GeekPolice
Would you like to react to this message? Create an account in a few clicks or log in to continue.

GeekPoliceLog in

 


Got TrojanWin32:FakeSpyPro Trojan:win32/BHO.Bo TrojanDownlaoder:Win32/Monkif.o

2 posters

descriptionGot TrojanWin32:FakeSpyPro Trojan:win32/BHO.Bo TrojanDownlaoder:Win32/Monkif.o EmptyGot TrojanWin32:FakeSpyPro Trojan:win32/BHO.Bo TrojanDownlaoder:Win32/Monkif.o14th January 2010, 11:31 am

more_horiz
Sorry I posted in wrong forum here I go again:
My son-in-law let his Norton AntiVirus expire and so he got a virus he claimed: I started looking at it and suddenly Windows Defender said had trojan FakeSpyPro. So I ran Defender and it found and removed the FakeSpyPro. Then I tried to download updates from windows and 1 minute downloads took hours, it kept increasing the download time so I cancelled, I just updated the critical update and that took hours. So I started research on the trojan, couldn't really find anything from Norton, McAfee, etc. So I decided to download using my computer using flash drive I downloaded "Microsoft Security Essentials" and loaded it and ran into the same problem when it tried to update defintions file. So I did that manually and ran the scan it found two more trojans listed in my subject line it removed those said I was clean. Tried to update again, still took hours for a 1 minute download. So then I followed what I thought was your instructions for posting to the forum but it was Geeks to Go stuff. Anyway, here is what I did: downloaded and ran TFC, Erunt, Malwarebytes Anti-Malware, ran Microsoft Security essentials again (they said run antivirus app), then they said test system , tried to download BitDefender still was taking too long for download, tried to load manually, it never worked, would never scan, so went to next step Gmer a rootkit detection and finally OTC which they say to use instead of HiJackThis. I am posting the history from Defender, Security Essentials, the GMER, MBAM and OTC text reports, these are long so I might have to use another post. You guys helped me last time and I wanted to use you again because you rock. I am sorry I used the other sites cleaning guide, but hopefully you will help me figure out what to do next. Here are the txt file info:
Windows Defender found this Trojan and removed it this is what history showed.
Trojan:Win32/FakeSpyPro
Category:
Trojan
Description:
This program is dangerous and executes commands from an attacker.
Advice:
Remove this software immediately.
Resources:
process:
pid:784
regkey:
HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\\wnfissmn

regkey:
HKCU@S-1-5-21-1446042643-665842434-791521826-500\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\\wnfissmn

runkey:
HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\\wnfissmn

runkey:
HKCU@S-1-5-21-1446042643-665842434-791521826-500\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\\wnfissmn

file:
C:\Documents and Settings\Administrator\Local Settings\Application Data\unikxe\ggqmsysguard.exe

Windows Security Essentials found these trojan and removed them this is what history showed:

1. TrojanDownloader:win32/Monkif.O
Category: Trojan Downloader
Items:
file:C:\WINDOWS\default32.dll

2. Trojan:Win32/BHO.BO
Category: Trojan
Items:
bho:HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{AFD4AD01-58C1-47DB-A404-FBE00A6C5486}
clsid:HKLM\SOFTWARE\CLASSES\CLSID\{AFD4AD01-58C1-47DB-A404-FBE00A6C5486}
file:C:\Program Files\Shared\lib.dll
interface:HKLM\SOFTWARE\CLASSES\INTERFACE\{986A8AC1-AB4D-4F41-9068-4B01C0197867}
regkey:HKLM\SOFTWARE\CLASSES\CLSID\{AFD4AD01-58C1-47DB-A404-FBE00A6C5486}
regkey:HKLM\SOFTWARE\CLASSES\INTERFACE\{986A8AC1-AB4D-4F41-9068-4B01C0197867}
regkey:HKLM\SOFTWARE\CLASSES\TYPELIB\{8E3C68CD-F500-4A2A-8CB9-132BB38C3573}\1.0
regkey:HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{AFD4AD01-58C1-47DB-A404-FBE00A6C5486}
typelib:HKLM\SOFTWARE\CLASSES\TYPELIB\{8E3C68CD-F500-4A2A-8CB9-132BB38C3573}
typelibversion:HKLM\SOFTWARE\CLASSES\TYPELIB\{8E3C68CD-F500-4A2A-8CB9-132BB38C3573}\1.0

3. TrojanDownloader:win32/Monkif.O
Category: Trojan Downloader
Items:
file:C:\WINDOWS\default32.dll

4.Trojan:Win32/BHO.BO
Category: Trojan
Items:
bho:HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{AFD4AD01-58C1-47DB-A404-FBE00A6C5486}
clsid:HKLM\SOFTWARE\CLASSES\CLSID\{AFD4AD01-58C1-47DB-A404-FBE00A6C5486}
file:C:\Program Files\Shared\lib.dll
interface:HKLM\SOFTWARE\CLASSES\INTERFACE\{986A8AC1-AB4D-4F41-9068-4B01C0197867}
regkey:HKLM\SOFTWARE\CLASSES\CLSID\{AFD4AD01-58C1-47DB-A404-FBE00A6C5486}
regkey:HKLM\SOFTWARE\CLASSES\INTERFACE\{986A8AC1-AB4D-4F41-9068-4B01C0197867}
regkey:HKLM\SOFTWARE\CLASSES\TYPELIB\{8E3C68CD-F500-4A2A-8CB9-132BB38C3573}\1.0
regkey:HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{AFD4AD01-58C1-47DB-A404-FBE00A6C5486}
typelib:HKLM\SOFTWARE\CLASSES\TYPELIB\{8E3C68CD-F500-4A2A-8CB9-132BB38C3573}
typelibversion:HKLM\SOFTWARE\CLASSES\TYPELIB\{8E3C68CD-F500-4A2A-8CB9-132BB38C3573}\1.0

5.TrojanDownloader:win32/Monkif.O
Category: Trojan Downloader
Items:
clsid:HKCU@S-1-5-21-1446042643-665842434-791521826-500\SOFTWARE\CLASSES\CLSID\{9b019ef8-700d-4bea-be8e-0ebf2ae80806}
clsid:HKCU@S-1-5-21-1446042643-665842434-791521826-500\SOFTWARE\CLASSES\CLSID\{a118e1a2-1fb1-40cf-b0d4-60aeca696728}
file:C:\WINDOWS\default32.dll
More to follow in next post.
Thanks,.
yvonneschaffer

descriptionGot TrojanWin32:FakeSpyPro Trojan:win32/BHO.Bo TrojanDownlaoder:Win32/Monkif.o Emptyyvonneschaffer 2nd post Got TrojanWin32:FakeSpyPro14th January 2010, 11:36 am

more_horiz
Here is the malwarebytes report.
Malwarebytes' Anti-Malware 1.44
Database version: 3510
Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

1/13/2010 2:28:51 AM
mbam-log-2010-01-13 (02-28-31).txt

Scan type: Quick Scan
Objects scanned: 109568
Time elapsed: 5 minute(s), 13 second(s)

Memory Processes Infected: 0
more to follow
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\main.bho (Trojan.BHO) -> No action taken.
HKEY_CLASSES_ROOT\main.bho.1 (Trojan.BHO) -> No action taken.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\IntelinetSecure (Rogue.Intelinet) -> No action taken.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Administrator\Favorites\Free Porn Movies at Cliphunter.url (Rogue.Link) -> No action taken.
C:\Documents and Settings\Administrator\Favorites\Free Porn Tube Movies, Porno Videos & XXX Sex Videos.url (Rogue.Link) -> No action taken.

