Malware galore

Post by Tetracide » May 14th, 2010, 5:15 pm

Hi there,

I'm getting the following pop-up messages once logged onto Windows:

"C:\docume~1\nicola~1\locals~1\temp\21431.exe
the NTVDM CPU has encountered an illegal instruction.
CS:056e IP:021e OP:63 75 6d 65 6e Choose close to terminate the application"

and another error message saying

"userini.exe has encountered a problem and needs to close. We are sorry for the inconvenience"

When I click Don't Send, my computer restarts.

Here's the HijackThis log...

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 10:32:45 PM, on 2010/05/14
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16981)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\userini.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\X3watch\x3watch.exe
C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder.exe
C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\WINDOWS\system32\douresy.exe
C:\WINDOWS\system32\userini.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
c:\program files\altera\80sp1\quartus\bin\jtagserver.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\McAfee\VirusScan Enterprise\EngineServer.exe
C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe
C:\WINDOWS\system32\douresy.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\WINDOWS\Temp\wpv491273836855.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\WINDOWS\system32\mfevtps.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\TVersity\Media Server\MediaServer.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ntvdm.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\dwwin.exe
C:\WINDOWS\system32\dwwin.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
F2 - REG:system.ini: UserInit=Userinit.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Malicious Scripts Scanner - {55EA1964-F5E4-4D6A-B9B2-125B37655FCB} - C:\Documents and Settings\All Users\Application Data\Prevx\pxbho.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptsn.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.5.4723.1820\swg.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [x3watch] C:\Program Files\X3watch\x3watch.exe
O4 - HKLM\..\Run: [OrderReminder] C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder.exe
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [fuhi] C:\WINDOWS\system32\douresy.exe
O4 - HKLM\..\Run: [userini] C:\WINDOWS\system32\userini.exe
O4 - HKLM\..\Run: [PrevxOne] "C:\Program Files\Prevx1\PXConsole.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\DTLite.exe" -autorun
O4 - HKCU\..\Run: [userini] C:\WINDOWS\system32\userini.exe
O4 - HKLM\..\Policies\Explorer\Run: [userini] C:\WINDOWS\system32\userini.exe
O4 - HKCU\..\Policies\Explorer\Run: [userini] C:\WINDOWS\system32\userini.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O20 - AppInit_DLLs: winmm.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Altera JTAG Server (JTAGServer) - Unknown owner - c:\program files\altera\80sp1\quartus\bin\jtagserver.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: McAfee Engine Service (McAfeeEngineService) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\EngineServer.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
O23 - Service: McAfee Validation Trust Protection Service (mfevtp) - McAfee, Inc. - C:\WINDOWS\system32\mfevtps.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Prevx Agent (PREVXAgent) - Prevx - C:\Program Files\Prevx1\PXAgent.exe
O23 - Service: TVersityMediaServer - Unknown owner - C:\Program Files\TVersity\Media Server\MediaServer.exe

--
End of file - 8940 bytes


And the uninstall list...

Adobe Flash Player 10 ActiveX
Adobe Flash Player Plugin
Adobe Reader 7.0.7
Adobe® Photoshop® Album Starter Edition 3.0
Amadis AVI/DIVX/WMV/MPEG/MOV/SWF/FLV/MKV/RM/RMVB Video Converte
ASIO4ALL
Compatibility Pack for the 2007 Office system
Creativity Kit for Windows Movie Maker 2
dBpowerAMP Music Converter
FL Studio 6
FL Studio 7
FLV Player
Google Talk (remove only)
Google Toolbar for Internet Explorer
Google Toolbar for Internet Explorer
Google Update Helper
HiJackThis
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
HP OrderReminder
IL Download Manager
K-Lite Mega Codec Pack 1.33
LaserJet 1018
McAfee AntiSpyware Enterprise Module
McAfee VirusScan Enterprise
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB953297)
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Professional Edition 2003
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2005 Redistributable
Mozilla Firefox (2.0.0.18)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
Nero Suite
NVIDIA Drivers
ParetoLogic Data Recovery
Prevx1
project dogwaffle
Quartus II 8.0sp1 Web Edition
Realtek AC'97 Audio
Registry Mechanic 6.0
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB938127-v2)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB974455)
Security Update for Windows Internet Explorer 7 (KB978207)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371-v2)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978706)
Sentinel System Driver
Skype™ Beta 0.97
Sony Ericsson PC Suite
Striata Reader
Toxic Biohazard
TVersity Media Server 1.0.0.8 RC5
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
VideoLAN VLC media player 0.8.6a
Windows Live installer
Windows Live Mail
Windows Live Sign-in Assistant
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows XP Service Pack 3
WinRAR archiver
WinZip
X3watch 5.0.6

Please help, thanks.
Nic
Tetracide
Regular Member
 
Posts: 20
Joined: May 13th, 2010, 9:43 am

Re: Malware galore

Post by deltalima » May 17th, 2010, 6:14 am

Hi Tetracide,

Welcome to the forum.

My nickname is deltalima and I will be helping you with your computer problems.

The logs can take some time to research, so please be patient with me.

Please be aware that removing Malware is a potentially hazardous undertaking. I will take care not to knowingly suggest courses of action that might damage your computer. However, it is impossible for me to foresee all interactions that may happen between the software on your computer and those we'll use to clear you of infection, and I cannot guarantee the safety of your system. It is possible that we might encounter situations where the only recourse is to re-format and re-install your operating system, or to necessitate you taking your computer to a repair shop.


Please note the following:
  • I will be working on your Malware issues; this may or may not solve other issues you have with your machine.
  • The fixes are specific to your problem and should only be used for this issue on this machine.
  • Please continue to review my answers until I tell you your machine appears to be clear. Absence of symptoms does not mean that everything is clear.
  • If after 3 days you have not responded to this topic, it will be closed, and you will need to start a new one.
  • It's often worth reading through these instructions and printing them for ease of reference.
  • If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry.
  • Please reply to this thread. Do not start a new topic.

Please let me know if this computer is used for business purposes.
deltalima
Admin/Teacher
Posts: 7614
Joined: February 28th, 2009, 4:38 pm
Location: UK

Re: Malware galore

Post by Tetracide » May 17th, 2010, 1:44 pm

Hi Deltalima,
I'm glad you responded. My computer is used for personal purposes, e.g. for my studies.
BTW, looking forward to working with you.
Tetracide
Regular Member
 
Posts: 20
Joined: May 13th, 2010, 9:43 am

Re: Malware galore

Post by deltalima » May 17th, 2010, 2:06 pm

Hi Tetracide,

Download SystemLook and save it to your Desktop.

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    :filefind
    winmm.dll
  • Click the Look button to start the scan.
  • When finished, a Notepad window will open with the results of the scan. Please post this log in your next reply.

Note: The log can also be found on your Desktop entitled SystemLook.txt

Defogger
Disable Drivers
Please download DeFogger... by jpshortstuff. Save it to your desktop.
  1. Double click DeFogger.exe to run the tool. The application window will appear.
  2. Click the Disable button to disable your CD Emulation drivers.
  3. Click Yes to continue. A 'Finished!' message will appear. Click OK.
  4. Click OK when DeFogger asks to reboot the machine.
Do not re-enable these drivers until otherwise instructed.
IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_disable which will appear on your desktop.

Download and run OTL
Download OTL by Old Timer and save it to your Desktop.
  • Double click on OTL.exe to run it.
  • Under Output, ensure that Minimal Output is selected.
  • Under Extra Registry section, select Use SafeList.
  • Click the Scan All Users checkbox.
  • Click on Run Scan at the top left hand corner.
  • When done, two Notepad files will open.
    • OTL.txt <-- Will be opened
    • Extras.txt <-- Will be minimized
  • Please post the contents of these 2 Notepad files in your next reply.

Please download GMER Rootkit Scanner from here.
  • Double click the .exe file. If asked to allow gmer.sys driver to load, please consent
  • If it gives you a warning at program start about rootkit activity and asks if you want to run a scan...click NO.
  • Run Gmer again and click on the Rootkit tab.
  • Look at the right hand side (under Files) and uncheck all drives with the exception of your C drive.
  • Make sure all other boxes on the right of the screen are checked, EXCEPT for "Show All".
  • Click on the "Scan" and wait for the scan to finish.
    Note: Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while this scan completes. Also do not use your computer during the scan.
  • When completed, click on the Copy button and right-click on your Desktop, choose "New" > Text document. Once the file is created, open it and right-click again and choose Paste or Ctrl+V. Save the file as gmer.txt and copy the information in your next reply.
  • Note: If you have any problems, try running GMER in SAFE MODE
Important! Please do not select the "Show all" checkbox during the scan.

Please post the GMER log along with SystemLook.txt, OTL.txt and Extras.txt from the OTL scan into your next reply.
deltalima
Admin/Teacher
Posts: 7614
Joined: February 28th, 2009, 4:38 pm
Location: UK

Re: Malware galore

Post by Tetracide » May 18th, 2010, 4:47 am

Hey Deltalima, about DeFogger... my PC boots up from the CD-ROM; will the disabled drivers affect the boot-up process?
Tetracide
Regular Member
 
Posts: 20
Joined: May 13th, 2010, 9:43 am

Re: Malware galore

Post by Tetracide » May 18th, 2010, 4:51 am

PS: Here's the SystemLook log:

SystemLook v1.0 by jpshortstuff (11.01.10)
Log created at 10:44 on 18/05/2010 by Nicolas Saal (Administrator - Elevation successful)

========== filefind ==========

Searching for "winmm.dll"
C:\WINDOWS\$NtServicePackUninstall$\winmm.dll -----c 176128 bytes [17:06 04/01/2010] [22:56 03/08/2004] 90FDAA22F38D9E911F91FA3B8A1F7E5D
C:\WINDOWS\ServicePackFiles\i386\winmm.dll ------ 176128 bytes [18:04 03/09/2008] [03:42 14/04/2008] F1300D0B4C40754A01DF16F350F0EF60
C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\winmm.dll --a--- 176128 bytes [20:10 02/10/2008] [00:12 14/04/2008] F1300D0B4C40754A01DF16F350F0EF60
C:\WINDOWS\system32\winmm.dll --a--- 176128 bytes [18:03 03/09/2008] [03:42 14/04/2008] F1300D0B4C40754A01DF16F350F0EF60

-=End Of File=-
Tetracide
Regular Member
 
Posts: 20
Joined: May 13th, 2010, 9:43 am
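The point of the SystemLook request above is that winmm.dll is named in the O20 AppInit_DLLs entry of the HijackThis log, so every copy of it on disk was listed with its MD5. The following is an added example, not code from the thread or from SystemLook, that parses that filefind output and compares the live system32 copy against the ServicePackFiles copy; it assumes, as the helper's request implies, that the ServicePackFiles copy is the known-good reference, and the function names and directory defaults are my own.

```python
"""Check SystemLook ':filefind' results for a DLL named in AppInit_DLLs.

Added example, not part of the forum thread or of SystemLook itself. Every
copy of the searched file is listed with its MD5, so the live copy in
system32 can be compared with the service pack reference copy under
ServicePackFiles. A live copy whose hash differs from the reference deserves
a closer look; the pre-service-pack backup under $NtServicePackUninstall$ is
expected to differ (it is the older SP2 build of the same file).
"""
import ntpath
import re

# Sample in SystemLook's filefind format, reproducing the four lines posted above.
SAMPLE_LOG = r"""SystemLook v1.0 by jpshortstuff (11.01.10)

========== filefind ==========

Searching for "winmm.dll"
C:\WINDOWS\$NtServicePackUninstall$\winmm.dll -----c 176128 bytes [17:06 04/01/2010] [22:56 03/08/2004] 90FDAA22F38D9E911F91FA3B8A1F7E5D
C:\WINDOWS\ServicePackFiles\i386\winmm.dll ------ 176128 bytes [18:04 03/09/2008] [03:42 14/04/2008] F1300D0B4C40754A01DF16F350F0EF60
C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\winmm.dll --a--- 176128 bytes [20:10 02/10/2008] [00:12 14/04/2008] F1300D0B4C40754A01DF16F350F0EF60
C:\WINDOWS\system32\winmm.dll --a--- 176128 bytes [18:03 03/09/2008] [03:42 14/04/2008] F1300D0B4C40754A01DF16F350F0EF60

-=End Of File=-
"""

# One result line: path, six attribute flags, size, two timestamps, MD5.
LINE_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?) (?P<attrs>[-a-z]{6}) (?P<size>\d+) bytes "
    r"\[(?P<mtime>[^\]]+)\] \[(?P<ctime>[^\]]+)\] (?P<md5>[0-9A-Fa-f]{32})$"
)
SEARCH_RE = re.compile(r'^Searching for "(?P<name>[^"]+)"$')


def parse_filefind(text):
    """Return {searched name: [entry dicts]} from a SystemLook filefind log."""
    results = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = SEARCH_RE.match(line)
        if m:
            current = m.group("name")
            results.setdefault(current, [])  # record the name even if nothing was found
            continue
        m = LINE_RE.match(line)
        if m and current is not None:
            entry = m.groupdict()
            entry["size"] = int(entry["size"])
            entry["md5"] = entry["md5"].upper()
            results[current].append(entry)
    return results


def assess_live_copy(entries, live_dir=r"C:\WINDOWS\system32",
                     reference_dir=r"C:\WINDOWS\ServicePackFiles\i386"):
    """Compare the live copy of a file with the service pack reference copy.

    Returns the verdict ('match', 'mismatch' or 'incomplete' when either copy
    is missing), the live copy's MD5 and the paths of all copies whose MD5
    differs from the live one. Directory names are compared case-insensitively.
    """
    def in_dir(entry, directory):
        return ntpath.dirname(entry["path"]).lower() == directory.lower()

    live = next((e for e in entries if in_dir(e, live_dir)), None)
    ref = next((e for e in entries if in_dir(e, reference_dir)), None)
    if live is None or ref is None:
        return {"verdict": "incomplete", "live_md5": None, "differing": []}
    differing = [e["path"] for e in entries if e["md5"] != live["md5"]]
    verdict = "match" if live["md5"] == ref["md5"] else "mismatch"
    return {"verdict": verdict, "live_md5": live["md5"], "differing": differing}


if __name__ == "__main__":
    for name, found in parse_filefind(SAMPLE_LOG).items():
        print(name, assess_live_copy(found))
```

On the log posted above the verdict is "match": the system32 copy carries the same MD5 as the ServicePackFiles copy, and the only differing copy is the SP2 backup under $NtServicePackUninstall$.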

Re: Malware galore

Post by deltalima » May 18th, 2010, 5:03 am

Hi Tetracide,

About DeFogger... my PC boots up from the CD-ROM; will the disabled drivers affect the boot-up process?

It should not affect the boot process, but for now skip DeFogger and run OTL and GMER.

Please let me know why the computer needs to boot from CD and not the C: drive.
deltalima
Admin/Teacher
Posts: 7614
Joined: February 28th, 2009, 4:38 pm
Location: UK

Re: Malware galore

Post by Tetracide » May 18th, 2010, 8:03 am

It's an old problem that goes way back; however, I actually don't know why it needs to boot from the CD.
Please find the requested logs below.



OTL logfile created on: 2010/05/18 11:15:25 AM - Run 1
OTL by OldTimer - Version 3.2.4.1 Folder = C:\Documents and Settings\Nicolas Saal\Desktop\antivirus
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.11)
Locale: 00001C09 | Country: South Africa | Language: ENS | Date Format: yyyy/MM/dd

1.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 62.00% Memory free
3.00 Gb Paging File | 3.00 Gb Available in Paging File | 85.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 73.40 Gb Total Space | 20.29 Gb Free Space | 27.65% Space Free | Partition Type: NTFS
Drive D: | 19.53 Gb Total Space | 18.96 Gb Free Space | 97.08% Space Free | Partition Type: NTFS
Drive E: | 54.99 Gb Total Space | 0.82 Gb Free Space | 1.49% Space Free | Partition Type: NTFS
Drive F: | 473.56 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
Drive G: | 2.92 Gb Total Space | 0.82 Gb Free Space | 28.02% Space Free | Partition Type: NTFS
Drive H: | 74.53 Gb Total Space | 44.23 Gb Free Space | 59.35% Space Free | Partition Type: NTFS
I: Drive not present or media not loaded

Computer Name: NIC
Current User Name: Nicolas Saal
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Minimal

========== Processes (SafeList) ==========

PRC - C:\Documents and Settings\Nicolas Saal\Desktop\antivirus\OTL.exe (OldTimer Tools)
PRC - C:\Documents and Settings\Nicolas Saal\Desktop\antivirus\SystemLook.exe ()
PRC - C:\WINDOWS\system32\userini.exe ()
PRC - C:\WINDOWS\services.exe ()
PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
PRC - C:\WINDOWS\system32\douresy.exe (Four-F)
PRC - C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (Google Inc.)
PRC - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe (McAfee, Inc.)
PRC - C:\Program Files\McAfee\VirusScan Enterprise\shstat.exe (McAfee, Inc.)
PRC - C:\WINDOWS\system32\mfevtps.exe (McAfee, Inc.)
PRC - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe (McAfee, Inc.)
PRC - C:\Program Files\McAfee\VirusScan Enterprise\mfeann.exe (McAfee, Inc.)
PRC - C:\Program Files\McAfee\VirusScan Enterprise\EngineServer.exe (McAfee, Inc.)
PRC - C:\Program Files\TVersity\Media Server\MediaServer.exe ()
PRC - c:\Program Files\Altera\80sp1\quartus\bin\jtagserver.exe ()
PRC - C:\Program Files\X3watch\x3watch.exe (Tiger Green Productions LLC)
PRC - C:\WINDOWS\system32\dwwin.exe (Microsoft Corporation)
PRC - C:\WINDOWS\system32\cmd.exe (Microsoft Corporation)
PRC - C:\Program Files\Google\Google Talk\googletalk.exe (Google)
PRC - C:\Program Files\McAfee\Common Framework\naPrdMgr.exe (McAfee, Inc.)
PRC - C:\Program Files\McAfee\Common Framework\UdaterUI.exe (McAfee, Inc.)
PRC - C:\Program Files\McAfee\Common Framework\FrameworkService.exe (McAfee, Inc.)
PRC - C:\Program Files\McAfee\Common Framework\Mctray.exe (McAfee, Inc.)
PRC - C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe (Sony Ericsson Mobile Communications AB)
PRC - C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder.exe (Hewlett-Packard)
PRC - C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe (Adobe Systems Incorporated)
PRC - C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe (Sony Ericsson Mobile Communications AB)
PRC - C:\WINDOWS\soundman.exe (Realtek Semiconductor Corp.)
PRC - C:\Program Files\Common Files\Teleca Shared\Generic.exe (Teleca Software Solutions)
PRC - C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe (Teleca Software Solutions AB)
PRC - C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe (Adobe Systems Incorporated)


========== Modules (SafeList) ==========

MOD - C:\Documents and Settings\Nicolas Saal\Desktop\antivirus\OTL.exe (OldTimer Tools)
MOD - C:\WINDOWS\system32\msscript.ocx (Microsoft Corporation)


========== Win32 Services (SafeList) ==========

SRV - (McShield) -- C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe (McAfee, Inc.)
SRV - (mfevtp) -- C:\WINDOWS\system32\mfevtps.exe (McAfee, Inc.)
SRV - (McTaskManager) -- C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe (McAfee, Inc.)
SRV - (McAfeeEngineService) -- C:\Program Files\McAfee\VirusScan Enterprise\EngineServer.exe (McAfee, Inc.)
SRV - (TVersityMediaServer) -- C:\Program Files\TVersity\Media Server\MediaServer.exe ()
SRV - (JTAGServer) -- c:\Program Files\Altera\80sp1\quartus\bin\jtagserver.exe ()
SRV - (WLSetupSvc) -- C:\Program Files\Windows Live\installer\WLSetupSvc.exe (Microsoft Corporation)
SRV - (McAfeeFramework) -- C:\Program Files\McAfee\Common Framework\FrameworkService.exe (McAfee, Inc.)


========== Driver Services (SafeList) ==========

DRV - (ykdktedr) -- C:\WINDOWS\System32\Drivers\ykdktedr.sys ()
DRV - (drmkaudq) -- C:\WINDOWS\system32\drivers\drmkaudq.sys (Microsoft Corporation)
DRV - (DMusicq) -- C:\WINDOWS\system32\drivers\DMusicq.sys (Microsoft Corporation)
DRV - (AsyncMacq) -- C:\WINDOWS\system32\drivers\AsyncMacq.sys (Microsoft Corporation)
DRV - (protect) -- C:\WINDOWS\system32\drivers\protect.sys ()
DRV - (aecq) -- C:\WINDOWS\system32\drivers\aecq.sys (Microsoft Corporation)
DRV - (sptd) -- C:\WINDOWS\System32\Drivers\sptd.sys ()
DRV - (mfehidk) -- C:\WINDOWS\system32\drivers\mfehidk.sys (McAfee, Inc.)
DRV - (mfeavfk) -- C:\WINDOWS\system32\drivers\mfeavfk.sys (McAfee, Inc.)
DRV - (mfeapfk) -- C:\WINDOWS\system32\drivers\mfeapfk.sys (McAfee, Inc.)
DRV - (mferkdet) -- C:\WINDOWS\system32\drivers\mferkdet.sys (McAfee, Inc.)
DRV - (mfetdik) -- C:\WINDOWS\system32\drivers\mfetdik.sys (McAfee, Inc.)
DRV - (mfebopk) -- C:\WINDOWS\system32\drivers\mfebopk.sys (McAfee, Inc.)
DRV - (Sntnlusb) -- C:\WINDOWS\system32\drivers\SNTNLUSB.SYS (Rainbow Technologies Inc.)
DRV - (Sentinel) -- C:\WINDOWS\System32\Drivers\SENTINEL.SYS (Rainbow Technologies, Inc.)
DRV - (AlteraByteBlaster) -- C:\WINDOWS\system32\drivers\pgdhdlc.sys (Altera Corporation)
DRV - (nv) -- C:\WINDOWS\system32\drivers\nv4_mini.sys (NVIDIA Corporation)
DRV - (ALCXWDM) Service for Realtek AC97 Audio (WDM) -- C:\WINDOWS\system32\drivers\alcxwdm.sys (Realtek Semiconductor Corp.)
DRV - (nvata) -- C:\WINDOWS\system32\DRIVERS\nvata.sys (NVIDIA Corporation)
DRV - (nvnetbus) -- C:\WINDOWS\system32\drivers\nvnetbus.sys (NVIDIA Corporation)
DRV - (NVENETFD) -- C:\WINDOWS\system32\drivers\NVENETFD.sys (NVIDIA Corporation)
DRV - (irsir) -- C:\WINDOWS\system32\drivers\irsir.sys (Microsoft Corporation)
DRV - (VIAPFD) -- C:\WINDOWS\System32\Drivers\VIAPFD.SYS (VIA Technologies. Inc.)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie


IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-1292428093-583907252-725345543-1004\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
IE - HKU\S-1-5-21-1292428093-583907252-725345543-1004\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = about:blank
IE - HKU\S-1-5-21-1292428093-583907252-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========


FF - HKLM\software\mozilla\Mozilla Firefox 2.0.0.18\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/03/20 22:43:35 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 2.0.0.18\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/02/23 23:10:38 | 000,000,000 | ---D | M]

[2008/09/03 19:57:49 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Nicolas Saal\Application Data\Mozilla\Firefox\Profiles\qm6jwcxp.default\extensions
[2008/09/03 19:57:57 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2008/10/04 15:24:32 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions\talkback@mozilla.org
[2008/11/15 23:01:41 | 000,067,696 | ---- | M] (Mozilla Foundation) -- C:\Program Files\Mozilla Firefox\components\jar50.dll
[2008/11/15 23:01:41 | 000,054,376 | ---- | M] (Mozilla Foundation) -- C:\Program Files\Mozilla Firefox\components\jsd3250.dll
[2008/11/15 23:01:41 | 000,034,952 | ---- | M] (Mozilla Foundation) -- C:\Program Files\Mozilla Firefox\components\myspell.dll
[2009/08/31 20:07:00 | 000,023,864 | ---- | M] (McAfee, Inc.) -- C:\Program Files\Mozilla Firefox\components\Scriptff.dll
[2008/11/15 23:01:41 | 000,046,720 | ---- | M] (Mozilla Foundation) -- C:\Program Files\Mozilla Firefox\components\spellchk.dll
[2008/11/15 23:01:42 | 000,172,144 | ---- | M] (Mozilla Foundation) -- C:\Program Files\Mozilla Firefox\components\xpinstal.dll

O1 HOSTS File: ([2001/08/23 14:00:00 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.5.4723.1820\swg.dll (Google Inc.)
O3 - HKLM\..\Toolbar: (Google Toolbar) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O3 - HKU\S-1-5-21-1292428093-583907252-725345543-1004\..\Toolbar\WebBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O4 - HKLM..\Run: [] File not found
O4 - HKLM..\Run: [Adobe Photo Downloader] C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [fuhi] C:\WINDOWS\system32\douresy.exe (Four-F)
O4 - HKLM..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe (Google)
O4 - HKLM..\Run: [McAfeeUpdaterUI] C:\Program Files\McAfee\Common Framework\UdaterUI.exe (McAfee, Inc.)
O4 - HKLM..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe (Nero AG)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] C:\WINDOWS\System32\NvMcTray.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [nwiz] C:\WINDOWS\System32\nwiz.exe ()
O4 - HKLM..\Run: [OrderReminder] C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder.exe (Hewlett-Packard)
O4 - HKLM..\Run: [RegistryMechanic] File not found
O4 - HKLM..\Run: [services] C:\WINDOWS\services.exe ()
O4 - HKLM..\Run: [ShStatEXE] C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE (McAfee, Inc.)
O4 - HKLM..\Run: [Sony Ericsson PC Suite] C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe (Sony Ericsson Mobile Communications AB)
O4 - HKLM..\Run: [SoundMan] C:\WINDOWS\soundman.exe (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [userini] C:\WINDOWS\system32\userini.exe ()
O4 - HKLM..\Run: [x3watch] C:\Program Files\X3watch\x3watch.exe (Tiger Green Productions LLC)
O4 - HKU\S-1-5-21-1292428093-583907252-725345543-1004..\Run: [DAEMON Tools Lite] C:\Program Files\DAEMON Tools Lite\DTLite.exe File not found
O4 - HKU\S-1-5-21-1292428093-583907252-725345543-1004..\Run: [duzvqq] C:\WINDOWS\system32\m9i1za72tk.exe ()
O4 - HKU\S-1-5-21-1292428093-583907252-725345543-1004..\Run: [hdojaav] C:\WINDOWS\system32\w6ii870v.exe ()
O4 - HKU\S-1-5-21-1292428093-583907252-725345543-1004..\Run: [lmrnii] C:\WINDOWS\System32\zqg0ccxo.exe File not found
O4 - HKU\S-1-5-21-1292428093-583907252-725345543-1004..\Run: [MSConfig] C:\Documents and Settings\Nicolas Saal\kuf.exe ()
O4 - HKU\S-1-5-21-1292428093-583907252-725345543-1004..\Run: [qddzp] C:\WINDOWS\System32\vvbw1svvm.exe File not found
O4 - HKU\S-1-5-21-1292428093-583907252-725345543-1004..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (Google Inc.)
O4 - HKU\S-1-5-21-1292428093-583907252-725345543-1004..\Run: [userini] C:\WINDOWS\system32\userini.exe ()
O4 - HKU\S-1-5-21-1292428093-583907252-725345543-1004..\Run: [wwridd] C:\WINDOWS\System32\p83g9c1ttkk.exe File not found
O4 - HKU\S-1-5-21-1292428093-583907252-725345543-1004..\Run: [xoojv] C:\WINDOWS\System32\6f60ccx.exe File not found
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe (Adobe Systems Incorporated)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run: userini = C:\WINDOWS\system32\userini.exe ()
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-1292428093-583907252-725345543-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-1292428093-583907252-725345543-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run: userini = C:\WINDOWS\system32\userini.exe ()
O8 - Extra context menu item: Google Sidewiki... - C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll (Google Inc.)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/fl ... rashim.cab (Reg Error: Key error.)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/s ... wflash.cab (Shockwave Flash Object)
O16 - DPF: Microsoft XML Parser for Java file:///C:/WINDOWS/Java/classes/xmldso.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.2.1
O18 - Protocol\Handler\wlmailhtml {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - C:\Program Files\Windows Live\Mail\mailcomm.dll (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: TaskMan - (C:\Documents and Settings\Nicolas Saal\ctfmon.exe) - C:\Documents and Settings\Nicolas Saal\ctfmon.exe ()
O20 - HKU\S-1-5-21-1292428093-583907252-725345543-1004 Winlogon: Shell - (C:\Documents and Settings\Nicolas Saal\ctfmon.exe) - C:\Documents and Settings\Nicolas Saal\ctfmon.exe ()
O20 - HKU\S-1-5-21-1292428093-583907252-725345543-1004 Winlogon: Shell - (C:\Documents and Settings\Nicolas Saal\Application Data\dxlreu.exe) - C:\Documents and Settings\Nicolas Saal\Application Data\dxlreu.exe File not found
O20 - HKU\S-1-5-21-1292428093-583907252-725345543-1004 Winlogon: Shell - (explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKU\S-1-5-21-1292428093-583907252-725345543-1004 Winlogon: Shell - (C:\RECYCLER\S-1-5-21-9164053057-0251519115-740512186-1954\yv8g67.exe) - C:\RECYCLER\S-1-5-21-9164053057-0251519115-740512186-1954\yv8g67.exe ()
O24 - Desktop WallPaper: C:\Documents and Settings\Nicolas Saal\My Documents\My Pictures\Bmps\Garenteed success.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Nicolas Saal\My Documents\My Pictures\Bmps\Garenteed success.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2008/09/03 19:04:07 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2001/08/23 14:00:00 | 000,000,110 | R--- | M] () - F:\AUTORUN.INF -- [ CDFS ]
O32 - AutoRun File - [2010/05/17 19:37:27 | 000,000,379 | ---- | M] () - H:\autorun.inf -- [ NTFS ]
O33 - MountPoints2\{21f67e4e-eab6-11d7-bbd8-00016ce7734d}\Shell - "" = AutoRun
O33 - MountPoints2\{21f67e4e-eab6-11d7-bbd8-00016ce7734d}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{48115364-52f2-11df-a13d-00016ce7734d}\Shell\auTOpLAY\CoMmAnD - "" = H:\puocs.exe -- File not found
O33 - MountPoints2\{48115364-52f2-11df-a13d-00016ce7734d}\Shell\AutoRun\command - "" = H:\puocs.exe -- File not found
O33 - MountPoints2\{48115364-52f2-11df-a13d-00016ce7734d}\Shell\EXPLORE\cOmmand - "" = H:\puocs.exe -- File not found
O33 - MountPoints2\{48115364-52f2-11df-a13d-00016ce7734d}\Shell\opeN\comMaND - "" = H:\puocs.exe -- File not found
O33 - MountPoints2\{48eab38a-e5f2-11d7-bbcd-00016ce7734d}\Shell - "" = AutoRun
O33 - MountPoints2\{48eab38a-e5f2-11d7-bbcd-00016ce7734d}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{8518b0e0-e163-11d7-bbc4-00016ce7734d}\Shell\AutoRun\command - "" = USBVAULT\sys.exe
O33 - MountPoints2\{8518b0e0-e163-11d7-bbc4-00016ce7734d}\Shell\explore\command - "" = USBVAULT/sys.exe
O33 - MountPoints2\{8518b0e0-e163-11d7-bbc4-00016ce7734d}\Shell\open\command - "" = USBVAULT/sys.exe
O33 - MountPoints2\{ae1165c0-9d6f-11de-a029-00016ce7734d}\Shell\AutoRun\command - "" = I:\CNN\A\Lic.exe -- File not found
O33 - MountPoints2\{ae1165c0-9d6f-11de-a029-00016ce7734d}\Shell\open\command - "" = I:\CNN\A\Lic.exe -- File not found
O33 - MountPoints2\{bbde9c6e-eda7-11d7-bbe0-00016ce7734d}\Shell - "" = AutoRun
O33 - MountPoints2\{bbde9c6e-eda7-11d7-bbe0-00016ce7734d}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{bbde9c6e-eda7-11d7-bbe0-00016ce7734d}\Shell\AutoRun\command - "" = K:\LaunchU3.exe -- File not found
O33 - MountPoints2\{bbde9c6f-eda7-11d7-bbe0-00016ce7734d}\Shell\AutoRun\command - "" = L:\ravira\ravira32.exe -- File not found
O33 - MountPoints2\{bbde9c6f-eda7-11d7-bbe0-00016ce7734d}\Shell\explore\command - "" = L:\ravira\ravira32.exe -- File not found
O33 - MountPoints2\{bbde9c6f-eda7-11d7-bbe0-00016ce7734d}\Shell\open\command - "" = L:\.\ravira\ravira32.exe -- File not found
O33 - MountPoints2\{ffbc33c1-e07a-11d7-bbc3-00016ce7734d}\Shell\AutoRun\command - "" = J:\Recycle\X-5-4-27-2345678318-4567890223-4234567884-2341\RisinG.exe -- File not found
O33 - MountPoints2\{ffbc33c1-e07a-11d7-bbc3-00016ce7734d}\Shell\open\command - "" = J:\Recycle\X-5-4-27-2345678318-4567890223-4234567884-2341\RisinG.exe -- File not found
O33 - MountPoints2\H\Shell - "" = AutoRun
O33 - MountPoints2\H\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\H\Shell\AutoRun\command - "" = H:\LaunchU3.exe -- File not found
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010/05/16 15:45:42 | 000,012,192 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\drmkaudq.sys
[2010/05/16 10:32:30 | 000,012,192 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\DMusicq.sys
[2010/05/14 22:30:52 | 000,000,000 | ---D | C] -- C:\Program Files\Trend Micro
[2010/05/14 22:17:48 | 000,012,192 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\AsyncMacq.sys
[2010/05/13 12:58:35 | 000,011,648 | ---- | C] (Prevx Limited, http://www.prevx1.com/) -- C:\WINDOWS\System32\drivers\pxscrmbl.sys
[2010/05/13 10:49:35 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Nicolas Saal\Desktop\antivirus
[2010/05/13 10:33:37 | 000,321,024 | ---- | C] (Four-F) -- C:\WINDOWS\System32\zottewoobi.exe
[2010/05/13 10:33:27 | 000,012,192 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\aecq.sys
[2010/05/13 10:32:37 | 000,321,024 | ---- | C] (Four-F) -- C:\WINDOWS\System32\douresy.exe
[2010/05/12 10:10:25 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Nicolas Saal\Desktop\dsp
[2010/05/11 19:35:56 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Nicolas Saal\Desktop\NVP
[2010/05/09 17:41:41 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Nicolas Saal\My Documents\EEE4054F
[2010/05/08 11:16:45 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Nicolas Saal\Desktop\Flash A
[2010/05/05 13:50:54 | 000,000,000 | ---D | C] -- C:\Hard drive backup
[2010/04/29 20:21:47 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Nicolas Saal\My Documents\how to
[2010/04/18 15:35:59 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Nicolas Saal\My Documents\MEC4054Z
[6 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[21 C:\*.tmp files -> C:\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/05/18 11:16:40 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\explorer.exe
[2010/05/18 11:16:40 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
[2010/05/18 10:38:05 | 000,050,257 | ---- | M] () -- C:\WINDOWS\System32\nvapps.xml
[2010/05/18 10:37:58 | 000,000,882 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2010/05/18 10:37:53 | 000,002,422 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/05/18 10:37:53 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/05/18 10:37:50 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/05/18 07:50:09 | 009,437,184 | ---- | M] () -- C:\Documents and Settings\Nicolas Saal\NTUSER.DAT
[2010/05/18 07:50:09 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\Nicolas Saal\ntuser.ini
[2010/05/18 07:35:00 | 000,000,886 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2010/05/18 05:56:08 | 000,000,436 | -H-- | M] () -- C:\WINDOWS\tasks\User_Feed_Synchronization-{13F77EFD-9F3E-42F6-B936-C65219B5BDFA}.job
[2010/05/17 19:05:23 | 000,055,296 | ---- | M] () -- C:\WINDOWS\System32\userini.exe
[2010/05/17 19:05:00 | 000,045,568 | -H-- | M] () -- C:\WINDOWS\System32\secupdat.dat
[2010/05/17 19:05:00 | 000,045,568 | -H-- | M] () -- C:\Documents and Settings\Nicolas Saal\secupdat.dat
[2010/05/17 19:05:00 | 000,018,432 | -H-- | M] () -- C:\Documents and Settings\Nicolas Saal\kuf.exe
[2010/05/17 19:04:32 | 000,041,984 | RHS- | M] () -- C:\WINDOWS\System32\w6ii870v.exe
[2010/05/17 19:04:16 | 000,041,984 | RHS- | M] () -- C:\WINDOWS\System32\m9i1za72tk.exe
[2010/05/17 18:00:00 | 000,000,456 | ---- | M] () -- C:\WINDOWS\tasks\ParetoLogic Registration.job
[2010/05/17 14:27:47 | 000,000,116 | ---- | M] () -- C:\WINDOWS\NeroDigital.ini
[2010/05/17 14:27:45 | 000,009,728 | ---- | M] () -- C:\Documents and Settings\Nicolas Saal\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/05/16 22:27:13 | 000,054,272 | ---- | M] () -- C:\WINDOWS\services.exe
[2010/05/16 21:15:20 | 000,040,128 | ---- | M] () -- C:\WINDOWS\System32\drivers\ykdktedr.sys
[2010/05/16 15:45:42 | 000,012,192 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\drmkaudq.sys
[2010/05/16 10:32:30 | 000,012,192 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\DMusicq.sys
[2010/05/14 22:30:54 | 000,001,998 | ---- | M] () -- C:\Documents and Settings\Nicolas Saal\Desktop\HiJackThis.lnk
[2010/05/14 22:17:48 | 000,012,192 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\AsyncMacq.sys
[2010/05/13 13:27:02 | 000,018,944 | -H-- | M] () -- C:\WINDOWS\System32\drivers\protect.sys
[2010/05/13 12:26:43 | 000,000,051 | ---- | M] () -- C:\WINDOWS\wininit.ini
[2010/05/13 10:33:27 | 000,012,192 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\aecq.sys
[2010/05/13 10:32:38 | 000,321,024 | ---- | M] (Four-F) -- C:\WINDOWS\System32\zottewoobi.exe
[2010/05/13 10:32:38 | 000,321,024 | ---- | M] (Four-F) -- C:\WINDOWS\System32\douresy.exe
[2010/05/13 10:28:17 | 000,159,744 | RHS- | M] () -- C:\Documents and Settings\Nicolas Saal\ctfmon.exe
[2010/05/05 17:14:13 | 000,283,714 | ---- | M] () -- C:\Documents and Settings\Nicolas Saal\Desktop\mod C.rar
[2010/05/05 11:05:55 | 000,284,751 | ---- | M] () -- C:\Documents and Settings\Nicolas Saal\Desktop\tuts.zip
[2010/05/04 01:19:53 | 000,020,480 | ---- | M] () -- C:\Documents and Settings\Nicolas Saal\Desktop\Today Is The Very First Day Of The Rest Of Your Life.doc
[2010/04/30 21:09:53 | 000,329,216 | ---- | M] () -- C:\Documents and Settings\Nicolas Saal\My Documents\parlotones.doc
[2010/04/25 18:09:51 | 000,027,136 | ---- | M] () -- C:\Documents and Settings\Nicolas Saal\Desktop\PART1.doc
[6 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[21 C:\*.tmp files -> C:\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/05/17 19:05:11 | 000,041,984 | RHS- | C] () -- C:\WINDOWS\System32\m9i1za72tk.exe
[2010/05/17 19:05:01 | 000,041,984 | RHS- | C] () -- C:\WINDOWS\System32\w6ii870v.exe
[2010/05/17 19:05:00 | 000,018,432 | -H-- | C] () -- C:\Documents and Settings\Nicolas Saal\kuf.exe
[2010/05/16 22:27:17 | 000,054,272 | ---- | C] () -- C:\WINDOWS\services.exe
[2010/05/16 21:15:20 | 000,040,128 | ---- | C] () -- C:\WINDOWS\System32\drivers\ykdktedr.sys
[2010/05/16 15:45:26 | 000,045,568 | -H-- | C] () -- C:\WINDOWS\System32\secupdat.dat
[2010/05/16 15:45:26 | 000,045,568 | -H-- | C] () -- C:\Documents and Settings\Nicolas Saal\secupdat.dat
[2010/05/16 10:31:23 | 000,055,296 | ---- | C] () -- C:\WINDOWS\System32\userini.exe
[2010/05/14 22:30:54 | 000,001,998 | ---- | C] () -- C:\Documents and Settings\Nicolas Saal\Desktop\HiJackThis.lnk
[2010/05/13 13:27:02 | 000,018,944 | -H-- | C] () -- C:\WINDOWS\System32\drivers\protect.sys
[2010/05/13 10:53:36 | 000,000,051 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2010/05/13 10:35:45 | 000,000,060 | ---- | C] () -- C:\Documents and Settings\Nicolas Saal\Application Data\wiaservg.log
[2010/05/13 10:28:17 | 000,159,744 | RHS- | C] () -- C:\Documents and Settings\Nicolas Saal\ctfmon.exe
[2010/05/05 17:14:13 | 000,283,714 | ---- | C] () -- C:\Documents and Settings\Nicolas Saal\Desktop\mod C.rar
[2010/05/05 13:51:13 | 000,284,751 | ---- | C] () -- C:\Documents and Settings\Nicolas Saal\Desktop\tuts.zip
[2010/05/04 01:19:52 | 000,020,480 | ---- | C] () -- C:\Documents and Settings\Nicolas Saal\Desktop\Today Is The Very First Day Of The Rest Of Your Life.doc
[2010/04/30 21:09:52 | 000,329,216 | ---- | C] () -- C:\Documents and Settings\Nicolas Saal\My Documents\parlotones.doc
[2010/04/26 09:25:26 | 000,027,136 | ---- | C] () -- C:\Documents and Settings\Nicolas Saal\Desktop\PART1.doc
[2010/03/15 22:27:12 | 000,691,696 | ---- | C] () -- C:\WINDOWS\System32\drivers\sptd.sys
[2009/07/28 17:20:51 | 000,106,496 | R--- | C] () -- C:\WINDOWS\System32\VSHP1018.DLL
[2008/12/04 21:37:48 | 000,000,067 | ---- | C] () -- C:\WINDOWS\AVIConverter.INI
[2008/09/06 16:30:22 | 000,000,280 | ---- | C] () -- C:\WINDOWS\System32\epoPGPsdk.dll.sig
[2008/09/04 09:18:47 | 000,157,184 | R--- | C] () -- C:\WINDOWS\System32\RtlCPAPI.dll
[2008/09/03 22:15:58 | 000,000,116 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2008/09/03 22:14:56 | 000,225,280 | ---- | C] () -- C:\WINDOWS\System32\qtmlClient.dll
[2008/09/03 22:14:50 | 001,163,264 | ---- | C] () -- C:\WINDOWS\System32\vorbis.dll
[2008/09/03 22:14:50 | 001,040,384 | ---- | C] () -- C:\WINDOWS\System32\vorbisenc.dll
[2008/09/03 22:14:50 | 000,679,936 | ---- | C] () -- C:\WINDOWS\System32\xvidcore.dll
[2008/09/03 22:14:50 | 000,421,888 | ---- | C] () -- C:\WINDOWS\System32\OpenQuicktimeLib.dll
[2008/09/03 22:14:50 | 000,237,568 | ---- | C] () -- C:\WINDOWS\System32\OggDS.dll
[2008/09/03 22:14:50 | 000,157,696 | ---- | C] () -- C:\WINDOWS\System32\unrar.dll
[2008/09/03 22:14:50 | 000,155,648 | ---- | C] () -- C:\WINDOWS\System32\xvidvfw.dll
[2008/09/03 22:14:50 | 000,077,824 | ---- | C] () -- C:\WINDOWS\System32\vorbisfile.dll
[2008/09/03 22:14:50 | 000,061,440 | ---- | C] () -- C:\WINDOWS\System32\ogg.dll
[2008/09/03 22:14:49 | 000,019,968 | ---- | C] () -- C:\WINDOWS\System32\cpuinf32.dll
[2008/09/03 21:32:05 | 000,000,164 | R--- | C] () -- C:\WINDOWS\avrack.ini
[2008/09/03 19:22:54 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2006/03/31 14:54:00 | 001,662,976 | ---- | C] () -- C:\WINDOWS\System32\nvwdmcpl.dll
[2006/03/31 14:54:00 | 001,466,368 | ---- | C] () -- C:\WINDOWS\System32\nview.dll
[2006/03/31 14:54:00 | 001,019,904 | ---- | C] () -- C:\WINDOWS\System32\nvwimg.dll
[2006/03/31 14:54:00 | 000,573,440 | ---- | C] () -- C:\WINDOWS\System32\nvhwvid.dll
[2006/03/31 14:54:00 | 000,466,944 | ---- | C] () -- C:\WINDOWS\System32\nvshell.dll
[2006/03/31 14:54:00 | 000,286,720 | ---- | C] () -- C:\WINDOWS\System32\nvnt4cpl.dll
[2006/03/31 14:54:00 | 000,098,304 | ---- | C] () -- C:\WINDOWS\System32\nvapi.dll

========== Alternate Data Streams ==========

@Alternate Data Stream - 388169 bytes -> C:\WINDOWS\Temp:temp
< End of report >
OTL Extras logfile created on: 2010/05/18 11:15:25 AM - Run 1
OTL by OldTimer - Version 3.2.4.1 Folder = C:\Documents and Settings\Nicolas Saal\Desktop\antivirus
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.11)
Locale: 00001C09 | Country: South Africa | Language: ENS | Date Format: yyyy/MM/dd

1.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 62.00% Memory free
3.00 Gb Paging File | 3.00 Gb Available in Paging File | 85.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 73.40 Gb Total Space | 20.29 Gb Free Space | 27.65% Space Free | Partition Type: NTFS
Drive D: | 19.53 Gb Total Space | 18.96 Gb Free Space | 97.08% Space Free | Partition Type: NTFS
Drive E: | 54.99 Gb Total Space | 0.82 Gb Free Space | 1.49% Space Free | Partition Type: NTFS
Drive F: | 473.56 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
Drive G: | 2.92 Gb Total Space | 0.82 Gb Free Space | 28.02% Space Free | Partition Type: NTFS
Drive H: | 74.53 Gb Total Space | 44.23 Gb Free Space | 59.35% Space Free | Partition Type: NTFS
I: Drive not present or media not loaded

Computer Name: NIC
Current User Name: Nicolas Saal
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Minimal

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- "C:\Program Files\Microsoft Office\OFFICE11\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [print] -- "C:\Program Files\Microsoft Office\OFFICE11\msohtmed.exe" /p %1 (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [TVersity] -- "C:\Program Files\TVersity\Media Server\GUILaunch.exe" -type "folder" -url "%1" -title "" -tags "" ()
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 1
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\McAfee\Common Framework\FrameworkService.exe" = C:\Program Files\McAfee\Common Framework\FrameworkService.exe:*:Enabled:McAfee Framework Service -- (McAfee, Inc.)
"C:\Program Files\Google\Google Talk\googletalk.exe" = C:\Program Files\Google\Google Talk\googletalk.exe:*:Enabled:Google Talk -- (Google)
"C:\Documents and Settings\Nicolas Saal\Desktop\antivirus\Prevx_2.1.56_Incl_Serial_Freshwap.net\InstallPREVX102001506.exe" = C:\Documents and Settings\Nicolas Saal\Desktop\antivirus\Prevx_2.1.56_Incl_Serial_Freshwap.net\InstallPREVX102001506.exe:*:Enabled:InstallPREVX102001506 -- (Prevx Limited)
"C:\WINDOWS\system32\douresy.exe" = C:\WINDOWS\system32\douresy.exe:*:Disabled:Kernel Mode Driver Manager -- (Four-F)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{13d868cf-47e9-4b3d-9366-a0c60f82e5aa}" = Striata Reader
"{147BCE03-C0F1-4C9F-8157-6A89B6D2D973}" = McAfee VirusScan Enterprise
"{18455581-E099-4BA8-BC6B-F34B2F06600C}" = Google Toolbar for Internet Explorer
"{184E7118-0295-43C4-B72C-1D54AA75AAF7}" = Windows Live Mail
"{226b64e8-dc75-4eea-a6c8-abcb496320f2}-Google Talk" = Google Talk (remove only)
"{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = Google Toolbar for Internet Explorer
"{26B5D684-75D6-44B9-BBFF-D4100F43092A}" = Sony Ericsson PC Suite
"{2792F12C-3515-4D69-8083-B557AF35F06F}" = LightScribe 1.4.89.1
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{45A66726-69BC-466B-A7A4-12FCBA4883D7}" = HiJackThis
"{49FC50FC-F965-40D9-89B4-CBFF80941033}" = Windows Movie Maker 2.0
"{4BDFD2CE-6329-42E4-9801-9B3D1F10D79B}" = Adobe® Photoshop® Album Starter Edition 3.0
"{5CD3C7F5-4F8F-44DE-AAFF-5E6D9F5C9A40}" = Creativity Kit for Windows Movie Maker 2
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
"{91110409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Professional Edition 2003
"{9422C8EA-B0C6-4197-B8FC-DC797658CA00}" = Windows Live Sign-in Assistant
"{A49F249F-0C91-497F-86DF-B2585E8E76B7}" = Microsoft Visual C++ 2005 Redistributable
"{A7E4ECCA-4A8E-4258-8EC8-2DCCF5B11320}" = Windows Live installer
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{AC76BA86-7AD7-1033-7B44-A70000000000}" = Adobe Reader 7.0.7
"{B1C2398C-6FAB-46D1-806C-5942F0829994}" = ParetoLogic Data Recovery
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{F963E257-D531-4AAE-A584-C60EDEB6A6C6}" = Quartus II 8.0sp1 Web Edition
"{FB08F381-6533-4108-B7DD-039E11FBC27E}" = Realtek AC'97 Audio
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player Plugin
"Amadis AVI/DIVX/WMV/MPEG/MOV/SWF/FLV/MKV/RM/RMVB~B26EE446_is1" = Amadis AVI/DIVX/WMV/MPEG/MOV/SWF/FLV/MKV/RM/RMVB Video Converte
"ASIO4ALL" = ASIO4ALL
"dBpowerAMP Music Converter" = dBpowerAMP Music Converter
"FL Studio 6" = FL Studio 6
"FL Studio 7" = FL Studio 7
"FLV Player1.33T" = FLV Player
"HP OrderReminder" = HP OrderReminder
"HP-LaserJet 1018" = LaserJet 1018
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"IL Download Manager" = IL Download Manager
"KLiteCodecPack_is1" = K-Lite Mega Codec Pack 1.33
"McAfee Anti-Spyware Enterprise Module" = McAfee AntiSpyware Enterprise Module
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Mozilla Firefox (2.0.0.18)" = Mozilla Firefox (2.0.0.18)
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"NeroMultiInstaller!UninstallKey" = Nero Suite
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"NVIDIA Drivers" = NVIDIA Drivers
"Rainbow Sentinel Driver" = Sentinel System Driver
"Registry Mechanic_is1" = Registry Mechanic 6.0
"Skype_is1" = Skype™ Beta 0.97
"ST5UNST #1" = project dogwaffle
"Toxic Biohazard" = Toxic Biohazard
"TVersity Media Server " = TVersity Media Server 1.0.0.8 RC5
"VLC media player" = VideoLAN VLC media player 0.8.6a
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 3
"WinRAR archiver" = WinRAR archiver
"WinZip" = WinZip
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0
"X3watch_is1" = X3watch 5.0.6

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 2010/05/17 07:43:14 AM | Computer Name = NIC | Source = Google Update | ID = 20
Description =

Error - 2010/05/17 08:43:14 AM | Computer Name = NIC | Source = Google Update | ID = 20
Description =

Error - 2010/05/17 09:43:14 AM | Computer Name = NIC | Source = Google Update | ID = 20
Description =

Error - 2010/05/17 10:43:14 AM | Computer Name = NIC | Source = Google Update | ID = 20
Description =

Error - 2010/05/17 11:43:15 AM | Computer Name = NIC | Source = Google Update | ID = 20
Description =

Error - 2010/05/17 12:43:14 PM | Computer Name = NIC | Source = Google Update | ID = 20
Description =

Error - 2010/05/17 01:04:46 PM | Computer Name = NIC | Source = Application Error | ID = 1000
Description = Faulting application explorer.exe, version 6.0.2900.5512, faulting
module unknown, version 0.0.0.0, fault address 0x793900a9.

Error - 2010/05/17 11:38:00 PM | Computer Name = NIC | Source = Google Update | ID = 20
Description =

Error - 2010/05/18 04:51:24 AM | Computer Name = NIC | Source = Application Error | ID = 1000
Description = Faulting application userini.exe, version 0.0.0.0, faulting module
userini.exe, version 0.0.0.0, fault address 0x000042b8.

Error - 2010/05/18 04:53:07 AM | Computer Name = NIC | Source = Application Error | ID = 1000
Description = Faulting application userini.exe, version 0.0.0.0, faulting module
userini.exe, version 0.0.0.0, fault address 0x000042b8.

[ System Events ]
Error - 2010/05/14 04:17:49 PM | Computer Name = NIC | Source = Service Control Manager | ID = 7000
Description = The RAS Asynchronous Media Driver service failed to start due to the
following error: %%1117

Error - 2010/05/16 04:32:29 AM | Computer Name = NIC | Source = Service Control Manager | ID = 7011
Description = Timeout (30000 milliseconds) waiting for a transaction response from
the stisvc service.

Error - 2010/05/16 04:32:41 AM | Computer Name = NIC | Source = Service Control Manager | ID = 7000
Description = The Microsoft Kernel DLS Syntheiszer service failed to start due to
the following error: %%1117

Error - 2010/05/16 09:45:43 AM | Computer Name = NIC | Source = Service Control Manager | ID = 7000
Description = The Microsoft Kernel DRM Audio Descrambler service failed to start
due to the following error: %%1117

Error - 2010/05/16 04:25:21 PM | Computer Name = NIC | Source = Dhcp | ID = 1002
Description = The IP address lease 192.168.2.100 for the Network Card with network
address 00016CE7734D has been denied by the DHCP server 192.168.2.1 (The DHCP Server
sent a DHCPNACK message).

Error - 2010/05/17 03:58:31 AM | Computer Name = NIC | Source = Dhcp | ID = 1002
Description = The IP address lease 192.168.2.100 for the Network Card with network
address 00016CE7734D has been denied by the DHCP server 192.168.2.1 (The DHCP Server
sent a DHCPNACK message).

Error - 2010/05/17 04:08:06 AM | Computer Name = NIC | Source = Dhcp | ID = 1002
Description = The IP address lease 192.168.2.100 for the Network Card with network
address 00016CE7734D has been denied by the DHCP server 192.168.2.1 (The DHCP Server
sent a DHCPNACK message).

Error - 2010/05/17 01:02:47 PM | Computer Name = NIC | Source = Dhcp | ID = 1002
Description = The IP address lease 192.168.2.100 for the Network Card with network
address 00016CE7734D has been denied by the DHCP server 192.168.2.1 (The DHCP Server
sent a DHCPNACK message).

Error - 2010/05/17 11:20:10 PM | Computer Name = NIC | Source = Dhcp | ID = 1002
Description = The IP address lease 192.168.2.100 for the Network Card with network
address 00016CE7734D has been denied by the DHCP server 192.168.2.1 (The DHCP Server
sent a DHCPNACK message).

Error - 2010/05/18 04:39:20 AM | Computer Name = NIC | Source = Service Control Manager | ID = 7034
Description = The NVIDIA Display Driver Service service terminated unexpectedly.
It has done this 1 time(s).


< End of report >
Tetracide
Regular Member
 
Posts: 20
Joined: May 13th, 2010, 9:43 am

Re: Malware galore

Unread postby Tetracide » May 18th, 2010, 8:08 am

Please find my GMER log attached; it contained too many characters to post within the log.
Tetracide
Regular Member
 
Posts: 20
Joined: May 13th, 2010, 9:43 am

Re: Malware galore

Unread postby deltalima » May 18th, 2010, 8:12 am

Hi Tetracide,

Malwarebytes Anti-Malware

Please download Malwarebytes' Anti-Malware to your desktop.

  • Double-click mbam-setup.exe and then follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please post that log in your next reply.
The log can also be found here:
  1. Launch Malwarebytes' Anti-Malware
  2. Click on the Logs radio tab.

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.
deltalima
Admin/Teacher
 
Posts: 7614
Joined: February 28th, 2009, 4:38 pm
Location: UK

Re: Malware galore

Unread postby Tetracide » May 18th, 2010, 10:25 am

Malwarebytes log

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4111

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.11

2010/05/18 04:23:34 PM
mbam-log-2010-05-18 (16-23-34).txt

Scan type: Quick scan
Objects scanned: 133985
Time elapsed: 21 minute(s), 9 second(s)

Memory Processes Infected: 4
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 9
Registry Data Items Infected: 3
Folders Infected: 0
Files Infected: 73

Memory Processes Infected:
C:\WINDOWS\services.exe (Trojan.Dropper) -> Unloaded process successfully.
C:\WINDOWS\system32\userini.exe (Trojan.Dropper) -> Unloaded process successfully.
C:\WINDOWS\system32\userini.exe (Trojan.Dropper) -> Unloaded process successfully.
C:\WINDOWS\services.exe (Trojan.Dropper) -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ykdktedr (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\protect (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AsyncMacq (Rootkit.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services (Trojan.FakeAlert.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\userini (Trojan.Dropper) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\userini (Trojan.Dropper) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\userini (Trojan.Dropper) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\userini (Trojan.Dropper) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\shell (Worm.AutoRun) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\host (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\id (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Services\del (Malware.Trace) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CLASSES_ROOT\regfile\shell\open\command\(default) (Broken.OpenCommand) -> Bad: ("regedit.exe" "%1") Good: (regedit.exe "%1") -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Hijack.Shell) -> Bad: (C:\Documents and Settings\Nicolas Saal\ctfmon.exe,C:\Documents and Settings\Nicolas Saal\Application Data\dxlreu.exe,explorer.exe,C:\RECYCLER\S-1-5-21-9164053057-0251519115-740512186-1954\yv8g67.exe) Good: (Explorer.exe) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\services.exe (Trojan.FakeAlert.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\userini.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\RECYCLER\S-1-5-21-9164053057-0251519115-740512186-1954\yv8g67.exe (Worm.Autorun.B) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\aecq.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\DMusicq.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\drmkaudq.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\ykdktedr.sys (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\drivers\AsyncMacq.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wbem\grpconv.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Documents and Settings\Nicolas Saal\Local Settings\Temp\71108.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Nicolas Saal\Local Settings\Temp\7205.exe (Trojan.SpamBot) -> Quarantined and deleted successfully.
C:\Documents and Settings\Nicolas Saal\Local Settings\Temp\83855.exe (Trojan.SpamBot) -> Quarantined and deleted successfully.
C:\Documents and Settings\Nicolas Saal\Local Settings\Temp\8834.exe (Trojan.SpamBot) -> Quarantined and deleted successfully.
C:\Documents and Settings\Nicolas Saal\Local Settings\Temp\88571.exe (Rootkit.Rustock) -> Quarantined and deleted successfully.
C:\Documents and Settings\Nicolas Saal\Local Settings\Temp\892.exe (Trojan.Ddox) -> Quarantined and deleted successfully.
C:\Documents and Settings\Nicolas Saal\Local Settings\Temp\413.exe (Trojan.Ddox) -> Quarantined and deleted successfully.
C:\Documents and Settings\Nicolas Saal\Local Settings\Temp\416400.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Nicolas Saal\Local Settings\Temp\9234211.exe (Trojan.SpamBot) -> Quarantined and deleted successfully.
C:\Documents and Settings\Nicolas Saal\Local Settings\Temp\928527.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Nicolas Saal\Local Settings\Temp\957016.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Nicolas Saal\Local Settings\Temp\197.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Nicolas Saal\Local Settings\Temp\230.exe (Rootkit.Rustock) -> Quarantined and deleted successfully.
C:\Documents and Settings\Nicolas Saal\Local Settings\Temp\271885.exe (Trojan.SpamBot) -> Quarantined and deleted successfully.
C:\Documents and Settings\Nicolas Saal\Local Settings\Temp\367.exe (Trojan.SpamBot) -> Quarantined and deleted successfully.
C:\Documents and Settings\Nicolas Saal\Local Settings\Temp\150331.exe (Rootkit.Rustock) -> Quarantined and deleted successfully.
C:\Documents and Settings\Nicolas Saal\Local Settings\Temp\~TM10.tmp (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Documents and Settings\Nicolas Saal\Local Settings\Temp\~TM16.tmp (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Documents and Settings\Nicolas Saal\Local Settings\Temp\~TM1B.tmp (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Documents and Settings\Nicolas Saal\Local Settings\Temp\~TM1D.tmp (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Documents and Settings\Nicolas Saal\Local Settings\Temp\~TM6.tmp (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Documents and Settings\Nicolas Saal\Local Settings\Temp\~TMB.tmp (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Documents and Settings\Nicolas Saal\Local Settings\Temp\506.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Nicolas Saal\Local Settings\Temp\5155039.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Nicolas Saal\Local Settings\Temp\55339.exe (Rootkit.Rustock) -> Quarantined and deleted successfully.
C:\Documents and Settings\Nicolas Saal\Local Settings\Temp\6517.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\wpv241273735763.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\wpv271273735473.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\wpv531274083741.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\wpv841273913086.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\wpv851273735560.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\wpv921274174438.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Documents and Settings\Nicolas Saal\Local Settings\Temporary Internet Files\Content.IE5\661JNAPI\506a100510[1].exe (Trojan.SpamBot) -> Quarantined and deleted successfully.
C:\Documents and Settings\Nicolas Saal\Local Settings\Temporary Internet Files\Content.IE5\661JNAPI\506a100510[2].exe (Trojan.SpamBot) -> Quarantined and deleted successfully.
C:\Documents and Settings\Nicolas Saal\Local Settings\Temporary Internet Files\Content.IE5\661JNAPI\506a100510[3].exe (Trojan.SpamBot) -> Quarantined and deleted successfully.
C:\Documents and Settings\Nicolas Saal\Local Settings\Temporary Internet Files\Content.IE5\661JNAPI\506a100510[4].exe (Trojan.SpamBot) -> Quarantined and deleted successfully.
C:\Documents and Settings\Nicolas Saal\Local Settings\Temporary Internet Files\Content.IE5\661JNAPI\31_1[1].exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Nicolas Saal\Local Settings\Temporary Internet Files\Content.IE5\661JNAPI\31_1[2].exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Nicolas Saal\Local Settings\Temporary Internet Files\Content.IE5\661JNAPI\31_1[3].exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Nicolas Saal\Local Settings\Temporary Internet Files\Content.IE5\661JNAPI\31_1[4].exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Nicolas Saal\Local Settings\Temporary Internet Files\Content.IE5\661JNAPI\486[1].exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Documents and Settings\Nicolas Saal\Local Settings\Temporary Internet Files\Content.IE5\8NMPGX7X\2[1].exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Documents and Settings\Nicolas Saal\Local Settings\Temporary Internet Files\Content.IE5\B81B6LJ0\dewfdwq[1].exe (Trojan.Ddox) -> Quarantined and deleted successfully.
C:\Documents and Settings\Nicolas Saal\Local Settings\Temporary Internet Files\Content.IE5\CYROFL69\486[1].exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Documents and Settings\Nicolas Saal\Local Settings\Temporary Internet Files\Content.IE5\CYROFL69\1[1].exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Documents and Settings\Nicolas Saal\Local Settings\Temporary Internet Files\Content.IE5\E8NZRHKO\486[1].exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Documents and Settings\Nicolas Saal\Local Settings\Temporary Internet Files\Content.IE5\F3M90738\dddwwd[1].exe (Trojan.Ddox) -> Quarantined and deleted successfully.
C:\Documents and Settings\Nicolas Saal\Local Settings\Temporary Internet Files\Content.IE5\F3M90738\486[1].exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Documents and Settings\Nicolas Saal\Local Settings\Temporary Internet Files\Content.IE5\HOJO89KN\sec[1].exe (Trojan.SpamBot) -> Quarantined and deleted successfully.
C:\Documents and Settings\Nicolas Saal\Local Settings\Temporary Internet Files\Content.IE5\K7S1QDPS\sec[1].exe (Trojan.SpamBot) -> Quarantined and deleted successfully.
C:\Documents and Settings\Nicolas Saal\Local Settings\Temporary Internet Files\Content.IE5\K7S1QDPS\31[1].exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\Drivers\ndisvvan.sys (Rootkit.Agent) -> Delete on reboot.
C:\Documents and Settings\Nicolas Saal\Application Data\wiaservg.log (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\0.txt (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\secupdat.dat (Backdoor.Bot) -> Delete on reboot.
C:\WINDOWS\Temp\wpv491273836855.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Nicolas Saal\ctfmon.exe (Trojan.Agent) -> Delete on reboot.
C:\Documents and Settings\All Users\secupdat.dat (Worm.Autorun) -> Delete on reboot.
C:\Documents and Settings\Default User\secupdat.dat (Worm.Autorun) -> Delete on reboot.
C:\Documents and Settings\LocalService\secupdat.dat (Worm.Autorun) -> Delete on reboot.
C:\Documents and Settings\NetworkService\secupdat.dat (Worm.Autorun) -> Delete on reboot.
C:\Documents and Settings\Nicolas Saal\secupdat.dat (Worm.Autorun) -> Delete on reboot.
C:\WINDOWS\system32\config\systemprofile\secupdat.dat (Worm.Autorun) -> Delete on reboot.
C:\WINDOWS\system32\drivers\protect.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
Tetracide
Regular Member
 
Posts: 20
Joined: May 13th, 2010, 9:43 am
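As an added example (not code from this thread or from Malwarebytes), a small Python parser for the MBAM 1.x log format posted above: it groups detections by section, counts malware families, flags rootkit detections, and lists the items MBAM could only schedule for "Delete on reboot", which is why the reboot prompt must not be skipped. The embedded sample log is constructed from a few lines of the posted log; the regular expressions are an assumption inferred from that log's layout.

```python
"""Parse a Malwarebytes' Anti-Malware 1.x log and summarise what it found.

Added example; the log layout is inferred from the log posted in the thread.
"""
import re
from collections import Counter, defaultdict

# A section header looks like "Files Infected:" (no count after the colon;
# the summary block at the top of the log has "Files Infected: 73" and is
# deliberately NOT matched here).
SECTION_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected):$")

# A detection line looks like:
#   <path or registry key> (<Family.Name>) -> <action taken>.
# The item is matched non-greedily so that "(default)" inside a registry path
# is not mistaken for the family name.
DETECTION_RE = re.compile(
    r"^(?P<item>.+?) \((?P<name>[^()]+)\) -> (?P<action>.+?)\.?$"
)

# Constructed sample, assembled from a handful of lines in the posted log.
SAMPLE_LOG = r"""
Memory Processes Infected: 1
Registry Keys Infected: 1
Files Infected: 3

Memory Processes Infected:
C:\WINDOWS\system32\userini.exe (Trojan.Dropper) -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ykdktedr (Trojan.Agent) -> Delete on reboot.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Hijack.Shell) -> Bad: (C:\Documents and Settings\Nicolas Saal\ctfmon.exe,explorer.exe) Good: (Explorer.exe) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\drivers\protect.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\ykdktedr.sys (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\secupdat.dat (Backdoor.Bot) -> Delete on reboot.
"""


def parse_mbam_log(text):
    """Return {section name: [{"item", "name", "action"}, ...]}.

    Sections that report "(No malicious items detected)" are left out.
    """
    sections = defaultdict(list)
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = SECTION_RE.match(line)
        if header:
            current = header.group("section")
            continue
        if current is None or line.startswith("(No malicious items"):
            continue
        hit = DETECTION_RE.match(line)
        if hit:
            sections[current].append(hit.groupdict())
    return dict(sections)


def reboot_pending(parsed):
    """Items MBAM could not remove while Windows was running.

    These are only deleted at the next boot, so a scan that ends without a
    restart leaves them in place.
    """
    return [d["item"] for items in parsed.values() for d in items
            if d["action"].lower().startswith("delete on reboot")]


def count_by_family(parsed):
    """Number of detections per family name, e.g. {"Trojan.Agent": 2}."""
    return Counter(d["name"] for items in parsed.values() for d in items)


def rootkit_detections(parsed):
    """Items whose family name starts with "Rootkit." (kernel drivers and
    their service keys); their presence is what makes the helper's later
    advice about rebuilding the machine apply."""
    return [d["item"] for items in parsed.values() for d in items
            if d["name"].startswith("Rootkit.")]


if __name__ == "__main__":
    result = parse_mbam_log(SAMPLE_LOG)
    for section, items in result.items():
        print(f"{section}: {len(items)}")
    print("families:", dict(count_by_family(result)))
    print("rootkit:", rootkit_detections(result))
    print("still pending reboot:", reboot_pending(result))
```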

Re: Malware galore

Unread postby deltalima » May 18th, 2010, 1:45 pm

Hi Tetracide,

Rootkit

Your computer has multiple infections, including a Rootkit. A rootkit is a set of software tools intended for concealing running processes, files or system data from the operating system.

You are strongly advised to do the following:

  • Disconnect the computer from the Internet and from any networked computers until it is cleaned.
  • Back up all your important data except programs. The programs can be reinstalled back from the original disc or from the Net.
  • Call all your banks, financial institutions, credit card companies and inform them that you may be a victim of identity theft and put a watch on your accounts. If you don't mind the hassle, change all your account numbers.
  • From a clean computer, change all your passwords (ISP login password, your email address(es) passwords, financial accounts, PayPal, eBay, Amazon, online groups and forums and any other online activities you carry out which require a username and password).

DO NOT change your passwords from this computer as the attacker will be able to get all the new passwords and transaction records.

Due to its rootkit functionality, your computer is very likely to have been compromised and there is no way that it can be trusted again. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be to do a reformat and reinstallation of the operating system (OS). However, if you do not have the resources to reinstall your OS and would like me to attempt to clean your machine, I will be happy to do so.

Please let us know what you have decided to do in your next post.

If you wish to continue to clean the machine then

Upload a File to Virustotal

Please go to Virustotal

Copy/paste this file and path into the white box at the top:
C:\WINDOWS\system32\douresy.exe

Press Submit - this will submit the file for testing.
Please wait for all the scanners to finish then copy and paste the results in your next response.

Now please run a new scan with OTL and post the contents of OTL.txt along with the results from Virustotal in your next reply.
deltalima
Admin/Teacher
 
Posts: 7614
Joined: February 28th, 2009, 4:38 pm
Location: UK

Re: Malware galore

Unread postby Tetracide » May 18th, 2010, 6:03 pm

Hi Deltalima, I would like us to continue to clean my machine; however, if I disconnect it from the internet I won't be able to communicate with you. BTW there are no networked computers linked to mine. On a different note, in the past whenever I've tried to reinstall my OS it just installs a second OS instead, with the old OS still present. Do you know how I can avoid this in future?
Also, how can I avoid my computer from becoming infected again? I currently have an up-to-date McAfee antivirus.

PS: I really appreciate all your effort so far Deltalima.
The requested logs are below:


OTL logfile created on: 2010/05/18 10:55:51 PM - Run 2
OTL by OldTimer - Version 3.2.4.1 Folder = C:\Documents and Settings\Nicolas Saal\Desktop\antivirus
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.11)
Locale: 00001C09 | Country: South Africa | Language: ENS | Date Format: yyyy/MM/dd

1.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 64.00% Memory free
3.00 Gb Paging File | 3.00 Gb Available in Paging File | 86.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 73.40 Gb Total Space | 20.27 Gb Free Space | 27.61% Space Free | Partition Type: NTFS
Drive D: | 19.53 Gb Total Space | 18.96 Gb Free Space | 97.08% Space Free | Partition Type: NTFS
Drive E: | 54.99 Gb Total Space | 0.82 Gb Free Space | 1.49% Space Free | Partition Type: NTFS
Drive F: | 473.56 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
Drive G: | 2.92 Gb Total Space | 0.82 Gb Free Space | 28.02% Space Free | Partition Type: NTFS
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: NIC
Current User Name: Nicolas Saal
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Minimal

========== Processes (SafeList) ==========

PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
PRC - C:\Documents and Settings\Nicolas Saal\Desktop\antivirus\OTL.exe (OldTimer Tools)
PRC - C:\WINDOWS\system32\douresy.exe (Four-F)
PRC - C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (Google Inc.)
PRC - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe (McAfee, Inc.)
PRC - C:\Program Files\McAfee\VirusScan Enterprise\shstat.exe (McAfee, Inc.)
PRC - C:\WINDOWS\system32\mfevtps.exe (McAfee, Inc.)
PRC - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe (McAfee, Inc.)
PRC - C:\Program Files\McAfee\VirusScan Enterprise\mfeann.exe (McAfee, Inc.)
PRC - C:\Program Files\McAfee\VirusScan Enterprise\EngineServer.exe (McAfee, Inc.)
PRC - C:\Program Files\TVersity\Media Server\MediaServer.exe ()
PRC - c:\Program Files\Altera\80sp1\quartus\bin\jtagserver.exe ()
PRC - C:\Program Files\X3watch\x3watch.exe (Tiger Green Productions LLC)
PRC - C:\Program Files\McAfee\Common Framework\naPrdMgr.exe (McAfee, Inc.)
PRC - C:\Program Files\McAfee\Common Framework\UdaterUI.exe (McAfee, Inc.)
PRC - C:\Program Files\McAfee\Common Framework\FrameworkService.exe (McAfee, Inc.)
PRC - C:\Program Files\McAfee\Common Framework\Mctray.exe (McAfee, Inc.)
PRC - C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe (Sony Ericsson Mobile Communications AB)
PRC - C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder.exe (Hewlett-Packard)
PRC - C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe (Sony Ericsson Mobile Communications AB)
PRC - C:\WINDOWS\soundman.exe (Realtek Semiconductor Corp.)
PRC - C:\Program Files\Common Files\Teleca Shared\Generic.exe (Teleca Software Solutions)
PRC - C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe (Teleca Software Solutions AB)
PRC - C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe (Adobe Systems Incorporated)
PRC - C:\Program Files\K-Lite Codec Pack\Media Player Classic\mplayerc.exe (Gabest)


========== Modules (SafeList) ==========

MOD - C:\Documents and Settings\Nicolas Saal\Desktop\antivirus\OTL.exe (OldTimer Tools)
MOD - C:\WINDOWS\system32\msscript.ocx (Microsoft Corporation)


========== Win32 Services (SafeList) ==========

SRV - (McShield) -- C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe (McAfee, Inc.)
SRV - (mfevtp) -- C:\WINDOWS\system32\mfevtps.exe (McAfee, Inc.)
SRV - (McTaskManager) -- C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe (McAfee, Inc.)
SRV - (McAfeeEngineService) -- C:\Program Files\McAfee\VirusScan Enterprise\EngineServer.exe (McAfee, Inc.)
SRV - (TVersityMediaServer) -- C:\Program Files\TVersity\Media Server\MediaServer.exe ()
SRV - (JTAGServer) -- c:\Program Files\Altera\80sp1\quartus\bin\jtagserver.exe ()
SRV - (WLSetupSvc) -- C:\Program Files\Windows Live\installer\WLSetupSvc.exe (Microsoft Corporation)
SRV - (McAfeeFramework) -- C:\Program Files\McAfee\Common Framework\FrameworkService.exe (McAfee, Inc.)


========== Driver Services (SafeList) ==========

DRV - (sptd) -- C:\WINDOWS\System32\Drivers\sptd.sys ()
DRV - (mfehidk) -- C:\WINDOWS\system32\drivers\mfehidk.sys (McAfee, Inc.)
DRV - (mfeavfk) -- C:\WINDOWS\system32\drivers\mfeavfk.sys (McAfee, Inc.)
DRV - (mfeapfk) -- C:\WINDOWS\system32\drivers\mfeapfk.sys (McAfee, Inc.)
DRV - (mferkdet) -- C:\WINDOWS\system32\drivers\mferkdet.sys (McAfee, Inc.)
DRV - (mfetdik) -- C:\WINDOWS\system32\drivers\mfetdik.sys (McAfee, Inc.)
DRV - (mfebopk) -- C:\WINDOWS\system32\drivers\mfebopk.sys (McAfee, Inc.)
DRV - (Sntnlusb) -- C:\WINDOWS\system32\drivers\SNTNLUSB.SYS (Rainbow Technologies Inc.)
DRV - (Sentinel) -- C:\WINDOWS\System32\Drivers\SENTINEL.SYS (Rainbow Technologies, Inc.)
DRV - (AlteraByteBlaster) -- C:\WINDOWS\system32\drivers\pgdhdlc.sys (Altera Corporation)
DRV - (nv) -- C:\WINDOWS\system32\drivers\nv4_mini.sys (NVIDIA Corporation)
DRV - (ALCXWDM) Service for Realtek AC97 Audio (WDM) -- C:\WINDOWS\system32\drivers\alcxwdm.sys (Realtek Semiconductor Corp.)
DRV - (nvata) -- C:\WINDOWS\system32\DRIVERS\nvata.sys (NVIDIA Corporation)
DRV - (nvnetbus) -- C:\WINDOWS\system32\drivers\nvnetbus.sys (NVIDIA Corporation)
DRV - (NVENETFD) -- C:\WINDOWS\system32\drivers\NVENETFD.sys (NVIDIA Corporation)
DRV - (irsir) -- C:\WINDOWS\system32\drivers\irsir.sys (Microsoft Corporation)
DRV - (VIAPFD) -- C:\WINDOWS\System32\Drivers\VIAPFD.SYS (VIA Technologies. Inc.)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie


IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-1292428093-583907252-725345543-1004\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
IE - HKU\S-1-5-21-1292428093-583907252-725345543-1004\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = about:blank
IE - HKU\S-1-5-21-1292428093-583907252-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========


FF - HKLM\software\mozilla\Mozilla Firefox 2.0.0.18\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/03/20 22:43:35 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 2.0.0.18\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/02/23 23:10:38 | 000,000,000 | ---D | M]

[2008/09/03 19:57:49 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Nicolas Saal\Application Data\Mozilla\Firefox\Profiles\qm6jwcxp.default\extensions
[2008/09/03 19:57:57 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2008/10/04 15:24:32 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions\talkback@mozilla.org
[2008/11/15 23:01:41 | 000,067,696 | ---- | M] (Mozilla Foundation) -- C:\Program Files\Mozilla Firefox\components\jar50.dll
[2008/11/15 23:01:41 | 000,054,376 | ---- | M] (Mozilla Foundation) -- C:\Program Files\Mozilla Firefox\components\jsd3250.dll
[2008/11/15 23:01:41 | 000,034,952 | ---- | M] (Mozilla Foundation) -- C:\Program Files\Mozilla Firefox\components\myspell.dll
[2009/08/31 20:07:00 | 000,023,864 | ---- | M] (McAfee, Inc.) -- C:\Program Files\Mozilla Firefox\components\Scriptff.dll
[2008/11/15 23:01:41 | 000,046,720 | ---- | M] (Mozilla Foundation) -- C:\Program Files\Mozilla Firefox\components\spellchk.dll
[2008/11/15 23:01:42 | 000,172,144 | ---- | M] (Mozilla Foundation) -- C:\Program Files\Mozilla Firefox\components\xpinstal.dll

O1 HOSTS File: ([2001/08/23 14:00:00 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.5.4723.1820\swg.dll (Google Inc.)
O3 - HKLM\..\Toolbar: (Google Toolbar) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O3 - HKU\S-1-5-21-1292428093-583907252-725345543-1004\..\Toolbar\WebBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O4 - HKLM..\Run: [] File not found
O4 - HKLM..\Run: [Adobe Photo Downloader] C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [fuhi] C:\WINDOWS\system32\douresy.exe (Four-F)
O4 - HKLM..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe (Google)
O4 - HKLM..\Run: [KernelFaultCheck] File not found
O4 - HKLM..\Run: [McAfeeUpdaterUI] C:\Program Files\McAfee\Common Framework\UdaterUI.exe (McAfee, Inc.)
O4 - HKLM..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe (Nero AG)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] C:\WINDOWS\System32\NvMcTray.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [nwiz] C:\WINDOWS\System32\nwiz.exe ()
O4 - HKLM..\Run: [OrderReminder] C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder.exe (Hewlett-Packard)
O4 - HKLM..\Run: [RegistryMechanic] File not found
O4 - HKLM..\Run: [ShStatEXE] C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE (McAfee, Inc.)
O4 - HKLM..\Run: [Sony Ericsson PC Suite] C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe (Sony Ericsson Mobile Communications AB)
O4 - HKLM..\Run: [SoundMan] C:\WINDOWS\soundman.exe (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [x3watch] C:\Program Files\X3watch\x3watch.exe (Tiger Green Productions LLC)
O4 - HKU\S-1-5-21-1292428093-583907252-725345543-1004..\Run: [DAEMON Tools Lite] C:\Program Files\DAEMON Tools Lite\DTLite.exe File not found
O4 - HKU\S-1-5-21-1292428093-583907252-725345543-1004..\Run: [duzvqq] C:\WINDOWS\system32\m9i1za72tk.exe ()
O4 - HKU\S-1-5-21-1292428093-583907252-725345543-1004..\Run: [hdojaav] C:\WINDOWS\system32\w6ii870v.exe ()
O4 - HKU\S-1-5-21-1292428093-583907252-725345543-1004..\Run: [lmrnii] C:\WINDOWS\System32\zqg0ccxo.exe File not found
O4 - HKU\S-1-5-21-1292428093-583907252-725345543-1004..\Run: [MSConfig] C:\Documents and Settings\Nicolas Saal\kuf.exe ()
O4 - HKU\S-1-5-21-1292428093-583907252-725345543-1004..\Run: [qddzp] C:\WINDOWS\System32\vvbw1svvm.exe File not found
O4 - HKU\S-1-5-21-1292428093-583907252-725345543-1004..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (Google Inc.)
O4 - HKU\S-1-5-21-1292428093-583907252-725345543-1004..\Run: [wwridd] C:\WINDOWS\System32\p83g9c1ttkk.exe File not found
O4 - HKU\S-1-5-21-1292428093-583907252-725345543-1004..\Run: [xoojv] C:\WINDOWS\System32\6f60ccx.exe File not found
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe (Adobe Systems Incorporated)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-1292428093-583907252-725345543-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: Google Sidewiki... - C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll (Google Inc.)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/fl ... rashim.cab (Reg Error: Key error.)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/s ... wflash.cab (Shockwave Flash Object)
O16 - DPF: Microsoft XML Parser for Java file:///C:/WINDOWS/Java/classes/xmldso.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.2.1
O18 - Protocol\Handler\wlmailhtml {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - C:\Program Files\Windows Live\Mail\mailcomm.dll (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: TaskMan - (C:\Documents and Settings\Nicolas Saal\ctfmon.exe) - C:\Documents and Settings\Nicolas Saal\ctfmon.exe File not found
O20 - HKU\S-1-5-21-1292428093-583907252-725345543-1004 Winlogon: Shell - (硅汰牯牥攮數18) - File not found
O24 - Desktop WallPaper: C:\Documents and Settings\Nicolas Saal\My Documents\My Pictures\Bmps\Garenteed success.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Nicolas Saal\My Documents\My Pictures\Bmps\Garenteed success.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2008/09/03 19:04:07 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2001/08/23 14:00:00 | 000,000,110 | R--- | M] () - F:\AUTORUN.INF -- [ CDFS ]
O33 - MountPoints2\{21f67e4e-eab6-11d7-bbd8-00016ce7734d}\Shell - "" = AutoRun
O33 - MountPoints2\{21f67e4e-eab6-11d7-bbd8-00016ce7734d}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{48115364-52f2-11df-a13d-00016ce7734d}\Shell\auTOpLAY\CoMmAnD - "" = H:\puocs.exe -- File not found
O33 - MountPoints2\{48115364-52f2-11df-a13d-00016ce7734d}\Shell\AutoRun\command - "" = H:\puocs.exe -- File not found
O33 - MountPoints2\{48115364-52f2-11df-a13d-00016ce7734d}\Shell\EXPLORE\cOmmand - "" = H:\puocs.exe -- File not found
O33 - MountPoints2\{48115364-52f2-11df-a13d-00016ce7734d}\Shell\opeN\comMaND - "" = H:\puocs.exe -- File not found
O33 - MountPoints2\{48eab38a-e5f2-11d7-bbcd-00016ce7734d}\Shell - "" = AutoRun
O33 - MountPoints2\{48eab38a-e5f2-11d7-bbcd-00016ce7734d}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{8518b0e0-e163-11d7-bbc4-00016ce7734d}\Shell\AutoRun\command - "" = USBVAULT\sys.exe
O33 - MountPoints2\{8518b0e0-e163-11d7-bbc4-00016ce7734d}\Shell\explore\command - "" = USBVAULT/sys.exe
O33 - MountPoints2\{8518b0e0-e163-11d7-bbc4-00016ce7734d}\Shell\open\command - "" = USBVAULT/sys.exe
O33 - MountPoints2\{ae1165c0-9d6f-11de-a029-00016ce7734d}\Shell\AutoRun\command - "" = I:\CNN\A\Lic.exe -- File not found
O33 - MountPoints2\{ae1165c0-9d6f-11de-a029-00016ce7734d}\Shell\open\command - "" = I:\CNN\A\Lic.exe -- File not found
O33 - MountPoints2\{bbde9c6e-eda7-11d7-bbe0-00016ce7734d}\Shell - "" = AutoRun
O33 - MountPoints2\{bbde9c6e-eda7-11d7-bbe0-00016ce7734d}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{bbde9c6e-eda7-11d7-bbe0-00016ce7734d}\Shell\AutoRun\command - "" = K:\LaunchU3.exe -- File not found
O33 - MountPoints2\{bbde9c6f-eda7-11d7-bbe0-00016ce7734d}\Shell\AutoRun\command - "" = L:\ravira\ravira32.exe -- File not found
O33 - MountPoints2\{bbde9c6f-eda7-11d7-bbe0-00016ce7734d}\Shell\explore\command - "" = L:\ravira\ravira32.exe -- File not found
O33 - MountPoints2\{bbde9c6f-eda7-11d7-bbe0-00016ce7734d}\Shell\open\command - "" = L:\.\ravira\ravira32.exe -- File not found
O33 - MountPoints2\{ffbc33c1-e07a-11d7-bbc3-00016ce7734d}\Shell\AutoRun\command - "" = J:\Recycle\X-5-4-27-2345678318-4567890223-4234567884-2341\RisinG.exe -- File not found
O33 - MountPoints2\{ffbc33c1-e07a-11d7-bbc3-00016ce7734d}\Shell\open\command - "" = J:\Recycle\X-5-4-27-2345678318-4567890223-4234567884-2341\RisinG.exe -- File not found
O33 - MountPoints2\H\Shell - "" = AutoRun
O33 - MountPoints2\H\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\H\Shell\AutoRun\command - "" = H:\LaunchU3.exe -- File not found
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010/05/18 15:45:52 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Nicolas Saal\Application Data\Malwarebytes
[2010/05/18 15:45:44 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/05/18 15:45:42 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2010/05/18 15:45:41 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/05/18 15:45:41 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010/05/14 22:30:52 | 000,000,000 | ---D | C] -- C:\Program Files\Trend Micro
[2010/05/13 12:58:35 | 000,011,648 | ---- | C] (Prevx Limited, http://www.prevx1.com/) -- C:\WINDOWS\System32\drivers\pxscrmbl.sys
[2010/05/13 10:49:35 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Nicolas Saal\Desktop\antivirus
[2010/05/13 10:33:37 | 000,321,024 | ---- | C] (Four-F) -- C:\WINDOWS\System32\zottewoobi.exe
[2010/05/13 10:32:37 | 000,321,024 | ---- | C] (Four-F) -- C:\WINDOWS\System32\douresy.exe
[2010/05/12 10:10:25 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Nicolas Saal\Desktop\dsp
[2010/05/11 19:35:56 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Nicolas Saal\Desktop\NVP
[2010/05/09 17:41:41 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Nicolas Saal\My Documents\EEE4054F
[2010/05/08 11:16:45 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Nicolas Saal\Desktop\Flash A
[2010/05/05 13:50:54 | 000,000,000 | ---D | C] -- C:\Hard drive backup
[2010/04/29 20:21:47 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Nicolas Saal\My Documents\how to
[6 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[21 C:\*.tmp files -> C:\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/05/18 22:35:00 | 000,000,886 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2010/05/18 19:35:01 | 000,000,882 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2010/05/18 18:00:00 | 000,000,456 | ---- | M] () -- C:\WINDOWS\tasks\ParetoLogic Registration.job
[2010/05/18 16:29:31 | 000,050,257 | ---- | M] () -- C:\WINDOWS\System32\nvapps.xml
[2010/05/18 16:29:23 | 000,002,422 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/05/18 16:29:23 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/05/18 16:29:20 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/05/18 16:27:25 | 009,437,184 | ---- | M] () -- C:\Documents and Settings\Nicolas Saal\NTUSER.DAT
[2010/05/18 16:27:25 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\Nicolas Saal\ntuser.ini
[2010/05/18 14:50:15 | 000,000,436 | -H-- | M] () -- C:\WINDOWS\tasks\User_Feed_Synchronization-{13F77EFD-9F3E-42F6-B936-C65219B5BDFA}.job
[2010/05/18 11:16:40 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\explorer.exe
[2010/05/18 11:16:40 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
[2010/05/17 19:05:00 | 000,018,432 | -H-- | M] () -- C:\Documents and Settings\Nicolas Saal\kuf.exe
[2010/05/17 19:04:32 | 000,041,984 | RHS- | M] () -- C:\WINDOWS\System32\w6ii870v.exe
[2010/05/17 19:04:16 | 000,041,984 | RHS- | M] () -- C:\WINDOWS\System32\m9i1za72tk.exe
[2010/05/17 14:27:47 | 000,000,116 | ---- | M] () -- C:\WINDOWS\NeroDigital.ini
[2010/05/17 14:27:45 | 000,009,728 | ---- | M] () -- C:\Documents and Settings\Nicolas Saal\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/05/14 22:30:54 | 000,001,998 | ---- | M] () -- C:\Documents and Settings\Nicolas Saal\Desktop\HiJackThis.lnk
[2010/05/13 12:26:43 | 000,000,051 | ---- | M] () -- C:\WINDOWS\wininit.ini
[2010/05/13 10:32:38 | 000,321,024 | ---- | M] (Four-F) -- C:\WINDOWS\System32\zottewoobi.exe
[2010/05/13 10:32:38 | 000,321,024 | ---- | M] (Four-F) -- C:\WINDOWS\System32\douresy.exe
[2010/05/05 17:14:13 | 000,283,714 | ---- | M] () -- C:\Documents and Settings\Nicolas Saal\Desktop\mod C.rar
[2010/05/05 11:05:55 | 000,284,751 | ---- | M] () -- C:\Documents and Settings\Nicolas Saal\Desktop\tuts.zip
[2010/05/04 01:19:53 | 000,020,480 | ---- | M] () -- C:\Documents and Settings\Nicolas Saal\Desktop\Today Is The Very First Day Of The Rest Of Your Life.doc
[2010/04/30 21:09:53 | 000,329,216 | ---- | M] () -- C:\Documents and Settings\Nicolas Saal\My Documents\parlotones.doc
[2010/04/29 15:39:38 | 000,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/04/29 15:39:26 | 000,020,952 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/04/25 18:09:51 | 000,027,136 | ---- | M] () -- C:\Documents and Settings\Nicolas Saal\Desktop\PART1.doc
[6 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[21 C:\*.tmp files -> C:\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/05/17 19:05:11 | 000,041,984 | RHS- | C] () -- C:\WINDOWS\System32\m9i1za72tk.exe
[2010/05/17 19:05:01 | 000,041,984 | RHS- | C] () -- C:\WINDOWS\System32\w6ii870v.exe
[2010/05/17 19:05:00 | 000,018,432 | -H-- | C] () -- C:\Documents and Settings\Nicolas Saal\kuf.exe
[2010/05/14 22:30:54 | 000,001,998 | ---- | C] () -- C:\Documents and Settings\Nicolas Saal\Desktop\HiJackThis.lnk
[2010/05/13 10:53:36 | 000,000,051 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2010/05/05 17:14:13 | 000,283,714 | ---- | C] () -- C:\Documents and Settings\Nicolas Saal\Desktop\mod C.rar
[2010/05/05 13:51:13 | 000,284,751 | ---- | C] () -- C:\Documents and Settings\Nicolas Saal\Desktop\tuts.zip
[2010/05/04 01:19:52 | 000,020,480 | ---- | C] () -- C:\Documents and Settings\Nicolas Saal\Desktop\Today Is The Very First Day Of The Rest Of Your Life.doc
[2010/04/30 21:09:52 | 000,329,216 | ---- | C] () -- C:\Documents and Settings\Nicolas Saal\My Documents\parlotones.doc
[2010/04/26 09:25:26 | 000,027,136 | ---- | C] () -- C:\Documents and Settings\Nicolas Saal\Desktop\PART1.doc
[2010/03/15 22:27:12 | 000,691,696 | ---- | C] () -- C:\WINDOWS\System32\drivers\sptd.sys
[2009/07/28 17:20:51 | 000,106,496 | R--- | C] () -- C:\WINDOWS\System32\VSHP1018.DLL
[2008/12/04 21:37:48 | 000,000,067 | ---- | C] () -- C:\WINDOWS\AVIConverter.INI
[2008/09/06 16:30:22 | 000,000,280 | ---- | C] () -- C:\WINDOWS\System32\epoPGPsdk.dll.sig
[2008/09/04 09:18:47 | 000,157,184 | R--- | C] () -- C:\WINDOWS\System32\RtlCPAPI.dll
[2008/09/03 22:15:58 | 000,000,116 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2008/09/03 22:14:56 | 000,225,280 | ---- | C] () -- C:\WINDOWS\System32\qtmlClient.dll
[2008/09/03 22:14:50 | 001,163,264 | ---- | C] () -- C:\WINDOWS\System32\vorbis.dll
[2008/09/03 22:14:50 | 001,040,384 | ---- | C] () -- C:\WINDOWS\System32\vorbisenc.dll
[2008/09/03 22:14:50 | 000,679,936 | ---- | C] () -- C:\WINDOWS\System32\xvidcore.dll
[2008/09/03 22:14:50 | 000,421,888 | ---- | C] () -- C:\WINDOWS\System32\OpenQuicktimeLib.dll
[2008/09/03 22:14:50 | 000,237,568 | ---- | C] () -- C:\WINDOWS\System32\OggDS.dll
[2008/09/03 22:14:50 | 000,157,696 | ---- | C] () -- C:\WINDOWS\System32\unrar.dll
[2008/09/03 22:14:50 | 000,155,648 | ---- | C] () -- C:\WINDOWS\System32\xvidvfw.dll
[2008/09/03 22:14:50 | 000,077,824 | ---- | C] () -- C:\WINDOWS\System32\vorbisfile.dll
[2008/09/03 22:14:50 | 000,061,440 | ---- | C] () -- C:\WINDOWS\System32\ogg.dll
[2008/09/03 22:14:49 | 000,019,968 | ---- | C] () -- C:\WINDOWS\System32\cpuinf32.dll
[2008/09/03 21:32:05 | 000,000,164 | R--- | C] () -- C:\WINDOWS\avrack.ini
[2008/09/03 19:22:54 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2006/03/31 14:54:00 | 001,662,976 | ---- | C] () -- C:\WINDOWS\System32\nvwdmcpl.dll
[2006/03/31 14:54:00 | 001,466,368 | ---- | C] () -- C:\WINDOWS\System32\nview.dll
[2006/03/31 14:54:00 | 001,019,904 | ---- | C] () -- C:\WINDOWS\System32\nvwimg.dll
[2006/03/31 14:54:00 | 000,573,440 | ---- | C] () -- C:\WINDOWS\System32\nvhwvid.dll
[2006/03/31 14:54:00 | 000,466,944 | ---- | C] () -- C:\WINDOWS\System32\nvshell.dll
[2006/03/31 14:54:00 | 000,286,720 | ---- | C] () -- C:\WINDOWS\System32\nvnt4cpl.dll
[2006/03/31 14:54:00 | 000,098,304 | ---- | C] () -- C:\WINDOWS\System32\nvapi.dll

========== Alternate Data Streams ==========

@Alternate Data Stream - 388179 bytes -> C:\WINDOWS\Temp:temp
< End of report >


Virus Total results


File douresy.exe_ received on 2010.05.18 20:51:59 (UTC)
Current status: finished

Result: 18/41 (43.90%)


Antivirus Version Last Update Result
a-squared 4.5.0.50 2010.05.10 Trojan.Obfuscated!IK
AhnLab-V3 2010.05.18.01 2010.05.18 -
AntiVir 8.2.1.242 2010.05.18 -
Antiy-AVL 2.0.3.7 2010.05.18 -
Authentium 5.2.0.5 2010.05.18 W32/Troj_Obfusc.Q.gen!Eldorado
Avast 4.8.1351.0 2010.05.18 Win32:Bamital-T
Avast5 5.0.332.0 2010.05.18 Win32:Bamital-T
AVG 9.0.0.787 2010.05.18 Injector.OG
BitDefender 7.2 2010.05.18 Gen:Variant.Zbot.7
CAT-QuickHeal 10.00 2010.05.18 -
ClamAV 0.96.0.3-git 2010.05.18 -
Comodo 4875 2010.05.18 -
DrWeb 5.0.2.03300 2010.05.18 Trojan.WinSpy.711
eSafe 7.0.17.0 2010.05.17 -
eTrust-Vet 35.2.7497 2010.05.18 Win32/Tnega.ATS
F-Prot 4.5.1.85 2010.05.18 W32/Troj_Obfusc.Q.gen!Eldorado
F-Secure 9.0.15370.0 2010.05.18 Gen:Variant.Zbot.7
Fortinet 4.1.133.0 2010.05.18 -
GData 21 2010.05.18 Gen:Variant.Zbot.7
Ikarus T3.1.1.84.0 2010.05.18 Trojan.Obfuscated
Jiangmin 13.0.900 2010.05.18 -
Kaspersky 7.0.0.125 2010.05.18 -
McAfee 5.400.0.1158 2010.05.18 Generic Dropper.tp
McAfee-GW-Edition 2010.1 2010.05.18 -
Microsoft 1.5802 2010.05.18 -
NOD32 5125 2010.05.18 a variant of Win32/Kryptik.EIM
Norman 6.04.12 2010.05.18 -
nProtect 2010-05-18.01 2010.05.18 Gen:Variant.Zbot.7
Panda 10.0.2.7 2010.05.18 -
PCTools 7.0.3.5 2010.05.18 -
Prevx 3.0 2010.05.18 Medium Risk Malware
Rising 22.48.01.02 2010.05.18 -
Sophos 4.53.0 2010.05.18 -
Sunbelt 6318 2010.05.18 -
Symantec 20101.1.0.89 2010.05.18 -
TheHacker 6.5.2.0.281 2010.05.17 -
TrendMicro 9.120.0.1004 2010.05.18 -
TrendMicro-HouseCall 9.120.0.1004 2010.05.18 -
VBA32 3.12.12.5 2010.05.18 Trojan.Ahent.0322
ViRobot 2010.5.18.2322 2010.05.18 -
VirusBuster 5.0.27.0 2010.05.18 Trojan.DR.Vidro.Gen
Additional information
File size: 321024 bytes
MD5 : da04c7c0c766eb060ea9d633f119e3b3
SHA1 : 533dcfa374cc0ef3e6b540f65995f84706cc4a1f
SHA256: c7631a241fc1f1bb4549d39db00bb785ad661065edc7e49e2d31069a19cfb3aa
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x2860
timedatestamp.....: 0x4BE94829 (Tue May 11 14:06:01 2010)
machinetype.......: 0x14C (Intel I386)

( 5 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x20B0 0x2200 6.11 dd8568d40257d88a97c49f8cb1e0743a
.rdata 0x4000 0x408 0x600 3.71 c2ceaf116e8a4ba0e1e0a9c36e1a5888
.data 0x5000 0x4B4AA 0x4A800 6.08 546ecb8665fcefc80de302c3109311a2
.rsrc 0x51000 0xA88 0xC00 3.91 67d44a87768aab63598fb5bf89977a1f
.reloc 0x52000 0x578 0x600 3.32 a8e7e4a4efc2d0e835eca295bbbf472f

( 2 imports )

> kernel32.dll: CloseHandle, CreateIoCompletionPort, CreateThread, FindFirstFileA, GetCommandLineA, GetCurrentProcessId, GetCurrentThread, GetDateFormatA, GetLocalTime, GetProcessHeap, GetProfileStringA, GetSystemDefaultLCID, GlobalAlloc, GlobalUnlock, InitializeCriticalSection, LoadLibraryA, SetErrorMode, SetFilePointer, Sleep, WaitForSingleObject, WriteConsoleA, lstrlenA
> user32.dll: EnumChildWindows, GetForegroundWindow, GetLastActivePopup, GetParent, InsertMenuW, IntersectRect, IsWindow, IsWindowVisible, PaintDesktop, PostThreadMessageW, SendDlgItemMessageW, SendMessageW, TranslateMessage, WaitMessage

( 0 exports )

TrID : File type identification
Win32 Executable Generic (42.3%)
Win32 Dynamic Link Library (generic) (37.6%)
Generic Win/DOS Executable (9.9%)
DOS Executable Generic (9.9%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
Symantec reputation: Suspicious.Insight http://www.symantec.com/security_respon ... 23-0550-99
ssdeep: 6144:A0mzBSUwHwS3xaeltlxwP8so+4BNfdBbZ6hGQ3fqH:A0MSUwxtwMVBN6Qgy
sigcheck: publisher....: Four-F
copyright....: Copyright (c) 2002-2005 Four-F
product......: Kernel Mode Driver Manager
description..: Kernel Mode Driver Manager
original name: KmdManager.exe
internal name: KmdManager
file version.: 1.3.0.0
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned

Prevx Info: http://info.prevx.com/aboutprogramtext. ... 002F3EB325
PEiD : -
RDS : NSRL Reference Data Set
Tetracide
Regular Member
 
Posts: 20
Joined: May 13th, 2010, 9:43 am
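
As an added triage example, not code from this thread, from OTL or from the forum's helpers: the Python below parses O4 (Run key) and O33 (MountPoints2) lines in the format shown in the OTL log above and flags the entries a helper would look at first. The line grammar is inferred from that log; the rules (target missing, empty publisher field, letter-and-digit file names, executables launched from a user profile, cached removable-media commands) are this example's own heuristics, and the sample lines are constructed to match the log's format.

```python
"""Triage of OTL 'O4' (Run-key) and 'O33' (MountPoints2) lines.

Added example for this thread; it is not part of OTL or of the forum's own
tooling.  The line grammar below is inferred from the log posted above, and
the scoring rules are this example's assumptions, not OTL's logic.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: a few lines in the format of the OTL log above.
SAMPLE_LOG = r'''
O4 - HKLM..\Run: [SoundMan] C:\WINDOWS\soundman.exe (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [RegistryMechanic] File not found
O4 - HKU\S-1-5-21-1292428093-583907252-725345543-1004..\Run: [duzvqq] C:\WINDOWS\system32\m9i1za72tk.exe ()
O4 - HKU\S-1-5-21-1292428093-583907252-725345543-1004..\Run: [lmrnii] C:\WINDOWS\System32\zqg0ccxo.exe File not found
O4 - HKU\S-1-5-21-1292428093-583907252-725345543-1004..\Run: [MSConfig] C:\Documents and Settings\Nicolas Saal\kuf.exe ()
O4 - HKU\S-1-5-21-1292428093-583907252-725345543-1004..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (Google Inc.)
O33 - MountPoints2\{48115364-52f2-11df-a13d-00016ce7734d}\Shell\auTOpLAY\CoMmAnD - "" = H:\puocs.exe -- File not found
O33 - MountPoints2\{8518b0e0-e163-11d7-bbc4-00016ce7734d}\Shell\AutoRun\command - "" = USBVAULT\sys.exe
O33 - MountPoints2\H\Shell\AutoRun - "" = Auto&Play
'''

O4_RE = re.compile(r'^O4 - (?P<hive>.+?)\\Run: \[(?P<name>[^\]]*)\] (?P<rest>.*)$')
O33_RE = re.compile(r'^O33 - MountPoints2\\(?P<vol>[^\\]+)\\Shell(?P<sub>(?:\\[^\\ ]+)*) - "" = (?P<value>.*)$')
PUBLISHER_RE = re.compile(r'^(?P<path>.*?) \((?P<pub>[^()]*)\)$')
# Heuristic (assumption): 6+ alphanumerics mixing letters and digits, as in m9i1za72tk.exe.
RANDOM_STEM_RE = re.compile(r'^(?=.*\d)(?=.*[a-z])[a-z0-9]{6,}$', re.I)
MISSING = 'File not found'


def _split_target(rest: str) -> Tuple[str, Optional[str], bool]:
    """Split the text after '[name]' into (path, publisher, file_present)."""
    if rest == MISSING:
        return '', None, False
    if rest.endswith(' ' + MISSING):
        return rest[:-(len(MISSING) + 1)], None, False
    m = PUBLISHER_RE.match(rest)
    if m:
        return m.group('path'), m.group('pub'), True
    return rest, None, True


def triage_o4(line: str) -> Optional[Dict]:
    """Parse one O4 line; return None if the line is not an O4 Run entry."""
    m = O4_RE.match(line)
    if not m:
        return None
    path, publisher, present = _split_target(m.group('rest'))
    reasons = []
    if not present:
        reasons.append('target missing (dead Run entry)')
    if publisher == '':  # OTL printed '()': the binary carries no version resource
        reasons.append('no publisher/version info')
    stem = path.rsplit('\\', 1)[-1].rsplit('.', 1)[0]
    if RANDOM_STEM_RE.match(stem):
        reasons.append('random-looking file name')
    if 'documents and settings' in path.lower() and path.lower().endswith('.exe'):
        reasons.append('executable launched from a user profile')
    return {'kind': 'O4', 'name': m.group('name'), 'target': path,
            'present': present, 'reasons': reasons}


def triage_o33(line: str) -> Optional[Dict]:
    """Parse one O33 line; only '...\\command' values carry an executable target."""
    m = O33_RE.match(line)
    if not m:
        return None
    value, present = m.group('value'), True
    suffix = ' -- ' + MISSING
    if value.endswith(suffix):
        value, present = value[:-len(suffix)], False
    parts = [p for p in m.group('sub').split('\\') if p]
    reasons = []
    if parts and parts[-1].lower() == 'command':
        reasons.append('autorun/open command cached from removable media')
        if not present:
            reasons.append('target missing (stale, but still worth clearing)')
    return {'kind': 'O33', 'name': m.group('vol'), 'target': value,
            'present': present, 'reasons': reasons}


def triage(log_text: str) -> List[Dict]:
    """Return every O4/O33 entry that triggered at least one rule, in log order."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        hit = triage_o4(line) or triage_o33(line)
        if hit and hit['reasons']:
            findings.append(hit)
    return findings


if __name__ == '__main__':
    for f in triage(SAMPLE_LOG):
        print(f"{f['kind']} [{f['name']}] {f['target'] or '<none>'}: " + '; '.join(f['reasons']))
```

Run against the sample, the six flagged entries are the RegistryMechanic dead entry, the three HKU Run entries with no publisher or a letter-and-digit name, and the two MountPoints2 command values; the Realtek and Google entries pass. The heuristics are deliberately loose, so a hit is a pointer for a human reviewer, not a verdict.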

Re: Malware galore

Unread postby deltalima » May 19th, 2010, 4:17 am

Hi Tetracide,

I've tried to reinstall my OS; it just installs a second OS instead, with the old OS still present


The safest way is to reformat the drive during installation; this will remove the existing operating system and all data to give you a completely fresh install. It is important to ensure all data is backed up to other media before doing this.

Also how can I avoid my computer from becoming infected again?


I will make some recommendations once the computer is clean.

Run OTL Script

  • Double-click OTL.exe to start the program.
  • Copy and Paste the following code into the Image textbox. Do not include the word Code
    Code:
    :processes
    douresy.exe
    :otl
    O4 - HKLM\..\Run: [fuhi] C:\WINDOWS\system32\douresy.exe
    :reg
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
    "C:\WINDOWS\system32\douresy.exe" =-
    :files
    C:\WINDOWS\System32\zottewoobi.exe
    C:\WINDOWS\System32\m9i1za72tk.exe
    C:\WINDOWS\System32\w6ii870v.exe
    C:\WINDOWS\system32\douresy.exe
    
  • Then click the Run Fix button at the top.
  • Click Image.
  • OTL may ask to reboot the machine. Please do so if asked.
  • The report should appear in Notepad after the reboot. Copy and Paste that report in your next reply.
deltalima
Admin/Teacher
 
Posts: 7614
Joined: February 28th, 2009, 4:38 pm
Location: UK

Re: Malware galore

Unread postby Tetracide » May 19th, 2010, 4:38 am

Here's the report:

========== PROCESSES ==========
Process douresy.exe killed successfully!
========== OTL ==========
Registry key HKEY_LOCAL_MACHINE\\Software\Microsoft\Windows\CurrentVersion\Run not found.
C:\WINDOWS\system32\douresy.exe moved successfully.
========== REGISTRY ==========
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\WINDOWS\system32\douresy.exe deleted successfully.
========== FILES ==========
C:\WINDOWS\System32\zottewoobi.exe moved successfully.
C:\WINDOWS\System32\m9i1za72tk.exe moved successfully.
C:\WINDOWS\System32\w6ii870v.exe moved successfully.
File\Folder C:\WINDOWS\system32\douresy.exe not found.

OTL by OldTimer - Version 3.2.4.1 log created on 05192010_103739
Tetracide
Regular Member
 
Posts: 20
Joined: May 13th, 2010, 9:43 am