0

I had a problem a couple weeks back and posted on here. I never followed up though because as I was reading through here I thought I figured it out and got it all fixed. Well recently my computer started acting up again and I am starting to think that it might have something to do with my previous problem.

My computer is running very slowly and recently I was getting pop ups. It was also freezing up a lot. Here are the logs

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:49:19 PM, on 10/12/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe
C:\Program Files\Norton Internet Security\Norton Internet Security\Engine\16.7.2.11\ccSvcHst.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Sony\VAIO Event Service\VESMgr.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe
C:\Program Files\Norton Internet Security\Norton Internet Security\Engine\16.7.2.11\ccSvcHst.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzRs\VzRs.exe
C:\Program Files\Sony\ISB Utility\ISBMgr.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\da9adcdf-9bc8-48ad-8b47-b83d9f54c87f.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
C:\Program Files\Symantec\LiveUpdate\AUPDATE.EXE

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 168.94.74.68:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O1 - Hosts: ::1 localhost
O1 - Hosts: 209.44.111.57 antivguardian.com
O1 - Hosts: 209.44.111.57 www.antivguardian.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Symantec NCO BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton Internet Security\Norton Internet Security\Engine\16.7.2.11\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton Internet Security\Norton Internet Security\Engine\16.7.2.11\IPSBHO.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.3.4501.1418\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_B7C5AC242193BB3E.dll
O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Internet Security\Norton Internet Security\Engine\16.7.2.11\coIEPlg.dll
O3 - Toolbar: (no name) - {3BA0B600-4B38-43E5-B104-C6CCF4FA4E29} - (no file)
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Switcher.exe] "C:\Program Files\Sony\Wireless Switch Setting Utility\Switcher.exe"
O4 - HKLM\..\Run: [ISBMgr.exe] "C:\Program Files\Sony\ISB Utility\ISBMgr.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\da9adcdf-9bc8-48ad-8b47-b83d9f54c87f.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Transfer by Image Converter 2 - C:\Program Files\Sony\Image Converter 2\menu.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyPoker.net\partypokernet.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyPoker.net\partypokernet.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
O16 - DPF: {2E12FB00-546B-4EE3-9CC2-057BF02E1C17} (Webshots Multiple Media Uploader - Container) - http://community.webshots.com/html/atx/wsaxcontrol.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1123171086250
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1229171027328
O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo Uploader) - http://community.webshots.com/html/WSPhotoUploader.CAB
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by101fd.bay101.hotmail.msn.com/activex/HMAtchmt.ocx
O18 - Protocol: symres - {AA1061FE-6C41-421F-9344-69640C9732AB} - C:\Program Files\Norton Internet Security\Norton Internet Security\Engine\16.7.2.11\coIEPlg.dll
O20 - AppInit_DLLs: pikedahu.dll c:\windows\system32\jiwirido.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Image Converter video recording monitor for VAIO Entertainment - Sony Corporation - C:\Program Files\Sony\Image Converter 2\IcVzMon.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: Norton Internet Security - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton Internet Security\Engine\16.7.2.11\ccSvcHst.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: VAIO Entertainment Aggregation and Control Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzRs\VzRs.exe
O23 - Service: VAIO Entertainment Task Scheduler - Sony Corporation - C:\Program Files\Sony\vaio entertainment\VzTaskScheduler.exe
O23 - Service: VAIO Entertainment TV Device Arbitration Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCs\VzHardwareResourceManager\VzHardwareResourceManager.exe
O23 - Service: VAIO Event Service - Sony Corporation - C:\Program Files\Sony\VAIO Event Service\VESMgr.exe
O23 - Service: VAIO Media Integrated Server (VAIOMediaPlatform-IntegratedServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\VMISrv.exe
O23 - Service: VAIO Media Integrated Server (HTTP) (VAIOMediaPlatform-IntegratedServer-HTTP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
O23 - Service: VAIO Media Integrated Server (UPnP) (VAIOMediaPlatform-IntegratedServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
O23 - Service: VAIO Media Gateway Server (VAIOMediaPlatform-Mobile-Gateway) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\VmGateway.exe
O23 - Service: VAIO Entertainment UPnP Client Adapter (Vcsw) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: VAIO Entertainment Database Service (VzCdbSvc) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
O23 - Service: VAIO Entertainment File Import Service (VzFw) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe

--
End of file - 14459 bytes


Malwarebytes' Anti-Malware 1.41
Database version: 2949
Windows 5.1.2600 Service Pack 3

10/12/2009 7:31:40 PM
mbam-log-2009-10-12 (19-31-40).txt

Scan type: Quick Scan
Objects scanned: 108350
Time elapsed: 20 minute(s), 45 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 1
Folders Infected: 1
Files Infected: 5

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hayudekom (Trojan.Vundo.H) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
C:\Documents and Settings\All Users\Application Data\44545022 (Rogue.Multiple) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\vonomona.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\vopuvemi.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\vubebiye.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\bazoveza.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\jihaketi.exe (Trojan.Dropper) -> Quarantined and deleted successfully.


I do not know if I should do anything with the HJT scan. Should I tell it to fix those things or not? How should I proceed with my computer?

Thanks in advance

4
Contributors
40
Replies
41
Views
7 Years
Discussion Span
Last Post by PhilliePhan
0

Hmm, no responses. I guess I should also mention that I am using Windows XP. My comp will now restart on its own, but when it comes back up it has some kind of "protection" like Security tool or WPP

0

Hmm, no responses.

Sorry - It happens.
We are all volunteers with real lives to worry about + most support forums are overwhelmed with requests for help these days.....

Let's just cut to the quick and do this:
If you already have Combofix on your machine, DELETE it.