descriptionGot TrojanWin32:FakeSpyPro Trojan:win32/BHO.Bo TrojanDownlaoder:Win32/Monkif.o Emptyyvonneschaffer 3rd postGot TrojanWin32:FakeSpyPro14th January 2010, 11:40 am

more_horiz
This is the OTL I ran, but I can run Highjack if you need. The Gmer report is too big, do you need it? Pls let me know.
OTL logfile created on: 1/13/2010 4:23:00 PM - Run 1
OTL by OldTimer - Version 3.1.24.0 Folder = C:\Documents and Settings\Administrator\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1,023.00 Mb Total Physical Memory | 525.00 Mb Available Physical Memory | 51.00% Memory free
2.00 Gb Paging File | 2.00 Gb Available in Paging File | 81.00% Paging File free
Paging file location(s): C:\pagefile.sys 1536 3072 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 64.51 Gb Total Space | 45.10 Gb Free Space | 69.92% Space Free | Partition Type: NTFS
Drive D: | 10.00 Gb Total Space | 7.50 Gb Free Space | 74.97% Space Free | Partition Type: NTFS
Drive E: | 1.17 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
Drive F: | 62.09 Mb Total Space | 1.88 Mb Free Space | 3.02% Space Free | Partition Type: FAT
Drive G: | 3.84 Gb Total Space | 2.43 Gb Free Space | 63.35% Space Free | Partition Type: FAT32
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: HP19932159792
Current User Name: Administrator
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 14 Days
Output = Standard
Quick Scan

========== Processes (SafeList) ==========

PRC - [2010/01/13 00:14:38 | 00,544,256 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.exe
PRC - [2009/09/16 15:22:08 | 00,020,480 | ---- | M] (Intuit) -- C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
PRC - [2009/09/13 18:52:50 | 01,048,392 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Security Essentials\msseces.exe
PRC - [2009/07/02 17:36:52 | 00,017,904 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Microsoft Security Essentials\MsMpEng.exe
PRC - [2009/05/21 10:34:05 | 00,152,984 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jqs.exe
PRC - [2008/04/13 16:12:19 | 01,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2008/01/11 17:50:16 | 00,030,312 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
PRC - [2007/12/11 14:01:56 | 00,540,184 | ---- | M] (PDF Complete Inc) -- C:\Program Files\PDF Complete\pdfsvc.exe
PRC - [2007/12/11 14:01:56 | 00,331,800 | ---- | M] (PDF Complete Inc) -- C:\Program Files\PDF Complete\pdfsty.exe
PRC - [2007/08/20 06:38:02 | 16,384,512 | ---- | M] (Realtek Semiconductor Corp.) -- C:\WINDOWS\RTHDCPL.exe
PRC - [2007/08/08 23:27:52 | 00,073,728 | ---- | M] (HP) -- C:\WINDOWS\system32\HPZipm12.exe
PRC - [2007/07/20 10:57:00 | 00,155,716 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\system32\nvsvc32.exe
PRC - [2007/05/08 15:24:20 | 00,054,840 | ---- | M] (Hewlett-Packard) -- C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
PRC - [2007/02/10 04:29:56 | 00,089,968 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
PRC - [2007/01/04 18:48:52 | 00,112,152 | R--- | M] (InterVideo) -- C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
PRC - [2006/11/03 18:19:58 | 00,013,592 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Defender\MsMpEng.exe
PRC - [2006/10/30 08:00:00 | 01,116,920 | ---- | M] (Roxio) -- C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe
PRC - [2006/07/10 10:53:08 | 00,872,448 | ---- | M] () -- C:\WINDOWS\SMINST\Scheduler.exe
PRC - [2006/02/19 03:21:22 | 00,288,472 | ---- | M] (Hewlett-Packard Development Company, L.P.) -- C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
PRC - [2006/02/10 06:56:12 | 00,479,232 | ---- | M] (Hewlett-Packard Development Company, L.P.) -- C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
PRC - [2002/04/17 12:19:16 | 00,069,632 | ---- | M] (Nova Development.) -- C:\Program Files\Nova Development\Photo Explosion Deluxe\CalCheck.exe


========== Modules (SafeList) ==========

MOD - [2010/01/13 00:14:38 | 00,544,256 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.exe


========== Win32 Services (SafeList) ==========

SRV - [2009/09/16 15:22:08 | 00,020,480 | ---- | M] (Intuit) [Auto | Running] -- C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe -- (QBCFMonitorService)
SRV - [2009/07/02 17:36:52 | 00,017,904 | ---- | M] (Microsoft Corporation) [Auto | Running] -- c:\Program Files\Microsoft Security Essentials\MsMpEng.exe -- (MsMpSvc)
SRV - [2009/05/21 10:34:05 | 00,152,984 | ---- | M] (Sun Microsystems, Inc.) [Auto | Running] -- C:\Program Files\Java\jre6\bin\jqs.exe -- (JavaQuickStarterService)
SRV - [2008/01/11 17:50:16 | 00,030,312 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe -- (BcmSqlStartupSvc)
SRV - [2007/12/11 14:01:56 | 00,540,184 | ---- | M] (PDF Complete Inc) [Auto | Running] -- C:\Program Files\PDF Complete\pdfsvc.exe -- (pdfcDispatcher)
SRV - [2007/08/08 23:27:52 | 00,073,728 | ---- | M] (HP) [Auto | Running] -- C:\WINDOWS\system32\HPZipm12.exe -- (Pml Driver HPZ12)
SRV - [2007/07/20 10:57:00 | 00,155,716 | ---- | M] (NVIDIA Corporation) [Auto | Running] -- C:\WINDOWS\system32\nvsvc32.exe -- (NVSvc)
SRV - [2007/05/24 06:08:44 | 00,061,440 | ---- | M] (Intuit Inc.) [On_Demand | Stopped] -- C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe -- (QBFCService)
SRV - [2007/02/10 04:29:56 | 00,089,968 | ---- | M] (Microsoft Corporation) [Auto | Running] -- c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe -- (SQLWriter)
SRV - [2007/02/10 04:29:54 | 29,178,224 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe -- (MSSQL$MSSMLBIZ) SQL Server (MSSMLBIZ)
SRV - [2007/02/10 04:29:48 | 00,242,544 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe -- (SQLBrowser)
SRV - [2007/01/04 18:48:52 | 00,112,152 | R--- | M] (InterVideo) [Auto | Running] -- C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe -- (IviRegMgr)
SRV - [2006/11/03 18:19:58 | 00,013,592 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Windows Defender\MsMpEng.exe -- (WinDefend)
SRV - [2006/11/01 10:17:32 | 00,073,728 | R--- | M] (MicroVision Development, Inc.) [On_Demand | Stopped] -- C:\Program Files\Common Files\SureThing Shared\stllssvr.exe -- (stllssvr)
SRV - [2006/10/26 18:49:34 | 00,441,136 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE -- (odserv)
SRV - [2006/10/26 13:03:08 | 00,145,184 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE -- (ose)
SRV - [2006/06/13 16:39:58 | 00,364,544 | ---- | M] (SoftThinks) [Auto | Stopped] -- C:\WINDOWS\SMINST\PCAngel.exe -- (PCA)
SRV - [2005/10/14 01:50:20 | 00,045,272 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- c:\Program Files\Microsoft SQL Server\90\Shared\sqladhlp90.exe -- (MSSQLServerADHelper)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=81&bd=smb&pf=workstation

