Cannot remove a file


Hey,

I recently got infected with some malware/spyware, and I was able to delete it all, except 1 file. I'm not sure what it is; I've searched for a while now. Any tips on how to delete this would be appreciated. And any explanations of what it is, and why it cannot be deleted, would also be nice :)

Thanks,

Here's the log

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 4496

Windows 6.1.7600

Internet Explorer 8.0.7600.16385

2010-08-28 21:06:27

mbam-log-2010-08-28 (21-06-27).txt

Scan type: Full scan (C:\|)

Objects scanned: 237649

Time elapsed: 23 minute(s), 26 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 1

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\nofolderoptions (Hijack.FolderOptions) -> Delete on reboot.

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)


Hi and welcome to Malwarebytes.

Did you really just bump your topic after one hour?

Next, download DDS by sUBs and save it to your Desktop.

Double-click on the DDS icon and let the scan run. When it has run, two logs will be produced; please post the one that is not minimized.

Yes I did :) I figured since it was on the 4th page, it might not get any attention. But I guess I was wrong; it's probably just a busy forum >.> Won't happen again ;)

DDS (Ver_10-03-17.01) - NTFSX64

Run by User at 22:21:38,53 on 2010-08-28

Internet Explorer: 8.0.7600.16385

Microsoft Windows 7 Home Premium 6.1.7600.0.1252.2.1033.18.4095.2815 [GMT -4:00]

============== Running Processes ===============

C:\Windows\system32\wininit.exe

C:\Windows\system32\lsm.exe

C:\Windows\system32\svchost.exe -k DcomLaunch

C:\Windows\system32\svchost.exe -k RPCSS

C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe

C:\Windows\system32\svchost.exe -k NetworkService

C:\Windows\system32\atiesrxx.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\Windows\system32\svchost.exe -k netsvcs

C:\Windows\system32\svchost.exe -k LocalService

C:\Windows\system32\atieclxx.exe

C:\Windows\System32\spoolsv.exe

C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork

C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation

c:\PROGRA~2\mcafee\SITEAD~1\mcsacore.exe

C:\Windows\system32\svchost.exe -k imgsvc

C:\Windows\system32\rundll32.exe

C:\Windows\SysWOW64\rundll32.exe

C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted

C:\Windows\system32\taskhost.exe

C:\Windows\system32\Dwm.exe

C:\Windows\Explorer.EXE

C:\Program Files\COMODO\COMODO Internet Security\cfp.exe

C:\Program Files\Windows Sidebar\sidebar.exe

C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe

C:\Program Files (x86)\Steam\steam.exe

C:\Windows\system32\SearchIndexer.exe

C:\Program Files\Windows Media Player\wmpnetwk.exe

C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe

C:\Windows\System32\svchost.exe -k LocalServicePeerNet

C:\Windows\System32\svchost.exe -k secsvcs

C:\Program Files (x86)\Mozilla Firefox\firefox.exe

C:\Windows\system32\wbem\wmiprvse.exe

C:\Windows\system32\SearchProtocolHost.exe

C:\Windows\system32\SearchFilterHost.exe

C:\Windows\system32\wbem\wmiprvse.exe

C:\Users\User\Downloads\dds(2).scr

C:\Windows\system32\conhost.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.ask.com?o=15153&l=dis

mLocal Page = c:\windows\syswow64\blank.htm

uURLSearchHooks: UrlSearchHook Class: {00000000-6e41-4fd3-8538-502f5495e5fc} - c:\program files (x86)\ask.com\GenericAskToolbar.dll

uURLSearchHooks: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~2\mcafee\sitead~1\mcieplg.dll

BHO: c:\windows\syswow64\zt8sh4vq4o.dll: {b1ba40a2-75f2-51bd-f413-04b13a2c8953} - c:\windows\syswow64\zt8sh4vq4o.dll

TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~2\mcafee\sitead~1\mcieplg.dll

TB: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files (x86)\ask.com\GenericAskToolbar.dll

uRun: [sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun

uRun: [msnmsgr] "c:\program files (x86)\windows live\messenger\msnmsgr.exe" /background

uRun: [steam] "c:\program files (x86)\steam\steam.exe" -silent

uRun: [hse897ifdsjf98u3heuidhfdd] c:\users\user\appdata\local\temp\cryv3jo.exe

mRun: [GrooveMonitor] "c:\program files (x86)\microsoft office\office12\GrooveMonitor.exe"

mRun: [WinampAgent] "c:\program files (x86)\winamp\winampa.exe"

mRun: [DivXUpdate] "c:\program files (x86)\divx\divx update\DivXUpdate.exe" /CHECKNOW

StartupFolder: c:\users\user\appdata\roaming\micros~1\windows\startm~1\programs\startup\limewi~1.lnk - c:\program files (x86)\limewire\LimeWire.exe

uPolicies-explorer: NoFolderOptions = 1 (0x1)

mPolicies-explorer: NoActiveDesktop = 1 (0x1)

mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)

mPolicies-explorer: ForceActiveDesktopOn = 0 (0x0)

mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)

mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)

mPolicies-system: EnableLUA = 0 (0x0)

mPolicies-system: EnableUIADesktopToggle = 0 (0x0)

mPolicies-system: PromptOnSecureDesktop = 0 (0x0)

IE: E&xport to Microsoft Excel - c:\progra~2\micros~2\office12\EXCEL.EXE/3000

IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~2\micros~2\office12\ONBttnIE.dll

IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files (x86)\skype\toolbars\internet explorer\skypeieplugin.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~2\micros~2\office12\REFIEBAR.DLL

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab

Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~2\mcafee\sitead~1\McIEPlg.dll

Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files (x86)\microsoft office\office12\GrooveSystemServices.dll

Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~2\mcafee\sitead~1\McIEPlg.dll

Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files (x86)\skype\toolbars\internet explorer\skypeieplugin.dll

Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~2\common~1\skype\SKYPE4~1.DLL

AppInit_DLLs: c:\windows\syswow64\guard32.dll

SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files (x86)\microsoft office\office12\GrooveShellExtensions.dll

BHO-X64: McAfee SiteAdvisor BHO: {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\progra~2\mcafee\sitead~1\x64\mcieplg.dll

TB-X64: McAfee SiteAdvisor Toolbar: {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\progra~2\mcafee\sitead~1\x64\mcieplg.dll

TB-X64: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File

mRun-x64: [COMODO Internet Security] "c:\program files\comodo\comodo internet security\cfp.exe" -h

AppInit_DLLs-X64: c:\windows\system32\guard64.dll

================= FIREFOX ===================

FF - ProfilePath - c:\users\user\appdata\roaming\mozilla\firefox\profiles\stptfe9f.default\

FF - prefs.js: browser.search.selectedEngine - Ask.com

FF - prefs.js: browser.startup.homepage - hxxp://en-US.start3.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official

FF - prefs.js: keyword.URL - hxxp://websearch.ask.com/redirect?client=ff&src=kw&tb=UT2V5&o=15150&locale=en_US&q=

FF - component: c:\program files (x86)\mozilla firefox\extensions\{ab2ce124-6272-4b12-94a9-7303c7397bd1}\components\SkypeFfComponent.dll

FF - plugin: c:\program files (x86)\divx\divx plus web player\npdivx32.dll

FF - plugin: c:\program files (x86)\mozilla firefox\plugins\npwachk.dll

FF - plugin: c:\windows\system32\wat\npWatWeb.dll

---- FIREFOX POLICIES ----

c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);

c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);

c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);

c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);

c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);

c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);

c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);

c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);

c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);

c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);

c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);

c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);

c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);

c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);

c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);

c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);

c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);

c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);

c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);

c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);

c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);

c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);

c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);

c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);

c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);

c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);

c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);

c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);

c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);

c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("html5.enable", false);

c:\program files (x86)\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);

c:\program files (x86)\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");

c:\program files (x86)\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);

c:\program files (x86)\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);

c:\program files (x86)\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

c:\program files (x86)\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);

c:\program files (x86)\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");

c:\program files (x86)\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");

c:\program files (x86)\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");

c:\program files (x86)\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");

c:\program files (x86)\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");

c:\program files (x86)\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");

c:\program files (x86)\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);

c:\program files (x86)\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);

c:\program files (x86)\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);

c:\program files (x86)\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);

c:\program files (x86)\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);

c:\program files (x86)\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);

c:\program files (x86)\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);

c:\program files (x86)\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);

c:\program files (x86)\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);

c:\program files (x86)\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);

c:\program files (x86)\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);

c:\program files (x86)\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);

c:\program files (x86)\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdguard.sys [2010-3-17 119624]

R2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2010-2-3 202752]

R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\progra~2\mcafee\sitead~1\mcsacore.exe [2010-5-26 110312]

R3 amdkmdag;amdkmdag;c:\windows\system32\drivers\atipmdag.sys [2010-2-3 6366720]

R3 amdkmdap;amdkmdap;c:\windows\system32\drivers\atikmpag.sys [2010-2-2 186880]

R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\drivers\Rt64win7.sys [2009-12-19 314400]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]

S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\microsoft.net\framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]

S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2002-1-1 1255736]

=============== Created Last 30 ================

2010-08-28 22:48:06 0 d-----w- c:\users\user\appdata\roaming\Malwarebytes

2010-08-28 22:48:00 0 d-----w- c:\programdata\Malwarebytes

2010-08-28 22:47:59 24664 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-08-28 22:47:59 0 d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware

2010-08-28 22:05:17 130 ----a-w- c:\windows\cfplogvw.INI

2010-08-28 21:51:02 5 ----a-w- C:\zrpt.xml

2010-08-28 21:50:58 30000 ----a-w- c:\windows\syswow64\zt8sh4vq4o.dll

2010-08-28 21:50:56 30000 ----a-w- c:\windows\syswow64\g77eyulqw.dll

2010-08-28 21:50:56 0 d-----w- c:\users\user\appdata\roaming\Bitrix Security

2010-08-28 21:50:49 0 d-----w- c:\users\user\appdata\roaming\5B11715387799866231299B1BB60A272

2010-08-28 02:43:48 0 d-----w- c:\program files\DivX

2010-08-28 02:43:33 0 d-----w- c:\program files (x86)\common files\DivX Shared

2010-08-28 02:42:12 0 d-----w- c:\program files (x86)\DivX

2010-08-28 02:41:48 0 d-----w- c:\programdata\DivX

2010-08-24 20:57:28 861184 ----a-w- c:\windows\system32\oleaut32.dll

2010-08-24 20:57:28 571904 ----a-w- c:\windows\syswow64\oleaut32.dll

2010-08-23 21:56:46 0 d-----w- c:\program files (x86)\World of Warcraft Beta

2010-08-09 20:48:18 151 ----a-w- c:\windows\PhotoSnapViewer.INI

2010-08-02 18:31:38 12867584 ----a-w- c:\windows\syswow64\shell32.dll

==================== Find3M ====================

2010-08-28 21:58:20 1474832 ----a-w- c:\windows\system32\drivers\sfi.dat

2010-07-29 06:30:34 82944 ----a-w- c:\windows\syswow64\iccvid.dll

2010-07-05 11:53:57 32744 ----a-w- c:\windows\scunin.dat

2010-07-05 11:53:56 70656 ----a-w- c:\windows\ScUnin.exe

2010-07-02 03:07:28 98304 ----a-w- c:\windows\syswow64\CmdLineExt.dll

2010-06-30 07:13:46 1192960 ----a-w- c:\windows\system32\wininet.dll

2010-06-30 06:25:31 978432 ----a-w- c:\windows\syswow64\wininet.dll

2010-06-30 06:25:18 1226240 ----a-w- c:\windows\syswow64\urlmon.dll

2010-06-30 06:22:45 606208 ----a-w- c:\windows\syswow64\mstime.dll

2010-06-30 06:22:34 5971456 ----a-w- c:\windows\syswow64\mshtml.dll

2010-06-30 06:22:33 64512 ----a-w- c:\windows\syswow64\msfeedsbs.dll

2010-06-30 06:21:57 48128 ----a-w- c:\windows\syswow64\jsproxy.dll

2010-06-30 06:21:47 185856 ----a-w- c:\windows\syswow64\iepeers.dll

2010-06-30 06:21:47 176640 ----a-w- c:\windows\syswow64\ieui.dll

2010-06-30 06:21:46 10985472 ----a-w- c:\windows\syswow64\ieframe.dll

2010-06-30 06:21:44 381440 ----a-w- c:\windows\syswow64\iedkcs32.dll

2010-06-30 06:19:16 12800 ----a-w- c:\windows\syswow64\msfeedssync.exe

2010-06-19 07:05:01 5507968 ----a-w- c:\windows\system32\ntoskrnl.exe

2010-06-19 06:53:18 52224 ----a-w- c:\windows\system32\rtutils.dll

2010-06-19 06:33:29 3955080 ----a-w- c:\windows\syswow64\ntkrnlpa.exe

2010-06-19 06:33:29 3899784 ----a-w- c:\windows\syswow64\ntoskrnl.exe

2010-06-19 06:23:50 37376 ----a-w- c:\windows\syswow64\rtutils.dll

2010-06-19 04:32:34 3122688 ----a-w- c:\windows\system32\win32k.sys

2010-06-16 06:11:10 340992 ----a-w- c:\windows\system32\schannel.dll

2010-06-16 05:48:35 224256 ----a-w- c:\windows\syswow64\schannel.dll

2010-06-08 06:02:06 1233920 ----a-w- c:\windows\syswow64\msxml3.dll

2010-06-08 05:36:31 1877504 ----a-w- c:\windows\system32\msxml3.dll

2009-07-14 05:37:38 31548 ----a-w- c:\windows\inf\perflib\0409\perfd.dat

2009-07-14 05:37:38 31548 ----a-w- c:\windows\inf\perflib\0409\perfc.dat

2009-07-14 05:37:38 291294 ----a-w- c:\windows\inf\perflib\0409\perfi.dat

2009-07-14 05:37:38 291294 ----a-w- c:\windows\inf\perflib\0409\perfh.dat

2009-07-14 04:54:24 174 --sha-w- c:\program files\desktop.ini

2009-07-14 04:54:24 174 --sha-w- c:\program files (x86)\desktop.ini

2009-07-14 01:00:34 291294 ----a-w- c:\windows\inf\perflib\0000\perfi.dat

2009-07-14 01:00:34 291294 ----a-w- c:\windows\inf\perflib\0000\perfh.dat

2009-07-14 01:00:32 31548 ----a-w- c:\windows\inf\perflib\0000\perfd.dat

2009-07-14 01:00:32 31548 ----a-w- c:\windows\inf\perflib\0000\perfc.dat

2009-06-10 20:44:08 9633792 --sha-r- c:\windows\fonts\StaticCache.dat

2009-07-14 04:55:03 16384 --sha-w- c:\windows\syswow64\config\systemprofile\appdata\local\microsoft\windows\history\history.ie5\index.dat

2009-07-14 04:55:03 32768 --sha-w- c:\windows\syswow64\config\systemprofile\appdata\local\microsoft\windows\temporary internet files\content.ie5\index.dat

2009-07-14 04:55:03 16384 --sha-w- c:\windows\syswow64\config\systemprofile\appdata\roaming\microsoft\windows\cookies\index.dat

2009-07-14 01:39:53 398848 --sha-w- c:\windows\winsxs\amd64_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_4d4d1f2f696639a2\WinMail.exe

2009-07-14 01:14:45 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe

============= FINISH: 22:23:27,84 ===============


  • Staff

Hi,

Please update MBAM, run a Quick Scan, and post its log.

Please go to VirusTotal, and upload the following file for analysis:

c:\windows\syswow64\zt8sh4vq4o.dll

c:\users\user\appdata\local\temp\cryv3jo.exe

Post the results in your reply.

Download OTL.exe by OldTimer to your Desktop.

  • Close all windows and double click OTL.exe.
  • Click Run Scan and let the program run uninterrupted.
  • It will produce two logs for you, one will pop up - OTL.txt, the other will be saved on your Desktop - Extras.txt. Post both logs in this thread.
  • You may need to use two posts to get it all.


Alright, I updated.

Here's the new MBAM log

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 4497

Windows 6.1.7600

Internet Explorer 8.0.7600.16385

2010-08-28 22:40:40

mbam-log-2010-08-28 (22-40-40).txt

Scan type: Quick scan

Objects scanned: 140504

Time elapsed: 2 minute(s), 11 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 1

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\nofolderoptions (Hijack.FolderOptions) -> Delete on reboot.

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

Here is the analysis result for c:\windows\syswow64\zt8sh4vq4o.dll

Antivirus Version Last update Result

AhnLab-V3 2010.08.29.00 2010.08.28 Malware/Win32.Generic

AntiVir 8.2.4.46 2010.08.28 TR/Downloader.Gen

Antiy-AVL 2.0.3.7 2010.08.26 -

Authentium 5.2.0.5 2010.08.28 W32/Spyware-WebActiveClick-based!Maximus

Avast 4.8.1351.0 2010.08.28 Win32:Ertfor

Avast5 5.0.594.0 2010.08.28 Win32:Ertfor

AVG 9.0.0.851 2010.08.28 Downloader.Generic10.OGX

BitDefender 7.2 2010.08.29 Generic.Malware.dld!!.D6B81D3D

CAT-QuickHeal 11.00 2010.08.28 -

ClamAV 0.96.2.0-git 2010.08.28 -

Comodo 5892 2010.08.29 -

DrWeb 5.0.2.03300 2010.08.29 Trojan.DisableSR.18

Emsisoft 5.0.0.37 2010.08.28 -

eSafe 7.0.17.0 2010.08.26 -

eTrust-Vet 36.1.7823 2010.08.27 -

F-Prot 4.6.1.107 2010.08.28 W32/Spyware-WebActiveClick-based!Maximus

F-Secure 9.0.15370.0 2010.08.28 Generic.Malware.dld!!.D6B81D3D

Fortinet 4.1.143.0 2010.08.28 -

GData 21 2010.08.29 Generic.Malware.dld!!.D6B81D3D

Ikarus T3.1.1.88.0 2010.08.28 -

Jiangmin 13.0.900 2010.08.28 -

Kaspersky 7.0.0.125 2010.08.29 -

McAfee 5.400.0.1158 2010.08.29 Generic.dx!tok

Microsoft 1.6103 2010.08.28 Trojan:Win32/Ertfor.B

NOD32 5405 2010.08.28 a variant of Win32/TrojanDownloader.Small.NFD

Norman 6.05.11 2010.08.28 -

nProtect 2010-08-28.01 2010.08.28 -

Panda 10.0.2.7 2010.08.28 Trj/CI.A

PCTools 7.0.3.5 2010.08.29 -

Prevx 3.0 2010.08.29 Medium Risk Malware

Rising 22.62.05.03 2010.08.28 Trojan.DL.Win32.Undef.emn

Sophos 4.56.0 2010.08.28 Mal/Generic-L

Sunbelt 6808 2010.08.29 BehavesLike.Win32.Malware (v)

SUPERAntiSpyware 4.40.0.1006 2010.08.28 Trojan.Smitfraud Variant-Gen/Bensorty

Symantec 20101.1.1.7 2010.08.29 -

TheHacker 6.5.2.1.357 2010.08.28 -

TrendMicro 9.120.0.1004 2010.08.28 PAK_Generic.001

TrendMicro-HouseCall 9.120.0.1004 2010.08.29 -

VBA32 3.12.14.0 2010.08.27 -

ViRobot 2010.8.28.4013 2010.08.28 -

VirusBuster 5.0.27.0 2010.08.28 -

MD5: b11fb6205bbec4c4e66694e11abcf192

SHA1: 8b91d46b29c5c136b8630ee9acb5bec18115a135

SHA256: 8c127ab3ff08d0d8060f7c206574576e4041e24adb265621e45fbb19a34148a6

File size: 30000 bytes

Scan date: 2010-08-29 02:36:37 (UTC)

-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

When I tried running one for c:\users\user\appdata\local\temp\cryv3jo.exe, it said that the file was not found. Not sure why.

Here is the result for OTL

OTL logfile created on: 2010-08-28 23:00:08 - Run 1

OTL by OldTimer - Version 3.2.11.0 Folder = C:\Users\User\Desktop

64bit- Home Premium Edition (Version = 6.1.7600) - Type = NTWorkstation

Internet Explorer (Version = 8.0.7600.16385)

Locale: 00000C0C | Country: Canada | Language: FRC | Date Format: yyyy-MM-dd

4,00 Gb Total Physical Memory | 3,00 Gb Available Physical Memory | 73,00% Memory free

8,00 Gb Paging File | 7,00 Gb Available in Paging File | 85,00% Paging File free

Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)

Drive C: | 465,66 Gb Total Space | 313,24 Gb Free Space | 67,27% Space Free | Partition Type: NTFS

Drive D: | 637,02 Mb Total Space | 0,00 Mb Free Space | 0,00% Space Free | Partition Type: CDFS

E: Drive not present or media not loaded

F: Drive not present or media not loaded

G: Drive not present or media not loaded

H: Drive not present or media not loaded

I: Drive not present or media not loaded

Computer Name: USER-PC

Current User Name: User

Logged in as Administrator.

Current Boot Mode: Normal

Scan Mode: Current user

Include 64bit Scans

Company Name Whitelist: Off

Skip Microsoft Files: Off

File Age = 30 Days

Output = Standard

========== Processes (SafeList) ==========

PRC - [2010-08-28 22:45:36 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Users\User\Desktop\OTL.exe

PRC - [2010-08-25 03:17:37 | 001,242,448 | ---- | M] (Valve Corporation) -- C:\Program Files (x86)\Steam\steam.exe

PRC - [2010-08-20 15:45:26 | 001,164,584 | ---- | M] () -- C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe

========== Modules (SafeList) ==========

MOD - [2010-08-28 22:45:36 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Users\User\Desktop\OTL.exe

MOD - [2010-04-01 09:57:36 | 000,015,056 | ---- | M] (McAfee, Inc.) -- c:\Program Files (x86)\McAfee\SiteAdvisor\sahook.dll

MOD - [2010-03-17 12:29:26 | 000,171,552 | ---- | M] (COMODO) -- C:\Windows\SysWOW64\guard32.dll

MOD - [2009-07-13 21:15:21 | 000,014,848 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysWOW64\fltLib.dll

MOD - [2009-07-13 21:14:10 | 000,095,232 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysWOW64\msscript.ocx

MOD - [2009-07-13 21:03:50 | 001,680,896 | ---- | M] (Microsoft Corporation) -- C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7600.16385_none_421189da2b7fabfc\comctl32.dll

========== Win32 Services (SafeList) ==========

SRV:64bit: - [2010-03-17 12:29:26 | 001,083,144 | ---- | M] (COMODO) [Auto | Running] -- C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe -- (cmdAgent)

SRV:64bit: - [2010-02-03 00:17:10 | 000,202,752 | ---- | M] (AMD) [Auto | Running] -- C:\Windows\SysNative\atiesrxx.exe -- (AMD External Events Utility)

SRV:64bit: - [2009-07-13 21:41:27 | 001,011,712 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)

SRV - [2010-03-26 11:16:04 | 000,110,312 | ---- | M] (McAfee, Inc.) [Auto | Running] -- c:\Program Files (x86)\McAfee\SiteAdvisor\mcsacore.exe -- (McAfee SiteAdvisor Service)

SRV - [2010-03-18 14:27:14 | 000,138,576 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -- (clr_optimization_v4.0.30319_64)

SRV - [2010-03-18 13:16:28 | 000,130,384 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -- (clr_optimization_v4.0.30319_32)

SRV - [2008-12-22 11:52:16 | 000,104,944 | ---- | M] (Valve Corporation) [On_Demand | Stopped] -- C:\Program Files (x86)\Common Files\Steam\SteamService.exe -- (Steam Client Service)

SRV - [2008-10-25 10:44:08 | 000,065,888 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files (x86)\Microsoft Office\Office12\GrooveAuditService.exe -- (Microsoft Office Groove Audit Service)

========== Driver Services (SafeList) ==========

DRV:64bit: - [2010-02-03 00:55:18 | 006,366,720 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\atikmdag.sys -- (atikmdag)

DRV:64bit: - [2010-02-03 00:55:18 | 006,366,720 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\atipmdag.sys -- (amdkmdag)

DRV:64bit: - [2010-02-02 23:23:58 | 000,186,880 | ---- | M] (Advanced Micro Devices, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\atikmpag.sys -- (amdkmdap)

DRV:64bit: - [2010-01-28 10:33:38 | 000,116,736 | ---- | M] (ATI Technologies, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\AtiHdmi.sys -- (AtiHdmiService)

DRV:64bit: - [2009-12-19 08:11:40 | 000,314,400 | ---- | M] (Realtek ) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\Rt64win7.sys -- (RTL8167)

DRV:64bit: - [2009-07-13 21:52:21 | 000,106,576 | ---- | M] (Advanced Micro Devices) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsata.sys -- (amdsata)

DRV:64bit: - [2009-07-13 21:52:21 | 000,028,752 | ---- | M] (Advanced Micro Devices) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\amdxata.sys -- (amdxata)

DRV:64bit: - [2009-07-13 21:52:20 | 000,194,128 | ---- | M] (AMD Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsbs.sys -- (amdsbs)

DRV:64bit: - [2009-07-13 21:48:04 | 000,065,600 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\lsi_sas2.sys -- (LSI_SAS2)

DRV:64bit: - [2009-07-13 21:47:48 | 000,077,888 | ---- | M] (Hewlett-Packard Company) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\HpSAMD.sys -- (HpSAMD)

DRV:64bit: - [2009-07-13 21:45:55 | 000,024,656 | ---- | M] (Promise Technology) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\stexstor.sys -- (stexstor)

DRV:64bit: - [2009-06-10 16:38:56 | 000,000,308 | ---- | M] () [File_System | On_Demand | Running] -- C:\Windows\SysNative\wbem\ntfs.mof -- (Ntfs)

DRV:64bit: - [2009-06-10 16:34:33 | 003,286,016 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\evbda.sys -- (ebdrv)

DRV:64bit: - [2009-06-10 16:34:28 | 000,468,480 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\bxvbda.sys -- (b06bdrv)

DRV:64bit: - [2009-06-10 16:34:23 | 000,270,848 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\b57nd60a.sys -- (b57nd60a)

DRV:64bit: - [2009-06-10 16:31:59 | 000,031,232 | ---- | M] (Hauppauge Computer Works, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\hcw85cir.sys -- (hcw85cir)

DRV:64bit: - [2005-03-29 00:30:38 | 000,008,192 | ---- | M] () [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\ASACPI.sys -- (MTsensor)

========== Standard Registry (SafeList) ==========

========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.ask.com?o=15153&l=dis

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://ca.msn.com/defaultf.aspx?lang=fr-ca&OCID=iehp

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = fr-ca

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 71 55 18 AE 7B F0 CA 01 [binary data]

IE - HKCU\..\URLSearchHook: {00000000-6E41-4FD3-8538-502F5495E5FC} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll File not found

IE - HKCU\..\URLSearchHook: {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\Program Files (x86)\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)

IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.defaultengine: "Ask.com"

FF - prefs.js..browser.search.defaultenginename: "Ask.com"

FF - prefs.js..browser.search.order.1: "Ask.com"

FF - prefs.js..browser.search.selectedEngine: "Ask.com"

FF - prefs.js..browser.search.useDBForOrder: true

FF - prefs.js..browser.startup.homepage: "http://en-US.start3.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official"

FF - prefs.js..extensions.enabledItems: {AB2CE124-6272-4b12-94A9-7303C7397BD1}:4.2.0.5198

FF - prefs.js..keyword.URL: "http://websearch.ask.com/redirect?client=ff&src=kw&tb=UT2V5&o=15150&locale=en_US&q="

FF - HKLM\software\mozilla\Mozilla Firefox 3.6.8\extensions\\Components: C:\Program Files (x86)\Mozilla Firefox\components [2010-07-25 08:45:25 | 000,000,000 | ---D | M]

FF - HKLM\software\mozilla\Mozilla Firefox 3.6.8\extensions\\Plugins: C:\Program Files (x86)\Mozilla Firefox\plugins [2010-07-25 08:45:25 | 000,000,000 | ---D | M]

[2010-07-13 20:29:13 | 000,000,000 | ---D | M] -- C:\Users\User\AppData\Roaming\mozilla\Extensions

[2010-07-13 20:29:13 | 000,000,000 | ---D | M] -- C:\Users\User\AppData\Roaming\mozilla\Extensions\mozswing@mozswing.org

[2010-08-27 23:22:52 | 000,000,000 | ---D | M] -- C:\Users\User\AppData\Roaming\mozilla\Firefox\Profiles\stptfe9f.default\extensions

[2010-05-10 19:07:15 | 000,002,426 | ---- | M] () -- C:\Users\User\AppData\Roaming\Mozilla\FireFox\Profiles\stptfe9f.default\searchplugins\askcom.xml

[2010-08-28 14:55:06 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\Mozilla Firefox\extensions

[2010-06-27 22:08:42 | 000,000,000 | ---D | M] (Skype extension for Firefox) -- C:\Program Files (x86)\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}

[2010-05-19 10:38:12 | 000,063,488 | ---- | M] (Nullsoft, Inc.) -- C:\Program Files (x86)\Mozilla Firefox\plugins\npwachk.dll

O1 HOSTS File: ([2009-06-10 17:00:26 | 000,000,824 | ---- | M]) - C:\Windows\SysNative\drivers\etc\hosts

O2:64bit: - BHO: (McAfee SiteAdvisor BHO) - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\Program Files (x86)\McAfee\SiteAdvisor\x64\McIEPlg.dll (McAfee, Inc.)

O2 - BHO: (C:\Windows\SysWow64\zt8sh4vq4o.dll) - {B1BA40A2-75F2-51BD-F413-04B13A2C8953} - C:\Windows\SysWOW64\zt8sh4vq4o.dll ()

O3:64bit: - HKLM\..\Toolbar: (McAfee SiteAdvisor Toolbar) - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\Program Files (x86)\McAfee\SiteAdvisor\x64\McIEPlg.dll (McAfee, Inc.)

O3 - HKLM\..\Toolbar: (McAfee SiteAdvisor Toolbar) - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\Program Files (x86)\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)

O3 - HKLM\..\Toolbar: (Ask Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll File not found

O3 - HKCU\..\Toolbar\WebBrowser: (Ask Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll File not found

O4:64bit: - HKLM..\Run: [COMODO Internet Security] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe (COMODO)

O4 - HKLM..\Run: [DivXUpdate] C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe ()

O4 - HKLM..\Run: [GrooveMonitor] C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe (Microsoft Corporation)

O4 - HKLM..\Run: [WinampAgent] C:\Program Files (x86)\Winamp\winampa.exe (Nullsoft, Inc.)

O4 - HKCU..\Run: [hse897ifdsjf98u3heuidhfdd] C:\Users\User\AppData\Local\Temp\cryv3jo.exe File not found

O4 - HKCU..\Run: [msnmsgr] C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe (Microsoft Corporation)

O4 - HKCU..\Run: [steam] c:\program files (x86)\steam\steam.exe (Valve Corporation)

O4 - Startup: C:\Users\User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LimeWire On Startup.lnk = C:\Program Files (x86)\LimeWire\LimeWire.exe File not found

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 1

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktopChanges = 1

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 0

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: PromptOnSecureDesktop = 0

O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145

O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoFolderOptions = 1

O9 - Extra Button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files (x86)\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)

O9 - Extra 'Tools' menuitem : S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files (x86)\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)

O9 - Extra Button: Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)

O9 - Extra 'Tools' menuitem : Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)

O13 - gopher Prefix: missing

O13 - gopher Prefix: missing

O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_18)

O16 - DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_18)

O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_18)

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab (Shockwave Flash Object)

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.2.1

O18:64bit: - Protocol\Handler\dssrequest {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files (x86)\McAfee\SiteAdvisor\x64\McIEPlg.dll (McAfee, Inc.)

O18:64bit: - Protocol\Handler\grooveLocalGWS {88FED34C-F0CA-4636-A375-3CB6248B04CD} - Reg Error: Key error. File not found

O18:64bit: - Protocol\Handler\livecall {828030A1-22C1-4009-854F-8E305202313F} - Reg Error: Key error. File not found

O18:64bit: - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - Reg Error: Key error. File not found

O18:64bit: - Protocol\Handler\msnim {828030A1-22C1-4009-854F-8E305202313F} - Reg Error: Key error. File not found

O18:64bit: - Protocol\Handler\sacore {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files (x86)\McAfee\SiteAdvisor\x64\McIEPlg.dll (McAfee, Inc.)

O18:64bit: - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - Reg Error: Key error. File not found

O18:64bit: - Protocol\Handler\skype-ie-addon-data {91774881-D725-4E58-B298-07617B9B86A8} - Reg Error: Key error. File not found

O18 - Protocol\Handler\dssrequest {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files (x86)\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)

O18 - Protocol\Handler\grooveLocalGWS {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveSystemServices.dll (Microsoft Corporation)

O18 - Protocol\Handler\sacore {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files (x86)\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)

O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll (Skype Technologies)

O18 - Protocol\Handler\skype-ie-addon-data {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)

O20:64bit: - AppInit_DLLs: (C:\Windows\system32\guard64.dll) - C:\Windows\SysNative\guard64.dll (COMODO)

O20 - AppInit_DLLs: (C:\Windows\SysWOW64\guard32.dll) - C:\Windows\SysWOW64\guard32.dll (COMODO)

O20:64bit: - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)

O20:64bit: - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\SysNative\SystemPropertiesPerformance.exe (Microsoft Corporation)

O20:64bit: - HKLM Winlogon: VMApplet - (/pagefile) - File not found

O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\SysWow64\explorer.exe (Microsoft Corporation)

O20 - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\SysWow64\SystemPropertiesPerformance.exe (Microsoft Corporation)

O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found

O21:64bit: - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - CLSID or File not found.

O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - CLSID or File not found.

O28 - HKLM ShellExecuteHooks: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)

O32 - HKLM CDRom: AutoRun - 1

O32 - AutoRun File - [1998-01-08 23:06:18 | 000,000,040 | R--- | M] () - D:\AUTORUN.INF -- [ CDFS ]

O33 - MountPoints2\{7900b8cc-feba-11d5-8a44-806e6f6e6963}\Shell - "" = AutoRun

O33 - MountPoints2\{7900b8cc-feba-11d5-8a44-806e6f6e6963}\Shell\AutoRun\command - "" = D:\SETUP.EXE -- [1998-01-14 03:11:20 | 000,025,088 | R--- | M] ()

O34 - HKLM BootExecute: (autocheck autochk *) - File not found

O35:64bit: - HKLM\..comfile [open] -- "%1" %*

O35:64bit: - HKLM\..exefile [open] -- "%1" %*

O35 - HKLM\..comfile [open] -- "%1" %*

O35 - HKLM\..exefile [open] -- "%1" %*

O37:64bit: - HKLM\...com [@ = comfile] -- "%1" %*

O37:64bit: - HKLM\...exe [@ = exefile] -- "%1" %*

O37 - HKLM\...com [@ = comfile] -- "%1" %*

O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010-08-28 22:45:35 | 000,574,976 | ---- | C] (OldTimer Tools) -- C:\Users\User\Desktop\OTL.exe

[2010-08-28 18:48:06 | 000,000,000 | ---D | C] -- C:\Users\User\AppData\Roaming\Malwarebytes

[2010-08-28 18:48:01 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\SysWow64\drivers\mbamswissarmy.sys

[2010-08-28 18:48:00 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes

[2010-08-28 18:47:59 | 000,024,664 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\SysNative\drivers\mbam.sys

[2010-08-28 18:47:59 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Malwarebytes' Anti-Malware

[2010-08-28 17:50:56 | 000,000,000 | ---D | C] -- C:\Users\User\AppData\Roaming\Bitrix Security

[2010-08-28 17:50:55 | 000,000,000 | ---D | C] -- C:\Users\User\AppData\Local\Windows Server

[2010-08-28 17:50:49 | 000,000,000 | ---D | C] -- C:\Users\User\AppData\Roaming\5B11715387799866231299B1BB60A272

[2010-08-27 22:43:48 | 000,000,000 | ---D | C] -- C:\Program Files\DivX

[2010-08-27 22:43:33 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Common Files\DivX Shared

[2010-08-27 22:42:12 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\DivX

[2010-08-27 22:41:48 | 000,000,000 | ---D | C] -- C:\ProgramData\DivX

[2010-08-27 04:53:18 | 000,000,000 | ---D | C] -- C:\Windows\Minidump

[2010-08-24 16:57:28 | 000,861,184 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\oleaut32.dll

[2010-08-23 17:56:46 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\World of Warcraft Beta

[2010-08-23 17:10:44 | 000,000,000 | ---D | C] -- C:\Users\User\Desktop\wow beta

[2010-08-12 00:08:33 | 005,507,968 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\ntoskrnl.exe

[2010-08-12 00:08:32 | 003,955,080 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\ntkrnlpa.exe

[2010-08-12 00:08:32 | 003,899,784 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\ntoskrnl.exe

[2010-08-12 00:08:29 | 000,256,000 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\iepeers.dll

[2010-08-12 00:08:28 | 000,247,808 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\ieui.dll

[2010-08-12 00:08:28 | 000,185,856 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\iepeers.dll

[2010-08-12 00:08:28 | 000,176,640 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\ieui.dll

[2010-08-12 00:08:28 | 000,012,800 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\msfeedssync.exe

[2010-08-12 00:08:28 | 000,012,288 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\msfeedssync.exe

[2010-08-12 00:08:27 | 000,052,224 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\rtutils.dll

[2010-08-12 00:08:27 | 000,037,376 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\rtutils.dll

[2010-08-12 00:08:26 | 000,082,944 | ---- | C] (Radius Inc.) -- C:\Windows\SysWow64\iccvid.dll

[2010-08-09 16:46:12 | 000,000,000 | ---D | C] -- C:\Users\User\Desktop\facebook uploads

[1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010-08-28 22:57:49 | 000,000,006 | -H-- | M] () -- C:\Windows\tasks\SA.DAT

[2010-08-28 22:57:40 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat

[2010-08-28 22:57:27 | 3220,574,208 | -HS- | M] () -- C:\hiberfil.sys

[2010-08-28 22:56:40 | 001,572,864 | -HS- | M] () -- C:\Users\User\NTUSER.DAT

[2010-08-28 22:56:18 | 003,741,767 | -H-- | M] () -- C:\Users\User\AppData\Local\IconCache.db

[2010-08-28 22:45:36 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Users\User\Desktop\OTL.exe

[2010-08-28 21:24:37 | 000,015,696 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0

[2010-08-28 21:24:37 | 000,015,696 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0

[2010-08-28 18:48:03 | 000,001,009 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk

[2010-08-28 18:19:35 | 000,000,130 | ---- | M] () -- C:\Windows\cfplogvw.INI

[2010-08-28 17:58:20 | 001,474,832 | ---- | M] () -- C:\Windows\SysNative\drivers\sfi.dat

[2010-08-28 17:51:06 | 000,000,005 | ---- | M] () -- C:\zrpt.xml

[2010-08-28 17:50:58 | 000,030,000 | ---- | M] () -- C:\Windows\SysWow64\zt8sh4vq4o.dll

[2010-08-28 17:50:56 | 000,030,000 | ---- | M] () -- C:\Windows\SysWow64\g77eyulqw.dll

[2010-08-27 23:09:56 | 000,001,607 | ---- | M] () -- C:\Users\User\Desktop\DivX Movies.lnk

[2010-08-27 22:44:02 | 000,001,112 | ---- | M] () -- C:\Users\Public\Desktop\DivX Plus Player.lnk

[2010-08-27 22:43:46 | 000,001,152 | ---- | M] () -- C:\Users\Public\Desktop\DivX Plus Converter.lnk

[2010-08-26 15:53:15 | 000,000,219 | ---- | M] () -- C:\Users\User\Desktop\Team Fortress 2.url

[2010-08-23 18:52:44 | 000,001,193 | ---- | M] () -- C:\Users\Public\Desktop\World of Warcraft Beta.lnk

[2010-08-12 03:23:56 | 000,413,312 | ---- | M] () -- C:\Windows\SysNative\FNTCACHE.DAT

[2010-08-09 17:31:17 | 000,000,151 | ---- | M] () -- C:\Windows\PhotoSnapViewer.INI

[1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010-08-28 18:48:03 | 000,001,009 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk

[2010-08-28 18:05:17 | 000,000,130 | ---- | C] () -- C:\Windows\cfplogvw.INI

[2010-08-28 17:51:02 | 000,000,005 | ---- | C] () -- C:\zrpt.xml

[2010-08-28 17:50:58 | 000,030,000 | ---- | C] () -- C:\Windows\SysWow64\zt8sh4vq4o.dll

[2010-08-28 17:50:56 | 000,030,000 | ---- | C] () -- C:\Windows\SysWow64\g77eyulqw.dll

[2010-08-27 23:09:56 | 000,001,607 | ---- | C] () -- C:\Users\User\Desktop\DivX Movies.lnk

[2010-08-27 22:44:02 | 000,001,112 | ---- | C] () -- C:\Users\Public\Desktop\DivX Plus Player.lnk

[2010-08-27 22:43:46 | 000,001,152 | ---- | C] () -- C:\Users\Public\Desktop\DivX Plus Converter.lnk

[2010-08-26 15:53:15 | 000,000,219 | ---- | C] () -- C:\Users\User\Desktop\Team Fortress 2.url

[2010-08-23 17:56:47 | 000,001,193 | ---- | C] () -- C:\Users\Public\Desktop\World of Warcraft Beta.lnk

[2010-08-09 16:48:18 | 000,000,151 | ---- | C] () -- C:\Windows\PhotoSnapViewer.INI

[2010-05-19 03:03:29 | 000,000,268 | ---- | C] () -- C:\Windows\{789289CA-F73A-4A16-A331-54D498CE069F}_WiseFW.ini

[2010-04-21 20:16:25 | 000,000,084 | ---- | C] () -- C:\Users\User\AppData\Local\DVDPATH.TXT

[2010-04-02 17:17:34 | 000,179,091 | ---- | C] () -- C:\Windows\SysWow64\xlive.dll.cat

[2009-07-13 19:42:10 | 000,064,000 | ---- | C] () -- C:\Windows\SysWow64\BWContextHandler.dll

[2009-07-13 17:03:59 | 000,364,544 | ---- | C] () -- C:\Windows\SysWow64\msjetoledb40.dll

< End of report >

--------------------------------------------------------------------------------------------------------------------------------------------------------------------------

And the EXTRA

OTL Extras logfile created on: 2010-08-28 23:00:08 - Run 1

OTL by OldTimer - Version 3.2.11.0 Folder = C:\Users\User\Desktop

64bit- Home Premium Edition (Version = 6.1.7600) - Type = NTWorkstation

Internet Explorer (Version = 8.0.7600.16385)

Locale: 00000C0C | Country: Canada | Language: FRC | Date Format: yyyy-MM-dd

4,00 Gb Total Physical Memory | 3,00 Gb Available Physical Memory | 73,00% Memory free

8,00 Gb Paging File | 7,00 Gb Available in Paging File | 85,00% Paging File free

Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)

Drive C: | 465,66 Gb Total Space | 313,24 Gb Free Space | 67,27% Space Free | Partition Type: NTFS

Drive D: | 637,02 Mb Total Space | 0,00 Mb Free Space | 0,00% Space Free | Partition Type: CDFS

E: Drive not present or media not loaded

F: Drive not present or media not loaded

G: Drive not present or media not loaded

H: Drive not present or media not loaded

I: Drive not present or media not loaded

Computer Name: USER-PC

Current User Name: User

Logged in as Administrator.

Current Boot Mode: Normal

Scan Mode: Current user

Include 64bit Scans

Company Name Whitelist: Off

Skip Microsoft Files: Off

File Age = 30 Days

Output = Standard

========== Extra Registry (SafeList) ==========

========== File Associations ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

.cpl [@ = cplfile] -- C:\Windows\SysWow64\control.exe (Microsoft Corporation)

[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]

.html [@ = FirefoxHTML] -- C:\Program Files (x86)\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]

batfile [open] -- "%1" %* File not found

cmdfile [open] -- "%1" %* File not found

comfile [open] -- "%1" %* File not found

exefile [open] -- "%1" %* File not found

helpfile [open] -- Reg Error: Key error.

htmlfile [edit] -- "C:\Program Files (x86)\Microsoft Office\Office12\msohtmed.exe" %1 (Microsoft Corporation)

htmlfile [print] -- "C:\Program Files (x86)\Microsoft Office\Office12\msohtmed.exe" /p %1 (Microsoft Corporation)

inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)

InternetShortcut [print] -- "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\mshtml.dll",PrintHTML "%1" (Microsoft Corporation)

piffile [open] -- "%1" %* File not found

regfile [merge] -- Reg Error: Key error.

scrfile [config] -- "%1" File not found

scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)

scrfile [open] -- "%1" /S File not found

txtfile [edit] -- Reg Error: Key error.

Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1 File not found

Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)

Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

Directory [OneNote.Open] -- C:\PROGRA~2\MICROS~2\Office12\ONENOTE.EXE "%L" (Microsoft Corporation)

Directory [Winamp.Bookmark] -- "C:\Program Files (x86)\Winamp\winamp.exe" /BOOKMARK "%1" (Nullsoft, Inc.)

Directory [Winamp.Enqueue] -- "C:\Program Files (x86)\Winamp\winamp.exe" /ADD "%1" (Nullsoft, Inc.)

Directory [Winamp.Play] -- "C:\Program Files (x86)\Winamp\winamp.exe" "%1" (Nullsoft, Inc.)

Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

Folder [explore] -- Reg Error: Value error.

Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]

batfile [open] -- "%1" %*

cmdfile [open] -- "%1" %*

comfile [open] -- "%1" %*

cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)

exefile [open] -- "%1" %*

helpfile [open] -- Reg Error: Key error.

htmlfile [edit] -- "C:\Program Files (x86)\Microsoft Office\Office12\msohtmed.exe" %1 (Microsoft Corporation)

htmlfile [print] -- "C:\Program Files (x86)\Microsoft Office\Office12\msohtmed.exe" /p %1 (Microsoft Corporation)

inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)

InternetShortcut [print] -- "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\mshtml.dll",PrintHTML "%1" (Microsoft Corporation)

piffile [open] -- "%1" %*

regfile [merge] -- Reg Error: Key error.

scrfile [config] -- "%1"

scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)

scrfile [open] -- "%1" /S

txtfile [edit] -- Reg Error: Key error.

Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1

Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)

Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

Directory [OneNote.Open] -- C:\PROGRA~2\MICROS~2\Office12\ONENOTE.EXE "%L" (Microsoft Corporation)

Directory [Winamp.Bookmark] -- "C:\Program Files (x86)\Winamp\winamp.exe" /BOOKMARK "%1" (Nullsoft, Inc.)

Directory [Winamp.Enqueue] -- "C:\Program Files (x86)\Winamp\winamp.exe" /ADD "%1" (Nullsoft, Inc.)

Directory [Winamp.Play] -- "C:\Program Files (x86)\Winamp\winamp.exe" "%1" (Nullsoft, Inc.)

Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

Folder [explore] -- Reg Error: Value error.

Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]

"cval" = 0

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]

"VistaSp1" = 28 4D B2 76 41 04 CA 01 [binary data]

"AntiVirusOverride" = 0

"AntiSpywareOverride" = 0

"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

"DisableNotifications" = 0

"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]

"DisableNotifications" = 0

"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]

"DisableNotifications" = 0

"EnableFirewall" = 1

========== Authorized Applications List ==========

========== HKEY_LOCAL_MACHINE Uninstall List ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]

"{4B6C7001-C7D6-3710-913E-5BC23FCE91E6}" = Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.4148

"{5F94D3B9-2B02-9C37-740B-A59C7B8D17CC}" = ATI Catalyst Install Manager

"{90120000-002A-0000-1000-0000000FF1CE}" = Microsoft Office Office 64-bit Components 2007

"{90120000-002A-0409-1000-0000000FF1CE}" = Microsoft Office Shared 64-bit MUI (English) 2007

"{90120000-0116-0409-1000-0000000FF1CE}" = Microsoft Office Shared 64-bit Setup Metadata MUI (English) 2007

"{95120000-00B9-0409-1000-0000000FF1CE}" = Microsoft Application Error Reporting

"{A792E67C-FDA4-A301-0C3C-53BA86EFBB5A}" = ccc-utility64

"{F5B09CFD-F0B2-36AF-8DF4-1DF6B63FC7B4}" = Microsoft .NET Framework 4 Client Profile

"COMODO Internet Security" = COMODO Internet Security

"Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]

"{048298C9-A4D3-490B-9FF9-AB023A9238F3}" = Steam

"{205C6BDD-7B73-42DE-8505-9A093F35A238}" = Windows Live Upload Tool

"{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}" = MSVCRT

"{26A24AE4-039D-4CA4-87B4-2F83216018FF}" = Java 6 Update 18

"{35ED3F83-4BDC-4c44-8EC6-6A8301C7413A}" = McAfee SiteAdvisor

"{3D6A24EA-A543-6C84-351E-D7646E7AB86E}" = Catalyst Control Center InstallProxy

"{43FFE159-3199-4188-A1CD-629166AD1033}" = Nero 7 Ultra Edition

"{45338B07-A236-4270-9A77-EBB4115517B5}" = Windows Live Sign-in Assistant

"{47CAFF95-C3D8-ABF2-70BC-89DE00D8FB19}" = Catalyst Control Center Graphics Light

"{4962EBAC-AE7C-1B22-1EA0-0916A7E40954}" = Catalyst Control Center Graphics Full Existing

"{49A62E2B-B35C-941D-DF48-601207CF14C0}" = Catalyst Control Center Graphics Previews Common

"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater

"{4B35F00C-E63D-40DC-9839-DF15A33EAC46}" = Grand Theft Auto Vice City

"{56C049BE-79E9-4502-BEA7-9754A3E60F9B}" = neroxml

"{5EE7D259-D137-4438-9A5F-42F432EC0421}" = VC80CRTRedist - 8.0.50727.4053

"{6A490E11-6C8A-777C-4E00-43F3CC16A1EC}" = CCC Help English

"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable

"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053

"{77919701-C3E7-09AA-D2F7-DBF42CD7C13D}" = Catalyst Control Center HydraVision Full

"{789289CA-F73A-4A16-A331-54D498CE069F}" = Ventrilo Client

"{78B2F09F-BDC7-7865-CF4C-233B64A3BE51}" = Catalyst Control Center Graphics Full New

"{7B9CC60A-9B81-46A3-A953-76B6BF9EEC97}" = Age of Empires III

"{81128EE8-8EAD-4DB0-85C6-17C2CE50FF71}" = Windows Live Essentials

"{86D4B82A-ABED-442A-BE86-96357B70F4FE}" = Ask Toolbar

"{87BB78C4-F36D-4D93-A7C7-F80F18219848}" = AMD DnD V1.0.19

"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight

"{8D7133DE-27D2-47E5-B248-4180278D32AA}" = Catalyst Control Center - Branding

"{8FB1B528-E260-451E-9B55-E9152F94B80B}" = Microsoft Games for Windows - LIVE Redistributable

"{90120000-0015-0409-0000-0000000FF1CE}" = Microsoft Office Access MUI (English) 2007

"{90120000-0015-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)

"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007

"{90120000-0016-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)

"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007

"{90120000-0018-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)

"{90120000-0019-0409-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (English) 2007

"{90120000-0019-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)

"{90120000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2007

"{90120000-001A-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)

"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007

"{90120000-001B-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)

"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007

"{90120000-001F-0409-0000-0000000FF1CE}_ENTERPRISE_{ABDDE972-355B-4AF1-89A8-DA50B7B5C045}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)

"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007

"{90120000-001F-040C-0000-0000000FF1CE}_ENTERPRISE_{F580DDD5-8D37-4998-968E-EBB76BB86787}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)

"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007

"{90120000-001F-0C0A-0000-0000000FF1CE}_ENTERPRISE_{187308AB-5FA7-4F14-9AB9-D290383A10D9}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)

"{90120000-002A-0000-1000-0000000FF1CE}_ENTERPRISE_{E64BA721-2310-4B55-BE5A-2925F9706192}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)

"{90120000-002A-0409-1000-0000000FF1CE}_ENTERPRISE_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)

"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007

"{90120000-0030-0000-0000-0000000FF1CE}" = Microsoft Office Enterprise 2007

"{90120000-0030-0000-0000-0000000FF1CE}_ENTERPRISE_{0B36C6D6-F5D8-4EAF-BF94-4376A230AD5B}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)

"{90120000-0030-0000-0000-0000000FF1CE}_ENTERPRISE_{3D019598-7B59-447A-80AE-815B703B84FF}" = Security Update for Microsoft Office system 2007 (972581)

"{90120000-0044-0409-0000-0000000FF1CE}" = Microsoft Office InfoPath MUI (English) 2007

"{90120000-0044-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)

"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007

"{90120000-006E-0409-0000-0000000FF1CE}_ENTERPRISE_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)

"{90120000-00A1-0409-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (English) 2007

"{90120000-00A1-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)

"{90120000-00BA-0409-0000-0000000FF1CE}" = Microsoft Office Groove MUI (English) 2007

"{90120000-00BA-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)

"{90120000-0114-0409-0000-0000000FF1CE}" = Microsoft Office Groove Setup Metadata MUI (English) 2007

"{90120000-0114-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)

"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007

"{90120000-0115-0409-0000-0000000FF1CE}_ENTERPRISE_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)

"{90120000-0116-0409-1000-0000000FF1CE}_ENTERPRISE_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)

"{90120000-0117-0409-0000-0000000FF1CE}" = Microsoft Office Access Setup Metadata MUI (English) 2007

"{90120000-0117-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)

"{974C4B12-4D02-4879-85E0-61C95CC63E9E}" = Fallout 3

"{981029E0-7FC9-4CF3-AB39-6F133621921A}" = Skype Toolbars

"{A85FD55B-891B-4314-97A5-EA96C0BD80B5}" = Windows Live Messenger

"{AC76BA86-7AD7-1033-7B44-A92000000001}" = Adobe Reader 9.2

"{D103C4BA-F905-437A-8049-DB24763BBE36}" = Skype


  • Staff

Hi,

Before we continue, please go to this website, and complete the form as follows:

Link to topic where this file was requested: http://forums.spywareinfo.com/index.php?showtopic=110045

Browse to the file you want to submit:

Click Browse, and navigate to the following file:

C:\Windows\cfplogvw.INI

Leave any comments, further information about this file, or contact information: From screen317 for SDFix.

Repeat with these files:

C:\zrpt.xml

C:\Windows\SysWow64\zt8sh4vq4o.dll

C:\Windows\SysWow64\g77eyulqw.dll

Next, run OTL

  • Under the Custom Scans/Fixes box at the bottom, paste in the following
    :OTL
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 1
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktopChanges = 1
    O2 - BHO: (C:\Windows\SysWow64\zt8sh4vq4o.dll) - {B1BA40A2-75F2-51BD-F413-04B13A2C8953} - C:\Windows\SysWOW64\zt8sh4vq4o.dll ()
    O4 - HKCU..\Run: [hse897ifdsjf98u3heuidhfdd] C:\Users\User\AppData\Local\Temp\cryv3jo.exe File not found
    :Files
    C:\Windows\cfplogvw.INI
    C:\zrpt.xml
    C:\Windows\SysWow64\zt8sh4vq4o.dll
    C:\Windows\SysWow64\g77eyulqw.dll
    :Commands
    [emptytemp]
    [Reboot]


  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

Your computer will restart. Next, please run a free online scan with the ESET Online Scanner

Note: You will need to use Internet Explorer for this scan.

  1. Tick the box next to YES, I accept the Terms of Use.
  2. Click Start
  3. When asked, allow the ActiveX control to install
  4. Click Start
  5. Make sure that the options Remove found threats and the option Scan unwanted applications is checked
  6. Click Scan
    Wait for the scan to finish
  7. Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  8. Copy and paste that log as a reply to this topic

Next, download my Security Check from here or here.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Let me know how things are running now and what issues remain.

-screen317


I think things are running OK. The online scanner found 5 Trojans, and was only able to deal with 2, I think. I'm not sure why COMODO did not pick them up before. So am I still infected? And was that the initial problem that you suspected? I'm just a curious guy, and I like to learn, so any info would be appreciated if you have the time.

Alright, I submitted the files you wanted me to, but the first one had a different message than the other ones. So I'm not sure if you want me to do it again. It says it was successful, but I'll post it anyway:

" Your file was successfully submitted. Please let the user helping you know that you have submitted the file.Query failed : MySQL server has gone away "

Here is the OTL log:

All processes killed

========== OTL ==========

Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoActiveDesktop deleted successfully.

Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoActiveDesktopChanges deleted successfully.

Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B1BA40A2-75F2-51BD-F413-04B13A2C8953}\ deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B1BA40A2-75F2-51BD-F413-04B13A2C8953}\ deleted successfully.

C:\Windows\SysWOW64\zt8sh4vq4o.dll moved successfully.

Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\hse897ifdsjf98u3heuidhfdd deleted successfully.

========== FILES ==========

C:\Windows\cfplogvw.INI moved successfully.

C:\zrpt.xml moved successfully.

File\Folder C:\Windows\SysWow64\zt8sh4vq4o.dll not found.

C:\Windows\SysWow64\g77eyulqw.dll moved successfully.

========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 33170 bytes

User: Default User

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 0 bytes

User: Public

User: User

->Temp folder emptied: 2329210642 bytes

->Temporary Internet Files folder emptied: 47804419 bytes

->Java cache emptied: 1972030 bytes

->FireFox cache emptied: 77233220 bytes

->Flash cache emptied: 33757 bytes

%systemdrive% .tmp files removed: 0 bytes

%systemroot% .tmp files removed: 2870272 bytes

%systemroot%\System32 .tmp files removed: 0 bytes

%systemroot%\System32 (64bit) .tmp files removed: 0 bytes

%systemroot%\System32\drivers .tmp files removed: 0 bytes

Windows Temp folder emptied: 19838435 bytes

%systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 50333 bytes

RecycleBin emptied: 1212712824 bytes

Total Files Cleaned = 3


Oh, and I just finished another scan with MBAM. I'm having the same problem :( Cannot delete the file.

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 4497

Windows 6.1.7600

Internet Explorer 8.0.7600.16385

2010-08-29 00:39:35

mbam-log-2010-08-29 (00-39-35).txt

Scan type: Quick scan

Objects scanned: 139011

Time elapsed: 3 minute(s), 3 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 1

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\nofolderoptions (Hijack.FolderOptions) -> Delete on reboot.

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)


  • Staff

Please do not restart your computer until I give you the okay.

Next, please download SystemLook from one of the links below and save it to your Desktop.

Download Mirror #1

Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    :filefind
    wininit.exe


  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.

Note: The log can also be found on your Desktop entitled SystemLook.txt


I reset it after I did the last MBAM scan, just FYI. Just in case I need to run things again.

SystemLook v1.0 by jpshortstuff (11.01.10)

Log created at 01:42 on 29/08/2010 by User (Administrator - Elevation successful)

========== filefind ==========

Searching for "wininit.exe"

C:\Windows\System32\wininit.exe --a--- 96256 bytes [23:36 13/07/2009] [01:14 14/07/2009] D3B8B7528B47109481165D65EDB953BB

C:\Windows\SysWOW64\wininit.exe --a--- 96256 bytes [23:36 13/07/2009] [01:14 14/07/2009] D3B8B7528B47109481165D65EDB953BB

C:\Windows\winsxs\amd64_microsoft-windows-wininit_31bf3856ad364e35_6.1.7600.16385_none_8ce7aa761e01ad49\wininit.exe --a--- 129024 bytes [23:52 13/07/2009] [01:39 14/07/2009] 94355C28C1970635A31B3FE52EB7CEBA

C:\Windows\winsxs\x86_microsoft-windows-wininit_31bf3856ad364e35_6.1.7600.16385_none_30c90ef265a43c13\wininit.exe --a--- 96256 bytes [23:36 13/07/2009] [01:14 14/07/2009] B5C5DCAD3899512020D135600129D665

-=End Of File=-


Hey,

Alright for C:\Windows\System32\wininit.exe:


Antivirus Version Last update Result

AhnLab-V3 2010.08.29.00 2010.08.28 Trojan/Win32.Patched

AntiVir 8.2.4.46 2010.08.29 TR/Spy.96256.30

Antiy-AVL 2.0.3.7 2010.08.26 Trojan/Win32.Patched.gen

Authentium 5.2.0.5 2010.08.29 W32/Patched.B

Avast 4.8.1351.0 2010.08.29 -

Avast5 5.0.594.0 2010.08.29 Win32:Bamital-X

AVG 9.0.0.851 2010.08.29 -

BitDefender 7.2 2010.08.30 Win32.Loader.O

CAT-QuickHeal 11.00 2010.08.28 -

ClamAV 0.96.2.0-git 2010.08.30 -

Comodo 5903 2010.08.29 -

DrWeb 5.0.2.03300 2010.08.30 Win32.Dat.3

Emsisoft 5.0.0.37 2010.08.29 Trojan.Win32.Patched!IK

eSafe 7.0.17.0 2010.08.29 -

eTrust-Vet 36.1.7823 2010.08.27 Win32/Patcher.F

F-Prot 4.6.1.107 2010.08.29 W32/Patched.B

F-Secure 9.0.15370.0 2010.08.29 Win32.Loader.O

Fortinet 4.1.143.0 2010.08.29 -

GData 21 2010.08.30 Win32.Loader.O

Ikarus T3.1.1.88.0 2010.08.29 Trojan.Win32.Patched

Jiangmin 13.0.900 2010.08.29 -

Kaspersky 7.0.0.125 2010.08.30 Trojan.Win32.Patched.kl

McAfee 5.400.0.1158 2010.08.30 Artemis!D3B8B7528B47

Microsoft 1.6103 2010.08.29 -

NOD32 5407 2010.08.29 Win32/Bamital.DX

Norman 6.05.11 2010.08.29 W32/Patched.Q

nProtect 2010-08-29.01 2010.08.29 Win32.Loader.O

Panda 10.0.2.7 2010.08.29 W32/Patched.AC

PCTools 7.0.3.5 2010.08.30 -

Prevx 3.0 2010.08.30 High Risk Cloaked Malware

Rising 22.62.05.03 2010.08.28 Trojan.Win32.Generic.5225A171

Sophos 4.56.0 2010.08.29 -

Sunbelt 6809 2010.08.29 Virus.Win32.Bamital.c (v)

SUPERAntiSpyware 4.40.0.1006 2010.08.29 -

Symantec 20101.1.1.7 2010.08.30 -

TheHacker 6.5.2.1.358 2010.08.29 -

TrendMicro 9.120.0.1004 2010.08.29 -

TrendMicro-HouseCall 9.120.0.1004 2010.08.30 -

VBA32 3.12.14.0 2010.08.27 -

ViRobot 2010.8.28.4013 2010.08.29 Win32.Patched.AF

VirusBuster 5.0.27.0 2010.08.29 -

MD5: d3b8b7528b47109481165d65edb953bb

SHA1: 087b5f64beaf38990e56eba436935404ebfce123

SHA256: 50d5bc0d65bae5c151c6452b71745ebc33886da2dd761b780b69d194659bd139

File size: 96256 bytes

Scan date: 2010-08-29 23:47:56 (UTC)


------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

And for C:\Windows\SysWOW64\wininit.exe :

Antivirus Version Last update Result

AhnLab-V3 2010.08.29.00 2010.08.28 Trojan/Win32.Patched

AntiVir 8.2.4.46 2010.08.29 TR/Spy.96256.30

Antiy-AVL 2.0.3.7 2010.08.26 Trojan/Win32.Patched.gen

Authentium 5.2.0.5 2010.08.29 W32/Patched.B

Avast 4.8.1351.0 2010.08.29 -

Avast5 5.0.594.0 2010.08.29 Win32:Bamital-X

AVG 9.0.0.851 2010.08.29 -

BitDefender 7.2 2010.08.30 Win32.Loader.O

CAT-QuickHeal 11.00 2010.08.28 -

ClamAV 0.96.2.0-git 2010.08.30 -

Comodo 5903 2010.08.29 -

DrWeb 5.0.2.03300 2010.08.30 Win32.Dat.3

eTrust-Vet 36.1.7823 2010.08.27 Win32/Patcher.F

F-Prot 4.6.1.107 2010.08.29 W32/Patched.B

F-Secure 9.0.15370.0 2010.08.29 Win32.Loader.O

Fortinet 4.1.143.0 2010.08.29 -

GData 21 2010.08.30 Win32.Loader.O

Ikarus T3.1.1.88.0 2010.08.29 Trojan.Win32.Patched

Jiangmin 13.0.900 2010.08.29 -

Kaspersky 7.0.0.125 2010.08.30 Trojan.Win32.Patched.kl

McAfee 5.400.0.1158 2010.08.30 Artemis!D3B8B7528B47

Microsoft 1.6103 2010.08.29 -

NOD32 5407 2010.08.29 Win32/Bamital.DX

Norman 6.05.11 2010.08.29 W32/Patched.Q

nProtect 2010-08-29.01 2010.08.29 Win32.Loader.O

Panda 10.0.2.7 2010.08.29 W32/Patched.AC

PCTools 7.0.3.5 2010.08.30 -

Prevx 3.0 2010.08.30 High Risk Cloaked Malware

Rising 22.62.05.03 2010.08.28 Trojan.Win32.Generic.5225A171

Sophos 4.56.0 2010.08.29 -

Sunbelt 6809 2010.08.29 Virus.Win32.Bamital.c (v)

SUPERAntiSpyware 4.40.0.1006 2010.08.29 -

Symantec 20101.1.1.7 2010.08.30 -

TheHacker 6.5.2.1.358 2010.08.29 -

TrendMicro 9.120.0.1004 2010.08.29 -

TrendMicro-HouseCall 9.120.0.1004 2010.08.30 -

VBA32 3.12.14.0 2010.08.27 -

ViRobot 2010.8.28.4013 2010.08.29 Win32.Patched.AF

VirusBuster 5.0.27.0 2010.08.29 -

MD5: d3b8b7528b47109481165d65edb953bb

SHA1: 087b5f64beaf38990e56eba436935404ebfce123

SHA256: 50d5bc0d65bae5c151c6452b71745ebc33886da2dd761b780b69d194659bd139

File size: 96256 bytes

Scan date: 2010-08-29 23:49:20 (UTC)


Hi,

I'm just wondering if there is any update, and whether those files are safe to remove. I've had my computer locked down since I got infected. I don't dare log on to anything except this forum for fear of keyloggers. And sorry if I come off as impatient :( I hope I don't; I just want to get my computer healthy again ASAP so I can arrange a few things for school.

Thank you for your time,


  • Staff

Hi dan1234,

This case is a bit different since you have a 64-bit computer. A little more research is required before we actually fix the infection.

Click Start and type in Internet Explorer (64-bit); click on it when it appears.

From there, navigate to VirusTotal. Upload this file only:

C:\Windows\System32\wininit.exe

Post its results here.

After that, download this version of SystemLook.

Follow the same instructions and copy the same text as in Post 11. Post the results here.


Hey,

Is it safe to restart my comp yet? It's been on for about 3 days, and it's getting a bit sluggish. And is there anything I shouldn't do right now? I don't know if I'll cause the virus to morph, or what it does. A heads-up would be nice if you know :)

Here's the VirusTotal scan:

Antivirus Version Last Update Result

AhnLab-V3 2010.09.01.01 2010.09.01 -

AntiVir 8.2.4.46 2010.09.01 -

Antiy-AVL 2.0.3.7 2010.09.01 -

Authentium 5.2.0.5 2010.09.01 -

Avast 4.8.1351.0 2010.09.01 -

Avast5 5.0.594.0 2010.09.01 -

AVG 9.0.0.851 2010.09.01 -

BitDefender 7.2 2010.09.01 -

CAT-QuickHeal 11.00 2010.09.01 -

ClamAV 0.96.2.0-git 2010.09.01 -

Comodo 5934 2010.09.01 -

DrWeb 5.0.2.03300 2010.09.01 -

Emsisoft 5.0.0.37 2010.09.01 -

eSafe 7.0.17.0 2010.08.30 -

eTrust-Vet 36.1.7830 2010.09.01 -

F-Prot 4.6.1.107 2010.08.31 -

F-Secure 9.0.15370.0 2010.09.01 -

Fortinet 4.1.143.0 2010.09.01 -

GData 21 2010.09.01 -

Ikarus T3.1.1.88.0 2010.09.01 -

Jiangmin 13.0.900 2010.08.30 -

K7AntiVirus 9.63.2406 2010.08.31 -

Kaspersky 7.0.0.125 2010.09.01 -

McAfee 5.400.0.1158 2010.09.01 -

McAfee-GW-Edition 2010.1B 2010.09.01 -

Microsoft 1.6103 2010.09.01 -

NOD32 5414 2010.09.01 -

Norman 6.05.11 2010.09.01 -

nProtect 2010-09-01.01 2010.09.01 -

Panda 10.0.2.7 2010.08.31 -

PCTools 7.0.3.5 2010.09.01 -

Prevx 3.0 2010.09.01 -

Rising 22.63.02.04 2010.09.01 -

Sophos 4.56.0 2010.09.01 -

Sunbelt 6820 2010.09.01 -

SUPERAntiSpyware 4.40.0.1006 2010.09.01 -

Symantec 20101.1.1.7 2010.09.01 -

TheHacker 6.5.2.1.360 2010.09.01 -

TrendMicro 9.120.0.1004 2010.09.01 -

TrendMicro-HouseCall 9.120.0.1004 2010.09.01 -

VBA32 3.12.14.0 2010.09.01 -

ViRobot 2010.8.31.4017 2010.09.01 -

VirusBuster 12.64.11.1 2010.08.31 -

Additional information

MD5 : 94355c28c1970635a31b3fe52eb7ceba

SHA1 : 2de5c051c0d7d8bcc14b1ca46be8ab9756f29320

SHA256: c4e98f07170cec69cacdd5cedb8927e48a2a299cb1b8cda87526e768af6174f0

ssdeep: 3072:s0B/QTDVkZQSb978a1Hdz87TXm8MysKGNkoIwdytH:PBs/S5QaJdzebdMKA3At

File size : 129024 bytes

First seen: 2009-08-07 06:05:26

Last seen : 2010-09-01 12:14:21

TrID:

Win64 Executable Generic (95.5%)

Generic Win/DOS Executable (2.2%)

DOS Executable Generic (2.2%)

Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)

sigcheck:

publisher....: Microsoft Corporation

copyright....: © Microsoft Corporation. All rights reserved.

product......: Microsoft_ Windows_ Operating System

description..: Windows Start-Up Application

original name: WinInit.exe

internal name: WinInit

file version.: 6.1.7600.16385 (win7_rtm.090713-1255)

comments.....: n/a

signers......: -

signing date.: -

verified.....: Unsigned

PEInfo: PE structure information

[[ basic data ]]

entrypointaddress: 0x6290

timedatestamp....: 0x4A5BC8C4 (Mon Jul 13 23:52:36 2009)

machinetype......: 0x8664 (AMD64)

[[ 6 section(s) ]]

name, viradd, virsiz, rawdsiz, ntropy, md5

.text, 0x1000, 0x12C98, 0x12E00, 6.26, 4b1d75922c295187a544dc1344a4d58d

.rdata, 0x14000, 0x88B8, 0x8A00, 4.40, ce28672e095f88135dfda780ad7d4330

.data, 0x1D000, 0x1080, 0x1000, 0.95, 95367f416fc52bf3ea9c478f4ea5c88e

.pdata, 0x1F000, 0xC78, 0xE00, 4.58, d722109189b024d71a054bc04e79a57f

.rsrc, 0x20000, 0x18F8, 0x1A00, 3.89, 6381f55a186421020e0dd3b70fb4655c

.reloc, 0x22000, 0x37C, 0x400, 4.92, 95b4a22296441fd7ad7b9a7f80ed81e7

[[ 8 import(s) ]]

USER32.dll: ExitWindowsEx, SetWindowStationUser, LoadLocalFonts, CreateDesktopW, SetProcessWindowStation, CloseWindowStation, CreateWindowStationW, CloseDesktop, SetUserObjectSecurity, SwitchDesktop, UpdatePerUserSystemParameters, RecordShutdownReason, GetAsyncKeyState, UnhookWindowsHookEx, SetWindowsHookExW, SetThreadDesktop, RegisterLogonProcess

msvcrt.dll: memcpy, _vsnwprintf, _wcsicmp, wcschr, memmove, __getmainargs, __C_specific_handler, _XcptFilter, _exit, _ismbblead, _cexit, exit, _acmdln, _initterm, _amsg_exit, __setusermatherr, _commode, _fmode, __set_app_type, _terminate@@YAXXZ, memset, wcsstr

ntdll.dll: NtShutdownSystem, RtlDeregisterWaitEx, RtlDestroyEnvironment, NtSetValueKey, NtCreateKey, RtlInitUnicodeString, RtlRegisterWait, RtlAllocateHeap, RtlFreeHeap, EtwEventUnregister, EtwEventEnabled, EtwEventWrite, RtlNtStatusToDosError, EtwEventRegister, NtQuerySystemInformation, RtlSetThreadIsCritical, RtlSetProcessIsCritical, EtwUnregisterTraceGuids, EtwRegisterTraceGuidsW, EtwGetTraceEnableFlags, NtOpenProcessToken, NtCompleteConnectPort, NtCreatePort, NtReplyWaitReceivePort, NtAcceptConnectPort, RtlRemovePrivileges, NtAllocateLocallyUniqueId, RtlUnhandledExceptionFilter, NtQueryInformationProcess, TpSimpleTryPost, RtlAddMandatoryAce, RtlCreateAcl, RtlFreeSid, RtlSetSaclSecurityDescriptor, RtlCreateSecurityDescriptor, RtlAddAce, RtlSetDaclSecurityDescriptor, RtlCopySid, RtlGetDaclSecurityDescriptor, RtlLengthSid, EtwGetTraceEnableLevel, EtwGetTraceLoggerHandle, EtwTraceMessage, NtClose, NtOpenThreadToken, NtPrivilegeCheck, NtPrivilegeObjectAuditAlarm, RtlInitializeCriticalSection, RtlAllocateAndInitializeSid, RtlLeaveCriticalSection, NtQueryInformationToken, RtlEnterCriticalSection, EtwEventWriteStartScenario, EtwEventActivityIdControl, RtlCompareUnicodeString, RtlInitUnicodeStringEx, RtlQueryEnvironmentVariable_U, RtlSetEnvironmentVariable, RtlCreateEnvironment, NtCreateEvent, RtlAdjustPrivilege, NtSystemDebugControl, RtlVirtualUnwind, RtlLookupFunctionEntry, RtlCaptureContext, NtReplyPort

API_MS_Win_Core_LocalRegistry_L1_1_0.dll: RegGetValueW, RegQueryValueExA, RegQueryInfoKeyA, RegEnumValueW, RegQueryInfoKeyW, RegDeleteValueW, RegSetValueExW, RegQueryValueExW, RegCloseKey, RegOpenKeyExW

RPCRT4.dll: RpcServerInqCallAttributesW, RpcStringFreeW, RpcServerUnregisterIf, RpcEpUnregister, RpcBindingVectorFree, RpcServerUseProtseqW, RpcServerInqDefaultPrincNameW, RpcServerRegisterAuthInfoW, RpcServerInqBindings, UuidFromStringW, RpcEpRegisterW, RpcExceptionFilter, RpcBindingServerFromClient, RpcBindingFree, RpcBindingToStringBindingW, RpcServerListen, RpcServerRegisterIfEx, RpcServerUseProtseqEpW, RpcRevertToSelf, RpcImpersonateClient, Ndr64AsyncServerCallAll, NdrAsyncServerCall, RpcServerTestCancel, I_RpcBindingIsClientLocal, RpcAsyncAbortCall, Ndr64AsyncClientCall, RpcBindingUnbind, RpcBindingBind, RpcAsyncInitializeHandle, RpcStringBindingParseW, RpcBindingCreateW, RpcAsyncCompleteCall, RpcBindingCopy, RpcAsyncCancelCall, NdrServerCall2, NdrServerCallAll, RpcBindingFromStringBindingW, RpcStringBindingComposeW, RpcBindingSetAuthInfoExW, I_RpcExceptionFilter, RpcMgmtIsServerListening, NdrClientCall3

KERNEL32.dll: HeapAlloc, HeapDestroy, HeapCreate, FreeLibrary, GetProcAddress, LoadLibraryW, SetEnvironmentVariableW, GetComputerNameW, HeapFree, SetThreadPriority, GetCurrentProcess, SetPriorityClass, SetThreadExecutionState, SetErrorMode, ResetEvent, SleepEx, CreateThread, WaitForMultipleObjectsEx, GetCurrentThread, QueueUserWorkItem, GetExitCodeProcess, WaitForSingleObject, FindClose, FindFirstFileW, GetWindowsDirectoryW, GetTickCount, CreateProcessW, ResumeThread, SetTimerQueueTimer, GetFileAttributesW, OpenProcess, DeleteTimerQueueTimer, GetProcessHeap, RegDeleteTreeW, UnhandledExceptionFilter, TerminateProcess, GetSystemTimeAsFileTime, GetCurrentThreadId, QueryPerformanceCounter, GetModuleHandleW, SetUnhandledExceptionFilter, GetStartupInfoW, DelayLoadFailureHook, LoadLibraryExA, MoveFileExW, FindVolumeClose, FindNextVolumeW, DeleteFileW, GetDriveTypeW, FindFirstVolumeW, ReadFile, LocalAlloc, CreateFileW, CreateDirectoryW, SetLastError, LocalFree, GetShortPathNameW, lstrcmpiW, ExpandEnvironmentStringsW, GetTimeFormatW, WaitForSingleObjectEx, GetDateFormatW, GetLocalTime, SystemTimeToFileTime, FileTimeToSystemTime, GetVersionExW, FindResourceExW, LoadResource, LockResource, CreateRemoteThread, GetCurrentProcessId, CloseHandle, Sleep, CreateTimerQueueTimer, SetEvent, GetLastError, CreateEventW, HeapSetInformation, lstrlenW

API_MS_Win_Security_LSALookup_L1_1_0.dll: LookupAccountSidLocalW

profapi.dll: -

-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

And here's the SystemLook log :

SystemLook 27.08.10 by jpshortstuff

Log created at 08:17 on 01/09/2010 by User

Administrator - Elevation successful

========== filefind ==========

Searching for "wininit.exe"

C:\Windows\System32\wininit.exe --a---- 129024 bytes [23:52 13/07/2009] [01:39 14/07/2009] 94355C28C1970635A31B3FE52EB7CEBA

C:\Windows\SysWOW64\wininit.exe --a---- 96256 bytes [23:36 13/07/2009] [01:14 14/07/2009] D3B8B7528B47109481165D65EDB953BB

C:\Windows\winsxs\amd64_microsoft-windows-wininit_31bf3856ad364e35_6.1.7600.16385_none_8ce7aa761e01ad49\wininit.exe --a---- 129024 bytes [23:52 13/07/2009] [01:39 14/07/2009] 94355C28C1970635A31B3FE52EB7CEBA

C:\Windows\winsxs\x86_microsoft-windows-wininit_31bf3856ad364e35_6.1.7600.16385_none_30c90ef265a43c13\wininit.exe --a---- 96256 bytes [23:36 13/07/2009] [01:14 14/07/2009] B5C5DCAD3899512020D135600129D665

-= EOF =-


  • Staff

Hi,

Please open Notepad. Copy and paste the following text (starting with @echo off) into the Notepad document.

Navigate to File --> Save As..., and save the file as filecopy.bat (make sure the Save As Type is set to All Files).

Save it to your Desktop.

@echo off
copy C:\Windows\winsxs\amd64_microsoft-windows-wininit_31bf3856ad364e35_6.1.7600.16385_none_8ce7aa761e01ad49\wininit.exe c:\wininit.exe
del %0

Now navigate to your Desktop, and double click filecopy.bat

A black window will open and close quickly. This is normal.

Verify that C:\wininit.exe has been created before proceeding.

Download BlitzBlank and save it to your desktop. Open Blitzblank.exe

Click OK at the warning (and take note of it, this is a VERY powerful tool!).

Click the script tab and copy/paste the following text there:

DeleteFile:
c:\windows\syswow64\wininit.exe
MoveFile:
C:\wininit.exe c:\windows\syswow64\wininit.exe

Click Execute Now. Your computer will need to reboot in order to replace the files.

When done, post me the report created by Blitzblank.

-screen317

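The check behind the SystemLook step above, as an added example that is not part of the original thread and not SystemLook's own code: a small Python script that parses the "filefind" lines and flags a live copy in System32 or SysWOW64 whose MD5 does not match the same-architecture copy that Windows keeps in WinSxS. It assumes the 64-bit Windows layout (System32 holds amd64 binaries, SysWOW64 holds x86 ones), treats the WinSxS component copy as the reference, and maps WinSxS `wow64_` components to x86 (an assumption; the log above only shows `amd64_` and `x86_`). The sample input is the four lines from the log above, embedded inline.

```python
import re
from collections import defaultdict

# Constructed sample input: the four "filefind" lines from the SystemLook log
# above (paths, sizes, timestamps and MD5s copied verbatim; nothing invented).
SAMPLE_LOG = """\
C:\\Windows\\System32\\wininit.exe --a---- 129024 bytes [23:52 13/07/2009] [01:39 14/07/2009] 94355C28C1970635A31B3FE52EB7CEBA
C:\\Windows\\SysWOW64\\wininit.exe --a---- 96256 bytes [23:36 13/07/2009] [01:14 14/07/2009] D3B8B7528B47109481165D65EDB953BB
C:\\Windows\\winsxs\\amd64_microsoft-windows-wininit_31bf3856ad364e35_6.1.7600.16385_none_8ce7aa761e01ad49\\wininit.exe --a---- 129024 bytes [23:52 13/07/2009] [01:39 14/07/2009] 94355C28C1970635A31B3FE52EB7CEBA
C:\\Windows\\winsxs\\x86_microsoft-windows-wininit_31bf3856ad364e35_6.1.7600.16385_none_30c90ef265a43c13\\wininit.exe --a---- 96256 bytes [23:36 13/07/2009] [01:14 14/07/2009] B5C5DCAD3899512020D135600129D665
"""

# One SystemLook filefind line: <path> <attrs> <size> bytes [created] [modified] <MD5>
LINE_RE = re.compile(
    r"^(?P<path>.+?) (?P<attrs>\S+) (?P<size>\d+) bytes "
    r"\[(?P<ctime>[^\]]+)\] \[(?P<mtime>[^\]]+)\] (?P<md5>[0-9A-Fa-f]{32})$"
)

# WinSxS component directories start with the architecture tag.
WINSXS_RE = re.compile(r"\\winsxs\\(amd64|x86|wow64)_")


def parse_filefind(log_text):
    """Return a list of dicts for every line that looks like a filefind hit."""
    records = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # headers, blank lines, "-= EOF =-"
        rec = m.groupdict()
        rec["size"] = int(rec["size"])
        rec["md5"] = rec["md5"].upper()
        records.append(rec)
    return records


def classify(path):
    """Map a path to (file name, architecture, is_winsxs_reference).

    Assumes x64 Windows: System32 = amd64, SysWOW64 = x86. Paths outside
    those three locations get arch None and are ignored by the check.
    """
    p = path.lower()
    name = p.rsplit("\\", 1)[-1]
    m = WINSXS_RE.search(p)
    if m:
        arch = "amd64" if m.group(1) == "amd64" else "x86"  # wow64_ -> x86 (assumption)
        return name, arch, True
    if "\\windows\\system32\\" in p:
        return name, "amd64", False
    if "\\windows\\syswow64\\" in p:
        return name, "x86", False
    return name, None, False


def check_against_winsxs(records):
    """Compare each live System32/SysWOW64 copy with its WinSxS reference hash(es)."""
    refs = defaultdict(set)  # (name, arch) -> MD5s of the WinSxS copies
    live = []
    for rec in records:
        name, arch, is_ref = classify(rec["path"])
        if arch is None:
            continue
        if is_ref:
            refs[(name, arch)].add(rec["md5"])
        else:
            live.append((name, arch, rec))

    findings = []
    for name, arch, rec in live:
        expected = refs.get((name, arch), set())
        if not expected:
            status = "no-reference"       # nothing in WinSxS to compare with
        elif rec["md5"] in expected:
            status = "ok"                 # live copy matches a WinSxS copy
        else:
            status = "MISMATCH"           # same name/arch, different bytes
        findings.append({
            "path": rec["path"],
            "arch": arch,
            "md5": rec["md5"],
            "expected": sorted(expected),
            "status": status,
        })
    return findings


if __name__ == "__main__":
    for f in check_against_winsxs(parse_filefind(SAMPLE_LOG)):
        print(f"{f['status']:12} {f['arch']:5} {f['path']}  md5={f['md5']}  winsxs={f['expected']}")
```

On the sample input the script reports `C:\Windows\System32\wininit.exe` as ok and `C:\Windows\SysWOW64\wininit.exe` as MISMATCH against the x86 WinSxS hash, which is the file the staff reply targets. A mismatch by itself is not proof of tampering: a hotfix can leave a newer binary in the live directory than the component version you happen to compare against. What makes this one suspicious is that the component version in the WinSxS path, the size and both timestamps are identical and only the hash differs, the pattern of a file patched in place. On a live system, checking the file's Authenticode signature (for example with Sysinternals sigcheck) is the stronger confirmation.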

I'm a little mixed up with the first part. So what is in Notepad should look like this? (minus the quotation marks)

"@echo off copy C:\Windows\winsxs\amd64_microsoft-windows-wininit_31bf3856ad364e35_6.1.7600.16385_none_8ce7aa761e01ad49\wininit.exe c:\wininit.exe

del %0"


Hey,

It's all done, but BlitzBlank never gave me a report on the reboot. When I did the reboot, I had a black screen with text in it before Windows launched. But apart from that, it was a normal reboot with no report that popped up. Unless it's sent somewhere, I'll look for it.