Then follow the instructions in the link below to download a fresh copy of Combofix and run it:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

What I want you to do, though, is this:
When you download it and it asks you to "Save File As," rename combofix to Combo-Fix and then download it to your Desktop as that and follow the instructions in the linky very carefully to run it and then post the combofix log for me.
Be sure to install Recovery Console (if you are able to do so) and disable any other security programs or Anti-Virus programs as per the linky before running Combofix!

Post me the log and we'll see where it leads us.

Cheers :)
PP

0

Here is the Combo-Fix log. Thanks for helping PP

ComboFix 09-10-15.01 - User 10/15/2009 17:38.2.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.502.249 [GMT -4:00]
Running from: c:\documents and settings\User\Desktop\Combo-Fix.exe
AV: Norton Internet Security *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security *disabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
c:\documents and settings\All Users\Application Data\lydiqoruky.ban
c:\documents and settings\All Users\Application Data\obosecajy.dll
c:\documents and settings\All Users\Application Data\tasit.ban
c:\documents and settings\All Users\Application Data\xyda.bin
c:\documents and settings\All Users\Documents\gasedap.vbs
c:\documents and settings\All Users\Documents\orodofe.sys
c:\documents and settings\All Users\Documents\satyhu.com
c:\documents and settings\User\Application Data\boci._dl
c:\documents and settings\User\Application Data\iniasd.txt
c:\documents and settings\User\Application Data\juligeku.dl
c:\documents and settings\User\Local Settings\Temporary Internet Files\hyqifati.com
c:\documents and settings\User\Local Settings\Temporary Internet Files\mowa.sys
c:\program files\Common Files\aragekosik._sy
c:\windows\Installer\100fd1.msp
c:\windows\Installer\105462c5.msp
c:\windows\Installer\10b25dea.msp
c:\windows\Installer\10fb799d.msp
c:\windows\Installer\1107e1e.msp
c:\windows\Installer\110f5af.msp
c:\windows\Installer\1124762a.msp
c:\windows\Installer\112c2c78.msp
c:\windows\Installer\117b5e56.msp
c:\windows\Installer\11808ec4.msp
c:\windows\Installer\1180c2d4.msp
c:\windows\Installer\1181a861.msp
c:\windows\Installer\11832a7d.msp
c:\windows\Installer\11910fae.msp
c:\windows\Installer\11d6f694.msp
c:\windows\Installer\11d7bef4.msp
c:\windows\Installer\11de18.msp
c:\windows\Installer\1242fea5.msp
c:\windows\Installer\126c5a1b.msp
c:\windows\Installer\12a7bbf3.msp
c:\windows\Installer\1302942d.msp
c:\windows\Installer\132b766c.msp
c:\windows\Installer\138c8c5e.msp
c:\windows\Installer\13b2137c.msp
c:\windows\Installer\13cb4c07.msp
c:\windows\Installer\13e02b98.msp
c:\windows\Installer\13e29bdc.msp
c:\windows\Installer\144ff729.msp
c:\windows\Installer\148f7281.msp
c:\windows\Installer\14904b9b.msp
c:\windows\Installer\1490cd4e.msp
c:\windows\Installer\1491ab89.msp
c:\windows\Installer\14926a06.msp
c:\windows\Installer\1522f93a.msp
c:\windows\Installer\157ac983.msp
c:\windows\Installer\1621e7cd.msp
c:\windows\Installer\16a6ad8c.msp
c:\windows\Installer\16a74c0e.msp
c:\windows\Installer\16a8d917.msp
c:\windows\Installer\16a99041.msp
c:\windows\Installer\16b7b6a1.msp
c:\windows\Installer\16fe01ee.msp
c:\windows\Installer\17445b2.msp
c:\windows\Installer\1769c361.msp
c:\windows\Installer\179310fd.msp
c:\windows\Installer\179a222.msp
c:\windows\Installer\17cd6cfe.msp
c:\windows\Installer\17fcbc.msp
c:\windows\Installer\182963e6.msp
c:\windows\Installer\183ce80.msp
c:\windows\Installer\1851a6f7.msp
c:\windows\Installer\1886a8e.msp
c:\windows\Installer\18b2d071.msp
c:\windows\Installer\18d89b9c.msp
c:\windows\Installer\18e3e3ac.msp
c:\windows\Installer\18f21036.msp
c:\windows\Installer\1909acc5.msp
c:\windows\Installer\197438b5.msp
c:\windows\Installer\198882a.msp
c:\windows\Installer\1988867.msp
c:\windows\Installer\1994cf1.msp
c:\windows\Installer\199ce2.msp
c:\windows\Installer\19b698b6.msp
c:\windows\Installer\19b7056b.msp
c:\windows\Installer\19b893db.msp
c:\windows\Installer\1a49552a.msp
c:\windows\Installer\1aa1368b.msp
c:\windows\Installer\1b4849f7.msp
c:\windows\Installer\1bcda7fe.msp
c:\windows\Installer\1bcdca6b.msp
c:\windows\Installer\1bd063e2.msp
c:\windows\Installer\1c21de58.msp
c:\windows\Installer\1c24632e.msp