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1



O1 HOSTS File: (734 bytes) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (AOL Toolbar BHO) - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll (AOL LLC)
O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)
O3 - HKLM\..\Toolbar: (AOL Toolbar) - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll (AOL LLC)
O3 - HKCU\..\Toolbar\WebBrowser: (AOL Toolbar) - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll (AOL LLC)
O4 - HKLM..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\hpwuSchd2.exe (Hewlett-Packard)
O4 - HKLM..\Run: [HPHUPD08] C:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe (Hewlett-Packard)
O4 - HKLM..\Run: [KernelFaultCheck] File not found
O4 - HKLM..\Run: [MSSE] c:\Program Files\Microsoft Security Essentials\msseces.exe (Microsoft Corporation)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [nwiz] C:\WINDOWS\System32\nwiz.exe ()
O4 - HKLM..\Run: [PDF Complete] C:\Program Files\PDF Complete\pdfsty.exe (PDF Complete Inc)
O4 - HKLM..\Run: [Recguard] C:\WINDOWS\SMINST\Recguard.exe ()
O4 - HKLM..\Run: [Reminder] C:\WINDOWS\CREATOR\Remind_XP.exe ()
O4 - HKLM..\Run: [RoxioDragToDisc] C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe (Roxio)
O4 - HKLM..\Run: [RTHDCPL] C:\WINDOWS\RTHDCPL.exe (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [Scheduler] C:\WINDOWS\SMINST\Scheduler.exe ()
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe (Hewlett-Packard Development Company, L.P.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe (Hewlett-Packard Development Company, L.P.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Photo Explosion Calendar Checker.lnk = C:\WINDOWS\Installer\{B8F19DA6-0BCD-48FC-9998-C6ACEAEEDEFE}\PhotoExplosionCalendarChecker.exe ()
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe (Intuit Inc.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: HideLegacyLogonscripts = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: HideLogoffscripts = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: RunLogonscriptSync = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: RunStartupscriptSync = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: HideStartupscripts = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: HideLegacyLogonscripts = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: HideLogoffscripts = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: HideStartupscripts = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: RunLogonscriptSync = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: RunStartupscriptSync = 0
O8 - Extra context menu item: &AOL Toolbar Search - C:\Documents and Settings\All Users\Application Data\AOL\ieToolbar\resources\en-US\local\search.html ()
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office12\EXCEL.EXE (Microsoft Corporation)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)
O12 - Plugin for: .UVR - C:\Program Files\Internet Explorer\Plugins\NPUPano.dll (Ulead Systems, Inc.)
O15 - HKLM\..Trusted Domains: 1 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} https://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab (Facebook Photo Uploader 5 Control)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://go.microsoft.com/fwlink/?linkid=39204 (Windows Genuine Advantage Validation Tool)
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab (Trend Micro ActiveX Scan Agent 6.6)
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6662.cab (Windows Live Safety Center Base Module)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab (Java Plug-in 1.6.0_14)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0015-0000-0000-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-1_5_0-windows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0015-0000-0017-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-1_5_0_17-windows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab (Java Plug-in 1.6.0_14)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab (Java Plug-in 1.6.0_14)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} https://secure.logmein.com/activex/ractrl.cab?lmi=100 (Performance Viewer Activex Control)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.0.1
O18 - Protocol\Handler\intu-help-qb1 {9B0F96C7-2E4B-433e-ABF3-043BA1B54AE3} - C:\Program Files\Intuit\QuickBooks 2008\HelpAsyncPluggableProtocol.dll (TODO: )
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O28 - HKLM ShellExecuteHooks: {091EB208-39DD-417D-A5DD-7E2C2D8FB9CB} - C:\Program Files\Windows Defender\MpShHook.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - comfile [open] -- "%1" %*
O35 - exefile [open] -- "%1" %*

NetSvcs: 6to4 - File not found
NetSvcs: Ias - C:\WINDOWS\system32\ias [2008/05/21 20:10:13 | 00,000,000 | ---D | M]
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: WmdmPmSp - File not found

CREATERESTOREPOINT
Restore point Set: OTL Restore Point (16892003295952896)

========== Files/Folders - Created Within 14 Days ==========

[2010/01/13 16:20:34 | 00,544,256 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.exe
[2010/01/13 14:11:34 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\appmgmt
[2010/01/13 02:19:50 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
[2010/01/13 02:19:47 | 00,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/01/13 02:19:45 | 00,019,160 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/01/13 02:19:45 | 00,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010/01/13 02:19:45 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2010/01/13 02:17:32 | 00,000,000 | ---D | C] -- C:\Program Files\ERUNT
[2010/01/13 02:14:35 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Intuit
[2010/01/13 02:08:00 | 00,000,000 | ---D | C] -- C:\New Folder
[2010/01/11 12:33:01 | 00,000,000 | ---D | C] -- C:\Program Files\Common Files\BitDefender
[2010/01/11 12:33:01 | 00,000,000 | ---D | C] -- C:\Program Files\BitDefender
[2010/01/10 23:10:54 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\PCHealth
[2010/01/10 00:46:54 | 00,000,000 | ---D | C] -- C:\Program Files\Microsoft Security Essentials
[2010/01/10 00:27:19 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\zh-TW
[2010/01/10 00:27:19 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\zh-HK
[2010/01/10 00:27:19 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\tr-TR
[2010/01/10 00:27:19 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\sv-SE
[2010/01/10 00:27:19 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\pt-BR
[2010/01/10 00:27:19 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\nl-NL
[2010/01/10 00:27:19 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\nb-NO
[2010/01/10 00:27:19 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\ko-KR
[2010/01/10 00:27:19 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\it-IT
[2010/01/10 00:27:19 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\he-IL
[2010/01/10 00:27:19 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\fr-FR
[2010/01/10 00:27:19 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\fi-FI
[2010/01/10 00:27:19 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\es-ES
[2010/01/10 00:27:19 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\el-GR
[2010/01/10 00:27:19 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\de-DE
[2010/01/10 00:27:19 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\da-DK
[2010/01/10 00:27:19 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\ar-SA
[2008/12/07 17:43:01 | 00,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\PCHealth
[2008/09/06 06:19:22 | 00,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft
[2008/07/11 09:29:19 | 00,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Intuit
[2008/05/21 20:33:44 | 00,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Application Data\Microsoft
[2008/05/21 20:10:11 | 00,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Application Data\Microsoft
[2008/05/21 20:10:11 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft
[2006/02/19 02:28:56 | 00,012,288 | ---- | C] (Hewlett-Packard Development Company, L.P.) -- C:\WINDOWS\Fonts\RandFont.dll

