
Rootkit removal, run-time errors and more



This started as a rootkit removal exercise, but a runtime error 9 led me to post in another forum (entry number 178429) and I was guided to use procedures to post here. Thank you in advance for your help.

DDS.txt:

DDS (Ver_09-12-01.01) - NTFSx86

Run by AMC at 23:01:19.95 on Fri 01/01/2010

Internet Explorer: 6.0.2800.1106 BrowserJavaVersion: 1.6.0_15

Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.382.99 [GMT -5:00]

AV: Doctor Web Anti-Virus *On-access scanning enabled* (Updated) {3454C8F1-ECBC-4180-A6F4-04632FBA762B}

AV: Spyware Doctor with AntiVirus *On-access scanning enabled* (Updated) {D3C23B96-C9DC-477F-8EF1-69AF17A6EFF6}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost -k DcomLaunch

C:\WINDOWS\system32\svchost -k rpcss

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe

C:\Program Files\Common Files\Doctor Web\Scanning Engine\dwengine.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Common Files\LightScribe\LSSrvc.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\Program Files\Spyware Doctor\pctsAuxs.exe

C:\Program Files\Spyware Doctor\pctsSvc.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

C:\Program Files\Spyware Doctor\pctsTray.exe

C:\PROGRA~1\DrWeb\spidernt.exe

C:\WINDOWS\System32\svchost.exe -k imgsvc

C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe

C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe

C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\Program Files\DrWeb\SpIDerAgent.exe

C:\PROGRA~1\DrWeb\spiderui.exe

C:\WINDOWS\System32\ctfmon.exe

C:\WINDOWS\system32\dumprep.exe

C:\Program Files\HPQ\SHARED\HPQWMI.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Documents and Settings\AMC\Desktop\dds.pif

============== Pseudo HJT Report ===============

uSearch Page = hxxp://www.google.com

uSearch Bar = hxxp://www.google.com/ie

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

uSearchURL,(Default) = hxxp://www.google.com/keyword/%s

BHO: {7710eb04-f66a-4968-85cf-5cb88b28cfd9} - maguwewo.dll

TB: PC Tools Browser Guard: {472734ea-242a-422b-adf8-83d1e48cc825} - c:\program files\spyware doctor\bdt\PCTBrowserDefender.dll

TB: {90B8B761-DF2B-48AC-BBE0-BCC03A819B3B} - No File

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe

mRun: [hpWirelessAssistant] c:\program files\hpq\hp wireless assistant\HP Wireless Assistant.exe

mRun: [eabconfg.cpl] c:\program files\hpq\quick launch buttons\EabServr.exe /Start

mRun: [Cpqset] c:\program files\hpq\default settings\cpqset.exe

mRun: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe

mRun: [iSUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup

mRun: [iSUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start

mRun: [sunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"

mRun: [iSTray] "c:\program files\spyware doctor\pctsTray.exe"

mRun: [spIDerAgent] "c:\program files\drweb\SpIDerAgent.exe"

mRun: [spIDerMail] "c:\program files\drweb\spiderml.exe"

mRun: [spIDerNT] c:\progra~1\drweb\spiderui.exe /agent

mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

mRun: [lobajepum] Rundll32.exe "c:\windows\system32\heterute.dll",a

mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent

IE: {c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office12\REFIEBAR.DLL

LSP: c:\program files\common files\pc tools\lsp\PCTLsp.dll

LSP: c:\program files\drweb\drwebsp.dll

DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab

DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab

DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1260842474843

DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1260842685187

DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} - hxxp://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection2.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab

DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab

DPF: {95D88B35-A521-472B-A182-BB1A98356421} - hxxp://asp.mathxl.com/books/_Players/PearsonInstallAsst2.cab

DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} - hxxp://aolsvc.aol.com/onlinegames/iwincarambadeluxe/zylomgamesplayer.cab

DPF: {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_02-windows-i586.cab

DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab

DPF: {E6D23284-0E9B-417D-A782-03E4487FC947} - hxxp://asp.mathxl.com/books/_Players/MathPlayer.cab

DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} - hxxp://pvi.stpweblocker.com/updates/lib/XUpload.ocx

