
Can not run malware



I have McAfee on my computer but it will not run. Then I started getting pop-ups telling me that I have threats and am infected. I talked to a friend who knows more about computers than I do and he advised me to go to malware.org and download and run. I did download but cannot run. I also had Spybot on the computer and could not run it. I cannot run my restore program, nor can I analyze, defrag or scan disc; I'm surprised it let me get online at all. I am not computer savvy at all. I tried to follow some of the resolutions you had with regards to renaming but I had no success; not sure if I did it correctly. Please help me.


Hello puddin0229

Welcome to Malwarebytes.

=====================

  • Download OTL to your desktop.
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • When the window appears, underneath Output at the top change it to Minimal Output.
  • Under the Standard Registry box change it to All.
  • Under the Custom Scans and Fixes section, paste in the below in bold


    netsvcs
    %SYSTEMDRIVE%\*.exe
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    nvstor32.sys
    ahcix86s.sys
    nvrd32.sys
    symmpi.sys
    adp3132.sys
    mv61xx.sys
    /md5stop
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\system32\drivers\*.sys /lockedfiles
    %systemroot%\System32\config\*.sav


  • Check the boxes beside LOP Check and Purity Check.
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply.

====================

Download the following GMER Rootkit Scanner from Here

  • Download the randomly named EXE file to your Desktop. Remember what its name is since it is randomly named.
  • Double click on the new randomly named exe file you downloaded and run it. If prompted about the Security Warning and Unknown Publisher, go ahead and click on Run.
  • It may take a minute to load and become available.
  • If it gives you a warning about rootkit activity and asks if you want to run a full scan...click on NO, then use the following settings for a more complete scan..
  • In the right panel, you will see several boxes that have been checked. Ensure the following are UNCHECKED:
    • Sections
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically only C:\ should be checked)
    • Show All (don't miss this one)

  • Then click the Scan button & wait for it to finish.
  • Once done click on the [save..] button, and in the File name area, type in "ark.txt" or it will save as a .log file which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop
  • **Caution** Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.
  • Click OK and quit the GMER program.
  • Note: On Firefox you need to go to Tools/Options/Main then under the Downloads section, click on Always ask me where to save files so that you can choose the name and where to save to, in this case your Desktop.
  • Post that log in your next reply.


Hi, thanks for the help, sorry so long to get back to you. I downloaded the OTL and followed your directions. The first time I pasted all that were below because all looked bold, and it froze and said:checking service:hkmsvc. So I looked at them again and some looked bolder than others, so I pasted the following:

%SYSTEMDRIVE%\*.exe

IdeChnDr.sys

AGP440.sys

ViPrt.sys

eNetHook.dll

KR10N.sys

CREATERESTOREPOINT

and clicked run, this time it froze and said: Scanning Session Manager AppCertsDlls key...

it never completed so please help.


I have tried to run GMER for 2 days and it always freezes before it gets done, so I can't save it and apply it to a post. It takes about 8 hours to run... is it supposed to take that long? I was watching at the end hoping it would not freeze for the 3rd or 4th time and it was running C:\\mygames\ then I walked away for about 5 minutes, came back, and the screen was frozen and would not do anything.


Yes you did it right :lol:

Looking at your system now, one or more of the identified infections is a backdoor Trojan.

If this computer is ever used for on-line banking, I suggest you do the following immediately:

1. Call all of your banks, credit card companies, financial institutions and inform them that you may be a victim of identity theft and to put a watch on your accounts or change all your account numbers.

2. From a clean computer, change ALL your on-line passwords for email, for banks, financial accounts, PayPal, eBay, on-line companies, any on-line forums or groups you belong to.

Do NOT change passwords or do any transactions while using the infected computer because the attacker will get the new passwords and transaction information.

=======================

Download ComboFix from one of these locations:

Link 1

Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.


OK, for now leave McAfee as it is.

1. Open notepad and copy/paste the text in the codebox below into it:

http://forums.malwarebytes.org/index.php?showtopic=41766&st=0entry214586

Driver::
aX09J13
"AOL Connectivity Service (AOL ACS) "


Collect::
c:\program files\skynet.dat
C:\program files\Common Files\aviburajuf.bin
c:\program files\Common Files\ahan.dll
c:\program files\moviepass Terms.html
c:\windows\system32\duhifiho.dll
c:\windows\system32\yemavema.dll
c:\windows\system32\zugowuva.dll
c:\windows\system32\drivers\aX09J13.sys

Folder::
c:\documents and settings\All Users\Application Data\jirohowu
c:\documents and settings\All Users\Application Data\gorumiba
c:\documents and settings\All Users\Application Data\savohofu
c:\documents and settings\All Users\Application Data\kuzeduhu
c:\program files\Gamevance
c:\program files\schtml
c:\program files\Your PC Protector
c:\program files\tinyproxy

FCopy::
c:\windows\system32\dllcache\atapi.sys|c:\windows\system32\drivers\atapi.sys
c:\windows\system32\dllcache\atapi.sys|c:\windows\system32\ReinstallBackups\0005\DriverFiles\i386\atapi.sys

DDS::
TCP: {C3F865EB-CB87-45C0-8A31-6D4E8CFD9A26} = 83.149.115.157,4.2.2.1,192.168.1.254

Save this as CFScript.txt

CFScriptB-4.gif

Referring to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you. Post that log in your next reply.

**Note**

When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.

  • Ensure you are connected to the internet and click OK on the message box.
  • A browser will open.
  • Simply follow the instructions to copy/paste/send the requested file.

===========

Note::

If Combofix fails to upload anything please do the following:

Go to Start > My Computer > C:\

Then Navigate to C:\Qoobox\Quarantine\[4]-Submit_Date_Time.zip

Click Here to upload the submit.zip please.

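The `/md5start` … `/md5stop` list in the OTL custom scan and the `FCopy::` lines in the CFScript above both deal with copies of the same system file sitting in different folders (for example `dllcache\atapi.sys` and `drivers\atapi.sys`). As an added illustration, not part of the original posts and not OTL's or ComboFix's own code, this Python sketch hashes every copy of a watched file name under a root and reports names whose copies differ; the directory tree and file contents are constructed, and treating the list as "hash these files" is an assumption.

```python
import hashlib
import os
import tempfile
from collections import defaultdict

# A few of the names listed between /md5start and /md5stop in the post.
WATCHED = {"atapi.sys", "iaStor.sys", "eventlog.dll", "netlogon.dll", "scecli.dll"}


def md5_of(path, chunk=65536):
    """Return the upper-case hex MD5 of a file, read in chunks."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest().upper()


def hash_copies(root, names=WATCHED):
    """Map each watched name to {md5: [paths]} for every copy found under root."""
    wanted = {n.lower() for n in names}  # Windows file names are case-insensitive
    found = defaultdict(lambda: defaultdict(list))
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            key = fname.lower()
            if key not in wanted:
                continue
            full = os.path.join(dirpath, fname)
            try:
                found[key][md5_of(full)].append(full)
            except OSError:
                # Locked or unreadable file: record it rather than skip silently.
                found[key]["UNREADABLE"].append(full)
    return {name: dict(by_hash) for name, by_hash in found.items()}


def mismatched(report):
    """Names whose copies do not all share one hash.

    A mismatch only means the copies are not the same build; it is a lead to
    compare against a known-good hash for that OS and service pack, not proof
    of infection.
    """
    return sorted(name for name, by_hash in report.items() if len(by_hash) > 1)


def build_sample_tree(root):
    """Create a small constructed tree that mimics the folders named in the thread."""
    clean = b"MZ constructed clean driver image"
    altered = b"MZ constructed altered driver image"
    layout = {
        "system32/dllcache/atapi.sys": clean,
        "system32/drivers/ATAPI.SYS": altered,
        "system32/ReinstallBackups/0005/DriverFiles/i386/atapi.sys": altered,
        "system32/eventlog.dll": b"constructed eventlog",
        "system32/dllcache/eventlog.dll": b"constructed eventlog",
        "system32/notes.txt": b"not on the watch list",
    }
    for rel, data in layout.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)


def demo():
    """Build the sample tree, hash it, and return (report, names needing review)."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        report = hash_copies(root)
    return report, mismatched(report)


if __name__ == "__main__":
    report, flagged = demo()
    for name in sorted(report):
        marker = "REVIEW" if name in flagged else "ok"
        print(f"{name}: {len(report[name])} distinct hash(es) [{marker}]")
        for digest, paths in report[name].items():
            for p in paths:
                print(f"    {digest}  {p}")
```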

This is the report, I didn't know whether to put like this like you said as a copy and paste or as an attachment like before....I hope this is alright

ComboFix 10-03-15.04 - Owner 03/15/2010 22:47:59.3.1 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1522 [GMT -5:00]

Running from: c:\documents and settings\Owner\Desktop\puddin.exe

Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt

FW: AOL Firewall *enabled* {6515F560-BD88-41EB-AD77-F1F3F6F80BEA}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

--------------- FCopy ---------------

c:\windows\system32\dllcache\atapi.sys --> c:\windows\system32\drivers\atapi.sys

c:\windows\system32\dllcache\atapi.sys --> c:\windows\system32\ReinstallBackups\0005\DriverFiles\i386\atapi.sys

.

((((((((((((((((((((((((( Files Created from 2010-02-16 to 2010-03-16 )))))))))))))))))))))))))))))))

.

2010-03-15 23:15 . 2010-03-15 23:43 -------- d-----w- C:\puddin4335p

2010-03-14 22:23 . 2010-03-14 23:23 -------- d-----w- C:\puddin

2010-03-06 22:31 . 2010-03-06 22:31 -------- d-----w- c:\documents and settings\Kenue\Local Settings\Application Data\Threat Expert

2010-02-28 00:18 . 2010-01-07 22:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-02-28 00:18 . 2010-01-07 22:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-02-27 22:50 . 2010-02-28 00:29 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-02-27 22:50 . 2010-02-27 22:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-03-16 03:28 . 2008-10-31 00:40 -------- d-----w- c:\documents and settings\Owner\Application Data\LimeWire

2010-03-14 23:09 . 2006-08-05 21:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2010-03-14 22:11 . 2009-06-14 02:11 -------- d-----w- c:\program files\McAfee

2010-03-14 22:11 . 2009-06-14 01:21 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee

2010-03-14 22:11 . 2008-02-24 01:32 -------- d-----w- c:\program files\Spyware Doctor

2010-03-14 22:11 . 2008-02-20 04:01 -------- d-----w- c:\program files\Common Files\PC Tools

2010-03-14 21:55 . 2007-02-10 04:12 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP

2010-03-12 02:05 . 2009-06-14 03:35 -------- d-----w- c:\documents and settings\LocalService\Application Data\SACore

2010-03-06 23:45 . 2008-03-20 19:23 -------- d-----w- c:\documents and settings\Kenue\Application Data\LimeWire

2010-02-28 08:08 . 2010-02-09 17:20 -------- d-----w- c:\documents and settings\All Users\Application Data\vawirofa

2010-02-28 08:08 . 2010-01-23 21:39 -------- d-----w- c:\documents and settings\All Users\Application Data\natulevo

2010-02-27 20:05 . 2009-12-14 04:14 -------- d-----w- c:\documents and settings\All Users\Application Data\mafuyiha

2010-02-09 17:23 . 2010-02-09 17:23 -------- d-----w- c:\documents and settings\HULK2010\Application Data\Corel

2010-02-09 17:20 . 2010-02-09 17:20 -------- d-----w- c:\documents and settings\All Users\Application Data\pasaruwe

2010-02-09 17:20 . 2010-02-09 17:20 -------- d-----w- c:\documents and settings\All Users\Application Data\jijejamu

2010-02-07 02:21 . 2008-02-20 03:15 -------- d-----w- c:\program files\SpywareBlaster

2010-02-02 13:02 . 2009-12-03 00:50 -------- d-----w- c:\documents and settings\HULK2010\Application Data\LimeWire

2010-01-23 21:39 . 2010-01-23 21:39 -------- d-----w- c:\documents and settings\All Users\Application Data\labesina

2010-01-22 20:40 . 2009-12-17 07:19 -------- d-----w- c:\documents and settings\HULK2010\Application Data\U3

2010-01-21 04:55 . 2010-01-21 04:55 -------- d-----w- c:\documents and settings\Guest\Application Data\McAfee

2010-01-21 02:59 . 2007-04-01 19:55 -------- d-----w- c:\documents and settings\Guest\Application Data\Corel

2010-01-05 10:00 . 2004-12-07 21:37 832512 ------w- c:\windows\system32\wininet.dll

2010-01-05 10:00 . 2004-08-04 07:56 78336 ----a-w- c:\windows\system32\ieencode.dll

2010-01-05 10:00 . 2003-07-16 20:25 17408 ----a-w- c:\windows\system32\corpol.dll

2009-12-31 16:50 . 2003-07-16 20:46 353792 ----a-w- c:\windows\system32\drivers\srv.sys

2009-12-24 20:03 . 2009-12-24 20:03 61224 ----a-w- c:\documents and settings\Owner\GoToAssistDownloadHelper.exe

2009-12-16 18:43 . 2005-03-30 02:17 343040 ----a-w- c:\windows\system32\mspaint.exe

2005-12-27 19:45 . 2005-12-27 19:45 774144 -c--a-w- c:\program files\RngInterstitial.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"dla"="c:\windows\system32\dla\tfswctrl.exe" [2008-04-01 122933]

"IntelMeM"="c:\program files\Intel\Modem Event Monitor\IntelMEM.exe" [2008-04-01 221184]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-04-01 155648]

"AOLDialer"="c:\program files\Common Files\AOL\ACS\AOLDial.exe" [2006-10-23 71216]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-04-01 98304]

"Dell Photo AIO Printer 922"="c:\program files\Dell Photo AIO Printer 922\dlbtbmgr.exe" [2004-03-29 290816]

"HostManager"="c:\program files\Common Files\AOL\1112159610\ee\AOLSoftware.exe" [2007-04-12 42032]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"MySpaceIM"="c:\program files\MySpace\IM\MySpaceIM.exe" [2007-03-07 5181440]

c:\documents and settings\HULK2010\Start Menu\Programs\Startup\

LimeWire On Startup.lnk - c:\program files\Real\RealPlayer\LimeWire\LimeWire.exe [2009-9-30 503808]

c:\documents and settings\Kenue\Start Menu\Programs\Startup\

LimeWire On Startup.lnk - c:\program files\Real\RealPlayer\LimeWire\LimeWire.exe [2009-9-30 503808]

c:\documents and settings\Owner\Start Menu\Programs\Startup\

LimeWire On Startup.lnk - c:\program files\Real\RealPlayer\LimeWire\LimeWire.exe [2009-9-30 503808]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-4-23 29696]

America Online 9.0 Tray Icon.lnk - c:\program files\America Online 9.0\aoltray.exe [2008-12-2 36954]

Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2007-9-19 282624]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"RestrictRun"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]

@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"c:\\WINDOWS\\system32\\sessmgr.exe"=

"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=

"c:\\limewire\\LimeWire.exe"=

"c:\\Program Files\\America Online 9.0\\waol.exe"=

"%windir%\\system32\\drivers\\svchost.exe"=

"c:\\Program Files\\Real\\RealPlayer\\LimeWire\\LimeWire.exe"=

"c:\\WINDOWS\\system32\\dla\\tfswctrl.exe"=

"c:\\Program Files\\Common Files\\Motive\\McciCMService.exe"=

S3 dump_wmimmc;dump_wmimmc;\??\c:\nexon\Mabinogi\GameGuard\dump_wmimmc.sys --> c:\nexon\Mabinogi\GameGuard\dump_wmimmc.sys [?]

.

Contents of the 'Scheduled Tasks' folder

2010-03-05 c:\windows\Tasks\Disk Cleanup.job

- c:\windows\system32\cleanmgr.exe [2003-07-16 00:12]

2010-03-16 c:\windows\Tasks\Symantec NetDetect.job

- c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2008-04-01 22:32]

.

.

------- Supplementary Scan -------

.

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

mStart Page = hxxp://www.google.com

mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html

mWindow Title = Microsoft Internet Explorer

uInternet Settings,ProxyOverride = *.local;<local>

uSearchURL,(Default) = hxxp://www.google.com/keyword/%s

Trusted Zone: internet

Trusted Zone: mcafee.com

DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-03-15 22:57

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-682003330-789336058-839522115-1003\Software\Corel\WordPerfect\11\Power Bar\Power Bar Last Selected - \

* |*]

"0Arial"=hex(80000006):30

[HKEY_USERS\S-1-5-21-682003330-789336058-839522115-1003\Software\Microsoft\SystemCertificates\AddressBook*]

@Allowed: (Read) (RestrictedCode)

@Allowed: (Read) (RestrictedCode)

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3880)

c:\windows\system32\WININET.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\wpdshext.dll

c:\windows\system32\PortableDeviceApi.dll

c:\windows\system32\Audiodev.dll

c:\windows\system32\WMVCore.DLL

c:\windows\system32\WMASF.DLL

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

.

Completion time: 2010-03-15 23:01:06

ComboFix-quarantined-files.txt 2010-03-16 04:01

ComboFix2.txt 2010-03-15 23:43

ComboFix3.txt 2010-03-14 23:23

Pre-Run: 41,448,816,640 bytes free

Post-Run: 41,410,297,856 bytes free

- - End Of File - - 187A741B77E5A2440DA203B9BBA3108F


HiJack This! Forum Policy

We will not be party to obvious use of key gens, cracks, warez or other illegal means of downloading software, music, videos etc. This means no P2P evidence will be supported. Logs that show these in them will be given the option to remove the P2P items. Keygens, cracks, warez and similar will have the thread closed, period. It's theft and against the law.
In your case this is referring to Limewire.

Please uninstall it.

===========================================

Update Run Malwarebytes

Please update\run Malwarebytes' Anti-Malware.

Double Click the Malwarebytes Anti-Malware icon to run the application.

  • Click on the update tab then click on Check for updates.
  • If an update is found, it will download and install the latest version.
  • Once the update has loaded, go to the Scanner tab and select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

=====

* Go here to run an online scanner from ESET.

  • Note: You will need to use Internet Explorer for this scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Check next options: Remove found threats and Scan unwanted applications.
  • Click Scan
  • Wait for the scan to finish
  • Use notepad to open the logfile located at C:\Program Files\ESET\ESET Online Scanner\log.txt
  • Copy and paste that log as a reply to this topic


Malwarebytes' Anti-Malware 1.44

Database version: 3874

Windows 5.1.2600 Service Pack 3

Internet Explorer 7.0.5730.13

3/16/2010 9:20:21 PM

mbam-log-2010-03-16 (21-20-21).txt

Scan type: Quick Scan

Objects scanned: 184550

Time elapsed: 7 minute(s), 7 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 33

Registry Values Infected: 0

Registry Data Items Infected: 1

Folders Infected: 12

Files Infected: 18

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_CLASSES_ROOT\videoegg.activexloader (Adware.VideoEgg) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{168dc258-1455-4e61-8590-9dac2f27b675} (Adware.VideoEgg) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{1a8642f1-dc80-4edc-a39d-0fb62a58b455} (Adware.VideoEgg) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{3f91eb90-ef62-44ee-a685-fac29af111cd} (Adware.VideoEgg) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{54b8fe6a-2478-5a04-a615-4ea5dc7122b7} (Adware.VideoEgg) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{5c29c7e4-5321-4cad-be2e-877666bed5df} (Adware.VideoEgg) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{83dfb6ee-ab18-41b5-86d4-b544a141d67e} (Adware.VideoEgg) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{88d6cf0e-cf70-4c24-bf6e-e4e414bc649c} (Adware.VideoEgg) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{8f6a82a2-d7b1-443e-bb9f-f7dc887dd618} (Adware.VideoEgg) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{9856e2d8-ffb2-4fe5-8cad-d5ad6a35a804} (Adware.VideoEgg) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{a3d06987-c35e-49e4-8fe2-ac67b9fbfb4c} (Adware.VideoEgg) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{a58c497b-3ee2-45e7-9594-daca6be2a0d0} (Adware.VideoEgg) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{ad0a3058-fd49-4f98-a514-fd055201835e} (Adware.VideoEgg) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{ad5915ea-b61a-4dba-b5c8-ef4b2df0a3c7} (Adware.VideoEgg) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{af2e62b6-f9e1-4d4f-a10a-9dc8e6dcbcc0} (Adware.VideoEgg) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{bb187c0d-6f53-4f3e-9590-98fd3a7364a2} (Adware.VideoEgg) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{c5041fd9-4819-4dc4-b20e-c950b5b03d2a} (Adware.VideoEgg) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{d17726cc-d4dd-4c4a-9671-471d56e413b5} (Adware.VideoEgg) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{db8cce99-59c6-4552-8bfc-058feb38d6ce} (Adware.VideoEgg) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{dc3a04ee-cdd7-4407-915c-a5502f97eecd} (Adware.VideoEgg) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{e1a63484-a022-4d42-830a-fbd411514440} (Adware.VideoEgg) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{e282c728-189d-419e-8ee2-1601f4b39ba5} (Adware.VideoEgg) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\videoegg.activexloader.1 (Adware.VideoEgg) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Interface\{cf54be1c-9359-4395-8533-1657cf209cfe} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\AppID\{418d86be-7386-4f1a-83e0-53604adbda74} (Trojan.BHO) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Typelib\{d518921a-4a03-425e-9873-b9a71756821e} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\AppID\ExcellentAdDisplay.dll (Trojan.BHO) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\APMFC1 (Rogue.AntiTrojanPro) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\RegTool (Rogue.RegTool) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\RunDll32Policy\f3ScrCtr.dll (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\MozillaPlugins\@videoegg.com/publisher,version=0.2.0 (Adware.VideoEgg) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\MozillaPlugins\@videoegg.com/updater,version=0.2.0 (Adware.VideoEgg) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\RegTool (Rogue.RegTool) -> Quarantined and deleted successfully.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:

C:\Documents and Settings\Owner\Application Data\RegTool (Rogue.RegTool) -> Quarantined and deleted successfully.

C:\Documents and Settings\Owner\Application Data\RegTool\Logs (Rogue.RegTool) -> Quarantined and deleted successfully.

C:\Documents and Settings\All Users\Application Data\VideoEgg (Adware.VideoEgg) -> Quarantined and deleted successfully.

C:\Documents and Settings\Guest\Application Data\VideoEgg (Adware.VideoEgg) -> Quarantined and deleted successfully.

C:\Documents and Settings\Guest\Application Data\VideoEgg\Updater (Adware.VideoEgg) -> Quarantined and deleted successfully.

C:\Documents and Settings\Guest\Application Data\VideoEgg\Updater\2364 (Adware.VideoEgg) -> Quarantined and deleted successfully.

C:\Program Files\PC Protection Center 2008 (Rogue.PCProtectionCenter) -> Quarantined and deleted successfully.

C:\Program Files\PC Protection Center 2008\lang (Rogue.PCProtectionCenter) -> Quarantined and deleted successfully.

C:\Program Files\Registry Mighty (Rogue.RegistryMighty) -> Quarantined and deleted successfully.

C:\Program Files\Registry Mighty\RepairBackup (Rogue.RegistryMighty) -> Quarantined and deleted successfully.

C:\Documents and Settings\JUST DONT KNOW\Start Menu\Programs\PlayMP3z (Adware.PLayMP3z) -> Quarantined and deleted successfully.

C:\WINDOWS\Ad-Ware Pro (Rogue.AdWarePro) -> Quarantined and deleted successfully.

Files Infected:

C:\Program Files\VideoEgg\Loader\2364\npvideoegg-loader.dll (Adware.VideoEgg) -> Quarantined and deleted successfully.

C:\imoliv.exe (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\vbaaaah.exe (Adware.Agent) -> Quarantined and deleted successfully.

C:\Documents and Settings\HULK\Local Settings\Temp\H8SRT5120.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.

C:\Documents and Settings\HULK\Local Settings\Temp\H8SRT513f.tmp (Rootkit.TDSS) -> Quarantined and deleted successfully.

C:\Documents and Settings\Owner\Application Data\RegTool\Logs\2009-04-21 07-45-090.log (Rogue.RegTool) -> Quarantined and deleted successfully.

C:\Documents and Settings\All Users\Application Data\VideoEgg\user.dat (Adware.VideoEgg) -> Quarantined and deleted successfully.

C:\Documents and Settings\Guest\Application Data\VideoEgg\Updater\updater.ver (Adware.VideoEgg) -> Quarantined and deleted successfully.

C:\Documents and Settings\Guest\Application Data\VideoEgg\Updater\2364\libcurlve.dll (Adware.VideoEgg) -> Quarantined and deleted successfully.

C:\Documents and Settings\Guest\Application Data\VideoEgg\Updater\2364\updater.dll (Adware.VideoEgg) -> Quarantined and deleted successfully.

C:\Program Files\PC Protection Center 2008\lang\english.lng (Rogue.PCProtectionCenter) -> Quarantined and deleted successfully.

C:\Program Files\PC Protection Center 2008\lang\russian.lng (Rogue.PCProtectionCenter) -> Quarantined and deleted successfully.

C:\Program Files\Registry Mighty\RepairBackup\_20081130_165618.reg (Rogue.RegistryMighty) -> Quarantined and deleted successfully.

C:\Documents and Settings\JUST DONT KNOW\Start Menu\Programs\PlayMP3z\Run PlayMP3z.pif (Adware.PLayMP3z) -> Quarantined and deleted successfully.

C:\WINDOWS\Ad-Ware Pro\uninstall.exe (Rogue.AdWarePro) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\kcopt.dll (Stolen.data) -> Quarantined and deleted successfully.

C:\WINDOWS\Ad-Ware Pro Setup Log.txt (Rogue.AdWarePro) -> Quarantined and deleted successfully.

C:\WINDOWS\Ad-Ware Pro Uninstall Log.txt (Rogue.AdWarePro) -> Quarantined and deleted successfully.


ESETSmartInstaller@High as CAB hook log:

OnlineScanner.ocx - registred OK

# version=7

# iexplore.exe=7.00.6000.16981 (vista_gdr.091215-2244)

# OnlineScanner.ocx=1.0.0.6211

# api_version=3.0.2

# EOSSerial=ef19397a3d97dd4c9613a6438b9dc4b3

# end=finished

# remove_checked=true

# archives_checked=false

# unwanted_checked=true

# unsafe_checked=false

# antistealth_checked=false

# utc_time=2010-03-17 04:25:55

# local_time=2010-03-16 11:25:55 (-0600, Central Daylight Time)

# country="United States"

# lang=9

# osver=5.1.2600 NT Service Pack 3

# compatibility_mode=5121 16776574 100 21 6602301 20798855 0 0

# compatibility_mode=8192 67108863 100 0 0 0 0 0

# scanned=124434

# found=51

# cleaned=51

# scan_time=6242

C:\Documents and Settings\All Users\Application Data\jijejamu\jijejamu.dll a variant of Win32/Kryptik.CEO trojan (cleaned by deleting - quarantined) 96394336E735062B3CF20BAFDD1EC3A3 C

C:\Documents and Settings\All Users\Application Data\juposeno\juposeno.exe Win32/TrojanDownloader.FakeAlert.AED trojan (cleaned by deleting - quarantined) 12D5E614B4311A59D558BF075428C5C3 C

C:\Documents and Settings\All Users\Application Data\labesina\labesina.dll a variant of Win32/Kryptik.CEO trojan (cleaned by deleting - quarantined) 99AB1ED1BF75DA7EC9D9CE799F87094C C

C:\Documents and Settings\All Users\Application Data\nijopido\nijopido.dll a variant of Win32/Kryptik.BUA trojan (cleaned by deleting - quarantined) E6DE20773D6486EE83E3BAB87DD76C6F C

C:\Documents and Settings\All Users\Application Data\pasaruwe\pasaruwe.exe a variant of Win32/Adware.PCProtector.B application (cleaned by deleting - quarantined) 6ECF8C6B0B5C26B4107B4393FA33E4E3 C

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MyWayMyWebSearch128.zip Win32/Bagle.gen.zip worm (cleaned by deleting - quarantined) 1321C6642F54596031BD81ED17FB91D8 C

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MyWayMyWebSearch132.zip Win32/Bagle.gen.zip worm (cleaned by deleting - quarantined) A6B9CA71E90A24F3640826B259F7D990 C

C:\Documents and Settings\All Users\Application Data\turepare\turepare.dll a variant of Win32/Kryptik.CBQ trojan (cleaned by deleting - quarantined) 25663D3896C689487660D5AB811408F6 C

C:\Documents and Settings\All Users\Application Data\vikikeme\vikikeme.dll a variant of Win32/Kryptik.BNX trojan (cleaned by deleting - quarantined) 796A54BD2A843B36450E5872CA561D97 C

C:\Documents and Settings\All Users\Application Data\yemopego\yemopego.dll a variant of Win32/Kryptik.BNX trojan (cleaned by deleting - quarantined) 138658FE8509F94BEBC98556828862F1 C

C:\Documents and Settings\HULK2010\My Documents\My Pictures\HULK\My Documents\My Pictures\HULK2010\My Documents\My Pictures\HULK\Desktop\JUST DONT KNOW\My Documents\iMeshV7.exe a variant of Win32/Adware.Toolbar.Shopper.AA application (deleted - quarantined) 84E5BC764AFE52929481A01973AD9EF2 C

C:\Documents and Settings\HULK2010\My Documents\My Pictures\HULK\My Documents\My Pictures\HULK2010\My Documents\My Pictures\HULK\My Documents\LimeWire\Saved\jamie foxx she has her own.wma a variant of WMA/TrojanDownloader.GetCodec.gen trojan (cleaned - quarantined) 95BFBC95E9845643C7DCAAA024E2BC68 C

C:\Documents and Settings\HULK2010\My Documents\My Pictures\HULK\My Documents\My Pictures\HULK2010\My Documents\My Pictures\HULK\My Documents\LimeWire\Saved\Kanye West-Late Registration-04 - Gold Digger (Feat_ Jamie Foxx).wma WMA/TrojanDownloader.Wimad.NAD trojan (cleaned by deleting - quarantined) AEFF0ABAF96D4336264BB0C586E6319E C

C:\Documents and Settings\HULK2010\My Documents\My Pictures\HULK\My Documents\My Pictures\HULK2010\My Documents\My Pictures\HULK\My Documents\LimeWire\Saved\Mary Mary - Get Up.mp3 a variant of WMA/TrojanDownloader.GetCodec.gen trojan (cleaned - quarantined) E0DB7BD7A77EDA33B52F9833F09DC3D8 C

C:\Documents and Settings\HULK2010\My Documents\My Pictures\HULK\My Documents\My Pictures\HULK2010\My Documents\My Pictures\HULK\My Documents\LimeWire\Saved\O Jays - Baby I Need Your Loving.wma probably a variant of Win32/Agent trojan (cleaned by deleting - quarantined) BDFEA0A8E6C89DA6B57837ADE2D98ED3 C

C:\Documents and Settings\HULK2010\My Documents\My Pictures\HULK\My Documents\My Pictures\HULK2010\My Documents\My Pictures\HULK\My Documents\LimeWire\Saved\soulja boy easy.wma a variant of WMA/TrojanDownloader.GetCodec.gen trojan (cleaned - quarantined) 71B46AF29C39DC0D4C8AC8E7DAF6D6A7 C

C:\Documents and Settings\Owner\My Documents\LimeWire\Saved\gladys night memories.snd a variant of WMA/TrojanDownloader.GetCodec.gen trojan (cleaned - quarantined) 936C1EAB00823F40B4A86771E1A65451 C

C:\Documents and Settings\Owner\My Documents\LimeWire\Saved\itsso hard cooley high original studio version.mp3 a variant of WMA/TrojanDownloader.GetCodec.gen trojan (cleaned - quarantined) CD37F1580BE3A9BE561A2D3712D19464 C

C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\kuzeduhu\kuzeduhu.dll.vir a variant of Win32/Kryptik.CZK trojan (cleaned by deleting - quarantined) 9131E1E48C303DD1AB6EEA291EDB4D5C C

C:\Qoobox\Quarantine\C\Program Files\Gamevance\gvun.exe.vir a variant of Win32/Adware.Gamevance.AE application (cleaned by deleting - quarantined) C832B45C6B77D7C758DE7190E55D393C C

C:\Qoobox\Quarantine\C\Program Files\Internet Explorer\msimg32.dll.vir Win32/Toolbar.MyWebSearch application (cleaned by deleting - quarantined) 1375586480385CFDD91A0F27B2E28F3E C

C:\Qoobox\Quarantine\C\Program Files\adc32.dll.vir Win32/Adware.PCProtector.A application (cleaned by deleting - quarantined) 8526C578E106193A541436563288D1CD C

C:\Qoobox\Quarantine\C\Program Files\alggui.exe.vir a variant of Win32/Adware.PCProtector.B application (cleaned by deleting - quarantined) CE6DA2892749BAC3F32732476223CF40 C

C:\Qoobox\Quarantine\C\Program Files\svchost.exe.vir a variant of Win32/Adware.PCProtector.B application (cleaned by deleting - quarantined) 02B5EBCFBD21452AE227D7847794FB37 C

C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\H8SRTenbobqakdm.sys.vir a variant of Win32/Olmarik.SR trojan (cleaned by deleting - quarantined) 71079D7FFEEF52760C48BA6D612B232A C

C:\Qoobox\Quarantine\C\WINDOWS\system32\bataduka.dll.vir a variant of Win32/Kryptik.BNX trojan (cleaned by deleting - quarantined) 9BF8D5AE5EA911FC1DBB4C83D24FB3E5 C

C:\Qoobox\Quarantine\C\WINDOWS\system32\bolapuno.dll.vir a variant of Win32/Kryptik.BNX trojan (cleaned by deleting - quarantined) 5E2BAEC8F98D1FD3B73AB8ED43001FA3 C

C:\Qoobox\Quarantine\C\WINDOWS\system32\f3PSSavr.scr.vir Win32/Toolbar.MyWebSearch application (cleaned by deleting - quarantined) 4CD346697529EFC743A608B2F5D0CC94 C

C:\Qoobox\Quarantine\C\WINDOWS\system32\fugafizu.dll.vir a variant of Win32/Kryptik.BNX trojan (cleaned by deleting - quarantined) CB592A236ADEBD0167C20AF21972D400 C

C:\Qoobox\Quarantine\C\WINDOWS\system32\gapfovbxloz.dll.vir a variant of Win32/Adware.GooochiBiz.AD application (cleaned by deleting - quarantined) 2C38B22678D92F3135ABEE0F664235A9 C

C:\Qoobox\Quarantine\C\WINDOWS\system32\H8SRTixfumqlvho.dll.vir a variant of Win32/Kryptik.BFC trojan (cleaned by deleting - quarantined) 9B51D2C8C22B301B6EEF40B8785BE1EB C

C:\Qoobox\Quarantine\C\WINDOWS\system32\H8SRTnaokymupqk.dll.vir a variant of Win32/Kryptik.BFC trojan (cleaned by deleting - quarantined) C8A672464E5114ECDE4B39752364324D C

C:\Qoobox\Quarantine\C\WINDOWS\system32\H8SRTtbwylyxevy.dll.vir a variant of Win32/Kryptik.BFC trojan (cleaned by deleting - quarantined) CC7A49540192A4D8A1D6056622020D4A C

C:\Qoobox\Quarantine\C\WINDOWS\system32\H8SRTuckkwpbrnt.dll.vir a variant of Win32/Kryptik.BFC trojan (cleaned by deleting - quarantined) 1CAA16D9966C5B8602D7881E4CC265CB C

C:\Qoobox\Quarantine\C\WINDOWS\system32\kewowupa.dll.vir a variant of Win32/Kryptik.BNX trojan (cleaned by deleting - quarantined) 3B85E81D362C0DC50E27634192DAEBE5 C

C:\Qoobox\Quarantine\C\WINDOWS\system32\lajijasu.dll.vir a variant of Win32/Kryptik.BNX trojan (cleaned by deleting - quarantined) 4D68A33827F6785BBF505AB45531B80E C

C:\Qoobox\Quarantine\C\WINDOWS\system32\nilimuvo.dll.vir a variant of Win32/Kryptik.BNX trojan (cleaned by deleting - quarantined) FA2E7F5318BC0DE58E7543CD6EB68CAA C

C:\Qoobox\Quarantine\C\WINDOWS\system32\wepekigi.dll.vir a variant of Win32/Kryptik.BNX trojan (cleaned by deleting - quarantined) 78D93C38FE42F14215B967F06E049E89 C

C:\Qoobox\Quarantine\C\WINDOWS\system32\zowirewa.dll.vir a variant of Win32/Kryptik.BNX trojan (cleaned by deleting - quarantined) AC2132F896D7C83AB6FDF75663779435 C

C:\System Volume Information\_restore{2B6B23BF-2145-4A8C-9E7C-A73845E8E258}\RP1\A0000091.sys Win32/Olmarik.UI trojan (cleaned - quarantined) 51CB0835761BE316E2558359156559CF C

C:\System Volume Information\_restore{2B6B23BF-2145-4A8C-9E7C-A73845E8E258}\RP1\A0000099.dll a variant of Win32/Kryptik.CZK trojan (cleaned by deleting - quarantined) 9131E1E48C303DD1AB6EEA291EDB4D5C C

C:\System Volume Information\_restore{2B6B23BF-2145-4A8C-9E7C-A73845E8E258}\RP1\A0000103.exe a variant of Win32/Adware.Gamevance.AE application (cleaned by deleting - quarantined) C832B45C6B77D7C758DE7190E55D393C C

C:\System Volume Information\_restore{2B6B23BF-2145-4A8C-9E7C-A73845E8E258}\RP2\A0001359.dll a variant of Win32/Kryptik.CEO trojan (cleaned by deleting - quarantined) 96394336E735062B3CF20BAFDD1EC3A3 C

C:\System Volume Information\_restore{2B6B23BF-2145-4A8C-9E7C-A73845E8E258}\RP2\A0001360.exe Win32/TrojanDownloader.FakeAlert.AED trojan (cleaned by deleting - quarantined) 12D5E614B4311A59D558BF075428C5C3 C

C:\System Volume Information\_restore{2B6B23BF-2145-4A8C-9E7C-A73845E8E258}\RP2\A0001361.dll a variant of Win32/Kryptik.CEO trojan (cleaned by deleting - quarantined) 99AB1ED1BF75DA7EC9D9CE799F87094C C

C:\System Volume Information\_restore{2B6B23BF-2145-4A8C-9E7C-A73845E8E258}\RP2\A0001362.dll a variant of Win32/Kryptik.BUA trojan (cleaned by deleting - quarantined) E6DE20773D6486EE83E3BAB87DD76C6F C

C:\System Volume Information\_restore{2B6B23BF-2145-4A8C-9E7C-A73845E8E258}\RP2\A0001363.exe a variant of Win32/Adware.PCProtector.B application (cleaned by deleting - quarantined) 6ECF8C6B0B5C26B4107B4393FA33E4E3 C

C:\System Volume Information\_restore{2B6B23BF-2145-4A8C-9E7C-A73845E8E258}\RP2\A0001364.dll a variant of Win32/Kryptik.CBQ trojan (cleaned by deleting - quarantined) 25663D3896C689487660D5AB811408F6 C

C:\System Volume Information\_restore{2B6B23BF-2145-4A8C-9E7C-A73845E8E258}\RP2\A0001365.dll a variant of Win32/Kryptik.BNX trojan (cleaned by deleting - quarantined) 796A54BD2A843B36450E5872CA561D97 C

C:\System Volume Information\_restore{2B6B23BF-2145-4A8C-9E7C-A73845E8E258}\RP2\A0001366.dll a variant of Win32/Kryptik.BNX trojan (cleaned by deleting - quarantined) 138658FE8509F94BEBC98556828862F1 C

C:\WINDOWS\system32\jevstuvlpibilbv.dll a variant of Win32/Adware.Virtumonde.NGX application (cleaned by deleting - quarantined) 8B9DAB120479DCDDA9E6EE5D4D44DFD8 C


Looks much better.

  • Double click on OTL to run it. Make sure all other windows are closed and let it run uninterrupted.
  • When the window appears, underneath Output at the top change it to Minimal Output.
  • Under the Standard Registry box change it to All.
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open one notepad window, OTL.Txt. This is saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of this file and post it with your next reply.


OTL logfile created on: 3/17/2010 7:02:42 AM - Run 1

OTL by OldTimer - Version 3.1.34.0 Folder = C:\Documents and Settings\Owner\Desktop

Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation

Internet Explorer (Version = 7.0.5730.13)

Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 75.00% Memory free

4.00 Gb Paging File | 3.00 Gb Available in Paging File | 90.00% Paging File free

Paging file location(s): C:\pagefile.sys 2 3069 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files

Drive C: | 74.46 Gb Total Space | 38.46 Gb Free Space | 51.65% Space Free | Partition Type: NTFS

D: Drive not present or media not loaded

E: Drive not present or media not loaded

F: Drive not present or media not loaded

G: Drive not present or media not loaded

H: Drive not present or media not loaded

I: Drive not present or media not loaded

Computer Name: CYNTANDZEST

Current User Name: Owner

Logged in as Administrator.

Current Boot Mode: Normal

Scan Mode: Current user

Company Name Whitelist: Off

Skip Microsoft Files: Off

File Age = 30 Days

Output = Minimal

========== Processes (SafeList) ==========

PRC - C:\Documents and Settings\Owner\Desktop\OTL.exe (OldTimer Tools)

PRC - C:\Program Files\McAfee\MSC\mcmscsvc.exe (McAfee, Inc.)

PRC - C:\Program Files\McAfee\MPF\MpfSrv.exe (McAfee, Inc.)

PRC - c:\Program Files\Common Files\McAfee\McProxy\McProxy.exe (McAfee, Inc.)

PRC - C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (Safer Networking Limited)

PRC - C:\WINDOWS\system32\LxrJD31s.exe ()

PRC - C:\WINDOWS\system32\snmp.exe (Microsoft Corporation)

PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)

PRC - C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe (Eastman Kodak Company)

PRC - C:\Nexon\Mabinogi\npkcmsvc.exe (INCA Internet Co., Ltd.)

PRC - C:\Program Files\Common Files\AOL\1112159610\EE\aolsoftware.exe (AOL LLC)

PRC - C:\Program Files\Common Files\AOL\ACS\AOLDial.exe (AOL LLC)

PRC - C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe (AOL LLC)

PRC - C:\Program Files\America Online 9.0\aoltray.exe (America Online, Inc.)

========== Modules (SafeList) ==========

MOD - C:\Documents and Settings\Owner\Desktop\OTL.exe (OldTimer Tools)

MOD - C:\Program Files\Common Files\AOL\ACS\WLHook.dll (America Online)

========== Win32 Services (SafeList) ==========

SRV - (McNASvc) -- File not found

SRV - (ITMRTSVC) -- File not found

SRV - (aolavupd) -- File not found

SRV - (mcmscsvc) -- C:\Program Files\McAfee\MSC\mcmscsvc.exe (McAfee, Inc.)

SRV - (MpfService) -- C:\Program Files\McAfee\MPF\MPFSrv.exe (McAfee, Inc.)

SRV - (McShield) -- C:\Program Files\McAfee\VirusScan\Mcshield.exe (McAfee, Inc.)

SRV - (McSysmon) -- C:\Program Files\McAfee\VirusScan\mcsysmon.exe (McAfee, Inc.)

SRV - (McProxy) -- c:\Program Files\Common Files\McAfee\McProxy\McProxy.exe (McAfee, Inc.)

SRV - (LxrJD31s) -- C:\WINDOWS\System32\LxrJD31s.exe ()

SRV - (SNMP) -- C:\WINDOWS\system32\snmp.exe (Microsoft Corporation)

SRV - (npkcmsvc) -- C:\Nexon\Mabinogi\npkcmsvc.exe (INCA Internet Co., Ltd.)

SRV - (AOL ACS) -- C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe (AOL LLC)

SRV - (dlbt_device) -- C:\WINDOWS\System32\dlbtcoms.exe (Dell)

SRV - (LPDSVC) -- C:\WINDOWS\system32\tcpsvcs.exe (Microsoft Corporation)

========== Driver Services (SafeList) ==========

DRV - (mfehidk) -- C:\WINDOWS\system32\drivers\mfehidk.sys (McAfee, Inc.)

DRV - (mfeavfk) -- C:\WINDOWS\system32\drivers\mfeavfk.sys (McAfee, Inc.)

DRV - (mfesmfk) -- C:\WINDOWS\system32\drivers\mfesmfk.sys (McAfee, Inc.)

DRV - (mfebopk) -- C:\WINDOWS\system32\drivers\mfebopk.sys (McAfee, Inc.)

DRV - (mferkdk) -- C:\WINDOWS\system32\drivers\mferkdk.sys (McAfee, Inc.)

DRV - (MPFP) -- C:\WINDOWS\system32\drivers\Mpfp.sys (McAfee, Inc.)

DRV - (eeCtrl) -- C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys (Symantec Corporation)

DRV - (LxrJD31d) -- C:\WINDOWS\system32\drivers\LxrJD31d.sys ()

DRV - (MRESP50) -- C:\Program Files\Common Files\Motive\MRESP50.sys (Printing Communications Assoc., Inc. (PCAUSA))

DRV - (MREMP50) -- C:\Program Files\Common Files\Motive\MREMP50.sys (Printing Communications Assoc., Inc. (PCAUSA))

DRV - (MCSTRM) -- C:\WINDOWS\system32\drivers\mcstrm.sys (RealNetworks, Inc.)

DRV - (ATWPKT2) -- C:\WINDOWS\system32\drivers\atwpkt2.sys (America Online)

DRV - (StMp3Rec) -- C:\WINDOWS\system32\drivers\StMp3Rec.sys (Generic)

DRV - (NPPTNT2) -- C:\WINDOWS\system32\npptNT2.sys (INCA Internet Co., Ltd.)

DRV - (tfsnudfa) -- C:\WINDOWS\system32\dla\tfsnudfa.sys (Sonic Solutions)

DRV - (tfsnudf) -- C:\WINDOWS\system32\dla\tfsnudf.sys (Sonic Solutions)

DRV - (tfsnifs) -- C:\WINDOWS\system32\dla\tfsnifs.sys (Sonic Solutions)

DRV - (tfsncofs) -- C:\WINDOWS\system32\dla\tfsncofs.sys (Sonic Solutions)

DRV - (tfsnboio) -- C:\WINDOWS\system32\dla\tfsnboio.sys (Sonic Solutions)

DRV - (tfsnopio) -- C:\WINDOWS\system32\dla\tfsnopio.sys (Sonic Solutions)

DRV - (tfsnpool) -- C:\WINDOWS\system32\dla\tfsnpool.sys (Sonic Solutions)

DRV - (tfsndrct) -- C:\WINDOWS\system32\dla\tfsndrct.sys (Sonic Solutions)

DRV - (tfsndres) -- C:\WINDOWS\system32\dla\tfsndres.sys (Sonic Solutions)

DRV - (drvnddm) -- C:\WINDOWS\system32\drivers\drvnddm.sys (Sonic Solutions)

DRV - (drvmcdb) -- C:\WINDOWS\system32\drivers\drvmcdb.sys (Sonic Solutions)

DRV - (sscdbhk5) -- C:\WINDOWS\system32\drivers\sscdbhk5.sys (Sonic Solutions)

DRV - (ssrtln) -- C:\WINDOWS\system32\drivers\ssrtln.sys (Sonic Solutions)

DRV - (IntelC52) -- C:\WINDOWS\system32\drivers\IntelC52.sys (Intel Corporation)

DRV - (IntelC51) -- C:\WINDOWS\system32\drivers\IntelC51.sys (Intel Corporation)

DRV - (IntelC53) -- C:\WINDOWS\system32\drivers\IntelC53.sys (Intel Corporation)

DRV - (mohfilt) -- C:\WINDOWS\system32\drivers\mohfilt.sys (Intel Corporation)

DRV - (bvrp_pci) -- C:\WINDOWS\system32\drivers\bvrp_pci.sys ()

DRV - (bcm4sbxp) -- C:\WINDOWS\system32\drivers\bcm4sbxp.sys (Broadcom Corporation)

DRV - (wanatw) WAN Miniport (ATW) -- C:\WINDOWS\system32\drivers\wanatw4.sys (America Online, Inc.)

DRV - (SbcpHid) -- C:\WINDOWS\system32\drivers\SbcpHid.sys ()

DRV - (OMCI) -- C:\WINDOWS\SYSTEM32\DRIVERS\OMCI.SYS (Dell Computer Corporation)

DRV - (MODEMCSA) -- C:\WINDOWS\system32\drivers\MODEMCSA.sys (Microsoft Corporation)

========== Standard Registry (All) ==========

========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = [binary data]

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomSearch = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm

IE - HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:9090

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Page_Transitions = 1

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Google

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://www.google.com/search?q={searchTerm...tf8&oe=utf8

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,start page = http://www.msn.com/

IE - HKCU\..\URLSearchHook: {CFBFAE00-17A6-11D0-99CB-00C04FD64497} - C:\WINDOWS\system32\ieframe.dll (Microsoft Corporation)

IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local;<local>

FF - HKLM\software\mozilla\Firefox\Extensions\\myspacefftb@myspace.com: C:\Documents and Settings\JUST DONT KNOW\Application Data\MySpace\Toolbar\bin\

FF - HKLM\software\mozilla\Firefox\Extensions\\{20a82645-c095-46ed-80e3-08825760534b}: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\ [2009/08/09 21:11:49 | 000,000,000 | ---D | M]

FF - HKLM\software\mozilla\Firefox\Extensions\\jqs@sun.com: C:\Program Files\Java\jre6\lib\deploy\jqs\ff [2009/09/22 22:38:37 | 000,000,000 | ---D | M]

[2009/06/04 19:55:08 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Mozilla\Extensions

[2009/06/04 19:55:08 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Mozilla\Extensions\mozswing@mozswing.org

O1 HOSTS File: ([2010/03/15 18:29:52 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts

O1 - Hosts: 127.0.0.1 localhost

O2 - BHO: (&Yahoo! Toolbar Helper) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)

O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)

O2 - BHO: (scriptproxy) - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll (McAfee, Inc.)

O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)

O3 - HKLM\..\Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - No CLSID value found.

O3 - HKLM\..\Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - No CLSID value found.

O3 - HKLM\..\Toolbar: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)

O3 - HKCU\..\Toolbar\ShellBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.

O3 - HKCU\..\Toolbar\WebBrowser: (&Address) - {01E04581-4EEE-11D0-BFE9-00AA005B4383} - C:\WINDOWS\system32\browseui.dll (Microsoft Corporation)

O3 - HKCU\..\Toolbar\WebBrowser: (&Links) - {0E5CBF21-D15F-11D0-8301-00AA005B4383} - C:\WINDOWS\system32\shell32.dll (Microsoft Corporation)

O3 - HKCU\..\Toolbar\WebBrowser: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)

O4 - HKLM..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe (AOL LLC)

O4 - HKLM..\Run: [Dell Photo AIO Printer 922] C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe ()

O4 - HKLM..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe (Sonic Solutions)

O4 - HKLM..\Run: [HostManager] C:\Program Files\Common Files\AOL\1112159610\EE\aolsoftware.exe (AOL LLC)

O4 - HKLM..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe (Intel Corporation)

O4 - HKLM..\Run: [intelMeM] C:\Program Files\Intel\Modem Event Monitor\intelmem.exe (Intel Corporation)

O4 - HKLM..\Run: [QuickTime Task] C:\Program Files\QuickTime\qttask.exe (Apple Computer, Inc.)

O4 - HKCU..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (Microsoft Corporation)

O4 - HKCU..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (Safer Networking Limited)

O4 - HKCU..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe (Yahoo! Inc.)

O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe (Adobe Systems Incorporated)

O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe (America Online, Inc.)

O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe (Eastman Kodak Company)

O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Main present

O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\PhishingFilter present

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableRegistryTools = 0

O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Recovery present

O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323

O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: RestrictRun = 0

O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863

O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0

O9 - Extra 'Tools' menuitem : Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)

O10 - NameSpace_Catalog5\Catalog_Entries\000000000001 [] - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)

O10 - NameSpace_Catalog5\Catalog_Entries\000000000002 [] - C:\WINDOWS\system32\winrnr.dll (Microsoft Corporation)

O10 - NameSpace_Catalog5\Catalog_Entries\000000000003 [] - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)

O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)

O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)

O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)

O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - C:\WINDOWS\system32\rsvpsp.dll (Microsoft Corporation)

O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - C:\WINDOWS\system32\rsvpsp.dll (Microsoft Corporation)

O10 - Protocol_Catalog9\Catalog_Entries\000000000006 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)

O10 - Protocol_Catalog9\Catalog_Entries\000000000007 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)

O10 - Protocol_Catalog9\Catalog_Entries\000000000008 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)

O10 - Protocol_Catalog9\Catalog_Entries\000000000009 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)

O10 - Protocol_Catalog9\Catalog_Entries\000000000010 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)

O10 - Protocol_Catalog9\Catalog_Entries\000000000011 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)

O10 - Protocol_Catalog9\Catalog_Entries\000000000012 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)

O10 - Protocol_Catalog9\Catalog_Entries\000000000013 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)

O10 - Protocol_Catalog9\Catalog_Entries\000000000014 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)

O10 - Protocol_Catalog9\Catalog_Entries\000000000015 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)

O15 - HKCU\..Trusted Domains: internet ([]about in Trusted sites)

O15 - HKCU\..Trusted Domains: mcafee.com ([]http in Trusted sites)

O15 - HKCU\..Trusted Domains: mcafee.com ([]https in Trusted sites)

O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} http://office.microsoft.com/templates/ieawsdc.cab (Microsoft Office Template and Media Control)

O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} file:///C:/Program%20Files/Bejeweled%202/Images/stg_drm.ocx (SpinTop DRM Control)

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://fpdownload.macromedia.com/get/shock...director/sw.cab (Shockwave ActiveX Control)

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://download.microsoft.com/download/9/b...heckControl.cab (Windows Genuine Advantage Validation Tool)

O16 - DPF: {38D63471-E630-4492-A986-B8C48B79F2F8} http://update.videoegg.com/wintel/VideoEggPublisher.exe (CVideoEgg_ActiveXCtl Object)

O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} Reg Error: Key error. (Reg Error: Key error.)

O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} http://cdn.scan.onecare.live.com/resource/...wlscbase370.cab (Windows Live Safety Center Base Module)

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://v5.windowsupdate.microsoft.com/v5co...b?1112754142203 (WUWebControl Class)

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://update.microsoft.com/microsoftupdat...b?1131064372484 (MUWebControl Class)

O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_15)

O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} https://echat.us.dell.com/Media/VisitorChat/TLIEFlash.CAB (TLIEFlashObj Class)

O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} http://cdn2.zone.msn.com/binFramework/v10/...ro.cab56649.cab (MSN Games - Installer)

O16 - DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab (Java Plug-in 1.5.0_10)

O16 - DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab (Java Plug-in 1.5.0_11)

O16 - DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_01)

O16 - DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_02)

O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_03)

O16 - DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_05)

O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_07)

O16 - DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_15)

O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_15)

O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} file:///C:/Program%20Files/Real%20Crimes%20-%20The%20Unicorn%20Killer/Images/armhelper.ocx (ArmHelper Control)

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://download.macromedia.com/pub/shockwa...ash/swflash.cab (Shockwave Flash Object)

O16 - DPF: Microsoft XML Parser for Java file://C:\WINDOWS\Java\classes\xmldso.cab (Reg Error: Key error.)

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.254

O18 - Protocol\Handler\about {3050F406-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)

O18 - Protocol\Handler\cdl {3dd53d40-7b8b-11D0-b013-00aa0059ce02} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)

O18 - Protocol\Handler\dvd {12D51199-0DB5-46FE-A120-47A3D7D937CC} - C:\WINDOWS\system32\msvidctl.dll (Microsoft Corporation)

O18 - Protocol\Handler\file {79eac9e7-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)

O18 - Protocol\Handler\ftp {79eac9e3-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)

O18 - Protocol\Handler\gopher {79eac9e4-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)

O18 - Protocol\Handler\http {79eac9e2-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)

O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)

O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)

O18 - Protocol\Handler\https {79eac9e5-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)

O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)

O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)

O18 - Protocol\Handler\ipp - No CLSID value found

O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)

O18 - Protocol\Handler\its {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINDOWS\system32\itss.dll (Microsoft Corporation)

O18 - Protocol\Handler\javascript {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)

O18 - Protocol\Handler\local {79eac9e7-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)

O18 - Protocol\Handler\mailto {3050f3DA-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)

O18 - Protocol\Handler\mhtml {05300401-BCBC-11d0-85E3-00C04FD85AB4} - C:\WINDOWS\system32\inetcomm.dll (Microsoft Corporation)

O18 - Protocol\Handler\mk {79eac9e6-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)

O18 - Protocol\Handler\msdaipp - No CLSID value found

O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)

O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)

O18 - Protocol\Handler\ms-its {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINDOWS\system32\itss.dll (Microsoft Corporation)

O18 - Protocol\Handler\res {3050F3BC-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)

O18 - Protocol\Handler\sysimage {76E67A63-06E9-11D2-A840-006008059382} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)

O18 - Protocol\Handler\tv {CBD30858-AF45-11D2-B6D6-00C04FBBDE6E} - C:\WINDOWS\system32\msvidctl.dll (Microsoft Corporation)

O18 - Protocol\Handler\vbscript {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)

O18 - Protocol\Handler\wia {13F3EA8B-91D7-4F0A-AD76-D2853AC8BECE} - C:\WINDOWS\system32\wiascr.dll (Microsoft Corporation)

O18 - Protocol\Filter\application/octet-stream {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - C:\WINDOWS\System32\mscoree.dll (Microsoft Corporation)

O18 - Protocol\Filter\application/x-complus {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - C:\WINDOWS\System32\mscoree.dll (Microsoft Corporation)

O18 - Protocol\Filter\application/x-msdownload {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - C:\WINDOWS\System32\mscoree.dll (Microsoft Corporation)

O18 - Protocol\Filter\Class Install Handler {32B533BB-EDAE-11d0-BD5A-00AA00B92AF1} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)

O18 - Protocol\Filter\deflate {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)

O18 - Protocol\Filter\gzip {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)

O18 - Protocol\Filter\lzdhtml {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)

O18 - Protocol\Filter\text/webviewhtml {733AC4CB-F1A4-11d0-B951-00A0C90312E1} - C:\WINDOWS\system32\shell32.dll (Microsoft Corporation)

O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)

O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)

O20 - HKLM Winlogon: UIHost - (logonui.exe) - C:\WINDOWS\System32\logonui.exe (Microsoft Corporation)

O20 - HKLM Winlogon: VMApplet - (rundll32 shell32) - C:\WINDOWS\System32\shell32.dll (Microsoft Corporation)

O20 - HKLM Winlogon: VMApplet - (Control_RunDLL "sysdm.cpl") - C:\WINDOWS\System32\sysdm.cpl (Microsoft Corporation)

O20 - Winlogon\Notify\crypt32chain: DllName - crypt32.dll - C:\WINDOWS\System32\crypt32.dll (Microsoft Corporation)

O20 - Winlogon\Notify\cryptnet: DllName - cryptnet.dll - C:\WINDOWS\System32\cryptnet.dll (Microsoft Corporation)

O20 - Winlogon\Notify\cscdll: DllName - cscdll.dll - C:\WINDOWS\System32\cscdll.dll (Microsoft Corporation)

O20 - Winlogon\Notify\dimsntfy: DllName - %SystemRoot%\System32\dimsntfy.dll - C:\WINDOWS\system32\dimsntfy.dll (Microsoft Corporation)

O20 - Winlogon\Notify\igfxcui: DllName - igfxsrvc.dll - C:\WINDOWS\System32\igfxsrvc.dll (Intel Corporation)

O20 - Winlogon\Notify\ScCertProp: DllName - wlnotify.dll - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation)

O20 - Winlogon\Notify\Schedule: DllName - wlnotify.dll - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation)

O20 - Winlogon\Notify\sclgntfy: DllName - sclgntfy.dll - C:\WINDOWS\System32\sclgntfy.dll (Microsoft Corporation)

O20 - Winlogon\Notify\SensLogn: DllName - WlNotify.dll - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation)

O20 - Winlogon\Notify\termsrv: DllName - wlnotify.dll - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation)

O20 - Winlogon\Notify\WgaLogon: DllName - WgaLogon.dll - C:\WINDOWS\System32\WgaLogon.dll (Microsoft Corporation)

O20 - Winlogon\Notify\wlballoon: DllName - wlnotify.dll - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation)

O21 - SSODL: CDBurn - {fbeb8a05-beee-4442-804e-409d6c4515e9} - C:\WINDOWS\system32\shell32.dll (Microsoft Corporation)

O21 - SSODL: PostBootReminder - {7849596a-48ea-486e-8937-a2a3009f31a9} - C:\WINDOWS\system32\shell32.dll (Microsoft Corporation)

O21 - SSODL: SysTray - {35CEC8A3-2BE6-11D2-8773-92E220524153} - C:\WINDOWS\system32\stobject.dll (Microsoft Corporation)

O21 - SSODL: UPnPMonitor - {e57ce738-33e8-4c51-8354-bb4de9d215d1} - C:\WINDOWS\system32\upnpui.dll (Microsoft Corporation)

O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - C:\WINDOWS\system32\webcheck.dll (Microsoft Corporation)

O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll (Microsoft Corporation)

O22 - SharedTaskScheduler: {438755C2-A8BA-11D1-B96B-00A0C90312E1} - Browseui preloader - C:\WINDOWS\system32\browseui.dll (Microsoft Corporation)

O22 - SharedTaskScheduler: {8C7461EF-2B13-11d2-BE35-3078302C2030} - Component Categories cache daemon - C:\WINDOWS\system32\browseui.dll (Microsoft Corporation)

O24 - Desktop Components:0 (My Current Home Page) - About:Home

O24 - Desktop WallPaper: C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Wallpaper1.bmp

O24 - Desktop BackupWallPaper: C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Wallpaper1.bmp

O28 - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - C:\WINDOWS\System32\shell32.dll (Microsoft Corporation)

O29 - HKLM SecurityProviders - (msapsspc.dll) - C:\WINDOWS\System32\msapsspc.dll (Microsoft Corporation)

O29 - HKLM SecurityProviders - (schannel.dll) - C:\WINDOWS\System32\schannel.dll (Microsoft Corporation)

O29 - HKLM SecurityProviders - (digest.dll) - C:\WINDOWS\System32\digest.dll (Microsoft Corporation)

O29 - HKLM SecurityProviders - (msnsspc.dll) - C:\WINDOWS\System32\msnsspc.dll (Microsoft Corporation)

O30 - LSA: Authentication Packages - (msv1_0) - C:\WINDOWS\System32\msv1_0.dll (Microsoft Corporation)

O30 - LSA: Security Packages - (kerberos) - C:\WINDOWS\System32\kerberos.dll (Microsoft Corporation)

O30 - LSA: Security Packages - (msv1_0) - C:\WINDOWS\System32\msv1_0.dll (Microsoft Corporation)

O30 - LSA: Security Packages - (schannel) - C:\WINDOWS\System32\schannel.dll (Microsoft Corporation)

O30 - LSA: Security Packages - (wdigest) - C:\WINDOWS\System32\wdigest.dll (Microsoft Corporation)

O31 - SafeBoot: AlternateShell - cmd.exe

O32 - HKLM CDRom: AutoRun - 1

O32 - AutoRun File - [2005/03/29 21:20:44 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]

O34 - HKLM BootExecute: (autocheck autochk *) - File not found

O35 - comfile [open] -- "%1" %*

O35 - exefile [open] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010/03/16 21:34:32 | 000,000,000 | ---D | C] -- C:\Program Files\ESET

[2010/03/16 21:07:37 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Application Data\Malwarebytes

[2010/03/16 21:07:33 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys

[2010/03/16 21:07:31 | 000,019,160 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys

[2010/03/16 21:07:31 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware

[2010/03/16 20:59:50 | 000,000,000 | -HSD | C] -- C:\RECYCLER

[2010/03/15 22:46:42 | 000,000,000 | ---D | C] -- C:\puddin17215p

[2010/03/15 18:15:46 | 000,000,000 | ---D | C] -- C:\puddin4335p

[2010/03/14 18:25:00 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\My Documents\combo log txt

[2010/03/14 17:25:53 | 000,000,000 | RHSD | C] -- C:\cmdcons

[2010/03/14 17:23:58 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe

[2010/03/14 17:23:58 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe

[2010/03/14 17:23:58 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe

[2010/03/14 17:23:58 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe

[2010/03/14 17:23:36 | 000,000,000 | ---D | C] -- C:\puddin

[2010/03/14 17:01:49 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT

[2010/03/13 20:05:02 | 000,000,000 | ---D | C] -- C:\Qoobox

[2010/03/11 21:05:10 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\SACore

[2010/03/06 18:14:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft

[2010/02/27 22:38:35 | 000,553,984 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTL.exe

[2010/02/27 17:50:01 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes

[2009/06/13 20:52:54 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Adobe

[2008/10/13 21:12:08 | 000,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Application Data\Microsoft

[2008/10/11 17:17:32 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\Adobe

[2008/10/11 17:17:22 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\Yahoo!

[2008/03/10 20:49:26 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft

[2008/03/10 20:49:25 | 000,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Application Data\Microsoft

[2005/12/27 14:45:50 | 000,774,144 | ---- | C] (RealNetworks, Inc.) -- C:\Program Files\RngInterstitial.dll

[2005/12/08 15:26:00 | 000,155,648 | ---- | C] ( ) -- C:\WINDOWS\System32\flashshl.dll

[2005/08/31 20:33:54 | 000,092,672 | ---- | C] ( ) -- C:\WINDOWS\System32\DVDRead.dll

[2005/03/31 23:40:07 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\Macromedia

[2003/12/09 13:16:52 | 000,442,368 | ---- | C] ( ) -- C:\WINDOWS\System32\comintfs.dll

[7 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

[5 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

[3 C:\Documents and Settings\Owner\My Documents\*.tmp files -> C:\Documents and Settings\Owner\My Documents\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/03/17 06:56:26 | 000,334,286 | ---- | M] () -- C:\logfile

[2010/03/17 06:55:42 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl

[2010/03/17 06:55:30 | 000,011,261 | ---- | M] () -- C:\WINDOWS\System32\Config.MPF

[2010/03/17 06:55:01 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT

[2010/03/17 06:54:55 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat

[2010/03/17 03:52:00 | 000,000,366 | ---- | M] () -- C:\WINDOWS\tasks\Symantec NetDetect.job

[2010/03/16 21:24:09 | 008,388,608 | ---- | M] () -- C:\Documents and Settings\Owner\ntuser.dat

[2010/03/16 21:24:09 | 000,000,278 | -HS- | M] () -- C:\Documents and Settings\Owner\ntuser.ini

[2010/03/16 21:07:36 | 000,000,696 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk

[2010/03/15 22:57:36 | 000,000,246 | ---- | M] () -- C:\WINDOWS\system.ini

[2010/03/15 18:29:52 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts

[2010/03/15 18:11:21 | 003,891,061 | R--- | M] () -- C:\Documents and Settings\Owner\Desktop\puddin.exe

[2010/03/15 17:59:13 | 000,444,844 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat

[2010/03/15 17:59:12 | 000,528,018 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI

[2010/03/15 17:59:12 | 000,073,060 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat

[2010/03/14 19:10:18 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK

[2010/03/14 19:07:14 | 000,000,309 | ---- | M] () -- C:\WINDOWS\System32\MRT.INI

[2010/03/14 18:26:01 | 000,002,473 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\Microsoft Word.lnk

[2010/03/14 17:26:00 | 000,000,281 | RHS- | M] () -- C:\boot.ini

[2010/03/13 20:10:57 | 003,888,953 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\ComboFix.exe

[2010/03/13 19:55:07 | 003,888,953 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\ComboFix.exe

[2010/03/13 19:51:00 | 000,000,627 | ---- | M] () -- C:\WINDOWS\dellstat.ini

[2010/03/11 23:19:08 | 000,002,317 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\OverDrive Media Console.lnk

[2010/03/08 00:54:33 | 000,008,804 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\Kiwayne's rough draft my edit.rtf

[2010/03/06 20:07:30 | 000,293,376 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\7w2htxsg.exe

[2010/03/06 19:40:31 | 000,553,984 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTL.exe

[2010/03/06 18:14:03 | 000,000,000 | -H-- | M] () -- C:\WINDOWS\System32\drivers\UMDF\Msft_User_WpdMtpDr_01_00_00.Wdf

[2010/03/06 13:29:20 | 000,006,456 | -H-- | M] () -- C:\WINDOWS\System32\litolani

[2010/03/05 14:03:19 | 000,000,260 | ---- | M] () -- C:\WINDOWS\tasks\Disk Cleanup.job

[7 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

[5 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

[3 C:\Documents and Settings\Owner\My Documents\*.tmp files -> C:\Documents and Settings\Owner\My Documents\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/03/16 21:07:36 | 000,000,696 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk

[2010/03/14 17:26:00 | 000,000,211 | ---- | C] () -- C:\Boot.bak

[2010/03/14 17:25:56 | 000,260,272 | ---- | C] () -- C:\cmldr

[2010/03/14 17:23:58 | 000,261,632 | ---- | C] () -- C:\WINDOWS\PEV.exe

[2010/03/14 17:23:58 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe

[2010/03/14 17:23:58 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe

[2010/03/14 17:23:58 | 000,077,312 | ---- | C] () -- C:\WINDOWS\MBR.exe

[2010/03/14 17:23:58 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe

[2010/03/14 16:42:35 | 003,891,061 | R--- | C] () -- C:\Documents and Settings\Owner\Desktop\puddin.exe

[2010/03/13 20:07:38 | 003,888,953 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\ComboFix.exe

[2010/03/13 19:54:55 | 003,888,953 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\ComboFix.exe

[2010/03/08 00:50:51 | 000,008,804 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\Kiwayne's rough draft my edit.rtf

[2010/03/06 20:07:28 | 000,293,376 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\7w2htxsg.exe

[2010/02/06 21:46:00 | 000,767,952 | ---- | C] () -- C:\WINDOWS\BDTSupport.dll.old

[2009/08/19 20:59:57 | 000,018,166 | ---- | C] () -- C:\WINDOWS\System32\esyb.sys

[2009/08/19 20:59:57 | 000,014,206 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\ijuluz.com

[2009/08/19 20:59:57 | 000,012,292 | ---- | C] () -- C:\WINDOWS\xivez.sys

[2009/08/19 20:59:57 | 000,011,653 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\netekud._sy

[2009/08/19 20:59:57 | 000,010,689 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\upamireb._dl

[2009/07/03 14:06:10 | 001,329,664 | ---- | C] () -- C:\WINDOWS\System32\nszFA.dll

[2009/07/02 21:51:08 | 000,000,000 | ---- | C] () -- C:\WINDOWS\game.INI

[2009/07/02 19:39:41 | 000,000,128 | ---- | C] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\fusioncache.dat

[2009/07/02 16:37:43 | 000,354,816 | ---- | C] () -- C:\WINDOWS\System32\psisdecd.dll

[2009/06/29 20:52:53 | 000,622,113 | ---- | C] () -- C:\WINDOWS\System32\IDPList.dll

[2009/06/29 20:52:53 | 000,013,772 | ---- | C] () -- C:\WINDOWS\System32\IDPImmData.dll

[2009/06/29 20:52:52 | 000,000,162 | ---- | C] () -- C:\WINDOWS\System32\IDPCritProc.dll

[2009/06/07 12:35:29 | 000,000,076 | ---- | C] () -- C:\WINDOWS\System32\IDPVer.ini

[2009/06/07 12:14:08 | 000,002,557 | ---- | C] () -- C:\WINDOWS\System32\sk_bho.ini

[2009/06/07 11:40:19 | 000,000,045 | ---- | C] () -- C:\WINDOWS\System32\RPVersion.ini

[2009/05/15 23:37:13 | 000,000,607 | ---- | C] () -- C:\Documents and Settings\Owner\Application Data\BuGHkSmUzn.gif

[2009/05/15 23:37:12 | 000,002,119 | ---- | C] () -- C:\Documents and Settings\Owner\Application Data\BuGHkSmUat.gif

[2009/05/15 23:37:12 | 000,000,598 | ---- | C] () -- C:\Documents and Settings\Owner\Application Data\BuGHkSmUby.gif

[2008/11/30 15:40:21 | 000,000,004 | ---- | C] () -- C:\WINDOWS\msoffice.ini

[2008/10/13 01:05:06 | 000,000,073 | ---- | C] () -- C:\WINDOWS\st_affiliate.ini

[2008/10/12 23:01:54 | 000,000,004 | ---- | C] () -- C:\Documents and Settings\Owner\Application Data\iexplore.iss

[2008/03/31 20:05:08 | 000,000,000 | ---- | C] () -- C:\WINDOWS\VPC32.INI

[2008/03/20 22:48:25 | 000,000,627 | ---- | C] () -- C:\WINDOWS\dellstat.ini

[2008/03/20 22:44:53 | 000,126,976 | R--- | C] () -- C:\WINDOWS\System32\dlbtsnls.dll

[2008/03/20 22:44:52 | 000,143,360 | R--- | C] () -- C:\WINDOWS\System32\dlbtcoin.dll

[2008/03/20 22:43:20 | 000,040,960 | ---- | C] () -- C:\WINDOWS\System32\dlbtvs.dll

[2008/03/20 22:43:15 | 000,114,688 | ---- | C] () -- C:\WINDOWS\System32\dlbtcur.dll

[2008/03/20 22:43:15 | 000,069,632 | ---- | C] () -- C:\WINDOWS\System32\dlbtcu.dll

[2008/03/20 22:43:02 | 000,557,056 | ---- | C] () -- C:\WINDOWS\System32\dlbtjswr.dll

[2008/03/20 22:42:52 | 000,401,408 | ---- | C] () -- C:\WINDOWS\System32\dlbtutil.dll

[2008/03/11 18:31:18 | 000,000,309 | ---- | C] () -- C:\WINDOWS\System32\MRT.INI

[2007/11/20 13:32:41 | 000,025,964 | ---- | C] () -- C:\WINDOWS\System32\IDPSigLevel.dll

[2007/11/20 13:32:40 | 005,527,385 | ---- | C] () -- C:\WINDOWS\System32\IDPRSig.dll

[2007/11/20 13:32:39 | 004,985,733 | ---- | C] () -- C:\WINDOWS\System32\IDPFSig.dll

[2007/11/20 13:32:39 | 000,343,272 | ---- | C] () -- C:\WINDOWS\System32\IDPESig.dll

[2007/11/20 13:32:39 | 000,002,380 | ---- | C] () -- C:\WINDOWS\System32\IDPBlkCoo.dll

[2007/01/27 23:08:33 | 000,249,856 | ---- | C] () -- C:\WINDOWS\System32\LxrJD31.dll

[2007/01/27 23:08:33 | 000,061,440 | ---- | C] () -- C:\WINDOWS\System32\LxrJD20Sat.dll

[2007/01/27 23:08:32 | 000,069,824 | ---- | C] () -- C:\WINDOWS\System32\drivers\LxrJD31d.sys

[2006/11/12 15:02:50 | 000,000,000 | ---- | C] () -- C:\WINDOWS\JDSecure31.INI

[2006/10/06 21:00:59 | 000,000,020 | ---- | C] () -- C:\WINDOWS\Epscan2.INI

[2006/10/06 19:30:01 | 000,004,131 | ---- | C] () -- C:\WINDOWS\estwn323.ini

[2006/07/04 00:10:06 | 000,000,022 | ---- | C] () -- C:\WINDOWS\iexplore.ini

[2006/02/13 23:57:40 | 000,000,030 | ---- | C] () -- C:\WINDOWS\atid.ini

[2005/12/25 14:40:10 | 000,000,116 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini

[2005/12/08 15:26:00 | 000,000,468 | ---- | C] () -- C:\WINDOWS\LXBRFMT.INI

[2005/12/08 15:26:00 | 000,000,022 | ---- | C] () -- C:\WINDOWS\FLASHKSK.INI

[2005/12/08 15:25:56 | 000,003,205 | ---- | C] () -- C:\WINDOWS\LXBRCAH.ini

[2005/12/08 15:25:55 | 000,002,178 | ---- | C] () -- C:\WINDOWS\System32\LXBRSET.INI

[2005/09/12 21:44:27 | 000,000,044 | ---- | C] () -- C:\WINDOWS\liveup.ini

[2005/07/17 23:30:34 | 000,044,544 | ---- | C] () -- C:\WINDOWS\System32\gif89.dll

[2005/07/17 23:30:21 | 000,000,529 | ---- | C] () -- C:\WINDOWS\SIERRA.INI

[2005/06/08 15:21:28 | 000,000,191 | ---- | C] () -- C:\WINDOWS\QTW.INI

[2005/05/13 15:31:40 | 000,027,136 | ---- | C] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

[2005/05/08 13:31:06 | 000,302,592 | ---- | C] () -- C:\WINDOWS\System32\pgp.dll

[2005/05/08 13:31:06 | 000,093,184 | ---- | C] () -- C:\WINDOWS\System32\keydb.dll

[2005/05/08 13:31:06 | 000,070,656 | ---- | C] () -- C:\WINDOWS\System32\simple.dll

[2005/05/08 13:31:06 | 000,065,024 | ---- | C] () -- C:\WINDOWS\System32\bn.dll

[2005/05/08 13:29:34 | 000,000,018 | ---- | C] () -- C:\WINDOWS\Epson640.ini

[2005/04/26 01:58:19 | 000,000,082 | ---- | C] () -- C:\WINDOWS\MPLAYER.INI

[2005/04/25 00:22:39 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI

[2005/04/05 21:31:36 | 000,061,678 | ---- | C] () -- C:\Documents and Settings\Owner\Application Data\PFP110JPR.{PB

[2005/04/05 21:31:36 | 000,012,358 | ---- | C] () -- C:\Documents and Settings\Owner\Application Data\PFP110JCM.{PB

[2005/04/05 21:21:06 | 000,000,258 | ---- | C] () -- C:\WINDOWS\System32\BDEMERGE.INI

[2005/04/03 23:32:50 | 000,060,449 | ---- | C] () -- C:\WINDOWS\cdplayer.ini

[2005/04/01 14:31:55 | 000,040,960 | ---- | C] () -- C:\WINDOWS\System32\IPPCPUID.DLL

[2005/04/01 14:31:17 | 000,122,880 | ---- | C] () -- C:\WINDOWS\System32\Nsvideo.dll

[2005/03/29 23:00:51 | 000,001,793 | ---- | C] () -- C:\WINDOWS\System32\fxsperf.ini

[2005/03/29 22:42:25 | 000,004,272 | R--- | C] () -- C:\WINDOWS\System32\drivers\bvrp_pci.sys

[2005/03/29 22:10:29 | 000,000,372 | ---- | C] () -- C:\WINDOWS\wininit.ini

[2004/03/26 17:59:22 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\px.ini

[2003/08/12 12:58:22 | 000,118,784 | ---- | C] () -- C:\WINDOWS\System32\lfkodak.dll

[2003/08/12 12:58:20 | 000,338,944 | ---- | C] () -- C:\WINDOWS\System32\lffpx7.dll

[2002/07/07 11:54:51 | 000,037,408 | ---- | C] () -- C:\WINDOWS\System32\drivers\SbcpHid.sys

[1999/01/22 13:46:58 | 000,065,536 | ---- | C] () -- C:\WINDOWS\System32\MSRTEDIT.DLL

========== Alternate Data Streams ==========


< End of report >

Link to post
Share on other sites

Run OTL

  • Under the Custom Scans/Fixes box at the bottom, paste in the following
    :OTL
    O3 - HKLM\..\Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - No CLSID value found.
    O3 - HKLM\..\Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - No CLSID value found.
    O3 - HKCU\..\Toolbar\ShellBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
    O16 - DPF: {38D63471-E630-4492-A986-B8C48B79F2F8} http://update.videoegg.com/wintel/VideoEggPublisher.exe (CVideoEgg_ActiveXCtl Object)
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_15)
    O16 - DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab (Java Plug-in 1.5.0_10)
    O16 - DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab (Java Plug-in 1.5.0_11)
    O16 - DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_01)
    O16 - DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_02)
    O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_03)
    O16 - DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_05)
    O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_07)
    O16 - DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_15)
    O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_15)
    [2010/03/06 13:29:20 | 000,006,456 | -H-- | M] () -- C:\WINDOWS\System32\litolani
    [2008/10/12 23:01:54 | 000,000,004 | ---- | C] () -- C:\Documents and Settings\Owner\Application Data\iexplore.iss

    :Files
    c:\documents and settings\All Users\Application Data\vawirofa
    c:\documents and settings\All Users\Application Data\natulevo
    c:\documents and settings\All Users\Application Data\mafuyiha
    c:\documents and settings\All Users\Application Data\pasaruwe
    c:\documents and settings\All Users\Application Data\jijejamu
    c:\documents and settings\All Users\Application Data\labesina


  • Then click the Run Fix button at the top
  • Let the program run unhindered; when it is done it will say "Fix Complete press ok to open log"
  • Please post that log in your next reply.

================================Follow up scan=================================

  • Double click on OTL to run it. Make sure all other windows are closed, and let it run uninterrupted.
  • When the window appears, underneath Output at the top change it to Minimal Output.
  • Under the Standard Registry box change it to All.
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open one Notepad window, OTL.Txt. This is saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of this file and post it with your next reply.

Link to post
Share on other sites

Error: Unable to interpret <CODE> in the current context!

========== OTL ==========

Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\{2318C2B1-4965-11d4-9B18-009027A5CD4F} deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2318C2B1-4965-11d4-9B18-009027A5CD4F}\ not found.

Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\{BA52B914-B692-46c4-B683-905236F6F655} deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{BA52B914-B692-46c4-B683-905236F6F655}\ not found.

Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\\{2318C2B1-4965-11D4-9B18-009027A5CD4F} deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2318C2B1-4965-11D4-9B18-009027A5CD4F}\ not found.

Starting removal of ActiveX control {38D63471-E630-4492-A986-B8C48B79F2F8}

Registry error reading value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{38D63471-E630-4492-A986-B8C48B79F2F8}\DownloadInformation\\INF .

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{38D63471-E630-4492-A986-B8C48B79F2F8}\ deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{38D63471-E630-4492-A986-B8C48B79F2F8}\ deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{38D63471-E630-4492-A986-B8C48B79F2F8}\ not found.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{38D63471-E630-4492-A986-B8C48B79F2F8}\ not found.

Starting removal of ActiveX control {8AD9C840-044E-11D1-B3E9-00805F499D93}

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ deleted successfully.

Registry key HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ not found.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ not found.

Starting removal of ActiveX control {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA}

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA}\ deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA}\ deleted successfully.

Registry key HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA}\ deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA}\ not found.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA}\ not found.

Starting removal of ActiveX control {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA}

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA}\ deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA}\ deleted successfully.

Registry key HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA}\ deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA}\ not found.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA}\ not found.

Starting removal of ActiveX control {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}\ deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}\ deleted successfully.

Registry key HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}\ deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}\ not found.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}\ not found.

Starting removal of ActiveX control {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}\ deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}\ deleted successfully.

Registry key HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}\ deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}\ not found.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}\ not found.

Starting removal of ActiveX control {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}\ deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}\ deleted successfully.

Registry key HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}\ deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}\ not found.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}\ not found.

Starting removal of ActiveX control {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}\ deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}\ deleted successfully.

Registry key HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}\ deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}\ not found.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}\ not found.

Starting removal of ActiveX control {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}\ deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}\ deleted successfully.

Registry key HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}\ deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}\ not found.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}\ not found.

Starting removal of ActiveX control {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}\ deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}\ deleted successfully.

Registry key HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}\ deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}\ not found.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}\ not found.

Starting removal of ActiveX control {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\ deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\ deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\ not found.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\ not found.

C:\WINDOWS\system32\litolani moved successfully.

C:\Documents and Settings\Owner\Application Data\iexplore.iss moved successfully.

========== FILES ==========

File\Folder c:\documents and settings\All Users\Application Data\vawirofa not found.

File\Folder c:\documents and settings\All Users\Application Data\natulevo not found.

File\Folder c:\documents and settings\All Users\Application Data\mafuyiha not found.

File\Folder c:\documents and settings\All Users\Application Data\pasaruwe not found.

File\Folder c:\documents and settings\All Users\Application Data\jijejamu not found.

File\Folder c:\documents and settings\All Users\Application Data\labesina not found.

OTL by OldTimer - Version 3.1.34.0 log created on 03172010_195909


OTL logfile created on: 3/17/2010 8:02:42 PM - Run 2

OTL by OldTimer - Version 3.1.34.0 Folder = C:\Documents and Settings\Owner\Desktop

Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation

Internet Explorer (Version = 7.0.5730.13)

Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 75.00% Memory free

4.00 Gb Paging File | 3.00 Gb Available in Paging File | 90.00% Paging File free

Paging file location(s): C:\pagefile.sys 2 3069 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files

Drive C: | 74.46 Gb Total Space | 38.39 Gb Free Space | 51.56% Space Free | Partition Type: NTFS

D: Drive not present or media not loaded

E: Drive not present or media not loaded

F: Drive not present or media not loaded

G: Drive not present or media not loaded

H: Drive not present or media not loaded

I: Drive not present or media not loaded

Computer Name: CYNTANDZEST

Current User Name: Owner

Logged in as Administrator.

Current Boot Mode: Normal

Scan Mode: Current user

Company Name Whitelist: Off

Skip Microsoft Files: Off

File Age = 30 Days

Output = Minimal

========== Processes (SafeList) ==========

PRC - C:\Documents and Settings\Owner\Desktop\OTL.exe (OldTimer Tools)

PRC - C:\Program Files\McAfee\MSC\mcmscsvc.exe (McAfee, Inc.)

PRC - C:\Program Files\McAfee\MPF\MpfSrv.exe (McAfee, Inc.)

PRC - c:\Program Files\Common Files\McAfee\McProxy\McProxy.exe (McAfee, Inc.)

PRC - C:\Program Files\McAfee\MSM\McSmtFwk.exe (McAfee, Inc.)

PRC - C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (Safer Networking Limited)

PRC - C:\WINDOWS\system32\LxrJD31s.exe ()

PRC - C:\WINDOWS\system32\snmp.exe (Microsoft Corporation)

PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)

PRC - C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe (Eastman Kodak Company)

PRC - C:\Nexon\Mabinogi\npkcmsvc.exe (INCA Internet Co., Ltd.)

PRC - C:\Program Files\Common Files\AOL\1112159610\EE\aolsoftware.exe (AOL LLC)

PRC - C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe (AOL LLC)

PRC - C:\Program Files\America Online 9.0\aoltray.exe (America Online, Inc.)

========== Modules (SafeList) ==========

MOD - C:\Documents and Settings\Owner\Desktop\OTL.exe (OldTimer Tools)

========== Win32 Services (SafeList) ==========

SRV - (McNASvc) -- File not found

SRV - (ITMRTSVC) -- File not found

SRV - (aolavupd) -- File not found

SRV - (mcmscsvc) -- C:\Program Files\McAfee\MSC\mcmscsvc.exe (McAfee, Inc.)

SRV - (MpfService) -- C:\Program Files\McAfee\MPF\MPFSrv.exe (McAfee, Inc.)

SRV - (McShield) -- C:\Program Files\McAfee\VirusScan\Mcshield.exe (McAfee, Inc.)

SRV - (McSysmon) -- C:\Program Files\McAfee\VirusScan\mcsysmon.exe (McAfee, Inc.)

SRV - (McProxy) -- c:\Program Files\Common Files\McAfee\McProxy\McProxy.exe (McAfee, Inc.)

SRV - (LxrJD31s) -- C:\WINDOWS\System32\LxrJD31s.exe ()

SRV - (SNMP) -- C:\WINDOWS\system32\snmp.exe (Microsoft Corporation)

SRV - (npkcmsvc) -- C:\Nexon\Mabinogi\npkcmsvc.exe (INCA Internet Co., Ltd.)

SRV - (AOL ACS) -- C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe (AOL LLC)

SRV - (dlbt_device) -- C:\WINDOWS\System32\dlbtcoms.exe (Dell)

SRV - (LPDSVC) -- C:\WINDOWS\system32\tcpsvcs.exe (Microsoft Corporation)

========== Driver Services (SafeList) ==========

DRV - (mfehidk) -- C:\WINDOWS\system32\drivers\mfehidk.sys (McAfee, Inc.)

DRV - (mfeavfk) -- C:\WINDOWS\system32\drivers\mfeavfk.sys (McAfee, Inc.)

DRV - (mfesmfk) -- C:\WINDOWS\system32\drivers\mfesmfk.sys (McAfee, Inc.)

DRV - (mfebopk) -- C:\WINDOWS\system32\drivers\mfebopk.sys (McAfee, Inc.)

DRV - (mferkdk) -- C:\WINDOWS\system32\drivers\mferkdk.sys (McAfee, Inc.)

DRV - (MPFP) -- C:\WINDOWS\system32\drivers\Mpfp.sys (McAfee, Inc.)

DRV - (eeCtrl) -- C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys (Symantec Corporation)

DRV - (LxrJD31d) -- C:\WINDOWS\system32\drivers\LxrJD31d.sys ()

DRV - (MRESP50) -- C:\Program Files\Common Files\Motive\MRESP50.sys (Printing Communications Assoc., Inc. (PCAUSA))

DRV - (MREMP50) -- C:\Program Files\Common Files\Motive\MREMP50.sys (Printing Communications Assoc., Inc. (PCAUSA))

DRV - (MCSTRM) -- C:\WINDOWS\system32\drivers\mcstrm.sys (RealNetworks, Inc.)

DRV - (ATWPKT2) -- C:\WINDOWS\system32\drivers\atwpkt2.sys (America Online)

DRV - (StMp3Rec) -- C:\WINDOWS\system32\drivers\StMp3Rec.sys (Generic)

DRV - (NPPTNT2) -- C:\WINDOWS\system32\npptNT2.sys (INCA Internet Co., Ltd.)

DRV - (tfsnudfa) -- C:\WINDOWS\system32\dla\tfsnudfa.sys (Sonic Solutions)

DRV - (tfsnudf) -- C:\WINDOWS\system32\dla\tfsnudf.sys (Sonic Solutions)

DRV - (tfsnifs) -- C:\WINDOWS\system32\dla\tfsnifs.sys (Sonic Solutions)

DRV - (tfsncofs) -- C:\WINDOWS\system32\dla\tfsncofs.sys (Sonic Solutions)

DRV - (tfsnboio) -- C:\WINDOWS\system32\dla\tfsnboio.sys (Sonic Solutions)

DRV - (tfsnopio) -- C:\WINDOWS\system32\dla\tfsnopio.sys (Sonic Solutions)

DRV - (tfsnpool) -- C:\WINDOWS\system32\dla\tfsnpool.sys (Sonic Solutions)

DRV - (tfsndrct) -- C:\WINDOWS\system32\dla\tfsndrct.sys (Sonic Solutions)

DRV - (tfsndres) -- C:\WINDOWS\system32\dla\tfsndres.sys (Sonic Solutions)

DRV - (drvnddm) -- C:\WINDOWS\system32\drivers\drvnddm.sys (Sonic Solutions)

DRV - (drvmcdb) -- C:\WINDOWS\system32\drivers\drvmcdb.sys (Sonic Solutions)

DRV - (sscdbhk5) -- C:\WINDOWS\system32\drivers\sscdbhk5.sys (Sonic Solutions)

DRV - (ssrtln) -- C:\WINDOWS\system32\drivers\ssrtln.sys (Sonic Solutions)

DRV - (IntelC52) -- C:\WINDOWS\system32\drivers\IntelC52.sys (Intel Corporation)

DRV - (IntelC51) -- C:\WINDOWS\system32\drivers\IntelC51.sys (Intel Corporation)

DRV - (IntelC53) -- C:\WINDOWS\system32\drivers\IntelC53.sys (Intel Corporation)

DRV - (mohfilt) -- C:\WINDOWS\system32\drivers\mohfilt.sys (Intel Corporation)

DRV - (bvrp_pci) -- C:\WINDOWS\system32\drivers\bvrp_pci.sys ()

DRV - (bcm4sbxp) -- C:\WINDOWS\system32\drivers\bcm4sbxp.sys (Broadcom Corporation)

DRV - (wanatw) WAN Miniport (ATW) -- C:\WINDOWS\system32\drivers\wanatw4.sys (America Online, Inc.)

DRV - (SbcpHid) -- C:\WINDOWS\system32\drivers\SbcpHid.sys ()

DRV - (OMCI) -- C:\WINDOWS\SYSTEM32\DRIVERS\OMCI.SYS (Dell Computer Corporation)

DRV - (MODEMCSA) -- C:\WINDOWS\system32\drivers\MODEMCSA.sys (Microsoft Corporation)

========== Standard Registry (All) ==========

========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = [binary data]

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomSearch = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm

IE - HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:9090

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Page_Transitions = 1

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Google

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://www.google.com/search?q={searchTerm...tf8&oe=utf8

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,start page = http://www.msn.com/

IE - HKCU\..\URLSearchHook: {CFBFAE00-17A6-11D0-99CB-00C04FD64497} - C:\WINDOWS\system32\ieframe.dll (Microsoft Corporation)

IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local;<local>

FF - HKLM\software\mozilla\Firefox\Extensions\\myspacefftb@myspace.com: C:\Documents and Settings\JUST DONT KNOW\Application Data\MySpace\Toolbar\bin\

FF - HKLM\software\mozilla\Firefox\Extensions\\{20a82645-c095-46ed-80e3-08825760534b}: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\ [2009/08/09 21:11:49 | 000,000,000 | ---D | M]

FF - HKLM\software\mozilla\Firefox\Extensions\\jqs@sun.com: C:\Program Files\Java\jre6\lib\deploy\jqs\ff [2009/09/22 22:38:37 | 000,000,000 | ---D | M]

[2009/06/04 19:55:08 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Mozilla\Extensions

[2009/06/04 19:55:08 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Mozilla\Extensions\mozswing@mozswing.org

O1 HOSTS File: ([2010/03/15 18:29:52 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts

O1 - Hosts: 127.0.0.1 localhost

O2 - BHO: (&Yahoo! Toolbar Helper) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)

O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)

O2 - BHO: (scriptproxy) - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll (McAfee, Inc.)

O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)

O3 - HKLM\..\Toolbar: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)

O3 - HKCU\..\Toolbar\WebBrowser: (&Address) - {01E04581-4EEE-11D0-BFE9-00AA005B4383} - C:\WINDOWS\system32\browseui.dll (Microsoft Corporation)

O3 - HKCU\..\Toolbar\WebBrowser: (&Links) - {0E5CBF21-D15F-11D0-8301-00AA005B4383} - C:\WINDOWS\system32\shell32.dll (Microsoft Corporation)

O3 - HKCU\..\Toolbar\WebBrowser: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)

O4 - HKLM..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe (AOL LLC)

O4 - HKLM..\Run: [Dell Photo AIO Printer 922] C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe ()

O4 - HKLM..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe (Sonic Solutions)

O4 - HKLM..\Run: [HostManager] C:\Program Files\Common Files\AOL\1112159610\EE\aolsoftware.exe (AOL LLC)

O4 - HKLM..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe (Intel Corporation)

O4 - HKLM..\Run: [intelMeM] C:\Program Files\Intel\Modem Event Monitor\intelmem.exe (Intel Corporation)

O4 - HKLM..\Run: [QuickTime Task] C:\Program Files\QuickTime\qttask.exe (Apple Computer, Inc.)

O4 - HKCU..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (Microsoft Corporation)

O4 - HKCU..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (Safer Networking Limited)

O4 - HKCU..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe (Yahoo! Inc.)

O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe (Adobe Systems Incorporated)

O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe (America Online, Inc.)

O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe (Eastman Kodak Company)

O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Main present

O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\PhishingFilter present

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableRegistryTools = 0

O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Recovery present

O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323

O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: RestrictRun = 0

O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863

O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0

O9 - Extra 'Tools' menuitem : Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)

O10 - NameSpace_Catalog5\Catalog_Entries\000000000001 [] - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)

O10 - NameSpace_Catalog5\Catalog_Entries\000000000002 [] - C:\WINDOWS\system32\winrnr.dll (Microsoft Corporation)

O10 - NameSpace_Catalog5\Catalog_Entries\000000000003 [] - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)

O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)

O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)

O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)

O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - C:\WINDOWS\system32\rsvpsp.dll (Microsoft Corporation)

O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - C:\WINDOWS\system32\rsvpsp.dll (Microsoft Corporation)

O10 - Protocol_Catalog9\Catalog_Entries\000000000006 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)

O10 - Protocol_Catalog9\Catalog_Entries\000000000007 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)

O10 - Protocol_Catalog9\Catalog_Entries\000000000008 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)

O10 - Protocol_Catalog9\Catalog_Entries\000000000009 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)

O10 - Protocol_Catalog9\Catalog_Entries\000000000010 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)

O10 - Protocol_Catalog9\Catalog_Entries\000000000011 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)

O10 - Protocol_Catalog9\Catalog_Entries\000000000012 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)

O10 - Protocol_Catalog9\Catalog_Entries\000000000013 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)

O10 - Protocol_Catalog9\Catalog_Entries\000000000014 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)

O10 - Protocol_Catalog9\Catalog_Entries\000000000015 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)

O15 - HKCU\..Trusted Domains: internet ([]about in Trusted sites)

O15 - HKCU\..Trusted Domains: mcafee.com ([]http in Trusted sites)

O15 - HKCU\..Trusted Domains: mcafee.com ([]https in Trusted sites)

O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} http://office.microsoft.com/templates/ieawsdc.cab (Microsoft Office Template and Media Control)

O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} file:///C:/Program%20Files/Bejeweled%202/Images/stg_drm.ocx (SpinTop DRM Control)

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://fpdownload.macromedia.com/get/shock...director/sw.cab (Shockwave ActiveX Control)

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://download.microsoft.com/download/9/b...heckControl.cab (Windows Genuine Advantage Validation Tool)

O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} Reg Error: Key error. (Reg Error: Key error.)

O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} http://cdn.scan.onecare.live.com/resource/...wlscbase370.cab (Windows Live Safety Center Base Module)

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://v5.windowsupdate.microsoft.com/v5co...b?1112754142203 (WUWebControl Class)

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://update.microsoft.com/microsoftupdat...b?1131064372484 (MUWebControl Class)

O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} https://echat.us.dell.com/Media/VisitorChat/TLIEFlash.CAB (TLIEFlashObj Class)

O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} http://cdn2.zone.msn.com/binFramework/v10/...ro.cab56649.cab (MSN Games - Installer)

O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} file:///C:/Program%20Files/Real%20Crimes%20-%20The%20Unicorn%20Killer/Images/armhelper.ocx (ArmHelper Control)

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://download.macromedia.com/pub/shockwa...ash/swflash.cab (Shockwave Flash Object)

O16 - DPF: Microsoft XML Parser for Java file://C:\WINDOWS\Java\classes\xmldso.cab (Reg Error: Key error.)

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.254

O18 - Protocol\Handler\about {3050F406-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)

O18 - Protocol\Handler\cdl {3dd53d40-7b8b-11D0-b013-00aa0059ce02} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)

O18 - Protocol\Handler\dvd {12D51199-0DB5-46FE-A120-47A3D7D937CC} - C:\WINDOWS\system32\msvidctl.dll (Microsoft Corporation)

O18 - Protocol\Handler\file {79eac9e7-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)

O18 - Protocol\Handler\ftp {79eac9e3-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)

O18 - Protocol\Handler\gopher {79eac9e4-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)

O18 - Protocol\Handler\http {79eac9e2-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)

O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)

O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)

O18 - Protocol\Handler\https {79eac9e5-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)

O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)

O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)

O18 - Protocol\Handler\ipp - No CLSID value found

O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)

O18 - Protocol\Handler\its {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINDOWS\system32\itss.dll (Microsoft Corporation)

O18 - Protocol\Handler\javascript {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)

O18 - Protocol\Handler\local {79eac9e7-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)

O18 - Protocol\Handler\mailto {3050f3DA-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)

O18 - Protocol\Handler\mhtml {05300401-BCBC-11d0-85E3-00C04FD85AB4} - C:\WINDOWS\system32\inetcomm.dll (Microsoft Corporation)

O18 - Protocol\Handler\mk {79eac9e6-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)

O18 - Protocol\Handler\msdaipp - No CLSID value found

O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)

O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)

O18 - Protocol\Handler\ms-its {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINDOWS\system32\itss.dll (Microsoft Corporation)

O18 - Protocol\Handler\res {3050F3BC-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)

O18 - Protocol\Handler\sysimage {76E67A63-06E9-11D2-A840-006008059382} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)

O18 - Protocol\Handler\tv {CBD30858-AF45-11D2-B6D6-00C04FBBDE6E} - C:\WINDOWS\system32\msvidctl.dll (Microsoft Corporation)

O18 - Protocol\Handler\vbscript {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)

O18 - Protocol\Handler\wia {13F3EA8B-91D7-4F0A-AD76-D2853AC8BECE} - C:\WINDOWS\system32\wiascr.dll (Microsoft Corporation)

O18 - Protocol\Filter\application/octet-stream {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - C:\WINDOWS\System32\mscoree.dll (Microsoft Corporation)

O18 - Protocol\Filter\application/x-complus {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - C:\WINDOWS\System32\mscoree.dll (Microsoft Corporation)

O18 - Protocol\Filter\application/x-msdownload {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - C:\WINDOWS\System32\mscoree.dll (Microsoft Corporation)

O18 - Protocol\Filter\Class Install Handler {32B533BB-EDAE-11d0-BD5A-00AA00B92AF1} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)

O18 - Protocol\Filter\deflate {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)

O18 - Protocol\Filter\gzip {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)

O18 - Protocol\Filter\lzdhtml {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)

O18 - Protocol\Filter\text/webviewhtml {733AC4CB-F1A4-11d0-B951-00A0C90312E1} - C:\WINDOWS\system32\shell32.dll (Microsoft Corporation)

O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)

O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)

O20 - HKLM Winlogon: UIHost - (logonui.exe) - C:\WINDOWS\System32\logonui.exe (Microsoft Corporation)

O20 - HKLM Winlogon: VMApplet - (rundll32 shell32) - C:\WINDOWS\System32\shell32.dll (Microsoft Corporation)

O20 - HKLM Winlogon: VMApplet - (Control_RunDLL "sysdm.cpl") - C:\WINDOWS\System32\sysdm.cpl (Microsoft Corporation)

O20 - Winlogon\Notify\crypt32chain: DllName - crypt32.dll - C:\WINDOWS\System32\crypt32.dll (Microsoft Corporation)

O20 - Winlogon\Notify\cryptnet: DllName - cryptnet.dll - C:\WINDOWS\System32\cryptnet.dll (Microsoft Corporation)

O20 - Winlogon\Notify\cscdll: DllName - cscdll.dll - C:\WINDOWS\System32\cscdll.dll (Microsoft Corporation)

O20 - Winlogon\Notify\dimsntfy: DllName - %SystemRoot%\System32\dimsntfy.dll - C:\WINDOWS\system32\dimsntfy.dll (Microsoft Corporation)

O20 - Winlogon\Notify\igfxcui: DllName - igfxsrvc.dll - C:\WINDOWS\System32\igfxsrvc.dll (Intel Corporation)

O20 - Winlogon\Notify\ScCertProp: DllName - wlnotify.dll - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation)

O20 - Winlogon\Notify\Schedule: DllName - wlnotify.dll - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation)

O20 - Winlogon\Notify\sclgntfy: DllName - sclgntfy.dll - C:\WINDOWS\System32\sclgntfy.dll (Microsoft Corporation)

O20 - Winlogon\Notify\SensLogn: DllName - WlNotify.dll - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation)

O20 - Winlogon\Notify\termsrv: DllName - wlnotify.dll - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation)

O20 - Winlogon\Notify\WgaLogon: DllName - WgaLogon.dll - C:\WINDOWS\System32\WgaLogon.dll (Microsoft Corporation)

O20 - Winlogon\Notify\wlballoon: DllName - wlnotify.dll - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation)

O21 - SSODL: CDBurn - {fbeb8a05-beee-4442-804e-409d6c4515e9} - C:\WINDOWS\system32\shell32.dll (Microsoft Corporation)

O21 - SSODL: PostBootReminder - {7849596a-48ea-486e-8937-a2a3009f31a9} - C:\WINDOWS\system32\shell32.dll (Microsoft Corporation)

O21 - SSODL: SysTray - {35CEC8A3-2BE6-11D2-8773-92E220524153} - C:\WINDOWS\system32\stobject.dll (Microsoft Corporation)

O21 - SSODL: UPnPMonitor - {e57ce738-33e8-4c51-8354-bb4de9d215d1} - C:\WINDOWS\system32\upnpui.dll (Microsoft Corporation)

O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - C:\WINDOWS\system32\webcheck.dll (Microsoft Corporation)

O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll (Microsoft Corporation)

O22 - SharedTaskScheduler: {438755C2-A8BA-11D1-B96B-00A0C90312E1} - Browseui preloader - C:\WINDOWS\system32\browseui.dll (Microsoft Corporation)

O22 - SharedTaskScheduler: {8C7461EF-2B13-11d2-BE35-3078302C2030} - Component Categories cache daemon - C:\WINDOWS\system32\browseui.dll (Microsoft Corporation)

O24 - Desktop Components:0 (My Current Home Page) - About:Home

O24 - Desktop WallPaper: C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Wallpaper1.bmp

O24 - Desktop BackupWallPaper: C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Wallpaper1.bmp

O28 - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - C:\WINDOWS\System32\shell32.dll (Microsoft Corporation)

O29 - HKLM SecurityProviders - (msapsspc.dll) - C:\WINDOWS\System32\msapsspc.dll (Microsoft Corporation)

O29 - HKLM SecurityProviders - (schannel.dll) - C:\WINDOWS\System32\schannel.dll (Microsoft Corporation)

O29 - HKLM SecurityProviders - (digest.dll) - C:\WINDOWS\System32\digest.dll (Microsoft Corporation)

O29 - HKLM SecurityProviders - (msnsspc.dll) - C:\WINDOWS\System32\msnsspc.dll (Microsoft Corporation)

O30 - LSA: Authentication Packages - (msv1_0) - C:\WINDOWS\System32\msv1_0.dll (Microsoft Corporation)

O30 - LSA: Security Packages - (kerberos) - C:\WINDOWS\System32\kerberos.dll (Microsoft Corporation)

O30 - LSA: Security Packages - (msv1_0) - C:\WINDOWS\System32\msv1_0.dll (Microsoft Corporation)

O30 - LSA: Security Packages - (schannel) - C:\WINDOWS\System32\schannel.dll (Microsoft Corporation)

O30 - LSA: Security Packages - (wdigest) - C:\WINDOWS\System32\wdigest.dll (Microsoft Corporation)

O31 - SafeBoot: AlternateShell - cmd.exe

O32 - HKLM CDRom: AutoRun - 1

O32 - AutoRun File - [2005/03/29 21:20:44 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]

O34 - HKLM BootExecute: (autocheck autochk *) - File not found

O35 - comfile [open] -- "%1" %*

O35 - exefile [open] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010/03/17 19:57:46 | 000,000,000 | ---D | C] -- C:\_OTL

[2010/03/16 21:34:32 | 000,000,000 | ---D | C] -- C:\Program Files\ESET

[2010/03/16 21:07:37 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Application Data\Malwarebytes

[2010/03/16 21:07:33 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys

[2010/03/16 21:07:31 | 000,019,160 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys

[2010/03/16 21:07:31 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware

[2010/03/16 20:59:50 | 000,000,000 | -HSD | C] -- C:\RECYCLER

[2010/03/15 22:46:42 | 000,000,000 | ---D | C] -- C:\puddin17215p

[2010/03/15 18:15:46 | 000,000,000 | ---D | C] -- C:\puddin4335p

[2010/03/14 18:25:00 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\My Documents\combo log txt

[2010/03/14 17:25:53 | 000,000,000 | RHSD | C] -- C:\cmdcons

[2010/03/14 17:23:58 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe

[2010/03/14 17:23:58 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe

[2010/03/14 17:23:58 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe

[2010/03/14 17:23:58 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe

[2010/03/14 17:23:36 | 000,000,000 | ---D | C] -- C:\puddin

[2010/03/14 17:01:49 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT

[2010/03/13 20:05:02 | 000,000,000 | ---D | C] -- C:\Qoobox

[2010/03/11 21:05:10 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\SACore

[2010/03/06 18:14:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft

[2010/02/27 22:38:35 | 000,553,984 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTL.exe

[2010/02/27 17:50:01 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes

[2009/06/13 20:52:54 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Adobe

[2008/10/13 21:12:08 | 000,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Application Data\Microsoft

[2008/10/11 17:17:32 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\Adobe

[2008/10/11 17:17:22 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\Yahoo!

[2008/03/10 20:49:26 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft

[2008/03/10 20:49:25 | 000,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Application Data\Microsoft

[2005/12/27 14:45:50 | 000,774,144 | ---- | C] (RealNetworks, Inc.) -- C:\Program Files\RngInterstitial.dll

[2005/12/08 15:26:00 | 000,155,648 | ---- | C] ( ) -- C:\WINDOWS\System32\flashshl.dll

[2005/08/31 20:33:54 | 000,092,672 | ---- | C] ( ) -- C:\WINDOWS\System32\DVDRead.dll

[2005/03/31 23:40:07 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\Macromedia

[2003/12/09 13:16:52 | 000,442,368 | ---- | C] ( ) -- C:\WINDOWS\System32\comintfs.dll

[7 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

[5 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

[3 C:\Documents and Settings\Owner\My Documents\*.tmp files -> C:\Documents and Settings\Owner\My Documents\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/03/17 19:53:17 | 000,000,366 | ---- | M] () -- C:\WINDOWS\tasks\Symantec NetDetect.job

[2010/03/17 19:52:52 | 000,334,438 | ---- | M] () -- C:\logfile

[2010/03/17 19:51:34 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl

[2010/03/17 19:50:50 | 000,011,261 | ---- | M] () -- C:\WINDOWS\System32\Config.MPF

[2010/03/17 19:50:20 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT

[2010/03/17 19:50:14 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat

[2010/03/17 07:27:50 | 008,388,608 | ---- | M] () -- C:\Documents and Settings\Owner\ntuser.dat

[2010/03/17 07:27:50 | 000,000,278 | -HS- | M] () -- C:\Documents and Settings\Owner\ntuser.ini

[2010/03/16 21:07:36 | 000,000,696 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk

[2010/03/15 22:57:36 | 000,000,246 | ---- | M] () -- C:\WINDOWS\system.ini

[2010/03/15 18:29:52 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts

[2010/03/15 18:11:21 | 003,891,061 | R--- | M] () -- C:\Documents and Settings\Owner\Desktop\puddin.exe

[2010/03/15 17:59:13 | 000,444,844 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat

[2010/03/15 17:59:12 | 000,528,018 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI

[2010/03/15 17:59:12 | 000,073,060 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat

[2010/03/14 19:10:18 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK

[2010/03/14 19:07:14 | 000,000,309 | ---- | M] () -- C:\WINDOWS\System32\MRT.INI

[2010/03/14 18:26:01 | 000,002,473 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\Microsoft Word.lnk

[2010/03/14 17:26:00 | 000,000,281 | RHS- | M] () -- C:\boot.ini

[2010/03/13 20:10:57 | 003,888,953 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\ComboFix.exe

[2010/03/13 19:55:07 | 003,888,953 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\ComboFix.exe

[2010/03/13 19:51:00 | 000,000,627 | ---- | M] () -- C:\WINDOWS\dellstat.ini

[2010/03/11 23:19:08 | 000,002,317 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\OverDrive Media Console.lnk

[2010/03/08 00:54:33 | 000,008,804 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\Kiwayne's rough draft my edit.rtf

[2010/03/06 20:07:30 | 000,293,376 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\7w2htxsg.exe

[2010/03/06 19:40:31 | 000,553,984 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTL.exe

[2010/03/06 18:14:03 | 000,000,000 | -H-- | M] () -- C:\WINDOWS\System32\drivers\UMDF\Msft_User_WpdMtpDr_01_00_00.Wdf

[2010/03/05 14:03:19 | 000,000,260 | ---- | M] () -- C:\WINDOWS\tasks\Disk Cleanup.job

[7 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

[5 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

[3 C:\Documents and Settings\Owner\My Documents\*.tmp files -> C:\Documents and Settings\Owner\My Documents\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/03/16 21:07:36 | 000,000,696 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk

[2010/03/14 17:26:00 | 000,000,211 | ---- | C] () -- C:\Boot.bak

[2010/03/14 17:25:56 | 000,260,272 | ---- | C] () -- C:\cmldr

[2010/03/14 17:23:58 | 000,261,632 | ---- | C] () -- C:\WINDOWS\PEV.exe

[2010/03/14 17:23:58 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe

[2010/03/14 17:23:58 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe

[2010/03/14 17:23:58 | 000,077,312 | ---- | C] () -- C:\WINDOWS\MBR.exe

[2010/03/14 17:23:58 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe

[2010/03/14 16:42:35 | 003,891,061 | R--- | C] () -- C:\Documents and Settings\Owner\Desktop\puddin.exe

[2010/03/13 20:07:38 | 003,888,953 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\ComboFix.exe

[2010/03/13 19:54:55 | 003,888,953 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\ComboFix.exe

[2010/03/08 00:50:51 | 000,008,804 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\Kiwayne's rough draft my edit.rtf

[2010/03/06 20:07:28 | 000,293,376 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\7w2htxsg.exe

[2010/02/06 21:46:00 | 000,767,952 | ---- | C] () -- C:\WINDOWS\BDTSupport.dll.old

[2009/08/19 20:59:57 | 000,018,166 | ---- | C] () -- C:\WINDOWS\System32\esyb.sys

[2009/08/19 20:59:57 | 000,014,206 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\ijuluz.com

[2009/08/19 20:59:57 | 000,012,292 | ---- | C] () -- C:\WINDOWS\xivez.sys

[2009/08/19 20:59:57 | 000,011,653 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\netekud._sy

[2009/08/19 20:59:57 | 000,010,689 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\upamireb._dl

[2009/07/03 14:06:10 | 001,329,664 | ---- | C] () -- C:\WINDOWS\System32\nszFA.dll

[2009/07/02 21:51:08 | 000,000,000 | ---- | C] () -- C:\WINDOWS\game.INI

[2009/07/02 19:39:41 | 000,000,128 | ---- | C] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\fusioncache.dat

[2009/07/02 16:37:43 | 000,354,816 | ---- | C] () -- C:\WINDOWS\System32\psisdecd.dll

[2009/06/29 20:52:53 | 000,622,113 | ---- | C] () -- C:\WINDOWS\System32\IDPList.dll

[2009/06/29 20:52:53 | 000,013,772 | ---- | C] () -- C:\WINDOWS\System32\IDPImmData.dll

[2009/06/29 20:52:52 | 000,000,162 | ---- | C] () -- C:\WINDOWS\System32\IDPCritProc.dll

[2009/06/07 12:35:29 | 000,000,076 | ---- | C] () -- C:\WINDOWS\System32\IDPVer.ini

[2009/06/07 12:14:08 | 000,002,557 | ---- | C] () -- C:\WINDOWS\System32\sk_bho.ini

[2009/06/07 11:40:19 | 000,000,045 | ---- | C] () -- C:\WINDOWS\System32\RPVersion.ini

[2009/05/15 23:37:13 | 000,000,607 | ---- | C] () -- C:\Documents and Settings\Owner\Application Data\BuGHkSmUzn.gif

[2009/05/15 23:37:12 | 000,002,119 | ---- | C] () -- C:\Documents and Settings\Owner\Application Data\BuGHkSmUat.gif

[2009/05/15 23:37:12 | 000,000,598 | ---- | C] () -- C:\Documents and Settings\Owner\Application Data\BuGHkSmUby.gif

[2008/11/30 15:40:21 | 000,000,004 | ---- | C] () -- C:\WINDOWS\msoffice.ini

[2008/10/13 01:05:06 | 000,000,073 | ---- | C] () -- C:\WINDOWS\st_affiliate.ini

[2008/03/31 20:05:08 | 000,000,000 | ---- | C] () -- C:\WINDOWS\VPC32.INI

[2008/03/20 22:48:25 | 000,000,627 | ---- | C] () -- C:\WINDOWS\dellstat.ini

[2008/03/20 22:44:53 | 000,126,976 | R--- | C] () -- C:\WINDOWS\System32\dlbtsnls.dll

[2008/03/20 22:44:52 | 000,143,360 | R--- | C] () -- C:\WINDOWS\System32\dlbtcoin.dll

[2008/03/20 22:43:20 | 000,040,960 | ---- | C] () -- C:\WINDOWS\System32\dlbtvs.dll

[2008/03/20 22:43:15 | 000,114,688 | ---- | C] () -- C:\WINDOWS\System32\dlbtcur.dll

[2008/03/20 22:43:15 | 000,069,632 | ---- | C] () -- C:\WINDOWS\System32\dlbtcu.dll

[2008/03/20 22:43:02 | 000,557,056 | ---- | C] () -- C:\WINDOWS\System32\dlbtjswr.dll

[2008/03/20 22:42:52 | 000,401,408 | ---- | C] () -- C:\WINDOWS\System32\dlbtutil.dll

[2008/03/11 18:31:18 | 000,000,309 | ---- | C] () -- C:\WINDOWS\System32\MRT.INI

[2007/11/20 13:32:41 | 000,025,964 | ---- | C] () -- C:\WINDOWS\System32\IDPSigLevel.dll

[2007/11/20 13:32:40 | 005,527,385 | ---- | C] () -- C:\WINDOWS\System32\IDPRSig.dll

[2007/11/20 13:32:39 | 004,985,733 | ---- | C] () -- C:\WINDOWS\System32\IDPFSig.dll

[2007/11/20 13:32:39 | 000,343,272 | ---- | C] () -- C:\WINDOWS\System32\IDPESig.dll

[2007/11/20 13:32:39 | 000,002,380 | ---- | C] () -- C:\WINDOWS\System32\IDPBlkCoo.dll

[2007/01/27 23:08:33 | 000,249,856 | ---- | C] () -- C:\WINDOWS\System32\LxrJD31.dll

[2007/01/27 23:08:33 | 000,061,440 | ---- | C] () -- C:\WINDOWS\System32\LxrJD20Sat.dll

[2007/01/27 23:08:32 | 000,069,824 | ---- | C] () -- C:\WINDOWS\System32\drivers\LxrJD31d.sys

[2006/11/12 15:02:50 | 000,000,000 | ---- | C] () -- C:\WINDOWS\JDSecure31.INI

[2006/10/06 21:00:59 | 000,000,020 | ---- | C] () -- C:\WINDOWS\Epscan2.INI

[2006/10/06 19:30:01 | 000,004,131 | ---- | C] () -- C:\WINDOWS\estwn323.ini

[2006/07/04 00:10:06 | 000,000,022 | ---- | C] () -- C:\WINDOWS\iexplore.ini

[2006/02/13 23:57:40 | 000,000,030 | ---- | C] () -- C:\WINDOWS\atid.ini

[2005/12/25 14:40:10 | 000,000,116 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini

[2005/12/08 15:26:00 | 000,000,468 | ---- | C] () -- C:\WINDOWS\LXBRFMT.INI

[2005/12/08 15:26:00 | 000,000,022 | ---- | C] () -- C:\WINDOWS\FLASHKSK.INI

[2005/12/08 15:25:56 | 000,003,205 | ---- | C] () -- C:\WINDOWS\LXBRCAH.ini

[2005/12/08 15:25:55 | 000,002,178 | ---- | C] () -- C:\WINDOWS\System32\LXBRSET.INI

[2005/09/12 21:44:27 | 000,000,044 | ---- | C] () -- C:\WINDOWS\liveup.ini

[2005/07/17 23:30:34 | 000,044,544 | ---- | C] () -- C:\WINDOWS\System32\gif89.dll

[2005/07/17 23:30:21 | 000,000,529 | ---- | C] () -- C:\WINDOWS\SIERRA.INI

[2005/06/08 15:21:28 | 000,000,191 | ---- | C] () -- C:\WINDOWS\QTW.INI

[2005/05/13 15:31:40 | 000,027,136 | ---- | C] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

[2005/05/08 13:31:06 | 000,302,592 | ---- | C] () -- C:\WINDOWS\System32\pgp.dll

[2005/05/08 13:31:06 | 000,093,184 | ---- | C] () -- C:\WINDOWS\System32\keydb.dll

[2005/05/08 13:31:06 | 000,070,656 | ---- | C] () -- C:\WINDOWS\System32\simple.dll

[2005/05/08 13:31:06 | 000,065,024 | ---- | C] () -- C:\WINDOWS\System32\bn.dll

[2005/05/08 13:29:34 | 000,000,018 | ---- | C] () -- C:\WINDOWS\Epson640.ini

[2005/04/26 01:58:19 | 000,000,082 | ---- | C] () -- C:\WINDOWS\MPLAYER.INI

[2005/04/25 00:22:39 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI

[2005/04/05 21:31:36 | 000,061,678 | ---- | C] () -- C:\Documents and Settings\Owner\Application Data\PFP110JPR.{PB

[2005/04/05 21:31:36 | 000,012,358 | ---- | C] () -- C:\Documents and Settings\Owner\Application Data\PFP110JCM.{PB

[2005/04/05 21:21:06 | 000,000,258 | ---- | C] () -- C:\WINDOWS\System32\BDEMERGE.INI

[2005/04/03 23:32:50 | 000,060,449 | ---- | C] () -- C:\WINDOWS\cdplayer.ini

[2005/04/01 14:31:55 | 000,040,960 | ---- | C] () -- C:\WINDOWS\System32\IPPCPUID.DLL

[2005/04/01 14:31:17 | 000,122,880 | ---- | C] () -- C:\WINDOWS\System32\Nsvideo.dll

[2005/03/29 23:00:51 | 000,001,793 | ---- | C] () -- C:\WINDOWS\System32\fxsperf.ini

[2005/03/29 22:42:25 | 000,004,272 | R--- | C] () -- C:\WINDOWS\System32\drivers\bvrp_pci.sys

[2005/03/29 22:10:29 | 000,000,372 | ---- | C] () -- C:\WINDOWS\wininit.ini

[2004/03/26 17:59:22 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\px.ini

[2003/08/12 12:58:22 | 000,118,784 | ---- | C] () -- C:\WINDOWS\System32\lfkodak.dll

[2003/08/12 12:58:20 | 000,338,944 | ---- | C] () -- C:\WINDOWS\System32\lffpx7.dll

[2002/07/07 11:54:51 | 000,037,408 | ---- | C] () -- C:\WINDOWS\System32\drivers\SbcpHid.sys

[1999/01/22 13:46:58 | 000,065,536 | ---- | C] () -- C:\WINDOWS\System32\MSRTEDIT.DLL

========== Alternate Data Streams ==========


< End of report >


Missed a couple last run.

Run OTL

  • Under the Custom Scans/Fixes box at the bottom, paste in the following
    :OTL
    [2009/08/19 20:59:57 | 000,014,206 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\ijuluz.com
    [2009/08/19 20:59:57 | 000,012,292 | ---- | C] () -- C:\WINDOWS\xivez.sys
    [2009/08/19 20:59:57 | 000,011,653 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\netekud._sy
    [2009/08/19 20:59:57 | 000,010,689 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\upamireb._dl


  • Then click the Run Fix button at the top
  • Let the program run unhindered; when it is done it will say "Fix Complete press ok to open log"
  • Please post that log in your next reply.

After that let me know of any remaining issues.