========== Files - Modified Within 14 Days ==========

[2010/01/13 14:50:49 | 04,194,304 | -H-- | M] () -- C:\Documents and Settings\Administrator\NTUSER.DAT
[2010/01/13 14:18:11 | 00,000,408 | -H-- | M] () -- C:\WINDOWS\tasks\MP Scheduled Scan.job
[2010/01/13 14:17:04 | 00,591,454 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2010/01/13 14:17:04 | 00,491,066 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010/01/13 14:17:04 | 00,089,630 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2010/01/13 14:13:07 | 00,001,158 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/01/13 14:12:57 | 00,002,445 | ---- | M] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Photo Explosion Calendar Checker.lnk
[2010/01/13 14:12:49 | 00,000,236 | ---- | M] () -- C:\WINDOWS\tasks\OGALogon.job
[2010/01/13 14:12:47 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/01/13 14:12:46 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/01/13 14:12:45 | 10,730,45504 | -HS- | M] () -- C:\hiberfil.sys
[2010/01/13 14:07:17 | 00,000,132 | ---- | M] () -- C:\WINDOWS\System32\rezumatenoi.dat
[2010/01/13 02:19:49 | 00,000,696 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/01/13 02:17:32 | 00,000,611 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\NTREGOPT.lnk
[2010/01/13 02:17:32 | 00,000,592 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\ERUNT.lnk
[2010/01/13 02:13:05 | 00,000,121 | ---- | M] () -- C:\WINDOWS\bdagent.INI
[2010/01/13 01:00:00 | 00,000,480 | -H-- | M] () -- C:\WINDOWS\tasks\Crystal Clear Pool & Spas. 1221780534.job
[2010/01/13 00:14:38 | 00,544,256 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.exe
[2010/01/13 00:13:22 | 00,284,915 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\gmer.zip
[2010/01/12 12:17:07 | 00,000,422 | ---- | M] () -- C:\WINDOWS\System32\mapisvc.inf
[2010/01/10 00:46:55 | 00,000,820 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Microsoft Security Essentials.lnk
[2010/01/10 00:27:39 | 00,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2010/01/08 23:47:07 | 00,000,036 | ---- | M] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\housecall.guid.cache
[2010/01/08 08:22:18 | 00,000,381 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\Crystal Clear Pool & Spas..QBW.nd
[2010/01/08 08:22:17 | 22,999,040 | R--- | M] () -- C:\Documents and Settings\Administrator\Desktop\Crystal Clear Pool & Spas..QBW
[2010/01/08 08:22:17 | 02,555,904 | R--- | M] () -- C:\Documents and Settings\Administrator\Desktop\Crystal Clear Pool & Spas..QBW.TLG
[2010/01/07 16:07:14 | 00,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/01/07 16:07:04 | 00,019,160 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys

========== Files Created - No Company Name ==========

[2010/01/13 15:12:06 | 00,284,915 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\gmer.zip
[2010/01/13 02:19:49 | 00,000,696 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/01/13 02:19:31 | 00,000,408 | -H-- | C] () -- C:\WINDOWS\tasks\MP Scheduled Scan.job
[2010/01/13 02:17:32 | 00,000,611 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\NTREGOPT.lnk
[2010/01/13 02:17:32 | 00,000,592 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\ERUNT.lnk
[2010/01/13 02:13:05 | 00,000,121 | ---- | C] () -- C:\WINDOWS\bdagent.INI
[2010/01/11 14:06:12 | 00,000,132 | ---- | C] () -- C:\WINDOWS\System32\rezumatenoi.dat
[2010/01/10 00:46:55 | 00,000,820 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Microsoft Security Essentials.lnk
[2010/01/10 00:27:19 | 00,000,236 | ---- | C] () -- C:\WINDOWS\tasks\OGALogon.job
[2010/01/08 23:47:07 | 00,000,036 | ---- | C] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\housecall.guid.cache
[2009/08/03 15:07:42 | 00,403,816 | ---- | C] () -- C:\WINDOWS\System32\OGACheckControl.dll
[2008/06/13 17:56:49 | 00,000,420 | ---- | C] () -- C:\WINDOWS\ULead32.ini
[2008/06/10 18:23:19 | 00,000,136 | ---- | C] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\fusioncache.dat
[2008/06/08 15:36:27 | 00,009,216 | ---- | C] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2008/06/06 09:28:25 | 00,077,824 | R--- | C] () -- C:\WINDOWS\System32\hpzids01.dll
[2008/06/06 09:21:50 | 00,001,529 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\hpzinstall.log
[2008/05/21 20:40:30 | 00,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2008/05/21 20:27:13 | 00,056,056 | ---- | C] () -- C:\WINDOWS\System32\DLAAPI_W.DLL
[2008/05/21 20:27:13 | 00,000,120 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2008/05/21 20:26:30 | 00,204,800 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeW7.dll
[2008/05/21 20:26:30 | 00,200,704 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeA6.dll
[2008/05/21 20:26:30 | 00,192,512 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeP6.dll
[2008/05/21 20:26:30 | 00,192,512 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeM6.dll
[2008/05/21 20:26:30 | 00,188,416 | ---- | C] () -- C:\WINDOWS\System32\IVIresizePX.dll
[2008/05/21 20:26:30 | 00,020,480 | ---- | C] () -- C:\WINDOWS\System32\IVIresize.dll
[2008/02/28 14:30:08 | 00,008,784 | ---- | C] () -- C:\WINDOWS\System32\ractrlkeyhook.dll
[2007/07/20 10:57:00 | 01,703,936 | ---- | C] () -- C:\WINDOWS\System32\nvwdmcpl.dll
[2007/07/20 10:57:00 | 01,478,656 | ---- | C] () -- C:\WINDOWS\System32\nview.dll
[2007/07/20 10:57:00 | 01,019,904 | ---- | C] () -- C:\WINDOWS\System32\nvwimg.dll
[2007/07/20 10:57:00 | 00,466,944 | ---- | C] () -- C:\WINDOWS\System32\nvshell.dll
[2007/07/20 10:57:00 | 00,286,720 | ---- | C] () -- C:\WINDOWS\System32\nvnt4cpl.dll
[2007/07/03 05:22:28 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\px.ini
[2006/09/24 22:02:34 | 00,520,192 | ---- | C] () -- C:\WINDOWS\System32\CddbPlaylist2Roxio.dll
[2006/09/24 22:02:34 | 00,204,800 | ---- | C] () -- C:\WINDOWS\System32\CddbFileTaggerRoxio.dll
[2005/10/18 03:49:40 | 00,006,964 | ---- | C] () -- C:\WINDOWS\System32\oeminfo.ini
[2001/07/07 02:00:00 | 00,003,399 | ---- | C] () -- C:\WINDOWS\System32\hptcpmon.ini

========== LOP Check ==========

[2008/06/13 18:01:31 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Nova Development
[2008/12/08 01:29:52 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\SampleView
[2008/07/09 12:04:49 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\COMMON FILES
[2008/06/13 18:01:29 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Nova Development
[2008/05/21 20:35:17 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{174892B1-CBE7-44F5-86FF-AB555EFD73A3}
[2010/01/13 01:00:00 | 00,000,480 | -H-- | M] () -- C:\WINDOWS\Tasks\Crystal Clear Pool & Spas. 1221780534.job
[2010/01/13 14:18:11 | 00,000,408 | -H-- | M] () -- C:\WINDOWS\Tasks\MP Scheduled Scan.job
[2010/01/13 14:12:49 | 00,000,236 | ---- | M] () -- C:\WINDOWS\Tasks\OGALogon.job

========== Purity Check ==========



========== Custom Scans ==========


< %SYSTEMDRIVE%\*.exe >


< MD5 for: AGP440.SYS >
[2006/02/27 23:00:00 | 18,738,937 | ---- | M] () .cab file -- C:\i386\sp2.cab:AGP440.sys
[2006/02/27 18:00:00 | 18,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:AGP440.sys
[2008/09/06 06:09:17 | 23,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:AGP440.sys
[2008/09/06 06:09:17 | 23,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:AGP440.sys
[2008/04/13 10:36:38 | 00,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\ServicePackFiles\i386\agp440.sys
[2008/04/13 10:36:38 | 00,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\system32\drivers\agp440.sys

< MD5 for: AHCIX86.SYS >
[2007/06/12 02:37:56 | 00,122,880 | ---- | M] (ATI Technologies Inc.) MD5=C59E66D1C4827A9AAFA88AABF01A99FA -- C:\SWSetup\HP Backup and Recovery Manager\update\DRIVERS\Storage\ahcix86.sys
[2007/06/12 02:37:56 | 00,122,880 | ---- | M] (ATI Technologies Inc.) MD5=C59E66D1C4827A9AAFA88AABF01A99FA -- C:\WINDOWS\DRIVERS\Storage\ahcix86.sys