c:\windows\Installer\1c4badd.msp
c:\windows\Installer\1c579a9.msp
c:\windows\Installer\1c7ca7e.msp
c:\windows\Installer\1c8fa8ca.msp
c:\windows\Installer\1cc011b.msp
c:\windows\Installer\1cf3e04e.msp
c:\windows\Installer\1d90aa.msp
c:\windows\Installer\1e18225c.msp
c:\windows\Installer\1e31a416.msp
c:\windows\Installer\1e40b48.msp
c:\windows\Installer\1e51f87.msp
c:\windows\Installer\1e6a2d2b.msp
c:\windows\Installer\1edd1212.msp
c:\windows\Installer\1edd635f.msp
c:\windows\Installer\1ede8f4c.msp
c:\windows\Installer\1edf363a.msp
c:\windows\Installer\1f6fe2d9.msp
c:\windows\Installer\1f85c3.msp
c:\windows\Installer\1fb1fb52.msp
c:\windows\Installer\1fc7950b.msp
c:\windows\Installer\20090cc.msp
c:\windows\Installer\206eada8.msp
c:\windows\Installer\20d54bd.msp
c:\windows\Installer\20d8a816.msp
c:\windows\Installer\20d8ac1.msp
c:\windows\Installer\20e4c3d.msp
c:\windows\Installer\20ee6c2b.msp
c:\windows\Installer\20f38a1b.msp
c:\windows\Installer\20f452da.msp
c:\windows\Installer\20f68e91.msp
c:\windows\Installer\20ff818.msp
c:\windows\Installer\210aa4d7.msp
c:\windows\Installer\2119a03.msp
c:\windows\Installer\21485f35.msp
c:\windows\Installer\214ad314.msp
c:\windows\Installer\21b673a1.msp
c:\windows\Installer\21e12c0.msp
c:\windows\Installer\2208580b.msp
c:\windows\Installer\221a3f1d.msp
c:\windows\Installer\23251a3d.msp
c:\windows\Installer\2355ad1d.msp
c:\windows\Installer\2373ae0.msp
c:\windows\Installer\2373b1d.msp
c:\windows\Installer\23a02f26.msp
c:\windows\Installer\2403213a.msp
c:\windows\Installer\240332bf.msp
c:\windows\Installer\2404c759.msp
c:\windows\Installer\248a484.msp
c:\windows\Installer\24eea99d.msp
c:\windows\Installer\2524cfeb.msp
c:\windows\Installer\25953dd7.msp
c:\windows\Installer\2614ceb3.msp
c:\windows\Installer\261a3600.msp
c:\windows\Installer\261b501b.msp
c:\windows\Installer\261d515a.msp
c:\windows\Installer\263c75b.msp
c:\windows\Installer\264a4da.msp
c:\windows\Installer\266ed15d.msp
c:\windows\Installer\2740ef77.msp
c:\windows\Installer\279de3da.msp
c:\windows\Installer\27c5ee3.msp
c:\windows\Installer\284b9c24.msp
c:\windows\Installer\287bd57a.msp
c:\windows\Installer\28b5872.msp
c:\windows\Installer\2929752c.msp
c:\windows\Installer\292a15c1.msp
c:\windows\Installer\292b712b.msp
c:\windows\Installer\2961caae.msp
c:\windows\Installer\2b40facc.msp
c:\windows\Installer\2b422ded.msp
c:\windows\Installer\2b432d1e.msp
c:\windows\Installer\2b6127e.msp
c:\windows\Installer\2b67bf6.msp
c:\windows\Installer\2b82b6ec.msp
c:\windows\Installer\2b94d3d3.msp
c:\windows\Installer\2cc4100f.msp
c:\windows\Installer\2d05ab4.msp
c:\windows\Installer\2d71df3d.msp
c:\windows\Installer\2da25399.msp
c:\windows\Installer\2e2a36e.msp
c:\windows\Installer\2e2a3ab.msp
c:\windows\Installer\2e2a3e8.msp
c:\windows\Installer\2e4fde6a.msp
c:\windows\Installer\2e5071f0.msp
c:\windows\Installer\2e54c01c.msp
c:\windows\Installer\2f719588.msp
c:\windows\Installer\2f915a5.msp
c:\windows\Installer\30673078.msp
c:\windows\Installer\30bb3ded.msp
c:\windows\Installer\30e7a64.msp
c:\windows\Installer\30f751f.msp
c:\windows\Installer\31eaa715.msp
c:\windows\Installer\32284b3.msp
c:\windows\Installer\32c8fc71.msp
c:\windows\Installer\3340ab9.msp
c:\windows\Installer\3376514e.msp
c:\windows\Installer\3376d0af.msp
c:\windows\Installer\33783f91.msp
c:\windows\Installer\342be65.msp
c:\windows\Installer\358d79fa.msp
c:\windows\Installer\35d302c.msp
c:\windows\Installer\35e19e81.msp
c:\windows\Installer\35fb4c7a.msp
c:\windows\Installer\361ce5c.msp
c:\windows\Installer\372a66f.msp
c:\windows\Installer\37ef8b87.msp
c:\windows\Installer\389c966a.msp
c:\windows\Installer\389cf498.msp
c:\windows\Installer\389f6c7d.msp
c:\windows\Installer\38d5e95.msp
c:\windows\Installer\38e6799.msp
c:\windows\Installer\38f736b.msp
c:\windows\Installer\391c23d.msp
c:\windows\Installer\392ca47.msp
c:\windows\Installer\394501c.msp
c:\windows\Installer\39ebcdd8.msp
c:\windows\Installer\39f7542.msp
c:\windows\Installer\3ab3fe13.msp
c:\windows\Installer\3afa8ee5.msp
c:\windows\Installer\3b0829ce.msp
c:\windows\Installer\3b25688f.msp
c:\windows\Installer\3b812e5.msp
c:\windows\Installer\3c0a1.msp
c:\windows\Installer\3ce561a7.msp
c:\windows\Installer\3d159c26.msp
c:\windows\Installer\3dc30595.msp
c:\windows\Installer\3dc409a7.msp
c:\windows\Installer\3dcff0b.msp
c:\windows\Installer\3dd317e6.msp
