rappbob
Honorary Members - 37 posts

Everything posted by rappbob

  1. 9:58 PM 8/5/2011

     ESETSmartInstaller@High as CAB hook log:
     OnlineScanner.ocx - registred OK
     # version=7
     # iexplore.exe=7.00.6000.16386 (vista_rtm.061101-2205)
     # OnlineScanner.ocx=1.0.0.6528
     # api_version=3.0.2
     # EOSSerial=3e3c6d3079b32149816b7530bde938d8
     # end=finished
     # remove_checked=true
     # archives_checked=false
     # unwanted_checked=true
     # unsafe_checked=false
     # antistealth_checked=true
     # utc_time=2011-08-06 01:44:22
     # local_time=2011-08-05 09:44:22 (-0500, Eastern Daylight Time)
     # country="United States"
     # lang=9
     # osver=6.0.6002 NT Service Pack 2
     # compatibility_mode=2560 16777215 100 0 0 0 0 0
     # compatibility_mode=5892 16776573 100 100 0 149196505 0 0
     # compatibility_mode=8192 67108863 100 0 525556 525556 0 0
     # scanned=209359
     # found=10
     # cleaned=10
     # scan_time=6129
     C:\Qoobox\Quarantine\C\Users\Bob Rapp\AppData\Local\ucepinuk.dll.vir  a variant of Win32/Kryptik.RAA trojan (cleaned by deleting - quarantined)  00000000000000000000000000000000  C
     C:\Qoobox\Quarantine\C\Users\Bob Rapp\AppData\Local\welonip.dll.vir  a variant of Win32/Cimag.HT trojan (cleaned by deleting - quarantined)  00000000000000000000000000000000  C
     C:\Qoobox\Quarantine\C\Users\Bob Rapp\AppData\Roaming\dwm.exe.vir  a variant of Win32/Kryptik.RER trojan (cleaned by deleting - quarantined)  00000000000000000000000000000000  C
     C:\Qoobox\Quarantine\C\Users\Bob Rapp\AppData\Roaming\Microsoft\conhost.exe.vir  a variant of Win32/Kryptik.RER trojan (cleaned by deleting - quarantined)  00000000000000000000000000000000  C
     C:\Qoobox\Quarantine\C\Users\Bob Rapp\AppData\Roaming\Mozilla\Firefox\Profiles\2o6881r8.default\extensions\{405c600e-f061-4a7c-827e-07e1c6c54c2f}\chrome.manifest.vir  Win32/TrojanDownloader.Tracur.F trojan (cleaned by deleting - quarantined)  00000000000000000000000000000000  C
     C:\Qoobox\Quarantine\C\Users\Bob Rapp\AppData\Roaming\Mozilla\Firefox\Profiles\2o6881r8.default\extensions\{700a9c8f-78ed-4eca-a302-d850df2205df}\chrome.manifest.vir  Win32/TrojanDownloader.Tracur.F trojan (cleaned by deleting - quarantined)  00000000000000000000000000000000  C
     C:\Qoobox\Quarantine\C\Users\Bob Rapp\AppData\Roaming\Mozilla\Firefox\Profiles\2o6881r8.default\extensions\{94e02daf-0928-4cbd-93eb-d6e28dda79d7}\chrome.manifest.vir  Win32/TrojanDownloader.Tracur.F trojan (cleaned by deleting - quarantined)  00000000000000000000000000000000  C
     C:\Qoobox\Quarantine\C\Users\Bob Rapp\AppData\Roaming\Mozilla\Firefox\Profiles\2o6881r8.default\extensions\{9a8ff4c4-a7c2-4416-980b-d6adefe155eb}\chrome.manifest.vir  Win32/TrojanDownloader.Tracur.F trojan (cleaned by deleting - quarantined)  00000000000000000000000000000000  C
     C:\Qoobox\Quarantine\C\Users\Bob Rapp\AppData\Roaming\Mozilla\Firefox\Profiles\2o6881r8.default\extensions\{a0659a33-c1da-412b-9cbe-e5d0d456bdd3}\chrome.manifest.vir  Win32/TrojanDownloader.Tracur.F trojan (cleaned by deleting - quarantined)  00000000000000000000000000000000  C
     C:\Users\Bob Rapp\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\46\1546992e-2c9c2f75  a variant of Win32/Kryptik.RER trojan (cleaned by deleting - quarantined)  00000000000000000000000000000000  C

     Security check

     Results of screen317's Security Check version 0.99.7
     Windows Vista Service Pack 2 (UAC is enabled)
     Internet Explorer 7 Out of date!
     ``````````````````````````````
     Antivirus/Firewall Check:
     Windows Firewall Enabled!
     ESET Online Scanner v3
     WMI entry may not exist for antivirus; attempting automatic update.
     ```````````````````````````````
     Anti-malware/Other Utilities Check:
     Malwarebytes' Anti-Malware
     Java 6 Update 23
     Out of date Java installed!
     Adobe Flash Player 10.3.181.26
     Adobe Reader 8.3.0
     Out of date Adobe Reader installed!
     ````````````````````````````````
     Process Check:
     objlist.exe by Laurent
     ``````````End of Log````````````

     Seems to be running well. I have another computer with the same issues. Can I post the logs here for you, and if so, which ones should I start with? Thanks for the help.
  2. MBAM from this afternoon

     Malwarebytes' Anti-Malware 1.51.1.1800
     www.malwarebytes.org

     Database version: 7387

     Windows 6.0.6002 Service Pack 2
     Internet Explorer 7.0.6002.18005

     8/5/2011 1:54:44 PM
     mbam-log-2011-08-05 (13-54-44).txt

     Scan type: Quick scan
     Objects scanned: 164285
     Time elapsed: 5 minute(s), 54 second(s)

     Memory Processes Infected: 0
     Memory Modules Infected: 0
     Registry Keys Infected: 3
     Registry Values Infected: 1
     Registry Data Items Infected: 0
     Folders Infected: 0
     Files Infected: 1

     Memory Processes Infected:
     (No malicious items detected)

     Memory Modules Infected:
     (No malicious items detected)

     Registry Keys Infected:
     HKEY_CLASSES_ROOT\CLSID\{01A71990-AAC5-4ABE-BFF2-4222561C03B3} (Trojan.Agent) -> Quarantined and deleted successfully.
     HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{01A71990-AAC5-4ABE-BFF2-4222561C03B3} (Trojan.Agent) -> Quarantined and deleted successfully.
     HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{01A71990-AAC5-4ABE-BFF2-4222561C03B3} (Trojan.Agent) -> Quarantined and deleted successfully.

     Registry Values Infected:
     HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer (PUM.Bad.Proxy) -> Value: ProxyServer -> Quarantined and deleted successfully.

     Registry Data Items Infected:
     (No malicious items detected)

     Folders Infected:
     (No malicious items detected)

     Files Infected:
     c:\Windows\System32\audiodev32.dll (Trojan.Agent) -> Quarantined and deleted successfully.

     MBAM from tonight

     Malwarebytes' Anti-Malware 1.51.1.1800
     www.malwarebytes.org

     Database version: 7387

     Windows 6.0.6002 Service Pack 2
     Internet Explorer 7.0.6002.18005

     8/5/2011 7:31:46 PM
     mbam-log-2011-08-05 (19-31-46).txt

     Scan type: Quick scan
     Objects scanned: 167719
     Time elapsed: 3 minute(s), 32 second(s)

     Memory Processes Infected: 0
     Memory Modules Infected: 0
     Registry Keys Infected: 0
     Registry Values Infected: 0
     Registry Data Items Infected: 0
     Folders Infected: 0
     Files Infected: 0

     Memory Processes Infected:
     (No malicious items detected)

     Memory Modules Infected:
     (No malicious items detected)

     Registry Keys Infected:
     (No malicious items detected)

     Registry Values Infected:
     (No malicious items detected)

     Registry Data Items Infected:
     (No malicious items detected)

     Folders Infected:
     (No malicious items detected)

     Files Infected:
     (No malicious items detected)

     Combofix to follow
  3. Hi, I tried to find that file but it is not on my computer. I ran a ComboFix this AM and I seem to remember that file being removed? Is that possible? It seems like my searches on Google are now clean. Is there something else I need to do?
  4. Thanks. I think this is what you wanted.

     DDS (Ver_2011-06-23.01) - NTFSx86
     Internet Explorer: 7.0.6002.18005  BrowserJavaVersion: 1.6.0_23
     Run by Bob Rapp at 19:04:14 on 2011-07-30
     Microsoft® Windows Vista™ Home Basic   6.0.6002.2.1252.1.1033.18.3002.1443 [GMT -4:00]
     .
     AV: Spyware Doctor with AntiVirus *Disabled/Updated* {2F668A56-D5E0-2DF1-A0AE-CB1284F42AB2}
     SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
     SP: Spyware Doctor *Disabled/Updated* {94076BB2-F3DA-227F-9A1E-F060FF73600F}
     .
     ============== Running Processes ===============
     .
     C:\Windows\system32\wininit.exe
     C:\Windows\system32\lsm.exe
     C:\Windows\system32\svchost.exe -k DcomLaunch
     C:\Windows\system32\svchost.exe -k rpcss
     C:\Windows\System32\svchost.exe -k secsvcs
     C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
     C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
     C:\Windows\system32\svchost.exe -k netsvcs
     C:\Windows\system32\SLsvc.exe
     C:\Windows\system32\svchost.exe -k LocalService
     C:\Windows\system32\svchost.exe -k NetworkService
     C:\Windows\system32\WLANExt.exe
     C:\Windows\System32\spoolsv.exe
     C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
     C:\Program Files\IObit\Advanced SystemCare 4\ASCService.exe
     C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
     C:\Program Files\Bonjour\mDNSResponder.exe
     C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe
     C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
     C:\Windows\SMINST\BLService.exe
     C:\Program Files\CyberLink\Shared Files\RichVideo.exe
     C:\Windows\system32\svchost.exe -k imgsvc
     C:\Program Files\Viewpoint\Common\ViewpointService.exe
     C:\Windows\System32\svchost.exe -k WerSvcGroup
     C:\Windows\system32\SearchIndexer.exe
     C:\Windows\system32\DRIVERS\xaudio.exe
     C:\Windows\system32\taskeng.exe
     C:\Windows\system32\Dwm.exe
     C:\Windows\system32\taskeng.exe
     C:\Windows\System32\alg.exe
     C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
     C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
     C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
     C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
     C:\Program Files\HP\QuickPlay\QPService.exe
     C:\Windows\System32\hkcmd.exe
     C:\Windows\System32\igfxpers.exe
     C:\Program Files\iTunes\iTunesHelper.exe
     C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
     C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
     C:\Windows\system32\igfxsrvc.exe
     C:\Windows\system32\wbem\wmiprvse.exe
     C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
     C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe
     C:\Program Files\iPod\bin\iPodService.exe
     C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
     c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
     C:\Program Files\Windows Media Player\wmpnscfg.exe
     C:\Program Files\Windows Media Player\wmpnetwk.exe
     C:\Windows\Explorer.exe
     C:\Program Files\Windows Mail\WinMail.exe
     C:\Program Files\Mozilla Firefox\firefox.exe
     C:\Program Files\Mozilla Firefox\plugin-container.exe
     C:\Windows\system32\SearchProtocolHost.exe
     C:\Windows\system32\SearchFilterHost.exe
     C:\Windows\system32\DllHost.exe
     C:\Windows\system32\DllHost.exe
     C:\Windows\system32\wbem\wmiprvse.exe
     .
     ============== Pseudo HJT Report ===============
     .
     uStart Page = hxxp://www.excite.com/
     mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=83&bd=Pavilion&pf=cnnb
     uInternet Settings,ProxyOverride = *.local
     BHO: {01a71990-aac5-4abe-bff2-4222561c03b3} - c:\windows\system32\audiodev32.dll
     BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
     BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
     BHO: PC Tools Browser Guard BHO: {2a0f3d1b-0909-4ff4-b272-609cce6054e7} - c:\program files\spyware doctor\bdt\PCTBrowserDefender.dll
     BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
     BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
     TB: PC Tools Browser Guard: {472734ea-242a-422b-adf8-83d1e48cc825} - c:\program files\spyware doctor\bdt\PCTBrowserDefender.dll
     {555d4d79-4bd2-4094-a395-cfc534424a05}
     mRun: [synTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
     mRun: [QlbCtrl.exe] c:\program files\hewlett-packard\hp quick launch buttons\QlbCtrl.exe /Start
     mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
     mRun: [hpWirelessAssistant] c:\program files\hewlett-packard\hp wireless assistant\HPWAMain.exe
     mRun: [HP Health Check Scheduler] c:\program files\hewlett-packard\hp health check\HPHC_Scheduler.exe
     mRun: [QPService] "c:\program files\hp\quickplay\QPService.exe"
     mRun: [b2C_AGENT] c:\programdata\lgmobileax\b2c_client\B2CNotiAgent.exe
     mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
     mRun: [igfxTray] c:\windows\system32\igfxtray.exe
     mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
     mRun: [Persistence] c:\windows\system32\igfxpers.exe
     mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
     mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
     mRun: [Malwarebytes' Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
     mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
     StartupFolder: c:\users\bobrap~1\appdata\roaming\micros~1\windows\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
     StartupFolder: c:\users\bob rapp\appdata\roaming\microsoft\windows\start menu\programs\startup\OneNote Table Of Contents.onetoc2
     mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
     mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
     IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
     IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
     IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
     LSP: c:\windows\system32\RSLSP.dll
     Trusted Zone: real.com\rhap-app-4-0
     Trusted Zone: real.com\rhapreg
     DPF: {1851174C-97BD-4217-A0CC-E908F60D5B7A} - hxxps://h20364.www2.hp.com/CSMWeb/Customer/cabs/HPISDataManager.CAB
     DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
     DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
     DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
     DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
     DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
     TCP: DhcpNameServer = 192.168.1.254
     TCP: Interfaces\{53E22188-A601-435A-823A-3AA970CFE51A} : DhcpNameServer = 192.168.1.254
     Notify: igfxcui - igfxdev.dll
     .
     ================= FIREFOX ===================
     .
     FF - ProfilePath - c:\users\bob rapp\appdata\roaming\mozilla\firefox\profiles\2o6881r8.default\
     FF - prefs.js: browser.startup.homepage - hxxp://www.excite.com/
     FF - prefs.js: network.proxy.http - 127.0.0.1
     FF - prefs.js: network.proxy.http_port - 52283
     FF - prefs.js: network.proxy.type - 0
     FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
     FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
     FF - plugin: c:\program files\microsoft silverlight\4.0.60531.0\npctrlui.dll
     FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
     FF - plugin: c:\users\bob rapp\appdata\roaming\move networks\plugins\npqmp071505000010.dll
     FF - plugin: c:\users\bob rapp\appdata\roaming\mozilla\plugins\npatgpc.dll
     .
     ============= SERVICES / DRIVERS ===============
     .
     R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2009-12-1 207792]
     R2 AdvancedSystemCareService;Advanced SystemCare Service;c:\program files\iobit\advanced systemcare 4\ASCService.exe [2011-5-21 352656]
     R2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\spyware doctor\bdt\BDTUpdateService.exe [2009-12-1 112592]
     R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-20 21504]
     R2 Recovery Service for Windows;Recovery Service for Windows;c:\windows\sminst\BLService.exe [2008-6-28 361808]
     R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2009-2-15 24652]
     R3 Com4QLBEx;Com4QLBEx;c:\program files\hewlett-packard\hp quick launch buttons\Com4QLBEx.exe [2008-6-28 193840]
     R3 IntcHdmiAddService;Intel® High Definition Audio HDMI;c:\windows\system32\drivers\IntcHdmi.sys [2008-6-30 112128]
     S2 CryptSvc32;Cryptographic Services ;c:\windows\system32\kbdinpun32.exe --> c:\windows\system32\KBDINPUN32.exe [?]
     S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2011-6-2 41272]
     S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-11-6 34064]
     S3 rcmirror;rcmirror;c:\windows\system32\drivers\rcmirror.sys [2008-10-8 3328]
     S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2009-12-1 359624]
     S3 sdCoreService;PC Tools Security Service;c:\program files\spyware doctor\pctsSvc.exe [2009-12-1 1141712]
     .
     =============== Created Last 30 ================
     .
     2011-07-30 02:11:27  --------  d-----w-  c:\users\bob rapp\appdata\local\temp
     2011-07-30 02:04:03  --------  d-----w-  C:\$RECYCLE.BIN
     2011-07-30 01:51:57  --------  d-----w-  C:\ComboFix
     2011-07-30 00:03:23  --------  d-----w-  C:\Combo-Fix14511C
     2011-07-29 22:02:57  --------  d-----w-  c:\program files\ESET
     2011-07-29 16:41:19  6881616  ----a-w-  c:\programdata\microsoft\windows defender\definition updates\{63e3acf3-cbb3-4561-8adc-dd714138844c}\mpengine.dll
     2011-07-29 15:20:26  --------  d-----w-  C:\Combo-Fix8915C
     2011-07-29 15:18:13  --------  d-----w-  C:\Combo-Fix11053C
     2011-07-29 15:14:12  --------  d-----w-  C:\Combo-Fix20435C
     2011-07-29 12:56:48  --------  d-----w-  C:\Combo-Fix2540C
     2011-07-29 11:23:59  --------  d-----w-  c:\programdata\AVAST Software
     2011-07-29 11:23:59  --------  d-----w-  c:\program files\AVAST Software
     2011-07-28 12:36:09  345600  ----a-w-  c:\windows\system32\audiodev32.dll
     2011-07-27 17:51:11  0  ----a-w-  c:\users\bob rapp\appdata\local\Qfipig.bin
     2011-07-27 17:50:38  --------  d-----w-  C:\Combo-Fix20452C
     2011-07-27 17:49:17  --------  d-----w-  c:\users\bob rapp\appdata\roaming\2BEF061B5359845B0CEA5D83697689C1
     2011-07-27 13:29:07  --------  d-----w-  c:\program files\TweetDeck
     2011-07-25 17:11:18  --------  d-----w-  C:\Combo-Fix27502C
     2011-07-25 17:10:23  --------  d-----w-  C:\Combo-Fix32150C
     2011-07-25 17:06:21  0  ----a-w-  c:\users\bob rapp\appdata\local\xurp.exe
     2011-07-25 17:06:21  0  ----a-w-  c:\users\bob rapp\appdata\local\wxhw.exe
     2011-07-25 17:06:21  0  ----a-w-  c:\users\bob rapp\appdata\local\mnkv.exe
     2011-07-25 17:06:21  0  ----a-w-  c:\users\bob rapp\appdata\local\kfln.exe
     2011-07-25 17:06:21  0  ----a-w-  c:\programdata\kuir.exe
     2011-07-25 17:06:21  0  ----a-w-  c:\programdata\jcql.exe
     2011-07-25 17:06:21  0  ----a-w-  c:\programdata\dxfy.exe
     2011-07-25 17:06:21  0  ----a-w-  c:\programdata\cwbo.exe
     2011-07-22 15:58:28  --------  d-----w-  c:\program files\iPod
     2011-07-15 15:02:01  --------  d-----w-  c:\users\bob rapp\appdata\local\Google
     2011-07-13 20:01:00  --------  d-----w-  C:\Combo-Fix22399C
     2011-07-13 19:59:47  --------  d-----w-  C:\Combo-Fix11186C
     2011-07-12 20:14:56  2043392  ----a-w-  c:\windows\system32\win32k.sys
     2011-07-12 20:14:52  49152  ----a-w-  c:\windows\system32\csrsrv.dll
     2011-07-12 20:14:52  375808  ----a-w-  c:\windows\system32\winsrv.dll
     2011-07-12 15:20:54  83816  ----a-w-  c:\windows\system32\dns-sd.exe
     2011-07-12 15:20:54  73064  ----a-w-  c:\windows\system32\dnssd.dll
     2011-07-11 20:27:02  2409784  ----a-w-  c:\program files\windows mail\OESpamFilter.dat
     .
     ==================== Find3M ====================
     .
     2011-07-06 23:52:42  41272  ----a-w-  c:\windows\system32\drivers\mbamswissarmy.sys
     2011-07-06 23:52:42  22712  ----a-w-  c:\windows\system32\drivers\mbam.sys
     2011-06-26 06:45:56  256000  ----a-w-  c:\windows\PEV.exe
     2011-06-15 10:35:52  404640  ----a-w-  c:\windows\system32\FlashPlayerCPLApp.cpl
     2011-05-24 23:14:10  222080  ------w-  c:\windows\system32\MpSigStub.exe
     2011-05-21 12:13:46  876032  ----a-w-  c:\windows\system32\XpsPrint.dll
     2011-05-21 12:13:13  28672  ----a-w-  c:\windows\system32\Apphlpdm.dll
     2011-05-21 12:13:12  542720  ----a-w-  c:\windows\apppatch\AcLayers.dll
     2011-05-21 12:13:12  458752  ----a-w-  c:\windows\apppatch\AcSpecfc.dll
     2011-05-21 12:13:12  4240384  ----a-w-  c:\windows\system32\GameUXLegacyGDFs.dll
     2011-05-21 12:13:12  2159616  ----a-w-  c:\windows\apppatch\AcGenral.dll
     2011-05-21 12:13:12  173056  ----a-w-  c:\windows\apppatch\AcXtrnal.dll
     2011-05-10 12:06:08  4517664  ----a-w-  c:\windows\system32\usbaaplrc.dll
     2011-05-10 12:06:08  42496  ----a-w-  c:\windows\system32\drivers\usbaapl.sys
     2011-05-02 17:16:14  739328  ----a-w-  c:\windows\system32\inetcomm.dll
     .
     ============= FINISH: 19:04:48.31 ===============

     DDS.zip
  5. Combo log Thanks ComboFix 11-07-29.03 - Bob Rapp 07/29/2011 21:53:48.7.2 - x86 Microsoft® Windows Vista™ Home Basic 6.0.6002.2.1252.1.1033.18.3002.1847 [GMT -4:00] Running from: c:\users\Bob Rapp\Downloads\ComboFix.exe AV: Spyware Doctor with AntiVirus *Disabled/Updated* {2F668A56-D5E0-2DF1-A0AE-CB1284F42AB2} SP: Spyware Doctor *Disabled/Updated* {94076BB2-F3DA-227F-9A1E-F060FF73600F} SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46} . . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . . c:\users\Bob Rapp\AppData\Roaming\Mozilla\Firefox\Profiles\2o6881r8.default\extensions\{405c600e-f061-4a7c-827e-07e1c6c54c2f} c:\users\Bob Rapp\AppData\Roaming\Mozilla\Firefox\Profiles\2o6881r8.default\extensions\{405c600e-f061-4a7c-827e-07e1c6c54c2f}\chrome.manifest c:\users\Bob Rapp\AppData\Roaming\Mozilla\Firefox\Profiles\2o6881r8.default\extensions\{405c600e-f061-4a7c-827e-07e1c6c54c2f}\chrome\xulcache.jar c:\users\Bob Rapp\AppData\Roaming\Mozilla\Firefox\Profiles\2o6881r8.default\extensions\{405c600e-f061-4a7c-827e-07e1c6c54c2f}\defaults\preferences\xulcache.js c:\users\Bob Rapp\AppData\Roaming\Mozilla\Firefox\Profiles\2o6881r8.default\extensions\{405c600e-f061-4a7c-827e-07e1c6c54c2f}\install.rdf c:\users\Bob Rapp\AppData\Roaming\Mozilla\Firefox\Profiles\2o6881r8.default\extensions\{94e02daf-0928-4cbd-93eb-d6e28dda79d7} c:\users\Bob Rapp\AppData\Roaming\Mozilla\Firefox\Profiles\2o6881r8.default\extensions\{94e02daf-0928-4cbd-93eb-d6e28dda79d7}\chrome.manifest c:\users\Bob Rapp\AppData\Roaming\Mozilla\Firefox\Profiles\2o6881r8.default\extensions\{94e02daf-0928-4cbd-93eb-d6e28dda79d7}\chrome\xulcache.jar c:\users\Bob Rapp\AppData\Roaming\Mozilla\Firefox\Profiles\2o6881r8.default\extensions\{94e02daf-0928-4cbd-93eb-d6e28dda79d7}\defaults\preferences\xulcache.js c:\users\Bob 
Rapp\AppData\Roaming\Mozilla\Firefox\Profiles\2o6881r8.default\extensions\{94e02daf-0928-4cbd-93eb-d6e28dda79d7}\install.rdf c:\users\Bob Rapp\kjifhzmlkm.tmp . Infected copy of c:\windows\system32\userinit.exe was found and disinfected Restored copy from - c:\windows\ERDNT\cache\userinit.exe . . ((((((((((((((((((((((((( Files Created from 2011-06-28 to 2011-07-30 ))))))))))))))))))))))))))))))) . . 2011-07-30 02:02 . 2011-07-30 02:04 -------- d-----w- c:\users\Bob Rapp\AppData\Local\temp 2011-07-30 02:02 . 2011-07-30 02:02 -------- d-----w- c:\users\Public\AppData\Local\temp 2011-07-30 02:02 . 2011-07-30 02:02 -------- d-----w- c:\users\Default\AppData\Local\temp 2011-07-30 00:03 . 2011-07-30 00:21 -------- d-----w- C:\Combo-Fix14511C 2011-07-29 22:02 . 2011-07-29 22:02 -------- d-----w- c:\program files\ESET 2011-07-29 16:41 . 2011-07-13 03:39 6881616 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{63E3ACF3-CBB3-4561-8ADC-DD714138844C}\mpengine.dll 2011-07-29 15:20 . 2011-07-29 15:38 -------- d-----w- C:\Combo-Fix8915C 2011-07-29 15:18 . 2011-07-29 15:18 -------- d-----w- C:\Combo-Fix11053C 2011-07-29 15:14 . 2011-07-29 15:14 -------- d-----w- C:\Combo-Fix20435C 2011-07-29 12:56 . 2011-07-29 12:57 -------- d-----w- C:\Combo-Fix2540C 2011-07-29 11:23 . 2011-07-29 15:06 -------- d-----w- c:\programdata\AVAST Software 2011-07-29 11:23 . 2011-07-29 11:23 -------- d-----w- c:\program files\AVAST Software 2011-07-28 12:36 . 2011-07-28 12:36 345600 ----a-w- c:\windows\system32\audiodev32.dll 2011-07-27 17:51 . 2011-07-27 17:51 0 ----a-w- c:\users\Bob Rapp\AppData\Local\Qfipig.bin 2011-07-27 17:50 . 2011-07-27 18:21 -------- d-----w- C:\Combo-Fix20452C 2011-07-27 17:49 . 2011-07-28 01:06 -------- d-----w- c:\users\Bob Rapp\AppData\Roaming\2BEF061B5359845B0CEA5D83697689C1 2011-07-27 13:29 . 2011-07-27 13:29 -------- d-----w- c:\program files\TweetDeck 2011-07-25 17:11 . 2011-07-25 17:47 -------- d-----w- C:\Combo-Fix27502C 2011-07-25 17:10 . 
2011-07-25 17:10 -------- d-----w- C:\Combo-Fix32150C 2011-07-25 17:06 . 2011-07-25 17:06 0 ----a-w- c:\users\Bob Rapp\AppData\Local\xurp.exe 2011-07-25 17:06 . 2011-07-25 17:06 0 ----a-w- c:\users\Bob Rapp\AppData\Local\wxhw.exe 2011-07-25 17:06 . 2011-07-25 17:06 0 ----a-w- c:\users\Bob Rapp\AppData\Local\mnkv.exe 2011-07-25 17:06 . 2011-07-25 17:06 0 ----a-w- c:\users\Bob Rapp\AppData\Local\kfln.exe 2011-07-25 17:06 . 2011-07-25 17:06 0 ----a-w- c:\programdata\kuir.exe 2011-07-25 17:06 . 2011-07-25 17:06 0 ----a-w- c:\programdata\jcql.exe 2011-07-25 17:06 . 2011-07-25 17:06 0 ----a-w- c:\programdata\dxfy.exe 2011-07-25 17:06 . 2011-07-25 17:06 0 ----a-w- c:\programdata\cwbo.exe 2011-07-22 15:58 . 2011-07-22 15:58 -------- d-----w- c:\program files\iPod 2011-07-22 15:45 . 2011-07-22 15:45 -------- d-----w- c:\program files\Apple Software Update 2011-07-15 15:02 . 2011-07-15 20:07 -------- d-----w- c:\users\Bob Rapp\AppData\Local\Google 2011-07-13 20:01 . 2011-07-13 20:22 -------- d-----w- C:\Combo-Fix22399C 2011-07-13 19:59 . 2011-07-13 20:00 -------- d-----w- C:\Combo-Fix11186C 2011-07-12 20:14 . 2011-06-02 13:34 2043392 ----a-w- c:\windows\system32\win32k.sys 2011-07-12 20:14 . 2011-04-20 15:55 375808 ----a-w- c:\windows\system32\winsrv.dll 2011-07-12 20:14 . 2011-04-20 15:50 49152 ----a-w- c:\windows\system32\csrsrv.dll 2011-07-12 15:20 . 2011-07-12 15:20 83816 ----a-w- c:\windows\system32\dns-sd.exe 2011-07-12 15:20 . 2011-07-12 15:20 73064 ----a-w- c:\windows\system32\dnssd.dll 2011-07-11 20:27 . 2011-07-11 20:27 2409784 ----a-w- c:\program files\Windows Mail\OESpamFilter.dat . . . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2011-07-06 23:52 . 2011-06-02 14:33 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys 2011-07-06 23:52 . 2011-06-02 14:33 22712 ----a-w- c:\windows\system32\drivers\mbam.sys 2011-06-15 10:35 . 
2011-05-30 11:42 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl 2011-05-24 23:14 . 2009-10-03 10:20 222080 ------w- c:\windows\system32\MpSigStub.exe 2011-05-21 12:13 . 2011-05-21 12:13 876032 ----a-w- c:\windows\system32\XpsPrint.dll 2011-05-21 12:13 . 2011-05-21 12:13 28672 ----a-w- c:\windows\system32\Apphlpdm.dll 2011-05-21 12:13 . 2011-05-21 12:13 542720 ----a-w- c:\windows\apppatch\AcLayers.dll 2011-05-21 12:13 . 2011-05-21 12:13 458752 ----a-w- c:\windows\apppatch\AcSpecfc.dll 2011-05-21 12:13 . 2011-05-21 12:13 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll 2011-05-21 12:13 . 2011-05-21 12:13 2159616 ----a-w- c:\windows\apppatch\AcGenral.dll 2011-05-21 12:13 . 2011-05-21 12:13 173056 ----a-w- c:\windows\apppatch\AcXtrnal.dll 2011-05-10 12:06 . 2011-05-10 12:06 4517664 ----a-w- c:\windows\system32\usbaaplrc.dll 2011-05-10 12:06 . 2011-05-10 12:06 42496 ----a-w- c:\windows\system32\drivers\usbaapl.sys 2011-05-02 17:16 . 2011-06-15 06:41 739328 ----a-w- c:\windows\system32\inetcomm.dll 2011-07-08 07:16 . 2011-07-15 16:58 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll . . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 . [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{01A71990-AAC5-4ABE-BFF2-4222561C03B3}] 2011-07-28 12:36 345600 ----a-w- c:\windows\System32\audiodev32.dll . 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-04-17 1049896] "QlbCtrl.exe"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2008-05-12 202032] "HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840] "hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2008-04-15 488752] "HP Health Check Scheduler"="c:\program files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2008-10-09 75008] "QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2009-03-11 468264] "B2C_AGENT"="c:\programdata\LGMOBILEAX\B2C_Client\B2CNotiAgent.exe" [2010-09-27 391096] "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888] "IgfxTray"="c:\windows\system32\igfxtray.exe" [2011-02-11 137752] "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2011-02-11 171032] "Persistence"="c:\windows\system32\igfxpers.exe" [2011-02-11 172568] "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2011-05-27 40368] "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920] "Malwarebytes' Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2011-07-06 1047656] "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-07-19 421736] . c:\users\Bob Rapp\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680] OneNote Table Of Contents.onetoc2 [2010-6-9 3656] . [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system] "EnableUIADesktopToggle"= 0 (0x0) . [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys] @="Driver" . 
[HKLM\~\startupfolder\C:^Users^Bob Rapp^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^MLB.TV NexDef Plug-in.lnk]
path=c:\users\Bob Rapp\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MLB.TV NexDef Plug-in.lnk
backup=c:\windows\pss\MLB.TV NexDef Plug-in.lnk.Startup
backupExtension=.Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DivXUpdate]
2010-09-16 20:04 1164584 ----a-w- c:\program files\DivX\DivX Update\DivXUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Pando Media Booster]
2009-03-30 00:49 2906440 ----a-w- c:\program files\Pando Networks\Media Booster\PMB.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Spark]
2007-11-14 17:52 434176 ----a-w- c:\program files\Spark\Spark.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-3059592001-512770679-1532482464-1000]
"EnableNotifications"=dword:00000001
"EnableNotificationsRef"=dword:00000001
.
R2 CryptSvc32;Cryptographic Services ;c:\windows\system32\KBDINPUN32.exe [x]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2011-07-06 41272]
R3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-11-06 34064]
R3 rcmirror;rcmirror;c:\windows\system32\DRIVERS\rcmirror.sys [2008-10-08 3328]
R3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [2009-10-30 359624]
S0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2009-11-09 207792]
S2 AdvancedSystemCareService;Advanced SystemCare Service;c:\program files\IObit\Advanced SystemCare 4\ASCService.exe [2011-04-21 352656]
S2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\Spyware Doctor\BDT\BDTUpdateService.exe [2010-01-21 112592]
S2 Recovery Service for Windows;Recovery Service for Windows;c:\windows\SMINST\BLService.exe [2008-04-26 361808]
S2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652]
S3 Com4QLBEx;Com4QLBEx;c:\program files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe [2008-04-03 193840]
S3 IntcHdmiAddService;Intel® High Definition Audio HDMI;c:\windows\system32\drivers\IntcHdmi.sys [2008-06-30 112128]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder
.
2011-07-28 c:\windows\Tasks\HPCeeScheduleForBob Rapp.job
- c:\program files\hewlett-packard\sdp\ceement\HPCEE.exe [2008-06-28 03:03]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.excite.com/
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=83&bd=Pavilion&pf=cnnb
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
LSP: c:\windows\system32\RSLSP.dll
Trusted Zone: real.com\rhap-app-4-0
Trusted Zone: real.com\rhapreg
TCP: DhcpNameServer = 192.168.1.254
FF - ProfilePath - c:\users\Bob Rapp\AppData\Roaming\Mozilla\Firefox\Profiles\2o6881r8.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.excite.com/
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 52283
FF - prefs.js: network.proxy.type - 0
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-07-29 22:04
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\WLANExt.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\CyberLink\Shared Files\RichVideo.exe
c:\windows\system32\DRIVERS\xaudio.exe
c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\Hewlett-Packard\Shared\HpqToaster.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Hewlett-Packard\HP Health Check\hphc_service.exe
c:\program files\Windows Media Player\wmpnscfg.exe
c:\program files\Windows Media Player\wmpnetwk.exe
.
**************************************************************************
.
Completion time: 2011-07-29 22:11:24 - machine was rebooted
ComboFix-quarantined-files.txt 2011-07-30 02:10
ComboFix2.txt 2011-07-30 00:21
ComboFix3.txt 2011-07-29 15:38
ComboFix4.txt 2011-07-29 13:12
ComboFix5.txt 2011-07-30 01:52
.
Pre-Run: 98,791,391,232 bytes free
Post-Run: 98,520,735,744 bytes free
.
Current=1 Default=1 Failed=0 LastKnownGood=56 Sets=1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56
- - End Of File - - 948F855DCF61BB7F7C67B134AE3808A4
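Three entries in the ComboFix log above are the ones an analyst would pull out first: a service named CryptSvc32 (a lookalike of the real CryptSvc) whose image file ComboFix marks as missing with [x], three Security Center keys with DisableMonitoring set to 1, and a Firefox prefs.js that names 127.0.0.1:52283 as an HTTP proxy (network.proxy.type is 0, so the proxy is configured but not in force). The script below, added here as an example and not part of rappbob's post or of ComboFix, parses those line formats and reports each indicator; the sample lines are copied from the log, and the KNOWN_SERVICES list is an assumed short list for illustration.

```python
"""Triage checks over a ComboFix log excerpt.

Added example by the editor; it is not part of rappbob's post and not
ComboFix code. The sample lines are copied from the log above, trimmed to
the entries the checks look at. KNOWN_SERVICES is an illustrative list
(assumption), not an exhaustive one.
"""
import re

# Lines copied from the ComboFix log in the post above (trimmed).
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-3059592001-512770679-1532482464-1000]
"EnableNotifications"=dword:00000001
.
R2 CryptSvc32;Cryptographic Services ;c:\windows\system32\KBDINPUN32.exe [x]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2011-07-06 41272]
S2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652]
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 52283
FF - prefs.js: network.proxy.type - 0
"""

# Real Windows service names that malware tends to imitate (assumed short list).
KNOWN_SERVICES = ("CryptSvc", "wuauserv", "BITS", "EventLog", "Dnscache")

# ComboFix service line: "<start> <name>;<display>;<image path> [<date size>|x]"
# "[x]" means ComboFix could not find the image file on disk.
SERVICE_RE = re.compile(
    r"^([RS]\d)\s+([^;]+);([^;]*);(.+?)\s+\[(x|\d{4}-\d{2}-\d{2}\s+\d+)\]\s*$")


def parse_services(text):
    """Return one dict per R*/S* service or driver line."""
    services = []
    for line in text.splitlines():
        m = SERVICE_RE.match(line.strip())
        if m:
            start, name, display, path, stamp = m.groups()
            services.append({"start": start, "name": name.strip(),
                             "display": display.strip(), "path": path.strip(),
                             "missing": stamp == "x"})
    return services


def find_indicators(text):
    """Collect the findings an analyst would pull out of this log."""
    findings = []
    for svc in parse_services(text):
        if svc["missing"]:
            findings.append(f"service {svc['name']} points at missing file {svc['path']}")
        for legit in KNOWN_SERVICES:
            if svc["name"] != legit and svc["name"].lower().startswith(legit.lower()):
                findings.append(f"service {svc['name']} mimics Windows service {legit}")

    current_key, prefs = None, {}
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1].lower()          # registry key header
        elif line == '"DisableMonitoring"=dword:00000001' and current_key \
                and "security center" in current_key:
            findings.append(f"Security Center monitoring disabled under {current_key}")
        elif line.startswith("FF - prefs.js:"):
            key, _, value = line[len("FF - prefs.js:"):].strip().partition(" - ")
            prefs[key] = value

    host = prefs.get("network.proxy.http")
    if host in ("127.0.0.1", "localhost"):
        # network.proxy.type 1 is "manual proxy"; 0 is a direct connection,
        # so the setting is present but not in force.
        state = "enabled" if prefs.get("network.proxy.type") == "1" else "configured but not active"
        port = prefs.get("network.proxy.http_port", "?")
        findings.append(f"Firefox HTTP proxy set to {host}:{port} ({state})")
    return findings


if __name__ == "__main__":
    for finding in find_indicators(SAMPLE_LOG):
        print(finding)
```

Run it against a full ComboFix log by reading the file into find_indicators(); the checks are deliberately narrow (missing image, name mimicry, monitoring switched off, loopback proxy) so that each finding maps to one line of the log you can verify by eye.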
  6. MBAM log
Malwarebytes' Anti-Malware 1.51.1.1800
www.malwarebytes.org
Database version: 7298
Windows 6.0.6002 Service Pack 2
Internet Explorer 7.0.6002.18005
7/29/2011 9:27:10 PM
mbam-log-2011-07-29 (21-27-10).txt
Scan type: Quick scan
Objects scanned: 163574
Time elapsed: 3 minute(s), 18 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected: (No malicious items detected)
Memory Modules Infected: (No malicious items detected)
Registry Keys Infected:
HKEY_CLASSES_ROOT\.fsharproj (Trojan.BHO) -> Quarantined and deleted successfully.
Registry Values Infected: (No malicious items detected)
Registry Data Items Infected: (No malicious items detected)
Folders Infected: (No malicious items detected)
Files Infected: (No malicious items detected)
  7. Hi guys. It appears I have the google virus. Please let me know what scans to run. I have tried Malwarebytes, TSS, Combo, and ESET. I removed some trojans but the problem still exists. Thank you.
  8. Gang, you helped me in the past. Hope you can again. I have the virus that prompts me to buy antivirus software. Malware won't run, neither will ComboFix. Here is my rootkit log. ty Rapp ROOTREPEAL
  9. Gang, you helped me in the past. Hope you can again. I have the virus that prompts me to buy antivirus software. Malware won't run, neither will ComboFix. Here is my rootkit log. ty Rapp
ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2010/01/21 18:46
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP2
==================================================
Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xF398F000 Size: 98304 File Visible: No Signed: - Status: -
Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF8ECE000 Size: 8192 File Visible: No Signed: - Status: -
Name: H8SRTdqgomylteh.sys
Image Path: C:\WINDOWS\system32\drivers\H8SRTdqgomylteh.sys
Address: 0xF3B3F000 Size: 114688 File Visible: - Signed: - Status: Hidden from the Windows API!
Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xF0B95000 Size: 49152 File Visible: No Signed: - Status: -
Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!
Path: C:\WINDOWS\system32\H8SRTiqabvdaxfg.dll
Status: Invisible to the Windows API!
Path: C:\WINDOWS\system32\H8SRTpkhbakbeso.dll
Status: Invisible to the Windows API!
Path: C:\WINDOWS\system32\H8SRTrnrkctttll.dll
Status: Invisible to the Windows API!
Path: C:\WINDOWS\system32\H8SRTwljomqxiqx.dat
Status: Invisible to the Windows API!
Path: C:\WINDOWS\system32\H8SRTyiyumrqumo.dll
Status: Invisible to the Windows API!
Path: C:\WINDOWS\Temp\H8SRT603b.tmp
Status: Invisible to the Windows API!
Path: C:\WINDOWS\system32\drivers\H8SRTdqgomylteh.sys
Status: Invisible to the Windows API!
Path: C:\Documents and Settings\All Users\Application Data\h8srtkrl32mainweq.dll
Status: Invisible to the Windows API!
Path: C:\Documents and Settings\Robert Rapp\Cookies\robert_rapp@questionmarket[2].txt
Status: Locked to the Windows API!
Path: C:\Documents and Settings\Robert Rapp\Cookies\robert_rapp@network.dsidemarketing[1].txt
Status: Visible to the Windows API, but not on disk.
Path: C:\Documents and Settings\Robert Rapp\Local Settings\Temp\H8SRTcecf.tmp
Status: Invisible to the Windows API!
Path: C:\Documents and Settings\Robert Rapp\Local Settings\Temp\h8srtmainqt.dll
Status: Invisible to the Windows API!
Stealth Objects
-------------------
Object: Hidden Module [Name: H8SRTrnrkctttll.dll] Process: services.exe (PID: 840) Address: 0x10000000 Size: 36864
Object: Hidden Module [Name: H8SRTrnrkctttll.dll] Process: lsass.exe (PID: 852) Address: 0x10000000 Size: 36864
Object: Hidden Module [Name: H8SRTrnrkctttll.dll] Process: svchost.exe (PID: 996) Address: 0x00890000 Size: 36864
Object: Hidden Module [Name: H8SRTyiyumrqumo.dll] Process: svchost.exe (PID: 996) Address: 0x00930000 Size: 65536
Object: Hidden Module [Name: H8SRTpkhbakbeso.dll] Process: svchost.exe (PID: 996) Address: 0x02670000 Size: 86016
Object: Hidden Module [Name: H8SRTpkhbakbeso.dll] Process: svchost.exe (PID: 996) Address: 0x10000000 Size: 86016
Object: Hidden Module [Name: H8SRTpkhbakbeso.dll] Process: svchost.exe (PID: 1104) Address: 0x10000000 Size: 86016
Object: Hidden Module [Name: H8SRTpkhbakbeso.dll] Process: svchost.exe (PID: 1148) Address: 0x10000000 Size: 86016
Object: Hidden Module [Name: H8SRTpkhbakbeso.dll] Process: svchost.exe (PID: 1220) Address: 0x10000000 Size: 86016
Object: Hidden Module [Name: H8SRTrnrkctttll.dll] Process: spoolsv.exe (PID: 1572) Address: 0x10000000 Size: 36864
Object: Hidden Module [Name: H8SRTpkhbakbeso.dll] Process: svchost.exe (PID: 1656) Address: 0x10000000 Size: 86016
Object: Hidden Module [Name: H8SRTrnrkctttll.dll] Process: AppleMobileDeviceService.exe (PID: 1688) Address: 0x10000000 Size: 36864
Object: Hidden Module [Name: H8SRTrnrkctttll.dll] Process: jqs.exe (PID: 1732) Address: 0x10000000 Size: 36864
Object: Hidden Module [Name: H8SRTrnrkctttll.dll] Process: HPZipm12.exe (PID: 1772) Address: 0x10000000 Size: 36864
Object: Hidden Module [Name: H8SRTpkhbakbeso.dll] Process: svchost.exe (PID: 1864) Address: 0x10000000 Size: 86016
Object: Hidden Module [Name: H8SRTrnrkctttll.dll] Process: wdfmgr.exe (PID: 1912) Address: 0x10000000 Size: 36864
Object: Hidden Module [Name: H8SRTrnrkctttll.dll] Process: Explorer.EXE (PID: 1952) Address: 0x00c30000 Size: 36864
Object: Hidden Module [Name: H8SRTpkhbakbeso.dll] Process: Explorer.EXE (PID: 1952) Address: 0x10000000 Size: 86016
Object: Hidden Module [Name: H8SRTrnrkctttll.dll] Process: hpcmpmgr.exe (PID: 428) Address: 0x10000000 Size: 36864
Object: Hidden Module [Name: H8SRTrnrkctttll.dll] Process: HPWuSchd2.exe (PID: 464) Address: 0x10000000 Size: 36864
Object: Hidden Module [Name: H8SRTrnrkctttll.dll] Process: jusched.exe (PID: 484) Address: 0x10000000 Size: 36864
Object: Hidden Module [Name: H8SRTrnrkctttll.dll] Process: WkUFind.exe (PID: 496) Address: 0x10000000 Size: 36864
Object: Hidden Module [Name: H8SRTrnrkctttll.dll] Process: iTunesHelper.exe (PID: 532) Address: 0x10000000 Size: 36864
Object: Hidden Module [Name: H8SRTrnrkctttll.dll] Process: msmsgs.exe (PID: 544) Address: 0x10000000 Size: 36864
Object: Hidden Module [Name: H8SRTrnrkctttll.dll] Process: ctfmon.exe (PID: 552) Address: 0x10000000 Size: 36864
Object: Hidden Module [Name: H8SRTrnrkctttll.dll] Process: GoogleToolbarNotifier.exe (PID: 564) Address: 0x10000000 Size: 36864
Object: Hidden Module [Name: H8SRTrnrkctttll.dll] Process: extrac64_cab.exe (PID: 620) Address: 0x10000000 Size: 36864
Object: Hidden Module [Name: H8SRTrnrkctttll.dll] Process: hpqtra08.exe (PID: 716) Address: 0x10000000 Size: 36864
Object: Hidden Module [Name: H8SRTrnrkctttll.dll] Process: WMP11CFG.exe (PID: 1048) Address: 0x10000000 Size: 36864
Object: Hidden Module [Name: H8SRTrnrkctttll.dll] Process: iPodService.exe (PID: 2264) Address: 0x10000000 Size: 36864
Object: Hidden Module [Name: H8SRTrnrkctttll.dll] Process: hpqSTE08.exe (PID: 3764) Address: 0x00970000 Size: 36864
Object: Hidden Module [Name: H8SRTrnrkctttll.dll] Process: winhlp64.exe (PID: 3912) Address: 0x10000000 Size: 36864
Object: Hidden Module [Name: H8SRTiqabvdaxfg.dll] Process: firefox.exe (PID: 920) Address: 0x00d50000 Size: 151552
Object: Hidden Module [Name: H8SRTpkhbakbeso.dll] Process: firefox.exe (PID: 920) Address: 0x10000000 Size: 86016
Object: Hidden Module [Name: H8SRTrnrkctttll.dll] Process: RootRepeal.exe (PID: 1832) Address: 0x10000000 Size: 36864
Object: Hidden Module [Name: H8SRTrnrkctttll.dll] Process: mdefense.exe (PID: 2664) Address: 0x10000000 Size: 36864
Object: Hidden Module [Name: H8SRTiqabvdaxfg.dll] Process: iexplore.exe (PID: 2644) Address: 0x00d90000 Size: 151552
Object: Hidden Module [Name: H8SRTpkhbakbeso.dll] Process: iexplore.exe (PID: 2644) Address: 0x10000000 Size: 86016
Hidden Services
-------------------
Service Name: H8SRTd.sys
Image Path: C:\WINDOWS\system32\drivers\H8SRTdqgomylteh.sys
==EOF==
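The RootRepeal report above is long because the same few modules recur: one DLL (H8SRTrnrkctttll.dll) is hidden inside nearly every user-mode process, a second one sits in every svchost.exe, a hidden driver with the same H8SRT prefix is registered as a hidden service, and every invisible file shares that prefix. The script below, added here as an example and not part of rappbob's post or of RootRepeal, reduces such a report to those facts: which modules are injected across how many processes, which files are invisible (as opposed to merely locked), the common name prefix, and the hidden service. The sample is a constructed excerpt of the report in the same format, and the min_processes threshold is an assumption.

```python
"""Cluster the stealth objects in a RootRepeal report.

Added example by the editor; not part of rappbob's post and not RootRepeal
code. The sample is a constructed excerpt of the report above (a handful
of the records, same format). The threshold in triage() is an assumption.
"""
import re
import ntpath
import os
from collections import defaultdict

SAMPLE_REPORT = r"""
Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!
Path: C:\WINDOWS\system32\H8SRTiqabvdaxfg.dll
Status: Invisible to the Windows API!
Path: C:\WINDOWS\system32\drivers\H8SRTdqgomylteh.sys
Status: Invisible to the Windows API!
Path: C:\WINDOWS\Temp\H8SRT603b.tmp
Status: Invisible to the Windows API!
Stealth Objects
-------------------
Object: Hidden Module [Name: H8SRTrnrkctttll.dll] Process: services.exe (PID: 840) Address: 0x10000000 Size: 36864
Object: Hidden Module [Name: H8SRTrnrkctttll.dll] Process: lsass.exe (PID: 852) Address: 0x10000000 Size: 36864
Object: Hidden Module [Name: H8SRTrnrkctttll.dll] Process: svchost.exe (PID: 996) Address: 0x00890000 Size: 36864
Object: Hidden Module [Name: H8SRTpkhbakbeso.dll] Process: svchost.exe (PID: 996) Address: 0x10000000 Size: 86016
Object: Hidden Module [Name: H8SRTpkhbakbeso.dll] Process: Explorer.EXE (PID: 1952) Address: 0x10000000 Size: 86016
Object: Hidden Module [Name: H8SRTiqabvdaxfg.dll] Process: firefox.exe (PID: 920) Address: 0x00d50000 Size: 151552
Hidden Services
-------------------
Service Name: H8SRTd.sys
Image Path: C:\WINDOWS\system32\drivers\H8SRTdqgomylteh.sys
"""

# One "Object: Hidden Module" record per line in RootRepeal's Stealth Objects section.
MODULE_RE = re.compile(
    r"Object: Hidden Module \[Name: (?P<name>[^\]]+)\] "
    r"Process: (?P<proc>\S+) \(PID: (?P<pid>\d+)\) "
    r"Address: (?P<addr>0x[0-9A-Fa-f]+) Size: (?P<size>\d+)")


def hidden_modules(report):
    """Map each hidden module name to the sorted (process, pid) pairs it sits in."""
    where = defaultdict(set)
    for m in MODULE_RE.finditer(report):
        where[m.group("name")].add((m.group("proc"), int(m.group("pid"))))
    return {name: sorted(procs) for name, procs in where.items()}


def invisible_files(report):
    """Paths whose status is 'Invisible' (hidden), not merely 'Locked'."""
    paths, pending = [], None
    for line in report.splitlines():
        if line.startswith("Path: "):
            pending = line[len("Path: "):]
        elif line.startswith("Status: "):
            if pending and "Invisible" in line:
                paths.append(pending)
            pending = None
    return paths


def hidden_services(report):
    """(service name, image path) pairs from the Hidden Services section."""
    return re.findall(r"Service Name: (\S+)\r?\nImage Path: (.+)", report)


def triage(report, min_processes=3):
    """Summarise what is worth looking at first."""
    mods = hidden_modules(report)
    files = invisible_files(report)
    basenames = [ntpath.basename(p).lower() for p in files]
    return {
        # one DLL hidden in many unrelated processes = system-wide injection
        "broadly_injected": sorted(n for n, p in mods.items() if len(p) >= min_processes),
        "invisible_files": files,
        # shared leading string of the hidden file names, e.g. one family's tag
        "family_prefix": os.path.commonprefix(basenames) if basenames else "",
        "hidden_services": hidden_services(report),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_REPORT).items():
        print(key, value)
```

On the full report the same functions give H8SRTrnrkctttll.dll in well over thirty processes and H8SRTpkhbakbeso.dll in every svchost.exe, which is what makes the address column uninteresting (0x10000000 is just the default image base of a DLL) and the process count the thing to act on.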
  10. Something about no permission to access that file?
  11. Scanning Report
Tuesday, August 25, 2009 17:02:17 - 17:38:07
Computer name: TRADERPC7
Scanning type: Scan system for malware, spyware and rootkits
Target: C:\
2 malware found
TrackingCookie.Adinterax (spyware)
* System (Disinfected)
Trojan.Vundo.GMM (virus)
* C:\SYSTEM VOLUME INFORMATION\_RESTORE{168AD27E-2AD1-4630-8170-1549880F4EC9}\RP622\A0098021.DLL (Renamed & Submitted)
Statistics
Scanned:
* Files: 33594
* System: 2653
* Not scanned: 16
Actions:
* Disinfected: 1
* Renamed: 1
* Deleted: 0
* Not cleaned: 0
* Submitted: 1
Files not scanned:
* C:\PAGEFILE.SYS
* C:\HIBERFIL.SYS
* C:\WINDOWS\SYSTEM32\WBEM\WMIPRVSE.EXE
* C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
* C:\WINDOWS\SYSTEM32\CONFIG\SAM
* C:\WINDOWS\SYSTEM32\CONFIG\SECURITY
* C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE
* C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM
* C:\SYSTEM VOLUME INFORMATION\MOUNTPOINTMANAGERREMOTEDATABASE
* C:\PROGRAM FILES\TREND MICRO\HIJACKTHIS\HIJACKTHIS.EXE
* C:\PROGRAM FILES\MALWAREBYTES' ANTI-MALWARE\WININI.EXE
* C:\PROGRAM FILES\MALWAREBYTES' ANTI-MALWARE\WINLOGON.EXE
* C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
* C:\DOCUMENTS AND SETTINGS\TRADER\LOCAL SETTINGS\TEMP\ETILQS_SGMQIGP8M0P1RDY1KHFC
* C:\DOCUMENTS AND SETTINGS\TRADER\DESKTOP\ROOTREPEAL.EXE
* C:\DOCUMENTS AND SETTINGS\TRADER\DESKTOP\ROOTREPEAL\ROOTREPEAL.EXE
Options
Scanning engines:
Scanning options:
* Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML XXX ANI AVB BAT CMD JOB LSP MAP MHT MIF PHP POT SWF WMF NWS TAR
* Use advanced heuristics
  12. IE 7 won't launch and the IE 8 upgrade fails. Any thoughts?
  13. I was on the phone and reposted twice. I missed your ComboFix request. I did not refresh the browser. Here is the ComboFix log.
ComboFix 09-08-20.07 - trader 08/21/2009 19:08.4.2 - NTFSx86
Running from: c:\documents and settings\trader\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\trader\Desktop\cfscript.txt
* Created a new restore point
file zipped: c:\docume~1\alluse~1\applic~1\iceb.dll
file zipped: c:\docume~1\alluse~1\applic~1\jedyjuqo.scr
file zipped: c:\docume~1\alluse~1\applic~1\ocide.com
file zipped: c:\docume~1\alluse~1\applic~1\oqikikutu.reg
file zipped: c:\docume~1\alluse~1\applic~1\ronamon.vbs
file zipped: c:\docume~1\alluse~1\applic~1\wada.exe
file zipped: c:\docume~1\trader\applic~1\afozahop.bin
file zipped: c:\docume~1\trader\applic~1\ecukyhe.vbs
file zipped: c:\docume~1\trader\applic~1\fepulo.pif
file zipped: c:\docume~1\trader\applic~1\lajofeja.scr
file zipped: c:\docume~1\trader\applic~1\qymine.exe
file zipped: c:\docume~1\trader\applic~1\uhevin.vbs
file zipped: c:\docume~1\trader\applic~1\upejeh.dat
file zipped: c:\docume~1\trader\applic~1\zypabihic.dll
file zipped: c:\program files\common files\acesyfoxex.bin
file zipped: c:\program files\common files\agupat.vbs
file zipped: c:\program files\common files\baxos._sy
file zipped: c:\program files\common files\gyjy.dl
file zipped: c:\program files\common files\izivif.db
file zipped: c:\program files\common files\oxyzuceb.com
file zipped: c:\program files\common files\qodu.scr
file zipped: c:\program files\common files\ubipos._sy
file zipped: c:\windows\avydihany.dl
file zipped: c:\windows\avywody._dl
file zipped: c:\windows\basovyb.pif
file zipped: c:\windows\boka.exe
file zipped: c:\windows\boxofa._sy
file zipped: c:\windows\duporimu.dll
file zipped: c:\windows\dylopuke.dl
file zipped: c:\windows\dyzihe.lib
file zipped: c:\windows\eruxotogy.reg
file zipped: c:\windows\ezilepuv.dl
file zipped: c:\windows\furu._dl
file zipped: c:\windows\hydycy._sy
file zipped: c:\windows\imazukacuf._dl
file zipped: c:\windows\korehomaxo.vbs
file zipped: c:\windows\nituze.reg
file zipped: c:\windows\odunefyc.sys
file zipped: c:\windows\ogixyg._sy
file zipped: c:\windows\oleluvily.inf
file zipped: c:\windows\onol.dat
file zipped: c:\windows\rihajacexi.vbs
file zipped: c:\windows\socedijaj.inf
file zipped: c:\windows\system32\amyfecyzi.vbs
file zipped: c:\windows\system32\aqys.inf
file zipped: c:\windows\system32\elixoha.inf
file zipped: c:\windows\system32\hyzovus.dl
file zipped: c:\windows\system32\ilesavy.inf
file zipped: c:\windows\system32\jopepekeva._dl
file zipped: c:\windows\system32\kozimitel.inf
file zipped: c:\windows\system32\mulafa._sy
file zipped: c:\windows\system32\susitu._sy
file zipped: c:\windows\system32\UACvoevdkvnsr.db
file zipped: c:\windows\system32\ufuwi.com
file zipped: c:\windows\system32\usobac._sy
file zipped: c:\windows\tivatuq.pif
file zipped: c:\windows\xatah.inf
file zipped: c:\windows\ycefofu.dl
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\docume~1\alluse~1\applic~1\iceb.dll
c:\docume~1\alluse~1\applic~1\jedyjuqo.scr
c:\docume~1\alluse~1\applic~1\ocide.com
c:\docume~1\alluse~1\applic~1\oqikikutu.reg
c:\docume~1\alluse~1\applic~1\ronamon.vbs
c:\docume~1\alluse~1\applic~1\wada.exe
c:\docume~1\trader\applic~1\afozahop.bin
c:\docume~1\trader\applic~1\ecukyhe.vbs
c:\docume~1\trader\applic~1\fepulo.pif
c:\docume~1\trader\applic~1\lajofeja.scr
c:\docume~1\trader\applic~1\qymine.exe
c:\docume~1\trader\applic~1\uhevin.vbs
c:\docume~1\trader\applic~1\upejeh.dat
c:\docume~1\trader\applic~1\zypabihic.dll
c:\program files\common files\acesyfoxex.bin
c:\program files\common files\agupat.vbs
c:\program files\common files\baxos._sy
c:\program files\common files\gyjy.dl
c:\program files\common files\izivif.db
c:\program files\common files\oxyzuceb.com
c:\program files\common files\qodu.scr
c:\program files\common files\ubipos._sy
c:\windows\avydihany.dl
c:\windows\avywody._dl
c:\windows\basovyb.pif
c:\windows\boka.exe
c:\windows\boxofa._sy
c:\windows\duporimu.dll
c:\windows\dylopuke.dl
c:\windows\dyzihe.lib
c:\windows\eruxotogy.reg
c:\windows\ezilepuv.dl
c:\windows\furu._dl
c:\windows\hydycy._sy
c:\windows\imazukacuf._dl
c:\windows\korehomaxo.vbs
c:\windows\nituze.reg
c:\windows\odunefyc.sys
c:\windows\ogixyg._sy
c:\windows\oleluvily.inf
c:\windows\onol.dat
c:\windows\rihajacexi.vbs
c:\windows\socedijaj.inf
c:\windows\system32\amyfecyzi.vbs
c:\windows\system32\aqys.inf
c:\windows\system32\elixoha.inf
c:\windows\system32\hyzovus.dl
c:\windows\system32\ilesavy.inf
c:\windows\system32\jopepekeva._dl
c:\windows\system32\kozimitel.inf
c:\windows\system32\mulafa._sy
c:\windows\system32\susitu._sy
c:\windows\system32\UACvoevdkvnsr.db
c:\windows\system32\ufuwi.com
c:\windows\system32\usobac._sy
c:\windows\tivatuq.pif
c:\windows\xatah.inf
c:\windows\ycefofu.dl
.
((((((((((((((((((((((((( Files Created from 2009-07-21 to 2009-08-21 )))))))))))))))))))))))))))))))
.
2009-08-20 20:27 . 2009-08-20 20:27 -------- d-----w- C:\rsit
2009-08-19 23:59 . 2009-08-19 23:59 -------- d-----w- c:\program files\ESET
2009-08-19 22:37 . 2009-07-10 13:27 1315328 -c----w- c:\windows\system32\dllcache\msoe.dll
2009-08-19 21:41 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\proquota.exe
2009-08-17 20:45 . 2009-08-17 20:45 -------- d-----w- c:\windows\system32\wbem\Repository
2009-08-17 20:45 . 2009-08-17 20:46 -------- d-----w- c:\windows\system32\wbem\autorecover
2009-08-17 20:34 . 2009-08-17 20:34 -------- d-----w- c:\windows\system32\wbem\repository.old
2009-08-17 20:34 . 2009-08-17 20:34 -------- d-----w- c:\windows\system32\wbem\autorecover.old
2009-08-08 19:27 . 2009-08-08 21:37 -------- d-----w- c:\program files\Carbonite
2009-08-08 19:26 . 2009-08-08 19:26 152576 ----a-w- c:\documents and settings\trader\Application Data\Sun\Java\jre1.6.0_15\lzma.dll
2009-08-08 18:37 . 2009-07-28 20:33 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-08-08 18:16 . 2009-08-08 18:16 -------- d-----w- c:\program files\Trend Micro
2009-08-08 16:17 . 2009-08-08 16:19 -------- d-----w- c:\program files\Windows Live Safety Center
2009-08-08 15:58 . 2009-08-08 15:58 14448 ----a-w- c:\documents and settings\trader\Local Settings\Application Data\ubumufo.reg
2009-08-08 15:58 . 2009-08-08 15:58 11642 ----a-w- c:\documents and settings\trader\Local Settings\Application Data\fabek.bin
2009-08-08 15:43 . 2009-08-08 16:48 15 ----a-w- c:\documents and settings\trader\settings.dat
2009-08-08 15:39 . 2009-08-08 15:39 -------- d--h--w- c:\windows\PIF
2009-08-08 15:23 . 2009-08-03 17:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-08 15:23 . 2009-08-03 17:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-08 14:45 . 2009-08-08 14:45 -------- d-----w- c:\documents and settings\trader\Application Data\Malwarebytes
2009-08-08 02:08 . 2009-08-08 02:08 18998 ----a-w- c:\documents and settings\trader\Local Settings\Application Data\aqaregefe.dat
2009-08-08 02:08 . 2009-08-08 02:08 14847 ----a-w- c:\documents and settings\trader\Local Settings\Application Data\soqo.scr
2009-08-08 02:03 . 2009-08-08 02:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-08-08 02:03 . 2009-08-20 20:36 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-08 00:05 . 2009-08-08 00:05 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-08-07 21:59 . 2009-08-07 21:59 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Mozilla
2009-08-07 20:19 . 2008-12-11 12:38 159600 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2009-08-07 20:19 . 2009-04-03 14:18 130936 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2009-08-07 20:19 . 2008-12-18 15:16 73840 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2009-08-07 20:18 . 2009-08-11 12:39 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-08-07 20:18 . 2009-08-07 20:18 -------- d-----w- c:\program files\Common Files\PC Tools
2009-08-07 20:18 . 2008-12-10 15:36 64392 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2009-08-07 20:18 . 2009-08-12 11:33 -------- d-----w- c:\program files\Spyware Doctor
2009-08-07 20:18 . 2009-08-07 20:18 -------- d-----w- c:\documents and settings\trader\Application Data\PC Tools
2009-08-07 20:18 . 2009-08-07 20:18 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2009-08-05 11:57 . 2009-08-05 11:57 38208 ----a-w- c:\documents and settings\Default User\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2009-08-05 09:01 . 2009-08-05 09:01 204800 -c----w- c:\windows\system32\dllcache\mswebdvd.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-21 21:22 . 2007-07-16 14:26 -------- d-----w- c:\program files\mIRC
2009-08-21 13:03 . 2009-05-05 22:30 2836 ----a-w- c:\windows\system32\d3d9caps.dat
2009-08-21 07:09 . 2009-04-21 12:53 -------- d-----w- c:\program files\KaVoom! KM
2009-08-14 01:30 . 2006-06-14 17:31 13104 ----a-w- c:\documents and settings\trader\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-08 19:26 . 2007-07-18 14:00 -------- d-----w- c:\program files\Java
2009-08-08 01:57 . 2006-05-15 15:25 -------- d-----w- c:\program files\Blackwood
2009-08-08 01:56 . 2006-06-12 14:49 -------- d-----w- c:\program files\PokerStars
2009-08-05 11:57 . 2009-06-19 12:39 -------- d-----w- c:\program files\Common Files\Adobe AIR
2009-08-05 11:57 . 2009-06-19 12:39 38208 ----a-w- c:\documents and settings\trader\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2009-08-05 09:01 . 2004-08-12 13:23 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-25 09:23 . 2009-05-27 20:28 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-07-17 19:01 . 2004-08-12 13:17 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-12 16:21 . 2004-08-12 13:34 233472 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-08 23:19 . 2009-07-08 23:19 -------- d-----w- c:\program files\TweetDeck
2009-07-03 17:09 . 2004-08-12 13:33 915456 ----a-w- c:\windows\system32\wininet.dll
2009-06-16 14:36 . 2004-08-12 13:30 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-16 14:36 . 2004-08-12 13:19 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-12 12:31 . 2004-08-12 13:31 80896 ----a-w- c:\windows\system32\tlntsess.exe
2009-06-12 12:31 . 2004-08-12 13:30 76288 ----a-w- c:\windows\system32\telnet.exe
2009-06-10 14:13 . 2004-08-12 13:17 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-06-10 13:19 . 2006-02-10 13:56 2066432 ----a-w- c:\windows\system32\mstscax.dll
2009-06-10 06:14 . 2004-08-12 13:33 132096 ----a-w- c:\windows\system32\wkssvc.dll
2009-06-03 19:09 . 2004-08-12 13:26 1291264 ----a-w- c:\windows\system32\quartz.dll
2009-05-27 20:23 . 2009-05-27 20:23 152576 ----a-w- c:\documents and settings\trader\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
Cisco Systems VPN Client.lnk - c:\program files\Cisco Systems\VPN Client\vpngui.exe [2006-5-25 1524776]
KaVoom! KM.lnk - c:\program files\KaVoom! KM\KaVoomKM.exe [2007-1-31 1679360]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\eSignal\\winros.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\jusched.exe"=
R3 f5ipfw;F5 Networks StoneWall Filter;c:\windows\system32\drivers\urfltw2k.sys [2007-12-13 10752]
R3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [2009-01-07 348752]
S0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2009-04-03 130936]
S2 KaVoom! KM;KaVoom! KM;c:\program files\KaVoom! KM\kavoomkm.exe [2007-01-31 1679360]
S3 S3SAVAGE4M;S3SAVAGE4M;c:\windows\system32\DRIVERS\s3sav4m.sys [2001-08-17 77824]
S3 urvpndrv;F5 Networks VPN Adapter;c:\windows\system32\DRIVERS\urvpndrv.sys [2007-12-13 27008]
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mStart Page = hxxp://www.google.com
IE: &Winamp Search - c:\documents and settings\All Users\Application Data\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
FF - ProfilePath - c:\documents and settings\trader\Application Data\Mozilla\Firefox\Profiles\xm8ek33n.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.excite.com/
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-21 19:13
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,79,00,73,00,\
.
Completion time: 2009-08-21 19:15
ComboFix-quarantined-files.txt 2009-08-21 23:15
ComboFix2.txt 2009-08-19 22:58
Pre-Run: 30,698,315,776 bytes free
Post-Run: 30,646,530,048 bytes free
258 --- E O F --- 2009-08-21 07:02
  14. Other log, in case I posted the wrong one.
DDS (Ver_09-07-30.01) - NTFSx86
Run by trader at 17:24:14.42 on Fri 08/21/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_15
============== Running Processes ===============
============== Pseudo HJT Report ===============
uStart Page = hxxp://www.google.com
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mStart Page = hxxp://www.google.com
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: Winamp Toolbar: {ebf2ba02-9094-4c5a-858b-bb198f3d8de2} - c:\program files\winamp toolbar\winamptb.dll
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [sunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\ciscos~1.lnk - c:\program files\cisco systems\vpn client\vpngui.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\kavoom~1.lnk - c:\program files\kavoom! km\KaVoomKM.exe
IE: &Winamp Search - c:\documents and settings\all users\application data\winamp toolbar\ietoolbar\resources\en-us\local\search.html
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {2BCDB465-81F9-41CB-832C-8037A4064446} - hxxps://12.1.57.15/vdesk/terminal/urxvpn.cab#version=6020,2008,0222,2309
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase1140.cab
DPF: {6C275925-A1ED-4DD2-9CEE-9823F5FDAA10} - hxxps://12.1.57.15/vdesk/terminal/urTermProxy.cab#version=6020,2008,0212,2002
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} - hxxp://www.crucial.com/controls/cpcScanner.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-wind-ows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E0FF21FA-B857-45C5-8621-F120A0C17FF2} - hxxps://12.1.57.15/vdesk/terminal/urxhost.cab
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxdev.dll
================= FIREFOX ===================
FF - ProfilePath - c:\docume~1\trader\applic~1\mozilla\firefox\profiles\xm8ek33n.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.excite.com/
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
============= SERVICES / DRIVERS ===============
=============== Created Last 30 ================
2009-08-19 19:59 <DIR> --d----- c:\program files\ESET
2009-08-19 18:38 227,840 a------- c:\windows\system32\wbem\SET1D.tmp
2009-08-19 18:38 128,512 -c------ c:\windows\system32\dllcache\dhtmled.ocx
2009-08-19 18:37 1,315,328 -c------ c:\windows\system32\dllcache\msoe.dll
2009-08-19 18:00 <DIR> -cd----- c:\windows\system32\dllcache\cache
2009-08-19 17:41 50,176 a------- c:\windows\system32\proquota.exe
2009-08-19 17:32 <DIR> --d----- C:\cmdcons
2009-08-17 16:45 <DIR> --d----- c:\windows\system32\wbem\Repository
2009-08-17 16:45 <DIR> --d----- c:\windows\system32\wbem\autorecover
2009-08-17 16:34 <DIR> --d----- c:\windows\system32\wbem\repository.old
2009-08-17 16:34 <DIR> --d----- c:\windows\system32\wbem\autorecover.old
2009-08-08 15:27 <DIR> --d----- c:\program files\Carbonite
2009-08-08 14:37 55,656 a------- c:\windows\system32\drivers\avgntflt.sys
2009-08-08 14:24 19,723 a------- c:\windows\imazukacuf._dl
2009-08-08 14:24 17,640 a------- c:\windows\furu._dl
2009-08-08 14:24 17,003 a------- c:\windows\dylopuke.dl
2009-08-08 14:24 16,803 a------- c:\windows\system32\jopepekeva._dl
2009-08-08 14:24 15,987 a------- c:\windows\ezilepuv.dl
2009-08-08 14:24 15,896 a------- c:\windows\system32\susitu._sy
2009-08-08 14:24 15,449 a------- c:\windows\avydihany.dl
2009-08-08 14:16 <DIR> --d----- c:\program files\Trend Micro
2009-08-08 11:58 19,689 a------- c:\windows\tivatuq.pif
2009-08-08 11:58 19,640 a------- c:\windows\nituze.reg
2009-08-08 11:58 18,554 a------- c:\docume~1\alluse~1\applic~1\oqikikutu.reg
2009-08-08 11:58 18,359 a------- c:\windows\eruxotogy.reg
2009-08-08 11:58 16,550 a------- c:\windows\duporimu.dll
2009-08-08 11:58 14,868 a------- c:\docume~1\trader\applic~1\fepulo.pif
2009-08-08 11:58 14,571 a------- c:\windows\onol.dat
2009-08-08 11:58 14,439 a------- c:\program files\common files\acesyfoxex.bin
2009-08-08 11:58 13,409 a------- c:\windows\rihajacexi.vbs
2009-08-08 11:58 12,989 a------- c:\windows\system32\usobac._sy
2009-08-08 11:58 12,781 a------- c:\windows\system32\mulafa._sy
2009-08-08 11:58 12,770 a------- c:\windows\system32\amyfecyzi.vbs
2009-08-08 11:58 12,246 a------- c:\docume~1\trader\applic~1\afozahop.bin
2009-08-08 11:58 11,157 a------- c:\windows\dyzihe.lib
2009-08-08 11:58 10,968 a------- c:\windows\korehomaxo.vbs
2009-08-08 11:58 10,567 a------- c:\docume~1\alluse~1\applic~1\jedyjuqo.scr
2009-08-08 11:58 10,457 a------- c:\windows\xatah.inf
2009-08-08 11:43 15 a------- c:\documents and settings\trader\settings.dat
2009-08-08 11:39 <DIR> --d-h--- c:\windows\PIF
2009-08-08 11:23 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-08 11:23 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-08-08 10:45 <DIR> --d----- c:\docume~1\trader\applic~1\Malwarebytes
2009-08-08 07:08 18,285 a------- c:\windows\system32\aqys.inf
2009-08-08 07:08 17,070 a------- c:\windows\system32\hyzovus.dl
2009-08-08 
07:08 15,600 a------- c:\windows\ycefofu.dl 2009-08-08 07:08 15,364 a------- c:\docume~1\trader\applic~1\uhevin.vbs 2009-08-08 07:08 12,133 a------- c:\windows\hydycy._sy 2009-08-08 07:08 19,314 a------- c:\windows\system32\kozimitel.inf 2009-08-08 07:08 16,658 a------- c:\windows\oleluvily.inf 2009-08-08 06:18 10,479 a------- c:\docume~1\alluse~1\applic~1\ronamon.vbs 2009-08-07 22:08 19,322 a------- c:\docume~1\alluse~1\applic~1\wada.exe 2009-08-07 22:08 18,498 a------- c:\docume~1\trader\applic~1\qymine.exe 2009-08-07 22:08 18,256 a------- c:\windows\boxofa._sy 2009-08-07 22:08 17,495 a------- c:\docume~1\trader\applic~1\zypabihic.dll 2009-08-07 22:08 17,427 a------- c:\windows\boka.exe 2009-08-07 22:08 16,508 a------- c:\docume~1\trader\applic~1\lajofeja.scr 2009-08-07 22:08 16,501 a------- c:\docume~1\trader\applic~1\upejeh.dat 2009-08-07 22:08 16,258 a------- c:\docume~1\alluse~1\applic~1\ocide.com 2009-08-07 22:08 15,268 a------- c:\program files\common files\qodu.scr 2009-08-07 22:08 14,823 a------- c:\program files\common files\oxyzuceb.com 2009-08-07 22:08 14,681 a------- c:\docume~1\alluse~1\applic~1\iceb.dll 2009-08-07 22:08 14,615 a------- c:\docume~1\trader\applic~1\ecukyhe.vbs 2009-08-07 22:08 14,292 a------- c:\windows\basovyb.pif 2009-08-07 22:08 13,843 a------- c:\windows\odunefyc.sys 2009-08-07 22:08 12,075 a------- c:\program files\common files\agupat.vbs 2009-08-07 22:08 11,930 a------- c:\windows\system32\ufuwi.com 2009-08-07 22:03 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes 2009-08-07 22:03 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware 2009-08-07 21:57 <DIR> --d----- c:\windows\system32\appmgmt 2009-08-07 21:46 19,936 a------- c:\windows\system32\elixoha.inf 2009-08-07 21:46 19,354 a------- c:\windows\avywody._dl 2009-08-07 21:46 19,138 a------- c:\windows\socedijaj.inf 2009-08-07 21:46 16,806 a------- c:\windows\system32\ilesavy.inf 2009-08-07 21:46 15,406 a------- c:\windows\ogixyg._sy 2009-08-07 16:19 159,600 
a------- c:\windows\system32\drivers\pctgntdi.sys 2009-08-07 16:19 130,936 a------- c:\windows\system32\drivers\PCTCore.sys 2009-08-07 16:19 73,840 a------- c:\windows\system32\drivers\PCTAppEvent.sys 2009-08-07 16:18 64,392 a------- c:\windows\system32\drivers\pctplsg.sys 2009-08-07 16:18 <DIR> --d----- c:\program files\common files\PC Tools 2009-08-07 16:18 <DIR> --d----- c:\program files\Spyware Doctor 2009-08-07 16:18 <DIR> --d----- c:\docume~1\trader\applic~1\PC Tools 2009-08-07 16:18 <DIR> --d----- c:\docume~1\alluse~1\applic~1\PC Tools 2009-08-07 09:22 1,110,399 a------- c:\windows\system32\UACvoevdkvnsr.db 2009-08-05 05:01 204,800 -c------ c:\windows\system32\dllcache\mswebdvd.dll ==================== Find3M ==================== 2009-08-21 09:03 2,836 a------- c:\windows\system32\d3d9caps.dat 2009-08-08 14:24 14,108 a------- c:\program files\common files\gyjy.dl 2009-08-08 07:08 10,704 a------- c:\program files\common files\baxos._sy 2009-08-07 22:08 18,214 a------- c:\program files\common files\izivif.db 2009-08-07 21:46 17,723 a------- c:\program files\common files\ubipos._sy 2009-08-05 05:01 204,800 a------- c:\windows\system32\mswebdvd.dll 2009-07-25 05:23 411,368 a------- c:\windows\system32\deploytk.dll 2009-07-17 15:01 58,880 a------- c:\windows\system32\atl.dll 2009-07-12 12:21 233,472 a------- c:\windows\system32\wmpdxm.dll 2009-07-03 13:09 915,456 a------- c:\windows\system32\wininet.dll 2009-06-16 10:36 119,808 a------- c:\windows\system32\t2embed.dll 2009-06-16 10:36 81,920 a------- c:\windows\system32\fontsub.dll 2009-06-12 08:31 80,896 a------- c:\windows\system32\tlntsess.exe 2009-06-12 08:31 76,288 a------- c:\windows\system32\telnet.exe 2009-06-10 10:13 84,992 a------- c:\windows\system32\avifil32.dll 2009-06-10 09:19 2,066,432 a------- c:\windows\system32\mstscax.dll 2009-06-10 02:14 132,096 a------- c:\windows\system32\wkssvc.dll 2009-06-03 15:09 1,291,264 a------- c:\windows\system32\quartz.dll 2009-05-01 08:25 32,768 a--sh--- 
c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009050120090502\index.dat ============= FINISH: 17:24:47.75 =============== i believe it is 8
  15. DDS (Ver_09-07-30.01) - NTFSx86
Run by trader at 17:24:14.42 on Fri 08/21/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_15

============== Running Processes ===============

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mStart Page = hxxp://www.google.com
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: Winamp Toolbar: {ebf2ba02-9094-4c5a-858b-bb198f3d8de2} - c:\program files\winamp toolbar\winamptb.dll
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [sunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\ciscos~1.lnk - c:\program files\cisco systems\vpn client\vpngui.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\kavoom~1.lnk - c:\program files\kavoom! km\KaVoomKM.exe
IE: &Winamp Search - c:\documents and settings\all users\application data\winamp toolbar\ietoolbar\resources\en-us\local\search.html
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {2BCDB465-81F9-41CB-832C-8037A4064446} - hxxps://12.1.57.15/vdesk/terminal/urxvpn.cab#version=6020,2008,0222,2309
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase1140.cab
DPF: {6C275925-A1ED-4DD2-9CEE-9823F5FDAA10} - hxxps://12.1.57.15/vdesk/terminal/urTermProxy.cab#version=6020,2008,0212,2002
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} - hxxp://www.crucial.com/controls/cpcScanner.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E0FF21FA-B857-45C5-8621-F120A0C17FF2} - hxxps://12.1.57.15/vdesk/terminal/urxhost.cab
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxdev.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\trader\applic~1\mozilla\firefox\profiles\xm8ek33n.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.excite.com/
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

=============== Created Last 30 ================

2009-08-19 19:59 <DIR> --d----- c:\program files\ESET
2009-08-19 18:38 227,840 a------- c:\windows\system32\wbem\SET1D.tmp
2009-08-19 18:38 128,512 -c------ c:\windows\system32\dllcache\dhtmled.ocx
2009-08-19 18:37 1,315,328 -c------ c:\windows\system32\dllcache\msoe.dll
2009-08-19 18:00 <DIR> -cd----- c:\windows\system32\dllcache\cache
2009-08-19 17:41 50,176 a------- c:\windows\system32\proquota.exe
2009-08-19 17:32 <DIR> --d----- C:\cmdcons
2009-08-17 16:45 <DIR> --d----- c:\windows\system32\wbem\Repository
2009-08-17 16:45 <DIR> --d----- c:\windows\system32\wbem\autorecover
2009-08-17 16:34 <DIR> --d----- c:\windows\system32\wbem\repository.old
2009-08-17 16:34 <DIR> --d----- c:\windows\system32\wbem\autorecover.old
2009-08-08 15:27 <DIR> --d----- c:\program files\Carbonite
2009-08-08 14:37 55,656 a------- c:\windows\system32\drivers\avgntflt.sys
2009-08-08 14:24 19,723 a------- c:\windows\imazukacuf._dl
2009-08-08 14:24 17,640 a------- c:\windows\furu._dl
2009-08-08 14:24 17,003 a------- c:\windows\dylopuke.dl
2009-08-08 14:24 16,803 a------- c:\windows\system32\jopepekeva._dl
2009-08-08 14:24 15,987 a------- c:\windows\ezilepuv.dl
2009-08-08 14:24 15,896 a------- c:\windows\system32\susitu._sy
2009-08-08 14:24 15,449 a------- c:\windows\avydihany.dl
2009-08-08 14:16 <DIR> --d----- c:\program files\Trend Micro
2009-08-08 11:58 19,689 a------- c:\windows\tivatuq.pif
2009-08-08 11:58 19,640 a------- c:\windows\nituze.reg
2009-08-08 11:58 18,554 a------- c:\docume~1\alluse~1\applic~1\oqikikutu.reg
2009-08-08 11:58 18,359 a------- c:\windows\eruxotogy.reg
2009-08-08 11:58 16,550 a------- c:\windows\duporimu.dll
2009-08-08 11:58 14,868 a------- c:\docume~1\trader\applic~1\fepulo.pif
2009-08-08 11:58 14,571 a------- c:\windows\onol.dat
2009-08-08 11:58 14,439 a------- c:\program files\common files\acesyfoxex.bin
2009-08-08 11:58 13,409 a------- c:\windows\rihajacexi.vbs
2009-08-08 11:58 12,989 a------- c:\windows\system32\usobac._sy
2009-08-08 11:58 12,781 a------- c:\windows\system32\mulafa._sy
2009-08-08 11:58 12,770 a------- c:\windows\system32\amyfecyzi.vbs
2009-08-08 11:58 12,246 a------- c:\docume~1\trader\applic~1\afozahop.bin
2009-08-08 11:58 11,157 a------- c:\windows\dyzihe.lib
2009-08-08 11:58 10,968 a------- c:\windows\korehomaxo.vbs
2009-08-08 11:58 10,567 a------- c:\docume~1\alluse~1\applic~1\jedyjuqo.scr
2009-08-08 11:58 10,457 a------- c:\windows\xatah.inf
2009-08-08 11:43 15 a------- c:\documents and settings\trader\settings.dat
2009-08-08 11:39 <DIR> --d-h--- c:\windows\PIF
2009-08-08 11:23 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-08 11:23 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-08-08 10:45 <DIR> --d----- c:\docume~1\trader\applic~1\Malwarebytes
2009-08-08 07:08 18,285 a------- c:\windows\system32\aqys.inf
2009-08-08 07:08 17,070 a------- c:\windows\system32\hyzovus.dl
2009-08-08 07:08 15,600 a------- c:\windows\ycefofu.dl
2009-08-08 07:08 15,364 a------- c:\docume~1\trader\applic~1\uhevin.vbs
2009-08-08 07:08 12,133 a------- c:\windows\hydycy._sy
2009-08-08 07:08 19,314 a------- c:\windows\system32\kozimitel.inf
2009-08-08 07:08 16,658 a------- c:\windows\oleluvily.inf
2009-08-08 06:18 10,479 a------- c:\docume~1\alluse~1\applic~1\ronamon.vbs
2009-08-07 22:08 19,322 a------- c:\docume~1\alluse~1\applic~1\wada.exe
2009-08-07 22:08 18,498 a------- c:\docume~1\trader\applic~1\qymine.exe
2009-08-07 22:08 18,256 a------- c:\windows\boxofa._sy
2009-08-07 22:08 17,495 a------- c:\docume~1\trader\applic~1\zypabihic.dll
2009-08-07 22:08 17,427 a------- c:\windows\boka.exe
2009-08-07 22:08 16,508 a------- c:\docume~1\trader\applic~1\lajofeja.scr
2009-08-07 22:08 16,501 a------- c:\docume~1\trader\applic~1\upejeh.dat
2009-08-07 22:08 16,258 a------- c:\docume~1\alluse~1\applic~1\ocide.com
2009-08-07 22:08 15,268 a------- c:\program files\common files\qodu.scr
2009-08-07 22:08 14,823 a------- c:\program files\common files\oxyzuceb.com
2009-08-07 22:08 14,681 a------- c:\docume~1\alluse~1\applic~1\iceb.dll
2009-08-07 22:08 14,615 a------- c:\docume~1\trader\applic~1\ecukyhe.vbs
2009-08-07 22:08 14,292 a------- c:\windows\basovyb.pif
2009-08-07 22:08 13,843 a------- c:\windows\odunefyc.sys
2009-08-07 22:08 12,075 a------- c:\program files\common files\agupat.vbs
2009-08-07 22:08 11,930 a------- c:\windows\system32\ufuwi.com
2009-08-07 22:03 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-08-07 22:03 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-08-07 21:57 <DIR> --d----- c:\windows\system32\appmgmt
2009-08-07 21:46 19,936 a------- c:\windows\system32\elixoha.inf
2009-08-07 21:46 19,354 a------- c:\windows\avywody._dl
2009-08-07 21:46 19,138 a------- c:\windows\socedijaj.inf
2009-08-07 21:46 16,806 a------- c:\windows\system32\ilesavy.inf
2009-08-07 21:46 15,406 a------- c:\windows\ogixyg._sy
2009-08-07 16:19 159,600 a------- c:\windows\system32\drivers\pctgntdi.sys
2009-08-07 16:19 130,936 a------- c:\windows\system32\drivers\PCTCore.sys
2009-08-07 16:19 73,840 a------- c:\windows\system32\drivers\PCTAppEvent.sys
2009-08-07 16:18 64,392 a------- c:\windows\system32\drivers\pctplsg.sys
2009-08-07 16:18 <DIR> --d----- c:\program files\common files\PC Tools
2009-08-07 16:18 <DIR> --d----- c:\program files\Spyware Doctor
2009-08-07 16:18 <DIR> --d----- c:\docume~1\trader\applic~1\PC Tools
2009-08-07 16:18 <DIR> --d----- c:\docume~1\alluse~1\applic~1\PC Tools
2009-08-07 09:22 1,110,399 a------- c:\windows\system32\UACvoevdkvnsr.db
2009-08-05 05:01 204,800 -c------ c:\windows\system32\dllcache\mswebdvd.dll

==================== Find3M ====================

2009-08-21 09:03 2,836 a------- c:\windows\system32\d3d9caps.dat
2009-08-08 14:24 14,108 a------- c:\program files\common files\gyjy.dl
2009-08-08 07:08 10,704 a------- c:\program files\common files\baxos._sy
2009-08-07 22:08 18,214 a------- c:\program files\common files\izivif.db
2009-08-07 21:46 17,723 a------- c:\program files\common files\ubipos._sy
2009-08-05 05:01 204,800 a------- c:\windows\system32\mswebdvd.dll
2009-07-25 05:23 411,368 a------- c:\windows\system32\deploytk.dll
2009-07-17 15:01 58,880 a------- c:\windows\system32\atl.dll
2009-07-12 12:21 233,472 a------- c:\windows\system32\wmpdxm.dll
2009-07-03 13:09 915,456 a------- c:\windows\system32\wininet.dll
2009-06-16 10:36 119,808 a------- c:\windows\system32\t2embed.dll
2009-06-16 10:36 81,920 a------- c:\windows\system32\fontsub.dll
2009-06-12 08:31 80,896 a------- c:\windows\system32\tlntsess.exe
2009-06-12 08:31 76,288 a------- c:\windows\system32\telnet.exe
2009-06-10 10:13 84,992 a------- c:\windows\system32\avifil32.dll
2009-06-10 09:19 2,066,432 a------- c:\windows\system32\mstscax.dll
2009-06-10 02:14 132,096 a------- c:\windows\system32\wkssvc.dll
2009-06-03 15:09 1,291,264 a------- c:\windows\system32\quartz.dll
2009-05-01 08:25 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009050120090502\index.dat

============= FINISH: 17:24:47.75 ===============
  16. OK, Combo has been uninstalled. The only issue now seems to be that IE won't launch. I have been forced to use Mozilla.
  17. Ran TPC and rebooted. The second scan would not run; got an auto error. I can't find the logs for it, but the computer seems to be running well now. Let me know your thoughts. Thanks, Rapp
  18. ran combo then ran Malware bytes. Then ran combo again with your CFScript command. Here is the latest log. ComboFix 09-08-18.04 - trader 08/19/2009 18:47.3.2 - NTFSx86 Running from: c:\documents and settings\trader\Desktop\Combo-Fix..exe Command switches used :: c:\documents and settings\trader\Desktop\CFScript.txt AV: AntiVir Desktop *On-access scanning disabled* (Outdated) {AD166499-45F9-482A-A743-FDD3350758C7} * Created a new restore point file zipped: c:\documents and settings\All Users\Application Data\jatyd.dll file zipped: c:\documents and settings\trader\Application Data\mygurecan.exe file zipped: c:\documents and settings\trader\Application Data\nubike.sys file zipped: c:\documents and settings\trader\Application Data\sepaqe.scr file zipped: c:\documents and settings\trader\Application Data\vimobak.com file zipped: c:\documents and settings\trader\Application Data\ynyl.sys file zipped: c:\documents and settings\trader\Local Settings\Application Data\adec.pif file zipped: c:\documents and settings\trader\Local Settings\Application Data\gyky.bin file zipped: c:\documents and settings\trader\Local Settings\Application Data\uwoqaw.scr file zipped: c:\program files\Common Files\cywumokofi.com file zipped: c:\program files\Common Files\ixyqywiju.pif file zipped: c:\program files\Common Files\rabeq.dat file zipped: c:\windows\depih.bin file zipped: c:\windows\ebac.sys file zipped: c:\windows\esamebus.pif file zipped: c:\windows\kuhe.pif file zipped: c:\windows\muhyxoxujy.dll file zipped: c:\windows\nyrowil.scr file zipped: c:\windows\otiwa.exe file zipped: c:\windows\system32\anuna.com file zipped: c:\windows\system32\buxy.com file zipped: c:\windows\system32\gibake.com file zipped: c:\windows\system32\himajil.reg file zipped: c:\windows\system32\sulefevo.dll file zipped: c:\windows\ukefyruma.bin file zipped: c:\windows\urexe.pif file zipped: c:\windows\uryq.scr file zipped: c:\windows\xonarif.bat file zipped: c:\windows\yrepa.scr . 
((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . c:\documents and settings\All Users\Application Data\jatyd.dll c:\documents and settings\trader\Application Data\mygurecan.exe c:\documents and settings\trader\Application Data\nubike.sys c:\documents and settings\trader\Application Data\sepaqe.scr c:\documents and settings\trader\Application Data\vimobak.com c:\documents and settings\trader\Application Data\ynyl.sys c:\documents and settings\trader\Local Settings\Application Data\adec.pif c:\documents and settings\trader\Local Settings\Application Data\gyky.bin c:\documents and settings\trader\Local Settings\Application Data\uwoqaw.scr c:\program files\Common Files\cywumokofi.com c:\program files\Common Files\ixyqywiju.pif c:\program files\Common Files\rabeq.dat c:\windows\depih.bin c:\windows\ebac.sys c:\windows\esamebus.pif c:\windows\kuhe.pif c:\windows\muhyxoxujy.dll c:\windows\nyrowil.scr c:\windows\otiwa.exe c:\windows\system32\anuna.com c:\windows\system32\buxy.com c:\windows\system32\gibake.com c:\windows\system32\himajil.reg c:\windows\system32\sulefevo.dll c:\windows\ukefyruma.bin c:\windows\urexe.pif c:\windows\uryq.scr c:\windows\xonarif.bat c:\windows\yrepa.scr Infected copy of c:\windows\system32\mspmsnsv.dll was found and disinfected Restored copy from - c:\windows\system32\dllcache\mspmsnsv.dll . ((((((((((((((((((((((((((((((((((((((( Drivers/Services ))))))))))))))))))))))))))))))))))))))))))))))))) . -------\Legacy_VIEWPOINT_MANAGER_SERVICE -------\Service_Viewpoint Manager Service ((((((((((((((((((((((((( Files Created from 2009-07-19 to 2009-08-19 ))))))))))))))))))))))))))))))) . 2009-08-19 21:41 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\proquota.exe 2009-08-17 20:45 . 2009-08-17 20:45 -------- d-----w- c:\windows\system32\wbem\Repository 2009-08-17 20:45 . 2009-08-17 20:46 -------- d-----w- c:\windows\system32\wbem\autorecover 2009-08-17 20:34 . 
2009-08-17 20:34 -------- d-----w- c:\windows\system32\wbem\repository.old 2009-08-17 20:34 . 2009-08-17 20:34 -------- d-----w- c:\windows\system32\wbem\autorecover.old 2009-08-08 19:27 . 2009-08-08 21:37 -------- d-----w- c:\program files\Carbonite 2009-08-08 19:26 . 2009-08-08 19:26 152576 ----a-w- c:\documents and settings\trader\Application Data\Sun\Java\jre1.6.0_15\lzma.dll 2009-08-08 18:37 . 2009-07-28 20:33 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys 2009-08-08 18:37 . 2009-03-30 14:33 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys 2009-08-08 18:37 . 2009-02-13 16:29 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys 2009-08-08 18:37 . 2009-02-13 16:17 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys 2009-08-08 18:37 . 2009-08-08 18:37 -------- d-----w- c:\program files\Avira 2009-08-08 18:37 . 2009-08-08 18:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira 2009-08-08 18:16 . 2009-08-08 18:16 -------- d-----w- c:\program files\Trend Micro 2009-08-08 16:17 . 2009-08-08 16:19 -------- d-----w- c:\program files\Windows Live Safety Center 2009-08-08 15:43 . 2009-08-08 16:48 15 ----a-w- c:\documents and settings\trader\settings.dat 2009-08-08 15:39 . 2009-08-08 15:39 -------- d--h--w- c:\windows\PIF 2009-08-08 15:23 . 2009-08-03 17:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys 2009-08-08 15:23 . 2009-08-03 17:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys 2009-08-08 14:45 . 2009-08-08 14:45 -------- d-----w- c:\documents and settings\trader\Application Data\Malwarebytes 2009-08-08 02:03 . 2009-08-08 02:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes 2009-08-08 02:03 . 2009-08-19 22:24 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware 2009-08-08 00:05 . 2009-08-08 00:05 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache 2009-08-07 21:59 . 
2009-08-07 21:59 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Mozilla 2009-08-07 20:19 . 2008-12-11 12:38 159600 ----a-w- c:\windows\system32\drivers\pctgntdi.sys 2009-08-07 20:19 . 2009-04-03 14:18 130936 ----a-w- c:\windows\system32\drivers\PCTCore.sys 2009-08-07 20:19 . 2008-12-18 15:16 73840 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys 2009-08-07 20:18 . 2009-08-11 12:39 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP 2009-08-07 20:18 . 2009-08-07 20:18 -------- d-----w- c:\program files\Common Files\PC Tools 2009-08-07 20:18 . 2008-12-10 15:36 64392 ----a-w- c:\windows\system32\drivers\pctplsg.sys 2009-08-07 20:18 . 2009-08-12 11:33 -------- d-----w- c:\program files\Spyware Doctor 2009-08-07 20:18 . 2009-08-07 20:18 -------- d-----w- c:\documents and settings\trader\Application Data\PC Tools 2009-08-07 20:18 . 2009-08-07 20:18 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools 2009-08-05 11:57 . 2009-08-05 11:57 38208 ----a-w- c:\documents and settings\Default User\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2009-08-19 22:53 . 2009-04-21 12:53 -------- d-----w- c:\program files\KaVoom! KM 2009-08-19 22:37 . 2009-05-05 22:30 2836 ----a-w- c:\windows\system32\d3d9caps.dat 2009-08-19 20:05 . 2007-07-16 14:26 -------- d-----w- c:\program files\mIRC 2009-08-14 01:30 . 2006-06-14 17:31 13104 ----a-w- c:\documents and settings\trader\Local Settings\Application Data\GDIPFONTCACHEV1.DAT 2009-08-08 19:26 . 2007-07-18 14:00 -------- d-----w- c:\program files\Java 2009-08-08 18:24 . 2009-08-08 18:24 14108 ----a-w- c:\program files\Common Files\gyjy.dl 2009-08-08 14:45 . 2009-05-08 14:45 85504 --sha-w- c:\windows\system32\kelewaba.dll 2009-08-08 11:08 . 
2009-08-08 11:08 15364 ----a-w- c:\documents and settings\trader\Application Data\uhevin.vbs 2009-08-08 11:08 . 2009-08-08 11:08 10704 ----a-w- c:\program files\Common Files\baxos._sy 2009-08-08 10:18 . 2009-08-08 10:18 10479 ----a-w- c:\documents and settings\All Users\Application Data\ronamon.vbs 2009-08-08 01:57 . 2006-05-15 15:25 -------- d-----w- c:\program files\Blackwood 2009-08-08 01:56 . 2006-06-12 14:49 -------- d-----w- c:\program files\PokerStars 2009-08-08 01:46 . 2009-08-08 01:46 17723 ----a-w- c:\program files\Common Files\ubipos._sy 2009-08-05 11:57 . 2009-06-19 12:39 -------- d-----w- c:\program files\Common Files\Adobe AIR 2009-08-05 11:57 . 2009-06-19 12:39 38208 ----a-w- c:\documents and settings\trader\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe 2009-07-25 09:23 . 2009-05-27 20:28 411368 ----a-w- c:\windows\system32\deploytk.dll 2009-07-08 23:19 . 2009-07-08 23:19 -------- d-----w- c:\program files\TweetDeck 2009-07-03 17:09 . 2004-08-12 13:33 915456 ----a-w- c:\windows\system32\wininet.dll 2009-06-16 14:36 . 2004-08-12 13:30 119808 ----a-w- c:\windows\system32\t2embed.dll 2009-06-16 14:36 . 2004-08-12 13:19 81920 ----a-w- c:\windows\system32\fontsub.dll 2009-06-03 19:09 . 2004-08-12 13:26 1291264 ----a-w- c:\windows\system32\quartz.dll 2009-05-27 20:23 . 2009-05-27 20:23 152576 ----a-w- c:\documents and settings\trader\Application Data\Sun\Java\jre1.6.0_13\lzma.dll 2009-05-07 21:07 . 2009-05-07 21:07 49664 --sha-w- c:\windows\system32\ravufuge.dll.tmp 2009-05-07 21:07 . 2009-05-07 21:07 49664 --sha-w- c:\windows\system32\yiwuyipa.dll.tmp . ((((((((((((((((((((((((((((( SnapShot@2009-08-19_21.57.20 ))))))))))))))))))))))))))))))))))))))))) . + 2009-08-19 22:53 . 2009-08-19 22:53 16384 c:\windows\Temp\Perflib_Perfdata_670.dat + 2004-08-12 13:26 . 2009-08-19 22:39 39992 c:\windows\system32\perfc009.dat - 2004-08-12 13:26 . 
2009-08-19 21:51 39992 c:\windows\system32\perfc009.dat + 2004-08-12 13:26 . 2009-08-19 22:39 311604 c:\windows\system32\perfh009.dat - 2004-08-12 13:26 . 2009-08-19 21:51 311604 c:\windows\system32\perfh009.dat + 2009-08-19 22:38 . 2009-07-29 21:49 24281536 c:\windows\system32\MRT.exe . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208] "igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824] "igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688] "avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153] "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280] c:\documents and settings\All Users\Start Menu\Programs\Startup\ Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696] Cisco Systems VPN Client.lnk - c:\program files\Cisco Systems\VPN Client\vpngui.exe [2006-5-25 1524776] KaVoom! KM.lnk - c:\program files\KaVoom! 
KM\KaVoomKM.exe [2007-1-31 1679360] [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice] @="" [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice] @="" [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile] "EnableFirewall"= 0 (0x0) [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "c:\\Program Files\\AIM\\aim.exe"= "c:\\Program Files\\eSignal\\winros.exe"= "c:\\Program Files\\Skype\\Phone\\Skype.exe"= "c:\\Program Files\\Java\\jre6\\bin\\jusched.exe"= "c:\\Program Files\\Avira\\AntiVir Desktop\\avgnt.exe"= R3 f5ipfw;F5 Networks StoneWall Filter;c:\windows\system32\drivers\urfltw2k.sys [2007-12-13 10752] R3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [2009-01-07 348752] S0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2009-04-03 130936] S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2009-05-13 108289] S2 KaVoom! KM;KaVoom! KM;c:\program files\KaVoom! KM\kavoomkm.exe [2007-01-31 1679360] S3 S3SAVAGE4M;S3SAVAGE4M;c:\windows\system32\DRIVERS\s3sav4m.sys [2001-08-17 77824] S3 urvpndrv;F5 Networks VPN Adapter;c:\windows\system32\DRIVERS\urvpndrv.sys [2007-12-13 27008] [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}] "c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP . . ------- Supplementary Scan ------- . 
uStart Page = hxxp://www.google.com uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7 mStart Page = hxxp://www.google.com IE: &Winamp Search - c:\documents and settings\All Users\Application Data\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html FF - ProfilePath - c:\documents and settings\trader\Application Data\Mozilla\Firefox\Profiles\xm8ek33n.default\ FF - prefs.js: browser.startup.homepage - hxxp://www.excite.com/ . ************************************************************************** catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2009-08-19 18:53 Windows 5.1.2600 Service Pack 3 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** . --------------------- LOCKED REGISTRY KEYS --------------------- [HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters] "SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79, 00,5c,00,4d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,79,00,73,00,\ . --------------------- DLLs Loaded Under Running Processes --------------------- - - - - - - - > 'explorer.exe'(664) c:\windows\system32\WININET.dll c:\windows\system32\ieframe.dll c:\windows\system32\webcheck.dll . ------------------------ Other Running Processes ------------------------ . c:\program files\Avira\AntiVir Desktop\avguard.exe c:\program files\Cisco Systems\VPN Client\cvpnd.exe c:\program files\Java\jre6\bin\jqs.exe c:\windows\system32\wdfmgr.exe c:\program files\RealVNC\VNC4\winvnc4.exe c:\windows\system32\wscntfy.exe . ************************************************************************** . 
Completion time: 2009-08-19 18:58 - machine was rebooted
ComboFix-quarantined-files.txt 2009-08-19 22:57
ComboFix2.txt 2009-08-19 22:01
Pre-Run: 30,675,972,096 bytes free
Post-Run: 30,632,742,912 bytes free
233 --- E O F --- 2009-08-19 22:39
  19. Malware log
Malwarebytes' Anti-Malware 1.40
Database version: 2659
Windows 5.1.2600 Service Pack 3
8/19/2009 6:29:36 PM
mbam-log-2009-08-19 (18-29-36).txt
Scan type: Quick Scan
Objects scanned: 80259
Time elapsed: 3 minute(s), 22 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 2
Registry Keys Infected: 5
Registry Values Infected: 5
Registry Data Items Infected: 6
Folders Infected: 3
Files Infected: 23
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
C:\WINDOWS\system32\megumipa.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\lepopoka.dll (Trojan.Vundo.H) -> Delete on reboot.
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{c59d7222-e38b-4403-bc69-6e5ac7767927} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{c59d7222-e38b-4403-bc69-6e5ac7767927} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{c59d7222-e38b-4403-bc69-6e5ac7767927} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\PC_Antispyware2010 (Rogue.PC_Antispyware2010) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lezuhorose (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cpm87219719 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\ssodl (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\ForceClassicControlPanel (Hijack.ControlPanelStyle) -> Quarantined and deleted successfully.
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: c:\windows\system32\megumipa.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: system32\megumipa.dll -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
Folders Infected:
C:\Documents and Settings\trader\Application Data\MalwareRemovalBot (Rogue.MalwareRemovalBot) -> Quarantined and deleted successfully.
C:\Documents and Settings\trader\Application Data\MalwareRemovalBot\Log (Rogue.MalwareRemovalBot) -> Quarantined and deleted successfully.
C:\Documents and Settings\trader\Application Data\MalwareRemovalBot\Settings (Rogue.MalwareRemovalBot) -> Quarantined and deleted successfully.
Files Infected:
C:\WINDOWS\system32\lepopoka.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\megumipa.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\sodofewa.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\Documents and Settings\trader\Start Menu\Programs\Startup\dmaupd32.exe.XXX (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\guhegeni.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\xa.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\UACirqpbpxdlt.sys.XXX (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\beep.sys.XXX (Trojan.KillAV) -> Quarantined and deleted successfully.
C:\Documents and Settings\trader\Application Data\MalwareRemovalBot\rs.dat (Rogue.MalwareRemovalBot) -> Quarantined and deleted successfully.
C:\Documents and Settings\trader\Application Data\MalwareRemovalBot\Log\2009 Aug 07 - 09_42_50 PM_640.log (Rogue.MalwareRemovalBot) -> Quarantined and deleted successfully.
C:\Documents and Settings\trader\Application Data\MalwareRemovalBot\Log\2009 Aug 07 - 09_53_56 PM_703.log (Rogue.MalwareRemovalBot) -> Quarantined and deleted successfully.
C:\Documents and Settings\trader\Application Data\MalwareRemovalBot\Log\2009 Aug 07 - 09_54_11 PM_968.log (Rogue.MalwareRemovalBot) -> Quarantined and deleted successfully.
C:\Documents and Settings\trader\Application Data\MalwareRemovalBot\Log\2009 Aug 07 - 10_07_11 PM_312.log (Rogue.MalwareRemovalBot) -> Quarantined and deleted successfully.
C:\Documents and Settings\trader\Application Data\MalwareRemovalBot\Log\2009 Aug 07 - 10_14_18 PM_000.log (Rogue.MalwareRemovalBot) -> Quarantined and deleted successfully.
C:\Documents and Settings\trader\Application Data\MalwareRemovalBot\Log\2009 Aug 07 - 10_25_36 PM_296.log (Rogue.MalwareRemovalBot) -> Quarantined and deleted successfully.
C:\Documents and Settings\trader\Application Data\MalwareRemovalBot\Log\2009 Aug 07 - 10_47_35 PM_500.log (Rogue.MalwareRemovalBot) -> Quarantined and deleted successfully.
C:\Documents and Settings\trader\Application Data\MalwareRemovalBot\Log\2009 Aug 08 - 06_17_47 AM_562.log (Rogue.MalwareRemovalBot) -> Quarantined and deleted successfully.
C:\Documents and Settings\trader\Application Data\MalwareRemovalBot\Log\2009 Aug 08 - 06_20_58 AM_328.log (Rogue.MalwareRemovalBot) -> Quarantined and deleted successfully.
C:\Documents and Settings\trader\Application Data\MalwareRemovalBot\Log\2009 Aug 08 - 06_25_45 AM_609.log (Rogue.MalwareRemovalBot) -> Quarantined and deleted successfully.
C:\Documents and Settings\trader\Application Data\MalwareRemovalBot\Log\2009 Aug 08 - 06_38_54 AM_390.log (Rogue.MalwareRemovalBot) -> Quarantined and deleted successfully.
C:\Documents and Settings\trader\Application Data\MalwareRemovalBot\Settings\ScanResults.pie (Rogue.MalwareRemovalBot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\zupejaku.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\trader\Desktop\winlogon.exe (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.
  20. Combo log ComboFix 09-08-18.04 - trader 08/19/2009 17:50.2.2 - NTFSx86 Running from: c:\documents and settings\trader\Desktop\Combo-Fix..exe AV: AntiVir Desktop *On-access scanning disabled* (Outdated) {AD166499-45F9-482A-A743-FDD3350758C7} . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . . ---- Previous Run ------- . c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\BaseWN.3-2-0.ddr.dll c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\BJBase_2-4-1_DDR.dll c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\BJNet_2-4-0_DDR.dll c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\BJXSLT_1_0_ddr.dll c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\CustomActiveX.DDR.dll c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\libeay32_1-1-0_DDR.dll c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\Marshaller.dll c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\mfc42.dll c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\msvcrt.dll c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\Setup\backAtoB.exe.XXX c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\Setup\cleanup.exe c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\Setup\cmuninst.exe c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\Setup\cpicon.exe c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\Setup\delsbc.exe c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\Setup\DLLs\BJAXSecurityManager.dll c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\Setup\DLLs\BJInstaller.dll c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\Setup\DLLs\RGWInterfaces_DSR.dll c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\Setup\DLLs\RGWLib_2-0-0_DSR.dll c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\Setup\DLLs\TrustInhouse.dll c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\Setup\Efficient\EnetChk.exe c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\Setup\Efficient\NTSRD.exe c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\Setup\Efficient\NTSRR.exe c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\Setup\Efficient\NTSRR2.exe 
c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\Setup\icons.exe c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\Setup\InitSST.exe c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\Setup\LnchSST.exe c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\Setup\removeicons.exe c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\Setup\SST\Data\Chorus\ActiveUtils.dll c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\Setup\SST\Data\Chorus\BJAXSecurityManager.dll c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\Setup\SST\Data\Chorus\BJInstaller.dll c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\Setup\SST\Data\Chorus\chorus.exe c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\Setup\SST\Data\Chorus\csshim.dll c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\Setup\SST\Data\Chorus\EnCmnSvr.exe c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\Setup\SST\Data\Chorus\EniCommon.dll c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\Setup\SST\Data\Chorus\enisnmp.dll c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\Setup\SST\Data\Chorus\InstallHelper.exe c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\Setup\SST\Data\Chorus\McciCPEX.dll c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\Setup\SST\Data\Chorus\mccupdate.exe c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\Setup\SST\Data\Chorus\MCCWrapper_DSR.dll c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\Setup\SST\Data\Chorus\Pcandis4.sys c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\Setup\SST\Data\Chorus\Pcandis5.sys c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\Setup\SST\Data\Chorus\Prox.dll c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\Setup\SST\Data\Chorus\RGWInterfaces_DSR.dll c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\Setup\SST\Data\Chorus\RGWLib_2-0-0_DSR.dll c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\Setup\SST\Data\Chorus\W32n50.dll c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\Setup\SST\Data\closeAll.exe.XXX c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\Setup\SST\Data\CustomUninstall.exe c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\Setup\SST\Data\EndProcess.exe 
c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\Setup\SST\Data\KillWindow2.exe c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\Setup\SST\Data\mad.exe c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\Setup\SST\Data\MCCCleanup.exe c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\Setup\SST\Data\MCCDevice.dll c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\Setup\SST\Data\MCCDNSHLP_1-0-0_DSR.dll c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\Setup\SST\Data\MCCEmbInstall.exe c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\Setup\SST\Data\McciCPEX_2_DSR.exe c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\Setup\SST\Data\MCCSilent.exe c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\Setup\SST\Data\MCCUninst.exe c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\Setup\SST\Data\MotiveBrowser.exe c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\Setup\SST\Data\Package\McciControlInstaller_DSR.exe c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\Setup\SST\Data\Package\McciCoreInstaller_DSR.exe c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\Setup\SST\Data\Package\NoRun.exe c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\Setup\SST\Data\psapi.dll c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\Setup\SST\Data\resource.dll c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\Setup\SST\Data\StartAsync.exe c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\Setup\SST\Data\Uninstall.exe c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\Setup\SST\Data\UpdateSC.EXE c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\Setup\SST\Data\util.exe c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\Setup\SST\Data\vdmdbg.dll c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\Setup\SST\Data\VNC\MotVNC.exe c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\ssleay32_1-1-0_DDR.dll c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\stlport_4_0_0_DDR.dll c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\wffDDR.dll c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\WinUtils3_DDR.dll c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\WorkFlow.exe 
c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\WorkFlow\Bin\AddDictionaryInt.DDR.dll c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\WorkFlow\Bin\CompareGlobalDicInt.DDR.dll c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\WorkFlow\Bin\CompareGlobalDicStr.DDR.dll c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\WorkFlow\Bin\CopyFiles.DDR.dll c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\WorkFlow\Bin\CoreObjects.DDR.dll c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\WorkFlow\Bin\CPUSpeed.DDR.dll c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\WorkFlow\Bin\DictionaryWindow.DDR.dll c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\WorkFlow\Bin\DirAndFilePaths.DDR.dll c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\WorkFlow\Bin\ExitHostApp.DDR.dll c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\WorkFlow\Bin\ExtEvntMngr.DDR.dll c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\WorkFlow\Bin\ExtractListEntry.DDR.dll c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\WorkFlow\Bin\ExtractZipFile.DDR.dll c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\WorkFlow\Bin\ExtrnlEvntLstnr.DDR.dll c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\WorkFlow\Bin\FileReadWrite.DDR.dll c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\WorkFlow\Bin\GetPhoneBookEntries.DDR.dll c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\WorkFlow\Bin\GlobalDicAndRepEnt.DDR.dll c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\WorkFlow\Bin\GlobalDicCompare.DDR.dll c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\WorkFlow\Bin\HTMLDisplayProps.DDR.dll c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\WorkFlow\Bin\HtmlFormInput.DDR.dll c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\WorkFlow\Bin\HttpPost.DDR.dll c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\WorkFlow\Bin\IniFileReaderWriter.DDR.dll c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\WorkFlow\Bin\IsAdministrator.DDR.dll c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\WorkFlow\Bin\IsIEInstalled.DDR.dll c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\WorkFlow\Bin\IsNetscapeInstalled.DDR.dll 
c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\WorkFlow\Bin\LaunchProgram.DDR.dll c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\WorkFlow\Bin\Logger.DDR.dll c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\WorkFlow\Bin\OsDetect.DDR.dll c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\WorkFlow\Bin\PrintAscii.DDR.dll c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\WorkFlow\Bin\Profile.DDR.dll c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\WorkFlow\Bin\RamSize.DDR.dll c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\WorkFlow\Bin\RebootSystem.DDR.dll c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\WorkFlow\Bin\RegManipulation.DDR.dll c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\WorkFlow\Bin\Report.DDR.dll c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\WorkFlow\Bin\SaveReport.DDR.dll c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\WorkFlow\Bin\ScriptRunner.DDR.dll c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\WorkFlow\Bin\SglDisplay.DDR.dll c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\WorkFlow\Bin\SimpleHostApp.DDR.dll c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\WorkFlow\Bin\SleepNode.DDR.dll c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\WorkFlow\Bin\StringFormat.DDR.dll c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\WorkFlow\Bin\StringListPatMatch.DDR.dll c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\WorkFlow\Bin\StringReplace.DDR.dll c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\WorkFlow\Bin\SubstringExtraction.DDR.dll c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\WorkFlow\Bin\SysDriveSpace.DDR.dll c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\WorkFlow\Bin\TcpIpConnectionTest.DDR.dll c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\WorkFlow\Bin\WaitOnWindow.DDR.dll c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\WorkFlow\Bin\WindowClicker.DDR.dll c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\WorkFlow\Bin\XmlParserNode.DDR.dll c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\WorkFlow\Bin\XmlToString.DDR.dll c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\WorkFlow\Bin\Zipit.DDR.dll 
c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\WorkFlow\Extra\AgentKiller.exe c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\WorkFlow\Extra\curl.exe c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\WorkFlow\Extra\DeleteAll.EXE c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\WorkFlow\Extra\DeleteLegacyFolders.EXE c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\WorkFlow\Extra\DLFile.exe c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\WorkFlow\Extra\FixXPDun.exe c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\WorkFlow\Extra\GetVersion.exe c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\WorkFlow\Extra\LaunchDSLIcon.exe c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\WorkFlow\Extra\MotGuidGen.exe c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\WorkFlow\Extra\RecoverFromReboot.exe c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\WorkFlow\Extra\RemoveMe.exe c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\xerces-c_1_40_0_DDR.dll c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat c:\documents and settings\trader\Application Data\Microsoft\Internet Explorer\Quick Launch\PC_Antispyware2010.lnk c:\documents and settings\trader\Application Data\wiaserva.log c:\documents and settings\trader\Local Settings\Temp\WebInstaller\BaseWN.3-2-0.ddr.dll c:\documents and settings\trader\Local Settings\Temp\WebInstaller\BJBase_2-4-1_DDR.dll c:\documents and settings\trader\Local Settings\Temp\WebInstaller\BJNet_2-4-0_DDR.dll c:\documents and settings\trader\Local Settings\Temp\WebInstaller\BJXSLT_1_0_ddr.dll c:\documents and settings\trader\Local Settings\Temp\WebInstaller\CustomActiveX.DDR.dll c:\documents and settings\trader\Local Settings\Temp\WebInstaller\libeay32_1-1-0_DDR.dll c:\documents and settings\trader\Local Settings\Temp\WebInstaller\Marshaller.dll c:\documents and settings\trader\Local Settings\Temp\WebInstaller\mfc42.dll c:\documents and settings\trader\Local 
Settings\Temp\WebInstaller\msvcrt.dll c:\documents and settings\trader\Local Settings\Temp\WebInstaller\Setup\backAtoB.exe.XXX c:\documents and settings\trader\Local Settings\Temp\WebInstaller\Setup\cleanup.exe c:\documents and settings\trader\Local Settings\Temp\WebInstaller\Setup\cmuninst.exe c:\documents and settings\trader\Local Settings\Temp\WebInstaller\Setup\cpicon.exe c:\documents and settings\trader\Local Settings\Temp\WebInstaller\Setup\delsbc.exe c:\documents and settings\trader\Local Settings\Temp\WebInstaller\Setup\DLLs\BJAXSecurityManager.dll c:\documents and settings\trader\Local Settings\Temp\WebInstaller\Setup\DLLs\BJInstaller.dll c:\documents and settings\trader\Local Settings\Temp\WebInstaller\Setup\DLLs\RGWInterfaces_DSR.dll c:\documents and settings\trader\Local Settings\Temp\WebInstaller\Setup\DLLs\RGWLib_2-0-0_DSR.dll c:\documents and settings\trader\Local Settings\Temp\WebInstaller\Setup\DLLs\TrustInhouse.dll c:\documents and settings\trader\Local Settings\Temp\WebInstaller\Setup\Efficient\EnetChk.exe c:\documents and settings\trader\Local Settings\Temp\WebInstaller\Setup\Efficient\NTSRD.exe c:\documents and settings\trader\Local Settings\Temp\WebInstaller\Setup\Efficient\NTSRR.exe c:\documents and settings\trader\Local Settings\Temp\WebInstaller\Setup\Efficient\NTSRR2.exe c:\documents and settings\trader\Local Settings\Temp\WebInstaller\Setup\icons.exe c:\documents and settings\trader\Local Settings\Temp\WebInstaller\Setup\InitSST.exe c:\documents and settings\trader\Local Settings\Temp\WebInstaller\Setup\LnchSST.exe c:\documents and settings\trader\Local Settings\Temp\WebInstaller\Setup\removeicons.exe c:\documents and settings\trader\Local Settings\Temp\WebInstaller\Setup\SST\Data\Chorus\ActiveUtils.dll c:\documents and settings\trader\Local Settings\Temp\WebInstaller\Setup\SST\Data\Chorus\BJAXSecurityManager.dll c:\documents and settings\trader\Local Settings\Temp\WebInstaller\Setup\SST\Data\Chorus\BJInstaller.dll c:\documents and 
settings\trader\Local Settings\Temp\WebInstaller\Setup\SST\Data\Chorus\chorus.exe c:\documents and settings\trader\Local Settings\Temp\WebInstaller\Setup\SST\Data\Chorus\csshim.dll c:\documents and settings\trader\Local Settings\Temp\WebInstaller\Setup\SST\Data\Chorus\EnCmnSvr.exe c:\documents and settings\trader\Local Settings\Temp\WebInstaller\Setup\SST\Data\Chorus\EniCommon.dll c:\documents and settings\trader\Local Settings\Temp\WebInstaller\Setup\SST\Data\Chorus\enisnmp.dll c:\documents and settings\trader\Local Settings\Temp\WebInstaller\Setup\SST\Data\Chorus\InstallHelper.exe c:\documents and settings\trader\Local Settings\Temp\WebInstaller\Setup\SST\Data\Chorus\McciCPEX.dll c:\documents and settings\trader\Local Settings\Temp\WebInstaller\Setup\SST\Data\Chorus\mccupdate.exe c:\documents and settings\trader\Local Settings\Temp\WebInstaller\Setup\SST\Data\Chorus\MCCWrapper_DSR.dll c:\documents and settings\trader\Local Settings\Temp\WebInstaller\Setup\SST\Data\Chorus\Pcandis4.sys c:\documents and settings\trader\Local Settings\Temp\WebInstaller\Setup\SST\Data\Chorus\Pcandis5.sys c:\documents and settings\trader\Local Settings\Temp\WebInstaller\Setup\SST\Data\Chorus\Prox.dll c:\documents and settings\trader\Local Settings\Temp\WebInstaller\Setup\SST\Data\Chorus\RGWInterfaces_DSR.dll c:\documents and settings\trader\Local Settings\Temp\WebInstaller\Setup\SST\Data\Chorus\RGWLib_2-0-0_DSR.dll c:\documents and settings\trader\Local Settings\Temp\WebInstaller\Setup\SST\Data\Chorus\W32n50.dll c:\documents and settings\trader\Local Settings\Temp\WebInstaller\Setup\SST\Data\closeAll.exe.XXX c:\documents and settings\trader\Local Settings\Temp\WebInstaller\Setup\SST\Data\CustomUninstall.exe c:\documents and settings\trader\Local Settings\Temp\WebInstaller\Setup\SST\Data\EndProcess.exe c:\documents and settings\trader\Local Settings\Temp\WebInstaller\Setup\SST\Data\KillWindow2.exe c:\documents and settings\trader\Local Settings\Temp\WebInstaller\Setup\SST\Data\mad.exe 
c:\documents and settings\trader\Local Settings\Temp\WebInstaller\Setup\SST\Data\MCCCleanup.exe c:\documents and settings\trader\Local Settings\Temp\WebInstaller\Setup\SST\Data\MCCDevice.dll c:\documents and settings\trader\Local Settings\Temp\WebInstaller\Setup\SST\Data\MCCDNSHLP_1-0-0_DSR.dll c:\documents and settings\trader\Local Settings\Temp\WebInstaller\Setup\SST\Data\MCCEmbInstall.exe c:\documents and settings\trader\Local Settings\Temp\WebInstaller\Setup\SST\Data\McciCPEX_2_DSR.exe c:\documents and settings\trader\Local Settings\Temp\WebInstaller\Setup\SST\Data\MCCSilent.exe c:\documents and settings\trader\Local Settings\Temp\WebInstaller\Setup\SST\Data\MCCUninst.exe c:\documents and settings\trader\Local Settings\Temp\WebInstaller\Setup\SST\Data\MotiveBrowser.exe c:\documents and settings\trader\Local Settings\Temp\WebInstaller\Setup\SST\Data\Package\McciControlInstaller_DSR.exe c:\documents and settings\trader\Local Settings\Temp\WebInstaller\Setup\SST\Data\Package\McciCoreInstaller_DSR.exe c:\documents and settings\trader\Local Settings\Temp\WebInstaller\Setup\SST\Data\Package\NoRun.exe c:\documents and settings\trader\Local Settings\Temp\WebInstaller\Setup\SST\Data\psapi.dll c:\documents and settings\trader\Local Settings\Temp\WebInstaller\Setup\SST\Data\resource.dll c:\documents and settings\trader\Local Settings\Temp\WebInstaller\Setup\SST\Data\StartAsync.exe c:\documents and settings\trader\Local Settings\Temp\WebInstaller\Setup\SST\Data\Uninstall.exe c:\documents and settings\trader\Local Settings\Temp\WebInstaller\Setup\SST\Data\UpdateSC.EXE c:\documents and settings\trader\Local Settings\Temp\WebInstaller\Setup\SST\Data\util.exe c:\documents and settings\trader\Local Settings\Temp\WebInstaller\Setup\SST\Data\vdmdbg.dll c:\documents and settings\trader\Local Settings\Temp\WebInstaller\Setup\SST\Data\VNC\MotVNC.exe c:\documents and settings\trader\Local Settings\Temp\WebInstaller\ssleay32_1-1-0_DDR.dll c:\documents and settings\trader\Local 
Settings\Temp\WebInstaller\stlport_4_0_0_DDR.dll c:\documents and settings\trader\Local Settings\Temp\WebInstaller\wffDDR.dll c:\documents and settings\trader\Local Settings\Temp\WebInstaller\WinUtils3_DDR.dll c:\documents and settings\trader\Local Settings\Temp\WebInstaller\WorkFlow.exe c:\documents and settings\trader\Local Settings\Temp\WebInstaller\WorkFlow\Bin\AddDictionaryInt.DDR.dll c:\documents and settings\trader\Local Settings\Temp\WebInstaller\WorkFlow\Bin\CompareGlobalDicInt.DDR.dll c:\documents and settings\trader\Local Settings\Temp\WebInstaller\WorkFlow\Bin\CompareGlobalDicStr.DDR.dll c:\documents and settings\trader\Local Settings\Temp\WebInstaller\WorkFlow\Bin\CopyFiles.DDR.dll c:\documents and settings\trader\Local Settings\Temp\WebInstaller\WorkFlow\Bin\CoreObjects.DDR.dll c:\documents and settings\trader\Local Settings\Temp\WebInstaller\WorkFlow\Bin\CPUSpeed.DDR.dll c:\documents and settings\trader\Local Settings\Temp\WebInstaller\WorkFlow\Bin\DictionaryWindow.DDR.dll c:\documents and settings\trader\Local Settings\Temp\WebInstaller\WorkFlow\Bin\DirAndFilePaths.DDR.dll c:\documents and settings\trader\Local Settings\Temp\WebInstaller\WorkFlow\Bin\ExitHostApp.DDR.dll c:\documents and settings\trader\Local Settings\Temp\WebInstaller\WorkFlow\Bin\ExtEvntMngr.DDR.dll c:\documents and settings\trader\Local Settings\Temp\WebInstaller\WorkFlow\Bin\ExtractListEntry.DDR.dll c:\documents and settings\trader\Local Settings\Temp\WebInstaller\WorkFlow\Bin\ExtractZipFile.DDR.dll c:\documents and settings\trader\Local Settings\Temp\WebInstaller\WorkFlow\Bin\ExtrnlEvntLstnr.DDR.dll c:\documents and settings\trader\Local Settings\Temp\WebInstaller\WorkFlow\Bin\FileReadWrite.DDR.dll c:\documents and settings\trader\Local Settings\Temp\WebInstaller\WorkFlow\Bin\GetPhoneBookEntries.DDR.dll c:\documents and settings\trader\Local Settings\Temp\WebInstaller\WorkFlow\Bin\GlobalDicAndRepEnt.DDR.dll c:\documents and settings\trader\Local 
Settings\Temp\WebInstaller\WorkFlow\Bin\GlobalDicCompare.DDR.dll c:\documents and settings\trader\Local Settings\Temp\WebInstaller\WorkFlow\Bin\HTMLDisplayProps.DDR.dll c:\documents and settings\trader\Local Settings\Temp\WebInstaller\WorkFlow\Bin\HtmlFormInput.DDR.dll c:\documents and settings\trader\Local Settings\Temp\WebInstaller\WorkFlow\Bin\HttpPost.DDR.dll c:\documents and settings\trader\Local Settings\Temp\WebInstaller\WorkFlow\Bin\IniFileReaderWriter.DDR.dll c:\documents and settings\trader\Local Settings\Temp\WebInstaller\WorkFlow\Bin\IsAdministrator.DDR.dll c:\documents and settings\trader\Local Settings\Temp\WebInstaller\WorkFlow\Bin\IsIEInstalled.DDR.dll c:\documents and settings\trader\Local Settings\Temp\WebInstaller\WorkFlow\Bin\IsNetscapeInstalled.DDR.dll c:\documents and settings\trader\Local Settings\Temp\WebInstaller\WorkFlow\Bin\LaunchProgram.DDR.dll c:\documents and settings\trader\Local Settings\Temp\WebInstaller\WorkFlow\Bin\Logger.DDR.dll c:\documents and settings\trader\Local Settings\Temp\WebInstaller\WorkFlow\Bin\OsDetect.DDR.dll c:\documents and settings\trader\Local Settings\Temp\WebInstaller\WorkFlow\Bin\PrintAscii.DDR.dll c:\documents and settings\trader\Local Settings\Temp\WebInstaller\WorkFlow\Bin\Profile.DDR.dll c:\documents and settings\trader\Local Settings\Temp\WebInstaller\WorkFlow\Bin\RamSize.DDR.dll c:\documents and settings\trader\Local Settings\Temp\WebInstaller\WorkFlow\Bin\RebootSystem.DDR.dll c:\documents and settings\trader\Local Settings\Temp\WebInstaller\WorkFlow\Bin\RegManipulation.DDR.dll c:\documents and settings\trader\Local Settings\Temp\WebInstaller\WorkFlow\Bin\Report.DDR.dll c:\documents and settings\trader\Local Settings\Temp\WebInstaller\WorkFlow\Bin\SaveReport.DDR.dll c:\documents and settings\trader\Local Settings\Temp\WebInstaller\WorkFlow\Bin\ScriptRunner.DDR.dll c:\documents and settings\trader\Local Settings\Temp\WebInstaller\WorkFlow\Bin\SglDisplay.DDR.dll c:\documents and settings\trader\Local 
Settings\Temp\WebInstaller\WorkFlow\Bin\SimpleHostApp.DDR.dll
c:\documents and settings\trader\Local Settings\Temp\WebInstaller\WorkFlow\Bin\SleepNode.DDR.dll
c:\documents and settings\trader\Local Settings\Temp\WebInstaller\WorkFlow\Bin\StringFormat.DDR.dll
c:\documents and settings\trader\Local Settings\Temp\WebInstaller\WorkFlow\Bin\StringListPatMatch.DDR.dll
c:\documents and settings\trader\Local Settings\Temp\WebInstaller\WorkFlow\Bin\StringReplace.DDR.dll
c:\documents and settings\trader\Local Settings\Temp\WebInstaller\WorkFlow\Bin\SubstringExtraction.DDR.dll
c:\documents and settings\trader\Local Settings\Temp\WebInstaller\WorkFlow\Bin\SysDriveSpace.DDR.dll
c:\documents and settings\trader\Local Settings\Temp\WebInstaller\WorkFlow\Bin\TcpIpConnectionTest.DDR.dll
c:\documents and settings\trader\Local Settings\Temp\WebInstaller\WorkFlow\Bin\WaitOnWindow.DDR.dll
c:\documents and settings\trader\Local Settings\Temp\WebInstaller\WorkFlow\Bin\WindowClicker.DDR.dll
c:\documents and settings\trader\Local Settings\Temp\WebInstaller\WorkFlow\Bin\XmlParserNode.DDR.dll
c:\documents and settings\trader\Local Settings\Temp\WebInstaller\WorkFlow\Bin\XmlToString.DDR.dll
c:\documents and settings\trader\Local Settings\Temp\WebInstaller\WorkFlow\Bin\Zipit.DDR.dll
c:\documents and settings\trader\Local Settings\Temp\WebInstaller\WorkFlow\Extra\AgentKiller.exe
c:\documents and settings\trader\Local Settings\Temp\WebInstaller\WorkFlow\Extra\curl.exe
c:\documents and settings\trader\Local Settings\Temp\WebInstaller\WorkFlow\Extra\DeleteAll.EXE
c:\documents and settings\trader\Local Settings\Temp\WebInstaller\WorkFlow\Extra\DeleteLegacyFolders.EXE
c:\documents and settings\trader\Local Settings\Temp\WebInstaller\WorkFlow\Extra\DLFile.exe
c:\documents and settings\trader\Local Settings\Temp\WebInstaller\WorkFlow\Extra\FixXPDun.exe
c:\documents and settings\trader\Local Settings\Temp\WebInstaller\WorkFlow\Extra\GetVersion.exe
c:\documents and settings\trader\Local Settings\Temp\WebInstaller\WorkFlow\Extra\LaunchDSLIcon.exe
c:\documents and settings\trader\Local Settings\Temp\WebInstaller\WorkFlow\Extra\MotGuidGen.exe
c:\documents and settings\trader\Local Settings\Temp\WebInstaller\WorkFlow\Extra\RecoverFromReboot.exe
c:\documents and settings\trader\Local Settings\Temp\WebInstaller\WorkFlow\Extra\RemoveMe.exe
c:\documents and settings\trader\Local Settings\Temp\WebInstaller\xerces-c_1_40_0_DDR.dll
c:\documents and settings\trader\Local Settings\Temporary Internet Files\acokoni.reg
c:\documents and settings\trader\Local Settings\Temporary Internet Files\fypijala.lib
c:\documents and settings\trader\Local Settings\Temporary Internet Files\gugy.exe
c:\documents and settings\trader\Local Settings\Temporary Internet Files\ifuzad.dat
c:\documents and settings\trader\Local Settings\Temporary Internet Files\ipuzucada.dat
c:\documents and settings\trader\Local Settings\Temporary Internet Files\izybijeku.pif
c:\documents and settings\trader\Local Settings\Temporary Internet Files\mavez.dat
c:\documents and settings\trader\Local Settings\Temporary Internet Files\ozemodenuf.ban
c:\documents and settings\trader\Local Settings\Temporary Internet Files\qysilymyk.dll
c:\documents and settings\trader\Local Settings\Temporary Internet Files\syqoryl.db
c:\documents and settings\trader\Local Settings\Temporary Internet Files\uqigasag.db
c:\documents and settings\trader\Local Settings\Temporary Internet Files\zykyzolif.scr
c:\documents and settings\trader\Local Settings\Temporary Internet Files\zypedav.inf
c:\documents and settings\trader\Start Menu\Programs\PC_Antispyware2010\PC_Antispyware2010.lnk
c:\documents and settings\trader\Start Menu\Programs\PC_Antispyware2010\Uninstall.lnk
C:\HijackThis.exe
c:\program files\PC_Antispyware2010\AVEngn.dll
c:\program files\PC_Antispyware2010\data\daily.cvd
c:\program files\PC_Antispyware2010\htmlayout.dll
c:\program files\PC_Antispyware2010\Microsoft.VC80.CRT\Microsoft.VC80.CRT.manifest
c:\program files\PC_Antispyware2010\Microsoft.VC80.CRT\msvcm80.dll
c:\program files\PC_Antispyware2010\Microsoft.VC80.CRT\msvcp80.dll
c:\program files\PC_Antispyware2010\Microsoft.VC80.CRT\msvcr80.dll
c:\program files\PC_Antispyware2010\PC_Antispyware2010.cfg
c:\program files\PC_Antispyware2010\pthreadVC2.dll
c:\program files\PC_Antispyware2010\wscui.cpl
c:\windows\run.log
c:\windows\system32\ditehahe.dll
c:\windows\system32\drivers\vsfoceiofmlwbi.sys.XXX
c:\windows\system32\dudeheru.dll
c:\windows\system32\fogebota.dll
c:\windows\system32\fopijunu.dll
c:\windows\system32\fovakike.dll
c:\windows\system32\gayuzime.dll
c:\windows\system32\gifitafa.dll
c:\windows\system32\havehawi.dll
c:\windows\system32\hebotezi.dll
c:\windows\system32\jabetuze.dll
c:\windows\system32\jayamuja.dll
c:\windows\system32\jinuriwa.dll
c:\windows\system32\jiwirido.dll
c:\windows\system32\jonefede.dll
c:\windows\system32\kemomupi.dll
c:\windows\system32\kimuremo.dll
c:\windows\system32\kiramega.dll
c:\windows\system32\kudinuho.dll
c:\windows\system32\malopebi.dll
c:\windows\system32\migukaho.dll
c:\windows\system32\mudagisi.dll
c:\windows\system32\najibite.dll
c:\windows\system32\peroruvo.dll
c:\windows\system32\rayefeku.dll
c:\windows\system32\razifazi.dll
c:\windows\system32\ripetate.dll
c:\windows\system32\rogavove.dll
c:\windows\system32\ruzomivu.dll
c:\windows\system32\tinonere.dll
c:\windows\system32\tizitiya.dll
c:\windows\system32\tolataga.dll
c:\windows\system32\vikewami.dll
c:\windows\system32\vuzibare.dll
c:\windows\system32\wujeluhe.dll
c:\windows\system32\yajosofo.dll
c:\windows\system32\yawususi.dll
c:\windows\system32\yejedufi.dll
c:\windows\system32\yeruduki.dll
c:\windows\system32\yokamuye.dll
c:\windows\system32\zabunego.dll
c:\windows\system32\zofegadi.dll

Infected copy of c:\windows\system32\mspmsnsv.dll was found and disinfected
Restored copy from - c:\windows\system32\dllcache\MsPMSNSv.dll

c:\windows\system32\proquota.exe was missing
Restored copy from - c:\windows\ServicePackFiles\i386\proquota.exe

Infected copy of c:\windows\system32\mspmsnsv.dll was found and disinfected
Restored copy from - c:\windows\system32\dllcache\mspmsnsv.dll
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_UACd.sys
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226EE}
-------\Service_UACd.sys

((((((((((((((((((((((((( Files Created from 2009-07-19 to 2009-08-19 )))))))))))))))))))))))))))))))
.
2009-08-19 21:41 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\proquota.exe
2009-08-17 20:45 . 2009-08-17 20:45 -------- d-----w- c:\windows\system32\wbem\Repository
2009-08-17 20:45 . 2009-08-17 20:46 -------- d-----w- c:\windows\system32\wbem\autorecover
2009-08-17 20:34 . 2009-08-17 20:34 -------- d-----w- c:\windows\system32\wbem\repository.old
2009-08-17 20:34 . 2009-08-17 20:34 -------- d-----w- c:\windows\system32\wbem\autorecover.old
2009-08-08 19:27 . 2009-08-08 21:37 -------- d-----w- c:\program files\Carbonite
2009-08-08 19:26 . 2009-08-08 19:26 152576 ----a-w- c:\documents and settings\trader\Application Data\Sun\Java\jre1.6.0_15\lzma.dll
2009-08-08 18:37 . 2009-07-28 20:33 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-08-08 18:37 . 2009-03-30 14:33 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys
2009-08-08 18:37 . 2009-02-13 16:29 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2009-08-08 18:37 . 2009-02-13 16:17 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2009-08-08 18:37 . 2009-08-08 18:37 -------- d-----w- c:\program files\Avira
2009-08-08 18:37 . 2009-08-08 18:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2009-08-08 18:24 . 2009-08-08 18:24 19748 ----a-w- c:\documents and settings\trader\Application Data\vimobak.com
2009-08-08 18:24 . 2009-08-08 18:24 18816 ----a-w- c:\windows\xonarif.bat
2009-08-08 18:24 . 2009-08-08 18:24 18762 ----a-w- c:\windows\system32\sulefevo.dll
2009-08-08 18:24 . 2009-08-08 18:24 18012 ----a-w- c:\windows\ukefyruma.bin
2009-08-08 18:24 . 2009-08-08 18:24 17708 ----a-w- c:\windows\yrepa.scr
2009-08-08 18:24 . 2009-08-08 18:24 15560 ----a-w- c:\documents and settings\trader\Application Data\mygurecan.exe
2009-08-08 18:24 . 2009-08-08 18:24 13993 ----a-w- c:\documents and settings\trader\Local Settings\Application Data\gyky.bin
2009-08-08 18:24 . 2009-08-08 18:24 13046 ----a-w- c:\windows\system32\anuna.com
2009-08-08 18:24 . 2009-08-08 18:24 12129 ----a-w- c:\windows\muhyxoxujy.dll
2009-08-08 18:24 . 2009-08-08 18:24 11295 ----a-w- c:\documents and settings\trader\Application Data\nubike.sys
2009-08-08 18:24 . 2009-08-08 18:24 11063 ----a-w- c:\windows\uryq.scr
2009-08-08 18:16 . 2009-08-08 18:16 -------- d-----w- c:\program files\Trend Micro
2009-08-08 16:17 . 2009-08-08 16:19 -------- d-----w- c:\program files\Windows Live Safety Center
2009-08-08 15:43 . 2009-08-08 16:48 15 ----a-w- c:\documents and settings\trader\settings.dat
2009-08-08 15:39 . 2009-08-08 15:39 -------- d--h--w- c:\windows\PIF
2009-08-08 15:23 . 2009-08-03 17:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-08 15:23 . 2009-08-03 17:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-08 14:45 . 2009-08-08 14:45 -------- d-----w- c:\documents and settings\trader\Application Data\Malwarebytes
2009-08-08 11:08 . 2009-08-08 11:08 19329 ----a-w- c:\documents and settings\trader\Application Data\sepaqe.scr
2009-08-08 11:08 . 2009-08-08 11:08 17835 ----a-w- c:\program files\Common Files\cywumokofi.com
2009-08-08 11:08 . 2009-08-08 11:08 16109 ----a-w- c:\program files\Common Files\ixyqywiju.pif
2009-08-08 11:08 . 2009-08-08 11:08 15802 ----a-w- c:\program files\Common Files\rabeq.dat
2009-08-08 11:08 . 2009-08-08 11:08 11504 ----a-w- c:\windows\system32\buxy.com
2009-08-08 11:08 . 2009-08-08 11:08 11017 ----a-w- c:\documents and settings\trader\Local Settings\Application Data\adec.pif
2009-08-08 11:08 . 2009-08-08 11:08 18402 ----a-w- c:\windows\kuhe.pif
2009-08-08 11:08 . 2009-08-08 11:08 18655 ----a-w- c:\windows\system32\himajil.reg
2009-08-08 02:03 . 2009-08-08 02:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-08-08 02:03 . 2009-08-18 11:46 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-08 01:46 . 2009-08-08 01:46 19761 ----a-w- c:\windows\system32\gibake.com
2009-08-08 01:46 . 2009-08-08 01:46 19260 ----a-w- c:\documents and settings\All Users\Application Data\jatyd.dll
2009-08-08 01:46 . 2009-08-08 01:46 18328 ----a-w- c:\windows\nyrowil.scr
2009-08-08 01:46 . 2009-08-08 01:46 17775 ----a-w- c:\windows\esamebus.pif
2009-08-08 01:46 . 2009-08-08 01:46 17481 ----a-w- c:\windows\otiwa.exe
2009-08-08 01:46 . 2009-08-08 01:46 15762 ----a-w- c:\documents and settings\trader\Local Settings\Application Data\uwoqaw.scr
2009-08-08 01:46 . 2009-08-08 01:46 15135 ----a-w- c:\windows\ebac.sys
2009-08-08 01:46 . 2009-08-08 01:46 13369 ----a-w- c:\windows\urexe.pif
2009-08-08 01:46 . 2009-08-08 01:46 12781 ----a-w- c:\windows\depih.bin
2009-08-08 01:46 . 2009-08-08 01:46 11231 ----a-w- c:\documents and settings\trader\Application Data\ynyl.sys
2009-08-08 01:42 . 2009-08-08 01:43 -------- d-----w- c:\documents and settings\trader\Application Data\MalwareRemovalBot
2009-08-08 00:05 . 2009-08-08 00:05 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-08-07 21:59 . 2009-08-07 21:59 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Mozilla
2009-08-07 20:19 . 2008-12-11 12:38 159600 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2009-08-07 20:19 . 2009-04-03 14:18 130936 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2009-08-07 20:19 . 2008-12-18 15:16 73840 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2009-08-07 20:18 . 2009-08-11 12:39 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-08-07 20:18 . 2009-08-07 20:18 -------- d-----w- c:\program files\Common Files\PC Tools
2009-08-07 20:18 . 2008-12-10 15:36 64392 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2009-08-07 20:18 . 2009-08-12 11:33 -------- d-----w- c:\program files\Spyware Doctor
2009-08-07 20:18 . 2009-08-07 20:18 -------- d-----w- c:\documents and settings\trader\Application Data\PC Tools
2009-08-07 20:18 . 2009-08-07 20:18 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2009-08-05 11:57 . 2009-08-05 11:57 38208 ----a-w- c:\documents and settings\Default User\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-19 21:57 . 2009-04-21 12:53 -------- d-----w- c:\program files\KaVoom! KM
2009-08-19 21:28 . 2009-05-05 22:30 2836 ----a-w- c:\windows\system32\d3d9caps.dat
2009-08-19 20:05 . 2007-07-16 14:26 -------- d-----w- c:\program files\mIRC
2009-08-19 11:39 . 2009-05-19 11:39 84992 --sha-w- c:\windows\system32\megumipa.dll
2009-08-18 23:39 . 2009-05-18 23:39 49664 --sha-w- c:\windows\system32\guhegeni.dll
2009-08-14 01:30 . 2006-06-14 17:31 13104 ----a-w- c:\documents and settings\trader\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-08 19:26 . 2007-07-18 14:00 -------- d-----w- c:\program files\Java
2009-08-08 18:24 . 2009-08-08 18:24 14108 ----a-w- c:\program files\Common Files\gyjy.dl
2009-08-08 14:45 . 2009-05-08 14:45 85504 --sha-w- c:\windows\system32\kelewaba.dll
2009-08-08 11:08 . 2009-08-08 11:08 15364 ----a-w- c:\documents and settings\trader\Application Data\uhevin.vbs
2009-08-08 11:08 . 2009-08-08 11:08 10704 ----a-w- c:\program files\Common Files\baxos._sy
2009-08-08 10:18 . 2009-08-08 10:18 10479 ----a-w- c:\documents and settings\All Users\Application Data\ronamon.vbs
2009-08-08 01:57 . 2006-05-15 15:25 -------- d-----w- c:\program files\Blackwood
2009-08-08 01:56 . 2006-06-12 14:49 -------- d-----w- c:\program files\PokerStars
2009-08-08 01:46 . 2009-08-08 01:46 17723 ----a-w- c:\program files\Common Files\ubipos._sy
2009-08-07 22:15 . 2009-05-07 22:15 84480 --sha-w- c:\windows\system32\zupejaku.dll
2009-08-07 20:19 . 2004-08-12 13:17 30208 ----a-w- c:\windows\system32\drivers\beep.sys.XXX
2009-08-07 13:22 . 2009-08-07 13:22 54784 ----a-w- c:\windows\system32\drivers\UACirqpbpxdlt.sys.XXX
2009-08-07 13:11 . 2009-08-07 13:11 1215624 ----a-w- c:\windows\system32\xa.tmp
2009-08-05 11:57 . 2009-06-19 12:39 -------- d-----w- c:\program files\Common Files\Adobe AIR
2009-08-05 11:57 . 2009-06-19 12:39 38208 ----a-w- c:\documents and settings\trader\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2009-07-25 09:23 . 2009-05-27 20:28 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-07-08 23:19 . 2009-07-08 23:19 -------- d-----w- c:\program files\TweetDeck
2009-07-03 17:09 . 2004-08-12 13:33 915456 ----a-w- c:\windows\system32\wininet.dll
2009-06-16 14:36 . 2004-08-12 13:30 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-16 14:36 . 2004-08-12 13:19 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-03 19:09 . 2004-08-12 13:26 1291264 ----a-w- c:\windows\system32\quartz.dll
2009-05-27 20:23 . 2009-05-27 20:23 152576 ----a-w- c:\documents and settings\trader\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
2009-05-18 23:39 . 2009-05-18 23:39 49664 --sha-w- c:\windows\system32\lepopoka.dll
2009-05-07 21:07 . 2009-05-07 21:07 49664 --sha-w- c:\windows\system32\ravufuge.dll.tmp
2009-05-18 23:39 . 2009-05-18 23:39 49664 --sha-w- c:\windows\system32\sodofewa.dll
2009-05-07 21:07 . 2009-05-07 21:07 49664 --sha-w- c:\windows\system32\yiwuyipa.dll.tmp
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{c59d7222-e38b-4403-bc69-6e5ac7767927}]
2009-05-18 23:39 49664 --sha-w- c:\windows\system32\sodofewa.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]
"lezuhorose"="c:\windows\system32\lepopoka.dll" [2009-05-18 49664]
"CPM87219719"="c:\windows\system32\megumipa.dll" [2009-08-19 84992]

c:\documents and settings\trader\Start Menu\Programs\Startup\
dmaupd32.exe.XXX [2008-4-13 28160]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
Cisco Systems VPN Client.lnk - c:\program files\Cisco Systems\VPN Client\vpngui.exe [2006-5-25 1524776]
KaVoom! KM.lnk - c:\program files\KaVoom! KM\KaVoomKM.exe [2007-1-31 1679360]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\SharedTaskScheduler]
"{EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4}"= "c:\windows\system32\megumipa.dll" [2009-08-19 84992]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"SSODL"= {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\megumipa.dll [2009-08-19 84992]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\eSignal\\winros.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\jusched.exe"=
"c:\\Program Files\\Avira\\AntiVir Desktop\\avgnt.exe"=
"c:\\WINDOWS\\explorer.exe"=

R3 f5ipfw;F5 Networks StoneWall Filter;c:\windows\system32\drivers\urfltw2k.sys [2007-12-13 10752]
R3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [2009-01-07 348752]
S0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2009-04-03 130936]
S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2009-05-13 108289]
S2 KaVoom! KM;KaVoom! KM;c:\program files\KaVoom! KM\kavoomkm.exe [2007-01-31 1679360]
S2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652]
S3 S3SAVAGE4M;S3SAVAGE4M;c:\windows\system32\DRIVERS\s3sav4m.sys [2001-08-17 77824]
S3 urvpndrv;F5 Networks VPN Adapter;c:\windows\system32\DRIVERS\urvpndrv.sys [2007-12-13 27008]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-MalwareRemovalBot - c:\program files\MalwareRemovalBot\MalwareRemovalBot.exe
HKLM-Run-PC Antispyware 2010 - c:\program files\PC_Antispyware2010\PC_Antispyware2010.exe

.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mStart Page = hxxp://www.google.com
IE: &Winamp Search - c:\documents and settings\All Users\Application Data\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
FF - ProfilePath - c:\documents and settings\trader\Application Data\Mozilla\Firefox\Profiles\xm8ek33n.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.excite.com/
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-19 17:57
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
 00,5c,00,4d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,79,00,73,00,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3680)
c:\windows\system32\WININET.dll
c:\windows\system32\lepopoka.dll
c:\windows\system32\megumipa.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Cisco Systems\VPN Client\cvpnd.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\wdfmgr.exe
c:\program files\RealVNC\VNC4\winvnc4.exe
c:\program files\Viewpoint\Viewpoint Manager\ViewMgr.exe
.
**************************************************************************
.
Completion time: 2009-08-19 18:01 - machine was rebooted
ComboFix-quarantined-files.txt 2009-08-19 22:00

Pre-Run: 30,828,244,992 bytes free
Post-Run: 30,780,985,344 bytes free

576 --- E O F --- 2009-07-30 07:01