< MD5 for: ATAPI.SYS >
[2006/02/27 23:00:00 | 18,738,937 | ---- | M] () .cab file -- C:\i386\sp2.cab:atapi.sys
[2006/02/27 18:00:00 | 18,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:atapi.sys
[2008/09/06 06:09:17 | 23,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:atapi.sys
[2008/09/06 06:09:17 | 23,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:atapi.sys
[2008/04/13 10:40:30 | 00,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ServicePackFiles\i386\atapi.sys
[2008/04/13 10:40:30 | 00,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\drivers\atapi.sys
[2004/08/03 16:59:44 | 00,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\$NtServicePackUninstall$\atapi.sys

< MD5 for: EVENTLOG.DLL >
[2008/04/13 16:11:53 | 00,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\ServicePackFiles\i386\eventlog.dll
[2008/04/13 16:11:53 | 00,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\system32\eventlog.dll
[2006/02/27 18:00:00 | 00,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll

< MD5 for: IASTOR.SYS >
[2007/07/12 08:35:02 | 00,305,176 | ---- | M] (Intel Corporation) MD5=2358C53F30CB9DCD1D3843C4E2F299B2 -- C:\COMPAQ\MISC5\iaStor.sys
[2007/07/12 07:35:02 | 00,305,176 | ---- | M] (Intel Corporation) MD5=2358C53F30CB9DCD1D3843C4E2F299B2 -- C:\SWSetup\HP Backup and Recovery Manager\update\DRIVERS\Storage\iaStor.sys
[2007/07/12 07:35:02 | 00,305,176 | ---- | M] (Intel Corporation) MD5=2358C53F30CB9DCD1D3843C4E2F299B2 -- C:\WINDOWS\DRIVERS\Storage\iaStor.sys
[2007/07/12 08:35:02 | 00,305,176 | ---- | M] (Intel Corporation) MD5=2358C53F30CB9DCD1D3843C4E2F299B2 -- C:\WINDOWS\system32\drivers\iaStor.sys

< MD5 for: NETLOGON.DLL >
[2008/04/13 16:12:01 | 00,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\ServicePackFiles\i386\netlogon.dll
[2008/04/13 16:12:01 | 00,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\system32\netlogon.dll
[2006/02/27 18:00:00 | 00,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\WINDOWS\$NtServicePackUninstall$\netlogon.dll

< MD5 for: SCECLI.DLL >
[2006/02/27 18:00:00 | 00,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- C:\WINDOWS\$NtServicePackUninstall$\scecli.dll
[2008/04/13 16:12:05 | 00,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\ServicePackFiles\i386\scecli.dll
[2008/04/13 16:12:05 | 00,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\system32\scecli.dll

< %systemroot%\*. /mp /s >

< %systemroot%\system32\*.dll /lockedfiles >

< %systemroot%\Tasks\*.job /lockedfiles >

< >
< End of report >

descriptionGot TrojanWin32:FakeSpyPro Trojan:win32/BHO.Bo TrojanDownlaoder:Win32/Monkif.o Empty4th post yvonneschaffer Got TrojanWin32:FakeSpyPro14th January 2010, 11:50 am

more_horiz
This is the second OTL report. The GMER txt is over 718kb , I posted first part in the wrong forum before. Let me know what to do next.



OTL Extras logfile created on: 1/13/2010 4:23:00 PM - Run 1
OTL by OldTimer - Version 3.1.24.0 Folder = C:\Documents and Settings\Administrator\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1,023.00 Mb Total Physical Memory | 525.00 Mb Available Physical Memory | 51.00% Memory free
2.00 Gb Paging File | 2.00 Gb Available in Paging File | 81.00% Paging File free
Paging file location(s): C:\pagefile.sys 1536 3072 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 64.51 Gb Total Space | 45.10 Gb Free Space | 69.92% Space Free | Partition Type: NTFS
Drive D: | 10.00 Gb Total Space | 7.50 Gb Free Space | 74.97% Space Free | Partition Type: NTFS
Drive E: | 1.17 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
Drive F: | 62.09 Mb Total Space | 1.88 Mb Free Space | 3.02% Space Free | Partition Type: FAT
Drive G: | 3.84 Gb Total Space | 2.43 Gb Free Space | 63.35% Space Free | Partition Type: FAT32
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: HP19932159792
Current User Name: Administrator
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 14 Days
Output = Standard
Quick Scan