c:\windows\Installer\3e70ae.msp
c:\windows\Installer\3ee4d8f4.msp
c:\windows\Installer\3fdb7fd6.msp
c:\windows\Installer\402e7a54.msp
c:\windows\Installer\41985bc.msp
c:\windows\Installer\420ba4fe.msp
c:\windows\Installer\4218094.msp
c:\windows\Installer\423bf70d.msp
c:\windows\Installer\42e9d0aa.msp
c:\windows\Installer\42f12fdf.msp
c:\windows\Installer\438d5497.msp
c:\windows\Installer\43f2812.msp
c:\windows\Installer\440b01a0.msp
c:\windows\Installer\4444d96c.msp
c:\windows\Installer\445a5434.msp
c:\windows\Installer\44b55f26.msp
c:\windows\Installer\45009f3f.msp
c:\windows\Installer\457d92d.msp
c:\windows\Installer\4582ccc.msp
c:\windows\Installer\4596fcb.msp
c:\windows\Installer\46d070d.msp
c:\windows\Installer\46f12fa.msp
c:\windows\Installer\46f7c53.msp
c:\windows\Installer\4731f277.msp
c:\windows\Installer\47625ec5.msp
c:\windows\Installer\4778e.msp
c:\windows\Installer\480fb4cb.msp
c:\windows\Installer\481009ff.msp
c:\windows\Installer\49317bf5.msp
c:\windows\Installer\4a272e27.msp
c:\windows\Installer\4aaed5e.msp
c:\windows\Installer\4c583477.msp
c:\windows\Installer\4cf62.msp
c:\windows\Installer\4d344a24.msp
c:\windows\Installer\4d357e4f.msp
c:\windows\Installer\4e57ba8a.msp
c:\windows\Installer\4f78c72f.msp
c:\windows\Installer\50e77e9.msp
c:\windows\Installer\519b22d.msp
c:\windows\Installer\51acf17.msp
c:\windows\Installer\51b5e09.msp
c:\windows\Installer\51d1463.msp
c:\windows\Installer\51d45f3.msp
c:\windows\Installer\51dfc81.msp
c:\windows\Installer\51eadb1.msp
c:\windows\Installer\525c9f64.msp
c:\windows\Installer\5473b478.msp
c:\windows\Installer\549f7a67.msp
c:\windows\Installer\55060c17.msp
c:\windows\Installer\56019.msp
c:\windows\Installer\5601a.msp
c:\windows\Installer\578213d2.msp
c:\windows\Installer\58f50fcf.msp
c:\windows\Installer\599a37f5.msp
c:\windows\Installer\59c5b93a.msp
c:\windows\Installer\59ca2c73.msp
c:\windows\Installer\5afbdad.msp
c:\windows\Installer\5b2899e.msp
c:\windows\Installer\5bcb0.msp
c:\windows\Installer\5dca9986.msp
c:\windows\Installer\5ec07dfc.msp
c:\windows\Installer\5eed0b62.msp
c:\windows\Installer\60044e9.msp
c:\windows\Installer\632c5fd.msp
c:\windows\Installer\63e6d49d.msp
c:\windows\Installer\6413fdf4.msp
c:\windows\Installer\690d7c0e.msp
c:\windows\Installer\693a9596.msp
c:\windows\Installer\69ab653.msp
c:\windows\Installer\6b06ea1.msp
c:\windows\Installer\6bfceaa.msp
c:\windows\Installer\6d07b650.msp
c:\windows\Installer\6e33f673.msp
c:\windows\Installer\6e60ebd9.msp
c:\windows\Installer\6ea8f00.msp
c:\windows\Installer\6ebe1af.msp
c:\windows\Installer\6ef042c.msp
c:\windows\Installer\6f069b8.msp
c:\windows\Installer\70a513f.msp
c:\windows\Installer\728d3.msp
c:\windows\Installer\72e932b.msp
c:\windows\Installer\733b958.msp
c:\windows\Installer\733fb92.msp
c:\windows\Installer\7349820.msp
c:\windows\Installer\735a9911.msp
c:\windows\Installer\736758a.msp
c:\windows\Installer\73872f21.msp
c:\windows\Installer\7446c01.msp
c:\windows\Installer\746da.msp
c:\windows\Installer\76b8141.msp
c:\windows\Installer\78a209c.msp
c:\windows\Installer\78abf1e.msp
c:\windows\Installer\78adc898.msp
c:\windows\Installer\7a29da7.msp
c:\windows\Installer\7a2ef32.msp
c:\windows\Installer\7d85c.msp
c:\windows\Installer\7f62fc1.msp
c:\windows\Installer\80c5d.msp
c:\windows\Installer\80ea50c.msp
c:\windows\Installer\81f8702.msp
c:\windows\Installer\83519f5.msp
c:\windows\Installer\83b1d.msp
c:\windows\Installer\8490979.msp
c:\windows\Installer\85a514d.msp
c:\windows\Installer\869263c.msp
c:\windows\Installer\88362ab.msp
c:\windows\Installer\890ee.msp
c:\windows\Installer\89671c.msp
c:\windows\Installer\8b581e8.msp
c:\windows\Installer\8b68a7e.msp
c:\windows\Installer\8ba34d9.msp
c:\windows\Installer\8c359d.msp
c:\windows\Installer\8de73d7.msp
c:\windows\Installer\9033c58.msp
c:\windows\Installer\90786.msp
c:\windows\Installer\93f89f7.msp
c:\windows\Installer\94794cd.msp
c:\windows\Installer\9654b20.msp
c:\windows\Installer\97f683f.msp
c:\windows\Installer\9866a.msp
c:\windows\Installer\9936649.msp
c:\windows\Installer\9955cba.msp
c:\windows\Installer\995c558.msp
c:\windows\Installer\9d7e5.msp
c:\windows\Installer\9dd168b.msp
c:\windows\Installer\9ed6be1.msp
c:\windows\Installer\a41ba09.msp
c:\windows\Installer\a435be1.msp
c:\windows\Installer\a43a3f6.msp
c:\windows\Installer\a44eafd.msp
