
Need help with rootkit and others!



Hey, new to the forum, but I have been trying and searching for a long time to get rid of these damn things! Anyway, here's my HJT log:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 10:59:26 PM, on 9/26/2009

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Safe mode with network support

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Spyware Doctor\pctsAuxs.exe

C:\Program Files\Spyware Doctor\pctsSvc.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Spyware Doctor\pctsTray.exe

C:\Program Files\Spyware Doctor\pctsGui.exe

C:\WINDOWS\regedit.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

R3 - Default URLSearchHook is missing

O2 - BHO: 3536640 - {283be34b-cf25-4bc5-ae1e-8ec3668a515e} - C:\WINDOWS\system32\ljgghedbaw.dll (file missing)

O2 - BHO: (no name) - {BF56A325-23F2-42AD-F4E4-00AAC39CAA53} - (no file)

O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll

O3 - Toolbar: MSN Toolbar - {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - C:\Program Files\MSN\Toolbar\3.0.1308.0\msneshellx.dll

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup

O4 - HKLM\..\Run: [iSTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"

O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKLM\..\Run: [38d6cddd] rundll32.exe "C:\WINDOWS\system32\kheddabyxu.dll",u

O4 - HKLM\..\Run: [calc] rundll32.exe C:\WINDOWS\system32\calc.dll,_IWMPEvents@0

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

O4 - HKLM\..\Run: [userFaultCheck] %systemroot%\system32\dumprep 0 -u

O4 - HKLM\..\Run: [winupdate.exe] C:\WINDOWS\system32\winupdate.exe

O4 - HKLM\..\Run: [17096564] C:\Documents and Settings\All Users\Application Data\17096564\17096564.exe

O4 - HKLM\..\Run: [furopadod] Rundll32.exe "c:\windows\system32\sebowowa.dll",a

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [AdobeUpdater6] "C:\Program Files\Common Files\Adobe\Updater6\Adobe_Updater.exe"

O4 - HKCU\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\NPSWF32_FlashUtil.exe -p

O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe

O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE

O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200

O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file:///C:/Program%20Files/Monopoly%20Here%20and%20Now/Images/stg_drm.ocx

O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file:///C:/Program%20Files/Monopoly/Images/armhelper.ocx

O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll

O20 - AppInit_DLLs: C:\PROGRA~1\GOOGLE\GO333C~1\GOEC62~1.DLL jidapazu.dll c:\windows\system32\jawepuwa.dll c:\windows\system32\sebowowa.dll

O21 - SSODL: gojekakov - {a07a1c5a-493c-4f0b-a10b-21b09886d80b} - c:\windows\system32\jawepuwa.dll (file missing)

O21 - SSODL: jamijilab - {a5bf1657-ea7f-46ac-861a-c39f2d395b80} - c:\windows\system32\sebowowa.dll (file missing)

O22 - SharedTaskScheduler: jugezatag - {a07a1c5a-493c-4f0b-a10b-21b09886d80b} - c:\windows\system32\jawepuwa.dll (file missing)

O22 - SharedTaskScheduler: tokatiluy - {a5bf1657-ea7f-46ac-861a-c39f2d395b80} - c:\windows\system32\sebowowa.dll (file missing)

O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\

O23 - Service: Google Desktop Manager 5.8.811.4345 (GoogleDesktopManager-110408-113106) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

O23 - Service: Google Update Service (gupdate1ca07644223d8d0) (gupdate1ca07644223d8d0) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe

O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: iolo FileInfoList Service (ioloFileInfoList) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe

O23 - Service: iolo System Service (ioloSystemService) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe

O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe

--

End of file - 6650 bytes

Any help with this would be appreciated!

Thanks,

Tony


  • Staff

Hi and welcome to Malwarebytes.

Please visit this webpage for instructions for running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

  • When the tool is finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new HijackThis log so we may continue cleaning the system.

-screen317


Thanks, I ran them both and got these reports...

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 15:36:18, on 9/28/2009

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\WINDOWS\system32\rundll32.exe

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

C:\Program Files\WinZip\WZQKPICK.EXE

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe

C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe

C:\WINDOWS\explorer.exe

C:\WINDOWS\system32\rundll32.exe

C:\WINDOWS\system32\notepad.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.twinturbo.net/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

O2 - BHO: (no name) - {5df4e023-a41f-44b2-afbf-6066fc18315c} - pirovowi.dll (file missing)

O2 - BHO: 3530240 - {c4d57340-05f0-4916-bd66-b66fbbcba8ad} - C:\WINDOWS\system32\ddbxvwvtro.dll

O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll

O3 - Toolbar: MSN Toolbar - {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - C:\Program Files\MSN\Toolbar\3.0.1308.0\msneshellx.dll

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup

O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKLM\..\Run: [38d6cddd] rundll32.exe "C:\WINDOWS\system32\kheddabyxu.dll",u

O4 - HKLM\..\Run: [calc] rundll32.exe C:\WINDOWS\system32\calc.dll,_IWMPEvents@0

O4 - HKLM\..\Run: [userFaultCheck] %systemroot%\system32\dumprep 0 -u

O4 - HKLM\..\Run: [furopadod] Rundll32.exe "c:\windows\system32\wepakezu.dll",a

O4 - HKLM\..\Run: [98c58f99] rundll32.exe "C:\WINDOWS\system32\ddbxvwvtro.dll",b

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

O4 - HKCU\..\Run: [cdloader] "C:\Documents and Settings\anthony g\Application Data\mjusbsp\cdloader2.exe" MAGICJACK

O4 - HKCU\..\Run: [calc] rundll32.exe C:\DOCUME~1\ANTHON~1\protect.dll,_IWMPEvents@0

O4 - Startup: scandisk.dll

O4 - Startup: scandisk.lnk = ?

O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe

O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE

O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200

O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file:///C:/Program%20Files/Monopoly%20Here%20and%20Now/Images/stg_drm.ocx

O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file:///C:/Program%20Files/Monopoly/Images/armhelper.ocx

O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll

O20 - AppInit_DLLs: c:\windows\system32\wepakezu.dll

O21 - SSODL: turadumem - {5f4ff0b9-35b4-4878-b499-03920825fab7} - c:\windows\system32\wepakezu.dll

O22 - SharedTaskScheduler: kupuhivus - {5f4ff0b9-35b4-4878-b499-03920825fab7} - c:\windows\system32\wepakezu.dll

O23 - Service: Google Desktop Manager 5.8.811.4345 (GoogleDesktopManager-110408-113106) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

O23 - Service: Google Update Service (gupdate1ca07644223d8d0) (gupdate1ca07644223d8d0) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe

O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: iolo FileInfoList Service (ioloFileInfoList) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe

O23 - Service: iolo System Service (ioloSystemService) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe

O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe

--

End of file - 6385 bytes

And this is from ComboFix...

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

C:\9960901.exe

c:\documents and settings\All Users\Application Data\17096564

c:\documents and settings\All Users\Application Data\17096564\17096564

c:\documents and settings\All Users\Application Data\17096564\17096564.exe

c:\documents and settings\All Users\Application Data\17096564\pc17096564ins

c:\documents and settings\All Users\Start Menu\HP Image Zone .lnk

c:\documents and settings\anthony g\protect.dll

c:\program files\IEToolbar

c:\program files\Windows Police Pro

c:\program files\Windows Police Pro\msvcm80.dll

c:\program files\Windows Police Pro\msvcp80.dll

c:\program files\Windows Police Pro\msvcr80.dll

c:\program files\Windows Police Pro\tmp\dbsinit.exe

c:\program files\Windows Police Pro\tmp\images\i1.gif

c:\program files\Windows Police Pro\tmp\images\i2.gif

c:\program files\Windows Police Pro\tmp\images\i3.gif

c:\program files\Windows Police Pro\tmp\images\j1.gif

c:\program files\Windows Police Pro\tmp\images\j2.gif

c:\program files\Windows Police Pro\tmp\images\j3.gif

c:\program files\Windows Police Pro\tmp\images\jj1.gif

c:\program files\Windows Police Pro\tmp\images\jj2.gif

c:\program files\Windows Police Pro\tmp\images\jj3.gif

c:\program files\Windows Police Pro\tmp\images\l1.gif

c:\program files\Windows Police Pro\tmp\images\l2.gif

c:\program files\Windows Police Pro\tmp\images\l3.gif

c:\program files\Windows Police Pro\tmp\images\pix.gif

c:\program files\Windows Police Pro\tmp\images\t1.gif

c:\program files\Windows Police Pro\tmp\images\t2.gif

c:\program files\Windows Police Pro\tmp\images\up1.gif

c:\program files\Windows Police Pro\tmp\images\up2.gif

c:\program files\Windows Police Pro\tmp\images\w1.gif

c:\program files\Windows Police Pro\tmp\images\w11.gif

c:\program files\Windows Police Pro\tmp\images\w2.gif

c:\program files\Windows Police Pro\tmp\images\w3.gif

c:\program files\Windows Police Pro\tmp\images\w3.jpg

c:\program files\Windows Police Pro\tmp\images\wt1.gif

c:\program files\Windows Police Pro\tmp\images\wt2.gif

c:\program files\Windows Police Pro\tmp\images\wt3.gif

c:\program files\Windows Police Pro\tmp\wispex.html

c:\program files\Windows Police Pro\windows Police Pro.exe

c:\windows\Install.txt

c:\windows\otdkn72166.exe

c:\windows\system32\18467.exe

c:\windows\system32\19169.exe

c:\windows\system32\26500.exe

c:\windows\system32\3cc0810b-d693-925d-be98-a3172dc394fd.exe

c:\windows\system32\3CCFE751B7.dll

c:\windows\system32\404Fix.exe

c:\windows\system32\41.exe

c:\windows\system32\6334.exe

c:\windows\system32\Agent.OMZ.Fix.exe

c:\windows\system32\api.dat

c:\windows\system32\busogeto.exe

c:\windows\system32\buwudemo.dll

c:\windows\system32\dibafeya.exe

c:\windows\system32\drivers\kbiwkmdodvpxyl.sys

c:\windows\system32\drivers\str.sys

c:\windows\system32\drivers\winyd.sys

c:\windows\system32\dumphive.exe

c:\windows\system32\duyesedi.dll

c:\windows\system32\faloyita.exe

c:\windows\system32\fetutupi.exe

c:\windows\system32\fihidivi.dll

c:\windows\system32\filawuzo.exe

c:\windows\system32\gedekuye.exe

c:\windows\system32\gerogije.exe

c:\windows\system32\gilavofi.exe

c:\windows\system32\hugimizu.dll

c:\windows\system32\IEDFix.C.exe

c:\windows\system32\IEDFix.exe

c:\windows\system32\Install.txt

c:\windows\system32\junefare.dll

c:\windows\system32\kbiwkmiddmlamt.dll

c:\windows\system32\kbiwkmkkolcnlj.dll

c:\windows\system32\kbiwkmlvvummrc.dat

c:\windows\system32\kbiwkmourvuobm.dll

c:\windows\system32\kbiwkmxjrnwyay.dat

c:\windows\system32\kozodobe.exe

c:\windows\system32\lijujuto.dll

c:\windows\system32\o4Patch.exe

c:\windows\system32\Process.exe

c:\windows\system32\raramuge.dll

c:\windows\system32\rotapote.dll

c:\windows\system32\sodiluha.exe

c:\windows\system32\SrchSTS.exe

c:\windows\system32\VACFix.exe

c:\windows\system32\VCCLSID.exe

c:\windows\system32\viriteda.dll

c:\windows\system32\vutzwbozyrmaaocu.exe

c:\windows\system32\vuvubuyo.exe

c:\windows\system32\wehokepu.dll

c:\windows\system32\winhelper.dll

c:\windows\system32\winupdate.exe

c:\windows\system32\WS2Fix.exe

c:\windows\system32\xyhfdorn.dll

c:\windows\system32\ygsuhdf83id.dll

c:\windows\system32\yxxxx.CLL

c:\windows\system32\zapohugu.dll

c:\windows\Temp\tmp3.tmp

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Service_kbiwkmqocniplo

-------\Legacy_kbiwkmqocniplo

-------\Legacy_6TO4

-------\Legacy_DRNCJIN

-------\Legacy_USBDRIVER

-------\Service_drncjin

-------\Service_USBDriver

((((((((((((((((((((((((( Files Created from 2009-08-28 to 2009-09-28 )))))))))))))))))))))))))))))))

.

2009-09-28 20:51 . 2009-09-28 20:51 122880 ----a-w- c:\windows\system32\jkkjkiheec.exe

2009-09-28 20:51 . 2009-09-28 20:51 44544 ----a-w- c:\windows\system32\ddbxvwvtro.dll

2009-09-28 20:50 . 2009-09-28 20:53 22528 --sha-w- c:\documents and settings\anthony g\protect.dll

2009-09-27 15:05 . 2009-09-27 15:05 122880 ----a-w- c:\windows\system32\ddabxyxywt.exe

2009-09-27 15:05 . 2009-09-27 15:05 44544 ----a-w- c:\windows\system32\fccccbawtr.dll

2009-09-26 15:23 . 2009-09-26 15:23 -------- d--h--w- c:\windows\system32\GroupPolicy

2009-09-25 05:52 . 2009-09-26 01:29 -------- d-----w- c:\documents and settings\LocalService\Application Data\iolo

2009-09-25 05:39 . 2007-07-25 15:42 126976 ----a-w- c:\windows\system32\iavlsp.dll

2009-09-25 05:19 . 2009-08-28 17:29 93096 ----a-w- c:\windows\system32\IncContxMenu.dll

2009-09-25 05:19 . 2009-08-28 17:29 2116008 ----a-w- c:\windows\system32\Incinerator.dll

2009-09-25 05:19 . 2009-08-26 22:42 30208 ----a-w- c:\windows\system32\iolobtdfg.exe

2009-09-25 05:19 . 2009-08-26 22:42 12288 ----a-w- c:\windows\system32\smrgdf.exe

2009-09-25 05:19 . 2009-09-26 17:27 -------- d-----w- c:\program files\iolo

2009-09-25 04:32 . 2004-08-04 07:56 9728 ------w- c:\windows\system32\rwnh.dll

2009-09-25 04:32 . 2004-08-04 07:56 10752 ------w- c:\windows\system32\smtpapi.dll

2009-09-25 04:32 . 2004-08-04 07:56 81920 ------w- c:\windows\system32\ieencode.dll

2009-09-25 03:55 . 2009-09-25 03:55 74703 ----a-w- c:\windows\system32\mfc45.dll

2009-09-25 03:55 . 2009-09-26 17:27 -------- d-----w- c:\documents and settings\All Users\Application Data\iolo

2009-09-25 03:55 . 2009-09-25 05:19 -------- d-----w- c:\documents and settings\Administrator\Application Data\iolo

2009-09-23 22:21 . 2009-09-23 22:21 155267 ----a-w- c:\windows\system32\fyzyebje.dll

2009-09-23 21:31 . 2009-09-23 21:31 52224 ----a-w- C:\hempabtn.exe

2009-09-23 21:31 . 2009-09-24 02:37 22528 --sha-w- c:\windows\system32\calc.dll

2009-09-23 21:31 . 2009-09-23 21:31 10752 ----a-w- C:\jqijnws.exe

2009-09-23 21:30 . 2009-09-23 21:31 102912 ----a-w- C:\wuun.exe

2009-09-23 21:30 . 2009-09-23 21:30 172032 ----a-w- C:\butwwo.exe

2009-09-20 19:51 . 2009-09-20 19:51 122880 ----a-w- c:\windows\system32\ssrqrqrpnk.exe

2009-09-16 02:47 . 2009-09-16 02:47 122880 ----a-w- c:\windows\system32\urrrsqoljg.exe

2009-09-16 02:47 . 2009-09-16 02:47 41984 ----a-w- c:\windows\system32\ddbyvtromj.dll

2009-09-15 01:27 . 2009-09-15 01:27 122880 ----a-w- c:\windows\system32\effghebawt.exe

2009-09-15 01:27 . 2009-09-15 01:27 41984 ----a-w- c:\windows\system32\tuvsrrqrpn.dll

2009-09-14 03:08 . 2009-09-14 03:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Blizzard Entertainment

2009-09-13 14:35 . 2009-09-13 14:35 163840 ----a-w- c:\windows\svchasts.exe

2009-09-12 11:19 . 2009-09-12 11:19 122880 ----a-w- c:\windows\system32\pmnmkkigfc.exe

2009-09-12 11:18 . 2009-09-12 11:18 24064 ----a-w- c:\windows\system32\kheddabyxu.dll

2009-09-11 09:49 . 2009-09-11 09:49 466432 ----a-w- c:\windows\system32\dtpogxbvrd.dll

2009-09-10 19:58 . 2009-09-10 20:23 -------- d-----w- C:\UBCD4Win

2009-09-10 07:27 . 2009-09-10 07:27 -------- d-----w- c:\program files\Trend Micro

2009-09-08 21:42 . 2009-06-21 22:04 153088 -c----w- c:\windows\system32\dllcache\triedit.dll

2009-09-07 18:38 . 2009-09-08 03:09 16 ----a-w- c:\windows\pxydb.dat

2009-09-02 14:11 . 2009-09-02 14:11 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE

2009-09-02 00:12 . 2009-09-02 00:12 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Adobe

2009-09-01 20:07 . 2009-09-01 20:07 -------- d-----w- c:\documents and settings\Administrator\Application Data\mjusbsp

2009-09-01 16:50 . 2009-09-01 16:50 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Identities

2009-09-01 06:57 . 2009-09-01 06:57 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla

2009-09-01 02:58 . 2009-09-01 02:58 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-09-28 16:46 . 2009-07-21 06:05 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP

2009-09-28 12:36 . 2009-06-28 12:36 88576 --sha-w- c:\windows\system32\wepakezu.dll

2009-09-28 01:09 . 2009-07-21 06:04 -------- d-----w- c:\program files\Common Files\Symantec Shared

2009-09-27 11:04 . 2009-06-14 04:56 664 ----a-w- c:\windows\system32\d3d9caps.dat

2009-09-26 05:45 . 2009-07-21 06:05 -------- d-----w- c:\program files\Spyware Doctor

2009-09-26 00:35 . 2009-06-26 00:35 49664 --sha-w- c:\windows\system32\wozuboge.dll

2009-09-20 19:50 . 2009-07-19 03:55 -------- d-----w- c:\program files\World of Warcraft

2009-09-16 01:44 . 2009-07-20 17:38 -------- d-----w- c:\program files\SpeedFan

2009-09-12 05:39 . 2009-08-02 15:56 58334 ----a-w- c:\windows\system32\u_dtpogxbvrd.dll.exe

2009-09-10 02:32 . 2009-08-06 05:48 -------- d-----w- c:\program files\Microsoft Silverlight

2009-09-09 10:11 . 2009-06-26 18:31 -------- d-----w- c:\documents and settings\anthony g\Application Data\mjusbsp

2009-09-09 10:10 . 2009-08-26 15:37 -------- d-----w- c:\program files\TPR

2009-08-28 06:28 . 2009-07-30 02:47 -------- d-----w- c:\documents and settings\anthony g\Application Data\LimeWire

2009-08-26 15:38 . 2009-08-26 15:38 1568800 ----a-w- c:\windows\system32\mrkln.exe

2009-08-26 05:46 . 2009-08-26 05:46 -------- d-----w- c:\documents and settings\anthony g\Application Data\Malwarebytes

2009-08-26 05:46 . 2009-08-26 05:45 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-08-26 05:45 . 2009-08-26 05:45 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-08-25 16:10 . 2009-08-25 16:10 40448 ----a-w- c:\windows\system32\ycode.dll

2009-08-24 04:32 . 2009-08-24 04:32 88576 ----a-w- c:\windows\acnq35580.exe

2009-08-24 04:32 . 2009-08-24 04:32 412160 ----a-w- c:\windows\naut3507.exe

2009-08-24 04:32 . 2009-08-24 04:32 889078 ----a-w- c:\windows\xaxbs73558.exe

2009-08-24 04:27 . 2009-06-17 05:37 -------- d-----w- c:\documents and settings\All Users\Application Data\WinZip

2009-08-24 03:56 . 2009-07-30 02:46 -------- d-----w- c:\program files\Java

2009-08-23 06:04 . 2009-08-04 07:40 -------- d-----w- c:\program files\RealArcade

2009-08-23 05:46 . 2009-08-23 05:46 -------- d-----w- c:\program files\GameHouse

2009-08-23 05:43 . 2009-08-15 20:58 -------- d-----w- c:\program files\Monopoly_at

2009-08-22 14:36 . 2005-01-24 17:30 139264 ----a-w- c:\windows\system32\hpzjrd01.dll

2009-08-21 10:07 . 2009-08-21 10:07 -------- d-----w- c:\program files\Microsoft CAPICOM 2.1.0.2

2009-08-21 10:03 . 2009-08-21 10:03 -------- d-----w- c:\program files\MSXML 4.0

2009-08-20 07:39 . 2009-08-20 07:39 132 ----a-w- c:\documents and settings\anthony g\Local Settings\Application Data\fusioncache.dat

2009-08-20 07:27 . 2009-08-20 06:58 112423 ----a-w- c:\windows\hpoins07.dat

2009-08-20 07:23 . 2009-08-20 06:49 -------- d-----w- c:\documents and settings\anthony g\Application Data\HP

2009-08-20 07:23 . 2009-06-14 04:52 17808 ----a-w- c:\documents and settings\anthony g\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-08-20 07:17 . 2009-08-20 06:59 -------- d-----w- c:\program files\HP

2009-08-20 07:17 . 2009-08-20 07:17 -------- d-----w- c:\documents and settings\All Users\Application Data\HP

2009-08-20 07:15 . 2009-08-20 07:15 -------- d-----w- c:\program files\Common Files\Sonic Shared

2009-08-20 07:15 . 2009-08-20 07:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Sonic

2009-08-20 07:14 . 2009-08-20 07:13 -------- d-----w- c:\program files\Common Files\HP

2009-08-20 07:09 . 2009-08-20 07:09 -------- d-----w- c:\program files\Hewlett-Packard

2009-08-20 07:05 . 2009-08-20 07:05 -------- d-----w- c:\program files\Common Files\Hewlett-Packard

2009-08-20 06:16 . 2009-08-20 06:16 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Drivers HeadQuarters

2009-08-20 06:16 . 2009-08-20 06:16 -------- d-----w- c:\program files\PC Drivers HeadQuarters

2009-08-18 04:11 . 2009-08-18 04:10 -------- d-----w- c:\program files\Virtual Earth 3D

2009-08-15 03:22 . 2009-08-15 03:22 -------- d-----w- c:\documents and settings\anthony g\Application Data\PlayFirst

2009-08-15 03:22 . 2009-08-15 03:22 -------- d-----w- c:\program files\PlayFirst

2009-08-15 02:52 . 2009-08-15 02:52 -------- d-----w- c:\program files\AOL Games

2009-08-14 06:56 . 2009-08-14 06:56 -------- d-----w- c:\program files\TikGames

2009-08-09 01:39 . 2009-08-09 00:25 -------- d-----w- c:\program files\Daycare Nightmare

2009-08-09 00:30 . 2009-08-09 00:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Protexis

2009-08-07 10:18 . 2009-08-07 10:18 -------- d-----w- c:\program files\MSBuild

2009-08-07 10:17 . 2009-08-07 10:17 -------- d-----w- c:\program files\Reference Assemblies

2009-08-07 10:03 . 2009-08-07 10:03 -------- d-----w- c:\program files\MSXML 6.0

2009-08-05 09:11 . 2001-08-23 12:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll

2009-08-04 07:41 . 2009-08-04 07:41 -------- d-----w- c:\documents and settings\All Users\Application Data\RealArcade

2009-08-03 20:36 . 2009-08-26 05:45 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-08-03 20:36 . 2009-08-26 05:45 19096 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-08-03 06:18 . 2009-08-03 06:18 -------- d-----w- c:\documents and settings\anthony g\Application Data\SpinTop

2009-08-03 04:45 . 2009-08-03 04:45 -------- d-----w- c:\documents and settings\All Users\Application Data\ParetoLogic Anti-Spyware

2009-08-02 05:05 . 2009-08-02 05:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Trymedia

2009-08-02 05:05 . 2009-08-02 05:05 -------- d-----w- c:\documents and settings\All Users\Application Data\NeoEdge Networks

2009-07-31 08:59 . 2009-06-14 09:20 -------- d-----w- c:\program files\Common Files\Adobe

2009-07-25 12:23 . 2009-07-30 02:47 411368 ----a-w- c:\windows\system32\deploytk.dll

2009-07-17 18:55 . 2001-08-23 12:00 58880 ----a-w- c:\windows\system32\atl.dll

2009-07-13 09:18 . 2009-06-14 04:35 233472 ------w- c:\windows\system32\wmpdxm.dll

2009-07-03 17:09 . 2001-08-23 12:00 915456 ----a-w- c:\windows\system32\wininet.dll

2009-09-11 09:49 . 2009-09-11 09:49 365056 ----a-w- c:\program files\mozilla firefox\components\dtpogxbvrd.dll

2009-07-21 06:03 . 2009-07-21 06:03 122880 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll

2009-06-24 23:34 . 2009-06-24 23:34 4096 --sha-w- c:\windows\system32\jofaluju.exe

2009-06-26 00:35 . 2009-06-26 00:35 49664 --sha-w- c:\windows\system32\pirovowi.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5df4e023-a41f-44b2-afbf-6066fc18315c}]

2009-06-26 00:35 49664 --sha-w- c:\windows\system32\pirovowi.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{c4d57340-05f0-4916-bd66-b66fbbcba8ad}]

2009-09-28 20:51 44544 ----a-w- c:\windows\system32\ddbxvwvtro.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-08-04 1667584]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-07-18 39408]

"cdloader"="c:\documents and settings\anthony g\Application Data\mjusbsp\cdloader2.exe" [2009-08-01 50520]

"calc"="c:\docume~1\ANTHON~1\protect.dll" [2009-09-28 22528]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-27 413696]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-12-05 8523776]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-12-05 81920]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-28 35696]

"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2009-07-21 30192]

"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-12 49152]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]

"38d6cddd"="c:\windows\system32\kheddabyxu.dll" [2009-09-12 24064]

"calc"="c:\windows\system32\calc.dll" [2009-09-24 22528]

"furopadod"="c:\windows\system32\wepakezu.dll" [2009-09-28 88576]

"98c58f99"="c:\windows\system32\ddbxvwvtro.dll" [2009-09-28 44544]

"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2007-12-05 1626112]

c:\documents and settings\anthony g\Start Menu\Programs\Startup\

scandisk.dll [2009-9-23 22528]

scandisk.lnk - c:\windows\system32\rundll32.exe [2001-8-23 33280]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-5-11 282624]

HP Image Zone Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2005-5-12 73728]

WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2008-9-8 525664]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]

"NoSetActiveDesktop"= 1 (0x1)

"NoActiveDesktopChanges"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\SharedTaskScheduler]

"{5f4ff0b9-35b4-4878-b499-03920825fab7}"= "c:\windows\system32\wepakezu.dll" [2009-09-28 88576]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]

"turadumem"= {5f4ff0b9-35b4-4878-b499-03920825fab7} - c:\windows\system32\wepakezu.dll [2009-09-28 88576]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]

"LoadAppInit_DLLs"=1 (0x1)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]

@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]

@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\World of Warcraft\\Launcher.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=

"c:\\Documents and Settings\\anthony g\\Application Data\\mjusbsp\\magicJack.exe"=

"c:\\Program Files\\LimeWire\\LimeWire.exe"=

R2 dfjmjv;dfjmjv;c:\windows\system32\drivers\syoi.sys [x]

R2 gupdate1ca07644223d8d0;Google Update Service (gupdate1ca07644223d8d0);c:\program files\Google\Update\GoogleUpdate.exe [2009-07-18 133104]

R2 ioloFileInfoList;iolo FileInfoList Service;c:\program files\iolo\common\lib\ioloServiceManager.exe [2009-08-28 609792]

R2 ioloSystemService;iolo System Service;c:\program files\iolo\common\lib\ioloServiceManager.exe [2009-08-28 609792]

R3 GoogleDesktopManager-110408-113106;Google Desktop Manager 5.8.811.4345;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [2009-07-21 30192]

R3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [2009-01-07 348752]

S0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2009-04-03 130936]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]

"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP

.

Contents of the 'Scheduled Tasks' folder

2009-09-11 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]

2009-07-31 c:\windows\Tasks\firefox.job

- c:\program files\Mozilla Firefox\firefox.exe [2009-06-17 01:49]

2009-09-28 c:\windows\Tasks\Google Software Updater.job

- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-07-18 04:56]

2009-09-28 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2009-07-18 04:57]

2009-09-28 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2009-07-18 04:57]

2009-07-31 c:\windows\Tasks\Mozilla Firefox.job

- c:\progra~1\MOZILL~1\firefox.exe [2009-06-17 01:49]

2009-09-23 c:\windows\Tasks\Norton Security Scan for anthony g.job

- c:\program files\Norton Security Scan\Norton Security Scan\Engine\2.3.0.44\Nss.exe [2009-07-19 23:45]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.twinturbo.net/

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200

FF - ProfilePath - c:\documents and settings\anthony g\Application Data\Mozilla\Firefox\Profiles\7ongi6fj.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.twinturbo.net/

FF - component: c:\program files\Mozilla Firefox\components\dtpogxbvrd.dll

FF - component: c:\program files\Mozilla Firefox\components\GoogleDesktopMozilla.dll

FF - plugin: c:\documents and settings\All Users\Application Data\RealArcade\npraclient.dll

FF - plugin: c:\program files\Google\Google Updater\2.4.1601.7122\npCIDetect13.dll

FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll

FF - plugin: c:\program files\Google\Update\1.2.183.7\npGoogleOneClick8.dll

FF - plugin: c:\program files\Mozilla Firefox\extensions\npmozax@real.com\plugins\npmozax.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npraclient.dll

FF - plugin: c:\program files\Virtual Earth 3D\npVE3D.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----

FF - user.js: yahoo.homepage.dontask - true

.

- - - - ORPHANS REMOVED - - - -

WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)

HKLM-Run-17096564 - c:\documents and settings\All Users\Application Data\17096564\17096564.exe

HKLM-Run-hivahovohi - raramuge.dll

SharedTaskScheduler-{a07a1c5a-493c-4f0b-a10b-21b09886d80b} - c:\windows\system32\jawepuwa.dll

SharedTaskScheduler-{a5bf1657-ea7f-46ac-861a-c39f2d395b80} - c:\windows\system32\sebowowa.dll

SharedTaskScheduler-{b9d47c83-470a-4af9-ab69-b58203bd95c3} - c:\windows\system32\duzileru.dll

SharedTaskScheduler-{603cc096-a57b-48b0-b54c-26c43b43f0dc} - c:\windows\system32\pinafadi.dll

SSODL-gojekakov-{a07a1c5a-493c-4f0b-a10b-21b09886d80b} - c:\windows\system32\jawepuwa.dll

SSODL-jamijilab-{a5bf1657-ea7f-46ac-861a-c39f2d395b80} - c:\windows\system32\sebowowa.dll

SSODL-gewumadus-{b9d47c83-470a-4af9-ab69-b58203bd95c3} - c:\windows\system32\duzileru.dll

SSODL-napenimoy-{603cc096-a57b-48b0-b54c-26c43b43f0dc} - c:\windows\system32\pinafadi.dll

AddRemove-3cc0810b-d693-925d-be98-a3172dc394fd - c:\windows\system32\3cc0810b-d693-925d-be98-a3172dc394fd.exe

AddRemove-vutzwbozyrmaaocu - c:\windows\system32\vutzwbozyrmaaocu.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-09-28 13:50

Windows 5.1.2600 Service Pack 2 NTFS

detected NTDLL code modification:

ZwEnumerateKey, ZwEnumerateValueKey, ZwQueryDirectoryFile, ZwQuerySystemInformation

scanning hidden processes ...

c:\windows\system32\.38767e55\38767e55.exe [1304] 0x890BD898

scanning hidden autostart entries ...

scanning hidden files ...

c:\windows\TEMP\tmp478.tmp.38767e55.tmp 126976 bytes executable

c:\windows\TEMP\tmpBF.tmp.38767e55.tmp 122880 bytes executable

c:\windows\TEMP\tmp1DE.tmp.38767e55.tmp 126976 bytes executable

c:\windows\system32\.38767e55

c:\windows\system32\ddbxvwvtro.dll 44544 bytes executable

c:\windows\system32\jkkjkiheec.exe 122880 bytes executable

scan completed successfully

hidden files: 6

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\38767e55]

"ImagePath"="c:\windows\system32\.38767e55\38767e55.exe"

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]

@Denied: (2) (LocalSystem)

"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,b3,cf,df,be,4b,11,54,49,a0,6a,20,\

"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,b3,cf,df,be,4b,11,54,49,a0,6a,20,\

[HKEY_USERS\S-1-5-21-1343024091-1284227242-1177238915-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID]

@Denied: (Full) (LocalSystem)

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(4032)

c:\windows\system32\WININET.dll

c:\windows\system32\ddbxvwvtro.dll

c:\windows\system32\kheddabyxu.dll

c:\windows\system32\calc.dll

c:\windows\system32\wepakezu.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\msi.dll

c:\windows\system32\.38767e55\38767e55.core.dll

c:\windows\system32\mshtml.dll

c:\windows\system32\msls31.dll

c:\windows\system32\webcheck.dll

c:\program files\Stardock\Object Desktop\IconPackager\iprepair.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Java\jre6\bin\jqs.exe

c:\windows\system32\nvsvc32.exe

c:\program files\HP\Digital Imaging\bin\hpqimzone.exe

c:\program files\HP\Digital Imaging\bin\hpqste08.exe

.

**************************************************************************

.

Completion time: 2009-09-28 14:03 - machine was rebooted

ComboFix-quarantined-files.txt 2009-09-28 21:03

Pre-Run: 20,668,223,488 bytes free

Post-Run: 22,100,938,752 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

432 --- E O F --- 2009-09-09 10:10

Anyway, it runs a LOT better now but still a few bugs...
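The log above is long, and most of what the helper acts on in the next reply can be picked out mechanically: autostart values that load a freshly written DLL from system32 or the user profile, Security Center overrides set to 1, LoadAppInit_DLLs enabled, and the files catchme reports as hidden. The script below is an added triage helper, not part of this thread and not ComboFix's own code. It parses a constructed sample made of lines copied from the log above and applies those checks; the 30-day "recently written" window, the `program files` exclusion and the finding format are my assumptions, and the `[X]` note is only a prompt to look, since ComboFix marks any path it cannot resolve that way.

```python
"""Triage helper for ComboFix-style logs (added example, not ComboFix code)."""
import re
from datetime import date

# Constructed sample: lines copied from the log posted above, trimmed to the
# sections the heuristics look at. Raw string so backslashes stay literal.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-07-18 39408]
"calc"="c:\docume~1\ANTHON~1\protect.dll" [2009-09-28 22528]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-12-05 8523776]
"38d6cddd"="c:\windows\system32\kheddabyxu.dll" [2009-09-12 24064]
"calc"="c:\windows\system32\calc.dll" [2009-09-24 22528]
"furopadod"="c:\windows\system32\wepakezu.dll" [2009-09-28 88576]
"98c58f99"="c:\windows\system32\ddbxvwvtro.dll" [2009-09-28 44544]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"LoadAppInit_DLLs"=1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
scanning hidden files ...
c:\windows\TEMP\tmp478.tmp.38767e55.tmp 126976 bytes executable
c:\windows\system32\.38767e55
c:\windows\system32\ddbxvwvtro.dll 44544 bytes executable
scan completed successfully
hidden files: 3
"""

SECTION_RE = re.compile(r'^\[(?P<key>[^\]]+)\]$')
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]*)"(?:\s*\[(?P<meta>[^\]]*)\])?')
DWORD_RE = re.compile(r'^"(?P<name>[^"]+)"=(?:dword:)?(?P<val>[0-9a-fA-F]+)')
HIDDEN_RE = re.compile(r'^(?P<path>[a-z]:\\\S+)(?:\s+\d+ bytes executable)?$', re.I)


def parse(text):
    """Split a ComboFix-style log into Run entries, DWORD values and catchme hidden paths."""
    run_entries, dwords, hidden = [], {}, []
    section, in_hidden = None, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == '.':
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group('key').lower()
            continue
        if line.startswith('scanning hidden files'):
            in_hidden = True
            continue
        if line.startswith('scan completed'):
            in_hidden = False
            continue
        if in_hidden:
            m = HIDDEN_RE.match(line)
            if m:
                hidden.append(m.group('path'))
            continue
        if section is None:
            continue
        m = VALUE_RE.match(line)
        if m and section.endswith('\\currentversion\\run'):
            run_entries.append({'hive': section, 'name': m.group('name'),
                                'path': m.group('path'), 'meta': m.group('meta') or ''})
            continue
        m = DWORD_RE.match(line)
        if m:
            dwords[(section, m.group('name'))] = int(m.group('val'), 16)
    return run_entries, dwords, hidden


def file_date(meta):
    """ComboFix writes '[YYYY-MM-DD size]' after a resolved file; '[X]' means unresolved."""
    m = re.match(r'(\d{4})-(\d{2})-(\d{2})', meta)
    return date(int(m.group(1)), int(m.group(2)), int(m.group(3))) if m else None


def triage(text, scan_date, recent_days=30):
    """Return a list of findings; each has kind, name, path and the reasons it was flagged."""
    run_entries, dwords, hidden = parse(text)
    hidden_names = {p.rsplit('\\', 1)[-1].lower() for p in hidden}
    findings = []
    for e in run_entries:
        path = e['path'].lower()
        reasons = []
        if path.rsplit('\\', 1)[-1] in hidden_names:
            reasons.append('autostarted file is hidden from the Win32 API (catchme)')
        when = file_date(e['meta'])
        recent = when is not None and (scan_date - when).days <= recent_days  # assumed window
        if path.endswith('.dll') and recent and 'program files' not in path:
            reasons.append('recently written DLL autostarted from system32 or a user profile')
        if e['meta'] == 'X':
            reasons.append('ComboFix could not resolve the file; review, not proof of infection')
        if reasons:
            findings.append({'kind': 'autostart', 'name': e['name'], 'path': e['path'], 'reasons': reasons})
    for (section, name), value in dwords.items():
        if section.endswith('security center') and value == 1 and \
                name in ('AntiVirusOverride', 'UpdatesDisableNotify'):
            findings.append({'kind': 'policy', 'name': name, 'path': section,
                             'reasons': ['Security Center warning suppressed']})
        if name == 'LoadAppInit_DLLs' and value == 1:
            findings.append({'kind': 'policy', 'name': name, 'path': section,
                             'reasons': ['AppInit_DLLs loading enabled; inspect the AppInit_DLLs value']})
    for p in hidden:
        findings.append({'kind': 'hidden', 'name': p.rsplit('\\', 1)[-1], 'path': p,
                         'reasons': ['hidden file or directory reported by catchme']})
    return findings


if __name__ == '__main__':
    for f in triage(SAMPLE_LOG, date(2009, 9, 28)):
        print(f"{f['kind']:9} {f['name']:18} {f['path']}\n          " + '; '.join(f['reasons']))
```

Run against the sample, the script flags every Run value the helper later removes with the CFScript, the two hidden system32 items, the temp file and both Security Center overrides, while the NVIDIA and Google entries pass untouched. The date window is the heuristic doing most of the work: legitimate autostart DLLs such as NvCpl.dll tend to carry old timestamps, whereas the ones here were written within days of the scan.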


  • Staff

Hi,

Please delete your copy of ComboFix, download the latest version from here, and save it to your Desktop. Do not run it yet.

Next, please open Notepad. Copy and paste the text in the Code box below into Notepad:

http://www.malwarebytes.org/forums/index.php?showtopic=26028
Collect::
c:\windows\system32\pirovowi.dll
c:\windows\system32\ddbxvwvtro.dll
c:\documents and settings\anthony g\protect.dll
c:\windows\system32\kheddabyxu.dll
c:\windows\system32\calc.dll
c:\windows\system32\wepakezu.dll
c:\documents and settings\anthony g\Start Menu\Programs\Startup\scandisk.dll
c:\windows\system32\drivers\syoi.sys
c:\windows\system32\jkkjkiheec.exe
c:\windows\TEMP\tmp478.tmp.38767e55.tmp
c:\windows\TEMP\tmpBF.tmp.38767e55.tmp
c:\windows\TEMP\tmp1DE.tmp.38767e55.tmp
c:\windows\system32\.38767e55\38767e55.exe
Driver::
dfjmjv
KILLALL::
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5df4e023-a41f-44b2-afbf-6066fc18315c}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{c4d57340-05f0-4916-bd66-b66fbbcba8ad}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"calc"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"=-
"furopadod"=-
"calc"=-
"38d6cddd"=-
Folder::
c:\windows\system32\.38767e55

Save this as CFScript.txt

CFScriptB-4.gif

Referring to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you. Post that log in your next reply.

**Note**

When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.

  • Ensure you are connected to the internet and click OK on the message box.

Also update MBAM, run a Quick Scan, and post its log. Then post a fresh HijackThis log.

-screen317


  • 2 weeks later...
  • Staff

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