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\]
.html [@ = htmlfile] -- C:\Program Files\Internet Explorer\IEXPLORE.EXE (Microsoft Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- "C:\Program Files\Microsoft Office\Office12\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
htmlfile [opennew] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)
htmlfile [print] -- "C:\Program Files\Microsoft Office\Office12\msohtmed.exe" /p %1 (Microsoft Corporation)
http [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
https [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Applications\iexplore.exe [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)
CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -- "%programfiles%\internet explorer\iexplore.exe" (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE" = C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook -- (Microsoft Corporation)
"C:\WINDOWS\SMINST\Scheduler.exe" = C:\WINDOWS\SMINST\Scheduler.exe:*:Enabled:Scheduler -- ()
"C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe" = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe:*:Enabled:hpqtra08.exe -- (Hewlett-Packard Development Company, L.P.)
"C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe" = C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe:*:Enabled:hpqste08.exe -- (Hewlett-Packard Development Company, L.P.)
"C:\Program Files\HP\Digital Imaging\bin\hpofxm08.exe" = C:\Program Files\HP\Digital Imaging\bin\hpofxm08.exe:*:Enabled:hpofxm08.exe -- (Hewlett-Packard Development Company, L.P.)
"C:\Program Files\HP\Digital Imaging\bin\hposfx08.exe" = C:\Program Files\HP\Digital Imaging\bin\hposfx08.exe:*:Enabled:hposfx08.exe -- (Hewlett-Packard Development Company, L.P.)
"C:\Program Files\HP\Digital Imaging\bin\hposid01.exe" = C:\Program Files\HP\Digital Imaging\bin\hposid01.exe:*:Enabled:hposid01.exe -- (Hewlett-Packard Development Company, L.P.)
"C:\Program Files\HP\Digital Imaging\bin\hpqscnvw.exe" = C:\Program Files\HP\Digital Imaging\bin\hpqscnvw.exe:*:Enabled:hpqscnvw.exe -- ()
"C:\Program Files\HP\Digital Imaging\bin\hpqkygrp.exe" = C:\Program Files\HP\Digital Imaging\bin\hpqkygrp.exe:*:Enabled:hpqkygrp.exe -- (Hewlett-Packard)
"C:\Program Files\HP\Digital Imaging\bin\hpqCopy.exe" = C:\Program Files\HP\Digital Imaging\bin\hpqCopy.exe:*:Enabled:hpqcopy.exe -- (Hewlett-Packard Development Company, L.P.)
"C:\Program Files\HP\Digital Imaging\bin\hpfccopy.exe" = C:\Program Files\HP\Digital Imaging\bin\hpfccopy.exe:*:Enabled:hpfccopy.exe -- (Hewlett-Packard)
"C:\Program Files\HP\Digital Imaging\bin\hpzwiz01.exe" = C:\Program Files\HP\Digital Imaging\bin\hpzwiz01.exe:*:Enabled:hpzwiz01.exe -- (Hewlett-Packard Development Company, L.P.)
"C:\Program Files\HP\Digital Imaging\Unload\HpqPhUnl.exe" = C:\Program Files\HP\Digital Imaging\Unload\HpqPhUnl.exe:*:Enabled:hpqphunl.exe -- (Hewlett-Packard)
"C:\Program Files\HP\Digital Imaging\Unload\HpqDIA.exe" = C:\Program Files\HP\Digital Imaging\Unload\HpqDIA.exe:*:Enabled:hpqdia.exe -- ( )
"C:\Program Files\HP\Digital Imaging\bin\hpoews01.exe" = C:\Program Files\HP\Digital Imaging\bin\hpoews01.exe:*:Enabled:hpoews01.exe -- (Hewlett-Packard Development Company, L.P.)
"C:\Program Files\HP\Digital Imaging\bin\hpqnrs08.exe" = C:\Program Files\HP\Digital Imaging\bin\hpqnrs08.exe:*:Enabled:hpqnrs08.exe -- (Hewlett-Packard Development Company, L.P.)
"C:\Program Files\Intuit\QuickBooks 2008\QBDBMgrN.exe" = C:\Program Files\Intuit\QuickBooks 2008\QBDBMgrN.exe:*:Enabled:QuickBooks 2008 Data Manager -- (iAnywhere Solutions, Inc.)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{002D9D5E-29BA-3E6D-9BC4-3D7D6DBC735C}" = Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
"{0394CDC8-FABD-4ed8-B104-03393876DFDF}" = Roxio Creator Tools
"{0611BD4E-4FE4-4a62-B0C0-18A4CC463428}" = CP_Package_Variety1
"{0A65A3BD-54B5-4d0d-B084-7688507813F5}" = SlideShow
"{0D397393-9B50-4c52-84D5-77E344289F87}" = Roxio Creator Data
"{15C0AF59-4877-49B6-B8C6-A61CE54515F5}" = cp_OnlineProjectsConfig
"{1C139D7D-9FEA-468d-A9C8-2A6E3BDE564A}" = CP_Package_Variety3
"{2376813B-2E5A-4641-B7B3-A0D5ADB55229}" = HPPhotoSmartExpress
"{26A24AE4-039D-4CA4-87B4-2F83216013FF}" = Java(TM) 6 Update 14
"{2AFFFDD7-ED85-4A90-8C52-5DA9EBDC9B8F}" = Microsoft SQL Server 2005 Express Edition (MSSMLBIZ)
"{2D5F91BD-BB3D-4E8C-B29C-C5BC42E194F1}" = HP Performance Tuning Framework
"{2F4C24E6-CBD4-4AAC-B56F-C9FD44DE5668}" = Roxio Drag-to-Disc
"{2F58D60D-2BFD-4467-9B4D-64E7355C329D}" = Sonic_PrimoSDK
"{3248F0A8-6813-11D6-A77B-00B0D0150000}" = J2SE Runtime Environment 5.0
"{3248F0A8-6813-11D6-A77B-00B0D0150170}" = J2SE Runtime Environment 5.0 Update 17
"{33BF0960-DBA3-4187-B6CC-C969FCFA2D25}" = SkinsHP1
"{33D6CC28-9F75-4d1b-A11D-98895B3A3729}" = HP Photosmart 330,380,420,470,7800,8000,8200 Series
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{35748B06-FCFC-4700-8285-DAD41689E4FE}" = Broadcom TPM Driver Installer
"{35E1EC43-D4FC-4E4A-AAB3-20DDA27E8BB0}" = Sonic Activation Module
"{363790D2-DA98-41DD-9C9F-69FA36B169DE}" = PanoStandAlone
"{36FDBE6E-6684-462B-AE98-9A39A1B200CC}" = HP Product Assistant
"{3F9F7336-6DF8-476F-ABF6-C70A17FAF619}" = HP Backup and Recovery Manager
"{41E776A5-9B12-416D-9A12-B4F7B044EBED}" = CP_Package_Basic1
"{45B8A76B-57EC-4242-B019-066400CD8428}" = BufferChm
"{48B3FB4D-CE22-488C-8E9F-24EBB77EAC0F}" = Microsoft Security Essentials
"{4EA684E9-5C81-4033-A696-3019EC57AC3A}" = HPProductAssistant
"{50120000-1105-0000-0000-0000000FF1CE}" = Microsoft Office 2007 Primary Interop Assemblies
"{53F5C3EE-05ED-4830-994B-50B2F0D50FCE}" = Microsoft SQL Server Setup Support Files (English)
"{57B2281D-A34A-4a48-8C68-169B8873659D}" = c4100_Help
"{5A3F6A80-7913-475E-8B96-477A952CFA43}" = SupportSoft Assisted Service
"{5F26311C-B135-4F7F-B11E-8E650F83651E}" = DeviceFunctionQFolder
"{619CDD8A-14B6-43a1-AB6C-0F4EE48CE048}" = Roxio Creator Copy
"{65DA2EC9-0642-47E9-AAE2-B5267AA14D75}" = Activation Assistant for the 2007 Microsoft Office suites
"{6675CA7F-E51B-4F6A-99D4-F8F0124C6EAA}" = Roxio Express Labeler 3
"{66910000-8B30-4973-A159-6371345AFFA5}" = WebReg
"{6696D9A4-28A8-4F5A-8E9A-2E8974C8C39C}" = RandMap
"{68763C27-235D-4165-A961-FDEA228CE504}" = AiOSoftwareNPI
"{6909F917-5499-482e-9AA1-FAD06A99F231}" = Toolbox
"{69333A04-5134-40A5-A055-9166A7AA1EC8}" =
"{6F5E2F4A-377D-4700-B0E3-8F7F7507EA15}" = CustomerResearchQFolder
"{716E0306-8318-4364-8B8F-0CC4E9376BAC}" = MSXML 4.0 SP2 Parser and SDK
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{736C803C-DD3B-4015-BC51-AFB9E67B9076}" = Readme
"{755EC5E3-FD51-46bd-A57F-7A2D56FBF061}" = PSTAPlugin
"{769A295C-DCF4-41d6-AFBA-7D9394B23AFE}" = PSPrinters08
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{7C03270C-4FAB-4F5C-B10D-52FEDA190790}" = DocumentViewerQFolder
"{7E27304E-BAA2-4d90-A34E-76641FAFABB4}" = CP_AtenaShokunin1Config
"{7E7B7865-6C80-4373-8BC1-C2EB9431F9DE}" = ProductContextNPI
"{808E5AB1-E98F-4362-AB10-B5B69CB2301C}" = HP Workstation User Guides
"{8331C3EA-0C91-43AA-A4D4-27221C631139}" = Status
"{83FFCFC7-88C6-41c6-8752-958A45325C82}" = Roxio Creator Audio
"{87E2B986-07E8-477a-93DC-AF0B6758B192}" = DocProcQFolder
"{8A4CE7FD-9657-4B06-9943-E1819F3D5D67}" = DocProc
"{8CE4E6E9-9D55-43FB-9DDB-688C976BFC05}" = Unload
"{8ECB8220-F422-4BEB-9596-97033C533702}" = QuickBooks Pro 2008
"{90120000-0010-0409-0000-0000000FF1CE}" = Microsoft Software Update for Web Folders (English) 12
"{90120000-0015-0409-0000-0000000FF1CE}" = Microsoft Office Access MUI (English) 2007
"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
"{90120000-0019-0409-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (English) 2007
"{90120000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120000-0117-0409-0000-0000000FF1CE}" = Microsoft Office Access Setup Metadata MUI (English) 2007
"{90A40409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office 2003 Web Components
"{91120000-0031-0000-0000-0000000FF1CE}" = Microsoft Office Professional Hybrid 2007
"{91810AFC-A4F8-4EBA-A5AA-B198BBC81144}" = InterVideo WinDVD
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{996512CF-F35B-48DE-9291-557FA5316967}" = ScannerCopy
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{A06275F4-324B-4E85-95E6-87B2CD729401}" = Windows Defender
"{A0A77CDC-2419-4D5C-AD2C-E09E5926B806}" = Microsoft Antimalware
"{A29800BA-0BF1-4E63-9F31-DF05A87F4104}" = InstantShareDevices
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A3455242-DAE0-4523-8242-FD82706ABF4B}" = CameraDrivers
"{A939D341-5A04-4E0A-BB55-3E65B386432D}" = Microsoft Office Small Business Connectivity Components
"{A93C4E94-1005-489D-BEAA-B873C1AA6CFC}" = HP Help and Support
"{AC76BA86-7AD7-1033-7B44-A70800000002}" = Adobe Reader 7.0.8
"{B2157760-AA3C-4E2E-BFE6-D20BC52495D9}" = cp_PosterPrintConfig
"{B2544A03-10D0-4E5E-BA69-0362FFC20D18}" = OGA Notifier 2.0.0048.0
"{B32C4059-6E7A-41EF-AD20-56DF1872B923}" = Business Contact Manager for Outlook 2007 SP1
"{B6286A44-7505-471A-A72B-04EC2DB2F442}" = CueTour
"{B69CFE29-FD03-4E0A-87A7-6ED97F98E5B3}" = CP_Panorama1Config
"{B824B5C9-849F-4b9e-9EA7-6FD8CD8116DA}" = CP_Package_Variety2
"{B8F19DA6-0BCD-48FC-9998-C6ACEAEEDEFE}" = Photo Explosion Deluxe
"{BDBE2F3E-42DB-4d4a-8CB1-19BA765DBC6C}" = HP Photosmart, Officejet and Deskjet 7.0.A
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C1C6767D-B395-43CB-BF99-051B58B86DA6}" = PhotoGallery
"{C7F54CF8-D6FB-4E0A-93A3-E68AE0D6C476}" = SolutionCenter
"{C871525F-7116-4d26-BA6D-215F59B6F88B}" = C4100
"{C8753E28-2680-49BF-BD48-DD38FD086EFE}" = AiO_Scan_CDA
"{C8B0680B-CDAE-4809-9F91-387B6DE00F7C}" = Roxio Creator Basic v9
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{DBC20735-34E6-4E97-A9E5-2066B66B243D}" = TrayApp
"{E1B80DEE-A795-4258-8445-074C06AE3AB8}" = MarketResearch
"{E86AA946-5CE2-4C21-B660-D2C186B6FDB3}" = Broadcom Management Programs
"{E9F44C98-B8B6-480F-AF7B-E42A0A46F4E3}" = Microsoft SQL Server VSS Writer
"{ED2C557E-9C18-41FF-B58E-A05EEF0B3B5F}" = CP_CalendarTemplates1
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{F157460F-720E-482f-8625-AD7843891E5F}" = InstantShareDevicesMFC
"{F1670367-C07F-411f-A196-79D2C65CBEC0}" = PS8200
"{F18DB86D-BC16-4E01-BCCE-63F62B931D82}" = InterVideo Register Manager
"{F3760724-B29D-465B-BC53-E5D72095BCC4}" = Scan
"{F6076EF9-08E1-442F-B6A2-BFB61B295A14}" = Fax_CDA
"{F9B3DD02-B0B3-42E9-8650-030DFF0D133D}" = Microsoft SQL Server Native Client
"{FB15E224-67C3-491F-9F5C-F257BC418412}" = Destinations
"{FBB980B0-63F8-4B48-8D65-90F1D9F81D9F}" = NewCopy_CDA
"{FE57DE70-95DE-4B64-9266-84DA811053DB}" = HP Update
"{FE7E1DD7-EBCE-4696-ADE2-22BDBF2372DA}" = DocumentViewer
"Activation Assistant for the 2007 Microsoft Office suites" = Activation Assistant for the 2007 Microsoft Office suites
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"AOL Toolbar" = AOL Toolbar 5.0
"Business Contact Manager" = Business Contact Manager for Outlook 2007 SP1
"CCleaner" = CCleaner (remove only)
"ERUNT_is1" = ERUNT 1.1j
"HijackThis" = HijackThis 2.0.2
"HP Document Viewer" = HP Document Viewer 7.0
"HP Imaging Device Functions" = HP Imaging Device Functions 7.0
"HP Photo & Imaging" = HP Photosmart Premier Software 6.5
"HP Solution Center & Imaging Support Tools" = HP Solution Center 7.0
"HPExtendedCapabilities" = HP Customer Participation Program 7.0
"HPOCR" = OCR Software by I.R.I.S 7.0
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Microsoft Security Essentials" = Microsoft Security Essentials
"Microsoft SQL Server 2005" = Microsoft SQL Server 2005
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"NVIDIA Drivers" = NVIDIA Drivers
"PDF Complete" = PDF Complete
"Pool Studio1.620" = Pool Studio
"PROHYBRIDR" = 2007 Microsoft Office system
"Ulead COOL 360 1.0" = Ulead COOL 360 1.0
"Windows XP Service Pack" = Windows XP Service Pack 3