c:\windows\Installer\a468f66.msp
c:\windows\Installer\a4a37.msp
c:\windows\Installer\a9b35.msp
c:\windows\Installer\a9bb9b5.msp
c:\windows\Installer\aa509.msp
c:\windows\Installer\ad628c0.msp
c:\windows\Installer\ae6efeb.msp
c:\windows\Installer\ae6f028.msp
c:\windows\Installer\bc301b0.msp
c:\windows\Installer\bd51a41.msp
c:\windows\Installer\bf16f.msp
c:\windows\Installer\c10447f.msp
c:\windows\Installer\c10b79b.msp
c:\windows\Installer\c123a92.msp
c:\windows\Installer\c154292.msp
c:\windows\Installer\c312d2d.msp
c:\windows\Installer\c552520.msp
c:\windows\Installer\c5a609a.msp
c:\windows\Installer\c5af103.msp
c:\windows\Installer\c5b85b1.msp
c:\windows\Installer\c5cb632.msp
c:\windows\Installer\c6ac755.msp
c:\windows\Installer\c85217d.msp
c:\windows\Installer\c9c3fa.msp
c:\windows\Installer\cb08026.msp
c:\windows\Installer\cb11a82.msp
c:\windows\Installer\cc345.msp
c:\windows\Installer\cc99654.msp
c:\windows\Installer\d1ca1ca.msp
c:\windows\Installer\d37d9.msp
c:\windows\Installer\d45ff63.msp
c:\windows\Installer\d5b6cec.msp
c:\windows\Installer\d80e823.msp
c:\windows\Installer\da3fb4.msp
c:\windows\Installer\da9cad0.msp
c:\windows\Installer\ddd97dc.msp
c:\windows\Installer\e04c99d.msp
c:\windows\Installer\e1364c.msp
c:\windows\Installer\e172d.msp
c:\windows\Installer\e29c91c.msp
c:\windows\Installer\e57ef.msp
c:\windows\Installer\e5928.msp
c:\windows\Installer\e660101.msp
c:\windows\Installer\e8baf8c.msp
c:\windows\Installer\e98f0.msp
c:\windows\Installer\ea4e5e5.msp
c:\windows\Installer\eb9d005.msp
c:\windows\Installer\ebbde92.msp
c:\windows\Installer\ebc5662.msp
c:\windows\Installer\eeaf8.msp
c:\windows\Installer\f1f9df8.msp
c:\windows\Installer\f683e03.msp
c:\windows\Installer\f69c03e.msp
c:\windows\Installer\f6aa5cc.msp
c:\windows\Installer\f6b38f3.msp
c:\windows\Installer\f6b6785.msp
c:\windows\Installer\ffcea12.msp
c:\windows\qikihykoxo.ban
c:\windows\sajyridyw.inf
c:\windows\setup.exe
c:\windows\system32\_003052_.tmp.dll
c:\windows\system32\_003053_.tmp.dll
c:\windows\system32\_003054_.tmp.dll
c:\windows\system32\_003055_.tmp.dll
c:\windows\system32\_003062_.tmp.dll
c:\windows\system32\_003063_.tmp.dll
c:\windows\system32\_003064_.tmp.dll
c:\windows\system32\_003065_.tmp.dll
c:\windows\system32\_003067_.tmp.dll
c:\windows\system32\_003068_.tmp.dll
c:\windows\system32\_003071_.tmp.dll
c:\windows\system32\_003072_.tmp.dll
c:\windows\system32\_003074_.tmp.dll
c:\windows\system32\_003075_.tmp.dll
c:\windows\system32\_003076_.tmp.dll
c:\windows\system32\_003078_.tmp.dll
c:\windows\system32\_003079_.tmp.dll
c:\windows\system32\_003081_.tmp.dll
c:\windows\system32\_003082_.tmp.dll
c:\windows\system32\_003086_.tmp.dll
c:\windows\system32\_003087_.tmp.dll
c:\windows\system32\_003089_.tmp.dll
c:\windows\system32\_003091_.tmp.dll
c:\windows\system32\_003092_.tmp.dll
c:\windows\system32\_003094_.tmp.dll
c:\windows\system32\_003095_.tmp.dll
c:\windows\system32\_003096_.tmp.dll
c:\windows\system32\_003097_.tmp.dll
c:\windows\system32\_003098_.tmp.dll
c:\windows\system32\_003101_.tmp.dll
c:\windows\system32\_003102_.tmp.dll
c:\windows\system32\_003103_.tmp.dll
c:\windows\system32\_003104_.tmp.dll
c:\windows\system32\_003105_.tmp.dll
c:\windows\system32\_003110_.tmp.dll
c:\windows\system32\_003112_.tmp.dll
c:\windows\system32\_003113_.tmp.dll
c:\windows\system32\fewudilu.dll
c:\windows\system32\genaleleti.inf
c:\windows\system32\ghNXyccf.ini
c:\windows\system32\ghNXyccf.ini2
c:\windows\system32\images\i1.gif
c:\windows\system32\images\i2.gif
c:\windows\system32\images\i3.gif
c:\windows\system32\images\j1.gif
c:\windows\system32\images\j2.gif
c:\windows\system32\images\j3.gif
c:\windows\system32\images\jj1.gif
c:\windows\system32\images\jj2.gif
c:\windows\system32\images\jj3.gif
c:\windows\system32\images\l1.gif
c:\windows\system32\images\l2.gif
c:\windows\system32\images\l3.gif
c:\windows\system32\images\pix.gif
c:\windows\system32\images\t1.gif
c:\windows\system32\images\t2.gif
c:\windows\system32\images\up1.gif
c:\windows\system32\images\up2.gif
c:\windows\system32\images\w1.gif
c:\windows\system32\images\w11.gif
c:\windows\system32\images\w2.gif
c:\windows\system32\images\w3.gif
c:\windows\system32\images\w3.jpg
c:\windows\system32\images\wt1.gif
c:\windows\system32\images\wt2.gif
c:\windows\system32\images\wt3.gif
c:\windows\system32\qawogor.ban
c:\windows\udasi.pif

