Virtumonde Problems


  • This topic is locked
17 replies to this topic

#1 Dr. Weird


Posted 04 January 2009 - 07:26 PM

Hi, I just started having problems today and have not attempted to fix things on my own. I wanted to go straight to the experts first. Thanks ahead of time for any help. Here is my Hijackthis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:25:30 PM, on 1/4/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\VIA\RAID\raid_tool.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DNA\btdna.exe
C:\Program Files\Electronic Arts\EADM\Core.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {9c89a1ec-900f-4fb1-bd8e-42316c969c07} - C:\WINDOWS\system32\lunuhofu.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [RaidTool] C:\Program Files\VIA\RAID\raid_tool.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [zolajusivu] Rundll32.exe "C:\WINDOWS\system32\bohusika.dll",s
O4 - HKLM\..\Run: [d82dbb21] rundll32.exe "C:\WINDOWS\system32\mogeviga.dll",b
O4 - HKLM\..\Run: [CPMdb1e88bd] Rundll32.exe "c:\windows\system32\zubufoba.dll",a
O4 - HKCU\..\Run: [igndlm.exe] C:\Program Files\Download Manager\DLM.exe /windowsstart /startifwork
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [EA Core] "C:\Program Files\Electronic Arts\EADM\Core.exe" -silent
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKUS\S-1-5-19\..\Run: [zolajusivu] Rundll32.exe "C:\WINDOWS\system32\bohusika.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [zolajusivu] Rundll32.exe "C:\WINDOWS\system32\bohusika.dll",s (User 'NETWORK SERVICE')
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/200707...ex/qtplugin.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.7.109.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
O20 - AppInit_DLLs: C:\WINDOWS\system32\lemovefo.dll c:\windows\system32\zubufoba.dll
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\zubufoba.dll
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\zubufoba.dll
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe

--
End of file - 5544 bytes


#2 fenzodahl512


Posted 05 January 2009 - 02:54 AM

Please download Malwarebytes' Anti-Malware from HERE or HERE

Note: If you already have Malwarebytes' Anti-Malware, just run and update it.. Then do a "Perform Full Scan"

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

NEXT

Please download RSIT by random/random and save it to your Desktop.
  • Double click on RSIT.exe to run RSIT
  • Before you click "Continue", make sure you change the List files/folders created or modified in the last 3 months
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt and info.txt in your next reply.

NEXT

Please download GMER and unzip it to your Desktop.
  • Open the program and click on the Rootkit tab.
  • Make sure all the boxes on the right of the screen are checked, EXCEPT for ‘Show All’.
  • Click on Scan.
  • When the scan has run, click Copy and paste the results into Notepad, save it, and attach it in this thread.


Post me these logs in your next reply.. Post each log in a separate post..

1. Malwarebytes'
2. RSIT log.txt
3. RSIT info.txt
4. Attach GMER result..

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#3 Dr. Weird


Posted 09 January 2009 - 02:42 PM

Thank you for your help, fenzodahl512. I got all the logs but only got the RSIT log.txt and didn't get the info.txt. I tried running RSIT a few more times but it only gives me one log. My computer is running great again since removing files with Malwarebytes.

Here's the Malwarebytes' log:

Malwarebytes' Anti-Malware 1.32
Database version: 1635
Windows 5.1.2600 Service Pack 2

1/9/2009 2:14:23 PM
mbam-log-2009-01-09 (14-14-23).txt

Scan type: Full Scan (C:\|)
Objects scanned: 72301
Time elapsed: 14 minute(s), 1 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 5
Registry Keys Infected: 7
Registry Values Infected: 5
Registry Data Items Infected: 5
Folders Infected: 0
Files Infected: 19

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\pozimadu.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\wokoguri.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\pozowaha.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\wuyedawa.dll (Trojan.Vundo.H) -> Delete on reboot.
c:\WINDOWS\system32\remebeyi.dll (Trojan.Vundo) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9c89a1ec-900f-4fb1-bd8e-42316c969c07} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{9c89a1ec-900f-4fb1-bd8e-42316c969c07} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{9c89a1ec-900f-4fb1-bd8e-42316c969c07} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\dslcnnct (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\d82dbb21 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zolajusivu (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cpmdb1e88bd (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\ssodl (Trojan.Vundo.H) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: c:\windows\system32\wokoguri.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\wokoguri.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: system32\wokoguri.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: c:\windows\system32\wuyedawa.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: system32\wuyedawa.dll -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\dijuzihi.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ihizujid.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\mogeviga.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\agivegom.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\pozimadu.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\udamizop.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\jeyiniyo.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\wuyedawa.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\pozowaha.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\wokoguri.dll (Trojan.Vundo.H) -> Delete on reboot.
c:\WINDOWS\system32\remebeyi.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\lemovefo.dll.tmp (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\bohusika.dll.tmp (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lunuhofu.dll.tmp (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\zubufoba.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\~.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\gokisoso.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\gefuvura.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\bakedosu.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

Edited by Dr. Weird, 09 January 2009 - 02:46 PM.


#4 Dr. Weird


Posted 09 January 2009 - 02:44 PM

Here's the RSIT log.txt:

Logfile of random's system information tool 1.05 (written by random/random)
Run by Number 6 at 2009-01-09 14:43:44
Microsoft Windows XP Home Edition Service Pack 2
System drive C: has 111 GB (73%) free of 153 GB
Total RAM: 2047 MB (82% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:43:45 PM, on 1/9/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\VIA\RAID\raid_tool.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DNA\btdna.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\Number 6\Desktop\RSIT.exe
C:\Program Files\Trend Micro\HijackThis\Number 6.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [RaidTool] C:\Program Files\VIA\RAID\raid_tool.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [igndlm.exe] C:\Program Files\Download Manager\DLM.exe /windowsstart /startifwork
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [EA Core] "C:\Program Files\Electronic Arts\EADM\Core.exe" -silent
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/200707...ex/qtplugin.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.7.109.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
O20 - AppInit_DLLs: C:\WINDOWS\system32\lemovefo.dll
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe

--
End of file - 4582 bytes

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
Adobe PDF Reader Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll [2006-10-22 62080]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}]
Google Toolbar Helper - c:\program files\google\googletoolbar1.dll [2008-03-16 2403392]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{2318C2B1-4965-11d4-9B18-009027A5CD4F} - &Google - c:\program files\google\googletoolbar1.dll [2008-03-16 2403392]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"=C:\WINDOWS\SOUNDMAN.EXE [2006-03-02 577536]
"NvCplDaemon"=C:\WINDOWS\system32\NvCpl.dll [2008-09-17 13574144]
"nwiz"=nwiz.exe /install []
"QuickTime Task"=C:\Program Files\QuickTime\qttask.exe [2007-09-17 286720]
"Adobe Reader Speed Launcher"=C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe [2008-01-11 39792]
"RaidTool"=C:\Program Files\VIA\RAID\raid_tool.exe [2005-06-20 1056768]
"NvMediaCenter"=C:\WINDOWS\system32\NvMcTray.dll [2008-09-17 86016]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"igndlm.exe"=C:\Program Files\Download Manager\DLM.exe [2008-08-01 1103216]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2004-08-04 15360]
"MSMSGS"=C:\Program Files\Messenger\msmsgs.exe [2004-10-13 1694208]
"BitTorrent DNA"=C:\Program Files\DNA\btdna.exe [2008-12-19 342848]
"EA Core"=C:\Program Files\Electronic Arts\EADM\Core.exe [2009-01-07 3321856]
"DAEMON Tools Lite"=C:\Program Files\DAEMON Tools Lite\daemon.exe [2008-12-10 216520]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLS"="C:\WINDOWS\system32\lemovefo.dll "

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
C:\WINDOWS\system32\WgaLogon.dll [2007-03-15 236928]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"notification packages"=scecli
C:\WINDOWS\system32\lemovefo.dll

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\World of Warcraft\WoW-1.12.0-enUS-downloader.exe"="C:\Program Files\World of Warcraft\WoW-1.12.0-enUS-downloader.exe:*:Enabled:Blizzard Downloader"
"C:\Program Files\World of Warcraft\WoW-1.12.x-to-2.0.1-enUS-patch-downloader.exe"="C:\Program Files\World of Warcraft\WoW-1.12.x-to-2.0.1-enUS-patch-downloader.exe:*:Enabled:Blizzard Downloader"
"C:\Program Files\World of Warcraft\WoW-2.0.3-enUS-downloader.exe"="C:\Program Files\World of Warcraft\WoW-2.0.3-enUS-downloader.exe:*:Enabled:Blizzard Downloader"
"C:\Program Files\World of Warcraft\WoW-2.0.3.6299-to-2.0.12.6546-enUS-downloader.exe"="C:\Program Files\World of Warcraft\WoW-2.0.3.6299-to-2.0.12.6546-enUS-downloader.exe:*:Enabled:Blizzard Downloader"
"C:\Program Files\World of Warcraft\BackgroundDownloader.exe"="C:\Program Files\World of Warcraft\BackgroundDownloader.exe:*:Enabled:Blizzard Downloader"
"C:\Program Files\Sony\Station\LaunchPad\LaunchPad.exe"="C:\Program Files\Sony\Station\LaunchPad\LaunchPad.exe:*:Enabled:LaunchPad"
"C:\Program Files\Azureus\Azureus.exe"="C:\Program Files\Azureus\Azureus.exe:*:Enabled:Azureus"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\THQ\Dawn Of War\W40k.exe"="C:\Program Files\THQ\Dawn Of War\W40k.exe:*:Enabled:W40k"
"C:\Program Files\DNA\btdna.exe"="C:\Program Files\DNA\btdna.exe:*:Enabled:DNA"
"C:\Program Files\BitTorrent\bittorrent.exe"="C:\Program Files\BitTorrent\bittorrent.exe:*:Enabled:BitTorrent"
"C:\WINDOWS\explorer.exe"="C:\WINDOWS\explorer.exe:*:Enabled:Explorer"
"C:\WINDOWS\system32\logonui.exe"="C:\WINDOWS\system32\logonui.exe:*:Enabled:logonui"
"C:\Program Files\Electronic Arts\EADM\Core.exe"="C:\Program Files\Electronic Arts\EADM\Core.exe:*:Enabled:EA Download Manager"
"C:\WINDOWS\system32\winlogon.exe"="C:\WINDOWS\system32\winlogon.exe:*:Enabled:winlogon"
"C:\WINDOWS\system32\nvsvc32.exe"="C:\WINDOWS\system32\nvsvc32.exe:*:Enabled:nvsvc32"
"C:\Program Files\VIA\RAID\raid_tool.exe"="C:\Program Files\VIA\RAID\raid_tool.exe:*:Enabled:raid_tool"
"C:\Program Files\Messenger\msmsgs.exe"="C:\Program Files\Messenger\msmsgs.exe:*:Enabled:msmsgs"
"C:\Program Files\DAEMON Tools Lite\daemon.exe"="C:\Program Files\DAEMON Tools Lite\daemon.exe:*:Enabled:daemon"
"C:\WINDOWS\system32\PnkBstrB.exe"="C:\WINDOWS\system32\PnkBstrB.exe:*:Enabled:PnkBstrB"
"C:\Program Files\Internet Explorer\iexplore.exe"="C:\Program Files\Internet Explorer\iexplore.exe:*:Enabled:iexplore"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

======List of files/folders created in the last 3 months======

65535-65535-31889 1707:31889:1771 ----ASH---- C:\WINDOWS\system32\wibotelo.dll
65535-65535-31889 1707:31889:1771 ----ASH---- C:\WINDOWS\system32\turepare.dll.tmp
65535-65535-31889 1707:31889:1771 ----ASH---- C:\WINDOWS\system32\jasutudo.dll
2009-01-09 14:35:34 ----A---- C:\WINDOWS\gmer.ini
2009-01-09 14:35:33 ----A---- C:\WINDOWS\gmer_uninstall.cmd
2009-01-09 14:35:33 ----A---- C:\WINDOWS\gmer.exe
2009-01-09 14:35:33 ----A---- C:\WINDOWS\gmer.dll
2009-01-09 14:25:14 ----D---- C:\rsit
2009-01-09 13:58:15 ----D---- C:\Documents and Settings\Number 6\Application Data\Malwarebytes
2009-01-09 13:58:06 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2009-01-09 13:58:06 ----D---- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2009-01-04 18:46:34 ----D---- C:\Program Files\Trend Micro
2009-01-04 18:09:53 ----AD---- C:\Documents and Settings\All Users\Application Data\TEMP
2009-01-04 12:55:36 ----D---- C:\Program Files\Perfect World Entertainment
2009-01-03 00:35:31 ----A---- C:\WINDOWS\system32\unicows.dll
2008-12-25 11:38:43 ----D---- C:\Program Files\Bethesda Softworks
2008-12-24 14:08:56 ----D---- C:\Documents and Settings\All Users\Application Data\Fallout3
2008-12-21 17:02:38 ----D---- C:\Documents and Settings\Number 6\Application Data\DAEMON Tools
2008-12-21 17:01:55 ----D---- C:\Documents and Settings\All Users\Application Data\DAEMON Tools Lite
2008-12-21 17:01:52 ----D---- C:\Program Files\DAEMON Tools Lite
2008-12-21 17:01:12 ----D---- C:\Documents and Settings\Number 6\Application Data\DAEMON Tools Lite
2008-12-21 16:50:19 ----D---- C:\Program Files\DAEMON Tools Pro
2008-12-21 16:50:19 ----D---- C:\Documents and Settings\All Users\Application Data\DAEMON Tools Pro
2008-12-21 16:49:05 ----D---- C:\Documents and Settings\Number 6\Application Data\DAEMON Tools Pro
2008-12-20 00:09:03 ----D---- C:\Program Files\BlackIsle
2008-12-17 19:57:59 ----D---- C:\WINDOWS\system32\CatRoot_bak
2008-12-17 18:37:39 ----HDC---- C:\WINDOWS\$NtUninstallKB951376-v2$
2008-12-17 18:37:36 ----HDC---- C:\WINDOWS\$NtUninstallKB952954$
2008-12-17 18:37:32 ----HDC---- C:\WINDOWS\$NtUninstallKB946648$
2008-12-17 18:37:29 ----HDC---- C:\WINDOWS\$NtUninstallKB956803$
2008-12-17 18:37:25 ----HDC---- C:\WINDOWS\$NtUninstallKB952069_WM9$
2008-12-17 18:37:22 ----HDC---- C:\WINDOWS\$NtUninstallKB955839$
2008-12-17 18:37:18 ----HDC---- C:\WINDOWS\$NtUninstallKB956391$
2008-12-17 18:37:14 ----HDC---- C:\WINDOWS\$NtUninstallKB957095$
2008-12-17 18:36:54 ----HDC---- C:\WINDOWS\$NtUninstallKB950974$
2008-12-17 18:36:50 ----HDC---- C:\WINDOWS\$NtUninstallKB951698$
2008-12-17 18:36:47 ----HDC---- C:\WINDOWS\$NtUninstallKB954211$
2008-12-17 18:36:40 ----HDC---- C:\WINDOWS\$NtUninstallKB956841$
2008-12-17 18:36:36 ----D---- C:\Program Files\MSXML 6.0
2008-12-17 18:36:16 ----HDC---- C:\WINDOWS\$NtUninstallKB925720$
2008-12-17 18:36:13 ----HDC---- C:\WINDOWS\$NtUninstallKB941569$
2008-12-17 18:36:04 ----HDC---- C:\WINDOWS\$NtUninstallKB950762$
2008-12-17 18:36:00 ----HDC---- C:\WINDOWS\$NtUninstallKB957097$
2008-12-17 18:35:57 ----HDC---- C:\WINDOWS\$NtUninstallKB952287$
2008-12-17 18:35:53 ----HDC---- C:\WINDOWS\$NtUninstallKB929399$
2008-12-17 18:35:44 ----HDC---- C:\WINDOWS\$NtUninstallKB951066$
2008-12-17 18:35:42 ----HDC---- C:\WINDOWS\$NtUninstallKB938464$
2008-12-17 18:35:38 ----HDC---- C:\WINDOWS\$NtUninstallKB954600$
2008-12-17 18:35:35 ----HDC---- C:\WINDOWS\$NtUninstallKB958644$
2008-12-17 18:35:31 ----HDC---- C:\WINDOWS\$NtUninstallKB955069$
2008-12-17 18:35:27 ----HDC---- C:\WINDOWS\$NtUninstallKB956802$
2008-12-17 18:35:24 ----HDC---- C:\WINDOWS\$NtUninstallKB954154_WM11$
2008-12-17 18:35:18 ----HDC---- C:\WINDOWS\$NtUninstallKB936782_WMP11$
2008-12-15 14:37:43 ----A---- C:\WINDOWS\QUAKEME.INI
2008-12-14 16:34:03 ----HD---- C:\WINDOWS\PIF
2008-12-14 09:24:47 ----D---- C:\Program Files\Quake
2008-11-01 04:10:18 ----A---- C:\WINDOWS\system32\XAudio2_1.dll
2008-11-01 04:10:18 ----A---- C:\WINDOWS\system32\XAPOFX1_0.dll
2008-11-01 04:10:18 ----A---- C:\WINDOWS\system32\xactengine3_1.dll
2008-11-01 04:10:18 ----A---- C:\WINDOWS\system32\X3DAudio1_4.dll
2008-11-01 04:10:18 ----A---- C:\WINDOWS\system32\D3DX9_38.dll
2008-11-01 04:10:18 ----A---- C:\WINDOWS\system32\d3dx10_38.dll
2008-11-01 04:10:18 ----A---- C:\WINDOWS\system32\D3DCompiler_38.dll
2008-11-01 04:10:04 ----D---- C:\WINDOWS\Logs
2008-11-01 04:09:12 ----D---- C:\Program Files\MSBuild
2008-11-01 04:06:31 ----D---- C:\WINDOWS\system32\XPSViewer
2008-11-01 04:06:07 ----D---- C:\Program Files\Reference Assemblies
2008-11-01 04:05:55 ----N---- C:\WINDOWS\system32\spmsg2.dll
2008-11-01 04:05:47 ----HDC---- C:\WINDOWS\$NtUninstallWIC$
2008-11-01 04:05:11 ----D---- C:\WINDOWS\system32\xlive
2008-10-25 08:09:15 ----D---- C:\Documents and Settings\All Users\Application Data\Blizzard

======List of files/folders modified in the last 3 months======

2009-01-09 14:35:57 ----D---- C:\Documents and Settings\Number 6\Application Data\DNA
2009-01-09 14:35:43 ----D---- C:\WINDOWS\Prefetch
2009-01-09 14:35:34 ----D---- C:\WINDOWS
2009-01-09 14:35:33 ----D---- C:\WINDOWS\system32\drivers
2009-01-09 14:34:52 ----D---- C:\WINDOWS\Temp
2009-01-09 14:15:55 ----D---- C:\Program Files\DNA
2009-01-09 14:15:33 ----D---- C:\WINDOWS\system32
2009-01-09 14:15:04 ----N---- C:\WINDOWS\SchedLgU.Txt
2009-01-09 13:58:06 ----RD---- C:\Program Files
2009-01-04 18:23:55 ----D---- C:\WINDOWS\system32\CatRoot2
2009-01-04 18:23:55 ----D---- C:\WINDOWS\system32\CatRoot
2009-01-04 18:22:13 ----HD---- C:\WINDOWS\inf
2009-01-04 18:10:55 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI
2009-01-04 12:46:24 ----D---- C:\Documents and Settings\Number 6\Application Data\BitTorrent
2008-12-31 12:16:17 ----D---- C:\WINDOWS\system32\DirectX
2008-12-31 12:16:16 ----RSD---- C:\WINDOWS\assembly
2008-12-31 12:11:33 ----D---- C:\Program Files\Electronic Arts
2008-12-25 11:41:38 ----D---- C:\WINDOWS\Microsoft.NET
2008-12-25 11:38:48 ----HD---- C:\Program Files\InstallShield Installation Information
2008-12-25 11:37:59 ----SHD---- C:\WINDOWS\Installer
2008-12-25 11:37:19 ----D---- C:\WINDOWS\WinSxS
2008-12-21 14:31:55 ----A---- C:\WINDOWS\system.ini
2008-12-20 00:09:51 ----A---- C:\WINDOWS\ipuninst.exe
2008-12-17 19:57:59 ----D---- C:\WINDOWS\Debug
2008-12-17 19:56:21 ----RSHDC---- C:\WINDOWS\system32\dllcache
2008-12-17 18:37:39 ----HD---- C:\WINDOWS\$hf_mig$
2008-12-17 18:37:34 ----D---- C:\Program Files\Messenger
2008-12-17 18:37:09 ----D---- C:\Program Files\Internet Explorer
2008-12-17 18:37:05 ----D---- C:\WINDOWS\ie7updates
2008-12-17 18:16:57 ----D---- C:\WINDOWS\Help
2008-12-14 17:21:43 ----D---- C:\Documents and Settings\Number 6\Application Data\IGN_DLM
2008-12-14 10:25:36 ----D---- C:\Program Files\Download Manager
2008-12-13 01:40:02 ----A---- C:\WINDOWS\system32\mshtml.dll
2008-12-12 12:11:02 ----A---- C:\WINDOWS\system32\PnkBstrB.exe
2008-12-12 12:06:23 ----ASD---- C:\Documents and Settings\All Users\Application Data\Microsoft
2008-12-12 12:06:23 ----AD---- C:\Program Files\Outlook Express
2008-12-12 12:06:23 ----AD---- C:\Program Files\Common Files\System
2008-12-08 10:51:12 ----SD---- C:\WINDOWS\Downloaded Program Files
2008-12-07 10:24:57 ----D---- C:\Program Files\Common Files
2008-11-15 16:31:58 ----D---- C:\WINDOWS\nview
2008-11-01 04:23:24 ----A---- C:\WINDOWS\system32\CmdLineExt.dll
2008-11-01 04:06:30 ----D---- C:\WINDOWS\system32\en-US
2008-11-01 04:06:28 ----RSD---- C:\WINDOWS\Fonts
2008-11-01 04:05:59 ----D---- C:\WINDOWS\system32\spool
2008-10-30 08:15:03 ----D---- C:\WINDOWS\network diagnostic
2008-10-23 08:01:36 ----A---- C:\WINDOWS\system32\gdi32.dll
2008-10-22 04:47:07 ----N---- C:\WINDOWS\system32\tzchange.exe
2008-10-19 15:32:21 ----SH---- C:\boot.ini
2008-10-19 15:32:21 ----A---- C:\WINDOWS\win.ini
2008-10-16 15:38:40 ----A---- C:\WINDOWS\system32\wininet.dll
2008-10-16 15:38:39 ----A---- C:\WINDOWS\system32\webcheck.dll
2008-10-16 15:38:39 ----A---- C:\WINDOWS\system32\urlmon.dll
2008-10-16 15:38:39 ----A---- C:\WINDOWS\system32\url.dll
2008-10-16 15:38:39 ----A---- C:\WINDOWS\system32\pngfilt.dll
2008-10-16 15:38:39 ----A---- C:\WINDOWS\system32\occache.dll
2008-10-16 15:38:39 ----A---- C:\WINDOWS\system32\mstime.dll
2008-10-16 15:38:38 ----A---- C:\WINDOWS\system32\msrating.dll
2008-10-16 15:38:38 ----A---- C:\WINDOWS\system32\mshtmled.dll
2008-10-16 15:38:37 ----A---- C:\WINDOWS\system32\msfeedsbs.dll
2008-10-16 15:38:37 ----A---- C:\WINDOWS\system32\msfeeds.dll
2008-10-16 15:38:37 ----A---- C:\WINDOWS\system32\jsproxy.dll
2008-10-16 15:38:37 ----A---- C:\WINDOWS\system32\iertutil.dll
2008-10-16 15:38:37 ----A---- C:\WINDOWS\system32\iernonce.dll
2008-10-16 15:38:37 ----A---- C:\WINDOWS\system32\ieframe.dll
2008-10-16 15:38:35 ----A---- C:\WINDOWS\system32\iedkcs32.dll
2008-10-16 15:38:35 ----A---- C:\WINDOWS\system32\ieapfltr.dll
2008-10-16 15:38:35 ----A---- C:\WINDOWS\system32\ieaksie.dll
2008-10-16 15:38:35 ----A---- C:\WINDOWS\system32\ieakeng.dll
2008-10-16 15:38:35 ----A---- C:\WINDOWS\system32\icardie.dll
2008-10-16 15:38:35 ----A---- C:\WINDOWS\system32\extmgr.dll
2008-10-16 15:38:34 ----A---- C:\WINDOWS\system32\dxtrans.dll
2008-10-16 15:38:34 ----A---- C:\WINDOWS\system32\dxtmsft.dll
2008-10-16 15:38:34 ----A---- C:\WINDOWS\system32\advpack.dll
2008-10-16 14:13:40 ----A---- C:\WINDOWS\system32\wuweb.dll
2008-10-16 14:13:40 ----A---- C:\WINDOWS\system32\wuaueng.dll
2008-10-16 14:12:22 ----A---- C:\WINDOWS\system32\wucltui.dll
2008-10-16 14:12:20 ----A---- C:\WINDOWS\system32\wuapi.dll
2008-10-16 14:09:44 ----A---- C:\WINDOWS\system32\wups2.dll
2008-10-16 14:09:44 ----A---- C:\WINDOWS\system32\wuauclt.exe
2008-10-16 14:09:44 ----A---- C:\WINDOWS\system32\cdm.dll
2008-10-16 14:09:40 ----A---- C:\WINDOWS\system32\wucltui.dll.mui
2008-10-16 14:08:58 ----A---- C:\WINDOWS\system32\wups.dll
2008-10-16 14:07:44 ----A---- C:\WINDOWS\system32\wuapi.dll.mui
2008-10-16 14:07:14 ----A---- C:\WINDOWS\system32\wuaueng.dll.mui
2008-10-16 08:11:09 ----A---- C:\WINDOWS\system32\ieudinit.exe
2008-10-16 08:11:09 ----A---- C:\WINDOWS\system32\ie4uinit.exe
2008-10-15 11:57:55 ----A---- C:\WINDOWS\system32\netapi32.dll
2008-10-15 02:04:53 ----A---- C:\WINDOWS\system32\ieakui.dll

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 intelppm;Intel Processor Driver; C:\WINDOWS\system32\DRIVERS\intelppm.sys [2004-08-04 36096]
R1 kbdhid;Keyboard HID Driver; C:\WINDOWS\system32\DRIVERS\kbdhid.sys [2004-08-04 14848]
R1 vcdrom;Virtual CD-ROM Device Driver; \??\C:\WINDOWS\system32\drivers\VCdRom.sys []
R3 ALCXWDM;Service for Realtek AC97 Audio (WDM); C:\WINDOWS\system32\drivers\ALCXWDM.SYS [2006-05-19 3965056]
R3 FETND5BV;VIA Rhine-Family Fast Ethernet Adapter Driver Service; C:\WINDOWS\system32\DRIVERS\fetnd5bv.sys [2004-12-16 42496]
R3 hidusb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2004-08-04 9600]
R3 nv;nv; C:\WINDOWS\system32\DRIVERS\nv4_mini.sys [2008-09-17 6132576]
R3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2004-08-04 31616]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2004-08-04 26624]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2004-08-04 57600]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2004-08-04 20480]
S3 a94d75gp;a94d75gp; C:\WINDOWS\system32\drivers\a94d75gp.sys []
S3 FETNDIS;VIA PCI 10/100Mb Fast Ethernet Adapter NT Driver; C:\WINDOWS\system32\DRIVERS\fetnd5.sys [2001-08-17 27165]
S3 gmer;gmer; C:\WINDOWS\System32\DRIVERS\gmer.sys [2009-01-09 85969]
S3 mouhid;Mouse HID Driver; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2001-08-17 12160]
S3 PnkBstrK;PnkBstrK; \??\C:\WINDOWS\system32\drivers\PnkBstrK.sys []
S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2004-08-03 26496]
S3 WudfPf;Windows Driver Foundation - User-mode Driver Framework Platform Driver; C:\WINDOWS\system32\DRIVERS\WudfPf.sys [2006-09-28 77568]
S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2006-09-28 82944]
S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys []
S4 sr;System Restore Filter Driver; C:\WINDOWS\system32\DRIVERS\sr.sys [2004-08-04 73472]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 NVSvc;NVIDIA Display Driver Service; C:\WINDOWS\system32\nvsvc32.exe [2008-09-17 163908]
R2 PnkBstrA;PnkBstrA; C:\WINDOWS\system32\PnkBstrA.exe [2007-11-02 66872]
R2 PnkBstrB;PnkBstrB; C:\WINDOWS\system32\PnkBstrB.exe [2008-12-12 201816]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2007-04-13 33632]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2007-04-13 68952]
S3 FontCache3.0.0.0;Windows Presentation Foundation Font Cache 3.0.0.0; c:\WINDOWS\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe [2006-10-20 36864]
S3 gusvc;Google Updater Service; C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-03-16 138168]
S3 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe [2005-04-04 69632]
S3 idsvc;Windows CardSpace; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe [2006-10-30 741376]
S3 WMPNetworkSvc;Windows Media Player Network Sharing Service; C:\Program Files\Windows Media Player\WMPNetwk.exe [2006-10-18 913408]
S3 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2004-08-04 14336]
S4 NetTcpPortSharing;Net.Tcp Port Sharing Service; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe [2006-10-30 122880]

-----------------EOF-----------------

Edited by Dr. Weird, 09 January 2009 - 02:48 PM.


#5 Dr. Weird

Dr. Weird
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Local time:09:49 AM

Posted 09 January 2009 - 02:49 PM

GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2009-01-09 14:39:36
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.14 ----

SSDT spds.sys ZwCreateKey [0xBA6A80E0]
SSDT spds.sys ZwEnumerateKey [0xBA6C6CA2]
SSDT spds.sys ZwEnumerateValueKey [0xBA6C7030]
SSDT spds.sys ZwOpenKey [0xBA6A80C0]
SSDT spds.sys ZwQueryKey [0xBA6C7108]
SSDT spds.sys ZwQueryValueKey [0xBA6C6F88]
SSDT spds.sys ZwSetValueKey [0xBA6C719A]

INT 0x62 ? 89DE6BF8
INT 0x63 ? 89C33F00
INT 0x63 ? 89C33F00
INT 0x63 ? 89C33F00
INT 0x63 ? 89C33F00
INT 0x63 ? 89C33F00
INT 0x63 ? 89C33F00
INT 0x82 ? 89DE6BF8
INT 0x83 ? 89DE8BF8

---- Kernel code sections - GMER 1.0.14 ----

? okkp.sys The system cannot find the file specified. !
? spds.sys The system cannot find the file specified. !
.text USBPORT.SYS!DllUnload B976D62C 5 Bytes JMP 89C334E0
.text a94d75gp.SYS B9332386 35 Bytes [ 00, 00, 00, 00, 00, 00, 20, ... ]
.text a94d75gp.SYS B93323AA 24 Bytes [ 00, 00, 00, 00, 00, 00, 00, ... ]
.text a94d75gp.SYS B93323C4 3 Bytes [ 00, 70, 02 ]
.text a94d75gp.SYS B93323C9 1 Byte [ 2E ]
.text a94d75gp.SYS B93323CB 9 Bytes [ 00, 00, 5C, 02, 00, 00, 00, ... ]
.text ...

---- User code sections - GMER 1.0.14 ----

.text C:\Program Files\Internet Explorer\iexplore.exe[148] USER32.dll!DialogBoxParamW 7E42555F 5 Bytes JMP 42F0F301 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[148] USER32.dll!DialogBoxIndirectParamW 7E432032 5 Bytes JMP 430A179F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[148] USER32.dll!MessageBoxIndirectA 7E43A04A 5 Bytes JMP 430A1720 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[148] USER32.dll!DialogBoxParamA 7E43B10C 5 Bytes JMP 430A1764 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[148] USER32.dll!MessageBoxExW 7E4505D8 5 Bytes JMP 430A16AC C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[148] USER32.dll!MessageBoxExA 7E4505FC 5 Bytes JMP 430A16E6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[148] USER32.dll!DialogBoxIndirectParamA 7E456B50 5 Bytes JMP 430A17DA C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[148] USER32.dll!MessageBoxIndirectW 7E4662AB 5 Bytes JMP 42F316B6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

---- Kernel IAT/EAT - GMER 1.0.14 ----

IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [BA6A9040] spds.sys
IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [BA6A913C] spds.sys
IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [BA6A90BE] spds.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [BA6A97FC] spds.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [BA6A96D2] spds.sys
IAT \SystemRoot\System32\Drivers\a94d75gp.SYS[HAL.dll!KfAcquireSpinLock] 8A000002
IAT \SystemRoot\System32\Drivers\a94d75gp.SYS[HAL.dll!READ_PORT_UCHAR] 83880846
IAT \SystemRoot\System32\Drivers\a94d75gp.SYS[HAL.dll!KeGetCurrentIrql] 000001C0
IAT \SystemRoot\System32\Drivers\a94d75gp.SYS[HAL.dll!KfRaiseIrql] 2C4EB70F
IAT \SystemRoot\System32\Drivers\a94d75gp.SYS[HAL.dll!KfLowerIrql] 8303C183
IAT \SystemRoot\System32\Drivers\a94d75gp.SYS[HAL.dll!HalGetInterruptVector] D103FCE1
IAT \SystemRoot\System32\Drivers\a94d75gp.SYS[HAL.dll!HalTranslateBusAddress] 2E7E8366
IAT \SystemRoot\System32\Drivers\a94d75gp.SYS[HAL.dll!KeStallExecutionProcessor] 8D1C7400
IAT \SystemRoot\System32\Drivers\a94d75gp.SYS[HAL.dll!KfReleaseSpinLock] 83893204
IAT \SystemRoot\System32\Drivers\a94d75gp.SYS[HAL.dll!READ_PORT_BUFFER_USHORT] 00000218
IAT \SystemRoot\System32\Drivers\a94d75gp.SYS[HAL.dll!READ_PORT_USHORT] 2E4EB70F
IAT \SystemRoot\System32\Drivers\a94d75gp.SYS[HAL.dll!WRITE_PORT_BUFFER_USHORT] 021C8B89
IAT \SystemRoot\System32\Drivers\a94d75gp.SYS[HAL.dll!WRITE_PORT_UCHAR] B70F0000
IAT \SystemRoot\System32\Drivers\a94d75gp.SYS[WMILIB.SYS!WmiSystemControl] 03D00304
IAT \SystemRoot\System32\Drivers\a94d75gp.SYS[WMILIB.SYS!WmiCompleteRequest] 0CB389F2
IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [BA6B9048] spds.sys

---- Devices - GMER 1.0.14 ----

Device \FileSystem\Ntfs \Ntfs 89E561F8
Device \FileSystem\Fastfat \FatCdrom 89A97500
Device \FileSystem\Udfs \UdfsCdRom 89BA81F8
Device \FileSystem\Udfs \UdfsDisk 89BA81F8
Device \Driver\usbuhci \Device\USBPDO-0 89C30500
Device \Driver\usbuhci \Device\USBPDO-1 89C30500
Device \Driver\usbuhci \Device\USBPDO-2 89C30500
Device \Driver\usbuhci \Device\USBPDO-3 89C30500
Device \Driver\NetBT \Device\NetBT_Tcpip_{0B00B212-3CC7-4C43-A908-31A5F389F120} 895271F8
Device \Driver\usbehci \Device\USBPDO-4 89C11500
Device \Driver\Ftdisk \Device\HarddiskVolume1 89E581F8
Device \Driver\Cdrom \Device\CdRom0 89C1F500
Device \Driver\atapi \Device\Ide\IdePort0 89DE61F8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 89DE61F8
Device \Driver\atapi \Device\Ide\IdePort1 89DE61F8
Device \Driver\Cdrom \Device\CdRom1 89C1F500
Device \Driver\Cdrom \Device\CdRom2 89C1F500
Device \Driver\Cdrom \Device\CdRom3 89C1F500
Device \Driver\PCI_PNP5212 \Device\0000003c spds.sys
Device \Driver\NetBT \Device\NetBt_Wins_Export 895271F8
Device \Driver\NetBT \Device\NetbiosSmb 895271F8
Device \Driver\usbuhci \Device\USBFDO-0 89C30500
Device \Driver\usbuhci \Device\USBFDO-1 89C30500
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 895011F8
Device \Driver\usbuhci \Device\USBFDO-2 89C30500
Device \FileSystem\MRxSmb \Device\LanmanRedirector 895011F8
Device \Driver\usbuhci \Device\USBFDO-3 89C30500
Device \Driver\usbehci \Device\USBFDO-4 89C11500
Device \Driver\Ftdisk \Device\FtControl 89E581F8
Device \Driver\a94d75gp \Device\Scsi\a94d75gp1Port3Path0Target1Lun0 89B971F8
Device \Driver\viamraid \Device\Scsi\viamraid1 89E571F8
Device \Driver\a94d75gp \Device\Scsi\a94d75gp1 89B971F8
Device \Driver\viamraid \Device\Scsi\viamraid1Port2Path0Target0Lun0 89E571F8
Device \Driver\a94d75gp \Device\Scsi\a94d75gp1Port3Path0Target2Lun0 89B971F8
Device \Driver\a94d75gp \Device\Scsi\a94d75gp1Port3Path0Target0Lun0 89B971F8
Device \Driver\sptd \Device\2742776462 spds.sys
Device \FileSystem\Fastfat \Fat 89A97500
Device \FileSystem\Cdfs \Cdfs 895DD500

---- Registry - GMER 1.0.14 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x87 0xB1 0x16 0xB4 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xBE 0x03 0x1A 0x99 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0xC9 0x5E 0x3C 0x64 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41@khjeh 0x82 0xA1 0x42 0xC6 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42@khjeh 0x02 0xF1 0x40 0x22 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x87 0xB1 0x16 0xB4 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xBE 0x03 0x1A 0x99 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0xC9 0x5E 0x3C 0x64 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41@khjeh 0x82 0xA1 0x42 0xC6 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42@khjeh 0x02 0xF1 0x40 0x22 ...

---- EOF - GMER 1.0.14 ----

#6 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • OFFLINE
  •  
  • Local time:09:49 PM

Posted 10 January 2009 - 03:30 PM

IMPORTANT!! Uninstall these programs first (if present..) so that they won't interfere with our fixes..

1. Lavasoft Ad-Aware
2. Spybot - Search & Destroy
3. Viewpoint (all of them..)



Please download JavaRa to your desktop and unzip it to its own folder. <<MIRROR>>
  • Run JavaRa.exe, pick the language of your choice and click Select. Then click Remove Older Versions.
  • Accept any prompts.
Then, please download and install the latest Java from HERE




NEXT


Please re-open HijackThis and click on Do a system scan only. Check the boxes next to all the entries listed below.

O20 - AppInit_DLLs: C:\WINDOWS\system32\lemovefo.dll

Now close all windows other than HijackThis, then click Fix checked. Close HijackThis.




NEXT


Please download the OTMoveIt3 by OldTimer
  • Save it to your Desktop.
  • Please double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
  • Let the Unregister Dll's and Ocx's remain ticked and Zip Files After Moves remain unticked..
  • Copy the codebox contents and paste it to the "Paste List of Files/Folders to Move" window (under the light Yellow bar)

    :processes
    explorer.exe
    
    :services
    
    :files
    C:\WINDOWS\system32\lemovefo.dll 
    C:\WINDOWS\system32\wibotelo.dll
    C:\WINDOWS\system32\turepare.dll.tmp
    C:\WINDOWS\system32\jasutudo.dll
    
    :reg
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
    "Notification Packages"=hex(7):73,63,65,63,6c,69,00,00
    
    :commands
    [purity]
    [emptytemp]
    [start explorer]
    [reboot]
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt3
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.



Run RSIT again... Post these logs in your next reply..

1. OTMoveIt3
2. RSIT log.txt

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive
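Added example, not from this thread or from any of the tools it uses: a Python decoder for the hex(7) (REG_MULTI_SZ) form used in the OTMoveIt :reg section above, plus an offline audit of the two persistence points the fix targets (LSA "Notification Packages" and AppInit_DLLs). The registry export text is constructed; the scecli name and the DLL names are taken from the thread's logs, and the UTF-16 detection for regedit-style exports is a heuristic on zero high bytes.

```python
"""Decode the hex(7) (REG_MULTI_SZ) literal used in .reg files and OTMoveIt
:reg sections, then audit two Virtumonde persistence points seen in this
thread: the LSA "Notification Packages" list and AppInit_DLLs."""
import re

LSA_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa"
APPINIT_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"
# The only notification package a stock Windows XP installation registers.
EXPECTED_PACKAGES = {"scecli"}


def decode_hex7(literal):
    """Turn 'hex(7):73,63,...' into the list of strings it encodes.
    OTMoveIt writes single-byte (ANSI) text, as in the fix above; regedit's own
    exports are UTF-16LE, recognised here (heuristically) by zero high bytes."""
    m = re.fullmatch(r"hex\(7\):((?:[0-9a-fA-F]{2},?)*)", literal.strip())
    if not m:
        raise ValueError("not a hex(7) literal: %r" % literal)
    raw = bytes(int(b, 16) for b in m.group(1).split(",") if b)
    if len(raw) >= 2 and len(raw) % 2 == 0 and not any(raw[1::2]):
        text = raw.decode("utf-16-le")
    else:
        text = raw.decode("latin-1")
    strings = []
    for part in text.split("\x00"):
        if part == "":  # an empty string terminates a REG_MULTI_SZ
            break
        strings.append(part)
    return strings


def encode_hex7(strings, utf16=False):
    """Inverse of decode_hex7. The default ANSI form reproduces the literal
    OTMoveIt uses to reset the list to scecli alone."""
    text = "".join(s + "\x00" for s in strings) + "\x00"
    raw = text.encode("utf-16-le" if utf16 else "latin-1")
    return "hex(7):" + ",".join("%02x" % b for b in raw)


def decode_sz(literal):
    """Unquote a .reg string value and undo its backslash escaping."""
    s = literal.strip()
    if s.startswith('"') and s.endswith('"'):
        s = s[1:-1]
    return re.sub(r'\\(["\\])', r"\1", s)


def parse_reg(text):
    """Parse the .reg subset used here: [Key] headers and "Name"=value lines.
    Hex values that regedit wraps with a trailing ',\\' are joined first."""
    text = re.sub(r",\\\r?\n[ \t]*", ",", text)
    values, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and line.startswith('"') and '"=' in line:
            name, _, val = line[1:].partition('"=')
            values[(key, name)] = val
    return values


def audit(reg_text):
    """Return (location, entry) pairs worth a look: any notification package
    outside the allowlist, plus every AppInit_DLLs entry (reported for review
    regardless of name, as the helper's fix above treats them)."""
    values = parse_reg(reg_text)
    findings = []
    packages = values.get((LSA_KEY, "Notification Packages"), "hex(7):00,00")
    for pkg in decode_hex7(packages):
        if pkg.lower() not in EXPECTED_PACKAGES:
            findings.append(("Notification Packages", pkg))
    appinit = decode_sz(values.get((APPINIT_KEY, "AppInit_DLLs"), '""'))
    for dll in re.split(r"[ ,]+", appinit):
        if dll:
            findings.append(("AppInit_DLLs", dll))
    return findings


# Constructed sample modelled on the RSIT registry dump in this thread.
INFECTED_EXPORT = (
    "Windows Registry Editor Version 5.00\n\n[%s]\n" % LSA_KEY
    + '"Notification Packages"=%s\n\n' % encode_hex7(
        ["scecli", r"C:\WINDOWS\system32\wokoguri.dll", r"C:\WINDOWS\system32\hujinuya.dll"])
    + "[%s]\n" % APPINIT_KEY
    + r'"AppInit_DLLs"="C:\\WINDOWS\\system32\\wokoguri.dll C:\\WINDOWS\\system32\\hujinuya.dll"'
    + "\n"
)

# Constructed clean export in regedit's own (UTF-16LE, line-wrapped) style.
CLEAN_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Notification Packages"=hex(7):73,00,63,00,65,00,63,00,\
  6c,00,69,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
"""

if __name__ == "__main__":
    for location, entry in audit(INFECTED_EXPORT):
        print("REVIEW %-22s %s" % (location, entry))
    print("clean export findings:", audit(CLEAN_EXPORT))
    print("reset literal:", encode_hex7(["scecli"]))
```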


#7 Dr. Weird

Dr. Weird
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Local time:09:49 AM

Posted 11 January 2009 - 09:26 AM

========== PROCESSES ==========
Process explorer.exe killed successfully.
========== SERVICES/DRIVERS ==========
========== FILES ==========
File/Folder C:\WINDOWS\system32\lemovefo.dll not found.
LoadLibrary failed for C:\WINDOWS\system32\wibotelo.dll
C:\WINDOWS\system32\wibotelo.dll NOT unregistered.
C:\WINDOWS\system32\wibotelo.dll moved successfully.
C:\WINDOWS\system32\turepare.dll.tmp moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\jasutudo.dll
C:\WINDOWS\system32\jasutudo.dll NOT unregistered.
C:\WINDOWS\system32\jasutudo.dll moved successfully.
========== REGISTRY ==========
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\"Notification Packages"|hex(7):73,63,65,63,6c,69,00,00 /E : value set successfully!
========== COMMANDS ==========
User's Temp folder emptied.
User's Temporary Internet Files folder emptied.
User's Internet Explorer cache folder emptied.
Local Service Temp folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
Local Service Temporary Internet Files folder emptied.
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_8e0.dat scheduled to be deleted on reboot.
Windows Temp folder emptied.
Java cache emptied.
Temp folders emptied.
Explorer started successfully

OTMoveIt3 by OldTimer - Version 1.0.8.0 log created on 01112009_091734

Files moved on Reboot...
File move failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be moved on reboot.
File C:\WINDOWS\temp\Perflib_Perfdata_8e0.dat not found!

Edited by Dr. Weird, 11 January 2009 - 09:31 AM.


#8 Dr. Weird

Dr. Weird
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Local time:09:49 AM

Posted 11 January 2009 - 09:31 AM

Logfile of random's system information tool 1.05 (written by random/random)
Run by Number 6 at 2009-01-11 09:23:03
Microsoft Windows XP Home Edition Service Pack 2
System drive C: has 111 GB (72%) free of 153 GB
Total RAM: 2047 MB (82% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:23:07 AM, on 1/11/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\WINDOWS\notepad.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\VIA\RAID\raid_tool.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\DNA\btdna.exe
C:\Program Files\Electronic Arts\EADM\Core.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Number 6\Desktop\RSIT.exe
C:\Program Files\Trend Micro\HijackThis\Number 6.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: (no name) - {9c89a1ec-900f-4fb1-bd8e-42316c969c07} - C:\WINDOWS\system32\pojavoru.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [RaidTool] C:\Program Files\VIA\RAID\raid_tool.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [zolajusivu] Rundll32.exe "C:\WINDOWS\system32\hekomuno.dll",s
O4 - HKLM\..\Run: [d82dbb21] rundll32.exe "C:\WINDOWS\system32\wunukuna.dll",b
O4 - HKLM\..\Run: [CPMdb1e88bd] Rundll32.exe "c:\windows\system32\yijazowi.dll",a
O4 - HKCU\..\Run: [igndlm.exe] C:\Program Files\Download Manager\DLM.exe /windowsstart /startifwork
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [EA Core] "C:\Program Files\Electronic Arts\EADM\Core.exe" -silent
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKUS\S-1-5-19\..\Run: [zolajusivu] Rundll32.exe "C:\WINDOWS\system32\hekomuno.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [zolajusivu] Rundll32.exe "C:\WINDOWS\system32\hekomuno.dll",s (User 'NETWORK SERVICE')
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/200707...ex/qtplugin.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.7.109.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://sdlc-esd.sun.com/ESD5/JSCDL/jre/6u1...41104281095a1d09267462231&GroupName=JSC&FilePath=/ESD5/JSCDL/jre/6u11-b90/jinstall-6u11-windows-i586-jc.cab&File=jinstall-6u11-windows-i586-jc.cab&BHost=javadl.sun.com
O20 - AppInit_DLLs: C:\WINDOWS\system32\wokoguri.dll C:\WINDOWS\system32\hujinuya.dll c:\windows\system32\yijazowi.dll
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\yijazowi.dll
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\yijazowi.dll
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe

--
End of file - 6594 bytes

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
Adobe PDF Reader Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll [2006-10-22 62080]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
Java™ Plug-In SSV Helper - C:\Program Files\Java\jre6\bin\ssv.dll [2009-01-11 320920]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9c89a1ec-900f-4fb1-bd8e-42316c969c07}]
C:\WINDOWS\system32\pojavoru.dll [65535-65535-31889 66677]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}]
Google Toolbar Helper - c:\program files\google\googletoolbar1.dll [2008-03-16 2403392]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java™ Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2009-01-11 34816]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}]
JQSIEStartDetectorImpl Class - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll [2009-01-11 73728]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{2318C2B1-4965-11d4-9B18-009027A5CD4F} - &Google - c:\program files\google\googletoolbar1.dll [2008-03-16 2403392]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"=C:\WINDOWS\SOUNDMAN.EXE [2006-03-02 577536]
"NvCplDaemon"=C:\WINDOWS\system32\NvCpl.dll [2008-09-17 13574144]
"nwiz"=nwiz.exe /install []
"QuickTime Task"=C:\Program Files\QuickTime\qttask.exe [2007-09-17 286720]
"Adobe Reader Speed Launcher"=C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe [2008-01-11 39792]
"RaidTool"=C:\Program Files\VIA\RAID\raid_tool.exe [2005-06-20 1056768]
"NvMediaCenter"=C:\WINDOWS\system32\NvMcTray.dll [2008-09-17 86016]
"SunJavaUpdateSched"=C:\Program Files\Java\jre6\bin\jusched.exe [2009-01-11 136600]
"zolajusivu"=C:\WINDOWS\system32\hekomuno.dll [65535-65535-31889 66677]
"d82dbb21"=C:\WINDOWS\system32\wunukuna.dll [2009-01-11 91364]
"CPMdb1e88bd"=c:\windows\system32\yijazowi.dll [2009-01-11 103092]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"igndlm.exe"=C:\Program Files\Download Manager\DLM.exe [2008-08-01 1103216]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2004-08-04 15360]
"MSMSGS"=C:\Program Files\Messenger\msmsgs.exe [2004-10-13 1694208]
"BitTorrent DNA"=C:\Program Files\DNA\btdna.exe [2008-12-19 342848]
"EA Core"=C:\Program Files\Electronic Arts\EADM\Core.exe [2009-01-07 3321856]
"DAEMON Tools Lite"=C:\Program Files\DAEMON Tools Lite\daemon.exe [2008-12-10 216520]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLS"="C:\WINDOWS\system32\wokoguri.dll C:\WINDOWS\system32\hujinuya.dll c:\windows\system32\yijazowi.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
C:\WINDOWS\system32\WgaLogon.dll [2007-03-15 236928]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]
SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\yijazowi.dll [2009-01-11 103092]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\SharedTaskScheduler]
STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\yijazowi.dll [2009-01-11 103092]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"notification packages"=scecli
C:\WINDOWS\system32\wokoguri.dll
C:\WINDOWS\system32\hujinuya.dll

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\World of Warcraft\WoW-1.12.0-enUS-downloader.exe"="C:\Program Files\World of Warcraft\WoW-1.12.0-enUS-downloader.exe:*:Enabled:Blizzard Downloader"
"C:\Program Files\World of Warcraft\WoW-1.12.x-to-2.0.1-enUS-patch-downloader.exe"="C:\Program Files\World of Warcraft\WoW-1.12.x-to-2.0.1-enUS-patch-downloader.exe:*:Enabled:Blizzard Downloader"
"C:\Program Files\World of Warcraft\WoW-2.0.3-enUS-downloader.exe"="C:\Program Files\World of Warcraft\WoW-2.0.3-enUS-downloader.exe:*:Enabled:Blizzard Downloader"
"C:\Program Files\World of Warcraft\WoW-2.0.3.6299-to-2.0.12.6546-enUS-downloader.exe"="C:\Program Files\World of Warcraft\WoW-2.0.3.6299-to-2.0.12.6546-enUS-downloader.exe:*:Enabled:Blizzard Downloader"
"C:\Program Files\World of Warcraft\BackgroundDownloader.exe"="C:\Program Files\World of Warcraft\BackgroundDownloader.exe:*:Enabled:Blizzard Downloader"
"C:\Program Files\Sony\Station\LaunchPad\LaunchPad.exe"="C:\Program Files\Sony\Station\LaunchPad\LaunchPad.exe:*:Enabled:LaunchPad"
"C:\Program Files\Azureus\Azureus.exe"="C:\Program Files\Azureus\Azureus.exe:*:Enabled:Azureus"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\THQ\Dawn Of War\W40k.exe"="C:\Program Files\THQ\Dawn Of War\W40k.exe:*:Enabled:W40k"
"C:\Program Files\DNA\btdna.exe"="C:\Program Files\DNA\btdna.exe:*:Enabled:DNA"
"C:\Program Files\BitTorrent\bittorrent.exe"="C:\Program Files\BitTorrent\bittorrent.exe:*:Enabled:BitTorrent"
"C:\WINDOWS\explorer.exe"="C:\WINDOWS\explorer.exe:*:Enabled:Explorer"
"C:\WINDOWS\system32\logonui.exe"="C:\WINDOWS\system32\logonui.exe:*:Enabled:logonui"
"C:\Program Files\Electronic Arts\EADM\Core.exe"="C:\Program Files\Electronic Arts\EADM\Core.exe:*:Enabled:EA Download Manager"
"C:\WINDOWS\system32\winlogon.exe"="C:\WINDOWS\system32\winlogon.exe:*:Enabled:winlogon"
"C:\WINDOWS\system32\nvsvc32.exe"="C:\WINDOWS\system32\nvsvc32.exe:*:Enabled:nvsvc32"
"C:\Program Files\VIA\RAID\raid_tool.exe"="C:\Program Files\VIA\RAID\raid_tool.exe:*:Enabled:raid_tool"
"C:\Program Files\Messenger\msmsgs.exe"="C:\Program Files\Messenger\msmsgs.exe:*:Enabled:msmsgs"
"C:\Program Files\DAEMON Tools Lite\daemon.exe"="C:\Program Files\DAEMON Tools Lite\daemon.exe:*:Enabled:daemon"
"C:\WINDOWS\system32\PnkBstrB.exe"="C:\WINDOWS\system32\PnkBstrB.exe:*:Enabled:PnkBstrB"
"C:\Program Files\Internet Explorer\iexplore.exe"="C:\Program Files\Internet Explorer\iexplore.exe:*:Enabled:iexplore"
"C:\Documents and Settings\Number 6\Desktop\OTMoveIt3.exe"="C:\Documents and Settings\Number 6\Desktop\OTMoveIt3.exe:*:Enabled:OTMoveIt3"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

======List of files/folders created in the last 3 months======

65535-65535-31889 1707:31889:1771 ----ASH---- C:\WINDOWS\system32\yijazowi.dll
65535-65535-31889 1707:31889:1771 ----ASH---- C:\WINDOWS\system32\wunukuna.dll
65535-65535-31889 1707:31889:1771 ----ASH---- C:\WINDOWS\system32\savahusu.dll
65535-65535-31889 1707:31889:1771 ----ASH---- C:\WINDOWS\system32\pojavoru.dll
65535-65535-31889 1707:31889:1771 ----ASH---- C:\WINDOWS\system32\hujinuya.dll
65535-65535-31889 1707:31889:1771 ----ASH---- C:\WINDOWS\system32\hekomuno.dll
2009-01-11 09:18:24 ----SH---- C:\WINDOWS\system32\anukunuw.ini
2009-01-11 09:17:34 ----D---- C:\_OTMoveIt
2009-01-11 09:12:05 ----D---- C:\WINDOWS\Sun
2009-01-11 09:11:33 ----A---- C:\WINDOWS\system32\javaws.exe
2009-01-11 09:11:33 ----A---- C:\WINDOWS\system32\javaw.exe
2009-01-11 09:11:33 ----A---- C:\WINDOWS\system32\java.exe
2009-01-11 09:11:33 ----A---- C:\WINDOWS\system32\deploytk.dll
2009-01-11 09:11:23 ----D---- C:\Program Files\Java
2009-01-11 09:10:07 ----D---- C:\Documents and Settings\Number 6\Application Data\Sun
2009-01-09 20:01:12 ----D---- C:\Documents and Settings\All Users\Application Data\Electronic Arts
2009-01-09 14:35:34 ----A---- C:\WINDOWS\gmer.ini
2009-01-09 14:35:33 ----A---- C:\WINDOWS\gmer_uninstall.cmd
2009-01-09 14:35:33 ----A---- C:\WINDOWS\gmer.exe
2009-01-09 14:35:33 ----A---- C:\WINDOWS\gmer.dll
2009-01-09 14:25:14 ----D---- C:\rsit
2009-01-09 13:58:15 ----D---- C:\Documents and Settings\Number 6\Application Data\Malwarebytes
2009-01-09 13:58:06 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2009-01-09 13:58:06 ----D---- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2009-01-04 18:46:34 ----D---- C:\Program Files\Trend Micro
2009-01-04 18:09:53 ----AD---- C:\Documents and Settings\All Users\Application Data\TEMP
2009-01-04 12:55:36 ----D---- C:\Program Files\Perfect World Entertainment
2009-01-03 00:35:31 ----A---- C:\WINDOWS\system32\unicows.dll
2008-12-25 11:38:43 ----D---- C:\Program Files\Bethesda Softworks
2008-12-24 14:08:56 ----D---- C:\Documents and Settings\All Users\Application Data\Fallout3
2008-12-21 17:02:38 ----D---- C:\Documents and Settings\Number 6\Application Data\DAEMON Tools
2008-12-21 17:01:55 ----D---- C:\Documents and Settings\All Users\Application Data\DAEMON Tools Lite
2008-12-21 17:01:52 ----D---- C:\Program Files\DAEMON Tools Lite
2008-12-21 17:01:12 ----D---- C:\Documents and Settings\Number 6\Application Data\DAEMON Tools Lite
2008-12-21 16:50:19 ----D---- C:\Program Files\DAEMON Tools Pro
2008-12-21 16:50:19 ----D---- C:\Documents and Settings\All Users\Application Data\DAEMON Tools Pro
2008-12-21 16:49:05 ----D---- C:\Documents and Settings\Number 6\Application Data\DAEMON Tools Pro
2008-12-20 00:09:03 ----D---- C:\Program Files\BlackIsle
2008-12-17 19:57:59 ----D---- C:\WINDOWS\system32\CatRoot_bak
2008-12-17 18:37:39 ----HDC---- C:\WINDOWS\$NtUninstallKB951376-v2$
2008-12-17 18:37:36 ----HDC---- C:\WINDOWS\$NtUninstallKB952954$
2008-12-17 18:37:32 ----HDC---- C:\WINDOWS\$NtUninstallKB946648$
2008-12-17 18:37:29 ----HDC---- C:\WINDOWS\$NtUninstallKB956803$
2008-12-17 18:37:25 ----HDC---- C:\WINDOWS\$NtUninstallKB952069_WM9$
2008-12-17 18:37:22 ----HDC---- C:\WINDOWS\$NtUninstallKB955839$
2008-12-17 18:37:18 ----HDC---- C:\WINDOWS\$NtUninstallKB956391$
2008-12-17 18:37:14 ----HDC---- C:\WINDOWS\$NtUninstallKB957095$
2008-12-17 18:36:54 ----HDC---- C:\WINDOWS\$NtUninstallKB950974$
2008-12-17 18:36:50 ----HDC---- C:\WINDOWS\$NtUninstallKB951698$
2008-12-17 18:36:47 ----HDC---- C:\WINDOWS\$NtUninstallKB954211$
2008-12-17 18:36:40 ----HDC---- C:\WINDOWS\$NtUninstallKB956841$
2008-12-17 18:36:36 ----D---- C:\Program Files\MSXML 6.0
2008-12-17 18:36:16 ----HDC---- C:\WINDOWS\$NtUninstallKB925720$
2008-12-17 18:36:13 ----HDC---- C:\WINDOWS\$NtUninstallKB941569$
2008-12-17 18:36:04 ----HDC---- C:\WINDOWS\$NtUninstallKB950762$
2008-12-17 18:36:00 ----HDC---- C:\WINDOWS\$NtUninstallKB957097$
2008-12-17 18:35:57 ----HDC---- C:\WINDOWS\$NtUninstallKB952287$
2008-12-17 18:35:53 ----HDC---- C:\WINDOWS\$NtUninstallKB929399$
2008-12-17 18:35:44 ----HDC---- C:\WINDOWS\$NtUninstallKB951066$
2008-12-17 18:35:42 ----HDC---- C:\WINDOWS\$NtUninstallKB938464$
2008-12-17 18:35:38 ----HDC---- C:\WINDOWS\$NtUninstallKB954600$
2008-12-17 18:35:35 ----HDC---- C:\WINDOWS\$NtUninstallKB958644$
2008-12-17 18:35:31 ----HDC---- C:\WINDOWS\$NtUninstallKB955069$
2008-12-17 18:35:27 ----HDC---- C:\WINDOWS\$NtUninstallKB956802$
2008-12-17 18:35:24 ----HDC---- C:\WINDOWS\$NtUninstallKB954154_WM11$
2008-12-17 18:35:18 ----HDC---- C:\WINDOWS\$NtUninstallKB936782_WMP11$
2008-12-15 14:37:43 ----A---- C:\WINDOWS\QUAKEME.INI
2008-12-14 16:34:03 ----HD---- C:\WINDOWS\PIF
2008-12-14 09:24:47 ----D---- C:\Program Files\Quake
2008-11-01 04:10:18 ----A---- C:\WINDOWS\system32\XAudio2_1.dll
2008-11-01 04:10:18 ----A---- C:\WINDOWS\system32\XAPOFX1_0.dll
2008-11-01 04:10:18 ----A---- C:\WINDOWS\system32\xactengine3_1.dll
2008-11-01 04:10:18 ----A---- C:\WINDOWS\system32\X3DAudio1_4.dll
2008-11-01 04:10:18 ----A---- C:\WINDOWS\system32\D3DX9_38.dll
2008-11-01 04:10:18 ----A---- C:\WINDOWS\system32\d3dx10_38.dll
2008-11-01 04:10:18 ----A---- C:\WINDOWS\system32\D3DCompiler_38.dll
2008-11-01 04:10:04 ----D---- C:\WINDOWS\Logs
2008-11-01 04:09:12 ----D---- C:\Program Files\MSBuild
2008-11-01 04:06:31 ----D---- C:\WINDOWS\system32\XPSViewer
2008-11-01 04:06:07 ----D---- C:\Program Files\Reference Assemblies
2008-11-01 04:05:55 ----N---- C:\WINDOWS\system32\spmsg2.dll
2008-11-01 04:05:47 ----HDC---- C:\WINDOWS\$NtUninstallWIC$
2008-11-01 04:05:11 ----D---- C:\WINDOWS\system32\xlive
2008-10-25 08:09:15 ----D---- C:\Documents and Settings\All Users\Application Data\Blizzard

======List of files/folders modified in the last 3 months======

2009-01-11 09:20:29 ----D---- C:\WINDOWS\Temp
2009-01-11 09:20:23 ----D---- C:\Program Files\DNA
2009-01-11 09:20:23 ----D---- C:\Documents and Settings\Number 6\Application Data\DNA
2009-01-11 09:18:53 ----A---- C:\WINDOWS\SchedLgU.Txt
2009-01-11 09:18:32 ----D---- C:\WINDOWS\system32
2009-01-11 09:12:05 ----D---- C:\WINDOWS
2009-01-11 09:12:04 ----SD---- C:\WINDOWS\Downloaded Program Files
2009-01-11 09:12:04 ----D---- C:\WINDOWS\system32\CatRoot2
2009-01-11 09:11:24 ----SHD---- C:\WINDOWS\Installer
2009-01-11 09:11:23 ----RD---- C:\Program Files
2009-01-10 19:34:48 ----A---- C:\WINDOWS\system32\PnkBstrB.exe
2009-01-10 19:32:22 ----ASD---- C:\Documents and Settings\All Users\Application Data\Microsoft
2009-01-10 19:32:22 ----AD---- C:\Program Files\Outlook Express
2009-01-10 19:32:22 ----AD---- C:\Program Files\Common Files\System
2009-01-09 14:35:43 ----D---- C:\WINDOWS\Prefetch
2009-01-09 14:35:33 ----D---- C:\WINDOWS\system32\drivers
2009-01-04 18:23:55 ----D---- C:\WINDOWS\system32\CatRoot
2009-01-04 18:22:13 ----HD---- C:\WINDOWS\inf
2009-01-04 18:10:55 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI
2009-01-04 12:46:24 ----D---- C:\Documents and Settings\Number 6\Application Data\BitTorrent
2008-12-31 12:16:17 ----D---- C:\WINDOWS\system32\DirectX
2008-12-31 12:16:16 ----RSD---- C:\WINDOWS\assembly
2008-12-31 12:11:33 ----D---- C:\Program Files\Electronic Arts
2008-12-25 11:41:38 ----D---- C:\WINDOWS\Microsoft.NET
2008-12-25 11:38:48 ----HD---- C:\Program Files\InstallShield Installation Information
2008-12-25 11:37:19 ----D---- C:\WINDOWS\WinSxS
2008-12-21 14:31:55 ----A---- C:\WINDOWS\system.ini
2008-12-20 00:09:51 ----A---- C:\WINDOWS\ipuninst.exe
2008-12-17 19:57:59 ----D---- C:\WINDOWS\Debug
2008-12-17 19:56:21 ----RSHDC---- C:\WINDOWS\system32\dllcache
2008-12-17 18:37:39 ----HD---- C:\WINDOWS\$hf_mig$
2008-12-17 18:37:34 ----D---- C:\Program Files\Messenger
2008-12-17 18:37:09 ----D---- C:\Program Files\Internet Explorer
2008-12-17 18:37:05 ----D---- C:\WINDOWS\ie7updates
2008-12-17 18:16:57 ----D---- C:\WINDOWS\Help
2008-12-14 17:21:43 ----D---- C:\Documents and Settings\Number 6\Application Data\IGN_DLM
2008-12-14 10:25:36 ----D---- C:\Program Files\Download Manager
2008-12-13 01:40:02 ----A---- C:\WINDOWS\system32\mshtml.dll
2008-12-07 10:24:57 ----D---- C:\Program Files\Common Files
2008-11-15 16:31:58 ----D---- C:\WINDOWS\nview
2008-11-01 04:23:24 ----A---- C:\WINDOWS\system32\CmdLineExt.dll
2008-11-01 04:06:30 ----D---- C:\WINDOWS\system32\en-US
2008-11-01 04:06:28 ----RSD---- C:\WINDOWS\Fonts
2008-11-01 04:05:59 ----D---- C:\WINDOWS\system32\spool
2008-10-30 08:15:03 ----D---- C:\WINDOWS\network diagnostic
2008-10-23 08:01:36 ----A---- C:\WINDOWS\system32\gdi32.dll
2008-10-22 04:47:07 ----N---- C:\WINDOWS\system32\tzchange.exe
2008-10-19 15:32:21 ----SH---- C:\boot.ini
2008-10-19 15:32:21 ----A---- C:\WINDOWS\win.ini
2008-10-16 15:38:40 ----A---- C:\WINDOWS\system32\wininet.dll
2008-10-16 15:38:39 ----A---- C:\WINDOWS\system32\webcheck.dll
2008-10-16 15:38:39 ----A---- C:\WINDOWS\system32\urlmon.dll
2008-10-16 15:38:39 ----A---- C:\WINDOWS\system32\url.dll
2008-10-16 15:38:39 ----A---- C:\WINDOWS\system32\pngfilt.dll
2008-10-16 15:38:39 ----A---- C:\WINDOWS\system32\occache.dll
2008-10-16 15:38:39 ----A---- C:\WINDOWS\system32\mstime.dll
2008-10-16 15:38:38 ----A---- C:\WINDOWS\system32\msrating.dll
2008-10-16 15:38:38 ----A---- C:\WINDOWS\system32\mshtmled.dll
2008-10-16 15:38:37 ----A---- C:\WINDOWS\system32\msfeedsbs.dll
2008-10-16 15:38:37 ----A---- C:\WINDOWS\system32\msfeeds.dll
2008-10-16 15:38:37 ----A---- C:\WINDOWS\system32\jsproxy.dll
2008-10-16 15:38:37 ----A---- C:\WINDOWS\system32\iertutil.dll
2008-10-16 15:38:37 ----A---- C:\WINDOWS\system32\iernonce.dll
2008-10-16 15:38:37 ----A---- C:\WINDOWS\system32\ieframe.dll
2008-10-16 15:38:35 ----A---- C:\WINDOWS\system32\iedkcs32.dll
2008-10-16 15:38:35 ----A---- C:\WINDOWS\system32\ieapfltr.dll
2008-10-16 15:38:35 ----A---- C:\WINDOWS\system32\ieaksie.dll
2008-10-16 15:38:35 ----A---- C:\WINDOWS\system32\ieakeng.dll
2008-10-16 15:38:35 ----A---- C:\WINDOWS\system32\icardie.dll
2008-10-16 15:38:35 ----A---- C:\WINDOWS\system32\extmgr.dll
2008-10-16 15:38:34 ----A---- C:\WINDOWS\system32\dxtrans.dll
2008-10-16 15:38:34 ----A---- C:\WINDOWS\system32\dxtmsft.dll
2008-10-16 15:38:34 ----A---- C:\WINDOWS\system32\advpack.dll
2008-10-16 14:13:40 ----A---- C:\WINDOWS\system32\wuweb.dll
2008-10-16 14:13:40 ----A---- C:\WINDOWS\system32\wuaueng.dll
2008-10-16 14:12:22 ----A---- C:\WINDOWS\system32\wucltui.dll
2008-10-16 14:12:20 ----A---- C:\WINDOWS\system32\wuapi.dll
2008-10-16 14:09:44 ----A---- C:\WINDOWS\system32\wups2.dll
2008-10-16 14:09:44 ----A---- C:\WINDOWS\system32\wuauclt.exe
2008-10-16 14:09:44 ----A---- C:\WINDOWS\system32\cdm.dll
2008-10-16 14:09:40 ----A---- C:\WINDOWS\system32\wucltui.dll.mui
2008-10-16 14:08:58 ----A---- C:\WINDOWS\system32\wups.dll
2008-10-16 14:07:44 ----A---- C:\WINDOWS\system32\wuapi.dll.mui
2008-10-16 14:07:14 ----A---- C:\WINDOWS\system32\wuaueng.dll.mui
2008-10-16 08:11:09 ----A---- C:\WINDOWS\system32\ieudinit.exe
2008-10-16 08:11:09 ----A---- C:\WINDOWS\system32\ie4uinit.exe
2008-10-15 11:57:55 ----A---- C:\WINDOWS\system32\netapi32.dll
2008-10-15 02:04:53 ----A---- C:\WINDOWS\system32\ieakui.dll

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 intelppm;Intel Processor Driver; C:\WINDOWS\system32\DRIVERS\intelppm.sys [2004-08-04 36096]
R1 kbdhid;Keyboard HID Driver; C:\WINDOWS\system32\DRIVERS\kbdhid.sys [2004-08-04 14848]
R1 vcdrom;Virtual CD-ROM Device Driver; \??\C:\WINDOWS\system32\drivers\VCdRom.sys []
R3 ALCXWDM;Service for Realtek AC97 Audio (WDM); C:\WINDOWS\system32\drivers\ALCXWDM.SYS [2006-05-19 3965056]
R3 FETND5BV;VIA Rhine-Family Fast Ethernet Adapter Driver Service; C:\WINDOWS\system32\DRIVERS\fetnd5bv.sys [2004-12-16 42496]
R3 hidusb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2004-08-04 9600]
R3 nv;nv; C:\WINDOWS\system32\DRIVERS\nv4_mini.sys [2008-09-17 6132576]
R3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2004-08-04 31616]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2004-08-04 26624]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2004-08-04 57600]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2004-08-04 20480]
S3 a8wvg3tb;a8wvg3tb; C:\WINDOWS\system32\drivers\a8wvg3tb.sys []
S3 FETNDIS;VIA PCI 10/100Mb Fast Ethernet Adapter NT Driver; C:\WINDOWS\system32\DRIVERS\fetnd5.sys [2001-08-17 27165]
S3 gmer;gmer; C:\WINDOWS\System32\DRIVERS\gmer.sys [2009-01-09 85969]
S3 mouhid;Mouse HID Driver; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2001-08-17 12160]
S3 PnkBstrK;PnkBstrK; \??\C:\WINDOWS\system32\drivers\PnkBstrK.sys []
S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2004-08-03 26496]
S3 WudfPf;Windows Driver Foundation - User-mode Driver Framework Platform Driver; C:\WINDOWS\system32\DRIVERS\WudfPf.sys [2006-09-28 77568]
S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2006-09-28 82944]
S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys []
S4 sr;System Restore Filter Driver; C:\WINDOWS\system32\DRIVERS\sr.sys [2004-08-04 73472]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 JavaQuickStarterService;Java Quick Starter; C:\Program Files\Java\jre6\bin\jqs.exe [2009-01-11 152984]
R2 NVSvc;NVIDIA Display Driver Service; C:\WINDOWS\system32\nvsvc32.exe [2008-09-17 163908]
R2 PnkBstrA;PnkBstrA; C:\WINDOWS\system32\PnkBstrA.exe [2007-11-02 66872]
R2 PnkBstrB;PnkBstrB; C:\WINDOWS\system32\PnkBstrB.exe [2009-01-10 201816]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2007-04-13 33632]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2007-04-13 68952]
S3 FontCache3.0.0.0;Windows Presentation Foundation Font Cache 3.0.0.0; c:\WINDOWS\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe [2006-10-20 36864]
S3 gusvc;Google Updater Service; C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-03-16 138168]
S3 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe [2005-04-04 69632]
S3 idsvc;Windows CardSpace; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe [2006-10-30 741376]
S3 WMPNetworkSvc;Windows Media Player Network Sharing Service; C:\Program Files\Windows Media Player\WMPNetwk.exe [2006-10-18 913408]
S3 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2004-08-04 14336]
S4 NetTcpPortSharing;Net.Tcp Port Sharing Service; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe [2006-10-30 122880]

-----------------EOF-----------------

#9 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • OFFLINE
  • Local time:09:49 PM

Posted 12 January 2009 - 01:56 AM

Hello.. your RSIT log.txt somehow is difficult to read.. Do below first..


Please open Notepad >> Go to Format tab >> untick Word Wrap

Then run RSIT again please and post the logs here..

Sorry, but with the words scattered all over the place, it's quite difficult to read the log :thumbsup:

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#10 Dr. Weird

Dr. Weird
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  • Local time:09:49 AM

Posted 13 January 2009 - 09:46 PM

Logfile of random's system information tool 1.05 (written by random/random)
Run by Number 6 at 2009-01-13 21:44:17
Microsoft Windows XP Home Edition Service Pack 2
System drive C: has 111 GB (72%) free of 153 GB
Total RAM: 2047 MB (84% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:44:20 PM, on 1/13/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\VIA\RAID\raid_tool.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\DNA\btdna.exe
C:\Program Files\Electronic Arts\EADM\Core.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\Number 6\Desktop\RSIT.exe
C:\Program Files\Trend Micro\HijackThis\Number 6.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [RaidTool] C:\Program Files\VIA\RAID\raid_tool.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [igndlm.exe] C:\Program Files\Download Manager\DLM.exe /windowsstart /startifwork
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [EA Core] "C:\Program Files\Electronic Arts\EADM\Core.exe" -silent
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKUS\S-1-5-19\..\Run: [zolajusivu] Rundll32.exe "C:\WINDOWS\system32\hekomuno.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [zolajusivu] Rundll32.exe "C:\WINDOWS\system32\hekomuno.dll",s (User 'NETWORK SERVICE')
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/200707...ex/qtplugin.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.7.109.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://sdlc-esd.sun.com/ESD5/JSCDL/jre/6u1...=javadl.sun.com
O20 - AppInit_DLLs: C:\WINDOWS\system32\wokoguri.dll
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe

--
End of file - 5960 bytes

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
Adobe PDF Reader Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll [2006-10-22 62080]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
Java™ Plug-In SSV Helper - C:\Program Files\Java\jre6\bin\ssv.dll [2009-01-11 320920]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}]
Google Toolbar Helper - c:\program files\google\googletoolbar1.dll [2008-03-16 2403392]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java™ Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2009-01-11 34816]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}]
JQSIEStartDetectorImpl Class - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll [2009-01-11 73728]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{2318C2B1-4965-11d4-9B18-009027A5CD4F} - &Google - c:\program files\google\googletoolbar1.dll [2008-03-16 2403392]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"=C:\WINDOWS\SOUNDMAN.EXE [2006-03-02 577536]
"NvCplDaemon"=C:\WINDOWS\system32\NvCpl.dll [2008-09-17 13574144]
"nwiz"=nwiz.exe /install []
"QuickTime Task"=C:\Program Files\QuickTime\qttask.exe [2007-09-17 286720]
"Adobe Reader Speed Launcher"=C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe [2008-01-11 39792]
"RaidTool"=C:\Program Files\VIA\RAID\raid_tool.exe [2005-06-20 1056768]
"NvMediaCenter"=C:\WINDOWS\system32\NvMcTray.dll [2008-09-17 86016]
"SunJavaUpdateSched"=C:\Program Files\Java\jre6\bin\jusched.exe [2009-01-11 136600]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"igndlm.exe"=C:\Program Files\Download Manager\DLM.exe [2008-08-01 1103216]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2004-08-04 15360]
"MSMSGS"=C:\Program Files\Messenger\msmsgs.exe [2004-10-13 1694208]
"BitTorrent DNA"=C:\Program Files\DNA\btdna.exe [2008-12-19 342848]
"EA Core"=C:\Program Files\Electronic Arts\EADM\Core.exe [2009-01-07 3321856]
"DAEMON Tools Lite"=C:\Program Files\DAEMON Tools Lite\daemon.exe [2008-12-10 216520]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLS"="C:\WINDOWS\system32\wokoguri.dll "

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
C:\WINDOWS\system32\WgaLogon.dll [2007-03-15 236928]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"notification packages"=scecli
C:\WINDOWS\system32\wokoguri.dll

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\World of Warcraft\WoW-1.12.0-enUS-downloader.exe"="C:\Program Files\World of Warcraft\WoW-1.12.0-enUS-downloader.exe:*:Enabled:Blizzard Downloader"
"C:\Program Files\World of Warcraft\WoW-1.12.x-to-2.0.1-enUS-patch-downloader.exe"="C:\Program Files\World of Warcraft\WoW-1.12.x-to-2.0.1-enUS-patch-downloader.exe:*:Enabled:Blizzard Downloader"
"C:\Program Files\World of Warcraft\WoW-2.0.3-enUS-downloader.exe"="C:\Program Files\World of Warcraft\WoW-2.0.3-enUS-downloader.exe:*:Enabled:Blizzard Downloader"
"C:\Program Files\World of Warcraft\WoW-2.0.3.6299-to-2.0.12.6546-enUS-downloader.exe"="C:\Program Files\World of Warcraft\WoW-2.0.3.6299-to-2.0.12.6546-enUS-downloader.exe:*:Enabled:Blizzard Downloader"
"C:\Program Files\World of Warcraft\BackgroundDownloader.exe"="C:\Program Files\World of Warcraft\BackgroundDownloader.exe:*:Enabled:Blizzard Downloader"
"C:\Program Files\Sony\Station\LaunchPad\LaunchPad.exe"="C:\Program Files\Sony\Station\LaunchPad\LaunchPad.exe:*:Enabled:LaunchPad"
"C:\Program Files\Azureus\Azureus.exe"="C:\Program Files\Azureus\Azureus.exe:*:Enabled:Azureus"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\THQ\Dawn Of War\W40k.exe"="C:\Program Files\THQ\Dawn Of War\W40k.exe:*:Enabled:W40k"
"C:\Program Files\DNA\btdna.exe"="C:\Program Files\DNA\btdna.exe:*:Enabled:DNA"
"C:\Program Files\BitTorrent\bittorrent.exe"="C:\Program Files\BitTorrent\bittorrent.exe:*:Enabled:BitTorrent"
"C:\WINDOWS\explorer.exe"="C:\WINDOWS\explorer.exe:*:Enabled:Explorer"
"C:\WINDOWS\system32\logonui.exe"="C:\WINDOWS\system32\logonui.exe:*:Enabled:logonui"
"C:\Program Files\Electronic Arts\EADM\Core.exe"="C:\Program Files\Electronic Arts\EADM\Core.exe:*:Enabled:EA Download Manager"
"C:\WINDOWS\system32\winlogon.exe"="C:\WINDOWS\system32\winlogon.exe:*:Enabled:winlogon"
"C:\WINDOWS\system32\nvsvc32.exe"="C:\WINDOWS\system32\nvsvc32.exe:*:Enabled:nvsvc32"
"C:\Program Files\VIA\RAID\raid_tool.exe"="C:\Program Files\VIA\RAID\raid_tool.exe:*:Enabled:raid_tool"
"C:\Program Files\Messenger\msmsgs.exe"="C:\Program Files\Messenger\msmsgs.exe:*:Enabled:msmsgs"
"C:\Program Files\DAEMON Tools Lite\daemon.exe"="C:\Program Files\DAEMON Tools Lite\daemon.exe:*:Enabled:daemon"
"C:\WINDOWS\system32\PnkBstrB.exe"="C:\WINDOWS\system32\PnkBstrB.exe:*:Enabled:PnkBstrB"
"C:\Program Files\Internet Explorer\iexplore.exe"="C:\Program Files\Internet Explorer\iexplore.exe:*:Enabled:iexplore"
"C:\Documents and Settings\Number 6\Desktop\OTMoveIt3.exe"="C:\Documents and Settings\Number 6\Desktop\OTMoveIt3.exe:*:Enabled:OTMoveIt3"
"C:\Program Files\Electronic Arts\Battlefield 2142\BF2142Pace.exe"="C:\Program Files\Electronic Arts\Battlefield 2142\BF2142Pace.exe:*:Enabled:BF2142Pace"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

======List of files/folders created in the last 3 months======

2009-01-11 09:17:34 ----D---- C:\_OTMoveIt
2009-01-11 09:12:05 ----D---- C:\WINDOWS\Sun
2009-01-11 09:11:33 ----A---- C:\WINDOWS\system32\javaws.exe
2009-01-11 09:11:33 ----A---- C:\WINDOWS\system32\javaw.exe
2009-01-11 09:11:33 ----A---- C:\WINDOWS\system32\java.exe
2009-01-11 09:11:33 ----A---- C:\WINDOWS\system32\deploytk.dll
2009-01-11 09:11:23 ----D---- C:\Program Files\Java
2009-01-11 09:10:07 ----D---- C:\Documents and Settings\Number 6\Application Data\Sun
2009-01-09 20:01:12 ----D---- C:\Documents and Settings\All Users\Application Data\Electronic Arts
2009-01-09 14:35:34 ----A---- C:\WINDOWS\gmer.ini
2009-01-09 14:35:33 ----A---- C:\WINDOWS\gmer_uninstall.cmd
2009-01-09 14:35:33 ----A---- C:\WINDOWS\gmer.exe
2009-01-09 14:35:33 ----A---- C:\WINDOWS\gmer.dll
2009-01-09 14:25:14 ----D---- C:\rsit
2009-01-09 13:58:15 ----D---- C:\Documents and Settings\Number 6\Application Data\Malwarebytes
2009-01-09 13:58:06 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2009-01-09 13:58:06 ----D---- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2009-01-04 18:46:34 ----D---- C:\Program Files\Trend Micro
2009-01-04 18:09:53 ----AD---- C:\Documents and Settings\All Users\Application Data\TEMP
2009-01-04 12:55:36 ----D---- C:\Program Files\Perfect World Entertainment
2009-01-03 00:35:31 ----A---- C:\WINDOWS\system32\unicows.dll
2008-12-25 11:38:43 ----D---- C:\Program Files\Bethesda Softworks
2008-12-24 14:08:56 ----D---- C:\Documents and Settings\All Users\Application Data\Fallout3
2008-12-21 17:02:38 ----D---- C:\Documents and Settings\Number 6\Application Data\DAEMON Tools
2008-12-21 17:01:55 ----D---- C:\Documents and Settings\All Users\Application Data\DAEMON Tools Lite
2008-12-21 17:01:52 ----D---- C:\Program Files\DAEMON Tools Lite
2008-12-21 17:01:12 ----D---- C:\Documents and Settings\Number 6\Application Data\DAEMON Tools Lite
2008-12-21 16:50:19 ----D---- C:\Program Files\DAEMON Tools Pro
2008-12-21 16:50:19 ----D---- C:\Documents and Settings\All Users\Application Data\DAEMON Tools Pro
2008-12-21 16:49:05 ----D---- C:\Documents and Settings\Number 6\Application Data\DAEMON Tools Pro
2008-12-20 00:09:03 ----D---- C:\Program Files\BlackIsle
2008-12-17 19:57:59 ----D---- C:\WINDOWS\system32\CatRoot_bak
2008-12-17 18:37:39 ----HDC---- C:\WINDOWS\$NtUninstallKB951376-v2$
2008-12-17 18:37:36 ----HDC---- C:\WINDOWS\$NtUninstallKB952954$
2008-12-17 18:37:32 ----HDC---- C:\WINDOWS\$NtUninstallKB946648$
2008-12-17 18:37:29 ----HDC---- C:\WINDOWS\$NtUninstallKB956803$
2008-12-17 18:37:25 ----HDC---- C:\WINDOWS\$NtUninstallKB952069_WM9$
2008-12-17 18:37:22 ----HDC---- C:\WINDOWS\$NtUninstallKB955839$
2008-12-17 18:37:18 ----HDC---- C:\WINDOWS\$NtUninstallKB956391$
2008-12-17 18:37:14 ----HDC---- C:\WINDOWS\$NtUninstallKB957095$
2008-12-17 18:36:54 ----HDC---- C:\WINDOWS\$NtUninstallKB950974$
2008-12-17 18:36:50 ----HDC---- C:\WINDOWS\$NtUninstallKB951698$
2008-12-17 18:36:47 ----HDC---- C:\WINDOWS\$NtUninstallKB954211$
2008-12-17 18:36:40 ----HDC---- C:\WINDOWS\$NtUninstallKB956841$
2008-12-17 18:36:36 ----D---- C:\Program Files\MSXML 6.0
2008-12-17 18:36:16 ----HDC---- C:\WINDOWS\$NtUninstallKB925720$
2008-12-17 18:36:13 ----HDC---- C:\WINDOWS\$NtUninstallKB941569$
2008-12-17 18:36:04 ----HDC---- C:\WINDOWS\$NtUninstallKB950762$
2008-12-17 18:36:00 ----HDC---- C:\WINDOWS\$NtUninstallKB957097$
2008-12-17 18:35:57 ----HDC---- C:\WINDOWS\$NtUninstallKB952287$
2008-12-17 18:35:53 ----HDC---- C:\WINDOWS\$NtUninstallKB929399$
2008-12-17 18:35:44 ----HDC---- C:\WINDOWS\$NtUninstallKB951066$
2008-12-17 18:35:42 ----HDC---- C:\WINDOWS\$NtUninstallKB938464$
2008-12-17 18:35:38 ----HDC---- C:\WINDOWS\$NtUninstallKB954600$
2008-12-17 18:35:35 ----HDC---- C:\WINDOWS\$NtUninstallKB958644$
2008-12-17 18:35:31 ----HDC---- C:\WINDOWS\$NtUninstallKB955069$
2008-12-17 18:35:27 ----HDC---- C:\WINDOWS\$NtUninstallKB956802$
2008-12-17 18:35:24 ----HDC---- C:\WINDOWS\$NtUninstallKB954154_WM11$
2008-12-17 18:35:18 ----HDC---- C:\WINDOWS\$NtUninstallKB936782_WMP11$
2008-12-15 14:37:43 ----A---- C:\WINDOWS\QUAKEME.INI
2008-12-14 16:34:03 ----HD---- C:\WINDOWS\PIF
2008-12-14 09:24:47 ----D---- C:\Program Files\Quake
2008-11-01 04:10:18 ----A---- C:\WINDOWS\system32\XAudio2_1.dll
2008-11-01 04:10:18 ----A---- C:\WINDOWS\system32\XAPOFX1_0.dll
2008-11-01 04:10:18 ----A---- C:\WINDOWS\system32\xactengine3_1.dll
2008-11-01 04:10:18 ----A---- C:\WINDOWS\system32\X3DAudio1_4.dll
2008-11-01 04:10:18 ----A---- C:\WINDOWS\system32\D3DX9_38.dll
2008-11-01 04:10:18 ----A---- C:\WINDOWS\system32\d3dx10_38.dll
2008-11-01 04:10:18 ----A---- C:\WINDOWS\system32\D3DCompiler_38.dll
2008-11-01 04:10:04 ----D---- C:\WINDOWS\Logs
2008-11-01 04:09:12 ----D---- C:\Program Files\MSBuild
2008-11-01 04:06:31 ----D---- C:\WINDOWS\system32\XPSViewer
2008-11-01 04:06:07 ----D---- C:\Program Files\Reference Assemblies
2008-11-01 04:05:55 ----N---- C:\WINDOWS\system32\spmsg2.dll
2008-11-01 04:05:47 ----HDC---- C:\WINDOWS\$NtUninstallWIC$
2008-11-01 04:05:11 ----D---- C:\WINDOWS\system32\xlive
2008-10-25 08:09:15 ----D---- C:\Documents and Settings\All Users\Application Data\Blizzard

======List of files/folders modified in the last 3 months======

2009-01-13 21:40:25 ----D---- C:\WINDOWS\Temp
2009-01-13 21:40:22 ----D---- C:\WINDOWS
2009-01-13 21:40:11 ----D---- C:\Program Files\DNA
2009-01-13 21:40:11 ----D---- C:\Documents and Settings\Number 6\Application Data\DNA
2009-01-13 00:17:13 ----A---- C:\WINDOWS\SchedLgU.Txt
2009-01-12 23:29:13 ----A---- C:\WINDOWS\system32\PnkBstrB.exe
2009-01-12 23:25:38 ----ASD---- C:\Documents and Settings\All Users\Application Data\Microsoft
2009-01-12 23:25:38 ----AD---- C:\Program Files\Outlook Express
2009-01-12 23:25:38 ----AD---- C:\Program Files\Common Files\System
2009-01-11 21:56:57 ----D---- C:\WINDOWS\Prefetch
2009-01-11 09:50:17 ----D---- C:\WINDOWS\system32\drivers
2009-01-11 09:50:17 ----D---- C:\WINDOWS\system32
2009-01-11 09:12:04 ----SD---- C:\WINDOWS\Downloaded Program Files
2009-01-11 09:12:04 ----D---- C:\WINDOWS\system32\CatRoot2
2009-01-11 09:11:24 ----SHD---- C:\WINDOWS\Installer
2009-01-11 09:11:23 ----RD---- C:\Program Files
2009-01-04 18:23:55 ----D---- C:\WINDOWS\system32\CatRoot
2009-01-04 18:22:13 ----HD---- C:\WINDOWS\inf
2009-01-04 18:10:55 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI
2009-01-04 12:46:24 ----D---- C:\Documents and Settings\Number 6\Application Data\BitTorrent
2008-12-31 12:16:17 ----D---- C:\WINDOWS\system32\DirectX
2008-12-31 12:16:16 ----RSD---- C:\WINDOWS\assembly
2008-12-31 12:11:33 ----D---- C:\Program Files\Electronic Arts
2008-12-25 11:41:38 ----D---- C:\WINDOWS\Microsoft.NET
2008-12-25 11:38:48 ----HD---- C:\Program Files\InstallShield Installation Information
2008-12-25 11:37:19 ----D---- C:\WINDOWS\WinSxS
2008-12-21 14:31:55 ----A---- C:\WINDOWS\system.ini
2008-12-20 00:09:51 ----A---- C:\WINDOWS\ipuninst.exe
2008-12-17 19:57:59 ----D---- C:\WINDOWS\Debug
2008-12-17 19:56:21 ----RSHDC---- C:\WINDOWS\system32\dllcache
2008-12-17 18:37:39 ----HD---- C:\WINDOWS\$hf_mig$
2008-12-17 18:37:34 ----D---- C:\Program Files\Messenger
2008-12-17 18:37:09 ----D---- C:\Program Files\Internet Explorer
2008-12-17 18:37:05 ----D---- C:\WINDOWS\ie7updates
2008-12-17 18:16:57 ----D---- C:\WINDOWS\Help
2008-12-14 17:21:43 ----D---- C:\Documents and Settings\Number 6\Application Data\IGN_DLM
2008-12-14 10:25:36 ----D---- C:\Program Files\Download Manager
2008-12-13 01:40:02 ----A---- C:\WINDOWS\system32\mshtml.dll
2008-12-07 10:24:57 ----D---- C:\Program Files\Common Files
2008-11-15 16:31:58 ----D---- C:\WINDOWS\nview
2008-11-01 04:23:24 ----A---- C:\WINDOWS\system32\CmdLineExt.dll
2008-11-01 04:06:30 ----D---- C:\WINDOWS\system32\en-US
2008-11-01 04:06:28 ----RSD---- C:\WINDOWS\Fonts
2008-11-01 04:05:59 ----D---- C:\WINDOWS\system32\spool
2008-10-30 08:15:03 ----D---- C:\WINDOWS\network diagnostic
2008-10-23 08:01:36 ----A---- C:\WINDOWS\system32\gdi32.dll
2008-10-22 04:47:07 ----N---- C:\WINDOWS\system32\tzchange.exe
2008-10-19 15:32:21 ----SH---- C:\boot.ini
2008-10-19 15:32:21 ----A---- C:\WINDOWS\win.ini
2008-10-16 15:38:40 ----A---- C:\WINDOWS\system32\wininet.dll
2008-10-16 15:38:39 ----A---- C:\WINDOWS\system32\webcheck.dll
2008-10-16 15:38:39 ----A---- C:\WINDOWS\system32\urlmon.dll
2008-10-16 15:38:39 ----A---- C:\WINDOWS\system32\url.dll
2008-10-16 15:38:39 ----A---- C:\WINDOWS\system32\pngfilt.dll
2008-10-16 15:38:39 ----A---- C:\WINDOWS\system32\occache.dll
2008-10-16 15:38:39 ----A---- C:\WINDOWS\system32\mstime.dll
2008-10-16 15:38:38 ----A---- C:\WINDOWS\system32\msrating.dll
2008-10-16 15:38:38 ----A---- C:\WINDOWS\system32\mshtmled.dll
2008-10-16 15:38:37 ----A---- C:\WINDOWS\system32\msfeedsbs.dll
2008-10-16 15:38:37 ----A---- C:\WINDOWS\system32\msfeeds.dll
2008-10-16 15:38:37 ----A---- C:\WINDOWS\system32\jsproxy.dll
2008-10-16 15:38:37 ----A---- C:\WINDOWS\system32\iertutil.dll
2008-10-16 15:38:37 ----A---- C:\WINDOWS\system32\iernonce.dll
2008-10-16 15:38:37 ----A---- C:\WINDOWS\system32\ieframe.dll
2008-10-16 15:38:35 ----A---- C:\WINDOWS\system32\iedkcs32.dll
2008-10-16 15:38:35 ----A---- C:\WINDOWS\system32\ieapfltr.dll
2008-10-16 15:38:35 ----A---- C:\WINDOWS\system32\ieaksie.dll
2008-10-16 15:38:35 ----A---- C:\WINDOWS\system32\ieakeng.dll
2008-10-16 15:38:35 ----A---- C:\WINDOWS\system32\icardie.dll
2008-10-16 15:38:35 ----A---- C:\WINDOWS\system32\extmgr.dll
2008-10-16 15:38:34 ----A---- C:\WINDOWS\system32\dxtrans.dll
2008-10-16 15:38:34 ----A---- C:\WINDOWS\system32\dxtmsft.dll
2008-10-16 15:38:34 ----A---- C:\WINDOWS\system32\advpack.dll
2008-10-16 14:13:40 ----A---- C:\WINDOWS\system32\wuweb.dll
2008-10-16 14:13:40 ----A---- C:\WINDOWS\system32\wuaueng.dll
2008-10-16 14:12:22 ----A---- C:\WINDOWS\system32\wucltui.dll
2008-10-16 14:12:20 ----A---- C:\WINDOWS\system32\wuapi.dll
2008-10-16 14:09:44 ----A---- C:\WINDOWS\system32\wups2.dll
2008-10-16 14:09:44 ----A---- C:\WINDOWS\system32\wuauclt.exe
2008-10-16 14:09:44 ----A---- C:\WINDOWS\system32\cdm.dll
2008-10-16 14:09:40 ----A---- C:\WINDOWS\system32\wucltui.dll.mui
2008-10-16 14:08:58 ----A---- C:\WINDOWS\system32\wups.dll
2008-10-16 14:07:44 ----A---- C:\WINDOWS\system32\wuapi.dll.mui
2008-10-16 14:07:14 ----A---- C:\WINDOWS\system32\wuaueng.dll.mui
2008-10-16 08:11:09 ----A---- C:\WINDOWS\system32\ieudinit.exe
2008-10-16 08:11:09 ----A---- C:\WINDOWS\system32\ie4uinit.exe
2008-10-15 11:57:55 ----A---- C:\WINDOWS\system32\netapi32.dll
2008-10-15 02:04:53 ----A---- C:\WINDOWS\system32\ieakui.dll

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 intelppm;Intel Processor Driver; C:\WINDOWS\system32\DRIVERS\intelppm.sys [2004-08-04 36096]
R1 kbdhid;Keyboard HID Driver; C:\WINDOWS\system32\DRIVERS\kbdhid.sys [2004-08-04 14848]
R1 vcdrom;Virtual CD-ROM Device Driver; \??\C:\WINDOWS\system32\drivers\VCdRom.sys []
R3 ALCXWDM;Service for Realtek AC97 Audio (WDM); C:\WINDOWS\system32\drivers\ALCXWDM.SYS [2006-05-19 3965056]
R3 FETND5BV;VIA Rhine-Family Fast Ethernet Adapter Driver Service; C:\WINDOWS\system32\DRIVERS\fetnd5bv.sys [2004-12-16 42496]
R3 hidusb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2004-08-04 9600]
R3 nv;nv; C:\WINDOWS\system32\DRIVERS\nv4_mini.sys [2008-09-17 6132576]
R3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2004-08-04 31616]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2004-08-04 26624]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2004-08-04 57600]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2004-08-04 20480]
S3 az2al0pg;az2al0pg; C:\WINDOWS\system32\drivers\az2al0pg.sys []
S3 FETNDIS;VIA PCI 10/100Mb Fast Ethernet Adapter NT Driver; C:\WINDOWS\system32\DRIVERS\fetnd5.sys [2001-08-17 27165]
S3 gmer;gmer; C:\WINDOWS\System32\DRIVERS\gmer.sys [2009-01-09 85969]
S3 mouhid;Mouse HID Driver; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2001-08-17 12160]
S3 PnkBstrK;PnkBstrK; \??\C:\WINDOWS\system32\drivers\PnkBstrK.sys []
S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2004-08-03 26496]
S3 WudfPf;Windows Driver Foundation - User-mode Driver Framework Platform Driver; C:\WINDOWS\system32\DRIVERS\WudfPf.sys [2006-09-28 77568]
S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2006-09-28 82944]
S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys []
S4 sr;System Restore Filter Driver; C:\WINDOWS\system32\DRIVERS\sr.sys [2004-08-04 73472]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 JavaQuickStarterService;Java Quick Starter; C:\Program Files\Java\jre6\bin\jqs.exe [2009-01-11 152984]
R2 NVSvc;NVIDIA Display Driver Service; C:\WINDOWS\system32\nvsvc32.exe [2008-09-17 163908]
R2 PnkBstrA;PnkBstrA; C:\WINDOWS\system32\PnkBstrA.exe [2007-11-02 66872]
R2 PnkBstrB;PnkBstrB; C:\WINDOWS\system32\PnkBstrB.exe [2009-01-12 201816]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2007-04-13 33632]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2007-04-13 68952]
S3 FontCache3.0.0.0;Windows Presentation Foundation Font Cache 3.0.0.0; c:\WINDOWS\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe [2006-10-20 36864]
S3 gusvc;Google Updater Service; C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-03-16 138168]
S3 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe [2005-04-04 69632]
S3 idsvc;Windows CardSpace; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe [2006-10-30 741376]
S3 WMPNetworkSvc;Windows Media Player Network Sharing Service; C:\Program Files\Windows Media Player\WMPNetwk.exe [2006-10-18 913408]
S3 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2004-08-04 14336]
S4 NetTcpPortSharing;Net.Tcp Port Sharing Service; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe [2006-10-30 122880]

-----------------EOF-----------------
I have wordwrap unticked but when I paste it in my reply here it ends up wrapping itself again.

Edited by Dr. Weird, 13 January 2009 - 09:49 PM.


#11 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • OFFLINE
  • Local time:09:49 PM

Posted 14 January 2009 - 01:35 AM

Don't worry.. You did it right this time :thumbsup:

Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix.. Please visit HERE if you don't know how.. Please re-enable them after performing all the steps given..

Please download ComboFix by sUBs from one of the locations below, and save it to your Desktop.

Link 1
Link 2
Link 3

Double-click combofix.exe and follow the prompts. Please never rename ComboFix unless instructed.

If ComboFix asks you to install the Recovery Console, please do so.. It is in your best interest..

When finished, it shall produce a log for you. Post that log and a fresh HijackThis log in your next reply..

Note: DON'T do anything with your computer while ComboFix is running.. Let ComboFix finish its job..

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#12 Dr. Weird

Dr. Weird
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  • Local time:09:49 AM

Posted 16 January 2009 - 11:34 AM

ComboFix 09-01-15.01 - Number 6 2009-01-16 11:26:32.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.2047.1725 [GMT -5:00]
Running from: c:\documents and settings\Number 6\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2008-12-16 to 2009-01-16 )))))))))))))))))))))))))))))))
.

2009-01-11 09:17 . 2009-01-11 09:17 <DIR> d-------- C:\_OTMoveIt
2009-01-11 09:12 . 2009-01-11 09:12 <DIR> d-------- c:\windows\Sun
2009-01-11 09:11 . 2009-01-11 09:11 <DIR> d-------- c:\program files\Java
2009-01-11 09:11 . 2009-01-11 09:11 410,984 --a------ c:\windows\system32\deploytk.dll
2009-01-11 09:11 . 2009-01-11 09:11 73,728 --a------ c:\windows\system32\javacpl.cpl
2009-01-09 20:01 . 2009-01-09 20:01 <DIR> d-------- c:\documents and settings\All Users\Application Data\Electronic Arts
2009-01-09 14:35 . 2009-01-09 14:35 250 --a------ c:\windows\gmer.ini
2009-01-09 14:25 . 2009-01-09 14:25 <DIR> d-------- C:\rsit
2009-01-09 13:58 . 2009-01-09 13:58 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-01-09 13:58 . 2009-01-09 13:58 <DIR> d-------- c:\documents and settings\Number 6\Application Data\Malwarebytes
2009-01-09 13:58 . 2009-01-09 13:58 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-01-09 13:58 . 2009-01-04 18:41 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-09 13:58 . 2009-01-04 18:41 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-01-04 18:46 . 2009-01-04 18:46 <DIR> d-------- c:\program files\Trend Micro
2009-01-04 18:09 . 2009-01-04 18:55 <DIR> d-a------ c:\documents and settings\All Users\Application Data\TEMP
2009-01-04 12:55 . 2009-01-04 12:55 <DIR> d-------- c:\program files\Perfect World Entertainment
2009-01-03 00:35 . 2008-12-25 15:36 258,352 --a------ c:\windows\system32\unicows.dll
2008-12-25 11:38 . 2008-12-25 11:38 <DIR> d-------- c:\program files\Bethesda Softworks
2008-12-24 14:08 . 2008-12-25 11:38 <DIR> d-------- c:\documents and settings\All Users\Application Data\Fallout3
2008-12-21 17:02 . 2008-12-21 17:02 <DIR> d-------- c:\documents and settings\Number 6\Application Data\DAEMON Tools
2008-12-21 17:01 . 2008-12-21 17:01 <DIR> d-------- c:\program files\DAEMON Tools Lite
2008-12-21 17:01 . 2008-12-21 17:04 <DIR> d-------- c:\documents and settings\Number 6\Application Data\DAEMON Tools Lite
2008-12-21 17:01 . 2008-12-21 17:01 <DIR> d-------- c:\documents and settings\All Users\Application Data\DAEMON Tools Lite
2008-12-21 16:50 . 2008-12-21 16:54 <DIR> d-------- c:\program files\DAEMON Tools Pro
2008-12-21 16:50 . 2008-12-21 16:50 <DIR> d-------- c:\documents and settings\All Users\Application Data\DAEMON Tools Pro
2008-12-21 16:49 . 2008-12-21 17:02 <DIR> d-------- c:\documents and settings\Number 6\Application Data\DAEMON Tools Pro
2008-12-21 16:49 . 2008-12-21 16:49 717,296 --a------ c:\windows\system32\drivers\sptd.sys
2008-12-20 00:09 . 2008-12-20 00:09 <DIR> d-------- c:\program files\BlackIsle
2008-12-17 19:57 . 2009-01-04 18:23 <DIR> d-------- c:\windows\system32\CatRoot_bak
2008-12-17 18:36 . 2008-12-17 18:36 <DIR> d-------- c:\program files\MSXML 6.0
2008-12-17 18:21 . 2008-06-13 08:10 272,128 --------- c:\windows\system32\drivers\bthport.sys
2008-12-17 18:21 . 2008-06-13 08:10 272,128 -----c--- c:\windows\system32\dllcache\bthport.sys
2008-12-17 18:20 . 2008-10-16 15:38 63,488 -----c--- c:\windows\system32\dllcache\icardie.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-16 16:28 --------- d-----w c:\program files\DNA
2009-01-16 16:28 --------- d-----w c:\documents and settings\Number 6\Application Data\DNA
2009-01-16 02:24 137,992 ----a-w c:\windows\system32\drivers\PnkBstrK.sys
2009-01-04 17:46 --------- d-----w c:\documents and settings\Number 6\Application Data\BitTorrent
2008-12-31 17:11 --------- d-----w c:\program files\Electronic Arts
2008-12-25 16:38 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-20 05:09 52,736 ----a-w c:\windows\ipuninst.exe
2008-12-14 22:34 --------- d-----w c:\program files\Quake
2008-12-14 22:21 --------- d-----w c:\documents and settings\Number 6\Application Data\IGN_DLM
2008-12-14 15:25 --------- d-----w c:\program files\Download Manager
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igndlm.exe"="c:\program files\Download Manager\DLM.exe" [2008-08-01 1103216]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2008-12-19 342848]
"EA Core"="c:\program files\Electronic Arts\EADM\Core.exe" [2009-01-07 3321856]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2008-12-10 216520]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-09-17 13574144]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-09-17 286720]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"RaidTool"="c:\program files\VIA\RAID\raid_tool.exe" [2005-06-20 1056768]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-09-17 86016]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-01-11 136600]
"SoundMan"="SOUNDMAN.EXE" [2006-03-02 c:\windows\soundman.exe]
"nwiz"="nwiz.exe" [2008-09-17 c:\windows\system32\nwiz.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\Electronic Arts\\EADM\\Core.exe"=
"c:\\WINDOWS\\system32\\nvsvc32.exe"=
"c:\\Program Files\\VIA\\RAID\\raid_tool.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\DAEMON Tools Lite\\daemon.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Documents and Settings\\Number 6\\Desktop\\OTMoveIt3.exe"=
"c:\\Program Files\\Electronic Arts\\Battlefield 2142\\BF2142Pace.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724

R1 vcdrom;Virtual CD-ROM Device Driver;c:\windows\system32\drivers\VCdRom.sys [2008-07-28 8576]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-16 11:28:46
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-861567501-1757981266-839522115-1004\Software\SecuROM\License information*]
"datasecu"=hex:91,8b,9f,e7,cd,0a,66,48,1c,2d,30,f1,0d,c5,19,c3,6c,0c,e6,e0,80,
ce,3e,d9,77,57,f1,64,6a,7f,49,1b,de,5f,6e,72,77,ce,78,1d,a2,7c,ff,df,ee,ea,\
"rkeysecu"=hex:57,94,b2,4d,4c,cd,fe,bf,32,a3,20,a6,ce,19,23,b7
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\rundll32.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\PnkBstrA.exe
c:\windows\system32\PnkBstrB.exe
c:\windows\system32\wscntfy.exe
c:\windows\SoftwareDistribution\Download\7e70d7f1344368369315f2c9066e4c9c\update\update.exe
.
**************************************************************************
.
Completion time: 2009-01-16 11:31:30 - machine was rebooted
ComboFix-quarantined-files.txt 2009-01-16 16:31:23

Pre-Run: 115,843,932,160 bytes free
Post-Run: 115,766,624,256 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

143 --- E O F --- 2008-12-17 23:37:41
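The "Reg Loading Points" part of the ComboFix log above carries the settings a responder should read before anything else: the Security Center keys that suppress antivirus and update notifications, `EnableFirewall= 0` on the standard profile, the firewall exception list, and the globally open port. The script below is an added example, not part of the original thread and not ComboFix's own code. It parses that REGEDIT4-style section and flags those items; the sample text is a constructed excerpt modelled on the posted log, and the function names, severity labels and the list of user-writable path prefixes are my own choices. Note the caveat built into the output: an exception for a program under the user's Desktop (here OTMoveIt3.exe, the cleanup tool the helper asked for) is a triage hint, not evidence of malware.

```python
"""Triage a ComboFix 'Reg Loading Points' section for weakened security settings.

Added example for this thread; not ComboFix's code.  SAMPLE_LOG is a constructed
excerpt modelled on the posted log, so the script runs offline.
"""
import re
from typing import Iterator, List, Tuple

# Security Center values that, when set to 1, silence or override its warnings.
SECURITY_CENTER_FLAGS = {
    "antivirusdisablenotify", "antivirusoverride",
    "firewalldisablenotify", "firewalloverride",
    "updatesdisablenotify",
}

# Path prefixes (lower-case, single backslashes) a limited user can write to on XP.
# Assumption of this example: an exception for such a path deserves a second look.
USER_WRITABLE_PREFIXES = (
    "c:\\documents and settings\\",
    "%userprofile%",
    "%temp%",
)

KEY_RE = re.compile(r"^\[(.+)\]\s*$")
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*?)\s*$')

# Constructed excerpt in ComboFix's REGEDIT4 style (raw string, so backslashes
# appear exactly as ComboFix prints them: doubled inside quoted value names).
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Documents and Settings\\Number 6\\Desktop\\OTMoveIt3.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724
"""


def parse_reg_section(text: str) -> Iterator[Tuple[str, str, str]]:
    """Yield (key, value_name, data) for each value line; key is lower-cased."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1).lower()
            continue
        m = VALUE_RE.match(line)
        if m and key is not None:
            yield key, m.group(1), m.group(2)


def _as_int(data: str):
    """Read 'dword:00000001' or ComboFix's '0 (0x0)' form; None if neither."""
    m = re.match(r"dword:([0-9a-f]{8})", data, re.I)
    if m:
        return int(m.group(1), 16)
    m = re.match(r"(\d+)", data)
    return int(m.group(1)) if m else None


def triage(text: str) -> List[Tuple[str, str]]:
    """Return (severity, message) findings for the settings worth a responder's eye."""
    findings = []
    for key, name, data in parse_reg_section(text):
        lname = name.lower()
        if key.endswith("\\security center") and lname in SECURITY_CENTER_FLAGS:
            if _as_int(data) == 1:
                findings.append(("HIGH", f"Security Center suppression: {name}=1"))
        elif key.endswith("firewallpolicy\\standardprofile") and lname == "enablefirewall":
            if _as_int(data) == 0:
                findings.append(("HIGH", "Windows Firewall disabled on the standard profile"))
        elif key.endswith("\\authorizedapplications\\list"):
            path = name.replace("\\\\", "\\").lower()   # undo REGEDIT4 escaping
            if path.startswith(USER_WRITABLE_PREFIXES):
                findings.append(("MEDIUM", f"Firewall exception for user-writable path: {path}"))
        elif key.endswith("\\globallyopenports\\list"):
            findings.append(("INFO", f"Globally open port: {data or name}"))
    return findings


if __name__ == "__main__":
    for severity, message in triage(SAMPLE_LOG):
        print(f"[{severity}] {message}")
```

Run it against a real ComboFix log by reading the file and passing its contents to `triage()`; the REGEDIT4 block is the only part the parser cares about, so other sections pass through harmlessly. Treat the MEDIUM and INFO lines as prompts for a question (who opened port 3724, and why is a Desktop executable whitelisted), not as verdicts.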

#13 Dr. Weird

Dr. Weird
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  • Local time:09:49 AM

Posted 16 January 2009 - 11:35 AM

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:34:46 AM, on 1/16/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\VIA\RAID\raid_tool.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\DNA\btdna.exe
C:\Program Files\Electronic Arts\EADM\Core.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [RaidTool] C:\Program Files\VIA\RAID\raid_tool.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [igndlm.exe] C:\Program Files\Download Manager\DLM.exe /windowsstart /startifwork
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [EA Core] "C:\Program Files\Electronic Arts\EADM\Core.exe" -silent
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/200707...ex/qtplugin.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.7.109.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://sdlc-esd.sun.com/ESD5/JSCDL/jre/6u1...=javadl.sun.com
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe

--
End of file - 5633 bytes

#14 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • OFFLINE
  • Local time:09:49 PM

Posted 16 January 2009 - 12:04 PM

Looks good to me.. Let's do an online scan to make sure we got them all :thumbsup:


Please run a free online scan with the ESET Online Scanner
Note: You will need to use Internet Explorer for this scan.
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the options Remove found threats and Scan unwanted applications are checked
  • Click Scan
    Wait for the scan to finish
  • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic

How's the computer now? :)

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#15 Dr. Weird

Dr. Weird
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  • Local time:09:49 AM

Posted 17 January 2009 - 04:56 PM

My computer is running great now, thanks. But it looks like some threats remain:

# version=4
# OnlineScanner.ocx=1.0.0.56
# OnlineScannerDLLA.dll=1, 0, 0, 51
# OnlineScannerDLLW.dll=1, 0, 0, 51
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=3774 (20090117)
# vers_arch_module=1.064 (20080214)
# vers_adv_heur_module=1.066 (20070917)
# EOSSerial=e6f57062d34a9b4680e84d69bbc494a6
# end=finished
# remove_checked=true
# unwanted_checked=true
# utc_time=2009-01-17 09:53:10
# local_time=2009-01-17 04:53:10 (-0500, Eastern Standard Time)
# country="United States"
# osver=5.1.2600 NT Service Pack 3
# scanned=155524
# found=2
# scan_time=1115
C:\_OTMoveIt\MovedFiles\01112009_091734\WINDOWS\system32\jasutudo.dll Win32/Adware.Virtumonde application (unable to clean - deleted) 00000000000000000000000000000000
C:\_OTMoveIt\MovedFiles\01112009_091734\WINDOWS\system32\turepare.dll.tmp Win32/Adware.Virtumonde application (unable to clean - deleted) 00000000000000000000000000000000