TCP: {4DDF435C-F750-4AE0-A65A-31153F9E4D04} = 193.104.110.38,4.2.2.1,68.100.16.25 68.100.16.30

TCP: {5061659B-F63A-4BF9-9647-DBCCF7CF874E} = 193.104.110.38,4.2.2.1,68.100.16.25 68.100.16.30

TCP: {789A8A8F-E828-4B23-A03D-B8158D564001} = 193.104.110.38,4.2.2.1

Notify: AtiExtEvent - Ati2evxx.dll

AppInit_DLLs: muhavude.dll tijayefe.dll kowoziza.dll c:\windows\system32\heterute.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

SSODL: yaputozej - {9c6a6de0-bb39-44c2-9e14-6480e11d6180} - c:\windows\system32\heterute.dll

STS: {03520177-ad93-4b88-8aa1-752e8aa14464} - No File

STS: {34cca473-7d2d-4ba3-bf38-95e53fa59b6d} - No File

STS: tokatiluy: {9c6a6de0-bb39-44c2-9e14-6480e11d6180} - c:\windows\system32\heterute.dll

LSA: Notification Packages = scecli zogovaro.dll lululune.dll purahulu.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\amc\applic~1\mozilla\firefox\profiles\jyhs8d1y.default\

FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrie7&query=

FF - prefs.js: browser.search.selectedEngine - AIM Search

FF - prefs.js: browser.startup.homepage - www.google.com

FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrab&query=

FF - plugin: c:\documents and settings\amc\application data\mozilla\firefox\profiles\jyhs8d1y.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp07074039.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npdnu.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npunagi2.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll

FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R0 DwProt;DrWeb Protection;c:\windows\system32\drivers\dwprot.sys [2009-12-17 107000]

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-9-5 64160]

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2009-12-13 207792]

R0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys [2009-12-13 51984]

R0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys [2009-12-13 59664]

R1 pctgntdi;pctgntdi;c:\windows\system32\drivers\pctgntdi.sys [2009-12-13 233136]

R2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\spyware doctor\bdt\BDTUpdateService.exe [2009-12-13 112592]

R2 DrWebEngine;Dr.Web Scanning Engine (DrWebEngine);c:\program files\common files\doctor web\scanning engine\dwengine.exe [2009-9-22 869688]

R2 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2009-12-13 359624]

R2 sdCoreService;PC Tools Security Service;c:\program files\spyware doctor\pctsSvc.exe [2009-12-13 1141712]

R2 SPIDER;SpIDer Guard File System Monitor;c:\progra~1\drweb\spider.sys [2009-8-17 306464]

R2 SPIDERNT;SpIDer Guard for Windows;c:\progra~1\drweb\spidernt.exe [2009-8-17 231328]

R3 HSFHWATI;HSFHWATI;c:\windows\system32\drivers\HSFHWATI.sys [2004-12-15 200192]

S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-7-3 1028432]

S3 Partizan;Partizan;c:\windows\system32\drivers\Partizan.sys [2009-12-15 34760]

S3 pctplsg;pctplsg;c:\windows\system32\drivers\pctplsg.sys [2009-12-13 70408]

S3 RegGuard;RegGuard;c:\windows\system32\drivers\regguard.sys [2009-12-14 24416]

S3 TfNetMon;TfNetMon;c:\windows\system32\drivers\TfNetMon.sys [2009-12-13 33552]

S3 ThreatFire;ThreatFire;c:\program files\spyware doctor\tfengine\tfservice.exe service --> c:\program files\spyware doctor\tfengine\TFService.exe service [?]