-- Previous Run --

c:\windows\system32\grpconv.exe was missing
Restored copy from - c:\windows\ServicePackFiles\i386\grpconv.exe

c:\windows\system32\proquota.exe was missing
Restored copy from - c:\windows\ServicePackFiles\i386\proquota.exe

--------

.
((((((((((((((((((((((((( Files Created from 2009-09-15 to 2009-10-15 )))))))))))))))))))))))))))))))
.

2009-10-15 21:21 . 2009-10-15 21:21 -------- d-----w- c:\windows\LastGood
2009-10-15 20:50 . 2008-04-14 00:12 50176 -c--a-w- c:\windows\system32\dllcache\proquota.exe
2009-10-15 20:50 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\proquota.exe
2009-10-15 20:50 . 2008-04-14 00:12 39424 -c--a-w- c:\windows\system32\dllcache\grpconv.exe
2009-10-15 20:50 . 2008-04-14 00:12 39424 ----a-w- c:\windows\system32\grpconv.exe
2009-10-15 17:28 . 2008-04-13 17:36 42368 ----a-w- c:\windows\system32\drivers\agp440.sys
2009-10-15 14:27 . 2009-10-15 14:27 11439 ----a-w- c:\windows\yhipi.com
2009-10-15 14:27 . 2009-10-15 14:27 19898 ----a-w- c:\windows\system32\efiqap.dat
2009-10-15 14:27 . 2009-10-15 14:27 19068 ----a-w- c:\windows\system32\serutok.com
2009-10-14 23:10 . 2009-10-14 23:10 9216 ----a-w- C:\svhkapw.exe
2009-10-12 23:44 . 2009-10-12 23:44 -------- d-----w- c:\program files\Trend Micro
2009-10-12 23:07 . 2009-09-10 18:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-12 23:07 . 2009-09-10 18:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-12 23:07 . 2009-10-12 23:08 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-09-30 20:05 . 2008-04-13 17:36 42368 -c--a-w- c:\windows\system32\dllcache\agp440.sys
2009-09-29 14:55 . 2009-09-29 14:55 -------- d-----w- c:\documents and settings\User\Application Data\Amazon
2009-09-29 14:49 . 2009-09-29 14:49 -------- d-----w- c:\program files\Amazon
2009-09-22 17:29 . 2009-09-22 17:29 33420 ---ha-w- c:\windows\system32\mlfcache.dat
2009-09-22 14:28 . 2009-09-22 14:30 -------- d-----w- c:\program files\iTunes
2009-09-22 14:28 . 2009-09-22 14:30 -------- d-----w- c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2009-09-22 14:21 . 2009-09-22 14:23 -------- d-----w- c:\program files\QuickTime
2009-09-21 20:10 . 2009-09-21 20:10 -------- d-----w- c:\documents and settings\User\Application Data\Malwarebytes
2009-09-21 20:10 . 2009-09-21 20:10 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-15 20:04 . 2009-01-12 21:59 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-10-15 14:27 . 2009-10-15 14:27 12228 ----a-w- c:\program files\Common Files\vinyfilube.lib
2009-10-15 14:25 . 2008-08-21 13:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-10-12 21:59 . 2005-08-23 22:00 -------- d-----w- c:\program files\AIM
2009-10-12 21:59 . 2005-10-02 20:34 -------- d-----w- c:\documents and settings\User\Application Data\Aim
2009-10-12 21:58 . 2007-01-22 21:55 -------- d-----w- c:\program files\Common Files\AOL
2009-10-12 21:58 . 2007-01-22 21:57 -------- d-----w- c:\documents and settings\All Users\Application Data\AOL
2009-09-29 14:55 . 2005-08-05 20:37 -------- d-----w- c:\documents and settings\LocalService\Application Data\Sony Corporation
2009-09-22 17:28 . 2005-08-24 19:16 -------- d-----w- c:\documents and settings\User\Application Data\Apple Computer
2009-09-22 14:29 . 2005-10-14 14:49 -------- d-----w- c:\program files\iPod
2009-09-22 14:29 . 2007-09-11 20:41 -------- d-----w- c:\program files\Common Files\Apple
2009-08-19 02:02 . 2005-08-04 16:33 -------- d-----w- c:\program files\Symantec
2009-08-19 02:02 . 2007-08-07 20:54 806 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2009-08-19 02:02 . 2007-08-07 20:54 7456 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2009-08-19 02:02 . 2005-08-04 16:33 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
2009-08-19 02:02 . 2005-08-04 16:33 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2009-08-18 19:11 . 2009-03-22 13:38 36400 ----a-r- c:\windows\system32\drivers\SymIM.sys
2009-08-05 09:01 . 2005-03-09 19:19 204800 ----a-w- c:\windows\system32\mswebdvd.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-10-15_20.58.03 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-10-15 21:29 . 2009-10-15 21:29 16384 c:\windows\Temp\Perflib_Perfdata_d60.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-17 68856]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\da9adcdf-9bc8-48ad-8b47-b83d9f54c87f.exe" [2009-08-03 1830128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-02-17 5406720]
"Switcher.exe"="c:\program files\Sony\Wireless Switch Setting Utility\Switcher.exe" [2005-01-21 167936]
"ISBMgr.exe"="c:\program files\Sony\ISB Utility\ISBMgr.exe" [2004-02-20 32768]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-02-23 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-02-23 126976]
"osCheck"="c:\program files\Norton Internet Security\osCheck.exe" [2007-06-26 771440]
"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-11-29 583048]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-01-29 185896]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-09-05 417792]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-21 00:48 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\VESWinlogon]
2005-01-18 20:48 73728 ----a-w- c:\windows\system32\VESWinlogon.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA.sys]
@="FSFilter Activity Monitor"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Image Zone Fast Start.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Image Zone Fast Start.lnk
backup=c:\windows\pss\HP Image Zone Fast Start.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Picture Package Menu.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Picture Package Menu.lnk
backup=c:\windows\pss\Picture Package Menu.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Picture Package VCD Maker.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Picture Package VCD Maker.lnk
backup=c:\windows\pss\Picture Package VCD Maker.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Service Manager.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Service Manager.lnk
backup=c:\windows\pss\Service Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^User^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=c:\documents and settings\User\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=c:\windows\pss\Adobe Gamma.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^User^Start Menu^Programs^Startup^PictureGear Studio Media Watcher.lnk]
path=c:\documents and settings\User\Start Menu\Programs\Startup\PictureGear Studio Media Watcher.lnk
backup=c:\windows\pss\PictureGear Studio Media Watcher.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NIS\1007020.00B\SymEFA.sys [9/9/2009 4:50 PM 310320]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\NIS\1007020.00B\BHDrvx86.sys [9/9/2009 4:50 PM 259632]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\NIS\1007020.00B\cchpx86.sys [9/9/2009 4:45 PM 482432]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [12/22/2008 12:06 PM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [12/22/2008 12:05 PM 74480]
R2 MSSQL$VAIO_VEDB;MSSQL$VAIO_VEDB;c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe -sVAIO_VEDB --> c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe -sVAIO_VEDB [?]
R2 Norton Internet Security;Norton Internet Security;c:\program files\Norton Internet Security\Norton Internet Security\Engine\16.7.2.11\ccSvcHst.exe [9/9/2009 4:47 PM 117640]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [1/11/2007 10:00 AM 24652]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [9/5/2009 1:07 PM 102448]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [12/22/2008 12:06 PM 7408]
S1 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090916.003\IDSXpx86.sys [9/16/2009 6:26 PM 329080]
S3 SQLAgent$VAIO_VEDB;SQLAgent$VAIO_VEDB;c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlagent.EXE -i VAIO_VEDB --> c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlagent.EXE -i VAIO_VEDB [?]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - COMHOST
*NewlyCreated* - SASDIFSV
.
Contents of the 'Scheduled Tasks' folder