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 11/27/2009 1:42:49 PM | Computer Name = HP19932159792 | Source = QuickBooks | ID = 4
Description =

Error - 11/30/2009 9:46:00 PM | Computer Name = HP19932159792 | Source = QuickBooks | ID = 4
Description =

Error - 11/30/2009 9:46:00 PM | Computer Name = HP19932159792 | Source = QuickBooks | ID = 4
Description =

Error - 11/30/2009 9:46:00 PM | Computer Name = HP19932159792 | Source = QuickBooks | ID = 4
Description =

Error - 11/30/2009 9:46:20 PM | Computer Name = HP19932159792 | Source = QuickBooks | ID = 4
Description =

Error - 11/30/2009 9:46:20 PM | Computer Name = HP19932159792 | Source = QuickBooks | ID = 4
Description =

Error - 11/30/2009 9:46:20 PM | Computer Name = HP19932159792 | Source = QuickBooks | ID = 4
Description =

Error - 11/30/2009 9:46:43 PM | Computer Name = HP19932159792 | Source = QuickBooks | ID = 4
Description =

Error - 12/5/2009 10:55:38 AM | Computer Name = HP19932159792 | Source = Application Error | ID = 1000
Description = Faulting application iexplore.exe, version 7.0.6000.16915, faulting
module mshtml.dll, version 7.0.6000.16939, fault address 0x000d79b7.

Error - 12/7/2009 12:00:47 PM | Computer Name = HP19932159792 | Source = Application Error | ID = 1000
Description = Faulting application iexplore.exe, version 7.0.6000.16915, faulting
module unknown, version 0.0.0.0, fault address 0x0a497118.

[ System Events ]
Error - 1/7/2010 4:15:35 PM | Computer Name = HP19932159792 | Source = Dhcp | ID = 1000
Description = Your computer has lost the lease to its IP address 192.168.0.11 on
the Network Card with network address 00215A175768.

Error - 1/7/2010 7:42:52 PM | Computer Name = HP19932159792 | Source = Dhcp | ID = 1000
Description = Your computer has lost the lease to its IP address 192.168.0.11 on
the Network Card with network address 00215A175768.

Error - 1/8/2010 10:55:23 AM | Computer Name = HP19932159792 | Source = Dhcp | ID = 1000
Description = Your computer has lost the lease to its IP address 192.168.0.11 on
the Network Card with network address 00215A175768.


< End of report >

P.S. I was able to download Housecall and load it, took a long time, but ran quick scan, found nothing..so I am running full scan now. I really need help since I want to solve this now... Annoyed or Unimpress

descriptionGot TrojanWin32:FakeSpyPro Trojan:win32/BHO.Bo TrojanDownlaoder:Win32/Monkif.o EmptyRe: Got TrojanWin32:FakeSpyPro Trojan:win32/BHO.Bo TrojanDownlaoder:Win32/Monkif.o14th January 2010, 7:23 pm

more_horiz
Hello.