=============== Created Last 30 ================

2010-01-02 03:31:57 0 ----a-w- c:\documents and settings\amc\defogger_reenable

2010-01-02 03:08:41 12672 ----a-w- c:\windows\system32\wpa.bak

2009-12-28 07:34:59 101376 -c--a-w- c:\windows\system32\dllcache\srusbusd.dll

2009-12-28 07:33:47 92416 -c--a-w- c:\windows\system32\dllcache\mga.sys

2009-12-28 07:32:59 10096640 -c--a-w- c:\windows\system32\dllcache\hwxcht.dll

2009-12-28 07:31:59 312832 -c--a-w- c:\windows\system32\dllcache\EXCH_aqueue.dll

2009-12-28 07:30:30 25065 ----a-w- c:\windows\system32\wmpscheme.xml

2009-12-28 07:30:25 299552 ----a-w- c:\windows\WMSysPrx.prx

2009-12-28 07:29:55 18560 ----a-w- c:\windows\system32\drivers\WSTCODEC.SYS

2009-12-28 07:29:52 16384 ----a-w- c:\windows\system32\drivers\CCDECODE.sys

2009-12-28 07:29:50 4992 ----a-w- c:\windows\system32\drivers\MSTEE.sys

2009-12-28 07:29:47 83712 ----a-w- c:\windows\system32\drivers\NABTSFEC.sys

2009-12-28 07:28:13 488 ---ha-r- c:\windows\system32\logonui.exe.manifest

2009-12-28 07:28:01 749 ---ha-r- c:\windows\WindowsShell.Manifest

2009-12-28 07:28:01 749 ---ha-r- c:\windows\system32\wuaucpl.cpl.manifest

2009-12-28 07:28:01 749 ---ha-r- c:\windows\system32\sapi.cpl.manifest

2009-12-28 07:28:01 749 ---ha-r- c:\windows\system32\ncpa.cpl.manifest

2009-12-28 07:26:59 806969 -c--a-w- c:\windows\system32\dllcache\moviemk.exe

2009-12-28 07:16:42 5888 ----a-w- c:\windows\system32\drivers\splitter.sys

2009-12-28 07:16:38 50048 ----a-w- c:\windows\system32\drivers\DMusic.sys

2009-12-28 07:16:02 56576 ----a-w- c:\windows\system32\drivers\redbook.sys

2009-12-28 07:12:54 4096 ----a-w- c:\windows\system32\ksuser.dll

2009-12-28 07:12:54 117248 ----a-w- c:\windows\system32\ksproxy.ax

2009-12-28 07:11:28 38024 ----a-w- c:\windows\system32\drivers\termdd.sys

2009-12-28 07:05:57 8574 -c--a-w- c:\windows\system32\dllcache\IASNT4.CAT

2009-12-24 04:10:45 106496 ----a-w- c:\windows\system32\urlold.dll

2009-12-24 03:54:06 106496 ----a-w- C:\url.dll

2009-12-23 20:05:52 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-12-23 20:05:40 18520 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-12-17 23:35:58 107000 ----a-w- c:\windows\system32\drivers\dwprot.sys

2009-12-17 23:34:38 0 d-----w- c:\program files\common files\Doctor Web

2009-12-17 23:34:35 0 d-----w- c:\docume~1\alluse~1\applic~1\Doctor Web

2009-12-17 23:34:33 0 d-----w- c:\program files\DrWeb

2009-12-17 22:02:15 0 ----a-w- c:\windows\system32\setup_XP.ini

2009-12-17 21:48:52 0 d-----w- c:\documents and settings\amc\DoctorWeb

2009-12-15 22:12:40 4775 ----a-w- c:\windows\setupapi.old

2009-12-15 19:30:37 34760 ----a-w- c:\windows\system32\drivers\Partizan.sys

2009-12-15 05:02:04 0 ----a-w- c:\documents and settings\amc\settings.dat

2009-12-15 03:49:08 0 d-----w- c:\program files\CCleaner

2009-12-15 02:03:06 15064 ----a-w- c:\windows\system32\wuapi.dll.mui

2009-12-14 06:08:35 57056 ----a-w- C:\regrunck.exe

2009-12-14 05:53:52 35040 ----a-w- c:\windows\system32\Partizan.exe

2009-12-14 05:53:45 24416 ----a-w- c:\windows\system32\drivers\regguard.sys

2009-12-14 05:42:34 2 --shatr- c:\windows\winstart.bat

2009-12-14 05:41:45 0 d-----w- c:\program files\Greatis

2009-12-14 02:57:09 0 d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-12-14 00:42:07 0 d-sh--w- c:\documents and settings\amc\IECompatCache