2009-10-14 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 16:34]

2009-10-15 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-02-15 20:48]

2005-08-04 c:\windows\Tasks\Registration reminder 1.job
- c:\windows\system32\OOBE\oobebaln.exe [2005-03-09 00:12]

2005-08-04 c:\windows\Tasks\Registration reminder 2.job
- c:\windows\system32\OOBE\oobebaln.exe [2005-03-09 00:12]

2007-10-31 c:\windows\Tasks\WebReg officejet 7200 series.job
- c:\program files\HP\Digital Imaging\bin\hpqwrg.exe [2004-11-05 21:45]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.aol.com/?ncid=customie8
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyServer = 168.94.74.68:8080
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
IE: Transfer by Image Converter 2 - c:\program files\Sony\Image Converter 2\menu.htm
.
- - - - ORPHANS REMOVED - - - -

Toolbar-{3BA0B600-4B38-43E5-B104-C6CCF4FA4E29} - (no file)
WebBrowser-{3BA0B600-4B38-43E5-B104-C6CCF4FA4E29} - (no file)
AddRemove-SymSetupTemp.{C1C185CA-C531-49F5-A6FA-B838405A049D} - c:\program files\Common Files\Symantec Shared\SymSetup\{C1C185CA-C531-49F5-A6FA-B838405A049D}_15_5_0_23\Setup.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-15 17:51
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Norton Internet Security]
"ImagePath"="\"c:\program files\Norton Internet Security\Norton Internet Security\Engine\16.7.2.11\ccSvcHst.exe\" /s \"Norton Internet Security\" /m \"c:\program files\Norton Internet Security\Norton Internet Security\Engine\16.7.2.11\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
@DACL=(02 0000)
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
@DACL=(02 0000)
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
@DACL=(02 0000)
"Installed"="1"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1252)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
c:\windows\system32\VESWinlogon.dll

- - - - - - - > 'explorer.exe'(2416)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\mshtml.dll
c:\windows\system32\msls31.dll
c:\windows\IME\SPGRMR.DLL
c:\program files\Common Files\Microsoft Shared\INK\SKCHUI.DLL
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-10-15 17:57
ComboFix-quarantined-files.txt 2009-10-15 21:55

Pre-Run: 27,734,335,488 bytes free
Post-Run: 27,696,414,720 bytes free

695 --- E O F --- 2009-09-20 18:11

0

Let's check these out:

c:\windows\yhipi.com
c:\windows\system32\efiqap.dat
c:\windows\system32\serutok.com
C:\svhkapw.exe
c:\windows\system32\mlfcache.dat

Go here ---> and use the Browse Button at the top of the page to navigate to each of those items and and Submit them for analysis.
If any come back as malware - and I imagine a few will - just Delete them.

Let me know how that shakes out.

PP :)

Edited by PhilliePhan: The Usual...

0

just a quick one..try to download Malware Bytes.. and scan your system.. check if it will help.. :)

0

PP the only one that came up with malware was the svhkapw. I did delete it. The last one, the mlfcache I could not find in my system32 folder. Why would that be?

Cguan I do have malware bytes downloaded and i did post a log in this thread already.

0

PP the only one that came up with malware was the svhkapw. I did delete it. The last one, the mlfcache I could not find in my system32 folder. Why would that be?

My bad - that's a hidden file. You'll need to enable the viewing of hidden files to find that one.

-- Let me know what you find. I am curious about that one.....

How are things working now?

PP :)

0

ohhh..so sorry i thought you don't have it..is your malware bytes updated? and did you perform quick scan or full scan? update first then do a full scan..if you got thumbdrives or other usb storage and you use it frequently in your pc..most probably it's infected..insert it and include that in your full scan..

or you can try this: http://housecall.trendmicro.com/

0

PP the only one that came up with malware was the svhkapw. I did delete it. The last one, the mlfcache I could not find in my system32 folder. Why would that be? if you know the path for mlfcache..try going to safe mode..then go to command prompt..then at command prompt type: del mlfcache*.*
if you don't know the path go to your root directory like c:\ then type: dir mlfcache /s /a.. it will search for that file in your drive whether it's hidden or not..then if you find it navigate to that directory then delete it..type del mlfcache*.*

but if you're sure that it's in the system32 folder..at command prompt navigate to that folder then type: dir mlcache*.* /a check whether it's their or not..

