
Malwarebytes can not remove Vundo



Vundo cannot be removed by Malwarebytes. After a full scan, clean and restart of the computer, the adware Vundo comes back again and again. Here is a log. Can someone help please.

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Trend Micro\Client Server Security Agent\tmlisten.exe

C:\Program Files\Trend Micro\Client Server Security Agent\OfcPfwSvc.exe

C:\WINDOWS\TEMP\US53E8.EXE

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\S3trayp.exe

C:\Program Files\Trend Micro\Client Server Security Agent\pccntmon.exe

C:\Program Files\LogMeIn\x86\LogMeInSystray.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll

O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll

O2 - BHO: (no name) - {3f17372a-5f4e-4f97-a48f-1c18781bc4f9} - C:\WINDOWS\system32\bazajoja.dll (file missing)

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll

O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll

O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll

O4 - HKLM\..\Run: [s3Trayp] S3trayp.exe

O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\Client Server Security Agent\pccntmon.exe" -HideWindow

O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"

O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray

O4 - HKLM\..\Run: [wewapawulu] Rundll32.exe "C:\WINDOWS\system32\dasikema.dll",s

O4 - HKLM\..\Run: [CPMb7331958] Rundll32.exe "c:\windows\system32\fokonefo.dll",a

O4 - HKLM\..\Run: [b4002ac4] rundll32.exe "C:\WINDOWS\system32\ribegaja.dll",b

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-19\..\Run: [wewapawulu] Rundll32.exe "C:\WINDOWS\system32\dasikema.dll",s (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll

O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll

O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll

O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O14 - IERESET.INF: START_PAGE_URL=http://companyweb

O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = DomainServer.lan

O17 - HKLM\Software\..\Telephony: DomainName = DomainServer.lan

O17 - HKLM\System\CCS\Services\Tcpip\..\{F42FC35B-1325-4674-91CE-A5762B59629F}: NameServer = 10.16.0.1

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = DomainServer.lan

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = DomainServer.lan

O20 - AppInit_DLLs: C:\WINDOWS\system32\laduhute.dll c:\windows\system32\topolobu.dll c:\windows\system32\tadeyike.dll c:\windows\system32\pufikere.dll c:\windows\system32\fokonefo.dll

O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\fokonefo.dll

O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\fokonefo.dll

O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe

O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe

O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

O23 - Service: Trend Micro Client/Server Security Agent RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\Client Server Security Agent\ntrtscan.exe

O23 - Service: Trend Micro Client/Server Security Agent Personal Firewall (OfcPfwSvc) - Trend Micro Inc. - C:\Program Files\Trend Micro\Client Server Security Agent\OfcPfwSvc.exe

O23 - Service: Trend Micro Client/Server Security Agent Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\Client Server Security Agent\tmlisten.exe

--

End of file - 8449 bytes

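An added triage script (not from the original post, and not part of HijackThis or Malwarebytes) that reads HijackThis-style lines like the ones above and groups every module by the load points that reference it, which is what explains why the infection survives a single cleanup. The sample lines are copied from the log above with a few benign entries kept for contrast; the eight-lowercase-letter name heuristic is an assumption tailored to this log's DLL names.

```python
import re
from collections import defaultdict

# Constructed sample: HijackThis entries copied from the log posted above,
# with a few benign lines kept so the heuristics have something to ignore.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {3f17372a-5f4e-4f97-a48f-1c18781bc4f9} - C:\WINDOWS\system32\bazajoja.dll (file missing)
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKLM\..\Run: [wewapawulu] Rundll32.exe "C:\WINDOWS\system32\dasikema.dll",s
O4 - HKLM\..\Run: [CPMb7331958] Rundll32.exe "c:\windows\system32\fokonefo.dll",a
O4 - HKLM\..\Run: [b4002ac4] rundll32.exe "C:\WINDOWS\system32\ribegaja.dll",b
O4 - HKUS\S-1-5-19\..\Run: [wewapawulu] Rundll32.exe "C:\WINDOWS\system32\dasikema.dll",s (User 'LOCAL SERVICE')
O20 - AppInit_DLLs: C:\WINDOWS\system32\laduhute.dll c:\windows\system32\topolobu.dll c:\windows\system32\fokonefo.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\fokonefo.dll
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\fokonefo.dll
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
"""

# A module path: drive letter, then anything up to the first .dll/.exe that is
# not a quote or comma (spaces are allowed, since Program Files paths contain them).
PATH_RE = re.compile(r'[a-z]:\\[^",]+?\.(?:dll|exe)\b', re.IGNORECASE)

# Assumption tailored to this log: the Vundo components here are all eight
# lowercase letters dropped into system32 (bazajoja, dasikema, fokonefo, ...).
RANDOM_NAME_RE = re.compile(r"^[a-z]{8}\.dll$")

# Run keys under the service-account SIDs; interactive software has no business there.
SERVICE_SIDS = ("S-1-5-19", "S-1-5-20")


def load_point(line):
    """The HijackThis prefix before the first ': ', e.g. 'O4 - HKLM\\..\\Run'."""
    return line.split(": ", 1)[0]


def triage(log_text):
    """Scan HijackThis-style lines.

    Returns (findings, loadpoints):
      findings   - list of (reason, load_point, module_basename)
      loadpoints - dict module_basename -> set of load points that reference it
    """
    findings = []
    loadpoints = defaultdict(set)
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line or " - " not in line:
            continue
        lp = load_point(line)
        lower = line.lower()
        for path in PATH_RE.findall(line):
            name = path.rsplit("\\", 1)[-1].lower()
            loadpoints[name].add(lp)
            in_system32 = "\\system32\\" in path.lower()
            if "file missing" in lower or "file not found" in lower:
                findings.append(("orphaned entry: module no longer on disk", lp, name))
            if in_system32 and RANDOM_NAME_RE.match(name):
                findings.append(("random-looking DLL name in system32", lp, name))
            if lp.startswith("O20 - AppInit_DLLs"):
                findings.append(("AppInit_DLLs: loaded into every process that uses user32", lp, name))
            if any(sid in lp for sid in SERVICE_SIDS) and "rundll32" in lower:
                findings.append(("rundll32 Run entry under a service account", lp, name))
    return findings, loadpoints


def multi_loadpoint(loadpoints):
    """Modules referenced from more than one load point: when one entry is
    cleaned, the remaining ones still load the module at the next boot."""
    return {name: sorted(lps) for name, lps in loadpoints.items() if len(lps) > 1}


def report(log_text):
    """Human-readable summary of triage() for pasting into a reply."""
    findings, loadpoints = triage(log_text)
    out = ["Suspicious entries:"]
    out += [f"  [{lp}] {name}: {reason}" for reason, lp, name in findings]
    out.append("Modules with more than one load point:")
    for name, lps in sorted(multi_loadpoint(loadpoints).items()):
        out.append(f"  {name}: {', '.join(lps)}")
    return "\n".join(out)


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```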

Important!

All of the following instructions must be run on the affected computer. Logs from a different computer will not help me help you. So, if you need to download all of this and then copy it to CD or memory stick and take it to the other computer, please do so. Either way, it's important. The logs have to be made by the computer with the problem.

I need you to follow the instructions provided here first.

I also need you to download this program http://oldtimer.geekstogo.com/OTListIt.exe to your desktop.

  • Close all applications and windows so that you have nothing open and are at your Desktop
  • Double-click on the OTListIt.exe file to start OTListIt. OK any warning about running OTListIt.
  • Place a checkmark in the "Scan All Users" checkbox (leave 'Use Whitelist' checked and the 'File Age:' at 30 days)
  • Click the Run Scan button
  • NOTE: Please be patient and let the scan run without using the computer
  • When the scan is complete, a text file (OTListIt.Txt) will open in Notepad (if not, it can be found on your Desktop)
  • In Notepad, click Edit, Select all, then Edit, Copy
  • Reply to this topic, click in the topic reply window, and press Ctrl+V to paste the log, or right-click and Paste.
  • Submit your reply and close the Notepad window with OTListIt.txt
  • Also, OTListIt's Extras.txt log file will be minimized in the Taskbar (and located on your Desktop) - click on this and maximize the window
  • In Notepad, click Edit, Select all, then Edit, Copy
  • Reply to this topic again, click in the topic reply window, and press Ctrl+V to paste the extras log, or right-click and Paste.
  • NOTE: If the files (OTListIt.txt, Extras.txt) do not appear in your taskbar, just open the files in Notepad from your desktop.

Please allow me time to analyze your post. If you don't see a reply from me after 24 hours, feel free to PM me.

MBAM Scan:

Malwarebytes' Anti-Malware 1.30

Database version: 1424

Windows 5.1.2600 Service Pack 2

30/11/2008 10:22:42 AM

mbam-log-2008-11-30 (10-22-42).txt

Scan type: Quick Scan

Objects scanned: 66410

Time elapsed: 5 minute(s), 43 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 2

Registry Keys Infected: 3

Registry Values Infected: 5

Registry Data Items Infected: 2

Folders Infected: 0

Files Infected: 3

OTListIt:

OTListIt logfile created on: 29/11/2008 8:28:34 AM - Run

OTListIt by OldTimer - Version 1.0.12.0 Folder = C:\Documents and Settings\bj.DOMAINSERVER\Desktop\vundo

Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation

Internet Explorer (Version = 7.0.5730.13)

Locale: 00000C09 | Country: Australia | Language: ENA | Date Format: d/MM/yyyy

958.36 Mb Total Physical Memory | 301.65 Mb Available Physical Memory | 31.48% Memory free

2.26 Gb Paging File | 1.80 Gb Available in Paging File | 79.87% Paging File free

Paging file location(s): C:\pagefile.sys 1440 2880;

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files

Drive C: | 78.12 Gb Total Space | 30.17 Gb Free Space | 38.62% Space Free | Partition Type: NTFS

Drive D: | 154.76 Gb Total Space | 135.22 Gb Free Space | 87.38% Space Free | Partition Type: NTFS

Unable to calculate disk information.

F: Drive not present or media not loaded

G: Drive not present or media not loaded

H: Drive not present or media not loaded

I: Drive not present or media not loaded

Computer Name: pj

Current User Name: bj

Logged in as Administrator.

Current Boot Mode: Normal

Scan Mode: All users

Whitelist: On

File Age = 30 Days

========== Processes ==========

[2007/11/15 18:46:12 | 00,116,032 | ---- | M] (LogMeIn, Inc.) -- C:\Program Files\LogMeIn\x86\ramaint.exe

[2007/09/12 11:20:58 | 00,063,040 | ---- | M] (LogMeIn, Inc.) -- C:\Program Files\LogMeIn\x86\LogMeIn.exe

[2008/10/22 16:10:24 | 00,170,640 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

[2007/03/29 09:09:38 | 00,603,856 | ---- | M] (Trend Micro Inc.) -- C:\Program Files\Trend Micro\Client Server Security Agent\NTRtScan.exe

[2007/03/29 09:09:36 | 00,685,776 | ---- | M] (Trend Micro Inc.) -- C:\Program Files\Trend Micro\Client Server Security Agent\TmListen.exe

[2007/03/29 09:03:16 | 00,282,704 | ---- | M] (Trend Micro Inc.) -- C:\Program Files\Trend Micro\Client Server Security Agent\OfcPfwSvc.exe

[2007/03/29 09:10:02 | 00,214,712 | ---- | M] () -- C:\WINDOWS\Temp\US53E8.EXE

[2007/02/06 10:30:52 | 00,176,128 | R--- | M] (S3 Graphics Co., Ltd.) -- C:\WINDOWS\system32\S3Trayp.exe

[2007/03/29 09:10:06 | 00,394,952 | ---- | M] (Trend Micro Inc.) -- C:\Program Files\Trend Micro\Client Server Security Agent\PccNTMon.exe

[2007/09/12 11:20:58 | 00,063,048 | ---- | M] (LogMeIn, Inc.) -- C:\Program Files\LogMeIn\x86\LogMeInSystray.exe

[2008/11/27 19:00:20 | 01,805,552 | ---- | M] (SUPERAntiSpyware.com) -- C:\Program Files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE

[2004/08/04 23:00:00 | 00,033,280 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\rundll32.exe

[2007/08/13 18:43:56 | 00,622,080 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Internet Explorer\iexplore.exe

[2008/11/29 08:28:22 | 00,418,304 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\bj.DOMAINSERVER\Desktop\vundo\OTListIt.exe

========== (O23) Win32 Services ==========

[2007/09/06 14:28:18 | 00,110,592 | ---- | M] (Apple, Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe -- (Apple Mobile Device [Disabled | Stopped])

[2005/09/23 07:28:32 | 00,029,896 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe -- (aspnet_state [On_Demand | Stopped])

[2007/09/12 18:27:24 | 00,554,352 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe -- (Automatic LiveUpdate Scheduler [Disabled | Stopped])

[2005/09/23 07:28:56 | 00,066,240 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32 [On_Demand | Stopped])

[2007/09/03 17:13:54 | 00,081,920 | ---- | M] (FirebirdSQL Project) -- C:\Program Files\Firebird\Firebird_2_0\bin\fbguard.exe -- (FirebirdGuardianDefaultInstance [Disabled | Stopped])

[2007/09/03 17:13:48 | 02,002,944 | ---- | M] (FirebirdSQL Project) -- C:\Program Files\Firebird\Firebird_2_0\bin\fbserver.exe -- (FirebirdServerDefaultInstance [Disabled | Stopped])

[2008/11/09 19:31:23 | 00,655,624 | ---- | M] (Acresso Software Inc.) -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service [Disabled | Stopped])

[2008/02/03 09:05:05 | 00,025,088 | ---- | M] (Arainia Solutions) -- C:\Program Files\Gizmo\gservice.exe -- (Gizmo Central [Disabled | Stopped])

[2007/10/17 23:22:02 | 00,138,168 | ---- | M] (Google) -- C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe -- (gusvc [Disabled | Stopped])

[2007/10/17 22:29:33 | 00,619,048 | ---- | M] (LogMeIn Inc.) -- C:\Program Files\Hamachi\hamachi.exe -- (HamachiService [Disabled | Stopped])

[2005/11/14 01:06:04 | 00,069,632 | ---- | M] (Macrovision Corporation) -- C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe -- (IDriverT [Disabled | Stopped])

[2007/09/26 15:41:56 | 00,503,608 | ---- | M] (Apple Inc.) -- C:\Program Files\iPod\bin\iPodService.exe -- (iPod Service [Disabled | Stopped])

[2007/09/12 18:27:24 | 02,999,664 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec\LiveUpdate\LuComServer_3_2.EXE -- (LiveUpdate [Disabled | Stopped])

[2007/11/15 18:46:12 | 00,116,032 | ---- | M] (LogMeIn, Inc.) -- C:\Program Files\LogMeIn\x86\ramaint.exe -- (LMIMaint [Auto | Running])

[2007/09/12 11:20:58 | 00,063,040 | ---- | M] (LogMeIn, Inc.) -- C:\Program Files\LogMeIn\x86\LogMeIn.exe -- (LogMeIn [Auto | Running])

[2008/10/22 16:10:24 | 00,170,640 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe -- (MBAMService [Auto | Running])

[2007/06/01 11:21:30 | 00,271,920 | ---- | M] (Nero AG) -- C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe -- (NMIndexingService [Disabled | Stopped])

[2007/03/28 20:41:24 | 03,290,728 | ---- | M] (Symantec Corporation) -- C:\Program Files\Norton Ghost\Agent\VProSvc.exe -- (Norton Ghost [Disabled | Stopped])

[2007/03/29 09:09:38 | 00,603,856 | ---- | M] (Trend Micro Inc.) -- C:\Program Files\Trend Micro\Client Server Security Agent\NTRtScan.exe -- (ntrtscan [Auto | Running])

[2007/03/29 09:03:16 | 00,282,704 | ---- | M] (Trend Micro Inc.) -- C:\Program Files\Trend Micro\Client Server Security Agent\OfcPfwSvc.exe -- (OfcPfwSvc [Auto | Running])

[2003/07/28 13:28:22 | 00,089,136 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE -- (ose [On_Demand | Stopped])

[2007/03/29 09:09:36 | 00,685,776 | ---- | M] (Trend Micro Inc.) -- C:\Program Files\Trend Micro\Client Server Security Agent\TmListen.exe -- (tmlisten [Auto | Running])

[2006/10/18 20:05:24 | 00,913,408 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Media Player\wmpnetwk.exe -- (WMPNetworkSvc [Disabled | Stopped])

========== Driver Services ==========

[2008/08/14 07:57:42 | 00,074,720 | ---- | M] (Adobe Systems, Inc.) -- C:\WINDOWS\System32\drivers\adfs.sys -- (adfs [Auto | Running])

[2007/06/01 14:04:45 | 00,096,968 | ---- | M] (SlySoft, Inc.) -- C:\WINDOWS\system32\drivers\AnyDVD.sys -- (AnyDVD [On_Demand | Running])

[2005/04/07 16:18:34 | 00,003,840 | ---- | M] () -- C:\WINDOWS\system32\drivers\BANTExt.sys -- (BANTExt [system | Running])

[2000/07/24 02:01:00 | 00,019,537 | ---- | M] (Brother Industries Ltd.) -- C:\WINDOWS\system32\drivers\BRPAR.SYS -- (BrPar [Auto | Running])

[2005/03/14 16:01:38 | 00,041,984 | ---- | M] (DeviceGuys, Inc.) -- C:\WINDOWS\system32\drivers\DGIVECP.SYS -- (DgiVecp [Auto | Running])

[2004/08/03 23:58:30 | 00,207,360 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\Dot4.sys -- (Dot4 [On_Demand | Stopped])

[2001/08/17 14:47:32 | 00,012,928 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\Dot4Prt.sys -- (Dot4Print [On_Demand | Stopped])

[2001/08/17 14:47:32 | 00,023,808 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\Dot4usb.sys -- (dot4usb [On_Demand | Stopped])

[2007/03/01 07:56:07 | 00,015,440 | ---- | M] (Elaborate Bytes AG) -- C:\WINDOWS\system32\drivers\ElbyCDIO.sys -- (ElbyCDIO [system | Running])

[2007/02/16 11:56:49 | 00,011,984 | ---- | M] (Elaborate Bytes AG) -- C:\WINDOWS\system32\drivers\ElbyDelay.sys -- (ElbyDelay [On_Demand | Running])

[2001/08/17 23:13:08 | 00,027,165 | ---- | M] (VIA Technologies, Inc. ) -- C:\WINDOWS\system32\drivers\fetnd5.sys -- (FETNDIS [On_Demand | Stopped])

[2007/03/28 20:12:18 | 00,015,664 | ---- | M] (GEAR Software Inc.) -- C:\WINDOWS\system32\drivers\GEARAspiWDM.sys -- (GEARAspiWDM [On_Demand | Running])

[2006/07/14 07:30:52 | 00,014,848 | ---- | M] () -- C:\WINDOWS\system32\drivers\gHidPnp.sys -- (gHidPnp [On_Demand | Stopped])

[2008/02/03 09:05:07 | 00,016,595 | ---- | M] (Arainia Solutions) -- C:\WINDOWS\System32\drivers\gizmodrv.sys -- (GizmoDrv [system | Running])

[2006/07/12 04:48:46 | 00,017,408 | ---- | M] ( Mouse Upfilter Driver ) -- C:\WINDOWS\system32\drivers\gMouPS2.sys -- (gMouPS2 [On_Demand | Running])

[2006/07/14 07:33:58 | 00,009,984 | ---- | M] () -- C:\WINDOWS\system32\drivers\gMouUsb.sys -- (gMouUsb [On_Demand | Stopped])

[2007/10/17 22:29:33 | 00,025,544 | ---- | M] (LogMeIn, Inc.) -- C:\WINDOWS\system32\drivers\hamachi.sys -- (hamachi [On_Demand | Stopped])

[2005/01/07 18:07:18 | 00,138,752 | ---- | M] (Windows ® Server 2003 DDK provider) -- C:\WINDOWS\system32\drivers\Hdaudbus.sys -- (HDAudBus [On_Demand | Running])

[2006/03/20 11:48:36 | 00,049,920 | ---- | M] (HP) -- C:\WINDOWS\system32\drivers\HPZid412.sys -- (HPZid412 [On_Demand | Stopped])

[2006/03/20 11:48:36 | 00,016,496 | ---- | M] (HP) -- C:\WINDOWS\system32\drivers\HPZipr12.sys -- (HPZipr12 [On_Demand | Stopped])

[2006/03/20 11:48:37 | 00,021,568 | ---- | M] (HP) -- C:\WINDOWS\system32\drivers\HPZius12.sys -- (HPZius12 [On_Demand | Stopped])

[2007/10/27 00:29:08 | 00,101,120 | ---- | M] (Huawei Technologies Co., Ltd.) -- C:\WINDOWS\system32\drivers\ewusbmdm.sys -- (hwdatacard [On_Demand | Stopped])

[2007/04/23 21:12:28 | 04,402,176 | ---- | M] (Realtek Semiconductor Corp.) -- C:\WINDOWS\system32\drivers\RtkHDAud.sys -- (IntcAzAudAddService [On_Demand | Running])

[2005/01/28 15:38:34 | 00,033,536 | R--- | M] (ASUSTeK Computer Inc. ) -- C:\WINDOWS\system32\drivers\ipgdnd51.sys -- (ipgd [On_Demand | Stopped])

[2004/08/03 23:58:36 | 00,014,848 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\kbdhid.sys -- (kbdhid [system | Stopped])

[2007/09/12 11:21:00 | 00,012,992 | ---- | M] (LogMeIn, Inc.) -- C:\Program Files\LogMeIn\x86\rainfo.sys -- (LMIInfo [Auto | Running])

[2007/09/12 11:20:28 | 00,010,144 | ---- | M] (LogMeIn, Inc.) -- C:\WINDOWS\system32\drivers\lmimirr.sys -- (lmimirr [On_Demand | Running])

[2007/11/15 18:46:38 | 00,083,288 | ---- | M] (LogMeIn, Inc.) -- C:\WINDOWS\System32\LMIRfsClientNP.dll -- (LMIRfsClientNP [Disabled | Stopped])

[2007/09/12 11:20:58 | 00,046,112 | ---- | M] (LogMeIn, Inc.) -- C:\WINDOWS\system32\drivers\LMIRfsDriver.sys -- (LMIRfsDriver [Auto | Running])

[2008/10/22 16:10:22 | 00,015,504 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\system32\drivers\mbam.sys -- (MBAMProtector [On_Demand | Running])

[2004/08/04 23:00:00 | 00,017,792 | ---- | M] (Parallel Technologies, Inc.) -- C:\WINDOWS\system32\drivers\ptilink.sys -- (Ptilink [On_Demand | Running])

[2003/08/19 02:56:54 | 00,064,512 | R--- | M] (Realtek Semiconductor Corporation ) -- C:\WINDOWS\system32\drivers\Rtlnic5.sys -- (RTL8023 [On_Demand | Running])

[2007/03/05 12:54:54 | 00,709,632 | ---- | M] (S3 Graphics Co., Ltd.) -- C:\WINDOWS\system32\drivers\S3gIGPm.sys -- (S3GIGP [On_Demand | Running])

[2008/08/19 23:34:20 | 00,008,944 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) -- C:\Program Files\SUPERAntiSpyware\sasdifsv.sys -- (SASDIFSV [system | Running])

[2008/08/19 23:34:22 | 00,007,408 | R--- | M] ( SUPERAdBlocker.com and SUPERAntiSpyware.com) -- C:\Program Files\SUPERAntiSpyware\SASENUM.SYS -- (SASENUM [On_Demand | Running])

[2008/08/19 23:34:20 | 00,055,024 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) -- C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS -- (SASKUTIL [system | Running])

[2004/08/04 23:00:00 | 00,027,440 | ---- | M] () -- C:\WINDOWS\system32\drivers\secdrv.sys -- (Secdrv [On_Demand | Stopped])

[2005/08/30 17:57:18 | 00,058,320 | ---- | M] (MCCI) -- C:\WINDOWS\system32\drivers\ss_bus.sys -- (ss_bus [On_Demand | Stopped])

[2005/08/30 17:58:56 | 00,008,304 | ---- | M] (MCCI) -- C:\WINDOWS\system32\drivers\ss_mdfl.sys -- (ss_mdfl [On_Demand | Stopped])

[2005/08/30 17:59:00 | 00,094,000 | ---- | M] (MCCI) -- C:\WINDOWS\system32\drivers\ss_mdm.sys -- (ss_mdm [On_Demand | Stopped])

[2006/07/24 16:05:00 | 00,005,632 | ---- | M] () -- C:\WINDOWS\System32\drivers\StarOpen.sys -- (StarOpen [system | Running])

[2007/03/28 20:29:12 | 00,131,944 | ---- | M] (StorageCraft) -- C:\WINDOWS\system32\drivers\symsnap.sys -- (symsnap [boot | Running])

[2007/12/24 18:37:00 | 00,138,384 | ---- | M] (Trend Micro Inc.) -- C:\WINDOWS\system32\drivers\tmcomm.sys -- (tmcomm [Auto | Running])

[2008/05/02 17:22:00 | 00,205,328 | ---- | M] (Trend Micro Inc.) -- C:\Program Files\Trend Micro\Client Server Security Agent\tmxpflt.sys -- (TmFilter [Auto | Running])

[2008/05/02 17:21:52 | 00,036,368 | ---- | M] (Trend Micro Inc.) -- C:\Program Files\Trend Micro\Client Server Security Agent\tmpreflt.sys -- (TmPreFilter [Auto | Running])

[2007/03/22 11:54:58 | 01,844,928 | ---- | M] (Trend Micro Inc.) -- C:\Program Files\Trend Micro\Client Server Security Agent\TM_CFW.sys -- (TM_CFW [Auto | Running])

[2004/08/04 10:07:44 | 00,044,672 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\UAGP35.SYS -- (uagp35 [boot | Running])

[2004/08/04 00:07:56 | 00,059,264 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\USBAUDIO.sys -- (usbaudio [On_Demand | Stopped])

[2005/10/21 12:47:05 | 00,012,800 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\usb8023x.sys -- (usb_rndisx [On_Demand | Stopped])

[2007/03/28 20:29:10 | 00,037,864 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\system32\drivers\v2imount.sys -- (v2imount [Auto | Running])

[2006/10/17 23:22:26 | 00,009,216 | ---- | M] (VIA Technologies, Inc.) -- C:\WINDOWS\system32\drivers\videX32.sys -- (videX32 [boot | Running])

[2007/03/28 20:23:50 | 00,014,072 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\system32\drivers\vproeventmonitor.sys -- (VProEventMonitor [On_Demand | Stopped])

[2008/05/02 17:17:18 | 01,169,240 | ---- | M] (Trend Micro Inc.) -- C:\Program Files\Trend Micro\Client Server Security Agent\vsapint.sys -- (VSApiNt [Auto | Running])

[2006/11/06 18:04:56 | 00,028,672 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\wceusbsh.sys -- (wceusbsh [On_Demand | Stopped])

[2007/03/28 20:49:42 | 00,128,104 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\WimFltr.sys -- (WimFltr [On_Demand | Stopped])

[2006/10/18 20:39:58 | 00,017,920 | ---- | M] (VIA Technologies,Inc) -- C:\WINDOWS\system32\drivers\xfilt.sys -- (xfilt [boot | Running])

========== Internet Explorer ==========

HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL =

HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons

HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm

HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk

HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm

HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Google

HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://www.google.com/search?q={searchTerm...tf8&oe=utf8

HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/

HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch

HKU\.DEFAULT\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

HKU\.DEFAULT\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>

HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch

HKU\S-1-5-18\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

HKU\S-1-5-18\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>

HKU\S-1-5-21-664856848-190524549-2150508390-1135\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm

HKU\S-1-5-21-664856848-190524549-2150508390-1135\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

HKU\S-1-5-21-664856848-190524549-2150508390-1135\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Google

HKU\S-1-5-21-664856848-190524549-2150508390-1135\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://www.google.com/search?q={searchTerm...tf8&oe=utf8

HKU\S-1-5-21-664856848-190524549-2150508390-1135\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/

HKU\S-1-5-21-664856848-190524549-2150508390-1135\S-1-5-21-664856848-190524549-2150508390-1135\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

O1 HOSTS File: (767 bytes) - C:\WINDOWS\System32\drivers\etc\Hosts

O1 - Hosts: 127.0.0.1 localhost

O1 - Hosts: 127.0.0.1 activate.adobe.com

O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)

O2 - BHO: (Skype add-on (mastermind)) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll (Skype Technologies S.A.)

O2 - BHO: (RealPlayer Download and Record Plugin for Internet Explorer) - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll (RealPlayer)

O2 - BHO: (no name) - {3f17372a-5f4e-4f97-a48f-1c18781bc4f9} - C:\WINDOWS\system32\bazajoja.dll File not found

O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)

O2 - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\Program Files\Google\GoogleToolbar1.dll (Google Inc.)

O2 - BHO: (Adobe PDF Conversion Toolbar Helper) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)

O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll (Google Inc.)

O3 - HKLM\..\Toolbar: (&Google) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\Program Files\Google\GoogleToolbar1.dll (Google Inc.)

O3 - HKLM\..\Toolbar: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)

O3 - HKCU\..\Toolbar: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - c:\Program Files\Google\GoogleToolbar1.dll (Google Inc.)

O3 - HKCU\..\Toolbar: (no name) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)

O3 - HKU\.DEFAULT\..\Toolbar: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - c:\Program Files\Google\GoogleToolbar1.dll (Google Inc.)

O3 - HKU\.DEFAULT\..\Toolbar: (no name) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)

O3 - HKU\S-1-5-18\..\Toolbar: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - c:\Program Files\Google\GoogleToolbar1.dll (Google Inc.)

O3 - HKU\S-1-5-18\..\Toolbar: (no name) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)

O3 - HKU\S-1-5-21-664856848-190524549-2150508390-1135\..\Toolbar: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - c:\Program Files\Google\GoogleToolbar1.dll (Google Inc.)

O3 - HKU\S-1-5-21-664856848-190524549-2150508390-1135\..\Toolbar: (no name) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)

O4 - HKLM..\Run: [CPMb7331958] Rundll32.exe "c:\windows\system32\fokonefo.dll",a File not found

O4 - HKLM..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe" (LogMeIn, Inc.)

O4 - HKLM..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray (Malwarebytes Corporation)

O4 - HKLM..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\Client Server Security Agent\pccntmon.exe" -HideWindow (Trend Micro Inc.)

O4 - HKLM..\Run: [s3Trayp] S3trayp.exe (S3 Graphics Co., Ltd.)

O4 - HKLM..\Run: [wewapawulu] Rundll32.exe "C:\WINDOWS\system32\dasikema.dll",s File not found

O4 - HKCU..\Run: [sUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe (SUPERAntiSpyware.com)

O4 - HKU\S-1-5-19..\Run: [wewapawulu] Rundll32.exe "C:\WINDOWS\system32\dasikema.dll",s File not found

O4 - HKU\S-1-5-20..\Run: [wewapawulu] Rundll32.exe "C:\WINDOWS\system32\dasikema.dll",s File not found

O4 - HKU\S-1-5-21-664856848-190524549-2150508390-1135..\Run: [sUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe (SUPERAntiSpyware.com)

O4 - HKLM..\RunOnce: [spybotDeletingA3006] command /c del "C:\WINDOWS\system32\ribegaja.dll_old" ()

O4 - HKLM..\RunOnce: [spybotDeletingA5145] command /c del "c:\windows\system32\fokonefo.dll_old" ()

O4 - HKLM..\RunOnce: [spybotDeletingC6795] cmd /c del "C:\WINDOWS\system32\ribegaja.dll_old" (Microsoft Corporation)

O4 - HKLM..\RunOnce: [spybotDeletingC711] cmd /c del "c:\windows\system32\fokonefo.dll_old" (Microsoft Corporation)

O4 - HKCU..\RunOnce: [spybotDeletingB2659] command /c del "C:\WINDOWS\system32\ribegaja.dll_old" ()

O4 - HKCU..\RunOnce: [spybotDeletingB7104] command /c del "c:\windows\system32\fokonefo.dll_old" ()

O4 - HKCU..\RunOnce: [spybotDeletingD4696] cmd /c del "C:\WINDOWS\system32\ribegaja.dll_old" (Microsoft Corporation)

O4 - HKCU..\RunOnce: [spybotDeletingD7484] cmd /c del "c:\windows\system32\fokonefo.dll_old" (Microsoft Corporation)

O4 - HKU\S-1-5-21-664856848-190524549-2150508390-1135..\RunOnce: [spybotDeletingB2659] command /c del "C:\WINDOWS\system32\ribegaja.dll_old" ()

O4 - HKU\S-1-5-21-664856848-190524549-2150508390-1135..\RunOnce: [spybotDeletingB7104] command /c del "c:\windows\system32\fokonefo.dll_old" ()

O4 - HKU\S-1-5-21-664856848-190524549-2150508390-1135..\RunOnce: [spybotDeletingD4696] cmd /c del "C:\WINDOWS\system32\ribegaja.dll_old" (Microsoft Corporation)

O4 - HKU\S-1-5-21-664856848-190524549-2150508390-1135..\RunOnce: [spybotDeletingD7484] cmd /c del "c:\windows\system32\fokonefo.dll_old" (Microsoft Corporation)

O4 - Startup: C:\Documents and Settings\bj\Start Menu\Programs\Startup\hamachi.lnk = C:\Program Files\Hamachi\hamachi.exe (LogMeIn Inc.)

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoWelcomeScreen = 1

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktopChanges = 0

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableTaskMgr = 0

O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145

O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 0

O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSaveSettings = 0

O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: ClassicShell = 0

O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoThemesTab = 0

O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: ForceActiveDesktopOn = 0

O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: NoDispAppearancePage = 0

O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: NoColorChoice = 0

O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: NoSizeChoice = 0

O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: NoDispBackgroundPage = 0

O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: NoDispScrSavPage = 0

O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: NoVisualStyleChoice = 0

O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: NoDispSettingsPage = 0

O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145

O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145

O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145

O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145

O7 - HKU\S-1-5-21-664856848-190524549-2150508390-1135\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145

O7 - HKU\S-1-5-21-664856848-190524549-2150508390-1135\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 0

O7 - HKU\S-1-5-21-664856848-190524549-2150508390-1135\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSaveSettings = 0

O7 - HKU\S-1-5-21-664856848-190524549-2150508390-1135\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: ClassicShell = 0

O7 - HKU\S-1-5-21-664856848-190524549-2150508390-1135\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoThemesTab = 0

O7 - HKU\S-1-5-21-664856848-190524549-2150508390-1135\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: ForceActiveDesktopOn = 0

O7 - HKU\S-1-5-21-664856848-190524549-2150508390-1135\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: NoDispAppearancePage = 0

O7 - HKU\S-1-5-21-664856848-190524549-2150508390-1135\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: NoColorChoice = 0

O7 - HKU\S-1-5-21-664856848-190524549-2150508390-1135\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: NoSizeChoice = 0

O7 - HKU\S-1-5-21-664856848-190524549-2150508390-1135\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: NoDispBackgroundPage = 0

O7 - HKU\S-1-5-21-664856848-190524549-2150508390-1135\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: NoDispScrSavPage = 0

O7 - HKU\S-1-5-21-664856848-190524549-2150508390-1135\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: NoVisualStyleChoice = 0

O7 - HKU\S-1-5-21-664856848-190524549-2150508390-1135\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: NoDispSettingsPage = 0

O9 - Extra Button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll (Microsoft Corporation)

O9 - Extra 'Tools' menuitem : Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll (Microsoft Corporation)

O9 - Extra Button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll (Skype Technologies S.A.)

O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\OFFICE11\REFIEBAR.DLL (Microsoft Corporation)

O9 - Extra 'Tools' menuitem : Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)

O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)

O9 - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)

O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} http://www.eset.eu/buxus/docs/OnlineScanner.cab (OnlineScanner Control)

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 10.16.0.1

O18 - Protocol\Handler: - belarc - C:\Program Files\Belarc\Advisor\System\BAVoilaX.dll (Belarc, Inc.)

O18 - Protocol\Handler: - ipp - No CLSID value found

O18 - Protocol\Handler: - ipp\0x00000001 - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)

O18 - Protocol\Handler: - msdaipp - No CLSID value found

O18 - Protocol\Handler: - msdaipp\0x00000001 - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)

O18 - Protocol\Handler: - msdaipp\oledb - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)

O18 - Protocol\Handler: - mso-offdap - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL (Microsoft Corporation)

O18 - Protocol\Handler: - mso-offdap11 - C:\Program Files\Common Files\Microsoft Shared\Web Components\11\OWC11.DLL (Microsoft Corporation)

O18 - Protocol\Filter: - text/xml - C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL (Microsoft Corporation)

O20 - See sections below for AppInitDlls and Winlogon settings

O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4}c:\windows\system32\fokonefo.dll File not found

O22 - SharedTaskScheduler: (STS) - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\fokonefo.dll File not found

========== AppInit_DLLs ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]

"AppInit_Dlls" = C:\WINDOWS\system32\laduhute.dll c:\windows\system32\topolobu.dll c:\windows\system32\tadeyike.dll c:\windows\system32\pufikere.dll c:\windows\system32\fokonefo.dll

>[2008/08/25 07:49:59 | 00,060,416 | -HS- | M] () -- C:\WINDOWS\system32\laduhute.dll

>File not found -- c:\windows\system32\topolobu.dll

>File not found -- c:\windows\system32\tadeyike.dll

>File not found -- c:\windows\system32\pufikere.dll

>File not found -- c:\windows\system32\fokonefo.dll

========== Winlogon Notify Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\]

!SASWinLogon: "DllName" = C:\Program Files\SUPERAntiSpyware\SASWINLO.dll -- C:\Program Files\SUPERAntiSpyware\SASWINLO.dll (SUPERAntiSpyware.com)

LMIinit: "DllName" = LMIinit.dll -- C:\WINDOWS\system32\LMIinit.dll (LogMeIn, Inc.)

========== Shell Execute Hooks ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}" (HKLM) -- C:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)

========== Safeboot Options ==========

"AlternateShell" = cmd.exe

========== CDRom AutoRun Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom]

"AutoRun" = 1

========== Autorun Files on Drives ==========

AUTOEXEC.BAT []

[2007/10/14 09:25:24 | 00,000,000 | ---- | M] () -- C:\AUTOEXEC.BAT -- [ NTFS ]

========== MountPoints2 ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{a782777d-2a30-11dd-86a0-001a922d802e}\Shell]

"" = AutoRun

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{a782777d-2a30-11dd-86a0-001a922d802e}\Shell\AutoRun]

"" = Auto&Play

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{a782777d-2a30-11dd-86a0-001a922d802e}\Shell\AutoRun\command]

"" = F:\AutoRun.exe -- File not found

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{a782777e-2a30-11dd-86a0-001a922d802e}\Shell]

"" = AutoRun

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{a782777e-2a30-11dd-86a0-001a922d802e}\Shell\AutoRun]

"" = Auto&Play

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{a782777e-2a30-11dd-86a0-001a922d802e}\Shell\AutoRun\command]

"" = F:\AutoRun.exe -- File not found

========== Files/Folders - Created Within 30 Days ==========

[3 C:\WINDOWS\*.tmp files]

[2008/11/29 07:33:59 | 00,001,734 | ---- | C] () -- C:\Documents and Settings\bj.DOMAINSERVER\Desktop\HijackThis.lnk

[2008/11/29 07:23:08 | 00,000,000 | ---D | C] -- C:\Program Files\EsetOnlineScanner

[2008/11/29 07:16:36 | 00,000,000 | ---D | C] -- C:\Documents and Settings\bj.DOMAINSERVER\Desktop\vundo

[2008/11/28 14:58:08 | 00,002,713 | -HS- | C] () -- C:\WINDOWS\System32\wubajiro.exe

[2008/11/27 18:21:17 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com

[2008/11/27 18:21:04 | 00,000,780 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\SUPERAntiSpyware Free Edition.lnk

[2008/11/27 18:21:03 | 00,000,000 | ---D | C] -- C:\Program Files\SUPERAntiSpyware

[2008/11/27 18:21:03 | 00,000,000 | ---D | C] -- C:\Documents and Settings\bj.DOMAINSERVER\Application Data\SUPERAntiSpyware.com

[2008/11/27 18:20:53 | 00,000,000 | ---D | C] -- C:\Program Files\Common Files\Wise Installation Wizard

[2008/11/27 18:20:45 | 06,634,008 | ---- | C] () -- C:\Documents and Settings\bj.DOMAINSERVER\Desktop\SUPERAntiSpyware.exe

[2008/11/26 22:44:21 | 00,082,944 | ---- | C] (S!Ri.URZ) -- C:\WINDOWS\System32\o4Patch.exe

[2008/11/26 22:44:20 | 00,289,144 | ---- | C] (S!Ri) -- C:\WINDOWS\System32\VCCLSID.exe

[2008/11/26 22:44:20 | 00,288,417 | ---- | C] (S!Ri) -- C:\WINDOWS\System32\SrchSTS.exe

[2008/11/26 22:44:20 | 00,135,168 | ---- | C] (SteelWerX) -- C:\WINDOWS\System32\swreg.exe

[2008/11/26 22:44:20 | 00,087,552 | ---- | C] (S!Ri.URZ) -- C:\WINDOWS\System32\VACFix.exe

[2008/11/26 22:44:20 | 00,082,944 | ---- | C] (S!Ri.URZ) -- C:\WINDOWS\System32\IEDFix.exe

[2008/11/26 22:44:20 | 00,082,944 | ---- | C] (S!Ri.URZ) -- C:\WINDOWS\System32\IEDFix.C.exe

[2008/11/26 22:44:20 | 00,082,432 | ---- | C] (S!Ri.URZ) -- C:\WINDOWS\System32\404Fix.exe

[2008/11/26 22:44:20 | 00,079,360 | ---- | C] (SteelWerX) -- C:\WINDOWS\System32\swxcacls.exe

[2008/11/26 22:44:20 | 00,053,248 | ---- | C] (http://www.beyondlogic.org) -- C:\WINDOWS\System32\Process.exe

[2008/11/26 22:44:20 | 00,051,200 | ---- | C] () -- C:\WINDOWS\System32\dumphive.exe

[2008/11/26 22:44:20 | 00,040,960 | ---- | C] () -- C:\WINDOWS\System32\swsc.exe

[2008/11/26 22:44:20 | 00,025,600 | ---- | C] () -- C:\WINDOWS\System32\WS2Fix.exe

[2008/11/26 22:41:55 | 00,000,000 | ---D | C] -- C:\Documents and Settings\bj.DOMAINSERVER\Desktop\SmitfraudFix

[2008/11/26 22:41:51 | 01,581,780 | ---- | C] () -- C:\Documents and Settings\bj.DOMAINSERVER\Desktop\SmitfraudFix.exe

[2008/11/26 21:49:37 | 00,000,000 | ---D | C] -- C:\VundoFix Backups

[2008/11/26 21:11:26 | 00,000,514 | ---- | C] () -- C:\WINDOWS\tasks\Malwarebytes' Scheduled Scan for bj.job

[2008/11/26 06:56:25 | 00,000,266 | ---- | C] () -- C:\WINDOWS\wininit.ini

[2008/11/25 20:58:07 | 00,000,933 | ---- | C] () -- C:\Documents and Settings\bj.DOMAINSERVER\Desktop\Spybot - Search & Destroy.lnk

[2008/11/25 20:53:50 | 14,968,808 | ---- | C] (Safer Networking Limited ) -- C:\Documents and Settings\bj.DOMAINSERVER\Desktop\spybotsd160.exe

[2008/11/25 20:14:05 | 00,000,000 | ---D | C] -- C:\WINDOWS\v7020

[2008/11/25 20:12:43 | 00,000,000 | ---D | C] -- C:\WINDOWS\v7040

[2008/11/25 08:53:25 | 02,372,472 | ---- | C] (Malwarebytes Corporation ) -- C:\Documents and Settings\bj.DOMAINSERVER\Desktop\mbam-setup.exe

[2008/11/24 06:24:31 | 00,000,000 | ---D | C] -- C:\Documents and Settings\bj.DOMAINSERVER\Desktop\business card

[2008/11/21 19:46:37 | 00,000,000 | ---D | C] -- C:\Documents and Settings\bj.DOMAINSERVER\Desktop\tuffTestpro

[2008/11/17 23:26:03 | 00,007,060 | ---- | C] () -- C:\Documents and Settings\bj.DOMAINSERVER\Desktop\SystemSrvPro.htm

[2008/11/17 23:25:53 | 00,806,912 | ---- | C] (Codejock Software) -- C:\WINDOWS\System32\Codejock.CommandBars.9700.ocx

[2008/11/17 23:25:52 | 00,172,032 | ---- | C] (CIA, The Company) -- C:\WINDOWS\System32\ciaXPText30.ocx

[2008/11/17 23:25:50 | 00,536,576 | ---- | C] (CIA, The Company) -- C:\WINDOWS\System32\ciaXPTab30.ocx

[2008/11/17 23:25:48 | 00,221,184 | ---- | C] (CIA, The Company) -- C:\WINDOWS\System32\ciaXPSpin30.ocx

[2008/11/17 23:25:46 | 00,212,992 | ---- | C] (CIA, The Company) -- C:\WINDOWS\System32\ciaXPSelection30.ocx

[2008/11/17 23:25:45 | 00,172,032 | ---- | C] (CIA, The Company) -- C:\WINDOWS\System32\ciaXPScroll30.ocx

[2008/11/17 23:25:44 | 00,053,248 | ---- | C] (CIA, The Company) -- C:\WINDOWS\System32\ciaXPRegSvr20.dll

[2008/11/17 23:25:41 | 00,831,488 | ---- | C] (CIA, The Company) -- C:\WINDOWS\System32\ciaXPListView30.ocx

[2008/11/17 23:25:39 | 00,360,448 | ---- | C] (CIA, The Company) -- C:\WINDOWS\System32\ciaXPList30.ocx

[2008/11/17 23:25:38 | 00,110,592 | ---- | C] (CIA, The Company) -- C:\WINDOWS\System32\ciaXPIML30.ocx

[2008/11/17 23:25:36 | 00,126,976 | ---- | C] (CIA, The Company) -- C:\WINDOWS\System32\ciaXPFrame30.ocx

[2008/11/17 23:25:34 | 00,450,560 | ---- | C] (CIA, The Company) -- C:\WINDOWS\System32\ciaXPCalendar30.ocx

[2008/11/17 23:25:33 | 00,299,008 | ---- | C] (CIA, The Company) -- C:\WINDOWS\System32\ciaXPCombo30.ocx

[2008/11/17 23:25:31 | 00,184,320 | ---- | C] (CIA, The Company) -- C:\WINDOWS\System32\ciaXPButton30.ocx

[2008/11/17 23:25:27 | 00,200,704 | ---- | C] (CIA, The company) -- C:\WINDOWS\System32\ciaSCls20.dll

[2008/11/17 23:25:21 | 00,692,224 | ---- | C] (CIA, The Company) -- C:\WINDOWS\System32\ciaResSvr20.dll

[2008/11/17 23:25:15 | 00,124,688 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\MSWINSCK.ocx

[2008/11/17 23:25:14 | 00,196,608 | ---- | C] (Personal) -- C:\WINDOWS\System32\VBSplitter.ocx

[2008/11/17 23:25:12 | 00,278,528 | ---- | C] (Inner Media, Inc.) -- C:\WINDOWS\System32\duzactx.dll

[2008/11/17 23:25:11 | 00,267,080 | ---- | C] (Teebo Software Solutions) -- C:\WINDOWS\System32\tssProgressBarXP.ocx

[2008/11/17 23:25:07 | 00,732,656 | ---- | C] (WeOnlyDo Software) -- C:\WINDOWS\System32\wodPop3.dll

[2008/11/17 23:25:03 | 00,753,136 | ---- | C] (WeOnlyDo! Software) -- C:\WINDOWS\System32\wodSmtp.dll

[2008/11/17 23:24:55 | 04,845,568 | ---- | C] ( ) -- C:\WINDOWS\sspro.exe

[2008/11/17 23:24:54 | 00,434,176 | ---- | C] (Systems Integration 2) -- C:\WINDOWS\rundys32.exe

[2008/11/17 23:24:54 | 00,131,072 | ---- | C] () -- C:\WINDOWS\winfsysrn.dll

[2008/11/17 23:24:51 | 00,765,952 | ---- | C] (Systems Integration 2) -- C:\WINDOWS\sprscore.exe

[2008/11/17 23:24:51 | 00,002,437 | ---- | C] () -- C:\WINDOWS\dep32ceg.dll

[2008/11/17 23:24:51 | 00,000,000 | ---- | C] () -- C:\WINDOWS\spr32snl.dll

[2008/11/17 23:24:51 | 00,000,000 | ---- | C] () -- C:\WINDOWS\iopb32ul.dll

[2008/11/17 23:24:51 | 00,000,000 | ---- | C] () -- C:\WINDOWS\iopa32ul.dll

[2008/11/17 23:24:50 | 00,000,000 | ---D | C] -- C:\WINDOWS\fontvect

[2008/11/16 23:20:08 | 00,000,000 | ---D | C] -- C:\Documents and Settings\bj.DOMAINSERVER\Desktop\business cards

[2008/11/15 23:34:04 | 00,518,019 | ---- | C] () -- C:\Documents and Settings\bj.DOMAINSERVER\Desktop\office logo.jpg

[2008/11/15 23:22:44 | 00,393,216 | ---- | C] (FirebirdSQL Project) -- C:\WINDOWS\System32\GDS32.DLL

[2008/11/15 23:22:44 | 00,393,216 | ---- | C] (FirebirdSQL Project) -- C:\WINDOWS\System32\FBCLIENT.DLL

[2008/11/15 23:22:41 | 00,000,000 | ---D | C] -- C:\Program Files\Firebird

[2008/11/15 23:22:08 | 00,000,000 | ---D | C] -- C:\Program Files\TS Man 1.2

[2008/11/15 08:58:41 | 00,000,000 | ---D | C] -- C:\Documents and Settings\bj.DOMAINSERVER\Desktop\helpdesk software

[2008/11/14 21:51:19 | 00,022,528 | ---- | C] () -- C:\Documents and Settings\bj.DOMAINSERVER\My Documents\mycomputerdied.doc

[2008/11/14 21:06:11 | 00,140,872 | ---- | C] () -- C:\Documents and Settings\bj.DOMAINSERVER\Desktop\office logo.eps

[2008/11/14 21:06:04 | 00,029,365 | ---- | C] () -- C:\Documents and Settings\bj.DOMAINSERVER\Desktop\office logo.pdf

[2008/11/14 19:51:57 | 00,026,112 | ---- | C] () -- C:\Documents and Settings\bj.DOMAINSERVER\My Documents\Welcome to active it help.doc

[2008/11/09 19:39:27 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\ALM

[2008/11/09 19:36:35 | 00,000,000 | ---D | C] -- C:\Program Files\Adobe Media Player

[2008/11/09 19:35:16 | 00,000,000 | ---D | C] -- C:\Program Files\Common Files\Adobe AIR

[2008/11/03 22:23:00 | 00,095,787 | ---- | C] () -- C:\Documents and Settings\bj.DOMAINSERVER\Desktop\RA080904-114445.pdf

========== Files - Modified Within 30 Days ==========

[2 C:\WINDOWS\System32\*.tmp files]

[3 C:\WINDOWS\*.tmp files]

[2008/11/29 08:29:51 | 00,008,812 | -H-- | M] () -- C:\WINDOWS\System32\hunuwuta

[2008/11/29 08:03:20 | 00,000,266 | ---- | M] () -- C:\WINDOWS\wininit.ini

[2008/11/29 07:33:59 | 00,001,734 | ---- | M] () -- C:\Documents and Settings\bj.DOMAINSERVER\Desktop\HijackThis.lnk

[2008/11/29 05:00:00 | 00,000,514 | ---- | M] () -- C:\WINDOWS\tasks\Malwarebytes' Scheduled Scan for bj.job

[2008/11/29 02:57:45 | 00,095,284 | ---- | M] () -- C:\WINDOWS\System32\fokonefo.dll_old

[2008/11/29 02:57:45 | 00,088,116 | ---- | M] () -- C:\WINDOWS\System32\ribegaja.dll_old

[2008/11/28 14:58:08 | 00,002,713 | -HS- | M] () -- C:\WINDOWS\System32\wubajiro.exe

[2008/11/28 06:53:45 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT

[2008/11/28 06:53:43 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat

[2008/11/27 20:56:57 | 00,086,580 | ---- | M] () -- C:\WINDOWS\System32\riguhoyu.dll

[2008/11/27 18:59:45 | 00,000,924 | ---- | M] () -- C:\WINDOWS\win.ini

[2008/11/27 18:59:45 | 00,000,284 | ---- | M] () -- C:\WINDOWS\system.ini

[2008/11/27 18:21:04 | 00,000,780 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\SUPERAntiSpyware Free Edition.lnk

[2008/11/27 18:20:53 | 06,634,008 | ---- | M] () -- C:\Documents and Settings\bj.DOMAINSERVER\Desktop\SUPERAntiSpyware.exe

[2008/11/26 22:41:55 | 01,581,780 | ---- | M] () -- C:\Documents and Settings\bj.DOMAINSERVER\Desktop\SmitfraudFix.exe

[2008/11/26 20:57:37 | 00,101,376 | ---- | M] () -- C:\Documents and Settings\bj.DOMAINSERVER\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

[2008/11/26 20:55:14 | 00,054,156 | -H-- | M] () -- C:\WINDOWS\QTFont.qfn

[2008/11/26 20:53:28 | 00,000,069 | ---- | M] () -- C:\WINDOWS\NeroDigital.ini

[2008/11/26 07:03:11 | 00,000,116 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\.zreglib

[2008/11/25 20:58:07 | 00,000,933 | ---- | M] () -- C:\Documents and Settings\bj.DOMAINSERVER\Desktop\Spybot - Search & Destroy.lnk

[2008/11/25 20:57:01 | 14,968,808 | ---- | M] (Safer Networking Limited ) -- C:\Documents and Settings\bj.DOMAINSERVER\Desktop\spybotsd160.exe

[2008/11/25 20:01:40 | 00,013,646 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl

[2008/11/25 08:53:33 | 02,372,472 | ---- | M] (Malwarebytes Corporation ) -- C:\Documents and Settings\bj.DOMAINSERVER\Desktop\mbam-setup.exe

[2008/11/25 08:23:40 | 00,000,578 | ---- | M] () -- C:\WINDOWS\M3JPEG.INI

[2008/11/25 07:55:41 | 00,087,092 | ---- | M] () -- C:\WINDOWS\System32\huzukiru.dll

[2008/11/24 09:18:01 | 00,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job

[2008/11/21 23:36:51 | 02,154,440 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT

[2008/11/20 17:46:05 | 00,001,154 | -H-- | M] () -- C:\Documents and Settings\bj.DOMAINSERVER\My Documents\Default.rdp

[2008/11/20 16:27:09 | 00,008,755 | ---- | M] () -- C:\WINDOWS\cfgall.ini

[2008/11/20 06:22:32 | 00,002,437 | ---- | M] () -- C:\WINDOWS\dep32ceg.dll

[2008/11/20 00:17:47 | 02,642,006 | -H-- | M] () -- C:\Documents and Settings\bj.DOMAINSERVER\Local Settings\Application Data\IconCache.db

[2008/11/16 15:23:49 | 00,022,528 | ---- | M] () -- C:\Documents and Settings\bj.DOMAINSERVER\My Documents\mycomputerdied.doc

[2008/11/16 09:52:10 | 00,026,112 | ---- | M] () -- C:\Documents and Settings\bj.DOMAINSERVER\My Documents\Welcome to active it help.doc

[2008/11/15 23:34:13 | 00,518,019 | ---- | M] () -- C:\Documents and Settings\bj.DOMAINSERVER\Desktop\office logo.jpg

[2008/11/15 20:36:19 | 00,000,000 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\LauncherAccess.dt

[2008/11/14 21:06:11 | 00,140,872 | ---- | M] () -- C:\Documents and Settings\bj.DOMAINSERVER\Desktop\office logo.eps

[2008/11/14 21:06:04 | 00,029,365 | ---- | M] () -- C:\Documents and Settings\bj.DOMAINSERVER\Desktop\office logo.pdf

[2008/11/09 19:41:56 | 00,072,888 | ---- | M] () -- C:\Documents and Settings\bj.DOMAINSERVER\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

[2008/11/07 00:26:59 | 00,000,403 | ---- | M] () -- C:\WINDOWS\MYOBP.INI

[2008/11/07 00:26:53 | 00,000,133 | ---- | M] () -- C:\WINDOWS\SwDrvs.ini

[2008/11/07 00:26:53 | 00,000,039 | ---- | M] () -- C:\WINDOWS\MYOB.INI

[2008/11/05 17:09:19 | 00,476,316 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI

[2008/11/05 17:09:19 | 00,404,936 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat

[2008/11/05 17:09:19 | 00,063,712 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat

[2008/11/03 22:23:02 | 00,095,787 | ---- | M] () -- C:\Documents and Settings\bj.DOMAINSERVER\Desktop\RA080904-114445.pdf

< End of report >
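A defender-side triage of the OTL log posted above, added here as an example (not code from the thread, from Malwarebytes or from Trend Micro): it parses the O4, O21, O22 and AppInit_DLLs entries, groups them by the file each one loads, and flags files that are missing, hidden, or wired into several load points at once, which is the pattern behind the same DLL names reappearing after every clean. The sample input is constructed from lines of that log; the parser assumes only the OTL text format shown there.

```python
"""Triage persistence entries in an OTL-style log for Vundo-type load points.

Added example, not code from the thread, Malwarebytes or Trend Micro.
"""
import re
from collections import defaultdict

# Constructed sample: a handful of lines copied from the posted OTL log.
SAMPLE_LOG = r"""
O4 - HKLM..\Run: [CPMb7331958] Rundll32.exe "c:\windows\system32\fokonefo.dll",a File not found
O4 - HKLM..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe" (LogMeIn, Inc.)
O4 - HKLM..\Run: [wewapawulu] Rundll32.exe "C:\WINDOWS\system32\dasikema.dll",s File not found
O4 - HKLM..\RunOnce: [spybotDeletingC711] cmd /c del "c:\windows\system32\fokonefo.dll_old" (Microsoft Corporation)
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4}c:\windows\system32\fokonefo.dll File not found
O22 - SharedTaskScheduler: (STS) - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\fokonefo.dll File not found
========== AppInit_DLLs ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_Dlls" = C:\WINDOWS\system32\laduhute.dll c:\windows\system32\topolobu.dll c:\windows\system32\fokonefo.dll
>[2008/08/25 07:49:59 | 00,060,416 | -HS- | M] () -- C:\WINDOWS\system32\laduhute.dll
>File not found -- c:\windows\system32\topolobu.dll
>File not found -- c:\windows\system32\fokonefo.dll
"""

# O4 autostart: "O4 - <hive>..\Run: [<name>] <command>"
O4_RE = re.compile(r"^O4 - (?P<hive>.+?)\.\.\\(?P<key>Run(?:Once)?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# O21 (ShellServiceObjectDelayLoad) and O22 (SharedTaskScheduler): CLSID, then the DLL it points at
CLSID_RE = re.compile(r"^O2[12] - .*?\{(?P<clsid>[0-9A-Fa-f-]{36})\}\s*(?:-\s*)?(?P<path>\S+?\.dll)", re.I)
APPINIT_RE = re.compile(r'^"AppInit_Dlls"\s*=\s*(?P<paths>.*)$')
# ">[stamp | size | attrs | M] (company) -- path": OTL found the file on disk
FOUND_RE = re.compile(r"^>\[[^|]*\|[^|]*\|\s*(?P<attrs>\S+)\s*\|[^\]]*\] .*? -- (?P<path>.+)$")
MISSING_RE = re.compile(r"^>File not found -- (?P<path>.+)$")
QUOTED_RE = re.compile(r'"([^"]+)"')


def _o4_target(cmd):
    """The file an O4 command really loads: the DLL for rundll32, else the executable."""
    tokens = cmd.split()
    if tokens[0].lower().startswith("rundll32"):
        q = QUOTED_RE.search(cmd)
        return q.group(1) if q else tokens[1].split(",")[0]
    if cmd.startswith('"'):
        return QUOTED_RE.match(cmd).group(1)
    return tokens[0]


def triage(log_text):
    """Map each referenced file (lowercased path) to its load points and on-disk status."""
    entries = defaultdict(lambda: {"mechanisms": set(), "exists": None, "attrs": ""})

    def note(path, mechanism, exists=None, attrs=None):
        rec = entries[path.lower()]
        rec["mechanisms"].add(mechanism)
        if exists is not None:
            rec["exists"] = exists
        if attrs:
            rec["attrs"] = attrs

    for line in (raw.strip() for raw in log_text.splitlines()):
        if m := O4_RE.match(line):
            cmd = m.group("cmd")
            missing = cmd.endswith("File not found")
            mech = f"{m.group('hive')}\\{m.group('key')} [{m.group('name')}]"
            if cmd.lower().startswith("rundll32"):
                mech += " via rundll32"  # DLL persistence with no executable of its own
            note(_o4_target(cmd), mech, exists=False if missing else (True if cmd.endswith(")") else None))
        elif m := CLSID_RE.match(line):
            mech = "SSODL" if line.startswith("O21") else "SharedTaskScheduler"
            note(m.group("path"), f"{mech} {{{m.group('clsid')}}}", exists=not line.endswith("File not found"))
        elif m := APPINIT_RE.match(line):
            for p in m.group("paths").split():
                note(p, "AppInit_DLLs")
        elif m := FOUND_RE.match(line):
            note(m.group("path"), "AppInit_DLLs", exists=True, attrs=m.group("attrs"))
        elif m := MISSING_RE.match(line):
            note(m.group("path"), "AppInit_DLLs", exists=False)

    return {p: {"mechanisms": sorted(r["mechanisms"]), "exists": r["exists"], "attrs": r["attrs"]}
            for p, r in entries.items()}


def suspicious(entries):
    """Return [(path, [reasons])] for the entries worth a closer look."""
    flagged = []
    for path, rec in sorted(entries.items()):
        reasons = []
        if rec["exists"] is False:
            reasons.append("orphaned autostart: file missing")
        if "AppInit_DLLs" in rec["mechanisms"]:
            reasons.append("AppInit_DLLs: loaded into every process that loads user32.dll")
        if len(rec["mechanisms"]) > 1:
            reasons.append(f"{len(rec['mechanisms'])} separate load points")
        if "H" in rec["attrs"] and "S" in rec["attrs"]:
            reasons.append("hidden+system attributes")
        if reasons:
            flagged.append((path, reasons))
    return flagged


if __name__ == "__main__":
    for path, reasons in suspicious(triage(SAMPLE_LOG)):
        print(path)
        for reason in reasons:
            print("   -", reason)
```

Run against a full log, the output groups every autostart by the file behind it, so a DLL such as fokonefo.dll shows up once with its Run, SSODL, SharedTaskScheduler and AppInit_DLLs hooks listed together.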


Thank you for the reply. It's been a while; no matter how many times I scan, quick or full, malware finds and deletes the trojans but it comes back again. Here is a fresh malware log. I have disabled the realtime protection as it hangs my computer when I use the Internet, I think due to the trojan. Was working great until last week.

Malwarebytes' Anti-Malware 1.30

Database version: 1443

Windows 5.1.2600 Service Pack 2

3/12/2008 7:44:14 AM

mbam-log-2008-12-03 (07-44-14).txt

Scan type: Quick Scan

Objects scanned: 69131

Time elapsed: 5 minute(s), 4 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 2

Registry Keys Infected: 3

Registry Values Infected: 5

Registry Data Items Infected: 2

Folders Infected: 0

Files Infected: 3

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

C:\WINDOWS\system32\hivofupi.dll (Trojan.Vundo) -> Delete on reboot.

c:\WINDOWS\system32\nogopofa.dll (Trojan.BHO) -> Delete on reboot.

Registry Keys Infected:

HKEY_CLASSES_ROOT\CLSID\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.BHO) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\b4002ac4 (Trojan.Vundo.H) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.BHO) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\ssodl (Trojan.BHO) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cpmb7331958 (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wewapawulu (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.BHO) -> Data: c:\windows\system32\nogopofa.dll -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.BHO) -> Data: system32\nogopofa.dll -> Quarantined and deleted successfully.

Folders Infected:

(No malicious items detected)

Files Infected:

C:\WINDOWS\system32\hivofupi.dll (Trojan.Vundo.H) -> Delete on reboot.

C:\WINDOWS\system32\ipufovih.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.

c:\WINDOWS\system32\nogopofa.dll (Trojan.BHO) -> Delete on reboot.


Okay, we're not doing too badly...

First, I'd like for you to do this:

Please download and run the Trend Micro Sysclean Package on your computer.

NOTE! This scan will probably take a long time to run on your computer so be patient and don't use it while it's scanning.

  • Trend Micro Damage Cleanup Engine

Make sure you read this document to understand how to use the program.

Basically there are 3 parts that need to be downloaded from these links:

  • As an example, on 2008-10-17 the files to download are: sysclean.com | lpt605.zip | ssapiptn697.zip

  • NOTE! These file names are examples and you must visit Trend Micro for the very latest files, which may have different names.

  • Create a brand new folder to copy these files to. As an example: C:\DCE

  • Then open each of the zipped archive files and copy their contents to C:\DCE

  • Copy the file sysclean.com to the new folder C:\DCE as well.

  • Double-click on the file sysclean.com that is in the C:\DCE folder and follow the on-screen instructions.

    After doing all of this, please post back your results, including the log file sysclean.log that will be left behind by sysclean.

  • This self-extracting archive is a stand-alone fix package that incorporates the Trend Micro VSAPI Malware and Spyware scanning engines as well as the Trend Micro Damage Cleanup Engine and Template.

    This tool supports the following features:

    o Terminate all detected malware/spyware instances in memory

    o Remove malware/spyware registry entries

    o Remove malware/spyware entries from system files

    o Scan for and delete all detected malware/spyware copies in all local drives

http://windowshelp.microsoft.com/windows/en-us/help/7050d809-c761-43d4-aae7-587550cd341a1033.mspx

After following all of those instructions, do a fresh HijackThis scan and provide its logfile. Next, update MBAM and do a quick scan. I'd like to see that log as well please.


/--------------------------------------------------------------\

| Trend Micro System Cleaner |

| Copyright 2006-2007, Trend Micro, Inc. |

| http://www.antivirus.com |

\--------------------------------------------------------------/

2008-12-03, 08:24:37, Auto-clean mode specified.

2008-12-03, 08:24:37, Initialized Rootkit Driver version 2.2.0.1004.

2008-12-03, 08:24:37, Running scanner "C:\DCE\TSC.BIN"...

2008-12-03, 08:24:50, Scanner "C:\DCE\TSC.BIN" has finished running.

2008-12-03, 08:24:50, TSC Log:
