Tech Support Forum > Security Center > Virus/Trojan/Spyware Help
10-20-2009, 08:27 PM   #1
Registered User
 
Join Date: Oct 2009
Posts: 23
OS: Vista


PopUp Problems

So lately I've noticed an abnormally high amount of popups that will randomly appear no matter what sites I visit. Popups to sites like go211, ads for antivirus software which I have never heard of, and a never-ending cascade of windows leading to nexplore, and stuff like that. I've also noticed suspicious activity in my ProgramData folder. There are empty folders with names like lelimafu, jiwirido, tutepega, and deluguba (all created within the last few days) along with a file named fanogigi (which says it was created mid-July and modified a couple of days ago). The folders are multiplying too, the longer I have my computer on. Roughly 25 total at the moment; I deleted some several days ago, although I probably shouldn't have.

--
I ran DDS, all went fine. But when I ran GMER, apparently my computer unexpectedly restarted (I wasn't around to see it happen, I was off elsewhere and came back to the welcome screen, logged in, and found a Windows report thing which said "Problem Event Name: BlueScreen" along with some other file locations and numbers.)

I will post the required text below and attach the "attach" file without the "ark" file because I never got one as a result of the restart. I can also post the data from the restart report screen if you would like.

Thanks a million


DDS (Ver_09-10-13.01) - NTFSx86
Run by Sam at 18:16:19.80 on Tue 10/20/2009
Internet Explorer: 7.0.6000.16916
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.2045.994 [GMT -5:00]

AV: PC-cillin Internet Security - Virus Protection *On-access scanning enabled* (Updated) {7D2296BC-32CC-4519-917E-52E652474AF5}
SP: PC-cillin Internet Security - Spyware Protection *enabled* (Updated) {003DD9A8-02A6-43CF-81BA-5D403CAD001E}
SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
FW: PC-cillin Internet Security - Firewall *enabled* {3E790E9E-6A5D-4303-A7F9-185EC20F3EB6}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Windows\sttray.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\Trend Micro\Internet Security 14\pccguide.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Adobe\Photoshop Elements 5.0\apdproxy.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Users\Sam\AppData\Local\Google\Update\GoogleUpdate.exe
C:\Users\Sam\AppData\Roaming\Octoshape\Octoshape Streaming Services\OctoshapeClient.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Sierra\Planner\PLNRnote.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\PnkBstrA.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\STacSV.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\System32\rundll32.exe
C:\Users\Sam\AppData\Local\Google\Update\1.2.183.7\GoogleCrashHandler.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Windows\system32\svchost.exe -k SDRSVC
C:\Windows\System32\mobsync.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\Sam\Downloads\dds.scr
C:\Windows\system32\DllHost.exe
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=4070130
uWindow Title = Internet Explorer provided by Dell
uDefault_Page_URL = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=4070130
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: AOLTBSearch Class: {ea756889-2338-43db-8f07-d1ca6fb9c90d} - c:\program files\aol\aim toolbar 5.0\aoltb.dll
mURLSearchHooks: AOLTBSearch Class: {ea756889-2338-43db-8f07-d1ca6fb9c90d} - c:\program files\aol\aim toolbar 5.0\aoltb.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\progra~1\skype\phone\ieplugin\SKYPEI~1.DLL
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0\bin\ssv.dll
BHO: AOL Toolbar Launcher: {7c554162-8cb7-45a4-b8f4-8ea1c75885f9} - c:\program files\aol\aim toolbar 5.0\aoltb.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.3.4501.1418\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\bae\BAE.dll
TB: AIM Toolbar: {de9c389f-3316-41a7-809b-aa305ed9d922} - c:\program files\aol\aim toolbar 5.0\aoltb.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe
uRun: [DellSupport] "c:\program files\dellsupport\DSAgnt.exe" /startup
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [MsnMsgr] "c:\program files\windows live\messenger\MsnMsgr.Exe" /background
uRun: [Aim6]
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [Google Update] "c:\users\sam\appdata\local\google\update\GoogleUpdate.exe" /c
uRun: [Octoshape Streaming Services] "c:\users\sam\appdata\roaming\octoshape\octoshape streaming services\OctoshapeClient.exe" -inv:bootrun
uRun: [yozuwuguno] Rundll32.exe "c:\programdata\lelimafu\lelimafu.dll",s
uRun: [82375025] c:\programdata\82375025\82375025.exe
uRun: [bumikikig] Rundll32.exe "c:\progra~2\ziyiwori\ziyiwori.dll",a
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [SigmatelSysTrayApp] sttray.exe
mRun: [IAAnotif] "c:\program files\intel\intel matrix storage manager\Iaanotif.exe"
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [<NO NAME>]
mRun: [pccguide.exe] "c:\program files\trend micro\internet security 14\pccguide.exe"
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [ECenter] c:\dell\e-center\EULALauncher.exe
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [Adobe Photo Downloader] "c:\program files\adobe\photoshop elements 5.0\apdproxy.exe"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [QuickTime Plugin Install] c:\program files\quicktime\plugins\DeleteMe1.exe
mRun: [NvSvc] RUNDLL32.EXE c:\windows\system32\nvsvc.dll,nvsvcStart
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
mRun: [ISUSPM] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler
mRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
StartupFolder: c:\users\sam\appdata\roaming\micros~1\windows\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\users\sam\appdata\roaming\micros~1\windows\startm~1\programs\startup\pictur~1.lnk - c:\program files\sony\sony picture utility\volumewatcher\SPUVolumeWatcher.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\eventp~1.lnk - c:\program files\sierra\planner\PLNRnote.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
IE: &AIM Search - c:\program files\aol\aim toolbar 5.0\resources\en-us\local\search.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0\bin\npjpi160.dll
IE: {3369AF0D-62E9-4bda-8103-B4C75499B578} - {DE9C389F-3316-41A7-809B-AA305ED9D922} - c:\program files\aol\aim toolbar 5.0\aoltb.dll
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\progra~1\skype\phone\ieplugin\SKYPEI~1.DLL
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
Trusted Zone: turbotax.com
DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} - hxxp://www.systemrequirementslab.com/sysreqlab2.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
AppInit_DLLs: c:\progra~1\google\google~1\GOEC62~1.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\users\sam\appdata\roaming\mozilla\firefox\profiles\49ueiim4.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.aol.com/aolcom/search?invocationType=tbff50ie7&query=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - prefs.js: keyword.URL - hxxp://search.aol.com/aolcom/search?invocationType=TB50TRFF;homepage=no;search=yesab&query=
FF - component: c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
FF - component: c:\users\sam\appdata\roaming\mozilla\firefox\profiles\49ueiim4.default\extensions\{463f6ca5-ee3c-4be1-b7e6-7fee11953374}\platform\winnt\components\FoxyTunes.dll
FF - component: c:\users\sam\appdata\roaming\mozilla\firefox\profiles\49ueiim4.default\extensions\piclens@cooliris.com\components\cooliris.dll
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\google\update\1.2.133.37\npGoogleOneClick7.dll
FF - plugin: c:\program files\google\update\1.2.145.5\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\java\jre1.6.0\bin\npjava11.dll
FF - plugin: c:\program files\java\jre1.6.0\bin\npjava12.dll
FF - plugin: c:\program files\java\jre1.6.0\bin\npjava13.dll
FF - plugin: c:\program files\java\jre1.6.0\bin\npjava14.dll
FF - plugin: c:\program files\java\jre1.6.0\bin\npjava32.dll
FF - plugin: c:\program files\java\jre1.6.0\bin\npjpi160.dll
FF - plugin: c:\program files\java\jre1.6.0\bin\npoji610.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npGoogleGadgetPluginFirefoxWin.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npmusicn.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - plugin: c:\program files\virtual earth 3d\npVE3D.dll
FF - plugin: c:\programdata\nexonus\ngm\npNxGameUS.dll
FF - plugin: c:\users\sam\appdata\local\google\update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\users\sam\appdata\roaming\move networks\plugins\npqmp071504000001.dll
FF - plugin: c:\users\sam\appdata\roaming\mozilla\firefox\profiles\49ueiim4.default\extensions\battlefieldheroespatcher@ea.com\platform\winnt_x86-msvc\plugins\npBFHUpdater.dll
FF - plugin: c:\users\sam\appdata\roaming\mozilla\firefox\profiles\49ueiim4.default\extensions\piclens@cooliris.com\plugins\npcoolirisplugin.dll
FF - plugin: c:\users\sam\appdata\roaming\mozilla\plugins\npoctoshape.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

============= SERVICES / DRIVERS ===============

R2 BcmSqlStartupSvc;Business Contact Manager SQL Server Startup Service;c:\program files\microsoft small business\business contact manager\BcmSqlStartupSvc.exe [2008-1-11 30312]
R2 Tmntsrv;Trend Micro Real-time Service;c:\progra~1\trendm~1\intern~1\Tmntsrv.exe [2006-9-25 345696]
R2 TmPfw;Trend Micro Personal Firewall;c:\progra~1\trendm~1\intern~1\TmPfw.exe [2006-9-25 923216]
R2 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [2007-1-29 36368]
R2 tmproxy;Trend Micro Proxy Service;c:\progra~1\trendm~1\intern~1\tmproxy.exe [2006-9-25 566872]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2007-10-23 24652]
R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\drivers\TM_CFW.sys [2007-1-29 280392]
S2 gupdate1c987293b338ea4;Google Update Service (gupdate1c987293b338ea4);c:\program files\google\update\GoogleUpdate.exe [2009-2-4 133104]
S3 GoogleDesktopManager-061008-081103;Google Desktop Manager 5.7.806.10245;c:\program files\google\google desktop search\GoogleDesktop.exe [2007-1-29 29744]
S3 MSSQL$MSSMLBIZ;SQL Server (MSSMLBIZ);c:\program files\microsoft sql server\mssql.1\mssql\binn\sqlservr.exe [2009-5-27 29262680]

=============== Created Last 30 ================

2009-10-20 18:11 <DIR> --d----- c:\programdata\ziyiwori
2009-10-20 18:11 <DIR> --d----- c:\programdata\rotapote
2009-10-20 18:11 <DIR> --d----- c:\programdata\jiwirido
2009-10-20 18:11 <DIR> --d----- c:\progra~2\ziyiwori
2009-10-20 18:11 <DIR> --d----- c:\progra~2\rotapote
2009-10-20 18:11 <DIR> --d----- c:\progra~2\jiwirido
2009-10-20 17:11 <DIR> --d----- c:\programdata\nirotona
2009-10-20 17:11 <DIR> --d----- c:\programdata\lobofenu
2009-10-20 17:11 <DIR> --d----- c:\programdata\feretizi
2009-10-20 17:11 <DIR> --d----- c:\progra~2\nirotona
2009-10-20 17:11 <DIR> --d----- c:\progra~2\lobofenu
2009-10-20 17:11 <DIR> --d----- c:\progra~2\feretizi
2009-10-16 23:46 <DIR> --d----- c:\programdata\wumugaka
2009-10-16 23:46 <DIR> --d----- c:\programdata\topipega
2009-10-16 23:46 <DIR> --d----- c:\programdata\fufugose
2009-10-16 23:46 <DIR> --d----- c:\progra~2\wumugaka
2009-10-16 23:46 <DIR> --d----- c:\progra~2\topipega
2009-10-16 23:46 <DIR> --d----- c:\progra~2\fufugose
2009-10-16 23:45 <DIR> --d----- c:\programdata\wojifoge
2009-10-16 23:45 <DIR> --d----- c:\programdata\relipasi
2009-10-16 23:45 <DIR> --d----- c:\programdata\bojolene
2009-10-16 23:45 <DIR> --d----- c:\progra~2\wojifoge
2009-10-16 23:45 <DIR> --d----- c:\progra~2\relipasi
2009-10-16 23:45 <DIR> --d----- c:\progra~2\bojolene
2009-10-16 11:51 <DIR> --d----- c:\windows\SQL9_KB970892_ENU
2009-10-16 11:45 <DIR> --d----- c:\programdata\magohupa
2009-10-16 11:45 <DIR> --d----- c:\progra~2\magohupa
2009-10-15 19:30 <DIR> --d----- c:\users\sam\appdata\roaming\Malwarebytes
2009-10-15 19:29 <DIR> --d----- c:\programdata\Malwarebytes
2009-10-15 19:29 <DIR> --d----- c:\progra~2\Malwarebytes
2009-10-15 13:32 <DIR> --d----- c:\programdata\tutepega
2009-10-15 13:32 <DIR> --d----- c:\progra~2\tutepega
2009-10-15 09:03 1,244,672 a------- c:\windows\system32\mcmde.dll
2009-10-15 09:03 57,856 a------- c:\windows\system32\MSDvbNP.ax
2009-10-15 09:03 80,896 a------- c:\windows\system32\MSNP.ax
2009-10-15 09:03 177,152 a------- c:\windows\system32\mpg2splt.ax
2009-10-15 09:03 68,608 a------- c:\windows\system32\Mpeg2Data.ax
2009-10-15 09:03 130,048 a------- c:\windows\system32\drivers\srv2.sys
2009-10-15 09:03 604,672 a------- c:\windows\system32\WMSPDMOD.DLL
2009-10-14 12:54 <DIR> --d----- c:\programdata\lelimafu
2009-10-14 12:54 <DIR> --d----- c:\progra~2\lelimafu

==================== Find3M ====================

2009-09-15 19:11 143,360 a------- c:\windows\inf\infstrng.dat
2009-09-15 19:11 86,016 a------- c:\windows\inf\infstor.dat
2009-09-15 19:11 86,016 a------- c:\windows\inf\infpub.dat
2009-09-10 12:38 216,576 a------- c:\windows\system32\msv1_0.dll
2009-09-05 14:59 138,168 a------- c:\windows\system32\drivers\PnkBstrK.sys
2009-09-05 14:58 189,472 a------- c:\windows\system32\PnkBstrB.exe
2009-09-04 07:38 60,928 a------- c:\windows\system32\msasn1.dll
2009-08-31 10:21 292,352 a------- c:\windows\system32\psisdecd.dll
2009-08-31 10:16 428,032 a------- c:\windows\system32\EncDec.dll
2009-08-28 22:41 1,686,528 a------- c:\windows\system32\gameux.dll
2009-08-28 22:40 28,672 a------- c:\windows\system32\Apphlpdm.dll
2009-08-28 22:40 449,024 a------- c:\windows\apppatch\AcSpecfc.dll
2009-08-28 22:40 173,056 a------- c:\windows\apppatch\AcXtrnal.dll
2009-08-28 22:40 2,143,744 a------- c:\windows\apppatch\AcGenral.dll
2009-08-28 22:40 537,600 a------- c:\windows\apppatch\AcLayers.dll
2009-08-28 19:42 2,065,696 a------- c:\windows\system32\usbaaplrc.dll
2009-08-28 19:42 40,448 a------- c:\windows\system32\drivers\usbaapl.sys
2009-08-28 18:31 4,247,552 a------- c:\windows\system32\GameUXLegacyGDFs.dll
2009-08-28 18:15 2,560 a------- c:\windows\apppatch\AcRes.dll
2009-08-27 09:02 832,512 a------- c:\windows\system32\wininet.dll
2009-08-27 08:57 56,320 a------- c:\windows\system32\iesetup.dll
2009-08-27 08:57 78,336 a------- c:\windows\system32\ieencode.dll
2009-08-27 08:57 52,736 a------- c:\windows\apppatch\iebrshim.dll
2009-08-27 08:56 72,704 a------- c:\windows\system32\admparse.dll
2009-08-27 06:24 26,624 a------- c:\windows\system32\ieUnatt.exe
2009-08-27 04:51 48,128 a------- c:\windows\system32\mshtmler.dll
2009-08-17 23:33 1,193,832 a------- c:\windows\system32\FM20.DLL
2009-08-14 11:42 167,424 a------- c:\windows\system32\tcpipcfg.dll
2009-08-14 11:40 103,936 a------- c:\windows\system32\netiohlp.dll
2009-08-14 11:40 15,360 a------- c:\windows\system32\netevent.dll
2009-08-14 09:25 9,728 a------- c:\windows\system32\TCPSVCS.EXE
2009-08-14 09:25 17,920 a------- c:\windows\system32\ROUTE.EXE
2009-08-14 09:25 11,264 a------- c:\windows\system32\MRINFO.EXE
2009-08-14 09:25 27,136 a------- c:\windows\system32\NETSTAT.EXE
2009-08-14 09:25 19,968 a------- c:\windows\system32\ARP.EXE
2009-08-14 09:25 10,240 a------- c:\windows\system32\finger.exe
2009-08-14 09:25 8,704 a------- c:\windows\system32\HOSTNAME.EXE
2009-08-14 09:23 22,016 a------- c:\windows\system32\netiougc.exe
2009-08-07 19:51 15,308,424 a------- c:\windows\system32\xlive.dll
2009-08-07 19:51 13,642,888 a------- c:\windows\system32\xlivefnt.dll
2009-08-05 09:28 3,502,152 a------- c:\windows\system32\ntkrnlpa.exe
2009-08-05 09:28 3,467,864 a------- c:\windows\system32\ntoskrnl.exe
2009-07-01 00:03 139,152 a------- c:\users\sam\appdata\roaming\PnkBstrK.sys
2008-12-11 19:03 350 a--sh--- c:\program files\desktop.ini
2008-11-06 19:36 30 a------- c:\users\sam\jagex_runescape_preferences.dat
2008-06-11 13:52 665,600 a------- c:\windows\inf\drvindex.dat
2006-11-02 07:56 1,741 a------- c:\program files\Sound Recorder.lnk
2006-11-02 07:54 1,699 a------- c:\program files\Notepad.lnk
2006-11-02 07:42 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 07:42 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 07:42 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 07:42 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 04:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 04:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 04:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 04:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat
2007-04-16 11:07 16,384 a--sh--- c:\windows\serviceprofiles\localservice\appdata\local\microsoft\windows\history\history.ie5\index.dat
2007-04-16 11:07 32,768 a--sh--- c:\windows\serviceprofiles\localservice\appdata\local\microsoft\windows\temporary internet files\content.ie5\index.dat
2007-04-16 11:07 16,384 a--sh--- c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\windows\cookies\index.dat
2007-01-30 01:36 8,192 a--sh--- c:\windows\users\default\NTUSER.DAT

============= FINISH: 18:17:44.06 ===============
Attached Files
File Type: zip Attach.zip (3.2 KB, 0 views)
Zoopboing is offline  

10-23-2009, 08:36 PM   #2
Registered User
 
Join Date: Oct 2009
Posts: 23
OS: Vista


Re: PopUp Problems

Bump, please.
Zoopboing is offline  
10-24-2009, 12:36 AM   #3
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 26,970
OS: WinXP and Vista


Re: PopUp Problems

Hello Zoopboing,

I'd like to see if we can get a log from gmer. Please run gmer.exe again, but use the following configuration:

In the right panel, you will see several boxes that have been checked. Uncheck the following ... (this is a bit different from our pre-posting topic instructions)
  • Devices
  • Sections
  • IAT/EAT
  • Drives/Partition other than Systemdrive (typically C:\)
  • Then click the Scan button & wait for it to finish.
  • Once done click on the [Save..] button, and in the File name area, type in "ark.txt" or it will save as a .log file which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop

**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.



Please attach the ark.txt in your next reply
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Ried is offline  
10-28-2009, 05:22 PM   #4
Registered User
 
Join Date: Oct 2009
Posts: 23
OS: Vista


Re: PopUp Problems

Well, to start off, I had found SecurityTool on my computer this past weekend. I promptly removed it according to these (http://www.bleepingcomputer.com/viru...-security-tool) directions. No instances of it anymore.

But when I try and run GMER, it says that there are no problems. And when I attempt to save the log, it's a blank file. I unchecked all the boxes specified in the previous post, and I saved it as instructed.

Also, now when I boot up, I get a window that says something like lelimafu.dll or gubavara.dll cannot be found. So I'm assuming there are supposed to be files in the folders that keep spawning. And my Trend Micro PC-Cillin security software will not run.
Zoopboing is offline  
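Added example, not a tool from this thread and not code from either poster: a small triage script for lines in the DDS log format posted in the first post. It flags the pattern that log shows (Run values that hand a DLL in an eight-letter pseudo-random folder under ProgramData to Rundll32 with a one-letter export, and directories of the same shape in the "Created Last 30" section), and a second function reports Run values whose target file is gone, which is the usual cause of a "<name>.dll cannot be found" dialog at logon once a DLL has been deleted but the Run value pointing at it has not. The sample lines are copied from the thread's own log; `PRESENT_FILES` is a constructed stand-in for a real directory listing, and the regexes and thresholds are the example's own assumptions about the format.

```python
"""Triage helper for DDS-style logs (added example; not a tool from this thread)."""
import re
from dataclasses import dataclass

# Sample lines copied from the DDS log posted in this thread.
SAMPLE_DDS = r"""
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe
uRun: [yozuwuguno] Rundll32.exe "c:\programdata\lelimafu\lelimafu.dll",s
uRun: [82375025] c:\programdata\82375025\82375025.exe
uRun: [bumikikig] Rundll32.exe "c:\progra~2\ziyiwori\ziyiwori.dll",a
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [<NO NAME>]
2009-10-20 18:11 <DIR> --d----- c:\programdata\ziyiwori
2009-10-20 18:11 <DIR> --d----- c:\progra~2\ziyiwori
2009-10-15 19:29 <DIR> --d----- c:\programdata\Malwarebytes
2009-10-15 09:03 130,048 a------- c:\windows\system32\drivers\srv2.sys
"""

# Constructed stand-in for a directory listing taken after a partial clean-up:
# the two pseudo-random DLLs are gone, the Run values pointing at them are not.
PRESENT_FILES = [
    r"c:\program files\windows sidebar\sidebar.exe",
    r"c:\programdata\82375025\82375025.exe",
    r"c:\windows\system32\NvCpl.dll",
]

RUN_RE = re.compile(r"^[um]Run:\s+\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
DIR_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}\s+<DIR>\s+\S+\s+(?P<path>.+)$")
PD_ROOT_RE = re.compile(r"^c:\\programdata\\(?P<leaf>[^\\]+)")
RANDOM_LEAF_RE = re.compile(r"^[a-z]{8}$")          # lelimafu, ziyiwori, ...
EXPORT_RE = re.compile(r'\.dll"?,\s*(?P<export>\w+)\s*$', re.I)


@dataclass(frozen=True)
class Finding:
    kind: str        # "autorun" or "directory"
    label: str       # Run value name, or the directory path
    target: str      # normalised file or directory path
    reasons: tuple   # why it was flagged


def normalize_path(path: str) -> str:
    """Lower-case and expand the 8.3 alias DDS prints for ProgramData on Vista."""
    path = path.strip().strip('"').lower()
    return path.replace("c:\\progra~2\\", "c:\\programdata\\")


def extract_target(cmd: str) -> str:
    """Best-effort: the file a Run value actually loads or executes."""
    cmd = cmd.strip()
    m = re.match(r'^rundll32(?:\.exe)?\s+(?:"([^"]+)"|([^,\s]+))', cmd, re.I)
    if m:
        return normalize_path(m.group(1) or m.group(2))
    m = re.match(r'^"([^"]+)"', cmd) or re.match(r"^(.+?\.(?:exe|dll|scr))(?:\s|,|$)", cmd, re.I)
    return normalize_path(m.group(1)) if m else ""


def triage_dds(text: str) -> list:
    """Return the autorun entries and directories that fit the suspicious pattern."""
    findings, seen_dirs = [], set()
    for line in text.splitlines():
        run = RUN_RE.match(line)
        if run:
            target = extract_target(run.group("cmd"))
            reasons = []
            pd = PD_ROOT_RE.match(target)
            if pd:
                reasons.append("autorun target lives under ProgramData")
                if RANDOM_LEAF_RE.match(pd.group("leaf")):
                    reasons.append("8-letter pseudo-random folder name")
            export = EXPORT_RE.search(run.group("cmd"))
            if export and len(export.group("export")) == 1:
                reasons.append("Rundll32 calls a one-letter export")
            if reasons:
                findings.append(Finding("autorun", run.group("name"), target, tuple(reasons)))
            continue
        d = DIR_RE.match(line)
        if d:
            path = normalize_path(d.group("path"))
            pd = PD_ROOT_RE.match(path)
            if pd and RANDOM_LEAF_RE.match(pd.group("leaf")) and path not in seen_dirs:
                seen_dirs.add(path)
                findings.append(Finding("directory", path, path,
                                        ("8-letter pseudo-random folder under ProgramData",)))
    return findings


def orphaned_autoruns(text: str, present_files) -> list:
    """Names of Run values whose target file is missing from present_files."""
    present = {normalize_path(p) for p in present_files}
    orphans = []
    for line in text.splitlines():
        run = RUN_RE.match(line)
        if run:
            target = extract_target(run.group("cmd"))
            if target and target not in present:
                orphans.append(run.group("name"))
    return orphans


if __name__ == "__main__":
    for f in triage_dds(SAMPLE_DDS):
        print(f"{f.kind:9} {f.label:12} {f.target}  <- {'; '.join(f.reasons)}")
    print("Run values whose target is missing:", orphaned_autoruns(SAMPLE_DDS, PRESENT_FILES))
```

On the sample above the script flags the three Run values and the ziyiwori directory, and reports yozuwuguno and bumikikig as Run values whose DLL is no longer on disk. The flags are triage hints, not verdicts: legitimate software does occasionally run from ProgramData, so a hit is a reason to look at the file, not a reason to delete it.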
10-28-2009, 10:13 PM   #5
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 26,970
OS: WinXP and Vista


Re: PopUp Problems

Hi Zoopboing,

The infection wasn't completely removed and that's why you're still having problems.

Download ComboFix from one of these locations:

Link 1
Link 2


* IMPORTANT- Save ComboFix.exe to your Desktop

====================================================


Disable your AntiVirus and AntiSpyware applications as they will interfere with our tools and the removal.


====================================================


Double click on combofix.exe & follow the prompts.


When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply for further review.

Also, you mentioned Trend Micro won't run. Tell me exactly what happens when you try to run it.
Ried is offline  
10-29-2009, 03:00 PM   #6
Registered User
 
Join Date: Oct 2009
Posts: 23
OS: Vista


Re: PopUp Problems

As for Trend Micro: when I click into it through my desktop shortcut or programs list, it says it needs admin approval to run the file, and the small icon in my quick launch in the bottom right corner always says loading.

Here's ComboFix.



ComboFix 09-10-28.08 - Sam 10/29/2009 15:43.1.2 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.2045.1146 [GMT -5:00]
Running from: c:\users\Sam\Desktop\ComboFix.exe
AV: PC-cillin Internet Security - Virus Protection *On-access scanning disabled* (Updated) {7D2296BC-32CC-4519-917E-52E652474AF5}
FW: PC-cillin Internet Security - Firewall *enabled* {3E790E9E-6A5D-4303-A7F9-185EC20F3EB6}
SP: PC-cillin Internet Security - Spyware Protection *disabled* (Updated) {003DD9A8-02A6-43CF-81BA-5D403CAD001E}
SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\$recycle.bin\S-1-5-21-1400113804-1914402855-3429530994-500
c:\$recycle.bin\S-1-5-21-2152478756-3922319563-605102323-500
c:\$recycle.bin\S-1-5-21-840599722-2395141683-1205820045-500

.
((((((((((((((((((((((((( Files Created from 2009-09-28 to 2009-10-29 )))))))))))))))))))))))))))))))
.

2009-10-29 20:52 . 2009-10-29 20:52 -------- d-----w- c:\users\Natalie\AppData\Local\temp
2009-10-29 20:52 . 2009-10-29 20:52 -------- d-----w- c:\users\Default\AppData\Local\temp
2009-10-29 20:51 . 2009-10-29 20:51 -------- d-----w- c:\users\Guest\AppData\Local\temp
2009-10-29 20:51 . 2009-10-29 20:51 -------- d-----w- c:\users\Bill\AppData\Local\temp
2009-10-29 20:51 . 2009-10-29 20:51 -------- d-----w- c:\users\Barb\AppData\Local\temp
2009-10-29 20:42 . 2006-09-29 19:59 250368 ----a-w- c:\windows\system32\drivers\iastor.sys
2009-10-27 22:02 . 2009-09-10 15:29 311296 ----a-w- c:\windows\system32\unregmp2.exe
2009-10-27 22:02 . 2009-09-10 17:40 4096 ----a-w- c:\windows\system32\dxmasf.dll
2009-10-27 22:02 . 2009-09-10 17:39 7680 ----a-w- c:\windows\system32\spwmp.dll
2009-10-27 22:02 . 2009-09-10 15:29 8147968 ----a-w- c:\windows\system32\wmploc.DLL
2009-10-25 16:28 . 2009-10-25 16:28 -------- d-----w- c:\users\Guest\AppData\Roaming\Malwarebytes
2009-10-24 16:03 . 2009-09-10 19:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-24 16:03 . 2009-10-24 16:03 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-24 16:03 . 2009-09-10 19:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-24 15:41 . 2009-10-24 15:41 -------- d-----w- c:\programdata\wukojohe
2009-10-24 15:41 . 2009-10-24 15:41 -------- d-----w- c:\programdata\nahatona
2009-10-24 15:41 . 2009-10-24 15:41 -------- d-----w- c:\programdata\mopidozu
2009-10-24 15:41 . 2009-10-24 15:41 -------- d-----w- c:\programdata\lonayemu
2009-10-24 15:41 . 2009-10-27 22:18 -------- d-----w- c:\programdata\guvuvara
2009-10-24 15:41 . 2009-10-24 15:41 -------- d-----w- c:\programdata\zinozobu
2009-10-24 15:38 . 2009-10-24 15:38 -------- d-----w- c:\programdata\pogogiso
2009-10-24 15:38 . 2009-10-24 15:38 -------- d-----w- c:\programdata\konemabo
2009-10-24 15:38 . 2009-10-24 15:38 -------- d-----w- c:\programdata\gutodayo
2009-10-24 15:38 . 2009-10-24 15:38 -------- d-----w- c:\programdata\yikujode
2009-10-24 15:38 . 2009-10-24 15:38 -------- d-----w- c:\programdata\vojifuje
2009-10-24 15:38 . 2009-10-24 15:38 -------- d-----w- c:\programdata\muyinepa
2009-10-24 15:37 . 2009-10-24 15:37 -------- d-----w- c:\programdata\yeweyefa
2009-10-24 15:37 . 2009-10-24 15:37 -------- d-----w- c:\programdata\mivimoru
2009-10-24 15:37 . 2009-10-24 15:37 -------- d-----w- c:\programdata\futajido
2009-10-24 15:37 . 2009-10-24 15:37 -------- d-----w- c:\programdata\vubabuku
2009-10-24 15:37 . 2009-10-24 15:37 -------- d-----w- c:\programdata\sajijade
2009-10-24 15:37 . 2009-10-24 15:37 -------- d-----w- c:\programdata\dofakase
2009-10-24 15:36 . 2009-10-24 15:36 -------- d-----w- c:\programdata\pujorila
2009-10-24 15:36 . 2009-10-24 15:36 -------- d-----w- c:\programdata\juhijudu
2009-10-24 15:36 . 2009-10-24 15:36 -------- d-----w- c:\programdata\dagenoja
2009-10-24 15:35 . 2009-10-24 15:35 -------- d-----w- c:\programdata\warihagi
2009-10-24 15:35 . 2009-10-24 15:35 -------- d-----w- c:\programdata\hufowebi
2009-10-24 15:35 . 2009-10-24 15:35 -------- d-----w- c:\programdata\zesanido
2009-10-24 15:35 . 2009-10-24 15:35 -------- d-----w- c:\programdata\pihuyeha
2009-10-21 02:06 . 2009-10-21 02:06 -------- d-----w- c:\programdata\zisuruhi
2009-10-21 02:06 . 2009-10-21 02:06 -------- d-----w- c:\programdata\yihuhote
2009-10-21 02:06 . 2009-10-21 02:06 -------- d-----w- c:\programdata\tusiheku
2009-10-21 02:05 . 2009-10-21 02:05 -------- d-----w- c:\programdata\zinefowo
2009-10-21 02:05 . 2009-10-21 02:05 -------- d-----w- c:\programdata\pijelodo
2009-10-21 02:05 . 2009-10-21 02:05 -------- d-----w- c:\programdata\lupayusa
2009-10-21 01:34 . 2009-10-01 15:29 195440 ------w- c:\windows\system32\MpSigStub.exe
2009-10-21 01:32 . 2009-10-21 01:32 -------- d-----w- c:\programdata\tiwamora
2009-10-21 01:32 . 2009-10-21 01:32 -------- d-----w- c:\programdata\nefapifa
2009-10-21 01:32 . 2009-10-21 01:32 -------- d-----w- c:\programdata\lekepegu
2009-10-21 01:32 . 2009-10-21 01:32 -------- d-----w- c:\programdata\yowokifo
2009-10-21 01:32 . 2009-10-21 01:32 -------- d-----w- c:\programdata\mawivawo
2009-10-21 01:32 . 2009-10-21 01:32 -------- d-----w- c:\programdata\deluguba
2009-10-20 23:11 . 2009-10-20 23:11 -------- d-----w- c:\programdata\ziyiwori
2009-10-20 23:11 . 2009-10-20 23:11 -------- d-----w- c:\programdata\rotapote
2009-10-20 23:11 . 2009-10-20 23:11 -------- d-----w- c:\programdata\jiwirido
2009-10-20 22:11 . 2009-10-20 22:11 -------- d-----w- c:\programdata\nirotona
2009-10-20 22:11 . 2009-10-20 22:11 -------- d-----w- c:\programdata\lobofenu
2009-10-20 22:11 . 2009-10-20 22:11 -------- d-----w- c:\programdata\feretizi
2009-10-17 04:46 . 2009-10-17 04:46 -------- d-----w- c:\programdata\wumugaka
2009-10-17 04:46 . 2009-10-17 04:46 -------- d-----w- c:\programdata\topipega
2009-10-17 04:46 . 2009-10-17 04:46 -------- d-----w- c:\programdata\fufugose
2009-10-17 04:45 . 2009-10-17 04:45 -------- d-----w- c:\programdata\wojifoge
2009-10-17 04:45 . 2009-10-17 04:45 -------- d-----w- c:\programdata\relipasi
2009-10-17 04:45 . 2009-10-17 04:45 -------- d-----w- c:\programdata\bojolene
2009-10-16 16:51 . 2009-10-16 16:51 -------- d-----w- c:\windows\SQL9_KB970892_ENU
2009-10-16 16:45 . 2009-10-16 16:45 -------- d-----w- c:\programdata\magohupa
2009-10-16 00:30 . 2009-10-16 00:30 -------- d-----w- c:\users\Sam\AppData\Roaming\Malwarebytes
2009-10-16 00:29 . 2009-10-16 00:29 -------- d-----w- c:\programdata\Malwarebytes
2009-10-15 18:32 . 2009-10-15 18:32 -------- d-----w- c:\programdata\tutepega
2009-10-15 14:03 . 2009-08-31 15:17 1244672 ----a-w- c:\windows\system32\mcmde.dll
2009-10-15 14:03 . 2009-09-14 09:50 130048 ----a-w- c:\windows\system32\drivers\srv2.sys
2009-10-15 14:03 . 2009-04-02 11:50 604672 ----a-w- c:\windows\system32\WMSPDMOD.DLL
2009-10-14 17:54 . 2009-10-24 15:36 -------- d-----w- c:\programdata\lelimafu

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-28 22:58 . 2009-02-05 00:31 -------- d-----w- c:\programdata\Google Updater
2009-10-25 16:28 . 2008-02-24 03:25 165984 ----a-w- c:\users\Guest\AppData\Local\GDIPFONTCACHEV1.DAT
2009-10-24 15:57 . 2007-01-29 23:02 -------- d-----w- c:\programdata\Microsoft Help
2009-10-24 15:57 . 2007-02-11 20:11 165984 ----a-w- c:\users\Sam\AppData\Local\GDIPFONTCACHEV1.DAT
2009-10-24 15:53 . 2007-01-29 23:05 -------- d-----w- c:\program files\Microsoft Works
2009-10-16 17:20 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2009-10-16 16:52 . 2007-01-29 23:11 -------- d-----w- c:\program files\Microsoft SQL Server
2009-10-16 16:34 . 2007-02-12 04:17 -------- d-----w- c:\program files\Steam
2009-10-14 19:51 . 2007-11-18 02:28 -------- d-----w- c:\program files\Common Files\Steam
2009-10-11 16:28 . 2007-12-14 01:27 -------- d-----w- c:\program files\StepMania
2009-09-23 22:01 . 2007-02-12 03:46 -------- d-----w- c:\program files\AIM6
2009-09-23 22:01 . 2007-02-12 03:46 -------- d-----w- c:\programdata\Viewpoint
2009-09-23 21:58 . 2007-02-12 03:43 -------- d-----w- c:\programdata\AOL Downloads
2009-09-19 00:38 . 2007-02-12 18:59 -------- d-----w- c:\users\Natalie\AppData\Roaming\Apple Computer
2009-09-16 00:33 . 2007-02-12 04:13 -------- d-----w- c:\users\Sam\AppData\Roaming\Apple Computer
2009-09-16 00:20 . 2008-03-27 02:45 -------- d-----w- c:\program files\Safari
2009-09-16 00:18 . 2009-09-16 00:17 -------- d-----w- c:\programdata\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2009-09-16 00:18 . 2009-09-16 00:17 -------- d-----w- c:\program files\iTunes
2009-09-16 00:17 . 2009-09-16 00:17 -------- d-----w- c:\program files\iPod
2009-09-16 00:17 . 2007-11-02 20:41 -------- d-----w- c:\program files\Common Files\Apple
2009-09-16 00:15 . 2007-02-12 04:12 -------- d-----w- c:\program files\QuickTime
2009-09-11 01:14 . 2009-09-11 00:11 -------- d-----w- c:\users\Sam\AppData\Roaming\Move Networks
2009-09-10 22:05 . 2007-05-22 21:49 680 ----a-w- c:\users\Sam\AppData\Local\d3d9caps.dat
2009-09-10 17:38 . 2009-10-15 14:05 216576 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-05 19:59 . 2007-09-14 02:06 138168 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2009-09-05 19:58 . 2007-09-14 02:05 189472 ----a-w- c:\windows\system32\PnkBstrB.exe
2009-09-04 12:38 . 2009-10-15 14:05 60928 ----a-w- c:\windows\system32\msasn1.dll
2009-09-02 00:37 . 2009-06-27 03:00 -------- d-----w- c:\users\Guest\AppData\Roaming\Skype
2009-08-31 22:40 . 2009-08-31 22:40 -------- d-----w- c:\users\Guest\AppData\Roaming\Corel
2009-08-31 15:21 . 2009-10-15 14:04 292352 ----a-w- c:\windows\system32\psisdecd.dll
2009-08-31 15:16 . 2009-10-15 14:04 428032 ----a-w- c:\windows\system32\EncDec.dll
2009-08-29 03:41 . 2009-09-02 22:11 1686528 ----a-w- c:\windows\system32\gameux.dll
2009-08-29 03:40 . 2009-09-02 22:11 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2009-08-29 00:42 . 2009-08-29 00:42 40448 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2009-08-29 00:42 . 2009-08-29 00:42 2065696 ----a-w- c:\windows\system32\usbaaplrc.dll
2009-08-28 23:31 . 2009-09-02 22:11 4247552 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2009-08-27 14:02 . 2009-10-15 14:05 832512 ----a-w- c:\windows\system32\wininet.dll
2009-08-27 13:57 . 2009-10-15 14:04 56320 ----a-w- c:\windows\system32\iesetup.dll
2009-08-27 13:57 . 2009-10-15 14:05 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-08-27 13:56 . 2009-10-15 14:04 72704 ----a-w- c:\windows\system32\admparse.dll
2009-08-27 11:24 . 2009-10-15 14:04 26624 ----a-w- c:\windows\system32\ieUnatt.exe
2009-08-27 09:51 . 2009-10-15 14:04 48128 ----a-w- c:\windows\system32\mshtmler.dll
2009-08-18 04:33 . 2009-08-18 04:33 1193832 ----a-w- c:\windows\system32\FM20.DLL
2009-08-14 17:16 . 2009-09-08 20:06 213592 ----a-w- c:\windows\system32\drivers\netio.sys
2009-08-14 16:42 . 2009-09-08 20:06 167424 ----a-w- c:\windows\system32\tcpipcfg.dll
2009-08-14 16:40 . 2009-09-08 20:06 103936 ----a-w- c:\windows\system32\netiohlp.dll
2009-08-14 16:40 . 2009-09-08 20:06 15360 ----a-w- c:\windows\system32\netevent.dll
2009-08-14 14:25 . 2009-09-08 20:06 9728 ----a-w- c:\windows\system32\TCPSVCS.EXE
2009-08-14 14:25 . 2009-09-08 20:06 17920 ----a-w- c:\windows\system32\ROUTE.EXE
2009-08-14 14:25 . 2009-09-08 20:06 11264 ----a-w- c:\windows\system32\MRINFO.EXE
2009-08-14 14:25 . 2009-09-08 20:06 27136 ----a-w- c:\windows\system32\NETSTAT.EXE
2009-08-14 14:25 . 2009-09-08 20:06 8704 ----a-w- c:\windows\system32\HOSTNAME.EXE
2009-08-14 14:25 . 2009-09-08 20:06 19968 ----a-w- c:\windows\system32\ARP.EXE
2009-08-14 14:25 . 2009-09-08 20:06 10240 ----a-w- c:\windows\system32\finger.exe
2009-08-14 14:24 . 2009-09-08 20:06 813568 ----a-w- c:\windows\system32\drivers\tcpip.sys
2009-08-14 14:23 . 2009-09-08 20:06 22016 ----a-w- c:\windows\system32\netiougc.exe
2009-08-08 00:51 . 2009-08-08 00:51 15308424 ----a-w- c:\windows\system32\xlive.dll
2009-08-08 00:51 . 2009-08-08 00:51 13642888 ----a-w- c:\windows\system32\xlivefnt.dll
2009-08-05 14:28 . 2009-10-15 14:04 3502152 ----a-w- c:\windows\system32\ntkrnlpa.exe
2009-08-05 14:28 . 2009-10-15 14:04 3467864 ----a-w- c:\windows\system32\ntoskrnl.exe
2006-11-02 12:56 . 2006-11-02 12:56 1741 ----a-w- c:\program files\Sound Recorder.lnk
2006-11-02 12:54 . 2007-02-11 20:10 1699 ----a-w- c:\program files\Notepad.lnk
2008-07-31 19:00 . 2008-07-31 19:00 122880 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
2007-01-30 06:36 . 2007-01-30 06:36 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-10 1232896]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2006-11-12 446976]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2006-11-02 125440]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-02-05 39408]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-11-02 201728]
"Google Update"="c:\users\Sam\AppData\Local\Google\Update\GoogleUpdate.exe" [2008-09-02 133104]
"Octoshape Streaming Services"="c:\users\Sam\AppData\Roaming\Octoshape\Octoshape Streaming Services\OctoshapeClient.exe" [2009-01-12 70936]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2007-04-12 1006264]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-09-29 151552]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-03-20 86960]
"pccguide.exe"="c:\program files\Trend Micro\Internet Security 14\pccguide.exe" [2006-11-21 1807960]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-07-31 29744]
"ECenter"="c:\dell\E-Center\EULALauncher.exe" [2006-11-17 17920]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-03-20 213936]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Elements 5.0\apdproxy.exe" [2006-09-14 61440]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-12-11 49152]
"QuickTime Plugin Install"="c:\program files\QuickTime\Plugins\DeleteMe1.exe" [2007-11-02 49152]
"NvSvc"="c:\windows\system32\nvsvc.dll" [2007-12-11 86016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-12-11 8530464]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-12-11 81920]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-03-20 213936]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-08-13 177440]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-09-05 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-09 305440]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"SigmatelSysTrayApp"="sttray.exe" - c:\windows\sttray.exe [2006-11-02 303104]

c:\users\Sam\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]
Picture Motion Browser Media Check Tool.lnk - c:\program files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe [2007-7-20 344064]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2007-1-29 45056]
Event Planner Reminders.lnk - c:\program files\Sierra\Planner\PLNRnote.exe [2003-3-12 184320]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-1-2 210520]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~1\GoogleDesktopNetwork3.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"mixer"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

R2 TmPfw;Trend Micro Personal Firewall;c:\progra~1\TRENDM~1\INTERN~1\TmPfw.exe [9/25/2006 5:39 PM 923216]
R2 tmpreflt;tmpreflt;c:\windows\System32\drivers\tmpreflt.sys [1/29/2007 5:58 PM 36368]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [10/23/2007 5:36 PM 24652]
R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\System32\drivers\TM_CFW.sys [1/29/2007 5:58 PM 280392]
S2 gupdate1c987293b338ea4;Google Update Service (gupdate1c987293b338ea4);c:\program files\Google\Update\GoogleUpdate.exe [2/4/2009 7:32 PM 133104]
S2 Tmntsrv;Trend Micro Real-time Service;c:\progra~1\TRENDM~1\INTERN~1\Tmntsrv.exe [9/25/2006 5:39 PM 345696]
S2 tmproxy;Trend Micro Proxy Service;c:\progra~1\TRENDM~1\INTERN~1\tmproxy.exe [9/25/2006 5:39 PM 566872]
S3 GoogleDesktopManager-061008-081103;Google Desktop Manager 5.7.806.10245;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [1/29/2007 6:05 PM 29744]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - MBR
*Deregistered* - mbr

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2009-10-29 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-04-01 22:29]

2009-10-29 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-05 00:32]

2009-10-29 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-05 00:32]

2009-10-26 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-840599722-2395141683-1205820045-1003Core.job
- c:\users\Sam\AppData\Local\Google\Update\GoogleUpdate.exe [2008-09-02 21:34]

2009-10-28 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-840599722-2395141683-1205820045-1003UA.job
- c:\users\Sam\AppData\Local\Google\Update\GoogleUpdate.exe [2008-09-02 21:34]

2009-10-01 c:\windows\Tasks\WebReg Officejet 7400 series.job
- c:\program files\HP\Digital Imaging\bin\hpqwrg.exe [2006-12-11 02:36]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=4070130
uInternet Settings,ProxyOverride = *.local
IE: &AIM Search - c:\program files\aol\aim toolbar 5.0\resources\en-US\local\search.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Trusted Zone: turbotax.com
FF - ProfilePath - c:\users\Sam\AppData\Roaming\Mozilla\Firefox\Profiles\49ueiim4.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.aol.com/aolcom/search?invocationType=tbff50ie7&query=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - prefs.js: keyword.URL - hxxp://search.aol.com/aolcom/search?invocationType=TB50TRFF;homepage=no;search=yesab&query=
FF - component: c:\program files\Mozilla Firefox\components\GoogleDesktopMozilla.dll
FF - component: c:\users\Sam\AppData\Roaming\Mozilla\Firefox\Profiles\49ueiim4.default\extensions\{463F6CA5-EE3C-4be1-B7E6-7FEE11953374}\platform\WINNT\components\FoxyTunes.dll
FF - component: c:\users\Sam\AppData\Roaming\Mozilla\Firefox\Profiles\49ueiim4.default\extensions\piclens@cooliris.com\components\cooliris.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Google\Update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava11.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava12.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava13.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava14.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava32.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjpi160.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npoji610.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npGoogleGadgetPluginFirefoxWin.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmusicn.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - plugin: c:\program files\Virtual Earth 3D\npVE3D.dll
FF - plugin: c:\programdata\NexonUS\NGM\npNxGameUS.dll
FF - plugin: c:\users\Sam\AppData\Local\Google\Update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\users\Sam\AppData\Roaming\Move Networks\plugins\npqmp071504000001.dll
FF - plugin: c:\users\Sam\AppData\Roaming\Mozilla\Firefox\Profiles\49ueiim4.default\extensions\battlefieldheroespatcher@ea.com\platform\WINNT_x86-msvc\plugins\npBFHUpdater.dll
FF - plugin: c:\users\Sam\AppData\Roaming\Mozilla\Firefox\Profiles\49ueiim4.default\extensions\piclens@cooliris.com\plugins\npcoolirisplugin.dll
FF - plugin: c:\users\Sam\AppData\Roaming\Mozilla\plugins\npoctoshape.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-bumikikig - c:\progra~2\guvuvara\guvuvara.dll
HKCU-Run-Aim6 - (no file)
AddRemove-ShockwaveFlash - c:\windows\system32\Macromed\Flash\FlashUtil9b.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-29 15:52
Windows 6.0.6000 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aac\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.flac\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m3u\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m4a\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.midi\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp3\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp4\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ogg\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pcm\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pls\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.spx\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wav\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wma\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\S-1-5-21-840599722-2395141683-1205820045-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:4c,c0,b8,cc,b2,f3,36,04,b8,0b,c4,3f,3e,52,a6,67,79,aa,21,e4,26,6e,35,
ef,30,1f,0e,0e,6d,84,0f,fb,1c,e4,30,60,fe,d2,d0,69,25,27,f8,30,0c,84,8a,29,\
"??"=hex:17,d2,f9,ec,8b,34,da,77,a8,ed,c4,bc,08,7d,44,ed

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2009-10-29 15:54
ComboFix-quarantined-files.txt 2009-10-29 20:54

Pre-Run: 31,022,874,624 bytes free
Post-Run: 34,191,171,584 bytes free

- - End Of File - - 8AD4545FF37019E2F3612953C160945F
Zoopboing is offline  
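The "Files Created" listing above shows the pattern behind the reported symptom: dozens of empty folders directly under c:\programdata, all with eight-letter consonant-vowel names (wukojohe, deluguba, tutepega ...), created in bursts of three to six within the same minute. The script below is an added example, not part of this thread and not ComboFix's own code: it parses lines in the ComboFix "Files Created" format and flags groups of directories under c:\programdata whose names match that naming scheme and that share a creation minute. The sample lines are copied from the log above; the consonant-vowel regex is an assumption drawn from the names in this log, not a general malware rule.

```python
"""Flag batches of randomly named folders in a ComboFix 'Files Created' listing.

Added example, independent of the thread above. The name heuristic is an
assumption derived from the folder names in this one log.
"""
import re
from collections import defaultdict, namedtuple

Entry = namedtuple("Entry", "created modified size attrs path")

# One line of the ComboFix "Files Created" / "Find3M" sections:
#   <created> . <modified> <size-or-dashes> <attrs> <path>
LINE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) (\S+) (\S{8}) (.+?)\s*$"
)

# Assumed naming scheme for this family, taken from the log: eight lowercase
# letters in strict consonant-vowel alternation (wukojohe, deluguba, ...).
RANDOM_NAME_RE = re.compile(r"^(?:[b-df-hj-np-tv-z][aeiou]){4}$")

# Constructed sample: a few lines copied from the ComboFix log in this thread.
SAMPLE_LOG = r"""
2009-10-24 16:03 . 2009-10-24 16:03 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-24 15:41 . 2009-10-24 15:41 -------- d-----w- c:\programdata\wukojohe
2009-10-24 15:41 . 2009-10-24 15:41 -------- d-----w- c:\programdata\nahatona
2009-10-24 15:41 . 2009-10-27 22:18 -------- d-----w- c:\programdata\guvuvara
2009-10-21 01:34 . 2009-10-01 15:29 195440 ------w- c:\windows\system32\MpSigStub.exe
2009-10-16 00:29 . 2009-10-16 00:29 -------- d-----w- c:\programdata\Malwarebytes
2009-10-15 18:32 . 2009-10-15 18:32 -------- d-----w- c:\programdata\tutepega
"""


def parse_entries(text):
    """Parse every line that matches the ComboFix file-listing format."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            entries.append(Entry(*m.groups()))
    return entries


def is_random_name(name):
    """True if the folder name fits the assumed consonant-vowel scheme."""
    return bool(RANDOM_NAME_RE.match(name))


def find_suspicious_batches(entries, root="c:\\programdata", min_batch=2):
    """Return {created-timestamp: [folder names]} for groups of at least
    `min_batch` random-looking directories created directly under `root`
    within the same minute. Legitimate folders (Malwarebytes, vendor names)
    fail the name check; a lone match is reported only when min_batch=1."""
    prefix = root.lower().rstrip("\\") + "\\"
    by_minute = defaultdict(list)
    for e in entries:
        if not e.attrs.startswith("d"):       # directories only
            continue
        if not e.path.lower().startswith(prefix):
            continue
        name = e.path[len(prefix):]
        if "\\" in name:                       # skip deeper paths
            continue
        if is_random_name(name):
            by_minute[e.created].append(name)
    return {ts: names for ts, names in by_minute.items() if len(names) >= min_batch}


if __name__ == "__main__":
    batches = find_suspicious_batches(parse_entries(SAMPLE_LOG))
    for ts, names in sorted(batches.items()):
        print(f"{ts}: {len(names)} random-named folders under c:\\programdata: "
              + ", ".join(names))
```

Run against the full log above (paste it into SAMPLE_LOG or read it from a file), the script groups the ~50 folders into their creation bursts, which is the view an analyst wants when building the `Folder::` list for a CFScript: a burst of same-minute, same-scheme names is far stronger evidence than any single odd folder name.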
Old 10-29-2009, 10:51 PM   #7 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 26,970
OS: WinXP and Vista


Re: PopUp Problems

Hello Zoopboing,

Read through this entire procedure and if you have any questions, please ask them before you begin. Then either print out, or copy this page to Notepad and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.


It's IMPORTANT to carry out the instructions in the sequence listed below.


***************************************************

Open notepad and copy/paste the text in the code box below into it:

Quote:

Folder::
c:\programdata\wukojohe
c:\programdata\nahatona
c:\programdata\mopidozu
c:\programdata\lonayemu
c:\programdata\guvuvara
c:\programdata\zinozobu
c:\programdata\pogogiso
c:\programdata\konemabo
c:\programdata\gutodayo
c:\programdata\yikujode
c:\programdata\vojifuje
c:\programdata\muyinepa
c:\programdata\yeweyefa
c:\programdata\mivimoru
c:\programdata\futajido
c:\programdata\vubabuku
c:\programdata\sajijade
c:\programdata\dofakase
c:\programdata\pujorila
c:\programdata\juhijudu
c:\programdata\dagenoja
c:\programdata\warihagi
c:\programdata\hufowebi
c:\programdata\zesanido
c:\programdata\pihuyeha
c:\programdata\zisuruhi
c:\programdata\yihuhote
c:\programdata\tusiheku
c:\programdata\zinefowo
c:\programdata\pijelodo
c:\programdata\lupayusa
c:\programdata\tiwamora
c:\programdata\nefapifa
c:\programdata\lekepegu
c:\programdata\yowokifo
c:\programdata\mawivawo
c:\programdata\deluguba
c:\programdata\ziyiwori
c:\programdata\rotapote
c:\programdata\jiwirido
c:\programdata\nirotona
c:\programdata\lobofenu
c:\programdata\feretizi
c:\programdata\wumugaka
c:\programdata\topipega
c:\programdata\fufugose
c:\programdata\wojifoge
c:\programdata\relipasi
c:\programdata\bojolene
c:\programdata\magohupa
c:\programdata\tutepega
c:\programdata\lelimafu

Save this as "CFScript.txt", and as Type: All Files (*.*)
in the same location as ComboFix.exe

***************************************************

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt


====================================================

Download Junction.zip and save it to your desktop. Double click the junction.zip and extract to your desktop.

Next, open Notepad and copy/paste the contents in the quote box below, into Notepad.

Quote:
junction -s c:\ > log.txt
notepad log.txt
exit
Save this as junction.bat. Choose to "Save type as - All Files" and save it to your desktop.


It should look like this:
  • Double click Junction folder to open it.
  • Now drag the junction.bat into the Junction folder
  • Right click the junction.bat and run as administrator. Allow it to run -it can take a while to complete, so be patient.
Post the log it produces

=======================================

Please go to Virus Total
  • Copy paste the following full path into the empty box under 'Upload a file'

    c:\windows\system32\drivers\iastor.sys
  • Click 'Send File'
  • You will see a message 'File has already been analysed'. Click Reanalyse file now.
Copy/paste the results into Notepad and save it to your desktop. Please post the results in your next reply.

==========================

To recap, I'll need the following in your next reply:

C:\ComboFix.txt
Results of junction.bat
Results of Virus Total scan
Update on system behavior.
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Ried is offline  
Old 10-30-2009, 02:51 PM   #8 (permalink)
Registered User
 
Join Date: Oct 2009
Posts: 23
OS: Vista


Re: PopUp Problems

I got to the junction part, but when I extract it, there's a .txt and a .exe but no folder. And when I run the .exe it comes up with the prompt and then disappears after I accept the agreement.

Also, can I turn my virus protection back on?
Zoopboing is offline  
Old 10-30-2009, 09:11 PM   #9 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 26,970
OS: WinXP and Vista


Re: PopUp Problems

When you double click the junction.zip file, you will see a .txt file and the .exe. Look to your left panel toward the top, and you should see 'Extract all files'. Click that and extract to the desktop.

Yes, re-enable your protection.
Ried is offline  
Old 10-31-2009, 11:09 AM   #10 (permalink)
Registered User
 
Join Date: Oct 2009
Posts: 23
OS: Vista


Re: PopUp Problems

I got
Quote:
C:\Windows\system32>junction -s c:\ 1>log.txt
'junction' is not recognized as an internal or external command,
operable program or batch file.

C:\Windows\system32>notepad log.txt
and it opened a blank log.

Also, when I click the Trend desktop icon it still says
Quote:
Unable to start the program. A previous instance of this program is still exiting. Please wait a moment, and then try again.
Zoopboing is offline  
Old 10-31-2009, 11:11 AM   #11 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 26,970
OS: WinXP and Vista


Re: PopUp Problems

Did you drag the junction.bat you created, into the extracted Junction folder before running it? The junction.bat must be located in that folder, and run from there in order to work properly.
Ried is offline  
Old 10-31-2009, 11:15 AM   #12 (permalink)
Registered User
 
Join Date: Oct 2009
Posts: 23
OS: Vista


Re: PopUp Problems

Yes, I have junction.zip, and a folder containing eula.txt, junction.exe and junction.bat all on my desktop. I clicked the junction.bat and from the list selected Run as administrator, and that's what happened.

Also, should the file fanogigi still be in c:\programdata?
Zoopboing is offline  
Old 10-31-2009, 11:22 AM   #13 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 26,970
OS: WinXP and Vista


Re: PopUp Problems

The junction.bat should not be on the desktop, it should be in the extracted Junction Folder. Is that where it is?

And no, fanogigi should not be in that folder. It was not showing in the ComboFix.txt -- is it still there? If so, delete it.
Ried is offline  
Old 10-31-2009, 11:30 AM   #14 (permalink)
Registered User
 
Join Date: Oct 2009
Posts: 23
OS: Vista


Re: PopUp Problems

junction.bat is in the junction folder along with .exe and .txt.
The folder is on the desktop, with all 3 files in it.

Should I just delete fanogigi and then empty my recycle bin?

Sorry about the confusion.
Zoopboing is offline  
Old 10-31-2009, 07:43 PM   #15 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 26,970
OS: WinXP and Vista


Re: PopUp Problems

It works fine for me. Delete the junction.zip and the Junction Folder from your desktop and download the Junction.zip I've attached to this post. Double click and extract all files. Open the Junction Folder and right click the peek.bat to run as administrator and allow it to run. Post the log it produces.

Have you run the CFScript yet? Please post the resultant C:\ComboFix.txt

Have you uploaded that file to Virus Total yet? I need to see those results.

Last edited by Ried; 11-15-2009 at 12:54 PM.
Ried is offline  
Old 11-01-2009, 09:49 AM   #16 (permalink)
Registered User
 
Join Date: Oct 2009
Posts: 23
OS: Vista


Re: PopUp Problems

Nothing new with peek.bat, same problem.

Also, tried Virus Total and after I clicked Send File it led me to a blank page that says "0 bytes size received / Se ha recibido un archivo vacio" at the top.

Here's combofix.txt:



ComboFix 09-10-28.08 - Sam 10/30/2009 15:24.2.2 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.2045.869 [GMT -5:00]
Running from: c:\users\Sam\Desktop\ComboFix.exe
Command switches used :: c:\users\Sam\Desktop\CFScript.txt
AV: PC-cillin Internet Security - Virus Protection *On-access scanning disabled* (Updated) {7D2296BC-32CC-4519-917E-52E652474AF5}
FW: PC-cillin Internet Security - Firewall *enabled* {3E790E9E-6A5D-4303-A7F9-185EC20F3EB6}
SP: PC-cillin Internet Security - Spyware Protection *disabled* (Updated) {003DD9A8-02A6-43CF-81BA-5D403CAD001E}
SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\programdata\bojolene
c:\programdata\bojolene\bojolene.exe
c:\programdata\dagenoja
c:\programdata\dagenoja\dagenoja.dll
c:\programdata\deluguba
c:\programdata\deluguba\deluguba.exe
c:\programdata\dofakase
c:\programdata\dofakase\dofakase.dll
c:\programdata\feretizi
c:\programdata\feretizi\feretizi.dll
c:\programdata\fufugose
c:\programdata\fufugose\fufugose.exe
c:\programdata\futajido
c:\programdata\futajido\futajido.dll
c:\programdata\gutodayo
c:\programdata\gutodayo\gutodayo.dll
c:\programdata\guvuvara
c:\programdata\hufowebi
c:\programdata\hufowebi\hufowebi.exe
c:\programdata\jiwirido
c:\programdata\jiwirido\jiwirido.dll
c:\programdata\juhijudu
c:\programdata\juhijudu\juhijudu.dll
c:\programdata\konemabo
c:\programdata\konemabo\konemabo.exe
c:\programdata\lekepegu
c:\programdata\lekepegu\lekepegu.exe
c:\programdata\lelimafu
c:\programdata\lelimafu\lelimafu.dll.tmp
c:\programdata\lobofenu
c:\programdata\lobofenu\lobofenu.dll
c:\programdata\lonayemu
c:\programdata\lonayemu\lonayemu.exe
c:\programdata\lupayusa
c:\programdata\lupayusa\lupayusa.dll
c:\programdata\magohupa
c:\programdata\magohupa\magohupa.dll
c:\programdata\mawivawo
c:\programdata\mawivawo\mawivawo.dll
c:\programdata\mivimoru
c:\programdata\mivimoru\mivimoru.dll
c:\programdata\mopidozu
c:\programdata\mopidozu\mopidozu.dll
c:\programdata\muyinepa
c:\programdata\muyinepa\muyinepa.dll
c:\programdata\nahatona
c:\programdata\nahatona\nahatona.dll
c:\programdata\nefapifa
c:\programdata\nefapifa\nefapifa.dll
c:\programdata\nirotona
c:\programdata\pihuyeha
c:\programdata\pihuyeha\pihuyeha.dll
c:\programdata\pijelodo
c:\programdata\pijelodo\pijelodo.exe
c:\programdata\pogogiso
c:\programdata\pogogiso\pogogiso.dll
c:\programdata\pujorila
c:\programdata\pujorila\pujorila.dll
c:\programdata\relipasi
c:\programdata\relipasi\relipasi.dll
c:\programdata\rotapote
c:\programdata\rotapote\rotapote.exe
c:\programdata\sajijade
c:\programdata\sajijade\sajijade.exe
c:\programdata\tiwamora
c:\programdata\tiwamora\tiwamora.dll
c:\programdata\topipega
c:\programdata\topipega\topipega.dll
c:\programdata\tusiheku
c:\programdata\tusiheku\tusiheku.dll
c:\programdata\tutepega
c:\programdata\tutepega\tutepega.dll
c:\programdata\vojifuje
c:\programdata\vojifuje\vojifuje.exe
c:\programdata\vubabuku
c:\programdata\vubabuku\vubabuku.dll
c:\programdata\warihagi
c:\programdata\warihagi\warihagi.dll
c:\programdata\wojifoge
c:\programdata\wojifoge\wojifoge.dll
c:\programdata\wukojohe
c:\programdata\wukojohe\wukojohe.exe
c:\programdata\wumugaka
c:\programdata\wumugaka\wumugaka.dll
c:\programdata\yeweyefa
c:\programdata\yeweyefa\yeweyefa.exe
c:\programdata\yihuhote
c:\programdata\yihuhote\yihuhote.exe
c:\programdata\yikujode
c:\programdata\yikujode\yikujode.dll
c:\programdata\yowokifo
c:\programdata\yowokifo\yowokifo.dll
c:\programdata\zesanido
c:\programdata\zesanido\zesanido.dll
c:\programdata\zinefowo
c:\programdata\zinefowo\zinefowo.dll
c:\programdata\zinozobu
c:\programdata\zinozobu\zinozobu.dll
c:\programdata\zisuruhi
c:\programdata\zisuruhi\zisuruhi.dll
c:\programdata\ziyiwori
c:\programdata\ziyiwori\ziyiwori.dll

.
((((((((((((((((((((((((( Files Created from 2009-09-28 to 2009-10-30 )))))))))))))))))))))))))))))))
.

2009-10-30 20:35 . 2009-10-30 20:35 -------- d-----w- c:\users\Sam\AppData\Local Settings\Roaming\temp
2009-10-30 20:35 . 2009-10-30 20:35 -------- d-----w- c:\users\Public\AppData\Local\temp
2009-10-30 20:35 . 2009-10-30 20:35 -------- d-----w- c:\users\Natalie\AppData\Local\temp
2009-10-30 20:35 . 2009-10-30 20:35 -------- d-----w- c:\users\Guest\AppData\Local\temp
2009-10-30 20:35 . 2009-10-30 20:35 -------- d-----w- c:\users\Default\AppData\Local\temp
2009-10-30 20:35 . 2009-10-30 20:35 -------- d-----w- c:\users\Bill\AppData\Local\temp
2009-10-30 20:35 . 2009-10-30 20:35 -------- d-----w- c:\users\Barb\AppData\Local\temp
2009-10-30 20:24 . 2006-09-29 19:59 250368 ----a-w- c:\windows\system32\drivers\iastor.sys
2009-10-27 22:02 . 2009-09-10 15:29 311296 ----a-w- c:\windows\system32\unregmp2.exe
2009-10-27 22:02 . 2009-09-10 17:40 4096 ----a-w- c:\windows\system32\dxmasf.dll
2009-10-27 22:02 . 2009-09-10 17:39 7680 ----a-w- c:\windows\system32\spwmp.dll
2009-10-27 22:02 . 2009-09-10 15:29 8147968 ----a-w- c:\windows\system32\wmploc.DLL
2009-10-25 16:28 . 2009-10-25 16:28 -------- d-----w- c:\users\Guest\AppData\Roaming\Malwarebytes
2009-10-24 16:03 . 2009-09-10 19:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-24 16:03 . 2009-10-24 16:03 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-24 16:03 . 2009-09-10 19:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-21 01:34 . 2009-10-01 15:29 195440 ------w- c:\windows\system32\MpSigStub.exe
2009-10-16 16:51 . 2009-10-16 16:51 -------- d-----w- c:\windows\SQL9_KB970892_ENU
2009-10-16 00:30 . 2009-10-16 00:30 -------- d-----w- c:\users\Sam\AppData\Roaming\Malwarebytes
2009-10-16 00:29 . 2009-10-16 00:29 -------- d-----w- c:\programdata\Malwarebytes
2009-10-15 14:03 . 2009-08-31 15:17 1244672 ----a-w- c:\windows\system32\mcmde.dll
2009-10-15 14:03 . 2009-09-14 09:50 130048 ----a-w- c:\windows\system32\drivers\srv2.sys
2009-10-15 14:03 . 2009-04-02 11:50 604672 ----a-w- c:\windows\system32\WMSPDMOD.DLL

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-30 20:18 . 2009-02-05 00:31 -------- d-----w- c:\programdata\Google Updater
2009-10-25 16:28 . 2008-02-24 03:25 165984 ----a-w- c:\users\Guest\AppData\Local\GDIPFONTCACHEV1.DAT
2009-10-24 15:57 . 2007-01-29 23:02 -------- d-----w- c:\programdata\Microsoft Help
2009-10-24 15:57 . 2007-02-11 20:11 165984 ----a-w- c:\users\Sam\AppData\Local\GDIPFONTCACHEV1.DAT
2009-10-24 15:53 . 2007-01-29 23:05 -------- d-----w- c:\program files\Microsoft Works
2009-10-16 17:20 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2009-10-16 16:52 . 2007-01-29 23:11 -------- d-----w- c:\program files\Microsoft SQL Server
2009-10-16 16:34 . 2007-02-12 04:17 -------- d-----w- c:\program files\Steam
2009-10-14 19:51 . 2007-11-18 02:28 -------- d-----w- c:\program files\Common Files\Steam
2009-10-11 16:28 . 2007-12-14 01:27 -------- d-----w- c:\program files\StepMania
2009-09-23 22:01 . 2007-02-12 03:46 -------- d-----w- c:\program files\AIM6
2009-09-23 22:01 . 2007-02-12 03:46 -------- d-----w- c:\programdata\Viewpoint
2009-09-23 21:58 . 2007-02-12 03:43 -------- d-----w- c:\programdata\AOL Downloads
2009-09-19 00:38 . 2007-02-12 18:59 -------- d-----w- c:\users\Natalie\AppData\Roaming\Apple Computer
2009-09-16 00:33 . 2007-02-12 04:13 -------- d-----w- c:\users\Sam\AppData\Roaming\Apple Computer
2009-09-16 00:20 . 2008-03-27 02:45 -------- d-----w- c:\program files\Safari
2009-09-16 00:18 . 2009-09-16 00:17 -------- d-----w- c:\programdata\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2009-09-16 00:18 . 2009-09-16 00:17 -------- d-----w- c:\program files\iTunes
2009-09-16 00:17 . 2009-09-16 00:17 -------- d-----w- c:\program files\iPod
2009-09-16 00:17 . 2007-11-02 20:41 -------- d-----w- c:\program files\Common Files\Apple
2009-09-16 00:15 . 2007-02-12 04:12 -------- d-----w- c:\program files\QuickTime
2009-09-11 01:14 . 2009-09-11 00:11 -------- d-----w- c:\users\Sam\AppData\Roaming\Move Networks
2009-09-10 22:05 . 2007-05-22 21:49 680 ----a-w- c:\users\Sam\AppData\Local\d3d9caps.dat
2009-09-10 17:38 . 2009-10-15 14:05 216576 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-05 19:59 . 2007-09-14 02:06 138168 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2009-09-05 19:58 . 2007-09-14 02:05 189472 ----a-w- c:\windows\system32\PnkBstrB.exe
2009-09-04 12:38 . 2009-10-15 14:05 60928 ----a-w- c:\windows\system32\msasn1.dll
2009-09-02 00:37 . 2009-06-27 03:00 -------- d-----w- c:\users\Guest\AppData\Roaming\Skype
2009-08-31 22:40 . 2009-08-31 22:40 -------- d-----w- c:\users\Guest\AppData\Roaming\Corel
2009-08-31 15:21 . 2009-10-15 14:04 292352 ----a-w- c:\windows\system32\psisdecd.dll
2009-08-31 15:16 . 2009-10-15 14:04 428032 ----a-w- c:\windows\system32\EncDec.dll
2009-08-29 03:41 . 2009-09-02 22:11 1686528 ----a-w- c:\windows\system32\gameux.dll
2009-08-29 03:40 . 2009-09-02 22:11 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2009-08-29 00:42 . 2009-08-29 00:42 40448 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2009-08-29 00:42 . 2009-08-29 00:42 2065696 ----a-w- c:\windows\system32\usbaaplrc.dll
2009-08-28 23:31 . 2009-09-02 22:11 4247552 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2009-08-27 14:02 . 2009-10-15 14:05 832512 ----a-w- c:\windows\system32\wininet.dll
2009-08-27 13:57 . 2009-10-15 14:04 56320 ----a-w- c:\windows\system32\iesetup.dll
2009-08-27 13:57 . 2009-10-15 14:05 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-08-27 13:56 . 2009-10-15 14:04 72704 ----a-w- c:\windows\system32\admparse.dll
2009-08-27 11:24 . 2009-10-15 14:04 26624 ----a-w- c:\windows\system32\ieUnatt.exe
2009-08-27 09:51 . 2009-10-15 14:04 48128 ----a-w- c:\windows\system32\mshtmler.dll
2009-08-18 04:33 . 2009-08-18 04:33 1193832 ----a-w- c:\windows\system32\FM20.DLL
2009-08-14 17:16 . 2009-09-08 20:06 213592 ----a-w- c:\windows\system32\drivers\netio.sys
2009-08-14 16:42 . 2009-09-08 20:06 167424 ----a-w- c:\windows\system32\tcpipcfg.dll
2009-08-14 16:40 . 2009-09-08 20:06 103936 ----a-w- c:\windows\system32\netiohlp.dll
2009-08-14 16:40 . 2009-09-08 20:06 15360 ----a-w- c:\windows\system32\netevent.dll
2009-08-14 14:25 . 2009-09-08 20:06 9728 ----a-w- c:\windows\system32\TCPSVCS.EXE
2009-08-14 14:25 . 2009-09-08 20:06 17920 ----a-w- c:\windows\system32\ROUTE.EXE
2009-08-14 14:25 . 2009-09-08 20:06 11264 ----a-w- c:\windows\system32\MRINFO.EXE
2009-08-14 14:25 . 2009-09-08 20:06 27136 ----a-w- c:\windows\system32\NETSTAT.EXE
2009-08-14 14:25 . 2009-09-08 20:06 8704 ----a-w- c:\windows\system32\HOSTNAME.EXE
2009-08-14 14:25 . 2009-09-08 20:06 19968 ----a-w- c:\windows\system32\ARP.EXE
2009-08-14 14:25 . 2009-09-08 20:06 10240 ----a-w- c:\windows\system32\finger.exe
2009-08-14 14:24 . 2009-09-08 20:06 813568 ----a-w- c:\windows\system32\drivers\tcpip.sys
2009-08-14 14:23 . 2009-09-08 20:06 22016 ----a-w- c:\windows\system32\netiougc.exe
2009-08-08 00:51 . 2009-08-08 00:51 15308424 ----a-w- c:\windows\system32\xlive.dll
2009-08-08 00:51 . 2009-08-08 00:51 13642888 ----a-w- c:\windows\system32\xlivefnt.dll
2009-08-05 14:28 . 2009-10-15 14:04 3502152 ----a-w- c:\windows\system32\ntkrnlpa.exe
2009-08-05 14:28 . 2009-10-15 14:04 3467864 ----a-w- c:\windows\system32\ntoskrnl.exe
2006-11-02 12:56 . 2006-11-02 12:56 1741 ----a-w- c:\program files\Sound Recorder.lnk
2006-11-02 12:54 . 2007-02-11 20:10 1699 ----a-w- c:\program files\Notepad.lnk
2008-07-31 19:00 . 2008-07-31 19:00 122880 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
2007-01-30 06:36 . 2007-01-30 06:36 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
.

((((((((((((((((((((((((((((( SnapShot@2009-10-29_20.52.27 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-01-29 23:19 . 2009-10-29 20:29 59262 c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2007-01-29 23:19 . 2009-10-30 20:19 59262 c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
- 2006-11-02 13:05 . 2009-10-29 20:30 63230 c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2006-11-02 13:05 . 2009-10-30 20:19 63230 c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2007-02-11 22:07 . 2009-10-30 20:19 14794 c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-840599722-2395141683-1205820045-1003_UserData.bin
- 2007-02-11 20:07 . 2009-10-29 20:27 16384 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2007-02-11 20:07 . 2009-10-30 20:18 16384 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2007-02-11 20:07 . 2009-10-29 20:27 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2007-02-11 20:07 . 2009-10-30 20:18 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2007-02-11 20:07 . 2009-10-30 20:18 16384 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2007-02-11 20:07 . 2009-10-29 20:27 16384 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-10-30 20:19 . 2009-10-30 20:19 22528 c:\windows\Installer\2ea24.msi
+ 2009-10-30 20:16 . 2009-10-30 20:16 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2009-10-29 20:27 . 2009-10-29 20:27 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2009-10-30 20:16 . 2009-10-30 20:16 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2009-10-29 20:27 . 2009-10-29 20:27 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-10 1232896]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2006-11-12 446976]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2006-11-02 125440]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-02-05 39408]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-11-02 201728]
"Google Update"="c:\users\Sam\AppData\Local\Google\Update\GoogleUpdate.exe" [2008-09-02 133104]
"Octoshape Streaming Services"="c:\users\Sam\AppData\Roaming\Octoshape\Octoshape Streaming Services\OctoshapeClient.exe" [2009-01-12 70936]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2007-04-12 1006264]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-09-29 151552]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-03-20 86960]
"pccguide.exe"="c:\program files\Trend Micro\Internet Security 14\pccguide.exe" [2006-11-21 1807960]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-07-31 29744]
"ECenter"="c:\dell\E-Center\EULALauncher.exe" [2006-11-17 17920]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-03-20 213936]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Elements 5.0\apdproxy.exe" [2006-09-14 61440]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-12-11 49152]
"QuickTime Plugin Install"="c:\program files\QuickTime\Plugins\DeleteMe1.exe" [2007-11-02 49152]
"NvSvc"="c:\windows\system32\nvsvc.dll" [2007-12-11 86016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-12-11 8530464]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-12-11 81920]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-03-20 213936]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-08-13 177440]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-09-05 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-09 305440]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"SigmatelSysTrayApp"="sttray.exe" - c:\windows\sttray.exe [2006-11-02 303104]

c:\users\Sam\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]
Picture Motion Browser Media Check Tool.lnk - c:\program files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe [2007-7-20 344064]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2007-1-29 45056]
Event Planner Reminders.lnk - c:\program files\Sierra\Planner\PLNRnote.exe [2003-3-12 184320]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-1-2 210520]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~1\GoogleDesktopNetwork3.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"mixer"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

R2 TmPfw;Trend Micro Personal Firewall;c:\progra~1\TRENDM~1\INTERN~1\TmPfw.exe [9/25/2006 5:39 PM 923216]
R2 tmpreflt;tmpreflt;c:\windows\System32\drivers\tmpreflt.sys [1/29/2007 5:58 PM 36368]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [10/23/2007 5:36 PM 24652]
R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\System32\drivers\TM_CFW.sys [1/29/2007 5:58 PM 280392]
S2 gupdate1c987293b338ea4;Google Update Service (gupdate1c987293b338ea4);c:\program files\Google\Update\GoogleUpdate.exe [2/4/2009 7:32 PM 133104]
S2 Tmntsrv;Trend Micro Real-time Service;c:\progra~1\TRENDM~1\INTERN~1\Tmntsrv.exe [9/25/2006 5:39 PM 345696]
S2 tmproxy;Trend Micro Proxy Service;c:\progra~1\TRENDM~1\INTERN~1\tmproxy.exe [9/25/2006 5:39 PM 566872]
S3 GoogleDesktopManager-061008-081103;Google Desktop Manager 5.7.806.10245;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [1/29/2007 6:05 PM 29744]

--- Other Services/Drivers In Memory ---

*Deregistered* - mbr

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2009-10-30 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-04-01 22:29]

2009-10-30 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-05 00:32]

2009-10-30 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-05 00:32]

2009-10-26 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-840599722-2395141683-1205820045-1003Core.job
- c:\users\Sam\AppData\Local\Google\Update\GoogleUpdate.exe [2008-09-02 21:34]

2009-10-28 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-840599722-2395141683-1205820045-1003UA.job
- c:\users\Sam\AppData\Local\Google\Update\GoogleUpdate.exe [2008-09-02 21:34]

2009-10-01 c:\windows\Tasks\WebReg Officejet 7400 series.job
- c:\program files\HP\Digital Imaging\bin\hpqwrg.exe [2006-12-11 02:36]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=4070130
uInternet Settings,ProxyOverride = *.local
IE: &AIM Search - c:\program files\aol\aim toolbar 5.0\resources\en-US\local\search.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Trusted Zone: turbotax.com
FF - ProfilePath - c:\users\Sam\AppData\Roaming\Mozilla\Firefox\Profiles\49ueiim4.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.aol.com/aolcom/search?invocationType=tbff50ie7&query=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - prefs.js: keyword.URL - hxxp://search.aol.com/aolcom/search?invocationType=TB50TRFF;homepage=no;search=yesab&query=
FF - component: c:\program files\Mozilla Firefox\components\GoogleDesktopMozilla.dll
FF - component: c:\users\Sam\AppData\Roaming\Mozilla\Firefox\Profiles\49ueiim4.default\extensions\{463F6CA5-EE3C-4be1-B7E6-7FEE11953374}\platform\WINNT\components\FoxyTunes.dll
FF - component: c:\users\Sam\AppData\Roaming\Mozilla\Firefox\Profiles\49ueiim4.default\extensions\piclens@cooliris.com\components\cooliris.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-30 15:35
Windows 6.0.6000 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aac\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.flac\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m3u\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m4a\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.midi\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp3\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp4\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ogg\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pcm\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pls\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.spx\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wav\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wma\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\S-1-5-21-840599722-2395141683-1205820045-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:4c,c0,b8,cc,b2,f3,36,04,b8,0b,c4,3f,3e,52,a6,67,79,aa,21,e4,26,6e,35,
ef,30,1f,0e,0e,6d,84,0f,fb,1c,e4,30,60,fe,d2,d0,69,25,27,f8,30,0c,84,8a,29,\
"??"=hex:17,d2,f9,ec,8b,34,da,77,a8,ed,c4,bc,08,7d,44,ed

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2009-10-30 15:37
ComboFix-quarantined-files.txt 2009-10-30 20:37
ComboFix2.txt 2009-10-29 20:54

Pre-Run: 34,461,970,432 bytes free
Post-Run: 34,423,152,640 bytes free

- - End Of File - - 957CB6CD03CA274FED689823DDDBB684
Zoopboing is offline  
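A small triage script for a ComboFix log like the one above, added here as an example (it is not part of the thread and not a ComboFix feature). It parses the "Other Deletions" section and flags the c:\programdata folders whose eight-letter consonant-vowel names and same-named .exe/.dll payloads make up the pattern in this log; the sample log inside is constructed from lines quoted in the post plus one benign entry.

```python
"""Triage the 'Other Deletions' section of a ComboFix log for the
random-name folder pattern seen in this thread.

Added example, not part of the original thread or of ComboFix. It reads the
plain-text log format as posted (section headers wrapped in parentheses, one
path per line) and flags c:\\programdata\\<name> folders whose name is eight
lowercase letters alternating consonant/vowel and whose contents are an .exe
or .dll named after the folder.
"""
import re
from collections import OrderedDict

VOWELS = set("aeiou")

# Section headers look like "((((( Other Deletions )))))".
SECTION_RE = re.compile(r"^\({3,}\s*(.+?)\s*\){3,}\s*$")
# c:\programdata\<folder>[\<rest of path>]
PROGRAMDATA_RE = re.compile(r"^c:\\programdata\\([^\\]+)(?:\\(.+))?$", re.IGNORECASE)

# Constructed sample: lines quoted in the post plus one benign entry
# ("Example Vendor\leftover.log") that must not be flagged.
SAMPLE_LOG = r"""
ComboFix 09-10-28.08 - Sam 10/30/2009 15:24.2.2 - NTFSx86
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\programdata\bojolene
c:\programdata\bojolene\bojolene.exe
c:\programdata\dagenoja
c:\programdata\dagenoja\dagenoja.dll
c:\programdata\guvuvara
c:\programdata\lelimafu
c:\programdata\lelimafu\lelimafu.dll.tmp
c:\programdata\Example Vendor\leftover.log

.
((((((((((((((((((((((((( Files Created from 2009-09-28 to 2009-10-30 )))))))))))))))))))))))))))))))
.
2009-10-16 00:29 . 2009-10-16 00:29 -------- d-----w- c:\programdata\Malwarebytes
"""


def is_random_cv_name(name: str, length: int = 8) -> bool:
    """True for names like 'bojolene': exactly `length` lowercase letters,
    strictly alternating consonant/vowel in either phase (CVCV... or VCVC...)."""
    if len(name) != length or not name.isalpha() or not name.islower():
        return False
    phases = [c in VOWELS for c in name]
    return all(phases[i] != phases[i + 1] for i in range(len(phases) - 1))


def section_lines(log_text: str, title: str):
    """Yield the non-empty lines belonging to the named ComboFix section."""
    inside = False
    for raw in log_text.splitlines():
        line = raw.strip()
        header = SECTION_RE.match(line)
        if header:
            inside = header.group(1).lower() == title.lower()
            continue
        if inside and line and line != ".":
            yield line


def triage_other_deletions(log_text: str):
    """Group deleted c:\\programdata paths by top-level folder and return the
    folders that match the random-name pattern, in log order."""
    folders = OrderedDict()
    for line in section_lines(log_text, "Other Deletions"):
        m = PROGRAMDATA_RE.match(line)
        if not m:
            continue
        folder, rest = m.group(1).lower(), m.group(2)
        files = folders.setdefault(folder, [])
        if rest:
            files.append(rest.lower())

    findings = []
    for folder, files in folders.items():
        reasons = []
        if is_random_cv_name(folder):
            reasons.append("eight-letter consonant-vowel folder name")
        for f in files:
            # lelimafu.dll.tmp counts: a payload named after its folder.
            if f.split(".")[0] == folder and re.search(r"\.(exe|dll)(\.tmp)?$", f):
                reasons.append(f"payload named after folder: {f}")
        if reasons:
            findings.append({"folder": folder, "files": files, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for hit in triage_other_deletions(SAMPLE_LOG):
        print(f"c:\\programdata\\{hit['folder']}: " + "; ".join(hit["reasons"]))
```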
Old 11-01-2009, 03:01 PM   #17 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 26,970
OS: WinXP and Vista


Re: PopUp Problems

What symptoms remain?
Ried is offline  
Old 11-01-2009, 03:09 PM   #18 (permalink)
Registered User
 
Join Date: Oct 2009
Posts: 23
OS: Vista


Re: PopUp Problems

I still can't access PC-cillin.

Although the popups appear to be gone.

Last edited by Zoopboing; 11-01-2009 at 03:11 PM.
Zoopboing is offline  
Old 11-01-2009, 03:27 PM   #19 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 26,970
OS: WinXP and Vista


Re: PopUp Problems

I'm wondering if PC-cillin is interfering with the running of the peek.bat.

Boot into Safe Mode and run it from there.

1) Restart your computer.
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear.
4) Use the up arrow key to highlight Safe Mode and press Enter.
5) Login with your usual account. Make sure to close any open browsers.

Right click the peek.bat > Run as Administrator. Post the log.
Ried is offline  
Old 11-01-2009, 03:54 PM   #20 (permalink)
Registered User
 
Join Date: Oct 2009
Posts: 23
OS: Vista


Re: PopUp Problems

Junction v1.05 - Windows junction creator and reparse point viewer
Copyright (C) 2000-2007 Mark Russinovich
Systems Internals - http://www.sysinternals.com

\\?\c:\\Documents and Settings: JUNCTION
Print Name : C:\Users
Substitute Name: C:\Users


Failed to open \\?\c:\\pagefile.sys: The process cannot access the file because it is being used by another process.

\\?\c:\\ProgramData\Application Data: JUNCTION
Print Name : C:\ProgramData
Substitute Name: C:\ProgramData

\\?\c:\\ProgramData\Desktop: JUNCTION
Print Name : C:\Users\Public\Desktop
Substitute Name: C:\Users\Public\Desktop

\\?\c:\\ProgramData\Documents: JUNCTION
Print Name : C:\Users\Public\Documents
Substitute Name: C:\Users\Public\Documents

\\?\c:\\ProgramData\Favorites: JUNCTION
Print Name : C:\Users\Public\Favorites
Substitute Name: C:\Users\Public\Favorites

\\?\c:\\ProgramData\Start Menu: JUNCTION
Print Name : C:\ProgramData\Microsoft\Windows\Start Menu
Substitute Name: C:\ProgramData\Microsoft\Windows\Start Menu

\\?\c:\\ProgramData\Templates: JUNCTION
Print Name : C:\ProgramData\Microsoft\Windows\Templates
Substitute Name: C:\ProgramData\Microsoft\Windows\Templates

Failed to open \\?\c:\\ProgramData\Microsoft\Crypto\RSA\MachineKeys\0f01bf009f255f391c0424d503f35645_19c7b30e-99c9-4530-b951-47a3445249a6: Access is denied.
Failed to open \\?\c:\\ProgramData\Trend Micro\PC-cillin\S-1-5-21-840599722-2395141683-1205820045-1005: Access is denied.

Failed to open \\?\c:\\ProgramData\Trend Micro\PC-cillin\log\pcc_S-1-5-21-840599722-2395141683-1205820045-1004u.log: Access is denied.

Failed to open \\?\c:\\ProgramData\Trend Micro\PC-cillin\log\pcc_S-1-5-21-840599722-2395141683-1205820045-1005u.log: Access is denied.

Failed to open \\?\c:\\ProgramData\Trend Micro\PC-cillin\log\pcc_S-1-5-21-840599722-2395141683-1205820045-1006u.log: Access is denied.

Failed to open \\?\c:\\ProgramData\Trend Micro\PC-cillin\log\pcc_S-1-5-21-840599722-2395141683-1205820045-501u.log: Access is denied.

Failed to open \\?\c:\\ProgramData\Trend Micro\PC-cillin\Temp\scan_S-1-5-21-840599722-2395141683-1205820045-1004.ini: Access is denied.

Failed to open \\?\c:\\ProgramData\Trend Micro\PC-cillin\Temp\scan_S-1-5-21-840599722-2395141683-1205820045-1005.ini: Access is denied.

Failed to open \\?\c:\\ProgramData\Trend Micro\PC-cillin\Temp\spyscan_S-1-5-21-840599722-2395141683-1205820045-1005.ini: Access is denied.


Failed to open \\?\c:\\System Volume Information\{298ca305-c343-11de-b96c-0019d12fcdaa}{3808876b-c176-4e48-b7ae-04046e6cc752}: Access is denied.

Failed to open \\?\c:\\System Volume Information\{298ca328-c343-11de-b96c-0019d12fcdaa}{3808876b-c176-4e48-b7ae-04046e6cc752}: Access is denied.

Failed to open \\?\c:\\System Volume Information\{3808876b-c176-4e48-b7ae-04046e6cc752}: Access is denied.

Failed to open \\?\c:\\System Volume Information\{5408687c-c4c9-11de-8bf3-0019d12fcdaa}{3808876b-c176-4e48-b7ae-04046e6cc752}: Access is denied.

Failed to open \\?\c:\\System Volume Information\{5d20ce78-c183-11de-97e1-0019d12fcdaa}{3808876b-c176-4e48-b7ae-04046e6cc752}: Access is denied.

Failed to open \\?\c:\\System Volume Information\{673c4538-c63d-11de-8a9c-0019d12fcdaa}{3808876b-c176-4e48-b7ae-04046e6cc752}: Access is denied.

Failed to open \\?\c:\\System Volume Information\{6d94c286-ba78-11de-9ec4-0019d12fcdaa}{3808876b-c176-4e48-b7ae-04046e6cc752}: Access is denied.

Failed to open \\?\c:\\System Volume Information\{7afa7db9-ba71-11de-9ea3-0019d12fcdaa}{3808876b-c176-4e48-b7ae-04046e6cc752}: Access is denied.

Failed to open \\?\c:\\System Volume Information\{826c41b3-c3fc-11de-bae7-0019d12fcdaa}{3808876b-c176-4e48-b7ae-04046e6cc752}: Access is denied.

Failed to open \\?\c:\\System Volume Information\{bff6648a-c0b2-11de-817e-0019d12fcdaa}{3808876b-c176-4e48-b7ae-04046e6cc752}: Access is denied.

Failed to open \\?\c:\\System Volume Information\{bff664a6-c0b2-11de-817e-0019d12fcdaa}{3808876b-c176-4e48-b7ae-04046e6cc752}: Access is denied.

Failed to open \\?\c:\\System Volume Information\{d2387fc4-bdde-11de-a412-0019d12fcdaa}{3808876b-c176-4e48-b7ae-04046e6cc752}: Access is denied.
\\?\c:\\Users\All Users: UNKNOWN MICROSOFT REPARSE POINT

\\?\c:\\Users\Default User: JUNCTION
Print Name : C:\Users\Default
Substitute Name: C:\Users\Default

\\?\c:\\Users\All Users\Application Data: JUNCTION
Print Name : C:\ProgramData
Substitute Name: C:\ProgramData

\\?\c:\\Users\All Users\Desktop: JUNCTION
Print Name : C:\Users\Public\Desktop
Substitute Name: C:\Users\Public\Desktop

\\?\c:\\Users\All Users\Documents: JUNCTION
Print Name : C:\Users\Public\Documents
Substitute Name: C:\Users\Public\Documents

\\?\c:\\Users\All Users\Favorites: JUNCTION
Print Name : C:\Users\Public\Favorites
Substitute Name: C:\Users\Public\Favorites

\\?\c:\\Users\All Users\Start Menu: JUNCTION
Print Name : C:\ProgramData\Microsoft\Windows\Start Menu
Substitute Name: C:\ProgramData\Microsoft\Windows\Start Menu

\\?\c:\\Users\All Users\Templates: JUNCTION
Print Name : C:\ProgramData\Microsoft\Windows\Templates
Substitute Name: C:\ProgramData\Microsoft\Windows\Templates

.

Failed to open \\?\c:\\Users\All Users\Microsoft\Crypto\RSA\MachineKeys\0f01bf009f255f391c0424d503f35645_19c7b30e-99c9-4530-b951-47a3445249a6: Access is denied.
Failed to open \\?\c:\\Users\All Users\Trend Micro\PC-cillin\S-1-5-21-840599722-2395141683-1205820045-1005: Access is denied.

Failed to open \\?\c:\\Users\All Users\Trend Micro\PC-cillin\log\pcc_S-1-5-21-840599722-2395141683-1205820045-1004u.log: Access is denied.

Failed to open \\?\c:\\Users\All Users\Trend Micro\PC-cillin\log\pcc_S-1-5-21-840599722-2395141683-1205820045-1005u.log: Access is denied.

Failed to open \\?\c:\\Users\All Users\Trend Micro\PC-cillin\log\pcc_S-1-5-21-840599722-2395141683-1205820045-1006u.log: Access is denied.

Failed to open \\?\c:\\Users\All Users\Trend Micro\PC-cillin\log\pcc_S-1-5-21-840599722-2395141683-1205820045-501u.log: Access is denied.

Failed to open \\?\c:\\Users\All Users\Trend Micro\PC-cillin\Temp\scan_S-1-5-21-840599722-2395141683-1205820045-1004.ini: Access is denied.

Failed to open \\?\c:\\Users\All Users\Trend Micro\PC-cillin\Temp\scan_S-1-5-21-840599722-2395141683-1205820045-1005.ini: Access is denied.

Failed to open \\?\c:\\Users\All Users\Trend Micro\PC-cillin\Temp\spyscan_S-1-5-21-840599722-2395141683-1205820045-1005.ini: Access is denied.
\\?\c:\\Users\Barb\Application Data: JUNCTION
Print Name : C:\Users\Barb\AppData\Roaming
Substitute Name: C:\Users\Barb\AppData\Roaming

\\?\c:\\Users\Barb\Cookies: JUNCTION
Print Name : C:\Users\Barb\AppData\Roaming\Microsoft\Windows\Cookies
Substitute Name: C:\Users\Barb\AppData\Roaming\Microsoft\Windows\Cookies

\\?\c:\\Users\Barb\Local Settings: JUNCTION
Print Name : C:\Users\Barb\AppData\Local
Substitute Name: C:\Users\Barb\AppData\Local

\\?\c:\\Users\Barb\My Documents: JUNCTION
Print Name : C:\Users\Barb\Documents
Substitute Name: C:\Users\Barb\Documents

\\?\c:\\Users\Barb\NetHood: JUNCTION
Print Name : C:\Users\Barb\AppData\Roaming\Microsoft\Windows\Network Shortcuts
Substitute Name: C:\Users\Barb\AppData\Roaming\Microsoft\Windows\Network Shortcuts

\\?\c:\\Users\Barb\PrintHood: JUNCTION
Print Name : C:\Users\Barb\AppData\Roaming\Microsoft\Windows\Printer Shortcuts
Substitute Name: C:\Users\Barb\AppData\Roaming\Microsoft\Windows\Printer Shortcuts

\\?\c:\\Users\Barb\Recent: JUNCTION
Print Name : C:\Users\Barb\AppData\Roaming\Microsoft\Windows\Recent
Substitute Name: C:\Users\Barb\AppData\Roaming\Microsoft\Windows\Recent

\\?\c:\\Users\Barb\SendTo: JUNCTION
Print Name : C:\Users\Barb\AppData\Roaming\Microsoft\Windows\SendTo
Substitute Name: C:\Users\Barb\AppData\Roaming\Microsoft\Windows\SendTo

\\?\c:\\Users\Barb\Start Menu: JUNCTION
Print Name : C:\Users\Barb\AppData\Roaming\Microsoft\Windows\Start Menu
Substitute Name: C:\Users\Barb\AppData\Roaming\Microsoft\Windows\Start Menu

\\?\c:\\Users\Barb\Templates: JUNCTION
Print Name : C:\Users\Barb\AppData\Roaming\Microsoft\Windows\Templates
Substitute Name: C:\Users\Barb\AppData\Roaming\Microsoft\Windows\Templates

\\?\c:\\Users\Barb\AppData\Local\Application Data: JUNCTION
Print Name : C:\Users\Barb\AppData\Local
Substitute Name: C:\Users\Barb\AppData\Local

\\?\c:\\Users\Barb\AppData\Local\History: JUNCTION
Print Name : C:\Users\Barb\AppData\Local\Microsoft\Windows\History
Substitute Name: C:\Users\Barb\AppData\Local\Microsoft\Windows\History

\\?\c:\\Users\Barb\AppData\Local\Temporary Internet Files: JUNCTION
Print Name : C:\Users\Barb\AppData\Local\Microsoft\Windows\Temporary Internet Files
Substitute Name: C:\Users\Barb\AppData\Local\Microsoft\Windows\Temporary Internet Files



\\?\c:\\Users\Barb\Documents\My Music: JUNCTION
Print Name : C:\Users\Barb\Music
Substitute Name: C:\Users\Barb\Music

\\?\c:\\Users\Barb\Documents\My Pictures: JUNCTION
Print Name : C:\Users\Barb\Pictures
Substitute Name: C:\Users\Barb\Pictures

\\?\c:\\Users\Barb\Documents\My Videos: JUNCTION
Print Name : C:\Users\Barb\Videos
Substitute Name: C:\Users\Barb\Videos



\\?\c:\\Users\Bill\Application Data: JUNCTION
Print Name : C:\Users\Bill\AppData\Roaming
Substitute Name: C:\Users\Bill\AppData\Roaming

\\?\c:\\Users\Bill\Cookies: JUNCTION
Print Name : C:\Users\Bill\AppData\Roaming\Microsoft\Windows\Cookies
Substitute Name: C:\Users\Bill\AppData\Roaming\Microsoft\Windows\Cookies

\\?\c:\\Users\Bill\Local Settings: JUNCTION
Print Name : C:\Users\Bill\AppData\Local
Substitute Name: C:\Users\Bill\AppData\Local

\\?\c:\\Users\Bill\My Documents: JUNCTION
Print Name : C:\Users\Bill\Documents
Substitute Name: C:\Users\Bill\Documents

\\?\c:\\Users\Bill\NetHood: JUNCTION
Print Name : C:\Users\Bill\AppData\Roaming\Microsoft\Windows\Network Shortcuts
Substitute Name: C:\Users\Bill\AppData\Roaming\Microsoft\Windows\Network Shortcuts

\\?\c:\\Users\Bill\PrintHood: JUNCTION
Print Name : C:\Users\Bill\AppData\Roaming\Microsoft\Windows\Printer Shortcuts
Substitute Name: C:\Users\Bill\AppData\Roaming\Microsoft\Windows\Printer Shortcuts

\\?\c:\\Users\Bill\Recent: JUNCTION
Print Name : C:\Users\Bill\AppData\Roaming\Microsoft\Windows\Recent
Substitute Name: C:\Users\Bill\AppData\Roaming\Microsoft\Windows\Recent

\\?\c:\\Users\Bill\SendTo: JUNCTION
Print Name : C:\Users\Bill\AppData\Roaming\Microsoft\Windows\SendTo
Substitute Name: C:\Users\Bill\AppData\Roaming\Microsoft\Windows\SendTo

\\?\c:\\Users\Bill\Start Menu: JUNCTION
Print Name : C:\Users\Bill\AppData\Roaming\Microsoft\Windows\Start Menu
Substitute Name: C:\Users\Bill\AppData\Roaming\Microsoft\Windows\Start Menu

\\?\c:\\Users\Bill\Templates: JUNCTION
Print Name : C:\Users\Bill\AppData\Roaming\Microsoft\Windows\Templates
Substitute Name: C:\Users\Bill\AppData\Roaming\Microsoft\Windows\Templates

\\?\c:\\Users\Bill\AppData\Local\Application Data: JUNCTION
Print Name : C:\Users\Bill\AppData\Local
Substitute Name: C:\Users\Bill\AppData\Local

\\?\c:\\Users\Bill\AppData\Local\History: JUNCTION
Print Name : C:\Users\Bill\AppData\Local\Microsoft\Windows\History
Substitute Name: C:\Users\Bill\AppData\Local\Microsoft\Windows\History

\\?\c:\\Users\Bill\AppData\Local\Temporary Internet Files: JUNCTION
Print Name : C:\Users\Bill\AppData\Local\Microsoft\Windows\Temporary Internet Files
Substitute Name: C:\Users\Bill\AppData\Local\Microsoft\Windows\Temporary Internet Files

\\?\c:\\Users\Bill\Documents\My Music: JUNCTION
Print Name : C:\Users\Bill\Music
Substitute Name: C:\Users\Bill\Music

\\?\c:\\Users\Bill\Documents\My Pictures: JUNCTION
Print Name : C:\Users\Bill\Pictures
Substitute Name: C:\Users\Bill\Pictures

\\?\c:\\Users\Bill\Documents\My Videos: JUNCTION
Print Name : C:\Users\Bill\Videos
Substitute Name: C:\Users\Bill\Videos

\\?\c:\\Users\Default\Application Data: JUNCTION
Print Name : C:\Users\Default\AppData\Roaming
Substitute Name: C:\Users\Default\AppData\Roaming

\\?\c:\\Users\Default\Local Settings: JUNCTION
Print Name : C:\Users\Default\AppData\Local
Substitute Name: C:\Users\Default\AppData\Local

\\?\c:\\Users\Default\My Documents: JUNCTION
Print Name : C:\Users\Default\Documents
Substitute Name: C:\Users\Default\Documents

\\?\c:\\Users\Default\NetHood: JUNCTION
Print Name : C:\Users\Default\AppData\Roaming\Microsoft\Windows\Network Shortcuts
Substitute Name: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Network Shortcuts

\\?\c:\\Users\Default\PrintHood: JUNCTION
Print Name : C:\Users\Default\AppData\Roaming\Microsoft\Windows\Printer Shortcuts
Substitute Name: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Printer Shortcuts

\\?\c:\\Users\Default\Recent: JUNCTION
Print Name : C:\Users\Default\AppData\Roaming\Microsoft\Windows\Recent
Substitute Name: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Recent

\\?\c:\\Users\Default\SendTo: JUNCTION
Print Name : C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo
Substitute Name: C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo

\\?\c:\\Users\Default\Start Menu: JUNCTION
Print Name : C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu
Substitute Name: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu

\\?\c:\\Users\Default\Templates: JUNCTION
Print Name : C:\Users\Default\AppData\Roaming\Microsoft\Windows\Templates
Substitute Name: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Templates

\\?\c:\\Users\Default\AppData\Local\Application Data: JUNCTION
Print Name : C:\Users\Default\AppData\Local
Substitute Name: C:\Users\Default\AppData\Local

\\?\c:\\Users\Default\AppData\Local\History: JUNCTION
Print Name : C:\Users\Default\AppData\Local\Microsoft\Windows\History
Substitute Name: C:\Users\Default\AppData\Local\Microsoft\Windows\History

\\?\c:\\Users\Default\AppData\Local\Temporary Internet Files: JUNCTION
Print Name : C:\Users\Default\AppData\Local\Microsoft\Windows\Temporary Internet Files
Substitute Name: C:\Users\Default\AppData\Local\Microsoft\Windows\Temporary Internet Files

\\?\c:\\Users\Default\Documents\My Music: JUNCTION
Print Name : C:\Users\Default\Music
Substitute Name: C:\Users\Default\Music

\\?\c:\\Users\Default\Documents\My Pictures: JUNCTION
Print Name : C:\Users\Default\Pictures
Substitute Name: C:\Users\Default\Pictures

\\?\c:\\Users\Default\Documents\My Videos: JUNCTION
Print Name : C:\Users\Default\Videos
Substitute Name: C:\Users\Default\Videos

\\?\c:\\Users\Guest\Application Data: JUNCTION
Print Name : C:\Users\Guest\AppData\Roaming
Substitute Name: C:\Users\Guest\AppData\Roaming

\\?\c:\\Users\Guest\Cookies: JUNCTION
Print Name : C:\Users\Guest\AppData\Roaming\Microsoft\Windows\Cookies
Substitute Name: C:\Users\Guest\AppData\Roaming\Microsoft\Windows\Cookies

\\?\c:\\Users\Guest\Local Settings: JUNCTION
Print Name : C:\Users\Guest\AppData\Local
Substitute Name: C:\Users\Guest\AppData\Local

\\?\c:\\Users\Guest\My Documents: JUNCTION
Print Name : C:\Users\Guest\Documents
Substitute Name: C:\Users\Guest\Documents

\\?\c:\\Users\Guest\NetHood: JUNCTION
Print Name : C:\Users\Guest\AppData\Roaming\Microsoft\Windows\Network Shortcuts
Substitute Name: C:\Users\Guest\AppData\Roaming\Microsoft\Windows\Network Shortcuts

\\?\c:\\Users\Guest\PrintHood: JUNCTION
Print Name : C:\Users\Guest\AppData\Roaming\Microsoft\Windows\Printer Shortcuts
Substitute Name: C:\Users\Guest\AppData\Roaming\Microsoft\Windows\Printer Shortcuts

\\?\c:\\Users\Guest\Recent: JUNCTION
Print Name : C:\Users\Guest\AppData\Roaming\Microsoft\Windows\Recent
Substitute Name: C:\Users\Guest\AppData\Roaming\Microsoft\Windows\Recent

\\?\c:\\Users\Guest\SendTo: JUNCTION
Print Name : C:\Users\Guest\AppData\Roaming\Microsoft\Windows\SendTo
Substitute Name: C:\Users\Guest\AppData\Roaming\Microsoft\Windows\SendTo

\\?\c:\\Users\Guest\Start Menu: JUNCTION
Print Name : C:\Users\Guest\AppData\Roaming\Microsoft\Windows\Start Menu
Substitute Name: C:\Users\Guest\AppData\Roaming\Microsoft\Windows\Start Menu

\\?\c:\\Users\Guest\Templates: JUNCTION
Print Name : C:\Users\Guest\AppData\Roaming\Microsoft\Windows\Templates
Substitute Name: C:\Users\Guest\AppData\Roaming\Microsoft\Windows\Templates

\\?\c:\\Users\Guest\AppData\Local\Application Data: JUNCTION
Print Name : C:\Users\Guest\AppData\Local
Substitute Name: C:\Users\Guest\AppData\Local

\\?\c:\\Users\Guest\AppData\Local\History: JUNCTION
Print Name : C:\Users\Guest\AppData\Local\Microsoft\Windows\History
Substitute Name: C:\Users\Guest\AppData\Local\Microsoft\Windows\History

\\?\c:\\Users\Guest\AppData\Local\Temporary Internet Files: JUNCTION
Print Name : C:\Users\Guest\AppData\Local\Microsoft\Windows\Temporary Internet Files
Substitute Name: C:\Users\Guest\AppData\Local\Microsoft\Windows\Temporary Internet Files

\\?\c:\\Users\Guest\Documents\My Music: JUNCTION
Print Name : C:\Users\Guest\Music
Substitute Name: C:\Users\Guest\Music

\\?\c:\\Users\Guest\Documents\My Pictures: JUNCTION
Print Name : C:\Users\Guest\Pictures
Substitute Name: C:\Users\Guest\Pictures

\\?\c:\\Users\Guest\Documents\My Videos: JUNCTION
Print Name : C:\Users\Guest\Videos
Substitute Name: C:\Users\Guest\Videos

\\?\c:\\Users\Natalie\Application Data: JUNCTION
Print Name : C:\Users\Natalie\AppData\Roaming
Substitute Name: C:\Users\Natalie\AppData\Roaming

\\?\c:\\Users\Natalie\Cookies: JUNCTION
Print Name : C:\Users\Natalie\AppData\Roaming\Microsoft\Windows\Cookies
Substitute Name: C:\Users\Natalie\AppData\Roaming\Microsoft\Windows\Cookies

\\?\c:\\Users\Natalie\Local Settings: JUNCTION
Print Name : C:\Users\Natalie\AppData\Local
Substitute Name: C:\Users\Natalie\AppData\Local

\\?\c:\\Users\Natalie\My Documents: JUNCTION
Print Name : C:\Users\Natalie\Documents
Substitute Name: C:\Users\Natalie\Documents

\\?\c:\\Users\Natalie\NetHood: JUNCTION
Print Name : C:\Users\Natalie\AppData\Roaming\Microsoft\Windows\Network Shortcuts
Substitute Name: C:\Users\Natalie\AppData\Roaming\Microsoft\Windows\Network Shortcuts

\\?\c:\\Users\Natalie\PrintHood: JUNCTION
Print Name : C:\Users\Natalie\AppData\Roaming\Microsoft\Windows\Printer Shortcuts
Substitute Name: C:\Users\Natalie\AppData\Roaming\Microsoft\Windows\Printer Shortcuts

\\?\c:\\Users\Natalie\Recent: JUNCTION
Print Name : C:\Users\Natalie\AppData\Roaming\Microsoft\Windows\Recent
Substitute Name: C:\Users\Natalie\AppData\Roaming\Microsoft\Windows\Recent

\\?\c:\\Users\Natalie\SendTo: JUNCTION
Print Name : C:\Users\Natalie\AppData\Roaming\Microsoft\Windows\SendTo
Substitute Name: C:\Users\Natalie\AppData\Roaming\Microsoft\Windows\SendTo

\\?\c:\\Users\Natalie\Start Menu: JUNCTION
Print Name : C:\Users\Natalie\AppData\Roaming\Microsoft\Windows\Start Menu
Substitute Name: C:\Users\Natalie\AppData\Roaming\Microsoft\Windows\Start Menu

\\?\c:\\Users\Natalie\Templates: JUNCTION
Print Name : C:\Users\Natalie\AppData\Roaming\Microsoft\Windows\Templates
Substitute Name: C:\Users\Natalie\AppData\Roaming\Microsoft\Windows\Templates

\\?\c:\\Users\Natalie\AppData\Local\Application Data: JUNCTION
Print Name : C:\Users\Natalie\AppData\Local
Substitute Name: C:\Users\Natalie\AppData\Local

\\?\c:\\Users\Natalie\AppData\Local\History: JUNCTION
Print Name : C:\Users\Natalie\AppData\Local\Microsoft\Windows\History
Substitute Name: C:\Users\Natalie\AppData\Local\Microsoft\Windows\History

\\?\c:\\Users\Natalie\AppData\Local\Temporary Internet Files: JUNCTION
Print Name : C:\Users\Natalie\AppData\Local\Microsoft\Windows\Temporary Internet Files
Substitute Name: C:\Users\Natalie\AppData\Local\Microsoft\Windows\Temporary Internet Files



\\?\c:\\Users\Natalie\Documents\My Music: JUNCTION
Print Name : C:\Users\Natalie\Music
Substitute Name: C:\Users\Natalie\Music

\\?\c:\\Users\Natalie\Documents\My Pictures: JUNCTION
Print Name : C:\Users\Natalie\Pictures
Substitute Name: C:\Users\Natalie\Pictures

\\?\c:\\Users\Natalie\Documents\My Videos: JUNCTION
Print Name : C:\Users\Natalie\Videos
Substitute Name: C:\Users\Natalie\Videos



\\?\c:\\Users\Public\Documents\My Music: JUNCTION
Print Name : C:\Users\Public\Music
Substitute Name: C:\Users\Public\Music

\\?\c:\\Users\Public\Documents\My Pictures: JUNCTION
Print Name : C:\Users\Public\Pictures
Substitute Name: C:\Users\Public\Pictures

\\?\c:\\Users\Public\Documents\My Videos: JUNCTION
Print Name : C:\Users\Public\Videos
Substitute Name: C:\Users\Public\Videos

\\?\c:\\Users\Sam\Application Data: JUNCTION
Print Name : C:\Users\Sam\AppData\Roaming
Substitute Name: C:\Users\Sam\AppData\Roaming

\\?\c:\\Users\Sam\Cookies: JUNCTION
Print Name : C:\Users\Sam\AppData\Roaming\Microsoft\Windows\Cookies
Substitute Name: C:\Users\Sam\AppData\Roaming\Microsoft\Windows\Cookies

\\?\c:\\Users\Sam\Local Settings: JUNCTION
Print Name : C:\Users\Sam\AppData\Local
Substitute Name: C:\Users\Sam\AppData\Local

\\?\c:\\Users\Sam\My Documents: JUNCTION
Print Name : C:\Users\Sam\Documents
Substitute Name: C:\Users\Sam\Documents

\\?\c:\\Users\Sam\NetHood: JUNCTION
Print Name : C:\Users\Sam\AppData\Roaming\Microsoft\Windows\Network Shortcuts
Substitute Name: C:\Users\Sam\AppData\Roaming\Microsoft\Windows\Network Shortcuts

\\?\c:\\Users\Sam\PrintHood: JUNCTION
Print Name : C:\Users\Sam\AppData\Roaming\Microsoft\Windows\Printer Shortcuts
Substitute Name: C:\Users\Sam\AppData\Roaming\Microsoft\Windows\Printer Shortcuts

\\?\c:\\Users\Sam\Recent: JUNCTION
Print Name : C:\Users\Sam\AppData\Roaming\Microsoft\Windows\Recent
Substitute Name: C:\Users\Sam\AppData\Roaming\Microsoft\Windows\Recent

\\?\c:\\Users\Sam\SendTo: JUNCTION
Print Name : C:\Users\Sam\AppData\Roaming\Microsoft\Windows\SendTo
Substitute Name: C:\Users\Sam\AppData\Roaming\Microsoft\Windows\SendTo

\\?\c:\\Users\Sam\Start Menu: JUNCTION
Print Name : C:\Users\Sam\AppData\Roaming\Microsoft\Windows\Start Menu
Substitute Name: C:\Users\Sam\AppData\Roaming\Microsoft\Windows\Start Menu

\\?\c:\\Users\Sam\Templates: JUNCTION
Print Name : C:\Users\Sam\AppData\Roaming\Microsoft\Windows\Templates
Substitute Name: C:\Users\Sam\AppData\Roaming\Microsoft\Windows\Templates

\\?\c:\\Users\Sam\AppData\Local\Application Data: JUNCTION
Print Name : C:\Users\Sam\AppData\Local
Substitute Name: C:\Users\Sam\AppData\Local

\\?\c:\\Users\Sam\AppData\Local\History: JUNCTION
Print Name : C:\Users\Sam\AppData\Local\Microsoft\Windows\History
Substitute Name: C:\Users\Sam\AppData\Local\Microsoft\Windows\History

\\?\c:\\Users\Sam\AppData\Local\Temporary Internet Files: JUNCTION
Print Name : C:\Users\Sam\AppData\Local\Microsoft\Windows\Temporary Internet Files
Substitute Name: C:\Users\Sam\AppData\Local\Microsoft\Windows\Temporary Internet Files

\\?\c:\\Users\Sam\Documents\My Music: JUNCTION
Print Name : C:\Users\Sam\Music
Substitute Name: C:\Users\Sam\Music

\\?\c:\\Users\Sam\Documents\My Pictures: JUNCTION
Print Name : C:\Users\Sam\Pictures
Substitute Name: C:\Users\Sam\Pictures

\\?\c:\\Users\Sam\Documents\My Videos: JUNCTION
Print Name : C:\Users\Sam\Videos
Substitute Name: C:\Users\Sam\Videos



Failed to open \\?\c:\\Windows\System32\LogFiles\WMI\RtBackup: Access is denied.

Last edited by Zoopboing; 11-01-2009 at 04:04 PM.
Copyright 2001 - 2009, Tech Support Forum