Goodluck!

0

Well that last hidden file showed no malware.

My computer was running fine yesterday then this morning it would not let me access the internet. Then after running SAS and cleaning some stuff out it restarted and worked. It seems like every other it runs well.

How should I precede from here?

I appreciate everyones help with this

0

Just a quick update. I updated my Windows and now I have WPP, Security Tool, and one other similar virus. Also, MBAM will no longer work but SAS will so I am using that to remove some of the virus' and will get that new combofix scan done some time tonight or tomorrow.

0

Bojo, WPP uses rootkits to replace the trojans usually at reboot. Untill the rootkit is killed you will be deleting the same trojans back and forth, it's unfortunate that Mb-am doesn't run because I don't know if there are other anti malware programs that are as effective as MB?

But one things for sure you will need to follow PP's instructions step by step until this is taken care of or it will just get worse. Try to do ONLY the things he advises and if you want to do anything else ask him if it wouldn't affect the progress he is trying to achieve.

0

Okay well now I have basically no control over my computer. I cannot even open taskmngr. When I try it says it has been disabled by the admin, which is not true. When I try to open any program another pop up occurs. I cannot afford to lose some of the stuff on my comp either.

0

Oh and it does not let me start in safe mode either. Is my comp basically toast?

0

Oh and it does not let me start in safe mode either. Is my comp basically toast?

Not quite yet . . . We really didn't get to finish up from before and a lot can happen in 4 days.

-- Are you able to run your existing combofix? Try that. Post the log if you can run it.

-- Are you posting from the ill computer?

Let me know.


If combofix won't run:

Please download FindWPP.zip and RightClick on FindWPP.zip and Extract the FindWPP folder to your Desktop.
-- Inside the folder, you'll see RunThis.bat - DoubleClick it and let it run for as long as it takes.
A log should pop up - please post that for me.


PP :)

Edited by PhilliePhan: n/a

0

I am not posting from the ill computer. I tried to run the combo fix and it is asking for the program I would like to open it with. So I tried to go online and dl the findwpp.zip but it will no longer connect to the internet.

0

I am not posting from the ill computer. I tried to run the combo fix and it is asking for the program I would like to open it with. So I tried to go online and dl the findwpp.zip but it will no longer connect to the internet.

-- Do you have a flash drive?

-- Can you get a command prompt on ill machine?
START > RUN > type cmd > OK
or
START > RUN > type command.com > OK

-- Can you RightClick on combofix and Run As administrator?

If not, and you can get a command prompt, type this at the prompt:
%userprofile%\desktop\combo-fix.exe /KillAll ENTER

If you followed my last set of instructions regarding downloading a fresh combofix and did not rename it that time, then remove the dash in combofix for the command.

Please post me the log, if it runs.

PP :)

Edited by PhilliePhan: n/a

0

Just want to make sure before I type all that out. When I type CMD in a screen pops up and I type this after C:\Documents and Settings\User>

Oh and I cannot run it as right click run as admin

0

I also forgot to answer your question about the flash drive. I do not have one but will get one if need be

0

When I type CMD in a screen pops up and I type this after C:\Documents and Settings\User>

Right - that is your command prompt. Just type in the command carefully - make sure all spaces and quotes are included - and hit ENTER.
If you get error messages, let me know.

I also forgot to answer your question about the flash drive. I do not have one but will get one if need be

If we are unable to get your existing combofix to run, you'll need a flash drive to transfer other tools onto the ill machine.

Let me know if combofix runs. Make sure it is still on desktop and that the name matches the command (combofix.exe or combo-fix.exe)

PP :)

0

After typing that all in and hitting enter i got back

'C:\Documents' is not recognized as an internal or external command, operable program or batch file.

0

After typing that all in and hitting enter i got back

'C:\Documents' is not recognized as an internal or external command, operable program or batch file.

Hit START > Run > type cmd > OK
At the prompt, type cd /? and hit enter.

What happens?

0

I long paragraph came up about wanting to change to the parent directory. It goes through how to switch to what drives. Do you need me to retype all of this or do you know what we are looking for?

0

I long paragraph came up about wanting to change to the parent directory. It goes through how to switch to what drives. Do you need me to retype all of this or do you know what we are looking for?

No - just checking that prompt was working properly.
Often I have to use command.com (the DOS shell) because this malware blocks cmd.exe (the native shell).

Do this at the prompt:

Type cd %userprofile%\desktop ENTER

Then Type combo-fix.exe /KillAll ENTER

If combofix runs, post the log.

PP:)

0

Combo-fix seems to be running. My only concern is how to get the log from one comp to the other. All the other comps in my house are Macs, will this be a problem?

0

Combo-fix seems to be running. My only concern is how to get the log from one comp to the other. All the other comps in my house are Macs, will this be a problem?

That's a good question - last time I used a Mac was fifteen years ago.... :)
-- I know there used to be issues with .txt conversion.
Perhaps save the log as .doc or .rtf if it has issues with .txt?

After combofix runs you'll likely be able to get the ill compy back online and that would simplify things a bit....

PP :)

0

Okay my computer restarted. I don't remember it doing that the first time I ran Combo-fix. It actually will not boot. It just keeps restarting. It asks if I want it to start in safe mode should I try that. When I was watching the screen it said it was deleting some files but I assumed they were malware it was deleting

0

Just tried to get it started in safe mode , but I got the blue screen.

This topic has been dead for over six months. Start a new discussion instead.
Have something to contribute to this discussion? Please be thoughtful, detailed and courteous, and be sure to adhere to our posting rules.