2009-12-13 16:40:58 59664 --s---w- c:\windows\system32\drivers\TfSysMon.sys

2009-12-13 16:40:58 33552 --s---w- c:\windows\system32\drivers\TfNetMon.sys

2009-12-13 16:40:57 51984 --s---w- c:\windows\system32\drivers\TfFsMon.sys

2009-12-13 15:30:44 882 ----a-w- c:\windows\RegSDImport.xml

2009-12-13 15:30:44 880 ----a-w- c:\windows\RegISSImport.xml

2009-12-13 15:30:44 767952 ----a-w- c:\windows\BDTSupport.dll

2009-12-13 15:30:44 165840 ----a-w- c:\windows\PCTBDRes.dll

2009-12-13 15:30:44 1640400 ----a-w- c:\windows\PCTBDCore.dll

2009-12-13 15:30:44 149456 ----a-w- c:\windows\SGDetectionTool.dll

2009-12-13 15:30:44 131 ----a-w- c:\windows\IDB.zip

2009-12-13 15:30:44 1152444 ----a-w- c:\windows\UDB.zip

2009-12-13 15:27:59 7387 ----a-w- c:\windows\system32\drivers\pctgntdi.cat

2009-12-13 15:27:59 233136 ----a-w- c:\windows\system32\drivers\pctgntdi.sys

2009-12-13 15:27:53 87784 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys

2009-12-13 15:27:53 7412 ----a-w- c:\windows\system32\drivers\PCTAppEvent.cat

2009-12-13 15:27:53 7383 ----a-w- c:\windows\system32\drivers\pctcore.cat

2009-12-13 15:27:53 207792 ----a-w- c:\windows\system32\drivers\PCTCore.sys

2009-12-13 15:27:47 7383 ----a-w- c:\windows\system32\drivers\pctplsg.cat

2009-12-13 15:27:47 70408 ----a-w- c:\windows\system32\drivers\pctplsg.sys

2009-12-13 15:27:40 0 d-----w- c:\program files\Spyware Doctor

2009-12-13 15:27:40 0 d-----w- c:\program files\common files\PC Tools

2009-12-13 15:27:40 0 d-----w- c:\docume~1\amc\applic~1\PC Tools

2009-12-13 15:27:40 0 d-----w- c:\docume~1\alluse~1\applic~1\PC Tools

2009-12-13 14:51:12 0 d-----w- c:\docume~1\amc\applic~1\Malwarebytes

2009-12-13 02:44:42 0 d--h--w- c:\windows\PIF

2009-12-13 01:11:59 17877 ----a-w- c:\docume~1\alluse~1\applic~1\ozequcyluf.scr

2009-12-13 01:11:59 17167 ----a-w- c:\windows\umir.ban

2009-12-13 01:11:59 16617 ----a-w- c:\windows\syjebyn.pif

2009-12-13 01:11:59 13279 ----a-w- c:\docume~1\alluse~1\applic~1\ycibiw.bin

2009-12-13 01:11:59 13039 ----a-w- c:\windows\ahymuxibuk.bin

2009-12-13 01:11:59 11670 ----a-w- c:\docume~1\alluse~1\applic~1\iralogituv.com

2009-12-12 21:36:15 3243 ----a-w- c:\windows\system32\wbem\Outlook_01ca7b7321dde088.mof

2009-12-12 20:52:28 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes

2009-12-12 20:17:37 0 d-----w- c:\windows\system32\schtml

==================== Find3M ====================

2009-12-28 07:25:58 23428 ----a-w- c:\windows\system32\emptyregdb.dat

2009-09-17 18:01:11 3 --sha-w- c:\windows\system32\dedezaye.dll

1601-01-01 00:03:21 91648 --sha-w- c:\windows\system32\heterute.dll

2009-09-12 21:13:16 45568 --sha-w- c:\windows\system32\hufovora.dll

2009-09-17 18:01:11 3 --sha-w- c:\windows\system32\jeruvote.dll

2009-09-18 18:03:37 51712 --sha-w- c:\windows\system32\kowoziza.dll

1601-01-01 00:03:21 45568 --sha-w- c:\windows\system32\kugipipo.dll

2009-09-18 18:03:37 51712 --sha-w- c:\windows\system32\maguwewo.dll

2009-09-13 21:16:09 61440 --sha-w- c:\windows\system32\pamukuhu.dll

2009-09-18 18:03:37 51712 --sha-w- c:\windows\system32\purahulu.dll

1601-01-01 00:03:21 38912 --sha-w- c:\windows\system32\suyorayo.dll

1601-01-01 00:03:21 61440 --sha-w- c:\windows\system32\zevupayi.dll

2009-01-06 08:07:51 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009010620090107\index.dat

============= FINISH: 23:02:45.42 ===============

ark.zip

Attach.zip

defogger_disable.zip

DDS.txt


  • Staff

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
