E3EBCA\Backup\C_\WINDOWS\system32\UAClrwsklyavg.dll 26624 bytes executable
File C:\40E3EBCA\Backup\C_\WINDOWS\system32\UAClrwsklyavg.vir 26624 bytes executable
File C:\40E3EBCA\Backup\C_\WINDOWS\system32\UAClrwsklyavg.vll 26624 bytes executable
File C:\Documents and Settings\Jillian\Application Data\CopyTrans\Logs\All Users 0 bytes
File C:\Documents and Settings\Jillian\Application Data\CopyTrans\Logs\Default User 0 bytes
File C:\Documents and Settings\Jillian\Application Data\CopyTrans\Logs\Jillian 0 bytes
File C:\Documents and Settings\Jillian\Application Data\CopyTrans\Logs\LocalService 0 bytes
File C:\Documents and Settings\Jillian\Application Data\CopyTrans\Logs\NetworkService 0 bytes
File C:\Documents and Settings\Jillian\Local Settings\Temp\UAC22d4.tmp 83968 bytes executable
File C:\Program Files\Canon\CameraWindow\MyCamera\ABBYY FineReader 5.0 Sprint 0 bytes
File C:\Program Files\Canon\CameraWindow\MyCamera\ABBYY FineReader 6.0 0 bytes
File C:\Program Files\Canon\CameraWindow\MyCamera\Adobe 0 bytes
File C:\Program Files\Canon\CameraWindow\MyCamera\AdvancedDVDPlayer 0 bytes
File C:\Program Files\Canon\CameraWindow\MyCamera\AIM Music Link 0 bytes
File C:\Program Files\Canon\CameraWindow\MyCamera\AIM6 0 bytes
File C:\Program Files\Canon\CameraWindow\MyCamera\AIMTunes 0 bytes
File C:\Program Files\Canon\CameraWindow\MyCamera\Apple Software Update 0 bytes
File C:\Program Files\Canon\CameraWindow\MyCamera\Ares 0 bytes
File C:\Program Files\Canon\CameraWindow\MyCamera\ATI Technologies 0 bytes
File C:\Program Files\Canon\CameraWindow\MyCamera\Avira 0 bytes
File C:\Program Files\Canon\CameraWindow\MyCamera\Bonjour 0 bytes
File C:\Program Files\Canon\CameraWindow\MyCamera\Broadcom 0 bytes
File C:\Program Files\Canon\CameraWindow\MyCamera\Cheetah Burner 0 bytes
File C:\Program Files\Canon\CameraWindow\MyCamera\Common Files 0 bytes
File C:\Program Files\Common Files\Apple\Mobile Device Support\SyncServices\Schemas\MailAccounts.syncschema\Contents\Resources\com.apple.Outlook.plist 408 bytes
File C:\Program Files\Common Files\Microsoft Shared\THEMES11\CASCADE\Info-Windows.plist 736 bytes
File C:\Program Files\Common Files\Microsoft Shared\THEMES11\CASCADE\Resources 0 bytes

---- EOF - GMER 1.0.15 ----