Did you remove what MBAM found? it says no action was taken.

descriptionGot TrojanWin32:FakeSpyPro Trojan:win32/BHO.Bo TrojanDownlaoder:Win32/Monkif.o EmptyRe: Got TrojanWin32:FakeSpyPro Trojan:win32/BHO.Bo TrojanDownlaoder:Win32/Monkif.o14th January 2010, 7:33 pm

more_horiz
Hi Belahzur!
Thnaks for helping me. By the way Housecall didn't find anything.

No, I didn't remove anything? I don't know why it didn't remove them Do you want me to run again? Once again, thanks for the response.

descriptionGot TrojanWin32:FakeSpyPro Trojan:win32/BHO.Bo TrojanDownlaoder:Win32/Monkif.o EmptyRe: Got TrojanWin32:FakeSpyPro Trojan:win32/BHO.Bo TrojanDownlaoder:Win32/Monkif.o14th January 2010, 7:53 pm

more_horiz
Yes please.

descriptionGot TrojanWin32:FakeSpyPro Trojan:win32/BHO.Bo TrojanDownlaoder:Win32/Monkif.o EmptyRe: Got TrojanWin32:FakeSpyPro Trojan:win32/BHO.Bo TrojanDownlaoder:Win32/Monkif.o14th January 2010, 9:04 pm

more_horiz
Hi!
Well I think I messed up again, I sent the wrong report. Will attach one where it found and quantined files. I did an update which seemed to go ok, ran mbam again. Here we go:
Malwarebytes' Anti-Malware 1.44
Database version: 3510
Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

1/13/2010 2:28:59 AM
mbam-log-2010-01-13 (02-28-59).txt

Scan type: Quick Scan
Objects scanned: 109568
Time elapsed: 5 minute(s), 13 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\\main.bho (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\\main.bho.1 (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\IntelinetSecure (Rogue.Intelinet) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\\Documents and Settings\\Administrator\\Favorites\\Free Porn Movies at Cliphunter.url (Rogue.Link) -> Quarantined and deleted successfully.
C:\\Documents and Settings\\Administrator\\Favorites\\Free Porn Tube Movies, Porno Videos & XXX Sex Videos.url (Rogue.Link) -> Quarantined and deleted successfully.

After updating MBAM here is next run. Should I do a full system scan?

Malwarebytes' Anti-Malware 1.44
Database version: 3564
Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

1/14/2010 11:58:05 AM
mbam-log-2010-01-14 (11-58-05).txt

Scan type: Quick Scan
Objects scanned: 110787
Time elapsed: 3 minute(s), 41 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Thanks again

descriptionGot TrojanWin32:FakeSpyPro Trojan:win32/BHO.Bo TrojanDownlaoder:Win32/Monkif.o EmptyRe: Got TrojanWin32:FakeSpyPro Trojan:win32/BHO.Bo TrojanDownlaoder:Win32/Monkif.o15th January 2010, 12:19 am

more_horiz
Hello.

Go to Start > Control Panel > Add/Remove Programs and remove the following programs.

    Java(TM) 6 Update 14
    J2SE Runtime Environment 5.0
    J2SE Runtime Environment 5.0 Update 17

Please run OTL.exe.

  • Copy the commands with file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):


    :OTL
    O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    [2010/01/13 14:07:17 | 00,000,132 | ---- | M] () -- C:\WINDOWS\System32\rezumatenoi.dat


  • Return to OTL, right click in the "Custom Scans/Fixes" window (under the light green bar) and choose Paste.

  • Click the red Run Fix button.
  • A fix log in Notepad will appear. Copy the contents of the fix log to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTL.exe
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

descriptionGot TrojanWin32:FakeSpyPro Trojan:win32/BHO.Bo TrojanDownlaoder:Win32/Monkif.o EmptyRe: Got TrojanWin32:FakeSpyPro Trojan:win32/BHO.Bo TrojanDownlaoder:Win32/Monkif.o15th January 2010, 12:56 am

more_horiz
Removed the java, but also I updated to newest version and also updated Adobe Reader. Hope that's not a problem.
Ran OTL here are the results:

========== OTL ==========
Registry key HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel\ deleted successfully.
C:\WINDOWS\system32\rezumatenoi.dat moved successfully.

OTL by OldTimer - Version 3.1.24.0 log created on 01142010_165137
Thanks again,

descriptionGot TrojanWin32:FakeSpyPro Trojan:win32/BHO.Bo TrojanDownlaoder:Win32/Monkif.o EmptyRe: Got TrojanWin32:FakeSpyPro Trojan:win32/BHO.Bo TrojanDownlaoder:Win32/Monkif.o15th January 2010, 12:58 am

more_horiz
To remove all of the tools we used and the files and folders they created do the following:
Double click OTL.exe.

  • Click the CleanUp! button.
  • Select Yes when the "Begin cleanup Process?" prompt appears.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes.

How is the machine running now?

descriptionGot TrojanWin32:FakeSpyPro Trojan:win32/BHO.Bo TrojanDownlaoder:Win32/Monkif.o EmptyRe: Got TrojanWin32:FakeSpyPro Trojan:win32/BHO.Bo TrojanDownlaoder:Win32/Monkif.o15th January 2010, 1:20 am

more_horiz
It seems ok, downloads are working now. You really helped me and it looks like it's working. Do I need to do anything else?
I was wondering if you could advise if Windows Defender and Security Essentials are good enough. And should I buy MBAM? I have Norton Internet Security 2010 that I bought before my son-in-law got his problem, but I didn't install it since their web site didn't know about the trojans he had. Let me know what I need to do next. Once again, you solved the problem and quickly. Thank You! Hooray! You guys really do a great job.
Yvonne

descriptionGot TrojanWin32:FakeSpyPro Trojan:win32/BHO.Bo TrojanDownlaoder:Win32/Monkif.o EmptyRe: Got TrojanWin32:FakeSpyPro Trojan:win32/BHO.Bo TrojanDownlaoder:Win32/Monkif.o15th January 2010, 7:33 pm

more_horiz
This should be fine now if no problems remain.

descriptionGot TrojanWin32:FakeSpyPro Trojan:win32/BHO.Bo TrojanDownlaoder:Win32/Monkif.o EmptyRe: Got TrojanWin32:FakeSpyPro Trojan:win32/BHO.Bo TrojanDownlaoder:Win32/Monkif.o15th January 2010, 9:01 pm

more_horiz
Hi!
Yes, it seems fine now. Just wondering if you could answer my question about AntiVirus and MBAm. I trust your opinion more than other forums. Once again, you guys are great!!!
You can mark this as solved.
Thanks,
Yvonne Hooray!

descriptionGot TrojanWin32:FakeSpyPro Trojan:win32/BHO.Bo TrojanDownlaoder:Win32/Monkif.o EmptyRe: Got TrojanWin32:FakeSpyPro Trojan:win32/BHO.Bo TrojanDownlaoder:Win32/Monkif.o16th January 2010, 12:03 am

more_horiz
If you have security essentials installed, don't install Norton, because having 2 antivirus programs running at the same time can be dangerous.
MBAM goes well with anything in general as it's an antispyware and not an antivirus.

descriptionGot TrojanWin32:FakeSpyPro Trojan:win32/BHO.Bo TrojanDownlaoder:Win32/Monkif.o EmptyRe: Got TrojanWin32:FakeSpyPro Trojan:win32/BHO.Bo TrojanDownlaoder:Win32/Monkif.o

more_horiz
privacy_tip Permissions in this forum:
You cannot reply to topics in this forum