unknown Virus/Trojan/Spyware/Malware


  • This topic is locked
15 replies to this topic

#1 cerius

  • Members
  • 10 posts
  • OFFLINE
  • Local time:08:34 AM

Posted 12 January 2009 - 04:41 PM

My problem is that I cannot run explorer.exe from anywhere. It seems to run for a few seconds in the process list, then goes away. I have no taskbar, desktop icons, or explorer.exe running. I have run Ad-Aware with its updates as of last night and removed everything it found. I have tried to install Spybot Search and Destroy numerous times on different hard drives and even on a flash drive, and it won't start up for some reason. I had it installed already, but it stopped working (wouldn't load), so I tried reinstalling it; it would install fine but would never load the process.

There is no upload button in my browser, so I am going to copy and paste the attach.txt file. (It seems that my JavaScript is messed up; it acts up on other sites as well. I hit the BB Code Help button and nothing happens, I just hear the click sound.)


DDS (Ver_09-01-07.01) - NTFSx86
Run by cerius2 at 13:18:46.88 on Mon 01/12/2009
Internet Explorer: 6.0.2600.0000 BrowserJavaVersion: 1.6.0_07

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uSearch Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
mDefault_Search_URL = hxxp://www.google.com/ie
mSearch Page = hxxp://www.google.com
uInternet Settings,ProxyServer = <local>
uSearchAssistant = hxxp://www.google.com
mSearchAssistant = hxxp://www.google.com
uURLSearchHooks: H - No File
BHO: {213453a5-2a96-44ca-b50b-378fb745006b} - c:\windows\system32\mosodama.dll
TB: RefresherBand Class: {b24ba06e-fb7b-4757-95c2-dc01125f750e} - c:\yrefre~1\YREFRE~1.DLL
TB: Norton AntiVirus: {42cdd1bf-3ffb-4238-8ad1-7859df00b1d6} - c:\program files\norton systemworks\norton antivirus\NavShExt.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File
EB: Media Band: {32683183-48a0-441b-a342-7c2a440a9478} - %SystemRoot%\System32\browseui.dll
EB: {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - No File
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [RIMDeviceManager] "c:\program files\common files\research in motion\rimdevicemanager\RIMDeviceManager.exe" -RunServer
uRun: [PlayNC Launcher] d:\program files\ncsoft\launcher\NCLauncher.exe /Minimized
uRun: [Palringo] "c:\program files\palringo\palringo.exe" /hidden
uRun: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
uRun: [Norton SystemWorks] "c:\program files\norton systemworks\cfgwiz.exe" /GUID {05858CFD-5CC4-4ceb-AAAF-CF00BF39736A} /MODE CfgWiz
uRun: [Advanced SystemCare 3] "c:\program files\iobit\advanced systemcare 3\AWC.exe" /startup
mRun: [zBrowser Launcher] c:\program files\logitech\itouch\iTouch.exe
mRun: [Symantec NetDriver Monitor] c:\progra~1\symnet~1\SNDMon.exe /Consumer
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_07\bin\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [PRONoMgr.exe] c:\program files\intel\ncs\proset\PRONoMgr.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [LVCOMSX] c:\windows\system32\LVCOMSX.EXE
mRun: [LVComs] c:\windows\system32\LVComS.exe
mRun: [LogitechVideo[inspector]] c:\program files\logitech\video\InstallHelper.exe /inspect
mRun: [LogitechCameraService(E)] c:\windows\system32\ElkCtrl.exe /automation
mRun: [LogitechCameraAssistant] c:\program files\logitech\video\CameraAssistant.exe
mRun: [Logitech Utility] Logi_MwX.Exe
mRun: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [Logitech BT Wizard] LBTWiz.exe -silent
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [EPSON Stylus Photo 820 Series] c:\windows\system32\spool\drivers\w32x86\3\E_S0EIC1.EXE /P29 "EPSON Stylus Photo 820 Series" /O6 "USB001" /M "Stylus Photo 820"
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [C-Media Mixer] Mixer.exe /startup
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [brastk] brastk.exe
mRun: [ISTray] "c:\program files\spyware doctor\pctsTray.exe"
mRun: [viretujaza] Rundll32.exe "c:\windows\system32\varipovu.dll",s
mRun: [58738961] rundll32.exe "c:\windows\system32\zazojire.dll",b
mRun: [CPM5b40bafd] Rundll32.exe "c:\windows\system32\vesufibi.dll",a
dRunOnce: [RunNarrator] Narrator.exe
dRunOnce: [SRUUninstall] "c:\windows\system32\msiexec.exe" /x {6AF90EF6-F7F9-466C-99F4-1774826FBB40} /qn REBOOT=ReallySuppress
dRunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe
uPolicies-explorer: NoSettingsWizards = 1 (0x1)
uPolicies-explorer: NoWinKeys = 1 (0x1)
uPolicies-explorer: NoRecycleFiles = 1 (0x1)
uPolicies-explorer: NoGoTo = 1 (0x1)
uPolicies-explorer: NoInstrumentation = 1 (0x1)
uPolicies-explorer: NoSMHelp = 1 (0x1)
uPolicies-explorer: NoHelp = 1 (0x1)
uPolicies-explorer: NoSMMyPictures = 1 (0x1)
uPolicies-explorer: NoStartMenuMyMusic = 1 (0x1)
uPolicies-explorer: NoSMMyDocs = 1 (0x1)
uPolicies-explorer: NoStartMenuNetworkPlaces = 1 (0x1)
uPolicies-explorer: NoFavoritesMenu = 1 (0x1)
uPolicies-explorer: NoNetworkConnections = 1 (0x1)
uPolicies-explorer: NoCustomizeWebView = 1 (0x1)
uPolicies-explorer: NoPrinters = 1 (0x1)
uPolicies-explorer: NoInternetIcon = 1 (0x1)
uPolicies-explorer: SpecifyDefaultButtons = 0 (0x0)
uPolicies-explorer: Btn_Folders = 2 (0x2)
uPolicies-explorer: Btn_Fullscreen = 2 (0x2)
uPolicies-explorer: Btn_Tools = 2 (0x2)
uPolicies-explorer: Btn_MailNews = 2 (0x2)
uPolicies-explorer: Btn_Size = 2 (0x2)
uPolicies-explorer: Btn_Edit = 2 (0x2)
uPolicies-explorer: Btn_Discussions = 2 (0x2)
uPolicies-explorer: Btn_Cut = 2 (0x2)
uPolicies-explorer: Btn_Copy = 2 (0x2)
uPolicies-explorer: Btn_Paste = 2 (0x2)
uPolicies-system: DisableLockWorkstation = 1 (0x1)
uPolicies-system: DisableChangePassword = 1 (0x1)
uPolicies-system: NoSecCPL = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: LBTWlgn - c:\program files\common files\logitech\bluetooth\LBTWlgn.dll
AppInit_DLLs: c:\windows\system32\karna.dat
SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\vesufibi.dll
STS: STS: {ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} - c:\windows\system32\vesufibi.dll
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, digeste.dll
LSA: Notification Packages = scecli c:\windows\system32\wefejezo.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\cerius2\applic~1\mozilla\firefox\profiles\v12vrka0.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: network.proxy.type - 4
FF - component: c:\program files\mozilla firefox\components\nsoffersfortoday.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NpIpx32.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npmozax.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npmusicn.dll
FF - plugin: c:\program files\real\realone player\netscape6\nppl3260.dll
FF - plugin: c:\program files\real\realone player\netscape6\nprjplug.dll
FF - plugin: c:\program files\real\realone player\netscape6\nprpjplug.dll
FF - plugin: c:\program files\veoh networks\veoh\plugins\noreg\NPVeohVersion.dll

============= SERVICES / DRIVERS ===============


============== File Associations ===============

inffile=c:\windows\softwaredistribution\download\6ca7b3a8efd5a9b6f87fff395a2eb989\notepad.exe %1

=============== Created Last 30 ================

2009-01-11 16:16 <DIR> --d----- c:\program files\uTorrent
2009-01-11 16:16 <DIR> --d----- c:\docume~1\cerius2\applic~1\uTorrent
2009-01-11 16:07 22,528 a------- c:\windows\system32\~.exe
2009-01-10 01:34 114 a------- C:\shellfix.reg
2009-01-10 01:34 122 a------- C:\desktop_ok.reg
2009-01-09 23:20 <DIR> --d----- c:\docume~1\cerius2\applic~1\Any Video Converter
2009-01-09 23:20 <DIR> --d----- c:\program files\Any Video Converter
2009-01-09 16:01 333 a------- c:\windows\system32\test.aok
2009-01-09 16:00 258,048 a------- c:\windows\system32\GplMpgDec.ax
2009-01-09 16:00 129,024 a------- c:\windows\system32\AVERM.dll
2009-01-09 16:00 28,672 a------- c:\windows\system32\AVEQT.dll
2009-01-09 16:00 <DIR> --d----- c:\program files\Allok MPEG4 Converter
2009-01-05 20:49 524 a------- c:\windows\Shortcut to notepad.exe.bak.lnk
2009-01-05 19:42 54,156 a---h--- c:\windows\QTFont.qfn
2009-01-05 19:42 1,409 a------- c:\windows\QTFont.for
2009-01-05 18:57 <DIR> --d----- c:\docume~1\cerius2\applic~1\Software Informer
2009-01-05 18:11 <DIR> --d----- c:\docume~1\cerius2\applic~1\IObit
2009-01-05 18:11 <DIR> --d----- c:\program files\IObit
2009-01-05 16:03 <DIR> --d----- c:\docume~1\alluse~1\applic~1\GRETECH
2009-01-05 16:02 <DIR> --d----- c:\program files\GRETECH
2009-01-05 13:43 <DIR> --d----- C:\2x
2009-01-05 12:00 4,236 a------- C:\Catalog.LiveSubscribe
2009-01-03 08:37 120 ---sh--- c:\windows\system32\ulibujam.ini
2009-01-02 23:23 120 ---sh--- c:\windows\system32\amabumim.ini
2009-01-02 01:41 120 ---sh--- c:\windows\system32\oliravuk.ini
2009-01-02 01:39 9,728 a------- c:\windows\system32\brastk.exe
2009-01-02 01:39 9,728 a------- c:\windows\brastk.exe
2009-01-01 01:49 1,262,075 ---sh--- c:\windows\system32\ofepewod.ini
2008-12-31 13:49 120 ---sh--- c:\windows\system32\otagiped.ini
2008-12-31 01:49 120 ---sh--- c:\windows\system32\akulutob.ini
2008-12-30 13:43 120 ---sh--- c:\windows\system32\umelajuv.ini
2008-12-30 01:42 120 ---sh--- c:\windows\system32\atenavig.ini
2008-12-29 13:37 120 ---sh--- c:\windows\system32\ozadasaw.ini
2008-12-29 01:36 120 ---sh--- c:\windows\system32\olehibuj.ini
2008-12-28 13:35 120 ---sh--- c:\windows\system32\iwesorug.ini
2008-12-28 01:34 120 ---sh--- c:\windows\system32\ebazutaf.ini
2008-12-27 13:34 120 ---sh--- c:\windows\system32\ozezesuw.ini
2008-12-27 00:28 120 ---sh--- c:\windows\system32\ujosefip.ini
2008-12-26 12:27 120 ---sh--- c:\windows\system32\ovohazuz.ini
2008-12-26 00:27 120 ---sh--- c:\windows\system32\ewogomul.ini
2008-12-25 12:27 120 ---sh--- c:\windows\system32\ekejavet.ini
2008-12-24 23:38 120 ---sh--- c:\windows\system32\utufulur.ini
2008-12-24 05:12 120 ---sh--- c:\windows\system32\ipedilog.ini
2008-12-24 04:12 2,098 ---sh--- c:\windows\system32\vimodiya.dll
2008-12-23 16:12 2,098 ---sh--- c:\windows\system32\tazotiwu.dll
2008-12-23 04:06 120 ---sh--- c:\windows\system32\ipirolej.ini
2008-12-22 16:06 120 ---sh--- c:\windows\system32\iratorab.ini
2008-12-22 04:06 120 ---sh--- c:\windows\system32\ukijijol.ini
2008-12-21 16:05 120 ---sh--- c:\windows\system32\etunitep.ini
2008-12-21 04:05 120 ---sh--- c:\windows\system32\ehesikol.ini
2008-12-20 16:05 120 ---sh--- c:\windows\system32\awuyurem.ini
2008-12-20 04:05 120 ---sh--- c:\windows\system32\efuwuviy.ini
2008-12-19 16:05 120 ---sh--- c:\windows\system32\ebarunab.ini
2008-12-19 04:04 120 ---sh--- c:\windows\system32\egewerif.ini
2008-12-18 16:04 120 ---sh--- c:\windows\system32\iveveviw.ini
2008-12-18 15:56 120 ---sh--- c:\windows\system32\avoridad.ini
2008-12-17 16:04 120 ---sh--- c:\windows\system32\ezigilir.ini
2008-12-17 04:03 1,598,273 ---sh--- c:\windows\system32\uzilipaf.ini
2008-12-17 02:42 81,288 a------- c:\windows\system32\drivers\iksyssec.sys
2008-12-17 02:42 66,952 a------- c:\windows\system32\drivers\iksysflt.sys
2008-12-17 02:42 40,840 a------- c:\windows\system32\drivers\ikfilesec.sys
2008-12-17 02:42 29,576 a------- c:\windows\system32\drivers\kcom.sys
2008-12-17 02:42 <DIR> --d----- c:\program files\Spyware Doctor
2008-12-17 02:42 <DIR> --d----- c:\docume~1\cerius2\applic~1\PC Tools
2008-12-17 02:41 <DIR> --d----- c:\program files\SpywareBlaster

==================== Find3M ====================

2009-01-12 09:45 101,546 a------- c:\windows\system32\vesufibi.dll
2009-01-12 09:45 87,677 a------- c:\windows\system32\zazojire.dll
2009-01-12 08:40 64,239 a--sh--- c:\windows\system32\senazisa.dll
2009-01-11 20:39 91,338 a--sh--- c:\windows\system32\jetahoga.dll
2009-01-11 20:39 103,187 a--sh--- c:\windows\system32\tivopiyu.dll
2009-01-11 08:39 103,211 a--sh--- c:\windows\system32\wawihuvu.dll
2009-01-11 08:39 90,868 a--sh--- c:\windows\system32\wefifofi.dll
2009-01-10 20:39 103,198 a--sh--- c:\windows\system32\vofobonu.dll
2009-01-10 20:39 91,281 a--sh--- c:\windows\system32\renugipi.dll
2009-01-10 10:10 6,144 a------- c:\windows\system32\karna.dat
2009-01-10 08:39 103,123 a--sh--- c:\windows\system32\jerapuwi.dll
2009-01-10 08:39 90,890 a--sh--- c:\windows\system32\nefizoke.dll
2009-01-09 20:38 68,286 a--sh--- c:\windows\system32\bemumiha.dll
2009-01-09 20:38 103,202 a--sh--- c:\windows\system32\semozidu.dll
2009-01-09 20:38 90,279 a--sh--- c:\windows\system32\duretowo.dll
2009-01-09 08:38 103,056 a--sh--- c:\windows\system32\weyibadu.dll
2009-01-09 08:38 90,401 a--sh--- c:\windows\system32\jodokono.dll
2009-01-08 20:38 103,538 a--sh--- c:\windows\system32\buvalaro.dll
2009-01-08 20:38 90,743 a--sh--- c:\windows\system32\tojuhozu.dll
2009-01-08 08:38 90,961 a--sh--- c:\windows\system32\balumoke.dll
2009-01-08 08:38 102,047 a--sh--- c:\windows\system32\yudorefa.dll
2009-01-07 20:37 103,761 a--sh--- c:\windows\system32\gihezawo.dll
2009-01-07 20:37 90,950 a--sh--- c:\windows\system32\babofuve.dll
2009-01-07 08:37 90,242 a--sh--- c:\windows\system32\gemujupa.dll
2009-01-07 08:37 103,069 a--sh--- c:\windows\system32\sejiguso.dll
2009-01-06 20:37 103,003 a--sh--- c:\windows\system32\memilimi.dll
2009-01-06 20:37 90,814 a--sh--- c:\windows\system32\yuloreme.dll
2009-01-06 08:37 67,300 a--sh--- c:\windows\system32\jutimono.dll
2009-01-06 08:37 103,684 a--sh--- c:\windows\system32\siguzuwi.dll
2009-01-06 08:37 90,309 a--sh--- c:\windows\system32\wisagosa.dll
2009-01-05 21:47 27,609 a------- c:\windows\system32\tablet.dat
2009-01-05 20:37 102,086 a--sh--- c:\windows\system32\nefapifa.dll
2009-01-05 20:37 92,405 a--sh--- c:\windows\system32\jobaruse.dll
2009-01-05 08:37 101,514 a--sh--- c:\windows\system32\jiruludi.dll
2009-01-05 08:36 89,194 a--sh--- c:\windows\system32\yatesidu.dll
2009-01-04 20:36 89,221 a--sh--- c:\windows\system32\sajifamu.dll
2009-01-04 20:36 103,029 a--sh--- c:\windows\system32\somurine.dll
2009-01-04 08:36 89,167 a--sh--- c:\windows\system32\honisuhi.dll
2009-01-04 08:36 101,571 a--sh--- c:\windows\system32\dugidora.dll
2009-01-03 20:36 102,056 a--sh--- c:\windows\system32\wotupogo.dll
2009-01-03 20:36 89,270 a--sh--- c:\windows\system32\titobigi.dll
2009-01-03 08:36 103,105 a--sh--- c:\windows\system32\wasoteba.dll
2009-01-03 08:36 89,353 a--sh--- c:\windows\system32\majubilu.dll
2009-01-02 20:35 69,850 a--sh--- c:\windows\system32\ruziveki.dll
2009-01-02 20:35 102,698 a--sh--- c:\windows\system32\kofusipo.dll
2009-01-02 01:40 96,870 a--sh--- c:\windows\system32\yoletepu.dll
2009-01-01 01:49 84,755 a------- c:\windows\system32\dowepefo.dll
2009-01-01 01:49 95,867 a------- c:\windows\system32\hapewoya.dll
2008-12-31 13:49 96,902 a------- c:\windows\system32\panirola.dll
2008-12-31 01:49 96,861 a------- c:\windows\system32\kereyuyi.dll
2008-12-30 13:43 97,426 a------- c:\windows\system32\mobejaza.dll
2008-12-30 13:43 61,151 a------- c:\windows\system32\besahime.dll
2008-12-30 01:42 97,523 a------- c:\windows\system32\gobudeho.dll
2008-12-29 13:37 96,973 a------- c:\windows\system32\pisabupe.dll
2008-12-29 13:37 62,260 a------- c:\windows\system32\hebokali.dll
2008-12-29 01:36 95,856 a------- c:\windows\system32\weravasa.dll
2008-12-28 13:35 97,956 a------- c:\windows\system32\kojuyabe.dll
2008-12-28 13:35 85,242 -------- c:\windows\system32\gurosewi.dll
2008-12-28 01:34 96,553 a------- c:\windows\system32\bujowudu.dll
2008-12-28 01:34 87,196 -------- c:\windows\system32\fatuzabe.dll
2008-12-27 13:34 99,070 a------- c:\windows\system32\lekojeta.dll
2008-12-27 13:34 87,251 -------- c:\windows\system32\wusezezo.dll
2008-12-27 12:28 61,507 a--sh--- c:\windows\system32\vakidibe.dll
2008-12-27 00:28 98,978 a--sh--- c:\windows\system32\ribofuvu.dll
2008-12-27 00:28 87,278 -------- c:\windows\system32\pifesoju.dll
2008-12-26 12:28 95,859 a--sh--- c:\windows\system32\biyiziko.dll
2008-12-26 12:27 85,194 -------- c:\windows\system32\zuzahovo.dll
2008-12-26 00:27 97,929 a--sh--- c:\windows\system32\yonetaso.dll
2008-12-26 00:27 85,050 -------- c:\windows\system32\lumogowe.dll
2008-12-25 12:27 98,950 a--sh--- c:\windows\system32\wedamuvi.dll
2008-12-25 12:27 85,094 -------- c:\windows\system32\tevajeke.dll
2008-12-25 11:27 63,635 a--sh--- c:\windows\system32\rapepute.dll
2008-12-24 23:27 96,339 a--sh--- c:\windows\system32\hupebogi.dll
2008-12-24 23:27 84,183 -------- c:\windows\system32\rulufutu.dll
2008-12-24 05:12 84,246 a------- c:\windows\system32\golidepi.dll
2008-12-23 04:05 65,305 a--sh--- c:\windows\system32\fosokudu.dll
2008-12-23 04:05 99,061 a--sh--- c:\windows\system32\liwukeho.dll
2008-12-23 04:05 84,174 -------- c:\windows\system32\jeloripi.dll
2008-12-22 16:05 95,857 a--sh--- c:\windows\system32\yanijami.dll
2008-12-22 16:05 83,047 -------- c:\windows\system32\barotari.dll
2008-12-22 04:05 95,864 a--sh--- c:\windows\system32\lulosiki.dll
2008-12-21 16:05 96,036 a--sh--- c:\windows\system32\sigogeve.dll
2008-12-21 16:04 87,200 -------- c:\windows\system32\petinute.dll
2008-12-21 04:04 87,300 -------- c:\windows\system32\lokisehe.dll
2008-12-21 04:04 95,987 a--sh--- c:\windows\system32\pijutati.dll
2008-12-20 16:04 94,917 a--sh--- c:\windows\system32\yusudanu.dll
2008-12-20 16:04 83,215 -------- c:\windows\system32\meruyuwa.dll
2008-12-20 04:04 87,231 -------- c:\windows\system32\yivuwufe.dll
2008-12-20 04:04 98,078 a--sh--- c:\windows\system32\kosalutu.dll
2008-12-19 16:04 83,189 -------- c:\windows\system32\banurabe.dll
2008-12-19 16:04 95,926 a--sh--- c:\windows\system32\tuwakebi.dll
2008-12-19 04:04 94,775 a--sh--- c:\windows\system32\holojoba.dll
2008-12-19 04:04 85,238 -------- c:\windows\system32\firewege.dll
2008-12-18 16:04 83,076 -------- c:\windows\system32\wivevevi.dll
2008-12-18 16:03 96,856 a--sh--- c:\windows\system32\segivuva.dll
2008-12-18 04:03 89,821 -------- c:\windows\system32\dadirova.dll
2008-12-18 04:03 95,422 a--sh--- c:\windows\system32\piyuniha.dll
2008-12-17 16:03 95,303 a--sh--- c:\windows\system32\muribabi.dll
2008-12-17 16:03 88,859 a--sh--- c:\windows\system32\riligize.dll
2008-12-17 04:03:42 A--SH--- 97,052 c:\windows\system32\zuyahoba.dll
2030-01-13 16:19 1,537 ac-sh--- c:\windows\page files\maxmeg.sys
2007-11-06 22:17 80 ---shr-- c:\windows\system32\77F12E2646.dll
2007-11-12 18:59 56 ---shr-- c:\windows\system32\77F12E2646.sys
2004-01-29 21:17 56 -c-shr-- c:\windows\system32\FC05249FE7.sys
2006-05-03 01:06 163,328 ---shr-- c:\windows\system32\flvDX.dll
0000-00-00 00:00 100,352 a--sh--- c:\windows\system32\fogemeva.dll
2007-11-12 19:02 1,682 a--sh--- c:\windows\system32\KGyGaAvL.sys
0000-00-00 00:00 64,239 a--sh--- c:\windows\system32\mosodama.dll
2007-02-21 02:47 31,232 ---shr-- c:\windows\system32\msfDX.dll
2008-09-27 12:28 25,600 a--sh--- c:\windows\system32\ralaziyo.dll
2008-09-25 11:27 69,632 a--sh--- c:\windows\system32\reziguge.dll
2003-09-27 23:34 9 ac-sh--- c:\windows\system32\System.sys
0000-00-00 00:00 64,239 a--sh--- c:\windows\system32\varipovu.dll
2008-09-17 03:03 95,232 a--sh--- c:\windows\system32\wapoyali.dll
0000-00-00 00:00 64,239 a--sh--- c:\windows\system32\wefejezo.dll
2008-09-05 10:12 4,096 a--sh--- c:\windows\system32\zavikalo.dll

============= FINISH: 13:27:31.68 ===============



==== Installed Programs ======================

µTorrent
Ad-Aware
Adobe Download Manager 1.2 (Remove Only)
Adobe Photoshop CS
Adobe Reader 7.0.8
Adobe SVG Viewer 3.0
Advanced SystemCare 3
Advanced WMA Workshop version 2.01
Allok MPEG4 Converter 5.1.1223
Any Video Converter 2.6.7
Apex Video Converter Free 6.48
Apex Video Converter Pro 6.35
ATI - Software Uninstall Utility
ATI Control Panel
ATI Display Driver
ATI RADEON 9700 Dogs Screen Saver v1.1
ATI RADEON 9800 Gargoyle Screen Saver v1.1
AutoBOT v4
AutoUpdate
AVI to MPEG Converter
AVI/MPEG/RM/WMV Joiner 4.82
AVS DVDMenu Editor 1.2.1.19
AVS Video Converter 5.6
Battlefield 2™ Demo
beamz Music 1
beamz Music 2
beamz Player
BlackBerry Desktop Software 4.2.2
BlackBerry Smartphone Simulators 4.5.0.55 (8320)
Blender (remove only)
BluetoothRemoteControl
Burn4Free CD & DVD 1.0.4.0
ccCommon
CDDRV_Installer
Chromatica
CLO
CodeStuff Starter
Database Conversion Wizard
DC++ 0.699
Digital Camera Manager
DivX
DivX Content Uploader
DivX Player
Dropbox
DVD Copy Plus
DVD Decrypter (Remove Only)
DVD2SVCD 1.0.8 build 1
DVDFab Decrypter 2.9.6.6
Dybuk Explorer
Easy AVI/MPEG/RM/WMV Joiner 3.0.11
Easy Video Converter 3.8.1
EPSON Printer Software
EPSON TWAIN 5
Etymonix MPEG-2 Video Codec
Exteel
EZ DVD2VCD 1.4
FinalAlert 2
FinalAlert 2 Yuri's Revenge
FLV Player 1.3.3
Free Music Zilla
Game Maker 7.0
GITS2_intro_pc Screen Saver
gmax
GOM Player
GTK+ 2.6.8-1 runtime environment
Guitar Guru Version 2.1.2
Guitar Pro 5.2
HighPoint ATA RAID Management Software
HijackThis 1.99.1
HyperCam
Image Resizer Powertoy for Windows XP
ImageDrive (Ahead Software)
Intel® PRO Network Adapters and Drivers
Intel® PROSet
InterActual Player
Internet Worm Protection
InterVideo DirectShow Filter 2.6
iTunes
J2SE Development Kit 5.0
Java 2 Runtime Environment, SE v1.4.1_03
Java 2 Runtime Environment, SE v1.4.2_03
Java 2 Runtime Environment, SE v1.4.2_05
Java 2 Runtime Environment, SE v1.4.2_06
Java 2 SDK, SE v1.4.2
Java™ 6 Update 6
Java™ 6 Update 7
KhalSetup
LimeWire 4.18.3
LiveReg (Symantec Corporation)
LiveUpdate 3.0 (Symantec Corporation)
Logitech Desktop Messenger
Logitech iTouch Software
Logitech MouseWare 9.76
Logitech Pocket Digital
Logitech QuickCam Software
Logitech Resource Center
Logitech SetPoint
Logitech® Camera Driver
Macromedia Flash MX
Macromedia Shockwave Player
Memory Gutter XP (Remove)
Messenger Plus! Live
Microsoft .NET Framework (English) v1.0.3705
Microsoft .NET Framework 2.0
Microsoft DirectX Transform optional components
Microsoft FrontPage Client - English
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
Microsoft Office Excel Viewer 2003
Microsoft Office Professional Edition 2003
Microsoft Office XP Professional with FrontPage
Microsoft Plus! Digital Media Edition
Microsoft Visual C++ 2005 Redistributable
Microsoft XML Parser and SDK
mIRC
Mozilla Firefox (3.0.5)
MP3PowerEncoder
Mpeg Layer3 Codec FHG-Radium v1.263
MSN Add-in for Windows Messenger
MSN Music Assistant
MSRedist
MSXML 4.0 SP2 Parser and SDK
MSXML 6.0 Parser
Music Visualizer Library 1.4.00
Napster
Napster Burn Engine
Nero - Burning Rom (Web installer)
Nimo Codecs Pack v4.4 (Remove Only)
Norton AntiVirus 2005
Norton AntiVirus Parent MSI
Norton SystemWorks
Norton SystemWorks 2005
Norton SystemWorks 2005 (Symantec Corporation)
Norton Utilities
Norton WMI Update
NSW_DRM_COLLECTION
NVIDIA WDM Drivers
NVIDIA Windows 2000/XP Display Drivers
NVIDIA Windows 95/98/ME/2000/XP Stereo Drivers
OGM to AVI Beta .6
OpenMG Limited Patch 4.4-06-13-19-01
OpenMG Secure Module 4.4.00
Panda ActiveScan
Panda ActiveScan 2.0
Panda spyXposer
PCI Audio Applications
PCI Audio Driver
PlayNC Launcher
Plazmic CDK 4.6 for BlackBerry
PowerDVD
PPS Plus
Quake 3 Battlebots
QuickTime
QuickTime for Windows (32-bit)
QuickVCD Player v3.0
RealPlayer
RebirthRO Small Client
Refresher
RGSS-RTP Standard
Rhapsody Player Engine
Robotics Invention System
RPG Maker VX RTP
RPGXP
RPGXP_102
RTPatch Update
Runtime Files Pack 1
Rylee Fretboard Addict
SATARaid
Send File
ShadowFlare
Shockwave
Sierra Account Wizard
Sierra Utilities
Skype™ 3.5
Slideshow Generator Powertoy for Windows XP
SlowView
Solid State ION Internet Explorer Plugin
Sony Ericsson Image Editor
SoulSeek 157 test 8
SOYO HW Monitor
SPBBC
Spybot - Search & Destroy
Spyware Doctor 6.0
SpywareBlaster 4.1
Steel Warrior
Sunbelt Kerio Personal Firewall
SUPER © Version 2007.bld.23 (July 4, 2007)
Symantec Network Driver Update
Symantec Network Drivers Update
Symantec Script Blocking Installer
SymNet
Timershot Powertoy for Windows XP
TPP Storage Driver Installation
Trillian
TrueChat
Tweakui Powertoy for Windows XP
Unreal Tournament 2004
URGE
USB Storage Adapter (TPP)
USB Storage Adapter V2 (TPP)
USB Storage Adapter V3 (TPP)
VeohTV BETA
Viewpoint Media Player
Vimicro USB PC Camera (VC0305)
Virtual Desktop Manager Powertoy for Windows XP
Visual Basic 4 Runtime Files
Visual Studio.NET Baseline - English
VisualMouse 0.985
VisualRoute
VoipCheapCom
Wacom Tablet Driver
WebFldrs XP
WIDCOMM Bluetooth Software
Winamp
WinAVI Video Converter
Windows Installer 3.1 (KB893803)
Windows Live Messenger
Windows Media Encoder 9 Series
Windows Media Format Runtime
Windows Media Player 10
Windows XP Hotfix - KB823559
Windows XP Hotfix - KB828741
Windows XP Hotfix - KB833987
Windows XP Hotfix - KB834707
Windows XP Hotfix - KB835732
Windows XP Hotfix - KB840987
Windows XP Hotfix - KB841356
Windows XP Hotfix - KB841533
Windows XP Hotfix - KB842773
Windows XP Hotfix - KB873376
Windows XP Hotfix - KB887811
Windows XP Hotfix - KB887822
Windows XP Hotfix (SP1) [See Q329048 for more information]
Windows XP Hotfix (SP1) [See Q329390 for more information]
Windows XP Hotfix (SP1) [See Q329441 for more information]
Windows XP Hotfix (SP1) [See Q329834 for more information]
Windows XP Hotfix (SP1) Q329170
Windows XP Hotfix (SP1) Q810577
Windows XP Hotfix (SP1) Q810833
Windows XP Hotfix (SP1) Q817606
Windows XP Hotfix (SP2) [See Q329115 for more information]
WinMX
WinRAR archiver
WinZip
XviD MPEG-4 Video Codec
Yahoo! Messenger
Yrefresher 1.00
ZMatrix 1.5.2
ZyDAS IEEE 802.11 b+g Wireless LAN - USB

==== End Of File ===========================
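The DDS report above shows the persistence points a Vundo-family infection typically uses: randomly named eight-letter DLLs in System32 loaded through Run keys (via rundll32 with a single-letter export), a BHO, SSODL and SharedTaskScheduler entries, an AppInit_DLLs value (karna.dat), an extra LSA notification package beside scecli, a long list of HKCU Explorer/System restriction policies, and an inffile association pointing at a copy of notepad.exe under SoftwareDistribution. The script below is an added example, not part of the original post or of the DDS tool, that triages such a report automatically. The consonant/vowel naming heuristic and the severity labels are assumptions derived from the names in this log, and the sample input is a constructed subset of the lines posted above plus two benign entries.

```python
"""Triage a DDS 'Pseudo HJT Report' for the persistence points seen in the log above.

Added example: the naming heuristic and severity labels are assumptions, not DDS features.
"""
import re
from collections import Counter

# Heuristic taken from the names in this log: the dropped DLLs are 8 lowercase letters
# alternating consonant/vowel (vesufibi, zazojire, varipovu, mosodama, wefejezo).
_CONS, _VOW = "[b-df-hj-np-tv-z]", "[aeiou]"
RANDOM_DLL = re.compile(r"\\((?:%s%s){4})\.dll\b" % (_CONS, _VOW))
RUN_KEY = re.compile(r"^[umd]Run(Once)?$")        # uRun/mRun/dRun and the RunOnce variants
ASSOC = re.compile(r"^(\w+)=(.+)$")               # File Associations section, e.g. inffile=...

# Constructed sample: a subset of the lines from the posted DDS log plus two benign entries.
SAMPLE_DDS = r"""
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [brastk] brastk.exe
mRun: [viretujaza] Rundll32.exe "c:\windows\system32\varipovu.dll",s
mRun: [58738961] rundll32.exe "c:\windows\system32\zazojire.dll",b
BHO: {213453a5-2a96-44ca-b50b-378fb745006b} - c:\windows\system32\mosodama.dll
TB: Norton AntiVirus: {42cdd1bf-3ffb-4238-8ad1-7859df00b1d6} - c:\program files\norton systemworks\norton antivirus\NavShExt.dll
uPolicies-explorer: NoHelp = 1 (0x1)
uPolicies-system: DisableLockWorkstation = 1 (0x1)
AppInit_DLLs: c:\windows\system32\karna.dat
SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\vesufibi.dll
STS: STS: {ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} - c:\windows\system32\vesufibi.dll
LSA: Notification Packages = scecli c:\windows\system32\wefejezo.dll
inffile=c:\windows\softwaredistribution\download\6ca7b3a8efd5a9b6f87fff395a2eb989\notepad.exe %1
"""


def triage(dds_text):
    """Return a list of (severity, reason, line) for each suspicious entry."""
    findings = []
    for raw in dds_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        # File-association lines carry no 'kind:' prefix; the handler should live under System32.
        assoc = ASSOC.match(line)
        if assoc:
            if "\\system32\\" not in assoc.group(2).lower():
                findings.append(("high", assoc.group(1) + " handler outside System32", line))
            continue
        kind, _, rest = line.partition(":")
        kind, rest = kind.strip(), rest.strip()
        # 1. Random consonant/vowel DLL name living in System32 (any load point).
        m = RANDOM_DLL.search(line)
        if m and "system32" in line.lower():
            findings.append(("high", "%s: random-named System32 DLL %s.dll" % (kind, m.group(1)), line))
        # 2. AppInit_DLLs is loaded into every process that maps user32.dll; stock XP leaves it empty.
        if kind == "AppInit_DLLs" and rest:
            findings.append(("high", "AppInit_DLLs populated (loaded into every user32 process)", line))
        # 3. LSA notification packages run inside lsass at logon/password change; only scecli is expected.
        if kind == "LSA" and rest.startswith("Notification Packages"):
            extra = [p for p in rest.split("=", 1)[1].split() if p.lower() != "scecli"]
            if extra:
                findings.append(("high", "extra LSA notification package(s): " + ", ".join(extra), line))
        # 4. Explorer/System restriction policies set to a non-zero value (the lockdowns in the log).
        if kind.endswith("Policies-explorer") or kind.endswith("Policies-system"):
            name, _, value = rest.partition("=")
            if value.split()[0] != "0":
                findings.append(("medium", "restriction policy set: " + name.strip(), line))
        # 5. Run entries with a bare file name are resolved by PATH search (brastk.exe sits in two places).
        if RUN_KEY.match(kind) and "\\" not in rest.split("]", 1)[-1]:
            findings.append(("low", kind + " entry without a path (found via PATH search)", line))
    return findings


def summary(dds_text):
    """Counts per severity, e.g. {'high': 9, 'medium': 2, 'low': 1} for SAMPLE_DDS."""
    return dict(Counter(sev for sev, _, _ in triage(dds_text)))


if __name__ == "__main__":
    for sev, reason, line in triage(SAMPLE_DDS):
        print("[%-6s] %s\n         %s" % (sev, reason, line))
    print(summary(SAMPLE_DDS))
```

Run it against a full DDS attach.txt by reading the file into `triage()`. The name heuristic is deliberately narrow (lowercase, eight letters, alternating consonant/vowel) so that legitimate eight-letter system DLLs such as browseui.dll or schannel.dll are not flagged, but it is a triage aid, not a verdict: anything it reports still needs the file's timestamp, attributes and hash checked.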



#2 fenzodahl512

  • Members
  • 6,738 posts
  • OFFLINE
  • Local time:12:34 AM

Posted 16 January 2009 - 10:45 AM

Please download Malwarebytes' Anti-Malware from HERE or HERE

Note: If you already have Malwarebytes' Anti-Malware, just run and update it, then do a "Perform Full Scan".

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to restart (see Extra Note).
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.




NEXT


Please download RSIT by random/random and save it to your Desktop.
  • Double click on RSIT.exe to run RSIT
  • Before you click "Continue", make sure you change the List files/folders created or modified in the last 3 months
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt and info.txt in your next reply.



NEXT


Please download GMER and unzip it to your Desktop.
  • Open the program and click on the Rootkit tab.
  • Make sure all the boxes on the right of the screen are checked, EXCEPT for ‘Show All’.
  • Click on Scan.
  • When the scan has finished, click Copy, paste the results into Notepad, save it, and attach it in this thread.


Post these logs in your next reply. Post each log in a separate post.

1. Malwarebytes'
2. RSIT log.txt
3. RSIT info.txt
4. Attach GMER result.

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#3 fenzodahl512

  • Members
  • 6,738 posts
  • OFFLINE
  • Local time:12:34 AM

Posted 21 January 2009 - 03:55 PM

Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic



#4 cerius

  • Topic Starter
  • Members
  • 10 posts
  • OFFLINE
  • Local time:08:34 AM

Posted 28 January 2009 - 08:59 PM

Malwarebytes' Anti-Malware 1.33
Database version: 1673
Windows 5.1.2600

1/25/2009 4:56:09 AM
mbam-log-2009-01-25 (04-56-09).txt

Scan type: Full Scan (C:\|)
Objects scanned: 188598
Time elapsed: 1 hour(s), 59 minute(s), 0 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 2
Registry Keys Infected: 13
Registry Values Infected: 6
Registry Data Items Infected: 5
Folders Infected: 0
Files Infected: 246

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\gosuruti.dll (Trojan.Vundo.H) -> Delete on reboot.
c:\WINDOWS\system32\seguwuli.dll (Trojan.Vundo.H) -> Delete on reboot.

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{1188add7-7d9a-801f-bcc1-4fc74649cffa} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{213453a5-2a96-44ca-b50b-378fb745006b} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{adc00b73-c5f7-4762-b860-ce06dd31d65c} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\Interface\{04a38f6b-006f-4247-ba4c-02a139d5531c} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{3c2d2a1e-031f-4397-9614-87c932a848e0} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{213453a5-2a96-44ca-b50b-378fb745006b} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{adc00b73-c5f7-4762-b860-ce06dd31d65c} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\dslcnnct (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\58738961 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\brastk (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cpm5b40bafd (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\viretujaza (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\ssodl (Trojan.Vundo.H) -> Delete on reboot.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowHelp (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSMHelp (Hijack.Help) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.FakeAlert) -> Data: system32\karna.dat -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.FakeAlert) -> Data: c:\windows\system32\karna.dat -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\pujovuje.dll
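
The MBAM log above names several different autostart locations (Run keys, ShellServiceObjectDelayLoad, SharedTaskScheduler, Browser Helper Objects, AppInit_DLLs, LSA Notification Packages). Which process loads each one matters for the symptom in the first post: SSODL and SharedTaskScheduler entries are loaded into explorer.exe itself when the shell starts, so a DLL registered there that is missing or faulting takes the shell down with it, and AppInit_DLLs entries are injected into every process that loads user32.dll. The script below is an added example, not part of the thread and not Malwarebytes code: it parses MBAM result lines (the sample is copied from the log above, embedded as constructed test data), classifies each hit by persistence mechanism and host process, and separates the items whose removal is still pending a reboot. The PERSISTENCE table, the host-process descriptions and the function names are the example's own.

```python
import re

# Sample input: lines copied from the MBAM log above (constructed test data for this example).
MBAM_LOG = r"""
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{213453a5-2a96-44ca-b50b-378fb745006b} (Trojan.Vundo.H) -> Delete on reboot.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\brastk (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\ssodl (Trojan.Vundo.H) -> Delete on reboot.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.FakeAlert) -> Data: c:\windows\system32\karna.dat -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\pujovuje.dll
"""

# Autostart locations seen in the log, keyed by a lowercase fragment of the registry path.
# The third field is the process that ends up loading the registered payload (the
# classification is this example's own, not part of the MBAM log format).
PERSISTENCE = [
    ("\\shellserviceobjectdelayload\\", "ShellServiceObjectDelayLoad", "explorer.exe (in-process at shell start)"),
    ("\\explorer\\sharedtaskscheduler\\", "SharedTaskScheduler", "explorer.exe (in-process at shell start)"),
    ("\\explorer\\browser helper objects\\", "Browser Helper Object", "iexplore.exe and, on XP, explorer.exe"),
    ("\\currentversion\\run\\", "Run key", "new process started at logon"),
    ("\\windows\\appinit_dlls", "AppInit_DLLs", "every process that loads user32.dll"),
    ("\\lsa\\notification packages", "LSA Notification Package", "lsass.exe"),
]
IN_PROCESS_EXPLORER = {"ShellServiceObjectDelayLoad", "SharedTaskScheduler", "Browser Helper Object"}

# "<key> (<detection>) -> <rest>", where <rest> is either the action taken or
# "Data: <payload> -> <action>" (the action may be missing, as on the last sample line).
LINE = re.compile(r"^(?P<key>HKEY_\S.*?) \((?P<detection>[^()]+)\) -> (?P<rest>.*)$")
DATA = re.compile(r"^Data: (?P<payload>.*?)(?: -> (?P<action>.*))?$")


def classify(log_text):
    """Parse MBAM result lines and tag each with its persistence mechanism."""
    findings = []
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        rest = m.group("rest")
        d = DATA.match(rest)
        payload = d.group("payload") if d else None
        action = (d.group("action") if d else rest) or "(no action recorded)"
        mechanism, host = "other registry artefact", "n/a"
        key_lower = m.group("key").lower()
        for fragment, mech, loader in PERSISTENCE:
            if fragment in key_lower:
                mechanism, host = mech, loader
                break
        findings.append({
            "key": m.group("key"), "detection": m.group("detection"),
            "mechanism": mechanism, "host": host, "payload": payload, "action": action,
        })
    return findings


def explorer_loaders(findings):
    """Entries that explorer.exe loads into its own address space; prime suspects
    when the shell exits a few seconds after starting, as in the first post."""
    return [f for f in findings if f["mechanism"] in IN_PROCESS_EXPLORER]


def pending_reboot(findings):
    """Entries MBAM could not remove while the payload was loaded; still live until restart."""
    return [f for f in findings if f["action"] == "Delete on reboot."]


def report(findings):
    lines = []
    for f in findings:
        lines.append(f"{f['mechanism']:<28} loads in: {f['host']:<40} {f['detection']}")
        if f["payload"]:
            lines.append(f"{'':<28} payload:  {f['payload']}")
        lines.append(f"{'':<28} status:   {f['action']}")
    return "\n".join(lines)


if __name__ == "__main__":
    found = classify(MBAM_LOG)
    print(report(found))
    print(f"\n{len(explorer_loaders(found))} entries load inside explorer.exe; "
          f"{len(pending_reboot(found))} removals still pending a reboot.")
```

Run stand-alone it prints one entry per line; the two helper functions answer the two questions a responder would ask of this log: what is loaded into the crashing shell, and what is still active until the machine has restarted.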

#5 cerius (Topic Starter, Members, 10 posts)

Posted 28 January 2009 - 09:02 PM

I couldn't get the rsit.exe file to run in a normal boot, but in safe mode it started with this error, "Error: Incorrect number of parameters in function call.", and "writing header information" is shown in the loading bar of rsit.exe.

#6 cerius (Topic Starter, Members, 10 posts)

Posted 28 January 2009 - 09:04 PM

For some reason I can't attach files on this website, so I pasted the GMER log.

GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2009-01-28 16:14:01
Windows 5.1.2600


---- System - GMER 1.0.14 ----

SSDT \SystemRoot\system32\drivers\fwdrv.sys (Sunbelt Kerio Firewall FWDRV/Sunbelt Software) ZwClose [0xBAB34110]
SSDT \SystemRoot\system32\drivers\fwdrv.sys (Sunbelt Kerio Firewall FWDRV/Sunbelt Software) ZwCreateFile [0xBAB33920]
SSDT \SystemRoot\system32\drivers\fwdrv.sys (Sunbelt Kerio Firewall FWDRV/Sunbelt Software) ZwCreateKey [0xBAB2FEE0]
SSDT \SystemRoot\system32\drivers\fwdrv.sys (Sunbelt Kerio Firewall FWDRV/Sunbelt Software) ZwCreateProcess [0xBAB32F20]
SSDT \SystemRoot\system32\drivers\fwdrv.sys (Sunbelt Kerio Firewall FWDRV/Sunbelt Software) ZwCreateProcessEx [0xBAB32D90]
SSDT \SystemRoot\system32\drivers\fwdrv.sys (Sunbelt Kerio Firewall FWDRV/Sunbelt Software) ZwCreateThread [0xBAB33480]
SSDT \SystemRoot\system32\drivers\fwdrv.sys (Sunbelt Kerio Firewall FWDRV/Sunbelt Software) ZwDeleteFile [0xBAB34190]
SSDT \SystemRoot\system32\drivers\fwdrv.sys (Sunbelt Kerio Firewall FWDRV/Sunbelt Software) ZwDeleteKey [0xBAB30320]
SSDT \SystemRoot\system32\drivers\fwdrv.sys (Sunbelt Kerio Firewall FWDRV/Sunbelt Software) ZwDeleteValueKey [0xBAB303C0]
SSDT \SystemRoot\system32\drivers\fwdrv.sys (Sunbelt Kerio Firewall FWDRV/Sunbelt Software) ZwOpenFile [0xBAB33BF0]
SSDT \SystemRoot\system32\drivers\fwdrv.sys (Sunbelt Kerio Firewall FWDRV/Sunbelt Software) ZwOpenKey [0xBAB30140]
SSDT \SystemRoot\system32\drivers\iksysflt.sys (System Filter Device Driver/PCTools Research Pty Ltd.) ZwRenameKey [0xBAD6012A]
SSDT \SystemRoot\system32\drivers\fwdrv.sys (Sunbelt Kerio Firewall FWDRV/Sunbelt Software) ZwResumeThread [0xBAB33510]
SSDT \SystemRoot\system32\drivers\fwdrv.sys (Sunbelt Kerio Firewall FWDRV/Sunbelt Software) ZwSetInformationFile [0xBAB33F00]
SSDT \SystemRoot\system32\drivers\fwdrv.sys (Sunbelt Kerio Firewall FWDRV/Sunbelt Software) ZwSetValueKey [0xBAB304D0]
SSDT \SystemRoot\system32\drivers\iksysflt.sys (System Filter Device Driver/PCTools Research Pty Ltd.) ZwTerminateProcess [0xBAD5AD0A]
SSDT \SystemRoot\system32\drivers\fwdrv.sys (Sunbelt Kerio Firewall FWDRV/Sunbelt Software) ZwWriteFile [0xBAB33E50]
SSDT \SystemRoot\system32\drivers\iksysflt.sys (System Filter Device Driver/PCTools Research Pty Ltd.) ZwWriteVirtualMemory [0xBAD5A384]

---- Kernel code sections - GMER 1.0.14 ----

PAGENDSM NDIS.sys!NdisMIndicateStatus F785170D 6 Bytes JMP BAB27ED0 \SystemRoot\system32\drivers\fwdrv.sys (Sunbelt Kerio Firewall FWDRV/Sunbelt Software)

---- Kernel IAT/EAT - GMER 1.0.14 ----

IAT \SystemRoot\System32\DRIVERS\tcpip.sys[NDIS.SYS!NdisCloseAdapter] [BAB27CE0] \SystemRoot\system32\drivers\fwdrv.sys (Sunbelt Kerio Firewall FWDRV/Sunbelt Software)
IAT \SystemRoot\System32\DRIVERS\tcpip.sys[NDIS.SYS!NdisRegisterProtocol] [BAB27D90] \SystemRoot\system32\drivers\fwdrv.sys (Sunbelt Kerio Firewall FWDRV/Sunbelt Software)
IAT \SystemRoot\System32\DRIVERS\tcpip.sys[NDIS.SYS!NdisOpenAdapter] [BAB27D00] \SystemRoot\system32\drivers\fwdrv.sys (Sunbelt Kerio Firewall FWDRV/Sunbelt Software)

---- Devices - GMER 1.0.14 ----

AttachedDevice \FileSystem\Ntfs \Ntfs SiWinAcc.sys (Windows Accelerator Driver/Silicon Image, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip fwdrv.sys (Sunbelt Kerio Firewall FWDRV/Sunbelt Software)
AttachedDevice \Driver\Tcpip \Device\Ip ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp fwdrv.sys (Sunbelt Kerio Firewall FWDRV/Sunbelt Software)
AttachedDevice \Driver\Tcpip \Device\Tcp ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp fwdrv.sys (Sunbelt Kerio Firewall FWDRV/Sunbelt Software)
AttachedDevice \Driver\Tcpip \Device\Udp ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp fwdrv.sys (Sunbelt Kerio Firewall FWDRV/Sunbelt Software)
AttachedDevice \Driver\Tcpip \Device\RawIp ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)

---- Registry - GMER 1.0.14 ----

Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{20388785-35A4-EC5F-4258-17B0BFF0F8AD}
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{20388785-35A4-EC5F-4258-17B0BFF0F8AD}@iapknbkfggagbihgdf 0x69 0x61 0x62 0x70 ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{20388785-35A4-EC5F-4258-17B0BFF0F8AD}@hafkgjfkfacceahl 0x6A 0x61 0x6C 0x70 ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{20388785-35A4-EC5F-4258-17B0BFF0F8AD}@ialnemhmaiaeokhaib 0x63 0x61 0x62 0x70 ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{20388785-35A4-EC5F-4258-17B0BFF0F8AD}@ablnejaiaipniajhamnljeoknbninhfedh 0x61 0x61 0x00 0x00
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{20388785-35A4-EC5F-4258-17B0BFF0F8AD}@maonjickecbolimpebddcphabh 0x61 0x61 0x00 0x00

---- Disk sectors - GMER 1.0.14 ----

Disk \Device\Harddisk0\DR0 sector 08: copy of MBR

---- Files - GMER 1.0.14 ----

ADS C:\System Volume Information\_restore{F3CE0880-EFC1-4D56-B832-49CAF6583227}\RP431\A0157206.INI:xbczjf 33872 bytes executable
ADS C:\WINDOWS\CMAURACK.INI:xbczjf 33872 bytes executable
ADS C:\WINDOWS\Greenstone.bmp:hrloyd 33872 bytes executable
ADS C:\WINDOWS\WER84.tmp:bsmeln 33872 bytes executable
ADS C:\WINDOWS\WERC8.tmp:iihkkt 33872 bytes executable
ADS C:\WINDOWS\SP3D.ini:ckrniu 33872 bytes executable
ADS C:\WINDOWS\_detmp.1:utuiwy 33872 bytes executable

---- EOF - GMER 1.0.14 ----
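
Every SSDT hook in the GMER log above resolves to a driver with a recognisable vendor string (Sunbelt Kerio Personal Firewall's fwdrv.sys and PC Tools' iksysflt.sys), which is what a host firewall and an anti-malware product are expected to do on Windows XP; a rootkit hook typically shows up as a module with no description or as a bare address. The script below is an added example, not from the thread and not GMER code: it parses GMER's SSDT lines, checks the hook owner against an allowlist of vendors assumed to be legitimately installed on this machine (that allowlist is the example's own assumption, taken from the products visible in the log), and counts hooks per module. Three sample lines are copied from the log above; the fourth line (example.sys, with no vendor string) is constructed to show how an unattributed hook is reported.

```python
import re
from collections import Counter

# Sample input: three lines copied from the GMER log above plus one constructed line
# (example.sys is a hypothetical driver with no description, not something found on the machine).
GMER_SSDT = r"""
SSDT \SystemRoot\system32\drivers\fwdrv.sys (Sunbelt Kerio Firewall FWDRV/Sunbelt Software) ZwCreateProcess [0xBAB32F20]
SSDT \SystemRoot\system32\drivers\fwdrv.sys (Sunbelt Kerio Firewall FWDRV/Sunbelt Software) ZwWriteFile [0xBAB33E50]
SSDT \SystemRoot\system32\drivers\iksysflt.sys (System Filter Device Driver/PCTools Research Pty Ltd.) ZwTerminateProcess [0xBAD5AD0A]
SSDT \??\C:\WINDOWS\system32\drivers\example.sys ZwOpenProcess [0xBA000000]
"""

# Vendors whose kernel hooks are expected here. Assumption for this example, based on the
# products visible in the log (Sunbelt Kerio Personal Firewall and PC Tools).
TRUSTED_VENDORS = {"Sunbelt Software", "PCTools Research Pty Ltd."}

# "SSDT <module> (<description>/<company>) <ZwFunction> [<address>]"; the parenthesised
# part is absent when GMER cannot attribute the module, which is the interesting case.
SSDT_LINE = re.compile(
    r"^SSDT\s+(?P<module>\S+)"
    r"(?:\s+\((?P<desc>[^)]*)\))?"
    r"\s+(?P<func>Zw\w+)\s+\[(?P<addr>0x[0-9A-Fa-f]+)\]\s*$"
)


def parse_ssdt(text):
    """Return one record per SSDT hook line: module path, vendor, hooked function, hook address."""
    hooks = []
    for line in text.splitlines():
        m = SSDT_LINE.match(line.strip())
        if not m:
            continue
        desc = m.group("desc") or ""
        # GMER prints "Description/Company"; the company part is what the allowlist checks.
        vendor = desc.rsplit("/", 1)[-1].strip() if desc else ""
        hooks.append({
            "module": m.group("module"),
            "vendor": vendor,
            "func": m.group("func"),
            "addr": int(m.group("addr"), 16),
        })
    return hooks


def triage(hooks, trusted=TRUSTED_VENDORS):
    """Split hooks into those owned by an allowlisted vendor and those needing a closer look."""
    expected = [h for h in hooks if h["vendor"] in trusted]
    review = [h for h in hooks if h["vendor"] not in trusted]
    return expected, review


def hooks_per_module(hooks):
    """Count hooks by driver file name, ignoring the path prefix (\SystemRoot\, \??\C:\...)."""
    return Counter(h["module"].rsplit("\\", 1)[-1].lower() for h in hooks)


if __name__ == "__main__":
    hooks = parse_ssdt(GMER_SSDT)
    expected, review = triage(hooks)
    for name, n in hooks_per_module(hooks).items():
        print(f"{name}: {n} hook(s)")
    for h in review:
        print(f"REVIEW: {h['func']} hooked at {h['addr']:#010x} by {h['module']} (no trusted vendor)")
    print(f"{len(expected)} expected, {len(review)} to review")
```

The allowlist is deliberately keyed on the company string rather than the file name, because a hostile driver can be given any file name but cannot easily make GMER print another company's version resource without carrying a forged one, which is itself worth noticing.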

#7 fenzodahl512 (Members, 6,738 posts)

Posted 01 February 2009 - 01:32 AM

Please restart your computer. Before running a new scan, let's clean out the temporary folders.

Please download CleanUp! by stevengould.org and save it to your Desktop.
  • Double-click CleanUp452.exe and install CleanUp! on your computer
  • Open CleanUp! and click on the Options... button.
  • Under the General tab, choose Standard CleanUp! and then click OK
  • Click on the CleanUp! button. When it asks you to log off Windows, click Yes
  • Let Windows reboot (or do it manually) and continue with the next step


Now download OTScanIt2.exe and unzip it to your Desktop.

Note: You must be logged on to the system with an account that has Administrator privileges to run this program.
  • Close ALL OTHER PROGRAMS.
  • Open the OTScanIt folder and double-click on OTScanIt.exe to start the program (if you are running on Vista then right-click the program and choose Run as Administrator).
  • At the top, tick the Scan All Users box
  • Set File Age to 90 Days
  • In the Processes, Services, Drivers and Registry section, set Safe List
  • In the Rootkit Search section, set Yes
  • In the Files Created Within and Files Modified Within sections, set WhiteList/File Age
  • At the bottom, tick both the Use WhiteList and Include All Unicode Names options
  • Under Additional Scans, click the "Extras" button and then tick the checkboxes in front of the following items to select them:
    • Reg - IE Explorer Bars
    • Reg - NetSvcs
    • Reg - Tcpip Persistent Routers
    • File - Lop Check
    • File - Purity Scan
  • Do NOT change any other settings.
  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is, click on it to uncheck it.
Attach the log in your next reply. Don't post it; it will be too large to fit into a single post.

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
Posted Image Posted Image
Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#8 cerius (Topic Starter, Members, 10 posts)

Posted 03 February 2009 - 05:29 AM

attached




#9 fenzodahl512 (Members, 6,738 posts)

Posted 03 February 2009 - 06:24 AM

IMPORTANT!: Please create a fresh Restore Point before proceeding with our fix. Please visit this webpage if you do not know how.



Please show hidden files and folders
  • Please go to VirSCAN.org FREE on-line scan service
  • Copy and paste the following file path into the "Suspicious files to scan" box at the top of the page:
    • C:\Windows\system32\bss.dll
    • C:\Windows\system32\drivers\Iteio.sys
  • Click on the Upload button. You can only upload one file at a time.
  • Once the Scan is completed, click on the "Copy to Clipboard" button. This will copy the link of the report into the Clipboard.
  • Paste the contents of the Clipboard in your next reply.
If the VirScan.org server is too busy, please submit the file to VirusTotal instead.




NEXT


Open the OTScanIt2 folder and double-click on OTScanIt2.exe to start the program (if you are running on Vista then right-click the program and choose Run as Administrator).

Copy/Paste the information in the codebox below into the panel where it says "Paste fix here" and then click the Run Fix button.

[Kill Explorer]
[Unregister Dlls]
[Registry - Safe List]
< Run [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YN -> "CPM5b40bafd" -> %SystemRoot%\system32\seguwuli.DLL [Rundll32.exe "c:\windows\system32\seguwuli.dll",a]
YN -> "viretujaza" -> %SystemRoot%\System32\pibefisi.DLL [Rundll32.exe "C:\WINDOWS\System32\pibefisi.dll",s]
< AppInit_DLLs [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs
*AppInit_DLLs* -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_Dlls
YY -> C:\WINDOWS\System32\karna.dat -> %SystemRoot%\System32\karna.dat
< AppInit_DLLs [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs
< SSODL [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
YN -> "{EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4}" [HKLM] -> %SystemRoot%\system32\seguwuli.dll [SSODL]
< SharedTaskScheduler [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler
YN -> "{EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4}" [HKLM] -> %SystemRoot%\system32\seguwuli.dll [STS]
[Files/Folders - Created Within 90 Days]
NY -> 181 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp
NY -> vulozohu.dll -> %SystemRoot%\System32\vulozohu.dll
NY -> gihezawo.dll -> %SystemRoot%\System32\gihezawo.dll
NY -> siguzuwi.dll -> %SystemRoot%\System32\siguzuwi.dll
NY -> buvalaro.dll -> %SystemRoot%\System32\buvalaro.dll
NY -> wawihuvu.dll -> %SystemRoot%\System32\wawihuvu.dll
NY -> semozidu.dll -> %SystemRoot%\System32\semozidu.dll
NY -> vofobonu.dll -> %SystemRoot%\System32\vofobonu.dll
NY -> tivopiyu.dll -> %SystemRoot%\System32\tivopiyu.dll
NY -> jerapuwi.dll -> %SystemRoot%\System32\jerapuwi.dll
NY -> sejiguso.dll -> %SystemRoot%\System32\sejiguso.dll
NY -> weyibadu.dll -> %SystemRoot%\System32\weyibadu.dll
NY -> memilimi.dll -> %SystemRoot%\System32\memilimi.dll
NY -> yudorefa.dll -> %SystemRoot%\System32\yudorefa.dll
NY -> jetahoga.dll -> %SystemRoot%\System32\jetahoga.dll
NY -> renugipi.dll -> %SystemRoot%\System32\renugipi.dll
NY -> nefizoke.dll -> %SystemRoot%\System32\nefizoke.dll
NY -> wefifofi.dll -> %SystemRoot%\System32\wefifofi.dll
NY -> bemumiha.dll -> %SystemRoot%\System32\bemumiha.dll
NY -> jutimono.dll -> %SystemRoot%\System32\jutimono.dll
NY -> senazisa.dll -> %SystemRoot%\System32\senazisa.dll
NY -> mazileve.dll -> %SystemRoot%\System32\mazileve.dll
NY -> mksvse.dll -> %SystemRoot%\System32\mksvse.dll
NY -> yafaoq.dll -> %SystemRoot%\System32\yafaoq.dll
NY -> rnuzbn.dll -> %SystemRoot%\System32\rnuzbn.dll
NY -> yrxmst.dll -> %SystemRoot%\System32\yrxmst.dll
NY -> bwnhda.dll -> %SystemRoot%\System32\bwnhda.dll
NY -> ydyosc.dll -> %SystemRoot%\System32\ydyosc.dll
NY -> hoddzp.dll -> %SystemRoot%\System32\hoddzp.dll
NY -> tyewlw.dll -> %SystemRoot%\System32\tyewlw.dll
NY -> nwyanh.dll -> %SystemRoot%\System32\nwyanh.dll
NY -> nbgkli.dll -> %SystemRoot%\System32\nbgkli.dll
[Files/Folders - Modified Within 90 Days]
NY -> 32 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp
NY -> 181 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp
NY -> 2 C:\Documents and Settings\Administrator\Local Settings\Temp\*.tmp files -> C:\Documents and Settings\Administrator\Local Settings\Temp\*.tmp
NY -> vulozohu.dll -> %SystemRoot%\System32\vulozohu.dll
NY -> bugonefe -> %SystemRoot%\System32\bugonefe
NY -> qmgr0.dat -> %AllUsersProfile%\Application Data\Microsoft\Network\Downloader\qmgr0.dat
NY -> qmgr1.dat -> %AllUsersProfile%\Application Data\Microsoft\Network\Downloader\qmgr1.dat
NY -> mksvse.dll -> %SystemRoot%\System32\mksvse.dll
NY -> dumilela.dll -> %SystemRoot%\System32\dumilela.dll
NY -> boturuvo.dll -> %SystemRoot%\System32\boturuvo.dll
NY -> zimawigo.dll -> %SystemRoot%\System32\zimawigo.dll
NY -> yafaoq.dll -> %SystemRoot%\System32\yafaoq.dll
NY -> subudozu.dll -> %SystemRoot%\System32\subudozu.dll
NY -> rnuzbn.dll -> %SystemRoot%\System32\rnuzbn.dll
NY -> yidofele.dll -> %SystemRoot%\System32\yidofele.dll
NY -> pudahiye.dll -> %SystemRoot%\System32\pudahiye.dll
NY -> yrxmst.dll -> %SystemRoot%\System32\yrxmst.dll
NY -> panegayu.dll -> %SystemRoot%\System32\panegayu.dll
NY -> dopasajo.dll -> %SystemRoot%\System32\dopasajo.dll
NY -> yelojavi.dll -> %SystemRoot%\System32\yelojavi.dll
NY -> bwnhda.dll -> %SystemRoot%\System32\bwnhda.dll
NY -> yolonibu.dll -> %SystemRoot%\System32\yolonibu.dll
NY -> natudowu.dll -> %SystemRoot%\System32\natudowu.dll
NY -> ydyosc.dll -> %SystemRoot%\System32\ydyosc.dll
NY -> paberowe.dll -> %SystemRoot%\System32\paberowe.dll
NY -> gareyika.dll -> %SystemRoot%\System32\gareyika.dll
NY -> pozalihi.dll -> %SystemRoot%\System32\pozalihi.dll
NY -> lezotiwu.dll -> %SystemRoot%\System32\lezotiwu.dll
NY -> hoddzp.dll -> %SystemRoot%\System32\hoddzp.dll
NY -> tapusuye.dll -> %SystemRoot%\System32\tapusuye.dll
NY -> pakajebo.dll -> %SystemRoot%\System32\pakajebo.dll
NY -> tyewlw.dll -> %SystemRoot%\System32\tyewlw.dll
NY -> makorofi.dll -> %SystemRoot%\System32\makorofi.dll
NY -> ginomavu.dll -> %SystemRoot%\System32\ginomavu.dll
NY -> nuhuzebo.dll -> %SystemRoot%\System32\nuhuzebo.dll
NY -> peliziru.dll -> %SystemRoot%\System32\peliziru.dll
NY -> nwyanh.dll -> %SystemRoot%\System32\nwyanh.dll
NY -> rakevaka.dll -> %SystemRoot%\System32\rakevaka.dll
NY -> wehokigo.dll -> %SystemRoot%\System32\wehokigo.dll
NY -> mazileve.dll -> %SystemRoot%\System32\mazileve.dll
NY -> nbgkli.dll -> %SystemRoot%\System32\nbgkli.dll
NY -> bepetoha.dll -> %SystemRoot%\System32\bepetoha.dll
NY -> diwazesa.dll -> %SystemRoot%\System32\diwazesa.dll
NY -> riwemeno.dll -> %SystemRoot%\System32\riwemeno.dll
NY -> tikipume.dll -> %SystemRoot%\System32\tikipume.dll
NY -> nevapolo.dll -> %SystemRoot%\System32\nevapolo.dll
NY -> redowebo.dll -> %SystemRoot%\System32\redowebo.dll
NY -> kewegoze.dll -> %SystemRoot%\System32\kewegoze.dll
NY -> sumupuji.dll -> %SystemRoot%\System32\sumupuji.dll
NY -> sibulupu.dll -> %SystemRoot%\System32\sibulupu.dll
NY -> lobihomo.dll -> %SystemRoot%\System32\lobihomo.dll
NY -> senazisa.dll -> %SystemRoot%\System32\senazisa.dll
NY -> jetahoga.dll -> %SystemRoot%\System32\jetahoga.dll
NY -> tivopiyu.dll -> %SystemRoot%\System32\tivopiyu.dll
NY -> wawihuvu.dll -> %SystemRoot%\System32\wawihuvu.dll
NY -> wefifofi.dll -> %SystemRoot%\System32\wefifofi.dll
NY -> vofobonu.dll -> %SystemRoot%\System32\vofobonu.dll
NY -> renugipi.dll -> %SystemRoot%\System32\renugipi.dll
NY -> jerapuwi.dll -> %SystemRoot%\System32\jerapuwi.dll
NY -> nefizoke.dll -> %SystemRoot%\System32\nefizoke.dll
NY -> shellfix.reg -> %SystemDrive%\shellfix.reg
NY -> desktop_ok.reg -> %SystemDrive%\desktop_ok.reg
NY -> bemumiha.dll -> %SystemRoot%\System32\bemumiha.dll
NY -> semozidu.dll -> %SystemRoot%\System32\semozidu.dll
NY -> test.aok -> %SystemRoot%\System32\test.aok
NY -> weyibadu.dll -> %SystemRoot%\System32\weyibadu.dll
NY -> buvalaro.dll -> %SystemRoot%\System32\buvalaro.dll
NY -> yudorefa.dll -> %SystemRoot%\System32\yudorefa.dll
NY -> gihezawo.dll -> %SystemRoot%\System32\gihezawo.dll
NY -> sejiguso.dll -> %SystemRoot%\System32\sejiguso.dll
NY -> memilimi.dll -> %SystemRoot%\System32\memilimi.dll
NY -> jutimono.dll -> %SystemRoot%\System32\jutimono.dll
NY -> siguzuwi.dll -> %SystemRoot%\System32\siguzuwi.dll
NY -> amabumim.ini -> %SystemRoot%\System32\amabumim.ini
NY -> oliravuk.ini -> %SystemRoot%\System32\oliravuk.ini
NY -> otagiped.ini -> %SystemRoot%\System32\otagiped.ini
NY -> akulutob.ini -> %SystemRoot%\System32\akulutob.ini
NY -> umelajuv.ini -> %SystemRoot%\System32\umelajuv.ini
NY -> atenavig.ini -> %SystemRoot%\System32\atenavig.ini
NY -> gobudeho.dll -> %SystemRoot%\System32\gobudeho.dll
NY -> ozadasaw.ini -> %SystemRoot%\System32\ozadasaw.ini
NY -> pisabupe.dll -> %SystemRoot%\System32\pisabupe.dll
NY -> hebokali.dll -> %SystemRoot%\System32\hebokali.dll
NY -> olehibuj.ini -> %SystemRoot%\System32\olehibuj.ini
NY -> vakidibe.dll -> %SystemRoot%\System32\vakidibe.dll
NY -> rapepute.dll -> %SystemRoot%\System32\rapepute.dll
NY -> vimodiya.dll -> %SystemRoot%\System32\vimodiya.dll
NY -> tazotiwu.dll -> %SystemRoot%\System32\tazotiwu.dll
NY -> ukijijol.ini -> %SystemRoot%\System32\ukijijol.ini
NY -> gapiseza.dll -> %SystemRoot%\System32\gapiseza.dll
NY -> bemahofi.dll -> %SystemRoot%\System32\bemahofi.dll
NY -> piragobo.dll -> %SystemRoot%\System32\piragobo.dll
NY -> cahweax.dll -> %SystemRoot%\System32\cahweax.dll
NY -> yuvemifo.dll -> %SystemRoot%\System32\yuvemifo.dll
NY -> kejejedi.dll -> %SystemRoot%\System32\kejejedi.dll
NY -> ayajujos.ini -> %SystemRoot%\System32\ayajujos.ini
NY -> ayeliful.ini -> %SystemRoot%\System32\ayeliful.ini
NY -> imibesin.ini -> %SystemRoot%\System32\imibesin.ini
[Alternate Data Streams]
NY -> @Alternate Data Stream - 0 bytes -> %SystemRoot%\8346.exe:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
NY -> @Alternate Data Stream - 0 bytes -> %SystemRoot%\AuHCcup1.ini:stkiyr
NY -> @Alternate Data Stream - 0 bytes -> %SystemRoot%\AuHCcup1.ini:twsurx
NY -> @Alternate Data Stream - 0 bytes -> %SystemRoot%\Blue Lace 16.bmp:yterzp
NY -> @Alternate Data Stream - 0 bytes -> %SystemRoot%\JDSecure20.INI:zcjlgb
NY -> @Alternate Data Stream - 0 bytes -> %SystemRoot%\LxrConfig.INI:jrkxhg
NY -> @Alternate Data Stream - 0 bytes -> %SystemRoot%\msdfmap.ini:jrkxhg
NY -> @Alternate Data Stream - 0 bytes -> %SystemRoot%\PerMonitorWallpaper1.bmp:rndsox
NY -> @Alternate Data Stream - 0 bytes -> %SystemRoot%\PerMonitorWallpaper4.bmp:jovxih
NY -> @Alternate Data Stream - 0 bytes -> %SystemRoot%\QTW.INI:llktpu
NY -> @Alternate Data Stream - 0 bytes -> %SystemRoot%\South Park 3D Spectacular!.scr:nebcch
NY -> @Alternate Data Stream - 0 bytes -> %SystemRoot%\ST6UNST.000:gflhwk
NY -> @Alternate Data Stream - 0 bytes -> %SystemRoot%\vbaddin.ini:bhosvr
NY -> @Alternate Data Stream - 0 bytes -> %SystemRoot%\WER2D.tmp:eikfxl
NY -> @Alternate Data Stream - 0 bytes -> %SystemRoot%\WER38.tmp:hywauy
NY -> @Alternate Data Stream - 0 bytes -> %SystemRoot%\WER3C.tmp:azpgoj
NY -> @Alternate Data Stream - 0 bytes -> %SystemRoot%\WER41.tmp:lncbef
NY -> @Alternate Data Stream - 0 bytes -> %SystemRoot%\WER4D.tmp:ltjwgx
NY -> @Alternate Data Stream - 0 bytes -> %SystemRoot%\WER4F.tmp:mqhieh
NY -> @Alternate Data Stream - 0 bytes -> %SystemRoot%\WER50.tmp:dtucah
NY -> @Alternate Data Stream - 0 bytes -> %SystemRoot%\WER52.tmp:ersvyr
NY -> @Alternate Data Stream - 0 bytes -> %SystemRoot%\WER54.tmp:aswdkx
NY -> @Alternate Data Stream - 0 bytes -> %SystemRoot%\WER58.tmp:ttpiea
NY -> @Alternate Data Stream - 0 bytes -> %SystemRoot%\WER86.tmp:stsgok
NY -> @Alternate Data Stream - 0 bytes -> %SystemRoot%\WER89.tmp:kukliv
NY -> @Alternate Data Stream - 0 bytes -> %SystemRoot%\WER94.tmp:dguhkq
NY -> @Alternate Data Stream - 0 bytes -> %SystemRoot%\WERAB.tmp:knonps
NY -> @Alternate Data Stream - 0 bytes -> %SystemRoot%\WERAD.tmp:aqkffs
NY -> @Alternate Data Stream - 0 bytes -> %SystemRoot%\WERAE.tmp:dggsrd
NY -> @Alternate Data Stream - 0 bytes -> %SystemRoot%\WERB0.tmp:trcthc
NY -> @Alternate Data Stream - 0 bytes -> %SystemRoot%\WERC7.tmp:gwxiex
NY -> @Alternate Data Stream - 0 bytes -> %SystemRoot%\WININI(2).QTW:isbkrt
NY -> @Alternate Data Stream - 0 bytes -> %SystemRoot%\WININI.QTW:isbkrt
NY -> @Alternate Data Stream - 0 bytes -> %SystemRoot%\wininit.ini:kthlwr
NY -> @Alternate Data Stream - 11152 bytes -> %SystemRoot%\_detmp.1:vqmbvi
NY -> @Alternate Data Stream - 11152 bytes -> %SystemRoot%\b2_t_FABLE%20EVIL&384.xml:qrhrmb
NY -> @Alternate Data Stream - 11152 bytes -> %SystemRoot%\iplayer.INI:dwmcyp
NY -> @Alternate Data Stream - 11152 bytes -> %SystemRoot%\SIERRA.INI:fcbfvn
NY -> @Alternate Data Stream - 11152 bytes -> %SystemRoot%\tmupdate.ini:eyneuj
NY -> @Alternate Data Stream - 11152 bytes -> %SystemRoot%\UNIDRV.cfg:nmlxnr
NY -> @Alternate Data Stream - 11152 bytes -> %SystemRoot%\WER68.tmp:tpmwfr
NY -> @Alternate Data Stream - 11152 bytes -> %SystemRoot%\WERB6.tmp:tbukit
NY -> @Alternate Data Stream - 120 bytes -> %AllUsersProfile%\Application Data\TEMP:5C321E34
NY -> @Alternate Data Stream - 171 bytes -> %AllUsersProfile%\Application Data\TEMP:DFC5A2B2
NY -> @Alternate Data Stream - 197751 bytes -> %SystemRoot%\popcinfo.dat:exzlba
NY -> @Alternate Data Stream - 197751 bytes -> %SystemRoot%\Prairie Wind.bmp:jojwmv
NY -> @Alternate Data Stream - 197751 bytes -> %SystemRoot%\WER29.tmp:lpihtb
NY -> @Alternate Data Stream - 197751 bytes -> %SystemRoot%\WERB4.tmp:fdtaxt
NY -> @Alternate Data Stream - 197753 bytes -> %SystemRoot%\WER6A.tmp:qylaox
NY -> @Alternate Data Stream - 197754 bytes -> %SystemRoot%\GPTCR.NFO:cfwzch
NY -> @Alternate Data Stream - 197754 bytes -> %SystemRoot%\PerMonitorWallpaper2.bmp:mkdsxn
NY -> @Alternate Data Stream - 197754 bytes -> %SystemRoot%\PROTOCOL.INI:eakpqm
NY -> @Alternate Data Stream - 197754 bytes -> %SystemRoot%\WER6A.tmp:xtawxw
NY -> @Alternate Data Stream - 197754 bytes -> %SystemRoot%\WER6B.tmp:itqail
NY -> @Alternate Data Stream - 21932 bytes -> %SystemRoot%\notepad.exe.bak:fpxfia
NY -> @Alternate Data Stream - 21932 bytes -> %SystemRoot%\PerMonitorWallpaper1.bmp:iclsjt
NY -> @Alternate Data Stream - 21932 bytes -> %SystemRoot%\WER5A.tmp:gwqare
NY -> @Alternate Data Stream - 33872 bytes -> %SystemRoot%\_detmp.1:utuiwy
NY -> @Alternate Data Stream - 33872 bytes -> %SystemRoot%\CMAURACK.INI:xbczjf
NY -> @Alternate Data Stream - 33872 bytes -> %SystemRoot%\Greenstone.bmp:hrloyd
NY -> @Alternate Data Stream - 33872 bytes -> %SystemRoot%\SP3D.ini:ckrniu
NY -> @Alternate Data Stream - 33872 bytes -> %SystemRoot%\WER84.tmp:bsmeln
NY -> @Alternate Data Stream - 33872 bytes -> %SystemRoot%\WERC8.tmp:iihkkt
NY -> @Alternate Data Stream - 4866 bytes -> %SystemRoot%\WER64.tmp:yxzuvn
NY -> @Alternate Data Stream - 4866 bytes -> %SystemRoot%\WER95.tmp:ilcmps
NY -> @Alternate Data Stream - 4866 bytes -> %SystemRoot%\WERA2.tmp:ighuml
NY -> @Alternate Data Stream - 4866 bytes -> %SystemRoot%\WERAE.tmp:ttlicw
NY -> @Alternate Data Stream - 4866 bytes -> %SystemRoot%\WERC6.tmp:miirzr
NY -> @Alternate Data Stream - 4870 bytes -> %SystemRoot%\{E2FDA946-5313-4F4D-BEE3-C2EF721E2589}.dat:uglref
NY -> @Alternate Data Stream - 4870 bytes -> %SystemRoot%\b2_t_FABLE%20EVIL&384.xml:rqmjio
NY -> @Alternate Data Stream - 4870 bytes -> %SystemRoot%\wininit.ini:kdxxii
NY -> @Alternate Data Stream - 4870 bytes -> %SystemRoot%\WMSysPrx.prx:agrgqr
NY -> @Alternate Data Stream - 4870 bytes -> %SystemRoot%\Zapotec.bmp:pglogi
NY -> @Alternate Data Stream - 9237 bytes -> %SystemRoot%\readme.ico:tttwhh
NY -> @Alternate Data Stream - 9237 bytes -> %SystemRoot%\setupapi.log.2.old:waebej
NY -> @Alternate Data Stream - 9237 bytes -> %SystemRoot%\WER45.tmp:zqksqs
NY -> @Alternate Data Stream - 9237 bytes -> %SystemRoot%\WER48.tmp:gpuach
NY -> @Alternate Data Stream - 9237 bytes -> %SystemRoot%\WER76.tmp:idzayz
[CatchMe Rootkit Scan by GMER]
NY -> C:\WINDOWS\WER41.tmp:lncbef 0 bytes -> 
NY -> C:\WINDOWS\CMAURACK.INI:xbczjf 33872 bytes executable -> 
NY -> C:\WINDOWS\GPTCR.NFO:cfwzch 197754 bytes -> 
NY -> C:\WINDOWS\Greenstone.bmp:hrloyd 33872 bytes executable -> 
NY -> C:\WINDOWS\popcinfo.dat:exzlba 197751 bytes -> 
NY -> C:\WINDOWS\Prairie Wind.bmp:jojwmv 197751 bytes -> 
NY -> C:\WINDOWS\readme.ico:tttwhh 9237 bytes -> 
NY -> C:\WINDOWS\setupapi.log.2.old:waebej 9237 bytes -> 
NY -> C:\WINDOWS\SIERRA.INI:fcbfvn 11152 bytes -> 
NY -> C:\WINDOWS\vbaddin.ini:bhosvr 0 bytes -> 
NY -> C:\WINDOWS\WER29.tmp:lpihtb 197751 bytes -> 
NY -> C:\WINDOWS\WER2D.tmp:eikfxl 0 bytes -> 
NY -> C:\WINDOWS\WER38.tmp:hywauy 0 bytes -> 
NY -> C:\WINDOWS\WER3C.tmp:azpgoj 0 bytes -> 
NY -> C:\WINDOWS\WER45.tmp:zqksqs 9237 bytes -> 
NY -> C:\WINDOWS\WER48.tmp:gpuach 9237 bytes -> 
NY -> C:\WINDOWS\WER4F.tmp:mqhieh 0 bytes -> 
NY -> C:\WINDOWS\WER50.tmp:dtucah 0 bytes -> 
NY -> C:\WINDOWS\WER52.tmp:ersvyr 0 bytes -> 
NY -> C:\WINDOWS\WER58.tmp:ttpiea 0 bytes -> 
NY -> C:\WINDOWS\WER64.tmp:yxzuvn 4866 bytes -> 
NY -> C:\WINDOWS\WER68.tmp:tpmwfr 11152 bytes -> 
NY -> C:\WINDOWS\WER6A.tmp:qylaox 197753 bytes -> 
NY -> C:\WINDOWS\WER6A.tmp:xtawxw 197754 bytes -> 
NY -> C:\WINDOWS\WER6B.tmp:itqail 197754 bytes -> 
NY -> C:\WINDOWS\WER76.tmp:idzayz 9237 bytes -> 
NY -> C:\WINDOWS\WER84.tmp:bsmeln 33872 bytes executable -> 
NY -> C:\WINDOWS\WER89.tmp:kukliv 0 bytes -> 
NY -> C:\WINDOWS\WER94.tmp:dguhkq 0 bytes -> 
NY -> C:\WINDOWS\WER95.tmp:ilcmps 4866 bytes -> 
NY -> C:\WINDOWS\WERA2.tmp:ighuml 4866 bytes -> 
NY -> C:\WINDOWS\WERAB.tmp:knonps 0 bytes -> 
NY -> C:\WINDOWS\WERAD.tmp:aqkffs 0 bytes -> 
NY -> C:\WINDOWS\WERAE.tmp:dggsrd 0 bytes -> 
NY -> C:\WINDOWS\WERAE.tmp:ttlicw 4866 bytes -> 
NY -> C:\WINDOWS\WERB0.tmp:trcthc 0 bytes -> 
NY -> C:\WINDOWS\WER4D.tmp:ltjwgx 0 bytes -> 
NY -> C:\WINDOWS\WER54.tmp:aswdkx 0 bytes -> 
NY -> C:\WINDOWS\WER5A.tmp:gwqare 21932 bytes -> 
NY -> C:\WINDOWS\WER86.tmp:stsgok 0 bytes -> 
NY -> C:\WINDOWS\WERC6.tmp:miirzr 4866 bytes -> 
NY -> C:\WINDOWS\Zapotec.bmp:pglogi 4870 bytes -> 
NY -> C:\WINDOWS\WERB4.tmp:fdtaxt 197751 bytes -> 
NY -> C:\WINDOWS\WERB6.tmp:tbukit 11152 bytes -> 
NY -> C:\WINDOWS\WERC7.tmp:gwxiex 0 bytes -> 
NY -> C:\WINDOWS\WERC8.tmp:iihkkt 33872 bytes executable -> 
NY -> C:\WINDOWS\Blue Lace 16.bmp:yterzp 0 bytes -> 
NY -> C:\WINDOWS\South Park 3D Spectacular!.scr:nebcch 0 bytes -> 
NY -> C:\WINDOWS\SP3D.ini:ckrniu 33872 bytes executable -> 
NY -> C:\WINDOWS\ST6UNST.000:gflhwk 0 bytes -> 
NY -> C:\WINDOWS\8346.exe:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d} 0 bytes -> 
NY -> C:\WINDOWS\PROTOCOL.INI:eakpqm 197754 bytes -> 
NY -> C:\WINDOWS\AuHCcup1.ini:stkiyr 0 bytes -> 
NY -> C:\WINDOWS\AuHCcup1.ini:twsurx 0 bytes -> 
NY -> C:\WINDOWS\b2_t_FABLE%20EVIL&384.xml:qrhrmb 11152 bytes -> 
NY -> C:\WINDOWS\b2_t_FABLE%20EVIL&384.xml:rqmjio 4870 bytes -> 
NY -> C:\WINDOWS\PerMonitorWallpaper1.bmp:iclsjt 21932 bytes -> 
NY -> C:\WINDOWS\PerMonitorWallpaper1.bmp:rndsox 0 bytes -> 
NY -> C:\WINDOWS\PerMonitorWallpaper2.bmp:mkdsxn 197754 bytes -> 
NY -> C:\WINDOWS\PerMonitorWallpaper4.bmp:jovxih 0 bytes -> 
NY -> C:\WINDOWS\tmupdate.ini:eyneuj 11152 bytes -> 
NY -> C:\WINDOWS\JDSecure20.INI:zcjlgb 0 bytes -> 
NY -> C:\WINDOWS\msdfmap.ini:jrkxhg 0 bytes -> 
NY -> C:\WINDOWS\_detmp.1:utuiwy 33872 bytes executable -> 
NY -> C:\WINDOWS\_detmp.1:vqmbvi 11152 bytes -> 
NY -> C:\WINDOWS\{E2FDA946-5313-4F4D-BEE3-C2EF721E2589}.dat:uglref 4870 bytes -> 
NY -> C:\WINDOWS\QTW.INI:llktpu 0 bytes -> 
NY -> C:\WINDOWS\notepad.exe.bak:fpxfia 21932 bytes -> 
NY -> C:\WINDOWS\LxrConfig.INI:jrkxhg 0 bytes -> 
NY -> C:\WINDOWS\WMSysPrx.prx:agrgqr 4870 bytes -> 
NY -> C:\WINDOWS\UNIDRV.cfg:nmlxnr 11152 bytes -> 
NY -> C:\WINDOWS\iplayer.INI:dwmcyp 11152 bytes -> 
NY -> C:\WINDOWS\WININI(2).QTW:isbkrt 0 bytes -> 
NY -> C:\WINDOWS\WININI.QTW:isbkrt 0 bytes -> 
NY -> C:\WINDOWS\wininit.ini:kdxxii 4870 bytes -> 
NY -> C:\WINDOWS\wininit.ini:kthlwr 0 bytes -> 
[Purity]
[Empty Temp Folders]
[Start Explorer]
[Reboot]

The fix should only take a very short time. When the fix is completed, either a message box will pop up telling you that it is finished or you will be asked to reboot to finish the fix. If it is finished, click the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here.

If a reboot is required, click the "Yes" button to reboot the machine. After the reboot, OTScanIt will finish moving any files that could not be moved during the fix and NotePad will open with the final results at that time. Post that information back here.



Run OTScanIt2 again as you did the first time. Post these logs in your next reply:

1. VirScan.org results
2. OTScanIt2 (fix result)
3. OTScanIt2 (the normal scan result)

Edited by fenzodahl512, 03 February 2009 - 06:26 AM.

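
The fix above lists dozens of alternate data streams attached to unrelated host files under %SystemRoot%, and the byte counts repeat: 33872 bytes seven times (all flagged executable), 197751/197754 bytes, 11152 bytes, 4866/4870 bytes, and many 0-byte streams. The same size recurring across unrelated host files usually means one payload copied into many streams, so clustering by size shows how many distinct payloads the listing really represents and which of them are executable. The script below is an added example, not part of the thread and not OTScanIt or GMER code: it parses the three ADS line formats that appear in this thread (OTScanIt's "@Alternate Data Stream" lines, the CatchMe section, and GMER's "ADS" lines), merges the same stream reported by more than one tool, and groups streams by size. The sample lines are copied from the logs above and embedded as constructed test data; the script assumes %SystemRoot% expands to C:\WINDOWS, as it does on this machine.

```python
import re
from collections import Counter, defaultdict

# Sample input: lines copied from the OTScanIt fix, its CatchMe section and the GMER log above
# (constructed test data; the same streams deliberately appear in more than one format).
ADS_LINES = r"""
NY -> @Alternate Data Stream - 0 bytes -> %SystemRoot%\WER41.tmp:lncbef
NY -> @Alternate Data Stream - 33872 bytes -> %SystemRoot%\CMAURACK.INI:xbczjf
NY -> @Alternate Data Stream - 33872 bytes -> %SystemRoot%\Greenstone.bmp:hrloyd
NY -> @Alternate Data Stream - 197754 bytes -> %SystemRoot%\PROTOCOL.INI:eakpqm
NY -> C:\WINDOWS\CMAURACK.INI:xbczjf 33872 bytes executable ->
NY -> C:\WINDOWS\SP3D.ini:ckrniu 33872 bytes executable ->
NY -> C:\WINDOWS\WER41.tmp:lncbef 0 bytes ->
ADS C:\WINDOWS\Greenstone.bmp:hrloyd 33872 bytes executable
"""

# The three line shapes seen in the thread; CatchMe and GMER also say whether the stream
# content looks like a PE image ("executable"), OTScanIt's ADS section does not.
OTS_ADS = re.compile(r"^NY -> @Alternate Data Stream - (?P<size>\d+) bytes -> (?P<path>.+)$")
CATCHME = re.compile(r"^NY -> (?P<path>.+?) (?P<size>\d+) bytes(?P<exe> executable)? ->\s*$")
GMER_ADS = re.compile(r"^ADS (?P<path>.+?) (?P<size>\d+) bytes(?P<exe> executable)?$")
FORMATS = ((OTS_ADS, "OTScanIt"), (CATCHME, "CatchMe"), (GMER_ADS, "GMER"))


def normalize(path):
    """Split 'host:stream' on the last colon; assumes %SystemRoot% is C:\WINDOWS here."""
    path = path.replace("%SystemRoot%", r"C:\WINDOWS").lower()
    host, _, stream = path.rpartition(":")
    return host, stream


def parse_streams(text):
    """Return {(host, stream): {size, executable, sources}} with duplicates across tools merged."""
    streams = {}
    for raw in text.splitlines():
        line = raw.rstrip()
        for pattern, source in FORMATS:
            m = pattern.match(line)
            if m:
                break
        else:
            continue
        host, stream = normalize(m.group("path"))
        size = int(m.group("size"))
        rec = streams.setdefault((host, stream), {"size": 0, "executable": False, "sources": set()})
        rec["size"] = max(rec["size"], size)
        rec["executable"] |= bool(m.groupdict().get("exe"))
        rec["sources"].add(source)
    return streams


def cluster_by_size(streams):
    """Group stream names by byte count; identical sizes on unrelated hosts suggest one payload."""
    clusters = defaultdict(list)
    for (host, stream), rec in streams.items():
        clusters[rec["size"]].append(f"{host}:{stream}")
    return {size: sorted(names) for size, names in clusters.items()}


def replicated_payloads(streams, min_copies=2):
    """Sizes (other than 0, which are empty placeholders) that occur at least min_copies times."""
    counts = Counter(rec["size"] for rec in streams.values() if rec["size"] > 0)
    return {size: n for size, n in counts.items() if n >= min_copies}


if __name__ == "__main__":
    found = parse_streams(ADS_LINES)
    for size, names in sorted(cluster_by_size(found).items()):
        exe = any(found[tuple(n.rpartition(":")[::2])]["executable"] for n in names)
        print(f"{size:>7} bytes  x{len(names)}  {'executable' if exe else '':<10}")
        for n in names:
            print(f"{'':>9}{n}")
    print("likely replicated payloads:", replicated_payloads(found))
```

Clustering is only a triage step: the two 33872-byte streams on different host files could still differ in content, so before deleting them one would copy a few out (for example with a tool that can read `host:stream`) and compare hashes, which is also what turns a size cluster into a single sample worth submitting to VirusTotal.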


#10 cerius (Topic Starter, Members, 10 posts)

Posted 03 February 2009 - 08:26 AM

VirSCAN.org Scanned Report :
Scanned time : 2009/02/03 03:40:12 (PST)
Scanner results: 30% Scanner(11/37) found malware!
File Name : bss.dll
File Size : 3584 byte
File Type : PE32 executable for MS Windows (DLL) (GUI) Intel 80386 32-bit
MD5 : 6c126a3421f9807b948a416a55bacba6
SHA1 : e595345fb0f70b5018de7631a5bf7ff0642799d2
Online report : http://virscan.org/report/69a5a7f9eb522a40...adaefd0acc.html

Scanner Engine Ver Sig Ver Sig Date Time Scan result
a-squared 4.0.0.29 20090203180325 2009-02-03 6.01 Virus.Win32.BssDll!IK
AhnLab V3 2009.02.03.02 2009.02.03 2009-02-03 1.19 Win-Trojan/Xema.variant
AntiVir 7.9.0.71 7.1.1.218 2009-02-03 1.95 TR/Crypt.XPACK.Gen
Antiy 2.0.18 20090118.2063925 2009-01-18 0.02 -
Authentium 5.1.1 200902022221 2009-02-02 1.10 -
AVAST! 3.0.1 090202-1 2009-02-02 0.00 -
AVG 7.5.52.442 270.10.17/1932 2009-02-03 1.88 Generic12.ADJO
BitDefender 7.81008.2638921 7.23474 2009-02-03 2.46 Trojan.Generic.563312
CA (VET) 9.0.0.143 31.6.6339 2009-02-03 19.35 -
ClamAV 0.94.2 8945 2009-02-03 0.01 -
Comodo 3.0 961 2009-02-03 1.13 -
CP Secure 1.1.0.715 2009.02.02 2009-02-02 7.11 -
Dr.Web 4.44.0.9170 2009.02.03 2009-02-03 5.28 -
F-Prot 4.4.4.56 20090202 2009-02-02 1.10 -
F-Secure 5.51.6100 2009.02.03.02 2009-02-03 0.06 -
Fortinet 2.81-3.117 9.994 2009-02-03 0.30 -
GData 19.2775/19.208 20090203 2009-02-03 4.00 Win32:BssDll [Trj] [Engine:B]
ViRobot 20090203 2009.02.03 2009-02-03 1.10 -
Ikarus T3.1.01.45 2009.02.03.72251 2009-02-03 3.61 Virus.Win32.BssDll
JiangMin 11.0.706 2009.02.03 2009-02-03 3.56 -
Kaspersky 5.5.10 2009.02.03 2009-02-03 0.04 -
KingSoft 2008.9.8.18 2009.2.3.18 2009-02-03 2.48 -
McAfee 5.3.00 5514 2009-02-02 3.08 Generic.dx
Microsoft 1.4306 2009.02.03 2009-02-03 7.41 -
mks_vir 2.01 2009.02.02 2009-02-02 2.71 -
Norman 6.00.02 6.00.00 2009-02-02 8.01 W32/Smalltroj.IQJR
Panda 9.05.01 2009.02.02 2009-02-02 9.31 Generic Trojan
Trend Micro 8.700-1004 5.812.04 2009-02-03 0.02 -
Quick Heal 10.00 2009.02.03 2009-02-03 1.19 -
Rising 20.0 21.15.10.00 2009-02-03 1.79 -
Sophos 2.83.3 4.38 2009-02-03 2.26 -
Sunbelt 4787 4787 2009-01-29 1.00 -
Symantec 1.3.0.24 20090202.007 2009-02-02 0.04 Trojan Horse
nProtect 20090203.01 3105377 2009-02-03 6.40 -
The Hacker 6.3.1.5 v00245 2009-02-03 0.56 -
VBA32 3.12.8.12 20090202.1103 2009-02-02 1.59 -
VirusBuster 4.5.11.10 10.100.47/785112 2009-02-02 1.01 -

VirSCAN.org Scanned Report :
Scanned time : 2009/02/03 03:44:42 (PST)
Scanner results: All Scanners reported not find malware!
File Name : Iteio.sys
File Size : 3680 byte
File Type : PE32 executable for MS Windows (native) Intel 80386 32-bit
MD5 : 3a495271ce703ebff717c66b6fcdd16a
SHA1 : c04ea1706587843f26395f61bb6ba429cfda21ee
Online report : http://virscan.org/report/f816e9ebc54def8a...fae6e304bc.html

Scanner Engine Ver Sig Ver Sig Date Time Scan result
a-squared 4.0.0.29 20090203180325 2009-02-03 2.21 -
AhnLab V3 2009.02.03.02 2009.02.03 2009-02-03 1.08 -
AntiVir 7.9.0.71 7.1.1.218 2009-02-03 1.94 -
Antiy 2.0.18 20090118.2063925 2009-01-18 0.02 -
Authentium 5.1.1 200902022221 2009-02-02 1.09 -
AVAST! 3.0.1 090202-1 2009-02-02 0.00 -
AVG 7.5.52.442 270.10.17/1932 2009-02-03 1.92 -
BitDefender 7.81008.2638921 7.23474 2009-02-03 2.46 -
CA (VET) 9.0.0.143 31.6.6339 2009-02-03 6.66 -
ClamAV 0.94.2 8945 2009-02-03 0.00 -
Comodo 3.0 961 2009-02-03 1.08 -
CP Secure 1.1.0.715 2009.02.02 2009-02-02 6.94 -
Dr.Web 4.44.0.9170 2009.02.03 2009-02-03 3.94 -
F-Prot 4.4.4.56 20090202 2009-02-02 1.07 -
F-Secure 5.51.6100 2009.02.03.02 2009-02-03 4.49 -
Fortinet 2.81-3.117 9.994 2009-02-03 0.18 -
GData 19.2775/19.208 20090203 2009-02-03 3.17 -
ViRobot 20090203 2009.02.03 2009-02-03 0.40 -
Ikarus T3.1.01.45 2009.02.03.72251 2009-02-03 3.61 -
JiangMin 11.0.706 2009.02.03 2009-02-03 1.42 -
Kaspersky 5.5.10 2009.02.03 2009-02-03 0.04 -
KingSoft 2008.9.8.18 2009.2.3.18 2009-02-03 0.59 -
McAfee 5.3.00 5514 2009-02-02 3.08 -
Microsoft 1.4306 2009.02.03 2009-02-03 4.70 -
mks_vir 2.01 2009.02.02 2009-02-02 2.65 -
Norman 6.00.02 6.00.00 2009-02-02 8.01 -
Panda 9.05.01 2009.02.02 2009-02-02 2.56 -
Trend Micro 8.700-1004 5.812.04 2009-02-03 0.02 -
Quick Heal 10.00 2009.02.03 2009-02-03 0.87 -
Rising 20.0 21.15.10.00 2009-02-03 0.90 -
Sophos 2.83.3 4.38 2009-02-03 2.26 -
Sunbelt 4787 4787 2009-01-29 3.32 -
Symantec 1.3.0.24 20090202.007 2009-02-02 0.23 -
nProtect 20090203.01 3105377 2009-02-03 3.67 -
The Hacker 6.3.1.5 v00245 2009-02-03 0.63 -
VBA32 3.12.8.12 20090202.1103 2009-02-02 1.60 -
VirusBuster 4.5.11.10 10.100.47/785112 2009-02-02 1.00 -

____________________________________________________________________________________________________
RESULTS AFTER SCAN AND REBOOT AND FIX

No active process named Explorer.EXE was found!
[Registry - Safe List]
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\CPM5b40bafd deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\viretujaza deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_Dlls:C:\WINDOWS\System32\karna.dat deleted successfully.
File C:\WINDOWS\System32\karna.dat not found.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\\SSODL deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4}\ deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\\{EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4}\ not found.
[Files/Folders - Created Within 90 Days]
C:\WINDOWS\LastGood.Tmp\System32\DRIVERS folder deleted successfully.
C:\WINDOWS\LastGood.Tmp\System32 folder deleted successfully.
C:\WINDOWS\LastGood.Tmp\INF folder deleted successfully.
C:\WINDOWS\LastGood.Tmp folder deleted successfully.
C:\WINDOWS\msdownld.tmp folder deleted successfully.
LoadLibrary failed for C:\WINDOWS\System32\vulozohu.dll
C:\WINDOWS\System32\vulozohu.dll NOT unregistered.
C:\WINDOWS\System32\vulozohu.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\System32\gihezawo.dll
C:\WINDOWS\System32\gihezawo.dll NOT unregistered.
C:\WINDOWS\System32\gihezawo.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\System32\siguzuwi.dll
C:\WINDOWS\System32\siguzuwi.dll NOT unregistered.
C:\WINDOWS\System32\siguzuwi.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\System32\buvalaro.dll
C:\WINDOWS\System32\buvalaro.dll NOT unregistered.
C:\WINDOWS\System32\buvalaro.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\System32\wawihuvu.dll
C:\WINDOWS\System32\wawihuvu.dll NOT unregistered.
C:\WINDOWS\System32\wawihuvu.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\System32\semozidu.dll
C:\WINDOWS\System32\semozidu.dll NOT unregistered.
C:\WINDOWS\System32\semozidu.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\System32\vofobonu.dll
C:\WINDOWS\System32\vofobonu.dll NOT unregistered.
C:\WINDOWS\System32\vofobonu.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\System32\tivopiyu.dll
C:\WINDOWS\System32\tivopiyu.dll NOT unregistered.
C:\WINDOWS\System32\tivopiyu.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\System32\jerapuwi.dll
C:\WINDOWS\System32\jerapuwi.dll NOT unregistered.
C:\WINDOWS\System32\jerapuwi.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\System32\sejiguso.dll
C:\WINDOWS\System32\sejiguso.dll NOT unregistered.
C:\WINDOWS\System32\sejiguso.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\System32\weyibadu.dll
C:\WINDOWS\System32\weyibadu.dll NOT unregistered.
C:\WINDOWS\System32\weyibadu.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\System32\memilimi.dll
C:\WINDOWS\System32\memilimi.dll NOT unregistered.
C:\WINDOWS\System32\memilimi.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\System32\yudorefa.dll
C:\WINDOWS\System32\yudorefa.dll NOT unregistered.
C:\WINDOWS\System32\yudorefa.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\System32\jetahoga.dll
C:\WINDOWS\System32\jetahoga.dll NOT unregistered.
C:\WINDOWS\System32\jetahoga.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\System32\renugipi.dll
C:\WINDOWS\System32\renugipi.dll NOT unregistered.
C:\WINDOWS\System32\renugipi.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\System32\nefizoke.dll
C:\WINDOWS\System32\nefizoke.dll NOT unregistered.
C:\WINDOWS\System32\nefizoke.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\System32\wefifofi.dll
C:\WINDOWS\System32\wefifofi.dll NOT unregistered.
C:\WINDOWS\System32\wefifofi.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\System32\bemumiha.dll
C:\WINDOWS\System32\bemumiha.dll NOT unregistered.
C:\WINDOWS\System32\bemumiha.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\System32\jutimono.dll
C:\WINDOWS\System32\jutimono.dll NOT unregistered.
C:\WINDOWS\System32\jutimono.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\System32\senazisa.dll
C:\WINDOWS\System32\senazisa.dll NOT unregistered.
C:\WINDOWS\System32\senazisa.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\System32\mazileve.dll
C:\WINDOWS\System32\mazileve.dll NOT unregistered.
C:\WINDOWS\System32\mazileve.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\System32\mksvse.dll
C:\WINDOWS\System32\mksvse.dll NOT unregistered.
C:\WINDOWS\System32\mksvse.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\System32\yafaoq.dll
C:\WINDOWS\System32\yafaoq.dll NOT unregistered.
C:\WINDOWS\System32\yafaoq.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\System32\rnuzbn.dll
C:\WINDOWS\System32\rnuzbn.dll NOT unregistered.
C:\WINDOWS\System32\rnuzbn.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\System32\yrxmst.dll
C:\WINDOWS\System32\yrxmst.dll NOT unregistered.
C:\WINDOWS\System32\yrxmst.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\System32\bwnhda.dll
C:\WINDOWS\System32\bwnhda.dll NOT unregistered.
C:\WINDOWS\System32\bwnhda.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\System32\ydyosc.dll
C:\WINDOWS\System32\ydyosc.dll NOT unregistered.
C:\WINDOWS\System32\ydyosc.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\System32\hoddzp.dll
C:\WINDOWS\System32\hoddzp.dll NOT unregistered.
C:\WINDOWS\System32\hoddzp.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\System32\tyewlw.dll
C:\WINDOWS\System32\tyewlw.dll NOT unregistered.
C:\WINDOWS\System32\tyewlw.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\System32\nwyanh.dll
C:\WINDOWS\System32\nwyanh.dll NOT unregistered.
C:\WINDOWS\System32\nwyanh.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\System32\nbgkli.dll
C:\WINDOWS\System32\nbgkli.dll NOT unregistered.
C:\WINDOWS\System32\nbgkli.dll moved successfully.
[Files/Folders - Modified Within 90 Days]
File C:\WINDOWS\System32\vulozohu.dll not found!
C:\WINDOWS\System32\bugonefe moved successfully.
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat moved successfully.
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat moved successfully.
File C:\WINDOWS\System32\mksvse.dll not found!
DllUnregisterServer procedure not found in C:\WINDOWS\System32\dumilela.dll
C:\WINDOWS\System32\dumilela.dll NOT unregistered.
C:\WINDOWS\System32\dumilela.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\System32\boturuvo.dll
C:\WINDOWS\System32\boturuvo.dll NOT unregistered.
C:\WINDOWS\System32\boturuvo.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\System32\zimawigo.dll
C:\WINDOWS\System32\zimawigo.dll NOT unregistered.
C:\WINDOWS\System32\zimawigo.dll moved successfully.
File C:\WINDOWS\System32\yafaoq.dll not found!
DllUnregisterServer procedure not found in C:\WINDOWS\System32\subudozu.dll
C:\WINDOWS\System32\subudozu.dll NOT unregistered.
C:\WINDOWS\System32\subudozu.dll moved successfully.
File C:\WINDOWS\System32\rnuzbn.dll not found!
DllUnregisterServer procedure not found in C:\WINDOWS\System32\yidofele.dll
C:\WINDOWS\System32\yidofele.dll NOT unregistered.
C:\WINDOWS\System32\yidofele.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\System32\pudahiye.dll
C:\WINDOWS\System32\pudahiye.dll NOT unregistered.
C:\WINDOWS\System32\pudahiye.dll moved successfully.
File C:\WINDOWS\System32\yrxmst.dll not found!
DllUnregisterServer procedure not found in C:\WINDOWS\System32\panegayu.dll
C:\WINDOWS\System32\panegayu.dll NOT unregistered.
C:\WINDOWS\System32\panegayu.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\System32\dopasajo.dll
C:\WINDOWS\System32\dopasajo.dll NOT unregistered.
C:\WINDOWS\System32\dopasajo.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\System32\yelojavi.dll
C:\WINDOWS\System32\yelojavi.dll NOT unregistered.
C:\WINDOWS\System32\yelojavi.dll moved successfully.
File C:\WINDOWS\System32\bwnhda.dll not found!
DllUnregisterServer procedure not found in C:\WINDOWS\System32\yolonibu.dll
C:\WINDOWS\System32\yolonibu.dll NOT unregistered.
C:\WINDOWS\System32\yolonibu.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\System32\natudowu.dll
C:\WINDOWS\System32\natudowu.dll NOT unregistered.
C:\WINDOWS\System32\natudowu.dll moved successfully.
File C:\WINDOWS\System32\ydyosc.dll not found!
DllUnregisterServer procedure not found in C:\WINDOWS\System32\paberowe.dll
C:\WINDOWS\System32\paberowe.dll NOT unregistered.
C:\WINDOWS\System32\paberowe.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\System32\gareyika.dll
C:\WINDOWS\System32\gareyika.dll NOT unregistered.
C:\WINDOWS\System32\gareyika.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\System32\pozalihi.dll
C:\WINDOWS\System32\pozalihi.dll NOT unregistered.
C:\WINDOWS\System32\pozalihi.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\System32\lezotiwu.dll
C:\WINDOWS\System32\lezotiwu.dll NOT unregistered.
C:\WINDOWS\System32\lezotiwu.dll moved successfully.
File C:\WINDOWS\System32\hoddzp.dll not found!
DllUnregisterServer procedure not found in C:\WINDOWS\System32\tapusuye.dll
C:\WINDOWS\System32\tapusuye.dll NOT unregistered.
C:\WINDOWS\System32\tapusuye.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\System32\pakajebo.dll
C:\WINDOWS\System32\pakajebo.dll NOT unregistered.
C:\WINDOWS\System32\pakajebo.dll moved successfully.
File C:\WINDOWS\System32\tyewlw.dll not found!
DllUnregisterServer procedure not found in C:\WINDOWS\System32\makorofi.dll
C:\WINDOWS\System32\makorofi.dll NOT unregistered.
C:\WINDOWS\System32\makorofi.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\System32\ginomavu.dll
C:\WINDOWS\System32\ginomavu.dll NOT unregistered.
C:\WINDOWS\System32\ginomavu.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\System32\nuhuzebo.dll
C:\WINDOWS\System32\nuhuzebo.dll NOT unregistered.
C:\WINDOWS\System32\nuhuzebo.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\System32\peliziru.dll
C:\WINDOWS\System32\peliziru.dll NOT unregistered.
C:\WINDOWS\System32\peliziru.dll moved successfully.
File C:\WINDOWS\System32\nwyanh.dll not found!
DllUnregisterServer procedure not found in C:\WINDOWS\System32\rakevaka.dll
C:\WINDOWS\System32\rakevaka.dll NOT unregistered.
C:\WINDOWS\System32\rakevaka.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\System32\wehokigo.dll
C:\WINDOWS\System32\wehokigo.dll NOT unregistered.
C:\WINDOWS\System32\wehokigo.dll moved successfully.
File C:\WINDOWS\System32\mazileve.dll not found!
File C:\WINDOWS\System32\nbgkli.dll not found!
DllUnregisterServer procedure not found in C:\WINDOWS\System32\bepetoha.dll
C:\WINDOWS\System32\bepetoha.dll NOT unregistered.
C:\WINDOWS\System32\bepetoha.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\System32\diwazesa.dll
C:\WINDOWS\System32\diwazesa.dll NOT unregistered.
C:\WINDOWS\System32\diwazesa.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\System32\riwemeno.dll
C:\WINDOWS\System32\riwemeno.dll NOT unregistered.
C:\WINDOWS\System32\riwemeno.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\System32\tikipume.dll
C:\WINDOWS\System32\tikipume.dll NOT unregistered.
C:\WINDOWS\System32\tikipume.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\System32\nevapolo.dll
C:\WINDOWS\System32\nevapolo.dll NOT unregistered.
C:\WINDOWS\System32\nevapolo.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\System32\redowebo.dll
C:\WINDOWS\System32\redowebo.dll NOT unregistered.
C:\WINDOWS\System32\redowebo.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\System32\kewegoze.dll
C:\WINDOWS\System32\kewegoze.dll NOT unregistered.
C:\WINDOWS\System32\kewegoze.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\System32\sumupuji.dll
C:\WINDOWS\System32\sumupuji.dll NOT unregistered.
C:\WINDOWS\System32\sumupuji.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\System32\sibulupu.dll
C:\WINDOWS\System32\sibulupu.dll NOT unregistered.
C:\WINDOWS\System32\sibulupu.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\System32\lobihomo.dll
C:\WINDOWS\System32\lobihomo.dll NOT unregistered.
C:\WINDOWS\System32\lobihomo.dll moved successfully.
File C:\WINDOWS\System32\senazisa.dll not found!
File C:\WINDOWS\System32\jetahoga.dll not found!
File C:\WINDOWS\System32\tivopiyu.dll not found!
File C:\WINDOWS\System32\wawihuvu.dll not found!
File C:\WINDOWS\System32\wefifofi.dll not found!
File C:\WINDOWS\System32\vofobonu.dll not found!
File C:\WINDOWS\System32\renugipi.dll not found!
File C:\WINDOWS\System32\jerapuwi.dll not found!
File C:\WINDOWS\System32\nefizoke.dll not found!
C:\shellfix.reg moved successfully.
C:\desktop_ok.reg moved successfully.
File C:\WINDOWS\System32\bemumiha.dll not found!
File C:\WINDOWS\System32\semozidu.dll not found!
C:\WINDOWS\System32\test.aok moved successfully.
File C:\WINDOWS\System32\weyibadu.dll not found!
File C:\WINDOWS\System32\buvalaro.dll not found!
File C:\WINDOWS\System32\yudorefa.dll not found!
File C:\WINDOWS\System32\gihezawo.dll not found!
File C:\WINDOWS\System32\sejiguso.dll not found!
File C:\WINDOWS\System32\memilimi.dll not found!
File C:\WINDOWS\System32\jutimono.dll not found!
File C:\WINDOWS\System32\siguzuwi.dll not found!
C:\WINDOWS\System32\amabumim.ini moved successfully.
C:\WINDOWS\System32\oliravuk.ini moved successfully.
C:\WINDOWS\System32\otagiped.ini moved successfully.
C:\WINDOWS\System32\akulutob.ini moved successfully.
C:\WINDOWS\System32\umelajuv.ini moved successfully.
C:\WINDOWS\System32\atenavig.ini moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\System32\gobudeho.dll
C:\WINDOWS\System32\gobudeho.dll NOT unregistered.
C:\WINDOWS\System32\gobudeho.dll moved successfully.
C:\WINDOWS\System32\ozadasaw.ini moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\System32\pisabupe.dll
C:\WINDOWS\System32\pisabupe.dll NOT unregistered.
C:\WINDOWS\System32\pisabupe.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\System32\hebokali.dll
C:\WINDOWS\System32\hebokali.dll NOT unregistered.
C:\WINDOWS\System32\hebokali.dll moved successfully.
C:\WINDOWS\System32\olehibuj.ini moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\System32\vakidibe.dll
C:\WINDOWS\System32\vakidibe.dll NOT unregistered.
C:\WINDOWS\System32\vakidibe.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\System32\rapepute.dll
C:\WINDOWS\System32\rapepute.dll NOT unregistered.
C:\WINDOWS\System32\rapepute.dll moved successfully.
LoadLibrary failed for C:\WINDOWS\System32\vimodiya.dll
C:\WINDOWS\System32\vimodiya.dll NOT unregistered.
C:\WINDOWS\System32\vimodiya.dll moved successfully.
LoadLibrary failed for C:\WINDOWS\System32\tazotiwu.dll
C:\WINDOWS\System32\tazotiwu.dll NOT unregistered.
C:\WINDOWS\System32\tazotiwu.dll moved successfully.
C:\WINDOWS\System32\ukijijol.ini moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\System32\gapiseza.dll
C:\WINDOWS\System32\gapiseza.dll NOT unregistered.
C:\WINDOWS\System32\gapiseza.dll moved successfully.
LoadLibrary failed for C:\WINDOWS\System32\bemahofi.dll
C:\WINDOWS\System32\bemahofi.dll NOT unregistered.
C:\WINDOWS\System32\bemahofi.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\System32\piragobo.dll
C:\WINDOWS\System32\piragobo.dll NOT unregistered.
C:\WINDOWS\System32\piragobo.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\System32\cahweax.dll
C:\WINDOWS\System32\cahweax.dll NOT unregistered.
C:\WINDOWS\System32\cahweax.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\System32\yuvemifo.dll
C:\WINDOWS\System32\yuvemifo.dll NOT unregistered.
C:\WINDOWS\System32\yuvemifo.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\System32\kejejedi.dll
C:\WINDOWS\System32\kejejedi.dll NOT unregistered.
C:\WINDOWS\System32\kejejedi.dll moved successfully.
C:\WINDOWS\System32\ayajujos.ini moved successfully.
C:\WINDOWS\System32\ayeliful.ini moved successfully.
C:\WINDOWS\System32\imibesin.ini moved successfully.
[Alternate Data Streams]
ADS C:\WINDOWS\8346.exe:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d} deleted successfully.
ADS C:\WINDOWS\AuHCcup1.ini:stkiyr deleted successfully.
ADS C:\WINDOWS\AuHCcup1.ini:twsurx deleted successfully.
ADS C:\WINDOWS\Blue Lace 16.bmp:yterzp deleted successfully.
ADS C:\WINDOWS\JDSecure20.INI:zcjlgb deleted successfully.
ADS C:\WINDOWS\LxrConfig.INI:jrkxhg deleted successfully.
ADS C:\WINDOWS\msdfmap.ini:jrkxhg deleted successfully.
ADS C:\WINDOWS\PerMonitorWallpaper1.bmp:rndsox deleted successfully.
ADS C:\WINDOWS\PerMonitorWallpaper4.bmp:jovxih deleted successfully.
ADS C:\WINDOWS\QTW.INI:llktpu deleted successfully.
ADS C:\WINDOWS\South Park 3D Spectacular!.scr:nebcch deleted successfully.
ADS C:\WINDOWS\ST6UNST.000:gflhwk deleted successfully.
ADS C:\WINDOWS\vbaddin.ini:bhosvr deleted successfully.
Unable to delete ADS C:\WINDOWS\WER2D.tmp:eikfxl .
Unable to delete ADS C:\WINDOWS\WER38.tmp:hywauy .
Unable to delete ADS C:\WINDOWS\WER3C.tmp:azpgoj .
Unable to delete ADS C:\WINDOWS\WER41.tmp:lncbef .
Unable to delete ADS C:\WINDOWS\WER4D.tmp:ltjwgx .
Unable to delete ADS C:\WINDOWS\WER4F.tmp:mqhieh .
Unable to delete ADS C:\WINDOWS\WER50.tmp:dtucah .
Unable to delete ADS C:\WINDOWS\WER52.tmp:ersvyr .
Unable to delete ADS C:\WINDOWS\WER54.tmp:aswdkx .
Unable to delete ADS C:\WINDOWS\WER58.tmp:ttpiea .
Unable to delete ADS C:\WINDOWS\WER86.tmp:stsgok .
Unable to delete ADS C:\WINDOWS\WER89.tmp:kukliv .
Unable to delete ADS C:\WINDOWS\WER94.tmp:dguhkq .
Unable to delete ADS C:\WINDOWS\WERAB.tmp:knonps .
Unable to delete ADS C:\WINDOWS\WERAD.tmp:aqkffs .
Unable to delete ADS C:\WINDOWS\WERAE.tmp:dggsrd .
Unable to delete ADS C:\WINDOWS\WERB0.tmp:trcthc .
Unable to delete ADS C:\WINDOWS\WERC7.tmp:gwxiex .
ADS C:\WINDOWS\WININI(2).QTW:isbkrt deleted successfully.
ADS C:\WINDOWS\WININI.QTW:isbkrt deleted successfully.
ADS C:\WINDOWS\wininit.ini:kthlwr deleted successfully.
ADS C:\WINDOWS\_detmp.1:vqmbvi deleted successfully.
ADS C:\WINDOWS\b2_t_FABLE%20EVIL&384.xml:qrhrmb deleted successfully.
ADS C:\WINDOWS\iplayer.INI:dwmcyp deleted successfully.
ADS C:\WINDOWS\SIERRA.INI:fcbfvn deleted successfully.
ADS C:\WINDOWS\tmupdate.ini:eyneuj deleted successfully.
ADS C:\WINDOWS\UNIDRV.cfg:nmlxnr deleted successfully.
Unable to delete ADS C:\WINDOWS\WER68.tmp:tpmwfr .
Unable to delete ADS C:\WINDOWS\WERB6.tmp:tbukit .
ADS C:\Documents and Settings\All Users\Application Data\TEMP:5C321E34 deleted successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2 deleted successfully.
ADS C:\WINDOWS\popcinfo.dat:exzlba deleted successfully.
ADS C:\WINDOWS\Prairie Wind.bmp:jojwmv deleted successfully.
Unable to delete ADS C:\WINDOWS\WER29.tmp:lpihtb .
Unable to delete ADS C:\WINDOWS\WERB4.tmp:fdtaxt .
Unable to delete ADS C:\WINDOWS\WER6A.tmp:qylaox .
ADS C:\WINDOWS\GPTCR.NFO:cfwzch deleted successfully.
ADS C:\WINDOWS\PerMonitorWallpaper2.bmp:mkdsxn deleted successfully.
ADS C:\WINDOWS\PROTOCOL.INI:eakpqm deleted successfully.
Unable to delete ADS C:\WINDOWS\WER6A.tmp:xtawxw .
Unable to delete ADS C:\WINDOWS\WER6B.tmp:itqail .
ADS C:\WINDOWS\notepad.exe.bak:fpxfia deleted successfully.
ADS C:\WINDOWS\PerMonitorWallpaper1.bmp:iclsjt deleted successfully.
Unable to delete ADS C:\WINDOWS\WER5A.tmp:gwqare .
ADS C:\WINDOWS\_detmp.1:utuiwy deleted successfully.
ADS C:\WINDOWS\CMAURACK.INI:xbczjf deleted successfully.
ADS C:\WINDOWS\Greenstone.bmp:hrloyd deleted successfully.
ADS C:\WINDOWS\SP3D.ini:ckrniu deleted successfully.
Unable to delete ADS C:\WINDOWS\WER84.tmp:bsmeln .
Unable to delete ADS C:\WINDOWS\WERC8.tmp:iihkkt .
Unable to delete ADS C:\WINDOWS\WER64.tmp:yxzuvn .
Unable to delete ADS C:\WINDOWS\WER95.tmp:ilcmps .
Unable to delete ADS C:\WINDOWS\WERA2.tmp:ighuml .
Unable to delete ADS C:\WINDOWS\WERAE.tmp:ttlicw .
Unable to delete ADS C:\WINDOWS\WERC6.tmp:miirzr .
ADS C:\WINDOWS\{E2FDA946-5313-4F4D-BEE3-C2EF721E2589}.dat:uglref deleted successfully.
ADS C:\WINDOWS\b2_t_FABLE%20EVIL&384.xml:rqmjio deleted successfully.
ADS C:\WINDOWS\wininit.ini:kdxxii deleted successfully.
ADS C:\WINDOWS\WMSysPrx.prx:agrgqr deleted successfully.
ADS C:\WINDOWS\Zapotec.bmp:pglogi deleted successfully.
ADS C:\WINDOWS\readme.ico:tttwhh deleted successfully.
ADS C:\WINDOWS\setupapi.log.2.old:waebej deleted successfully.
Unable to delete ADS C:\WINDOWS\WER45.tmp:zqksqs .
Unable to delete ADS C:\WINDOWS\WER48.tmp:gpuach .
Unable to delete ADS C:\WINDOWS\WER76.tmp:idzayz .
[Purity]
Purity scan complete.
[Empty Temp Folders]
File delete failed. C:\Documents and Settings\Administrator\Local Settings\Temp\etilqs_4icDb5gMMDvfsvz3VfzC scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Administrator\Local Settings\Temp\Perflib_Perfdata_434.dat scheduled to be deleted on reboot.
User's Temp folder emptied.
User's Temporary Internet Files folder emptied.
User's Internet Explorer cache folder emptied.
Local Service Temp folder emptied.
Local Service Temporary Internet Files folder emptied.
Windows Temp folder emptied.
File delete failed. C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\ej1v1min.default\Cache\_CACHE_001_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\ej1v1min.default\Cache\_CACHE_002_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\ej1v1min.default\Cache\_CACHE_003_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\ej1v1min.default\Cache\_CACHE_MAP_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\ej1v1min.default\urlclassifier3.sqlite scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\ej1v1min.default\XUL.mfl scheduled to be deleted on reboot.
FireFox cache emptied.
RecycleBin -> emptied.
Explorer started successfully
< End of fix log >
OTScanIt2 by OldTimer - Version 1.0.7.1 fix logfile created on 02032009_050107

Files moved on Reboot...
File C:\Documents and Settings\Administrator\Local Settings\Temp\etilqs_4icDb5gMMDvfsvz3VfzC not found!
File C:\Documents and Settings\Administrator\Local Settings\Temp\Perflib_Perfdata_434.dat not found!
File move failed. C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\ej1v1min.default\Cache\_CACHE_001_ scheduled to be moved on reboot.
File move failed. C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\ej1v1min.default\Cache\_CACHE_002_ scheduled to be moved on reboot.
File move failed. C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\ej1v1min.default\Cache\_CACHE_003_ scheduled to be moved on reboot.
File move failed. C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\ej1v1min.default\Cache\_CACHE_MAP_ scheduled to be moved on reboot.
File move failed. C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\ej1v1min.default\urlclassifier3.sqlite scheduled to be moved on reboot.
File move failed. C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\ej1v1min.default\XUL.mfl scheduled to be moved on reboot.

Registry entries deleted on Reboot...
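The fix log above is long and repetitive, and the lines that matter for follow-up (the `Unable to delete ADS` entries on the WER*.tmp files, the deletions that are only scheduled for reboot) are easy to miss among the hundreds of `moved successfully` lines. The Python script below is an added example, not part of this thread and not OTScanIt's own code: it buckets lines in this log format, lists what still needs attention after the reboot, and flags moved files whose names fit the pattern that recurs in this log (an eight-letter stem that strictly alternates vowel and consonant, like vulozohu.dll or amabumim.ini). That name heuristic is an assumption added here for triage only, not a detection rule: it also matches legitimate names such as setupapi.dll. The embedded sample is a constructed excerpt of the log posted above.

```python
import re
from collections import defaultdict

# Constructed sample: lines excerpted from the OTScanIt2 fix log posted above.
SAMPLE_LOG = r"""
No active process named Explorer.EXE was found!
[Registry - Safe List]
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\viretujaza deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_Dlls:C:\WINDOWS\System32\karna.dat deleted successfully.
File C:\WINDOWS\System32\karna.dat not found.
[Files/Folders - Created Within 90 Days]
C:\WINDOWS\msdownld.tmp folder deleted successfully.
LoadLibrary failed for C:\WINDOWS\System32\vulozohu.dll
C:\WINDOWS\System32\vulozohu.dll NOT unregistered.
C:\WINDOWS\System32\vulozohu.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\System32\gihezawo.dll
C:\WINDOWS\System32\gihezawo.dll NOT unregistered.
C:\WINDOWS\System32\gihezawo.dll moved successfully.
C:\WINDOWS\System32\mksvse.dll moved successfully.
[Files/Folders - Modified Within 90 Days]
File C:\WINDOWS\System32\vulozohu.dll not found!
C:\WINDOWS\System32\amabumim.ini moved successfully.
[Alternate Data Streams]
ADS C:\WINDOWS\wininit.ini:kdxxii deleted successfully.
Unable to delete ADS C:\WINDOWS\WER2D.tmp:eikfxl .
[Empty Temp Folders]
File delete failed. C:\Documents and Settings\Administrator\Local Settings\Temp\Perflib_Perfdata_434.dat scheduled to be deleted on reboot.
Explorer started successfully
< End of fix log >
"""

# One regex per line shape in the log; the first match wins, so specific shapes go first.
PATTERNS = [
    ("registry_removed", re.compile(r"^Registry (?:value|key) (.+?) deleted successfully\.$")),
    ("ads_removed",      re.compile(r"^ADS (.+?) deleted successfully\.$")),
    ("ads_leftover",     re.compile(r"^Unable to delete ADS (.+?) \.$")),
    ("pending_reboot",   re.compile(r"^File delete failed\. (.+?) scheduled to be deleted on reboot\.$")),
    ("already_gone",     re.compile(r"^File (.+?) not found[.!]$")),
    ("folder_deleted",   re.compile(r"^(.+?) folder deleted successfully\.$")),
    ("moved",            re.compile(r"^(.+?) moved successfully\.$")),
    # Informational: a missing DllUnregisterServer or a failed LoadLibrary does not
    # stop the move, which the log reports on the following line.
    ("not_unregistered", re.compile(r"^(.+?) NOT unregistered\.$")),
]

VOWELS = set("aeiou")


def looks_generated(filename):
    """Assumed triage heuristic, taken from the names in this log: an 8-letter stem
    whose letters strictly alternate vowel/consonant (vulozohu, gihezawo, amabumim).
    It has false positives (setupapi.dll fits), so use it only to pick files to hash
    and submit, never to decide anything on its own."""
    stem = filename.rsplit(".", 1)[0].lower()
    if len(stem) != 8 or not stem.isalpha():
        return False
    is_vowel = [ch in VOWELS for ch in stem]
    return all(is_vowel[i] != is_vowel[i + 1] for i in range(len(stem) - 1))


def triage(log_text):
    """Bucket each line by what the tool did; unmatched lines (section headers,
    LoadLibrary notes) are ignored. Returns a dict of lists keyed by bucket name."""
    buckets = defaultdict(list)
    for raw in log_text.splitlines():
        line = raw.strip()
        for kind, rx in PATTERNS:
            m = rx.match(line)
            if m:
                buckets[kind].append(m.group(1))
                break
    moved_names = [path.rsplit("\\", 1)[-1] for path in buckets["moved"]]
    buckets["suspicious_names"] = sorted({n for n in moved_names if looks_generated(n)})
    # Streams the tool could not remove and files whose deletion is only scheduled
    # are what to check again after the reboot and in the rescan.
    buckets["needs_followup"] = buckets["ads_leftover"] + buckets["pending_reboot"]
    return dict(buckets)


if __name__ == "__main__":
    for bucket, items in triage(SAMPLE_LOG).items():
        print(f"{bucket}: {len(items)}")
        for item in items:
            print(f"    {item}")
```

Run it against a saved copy of the full fix log instead of `SAMPLE_LOG` to get the same summary for the whole post; the `needs_followup` bucket is the list to compare against the next OTScanIt2 scan, and `suspicious_names` is the list worth hashing and submitting to a multi-engine scanner before the moved copies are purged.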

#11 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • Local time:12:34 AM

Posted 03 February 2009 - 10:11 AM

Please show hidden files and folders

Find and delete this file manually C:\Windows\system32\bss.dll


Then, do this step once again and post the OTScanIt2 log here please :thumbsup:

Note: You must be logged on to the system with an account that has Administrator privileges to run this program.

  • Close ALL OTHER PROGRAMS.
  • Open the OTScanIt folder and double-click on OTScanIt.exe to start the program (if you are running on Vista then right-click the program and choose Run as Administrator).
  • At the top, tick on Scan All Users section
  • At File Age set it to 90 Days
  • In the Processes, Services, Drivers and Registry section, please set on Safe List.
  • In the Rootkit Search section, set to Yes
  • In the Files Created Within and Files Modified Within section, set it to WhiteList/File Age
  • At the bottom, tick on all Use WhiteList and Include All Unicode Names option
  • Under Additional Scans, tick on the "Extras" button and then click the checkboxes in front of the following items to select them:
    • Reg - IE Explorer Bars
    • Reg - NetSvcs
    • Reg - Tcpip Persistent Routers
    • File - Lop Check
    • File - Purity Scan
  • Do NOT change any other settings.
  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
Attach the log to your next reply. Don't post it; it will be too large to fit into a single post.


Edited by fenzodahl512, 03 February 2009 - 10:12 AM.



#12 cerius

cerius
  • Topic Starter

  • Members
  • 10 posts
  • Local time:08:34 AM

Posted 03 February 2009 - 10:59 AM

attached

I had to zip it because it was too large
:thumbsup:

P.S. I had to do all of this in safe mode to get it to run all of these programs.

Attached Files


Edited by cerius, 03 February 2009 - 11:02 AM.


#13 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • Local time:12:34 AM

Posted 03 February 2009 - 11:43 AM

Looks a lot better.. Let's do this....


Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix.. Please visit HERE if you don't know how.. Please re-enable them after performing all the steps given..

Please download ComboFix by sUBs from one of the locations below, and save it to your Desktop.

Link 1
Link 2
Link 3

Double click combofix.exe and follow the prompts. Please, never rename Combofix unless instructed.

If ComboFix asks you to install the Recovery Console, please do so.. It will be in your best interest..

When finished, it shall produce a log for you. Post that log and a fresh HijackThis log in your next reply..

Note: DON'T do anything with your computer while ComboFix is running.. Let ComboFix finish its job..



#14 cerius

cerius
  • Topic Starter

  • Members
  • 10 posts
  • Local time:08:34 AM

Posted 05 February 2009 - 05:48 AM

ComboFix 09-02-04.01 - cerius2 2009-02-05 0:06:21.1 - NTFSx86
Running from: c:\documents and settings\cerius2\Desktop\ComboFix.exe
.
The following files were disabled during the run:
c:\program files\Common Files\Logitech\LVMVFM\LVPrcInj.dll


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\a3kebook.ini
c:\windows\akebook.ini
c:\windows\aldew.dat
c:\windows\ANS2000.INI
c:\windows\bazat.dat
c:\windows\dotwu.dat
c:\windows\fjuej.dat
c:\windows\fmocs.dat
c:\windows\frhas.dat
c:\windows\IE4 Error Log.txt
c:\windows\inkur.dat
c:\windows\kafhf.dat
c:\windows\lyiwe.dat
c:\windows\msktc.dat
c:\windows\qdjjc.dat
c:\windows\qzzub.dat
c:\windows\sviud.dat
c:\windows\system32\addmf.exe
c:\windows\system32\addmm.exe
c:\windows\system32\addyt.exe
c:\windows\system32\apice32.exe
c:\windows\system32\apifg32.exe
c:\windows\system32\apifi32.exe
c:\windows\system32\apigi32.exe
c:\windows\system32\apikg32.exe
c:\windows\system32\apilw.exe
c:\windows\system32\apinx.exe
c:\windows\system32\apiqq32.exe
c:\windows\system32\apizu.exe
c:\windows\system32\appaq.exe
c:\windows\system32\appiy.exe
c:\windows\system32\appji32.exe
c:\windows\system32\appmt.exe
c:\windows\system32\appvw.exe
c:\windows\system32\apthh.dll
c:\windows\system32\atluh.exe
c:\windows\system32\atlxd32.exe
c:\windows\system32\aztkc.dat
c:\windows\system32\bmquz.dat
c:\windows\system32\buctw.dat
c:\windows\system32\crkt.exe
c:\windows\system32\crtu32.exe
c:\windows\system32\cryn.exe
c:\windows\system32\d3it32.exe
c:\windows\system32\d3oa.exe
c:\windows\system32\d3od32.exe
c:\windows\system32\d3rv32.exe
c:\windows\system32\d3vi32.exe
c:\windows\system32\d3vw32.exe
c:\windows\system32\d3vz32.exe
c:\windows\system32\d3wk.exe
c:\windows\system32\d3xj32.exe
c:\windows\system32\dovfm.dat
c:\windows\system32\evilu.dat
c:\windows\system32\fcswf.dll
c:\windows\system32\ftkwj.dll
c:\windows\system32\ftpupd.exe
c:\windows\system32\fwcqk.dat
c:\windows\system32\geusd.dll
c:\windows\system32\gflhw.dat
c:\windows\system32\hflbz.dat
c:\windows\system32\hryxc.dat
c:\windows\system32\ieea32.exe
c:\windows\system32\iefo.exe
c:\windows\system32\iety32.exe
c:\windows\system32\ievn32.exe
c:\windows\system32\iezk32.exe
c:\windows\system32\ipho32.exe
c:\windows\system32\ipit32.exe
c:\windows\system32\ipnq32.exe
c:\windows\system32\ipql32.exe
c:\windows\system32\iptt.exe
c:\windows\system32\javaaw.exe
c:\windows\system32\javaig32.exe
c:\windows\system32\javaxv32.exe
c:\windows\system32\kbvsc.log
c:\windows\system32\ljlmm.dat
c:\windows\system32\mdgzu.dll
c:\windows\system32\mfcgd.exe
c:\windows\system32\mfcoe.exe
c:\windows\system32\mfcqd32.exe
c:\windows\system32\mfcww32.exe
c:\windows\system32\mstx32.exe
c:\windows\system32\netav.exe
c:\windows\system32\nethp.exe
c:\windows\system32\netjt.exe
c:\windows\system32\netkn32.exe
c:\windows\system32\nhwca.dat
c:\windows\system32\ntmd32.exe
c:\windows\system32\ntso32.exe
c:\windows\system32\obfea.dat
c:\windows\system32\onmmj.dat
c:\windows\system32\open.ico
c:\windows\system32\pghgt.dat
c:\windows\system32\pswkb.dll
c:\windows\system32\ptjco.dat
c:\windows\system32\pxgof.dat
c:\windows\system32\qgwte.dat
c:\windows\system32\rlyqc.dat
c:\windows\system32\sdkql.exe
c:\windows\system32\sdkus32.exe
c:\windows\system32\sdkvh.exe
c:\windows\system32\sysea32.exe
c:\windows\system32\syshh.exe
c:\windows\system32\syshq32.exe
c:\windows\system32\system.sys
c:\windows\system32\sysuo.exe
c:\windows\system32\sysyy32.exe
c:\windows\system32\tcugc.dat
c:\windows\system32\utljk.dat
c:\windows\system32\wingf32.exe
c:\windows\system32\winle32.exe
c:\windows\system32\winoz.exe
c:\windows\system32\winwa32.exe
c:\windows\system32\winyg.exe
c:\windows\system32\wogmq.dat
c:\windows\system32\xgsww.dat
c:\windows\system32\xhaoo.dat
c:\windows\system32\xzvcu.dat
c:\windows\system32\ycqsf.dat
c:\windows\system32\ywvop.dat
c:\windows\unkgb.dat
c:\windows\uqojw.dat
c:\windows\vrveo.dat
c:\windows\wacal.dat
c:\windows\wnjqm.dat
c:\windows\wpmzi.dat
c:\windows\ylwgi.dat
c:\windows\ympsh.dat
c:\windows\zowov.dat

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_IPRIP
-------\Service_iprip


((((((((((((((((((((((((( Files Created from 2009-01-05 to 2009-02-05 )))))))))))))))))))))))))))))))
.

2009-02-04 21:46 . 2009-02-04 21:46 <DIR> d-------- c:\program files\Orban
2009-02-04 15:24 . 2009-02-04 15:25 <DIR> d-------- c:\program files\Essentials Codec Pack
2009-02-04 15:12 . 2009-02-04 15:12 <DIR> d-------- c:\program files\AMV Video Codec
2009-02-04 14:26 . 2009-02-04 14:26 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Apple Computer
2009-02-04 14:20 . 2009-02-04 14:20 <DIR> d-------- c:\documents and settings\Administrator\Application Data\streamripper
2009-02-04 13:39 . 2009-02-04 13:39 54,156 --ah----- c:\windows\QTFont.qfn
2009-02-04 13:39 . 2009-02-04 13:39 1,409 --a------ c:\windows\QTFont.for
2009-02-03 05:01 . 2009-02-03 05:01 <DIR> d-------- C:\_OTScanIt
2009-02-03 04:14 . 2009-02-03 04:14 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Any Video Converter
2009-02-03 00:18 . 2009-02-03 00:18 <DIR> d-------- c:\program files\CleanUp!
2009-01-28 06:42 . 2009-01-28 06:42 250 --a------ c:\windows\gmer.ini
2009-01-28 06:40 . 2009-01-28 06:40 <DIR> d-------- C:\rsit
2009-01-21 01:26 . 2009-01-28 17:59 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-01-21 01:26 . 2009-01-21 01:26 <DIR> d-------- c:\documents and settings\cerius2\Application Data\Malwarebytes
2009-01-21 01:26 . 2009-01-21 01:26 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-01-21 01:26 . 2009-01-14 16:11 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-21 01:26 . 2009-01-14 16:11 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-01-11 16:16 . 2009-01-11 16:16 <DIR> d-------- c:\program files\uTorrent
2009-01-11 16:16 . 2009-01-21 02:32 <DIR> d-------- c:\documents and settings\cerius2\Application Data\uTorrent
2009-01-09 23:20 . 2009-01-09 23:21 <DIR> d-------- c:\program files\Any Video Converter
2009-01-09 23:20 . 2009-01-09 23:21 <DIR> d-------- c:\documents and settings\cerius2\Application Data\Any Video Converter
2009-01-09 16:00 . 2009-01-09 16:00 <DIR> d-------- c:\program files\Allok MPEG4 Converter
2009-01-09 16:00 . 2004-01-11 08:02 258,048 --a------ c:\windows\system32\GplMpgDec.ax
2009-01-09 16:00 . 2007-04-12 14:19 129,024 --a------ c:\windows\system32\AVERM.dll
2009-01-09 16:00 . 2006-09-26 13:57 28,672 --a------ c:\windows\system32\AVEQT.dll
2009-01-05 20:49 . 2009-01-05 20:49 524 --a------ c:\windows\Shortcut to notepad.exe.bak.lnk
2009-01-05 18:57 . 2009-01-05 19:01 <DIR> d-------- c:\documents and settings\cerius2\Application Data\Software Informer
2009-01-05 18:11 . 2009-01-05 18:11 <DIR> d-------- c:\program files\IObit
2009-01-05 18:11 . 2009-01-05 18:11 <DIR> d-------- c:\documents and settings\cerius2\Application Data\IObit
2009-01-05 16:03 . 2009-01-05 16:03 <DIR> d-------- c:\documents and settings\cerius2\Application Data\GRETECH
2009-01-05 16:03 . 2009-01-05 16:03 <DIR> d-------- c:\documents and settings\All Users\Application Data\GRETECH
2009-01-05 16:02 . 2009-01-05 16:02 <DIR> d-------- c:\program files\GRETECH
2009-01-05 13:43 . 2009-01-05 13:43 <DIR> d-------- C:\2x
2009-01-05 12:00 . 2009-02-05 00:23 4,236 --a------ C:\Catalog.LiveSubscribe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-05 10:31 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-02-05 05:59 --------- d-----w c:\program files\DivX
2009-02-03 13:44 --------- d-----w c:\program files\Common Files\Symantec Shared
2009-02-03 08:10 --------- d-----w c:\program files\Palringo
2009-01-29 12:48 --------- d--h--r c:\documents and settings\All Users\Application Data\yahoo!
2009-01-28 08:24 --------- d-----w c:\program files\Norton SystemWorks
2009-01-20 08:07 --------- d-----w c:\documents and settings\cerius2\Application Data\LimeWire
2009-01-10 09:54 --------- d-----w c:\program files\Drv Dart
2009-01-06 05:44 --------- d-----w c:\program files\Trillian
2009-01-02 10:00 --------- d-----w c:\documents and settings\cerius2\Application Data\Dropbox
2008-12-17 20:05 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-17 19:24 --------- d-----w c:\program files\mIRC
2008-12-17 19:24 --------- d-----w c:\program files\Common Files\Download Manager
2008-12-17 11:16 120 ----a-w C:\drmHeader.bin
2008-12-17 10:51 --------- d-----w c:\program files\Spyware Doctor
2008-12-17 10:42 --------- d-----w c:\documents and settings\cerius2\Application Data\PC Tools
2008-12-17 10:41 --------- d-----w c:\program files\SpywareBlaster
2008-12-17 03:10 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-12-17 02:48 899 ----a-w c:\windows\system32\drivers\fwdrv.err
2008-12-11 00:33 86,016 ----a-w c:\windows\system32\dpl100.dll
2008-12-11 00:33 200,704 ----a-w c:\windows\system32\dtu100.dll
2008-12-09 02:28 593,920 ----a-w c:\windows\system32\dpuGUI11.dll
2008-12-09 02:28 57,344 ----a-w c:\windows\system32\dpv11.dll
2008-12-09 02:28 344,064 ----a-w c:\windows\system32\dpus11.dll
2008-12-09 02:28 294,912 ----a-w c:\windows\system32\dpu11.dll
2008-12-08 23:58 --------- d-----w c:\program files\Panda Security
2008-11-22 04:47 737,280 -c--a-w c:\windows\iun6002.exe
2008-11-06 16:37 524,288 ----a-w c:\windows\system32\DivXsm.exe
2008-11-06 16:37 3,596,288 ----a-w c:\windows\system32\qt-dx331.dll
2008-11-06 16:37 129,784 ------w c:\windows\system32\pxafs.dll
2008-11-06 16:37 120,056 ------w c:\windows\system32\pxcpyi64.exe
2008-11-06 16:37 118,520 ------w c:\windows\system32\pxinsi64.exe
2008-11-06 16:35 200,704 ----a-w c:\windows\system32\ssldivx.dll
2008-11-06 16:35 1,044,480 ----a-w c:\windows\system32\libdivx.dll
2008-11-06 16:33 823,296 ----a-w c:\windows\system32\divx_xx0c.dll
2008-11-06 16:33 823,296 ----a-w c:\windows\system32\divx_xx07.dll
2008-11-06 16:33 815,104 ----a-w c:\windows\system32\divx_xx0a.dll
2008-11-06 16:33 802,816 ----a-w c:\windows\system32\divx_xx11.dll
2008-11-06 16:33 684,032 ----a-w c:\windows\system32\DivX.dll
2008-11-06 16:33 12,288 ----a-w c:\windows\system32\DivXWMPExtType.dll
2008-07-20 05:53 1,890 --sha-w c:\documents and settings\All Users\Application Data\KGyGaAvL.sys
2008-07-20 05:52 88 --sh--r c:\documents and settings\All Users\Application Data\FC628B9812.sys
2007-10-28 00:20 43,008 -csha-w c:\program files\Thumbs.db
2004-10-15 03:04 22,983 ----a-w c:\documents and settings\cerius2\x.exe
2004-01-06 07:43 8,432 -c--a-w c:\program files\crashinfo.txt
2003-07-18 00:11 181 -c--a-w c:\program files\Common Files\PATCH.ERR
2003-07-11 21:39 1,653,760 ----a-w c:\documents and settings\cerius2\FlashFXP.exe
2003-05-21 03:25 140 -c--a-w c:\documents and settings\cerius2\Stats.dat
2003-05-21 01:22 116 -c--a-w c:\documents and settings\cerius2\Sites.dat
2003-02-17 00:28 64,430 -c--a-w c:\program files\VirtualDub.vdi
2003-02-17 00:28 475,136 -c--a-w c:\program files\VirtualDub.exe
2003-02-11 06:59 16,384 -c--a-w c:\program files\AuxSetup.exe
2003-02-03 05:17 7,168 -c--a-w c:\program files\vdremote.dll
2003-02-03 05:17 34,816 -c--a-w c:\program files\vdicmdrv.dll
2003-02-03 05:16 5,632 -c--a-w c:\program files\vdsvrlnk.dll
2001-11-23 19:08 712,704 -c--a-w c:\windows\inf\OTHER\AUDIO3D.DLL
2001-10-05 19:53 21,866 -c--a-w c:\program files\Common Files\tppupd2k.dll
2001-03-20 18:19 229,944 -c--a-w c:\program files\VirtualD.hlp
2001-03-20 18:11 4,798 -c--a-w c:\program files\VirtualD.cnt
1995-10-19 00:18 18,321 -c--a-w c:\program files\Copying
2000-06-06 01:47 32,768 ----a-w c:\program files\mozilla firefox\plugins\AppSub32.dll
2005-09-16 01:26 44,153 ----a-w c:\program files\mozilla firefox\components\inspector.dll
2007-11-07 06:17 80 --sh--r c:\windows\system32\77F12E2646.dll
2007-11-13 02:59 56 --sh--r c:\windows\system32\77F12E2646.sys
2004-01-30 05:17 56 -csh--r c:\windows\system32\FC05249FE7.sys
2006-05-03 09:06 163,328 --sh--r c:\windows\system32\flvDX.dll
2007-11-13 03:02 1,682 --sha-w c:\windows\system32\KGyGaAvL.sys
2007-02-21 10:47 31,232 --sh--r c:\windows\system32\msfDX.dll
2008-09-05 18:12 4,096 --sha-w c:\windows\system32\zavikalo.dll
.

------- Sigcheck -------

2004-06-17 00:03 1954688 ed0d7a5f1138ccfd3ecaf8f6ac691f13 c:\windows\$hf_mig$\KB840987\SP1QFE\ntkrnlpa.exe
2004-10-18 16:44 1955712 47cfed6c35a1b0ec18c083cc9632ad8e c:\windows\$hf_mig$\KB887811\SP1QFE\ntkrnlpa.exe
2001-08-23 07:00 1896704 46e2e3dcf54b819cfb2ebfe48a22b5c9 c:\windows\$NtUninstallKB840987$\ntkrnlpa.exe
2004-06-17 09:00 1903872 37eee86e396c2fc1508e3a499631f709 c:\windows\$NtUninstallKB887811$\ntkrnlpa.exe
2004-10-18 17:03 1904128 3379e8cdf2fd61aa5035bbf24e3be16e c:\windows\Driver Cache\i386\ntkrnlpa.exe
2004-08-03 21:58 2056832 947fb1d86d14afcffdb54bf837ec25d0 c:\windows\SoftwareDistribution\Download\6ca7b3a8efd5a9b6f87fff395a2eb989\ntkrnlpa.exe
2004-10-18 17:03 1896704 5a9877e10a195bb5a984bf365e38ab12 c:\windows\system32\ntkrnlpa.exe
2004-10-18 17:03 1904128 3379e8cdf2fd61aa5035bbf24e3be16e c:\windows\system32\LHTrans\ntkrnlpa.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-07-07 2156368]
"RIMDeviceManager"="c:\program files\Common Files\Research In Motion\RIMDeviceManager\RIMDeviceManager.exe" [2007-04-13 1320472]
"PlayNC Launcher"="d:\program files\NCSoft\Launcher\NCLauncher.exe" [2008-06-09 38128]
"Norton SystemWorks"="c:\program files\Norton SystemWorks\cfgwiz.exe" [2004-09-09 132248]
"Advanced SystemCare 3"="c:\program files\IObit\Advanced SystemCare 3\AWC.exe" [2008-12-21 2250256]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2009-01-23 4363504]
"NVIEW"="nview.dll" [2003-03-20 c:\windows\system32\nview.dll]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"ypagerps1"="del" [X]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"zBrowser Launcher"="c:\program files\Logitech\iTouch\iTouch.exe" [2004-03-18 892928]
"Symantec NetDriver Monitor"="c:\progra~1\SYMNET~1\SNDMon.exe" [2005-10-26 100056]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2005-11-09 155648]
"PRONoMgr.exe"="c:\program files\Intel\NCS\PROSet\PRONoMgr.exe" [2003-07-10 86016]
"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2003-03-20 4616192]
"LVCOMSX"="c:\windows\System32\LVCOMSX.EXE" [2005-12-09 225280]
"LVComs"="c:\windows\System32\LVComS.exe" [2002-04-05 102400]
"LogitechVideo[inspector]"="c:\program files\Logitech\Video\InstallHelper.exe" [2005-12-07 09:33 73728]
"LogitechCameraAssistant"="c:\program files\Logitech\Video\CameraAssistant.exe" [2005-12-07 489472]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-01-17 58728]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-06-10 339968]
"LogitechCameraService(E)"="c:\windows\System32\ElkCtrl.exe" [2004-11-01 262144]
"ISTray"="c:\program files\Spyware Doctor\pctsTray.exe" [2008-08-25 1168264]
"EPSON Stylus Photo 820 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_S0EIC1.EXE" [2002-04-10 74240]
"MSConfig"="c:\windows\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2001-08-23 145408]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2005-09-20 180269]
"Media Codec Update Service"="c:\program files\Essentials Codec Pack\WECPUpdate.exe" [2009-01-25 196608]
"Logitech Utility"="Logi_MwX.Exe" [2003-03-04 c:\windows\LOGI_MWX.EXE]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-01-23 c:\windows\KHALMNPR.Exe]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-01-23 c:\windows\KHALMNPR.Exe]
"C-Media Mixer"="Mixer.exe" [2003-07-18 c:\windows\mixer.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"SRUUninstall"="c:\windows\System32\msiexec.exe" [2005-05-03 78848]
"tscuninstall"="c:\windows\system32\tscupgrd.exe" [2001-08-23 40448]
"RunNarrator"="Narrator.exe" [2001-08-23 c:\windows\system32\narrator.exe]

c:\documents and settings\cerius2\Start Menu\Programs\Startup\
Dropbox.lnk - c:\program files\Dropbox\Dropbox.exe [2008-09-25 24096981]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableLockWorkstation"= 1 (0x1)
"DisableChangePassword"= 1 (0x1)
"NoSecCPL"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSettingsWizards"= 1 (0x1)
"NoWinKeys"= 1 (0x1)
"NoRecycleFiles"= 1 (0x1)
"NoGoTo"= 1 (0x1)
"NoHelp"= 1 (0x1)
"NoSMMyPictures"= 1 (0x1)
"NoStartMenuMyMusic"= 1 (0x1)
"NoSMMyDocs"= 1 (0x1)
"NoStartMenuNetworkPlaces"= 1 (0x1)
"NoFavoritesMenu"= 1 (0x1)
"NoNetworkConnections"= 1 (0x1)
"NoCustomizeWebView"= 1 (0x1)
"NoPrinters"= 1 (0x1)
"SpecifyDefaultButtons"= 0 (0x0)
"Btn_Folders"= 2 (0x2)
"Btn_Fullscreen"= 2 (0x2)
"Btn_Tools"= 2 (0x2)
"Btn_MailNews"= 2 (0x2)
"Btn_Size"= 2 (0x2)
"Btn_Edit"= 2 (0x2)
"Btn_Discussions"= 2 (0x2)
"Btn_Cut"= 2 (0x2)
"Btn_Copy"= 2 (0x2)
"Btn_Paste"= 2 (0x2)

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\2]
Source= c:\documents and settings\cerius2\My Documents\Music\My Pictures\artwork\websites\alien\alien.html
FriendlyName=

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2007-01-30 02:15 65536 c:\program files\Common Files\Logitech\Bluetooth\LBTWlgn.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.I420"= i420vfw.dll
"VIDC.I263"= i263_32.drv
"msvideo7"= STV680tg.dll
"VIDC.HFYU"= huffyuv.dll
"vidc.DIV3"= DivXc32.dll
"vidc.DIV4"= DivXc32f.dll
"msacm.clmp3enc"= c:\progra~1\CYBERL~1\MP3POW~1\CLMP3Enc.ACM
"vidc.EM2V"= EtxCodec.dll
"vidc.XVID"= xvid.dll
"msacm.divxa32"= msaud32_divx.acm
"msacm.l3codec"= L3codecp.acm
"msacm.lameacm"= LameACM.dll
"vidc.amv2"= c:\progra~1\AMVVID~1\AMV2CO~1.DLL
"vidc.amm2"= c:\progra~1\AMVVID~1\AMV2MT~1.DLL
"vidc.amv3"= c:\progra~1\AMVVID~1\AMV3CO~1.DLL

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WinRoute"=2 (0x2)
"GEARSecurity"=2 (0x2)
"StyleXPService"=2 (0x2)
"Slave"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"seekmo"="c:\program files\seekmo\seekmo.exe"
"Repair Registry Pro"=c:\program files\Repair Registry Pro\RepairRegistryPro.exe -s
"csrss"=

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"CoolSwitch"=c:\windows\System32\taskswitch.exe
"LVCOMS"=c:\windows\System32\LVComS.exe
"MimBoot"=c:\program files\Musicmatch\Musicmatch Jukebox\mimboot.exe
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime
"iTunesHelper"=c:\program files\iTunes\iTunesHelper.exe
"WinampAgent"=f:\data\Programs\wa\Winamp\winampa.exe
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" -osboot
"antiware"=c:\windows\system32\eliteskt32.exe
"javahi.exe"=c:\windows\javahi.exe
"BootSkin Startup Jobs"="c:\program files\Stardock\WinCustomize\BootSkin\BootSkin.exe" /StartupJobs
"LogonStudio"="c:\program files\WinCustomize\LogonStudio\logonstudio.exe" /RANDOM
"APC"=c:\program files\Advanced Parental Control\BackProcessAPC.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
"AntiVirusDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=

R2 nvTUNEP;nVidia WDM TVTuner;c:\windows\system32\DRIVERS\nvtunep.sys [2003-02-05 18128]
R2 nvtvSND;nVidia WDM TVAudio Crossbar;c:\windows\system32\DRIVERS\nvtvsnd.sys [2003-02-05 45072]
R3 BRGSp50;BRGSp50 NDIS Protocol Driver;c:\windows\system32\Drivers\BRGSp50.sys [2005-06-08 20608]
R3 iteio;iteio;c:\windows\System32\drivers\iteio.sys [1999-08-30 3680]
R3 LCcfltr;Logitech USB Filter Driver;c:\windows\system32\drivers\lccfltr.sys [2004-03-03 14095]
R3 QCEmerald;Logitech QuickCam Web;c:\windows\system32\DRIVERS\OVCE.sys [2001-08-17 31872]
R3 RTR720;RTR720;c:\windows\system32\drivers\Rtr720.sys [2002-06-09 48896]
R3 SMALUSB;Digital Camera Driver;c:\windows\system32\DRIVERS\smallogi.sys [2002-08-15 11721]
R3 TPP725;USB Storage Adapter (TPP);c:\windows\system32\DRIVERS\TPP725.SYS [2001-10-05 43269]
R3 USBIODS;Beamz Interactive USB Controller;c:\windows\system32\Drivers\USBIODS.sys [2008-02-15 10980]
S0 hptpro;hptpro;c:\windows\System32\DRIVERS\hptpro.sys [2003-01-26 9809]
S0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2008-06-19 28544]
S0 SI3112r;Silicon Image SiI 3112 SATARaid Controller;c:\windows\System32\DRIVERS\si3112r.sys [2003-02-23 85265]
S1 fwdrv;Firewall Driver;c:\windows\system32\drivers\fwdrv.sys [2006-05-09 278528]
S1 hwinterface;hwinterface;c:\windows\system32\Drivers\hwinterface.sys [2005-02-03 3026]
S1 khips;Kerio HIPS Driver;c:\windows\system32\drivers\khips.sys [2006-05-09 86016]
S1 SSHDRV65;SSHDRV65;c:\windows\System32\drivers\SSHDRV65.sys [2002-01-28 120320]
S1 SSHDRV85;SSHDRV85;c:\windows\System32\drivers\SSHDRV85.sys [2002-01-28 78848]
S2 NProtectService;Norton Unerase Protection;c:\progra~1\NORTON~3\NORTON~1\NPROTECT.EXE [2004-08-30 95328]
S2 NwSapAgent;SAP Agent;c:\windows\System32\svchost.exe [2001-08-23 12800]


--- Other Services/Drivers In Memory ---

*Deregistered* - aawservice
*Deregistered* - AFD
*Deregistered* - ALG
*Deregistered* - ASPI32
*Deregistered* - Ati HotKey Poller
*Deregistered* - ATI Smart
*Deregistered* - AudioSrv
*Deregistered* - audstub
*Deregistered* - Automatic LiveUpdate Scheduler
*Deregistered* - BITS
*Deregistered* - Browser
*Deregistered* - BTKRNL
*Deregistered* - btwdins
*Deregistered* - ccEvtMgr
*Deregistered* - ccSetMgr
*Deregistered* - Cdfs
*Deregistered* - CryptSvc
*Deregistered* - Dhcp
*Deregistered* - dmio
*Deregistered* - dmload
*Deregistered* - dmserver
*Deregistered* - Dnscache
*Deregistered* - DumaNT
*Deregistered* - enodpl
*Deregistered* - ERSvc
*Deregistered* - EventSystem
*Deregistered* - FastUserSwitchingCompatibility
*Deregistered* - Fips
*Deregistered* - Ftdisk
*Deregistered* - fwdrv
*Deregistered* - Gpc
*Deregistered* - helpsvc
*Deregistered* - HidServ
*Deregistered* - hptpro
*Deregistered* - hwinterface
*Deregistered* - IKSysFlt
*Deregistered* - IpNat
*Deregistered* - IPSec
*Deregistered* - irda
*Deregistered* - IRENUM
*Deregistered* - Irmon
*Deregistered* - Kbdclass
*Deregistered* - khips
*Deregistered* - KPF4
*Deregistered* - KSecDD
*Deregistered* - lanmanserver
*Deregistered* - lanmanworkstation
*Deregistered* - LBTServ
*Deregistered* - LiveUpdate
*Deregistered* - LmHosts
*Deregistered* - LVPrcMon
*Deregistered* - LVPrcSrv
*Deregistered* - mchInjDrv
*Deregistered* - MDM
*Deregistered* - mnmdd
*Deregistered* - Modem
*Deregistered* - Mouclass
*Deregistered* - MountMgr
*Deregistered* - MRxDAV
*Deregistered* - MRxSmb
*Deregistered* - Msfs
*Deregistered* - Mup
*Deregistered* - navapsvc
*Deregistered* - NAVENG
*Deregistered* - NAVEX15
*Deregistered* - NDIS
*Deregistered* - NdisTapi
*Deregistered* - Ndisuio
*Deregistered* - NdisWan
*Deregistered* - NDProxy
*Deregistered* - NetBIOS
*Deregistered* - NetBT
*Deregistered* - Netman
*Deregistered* - Nla
*Deregistered* - NPDriver
*Deregistered* - NPFMntor
*Deregistered* - Npfs
*Deregistered* - NPPTNT
*Deregistered* - NProtectService
*Deregistered* - Ntfs
*Deregistered* - Null
*Deregistered* - NVSvc
*Deregistered* - NwlnkFlt
*Deregistered* - NwlnkFwd
*Deregistered* - NwlnkIpx
*Deregistered* - NwlnkNb
*Deregistered* - NwlnkSpx
*Deregistered* - NwSapAgent
*Deregistered* - PartMgr
*Deregistered* - ParVdm
*Deregistered* - pavboot
*Deregistered* - PenClass
*Deregistered* - PolicyAgent
*Deregistered* - PptpMiniport
*Deregistered* - ProtectedStorage
*Deregistered* - PSched
*Deregistered* - RasAcd
*Deregistered* - RasAuto
*Deregistered* - Rasirda
*Deregistered* - Rasl2tp
*Deregistered* - RasMan
*Deregistered* - RasPppoe
*Deregistered* - Raspti
*Deregistered* - Rdbss
*Deregistered* - RDPCDD
*Deregistered* - rdpdr
*Deregistered* - RemoteAccess
*Deregistered* - RimVSerPort
*Deregistered* - RpcSs
*Deregistered* - SamSs
*Deregistered* - SAVRT
*Deregistered* - SAVRTPEL
*Deregistered* - SBService
*Deregistered* - Schedule
*Deregistered* - sdCoreService
*Deregistered* - Secdrv
*Deregistered* - seclogon
*Deregistered* - SENS
*Deregistered* - SharedAccess
*Deregistered* - ShellHWDetection
*Deregistered* - SiFilter
*Deregistered* - SNDSrvc
*Deregistered* - SPBBCDrv
*Deregistered* - SPBBCSvc
*Deregistered* - Speed Disk service
*Deregistered* - Spooler
*Deregistered* - sr
*Deregistered* - srservice
*Deregistered* - Srv
*Deregistered* - SSHDRV65
*Deregistered* - SSHDRV85
*Deregistered* - stisvc
*Deregistered* - swenum
*Deregistered* - Symantec Core LC
*Deregistered* - SYMDNS
*Deregistered* - SymEvent
*Deregistered* - SYMFW
*Deregistered* - SYMIDS
*Deregistered* - SYMIDSCO
*Deregistered* - symlcbrd
*Deregistered* - SYMNDIS
*Deregistered* - SYMREDRV
*Deregistered* - SYMTDI
*Deregistered* - SymWSC
*Deregistered* - TabletService
*Deregistered* - tandpl
*Deregistered* - TapiSrv
*Deregistered* - Tcpip
*Deregistered* - TermService
*Deregistered* - Themes
*Deregistered* - TrkWks
*Deregistered* - Update
*Deregistered* - VgaSave
*Deregistered* - viaagp
*Deregistered* - ViaIde
*Deregistered* - VolSnap
*Deregistered* - vsbus
*Deregistered* - W32Time
*Deregistered* - Wanarp
*Deregistered* - WebClient
*Deregistered* - winmgmt
*Deregistered* - wuauserv
*Deregistered* - WZCSVC

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{969B3B70-8765-11D5-9809-0050BACBF861}]
rundll32.exe advpack.dll,LaunchINFSection c:\program files\CyberLink\MP3PowerEncoder\Cyber.inf,PerUserStub
.
Contents of the 'Scheduled Tasks' folder

2009-01-24 c:\windows\Tasks\Norton AntiVirus - Scan my computer - cerius2.job
- c:\progra~1\NORTON~3\NORTON~3\Navw32.exe [2005-01-10 11:20]

2009-01-28 c:\windows\Tasks\Norton SystemWorks One Button Checkup.job
- c:\program files\Norton SystemWorks\OBC.exe [2004-11-03 21:19]

2009-02-05 c:\windows\Tasks\Symantec Drmc.job
- c:\program files\Common Files\Symantec Shared\SymDrmc.exe [2004-10-27 10:48]
.
- - - - ORPHANS REMOVED - - - -

BHO-{213453a5-2a96-44ca-b50b-378fb745006b} - c:\windows\System32\gosuruti.dll
ShellIconOverlayIdentifiers-{FB314ED9-A251-47B7-93E1-CDD82E34AF8B} - (no file)
ShellIconOverlayIdentifiers-{FB314EDA-A251-47B7-93E1-CDD82E34AF8B} - (no file)
ShellIconOverlayIdentifiers-{FB314EDB-A251-47B7-93E1-CDD82E34AF8B} - (no file)
HKLM-Run-CPM5b40bafd - c:\windows\system32\nefapifa.dll
HKLM-Run-ymogsvqbjkugvrhg - c:\windows\System32\ohhgwnywgfnui.dll
HKLM-Run-viretujaza - c:\windows\System32\jomibojo.dll
HKLM-Run-Logitech BT Wizard - LBTWiz.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
uInternet Settings,ProxyServer = <local>
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
FF - ProfilePath - c:\documents and settings\cerius2\Application Data\Mozilla\Firefox\Profiles\v12vrka0.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: network.proxy.type - 4
FF - plugin: c:\program files\Mozilla Firefox\plugins\NpIpx32.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmusicn.dll
FF - plugin: c:\program files\Real\RealOne Player\Netscape6\nppl3260.dll
FF - plugin: c:\program files\Real\RealOne Player\Netscape6\nprjplug.dll
FF - plugin: c:\program files\Real\RealOne Player\Netscape6\nprpjplug.dll
FF - plugin: c:\program files\Veoh Networks\Veoh\Plugins\noreg\NPVeohVersion.dll
.
.
------- File Associations -------
.
inffile=c:\windows\SoftwareDistribution\Download\6ca7b3a8efd5a9b6f87fff395a2eb989\notepad.exe %1
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-05 02:33:10
Windows 5.1.2600 NTFS

detected NTDLL code modification:
ZwClose

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-73586283-1606980848-1060284298-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID]
@Denied: (Full) (LocalSystem)
"{20D04FE0-3AEA-1069-A2D8-08002B30309D}"="c:\\WINDOWS\\System32\\shell32.dll,15"
"{992CFFA0-F557-101A-88EC-00DD010CCC48}"="c:\\WINDOWS\\system32\\SHELL32.dll,17"
"{208D2C60-3AEA-1069-A2D7-08002B30309D}"="c:\\WINDOWS\\system32\\SHELL32.dll,17"
"{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}"="c:\\WINDOWS\\system32\\shell32.dll,22"
"{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}"="c:\\WINDOWS\\system32\\shell32.dll,23"
"{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}"="c:\\WINDOWS\\system32\\shell32.dll,24"
"{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="c:\\WINDOWS\\system32\\shell32.dll,-175"
"{21EC2020-3AEA-1069-A2DD-08002B30309D}"="c:\\WINDOWS\\System32\\shell32.dll,-137"
"{2227A280-3AEA-1069-A2DE-08002B30309D}"="c:\\WINDOWS\\System32\\shell32.dll,-138"
"{D20EA4E1-3957-11d2-A40B-0C5020524152}"="c:\\WINDOWS\\system32\\shell32.dll,38"
"AudioCD"="c:\\WINDOWS\\System32\\shell32.dll,40"
"{FBF23B42-E3F0-101B-8488-00AA003E56F8}"="c:\\WINDOWS\\system32\\shell32.dll,220"
"{450D8FBA-AD25-11D0-98A8-0800361B1103}"="c:\\WINDOWS\\system32\\mydocs.dll,0"
"{D20EA4E1-3957-11d2-A40B-0C5020524153}"="c:\\WINDOWS\\system32\\main.cpl,10"
"{E211B736-43FD-11D1-9EFB-0000F8757FCD}"="c:\\WINDOWS\\system32\\wiashext.dll,0"
"{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="c:\\WINDOWS\\system32\\mstask.dll,-100"
"{88C6C381-2E85-11D0-94DE-444553540000}"="c:\\WINDOWS\\System32\\occache.dll,0"
"{BDEADF00-C265-11d0-BCED-00A0C90AB50F}"="c:\\Program Files\\COMMON~1\\MICROS~1\\WEBFOL~1\\MSONSEXT.DLL,0"
"{FF393560-C2A7-11CF-BFF4-444553540000}"="c:\\WINDOWS\\System32\\shdocvw.dll,-20785"
"{F5175861-2688-11d0-9C5E-00AA00A45957}"="c:\\WINDOWS\\System32\\webcheck.dll,0"
"{85BBD920-42A0-1069-A2E4-08002B30309D}"="c:\\WINDOWS\\system32\\syncui.dll,0"

[HKEY_USERS\S-1-5-21-73586283-1606980848-1060284298-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{20388785-35A4-EC5F-4258-17B0BFF0F8AD}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"iapknbkfggagbihgdf"=hex:69,61,62,70,6d,67,64,68,6a,61,66,70,70,62,6e,6a,6b,62,
00,00
"hafkgjfkfacceahl"=hex:6a,61,6c,70,65,67,63,66,6e,61,70,66,66,6f,6b,61,68,62,
61,64,00,22
"ialnemhmaiaeokhaib"=hex:63,61,62,70,63,69,00,00
"ablnejaiaipniajhamnljeoknbninhfedh"=hex:61,61,00,00
"maonjickecbolimpebddcphabh"=hex:61,61,00,00
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(844)
c:\windows\system32\ODBC32.dll
c:\windows\system32\Ati2evxx.dll
c:\program files\common files\logitech\bluetooth\LBTWlgn.dll
c:\program files\common files\logitech\bluetooth\LBTServ.dll

- - - - - - - > 'lsass.exe'(900)
c:\windows\System32\dssenh.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
c:\program files\Common Files\Logitech\Bluetooth\LBTSERV.EXE
c:\program files\Common Files\Symantec Shared\CCSETMGR.EXE
c:\program files\Common Files\Symantec Shared\SNDSrvc.exe
c:\program files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
c:\program files\Common Files\Symantec Shared\CCEVTMGR.EXE
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\program files\Common Files\Logitech\LVMVFM\LVPrcSrv.exe
c:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe
c:\program files\Sunbelt Software\Personal Firewall\kpf4ss.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\program files\Norton SystemWorks\Norton AntiVirus\NAVAPSVC.EXE
c:\program files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMNTOR.EXE
c:\program files\Sunbelt Software\Personal Firewall\kpf4gui.exe
c:\program files\Spyware Doctor\pctsSvc.exe
c:\progra~1\NORTON~3\NORTON~1\SPEEDD~1\NOPDB.exe
c:\program files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
c:\windows\system32\Tablet.exe
c:\program files\Sunbelt Software\Personal Firewall\kpf4gui.exe
c:\windows\system32\ati2evxx.exe
.
**************************************************************************
.
Completion time: 2009-02-05 2:41:03 - machine was rebooted
ComboFix-quarantined-files.txt 2009-02-05 10:40:52

Pre-Run: 30,272,241,664 bytes free
Post-Run: 30,435,676,160 bytes free

WinXP_EN_PRO_BF.EXE
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect

708


____________________________________________________________
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:50:04 AM, on 2/5/2009
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Common Files\Logitech\Bluetooth\LBTSERV.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\PROGRA~1\NORTON~3\NORTON~1\NPROTECT.EXE
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\PROGRA~1\NORTON~3\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\Tablet.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\System32\taskmgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\jht\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O3 - Toolbar: RefresherBand Class - {B24BA06E-FB7B-4757-95C2-DC01125F750E} - C:\YREFRE~1\YREFRE~1.DLL
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\System32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LVComs] C:\WINDOWS\System32\LVComS.exe
O4 - HKLM\..\Run: [LogitechVideo[inspector]] C:\Program Files\Logitech\Video\InstallHelper.exe /inspect
O4 - HKLM\..\Run: [LogitechCameraAssistant] C:\Program Files\Logitech\Video\CameraAssistant.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [LogitechCameraService(E)] C:\WINDOWS\System32\ElkCtrl.exe /automation
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [EPSON Stylus Photo 820 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S0EIC1.EXE /P29 "EPSON Stylus Photo 820 Series" /O6 "USB001" /M "Stylus Photo 820"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Media Codec Update Service] C:\Program Files\Essentials Codec Pack\WECPUpdate.exe -s
O4 - HKCU\..\Run: [SpybotSD TeaTimer] c:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [RIMDeviceManager] "C:\Program Files\Common Files\Research In Motion\RIMDeviceManager\RIMDeviceManager.exe" -RunServer
O4 - HKCU\..\Run: [PlayNC Launcher] D:\Program Files\NCSoft\Launcher\NCLauncher.exe /Minimized
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [Norton SystemWorks] "C:\Program Files\Norton SystemWorks\cfgwiz.exe" /GUID {05858CFD-5CC4-4ceb-AAAF-CF00BF39736A} /MODE CfgWiz
O4 - HKCU\..\Run: [Advanced SystemCare 3] "C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe" /startup
O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\RunOnce: [ypagerps1] cmd.exe /C del "C:\Program Files\Yahoo!\Messenger\ypagerps1.DLL"
O4 - HKUS\S-1-5-21-73586283-1606980848-1060284298-1003\..\Run: [SpybotSD TeaTimer] c:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (User '?')
O4 - HKUS\S-1-5-21-73586283-1606980848-1060284298-1003\..\Run: [RIMDeviceManager] "C:\Program Files\Common Files\Research In Motion\RIMDeviceManager\RIMDeviceManager.exe" -RunServer (User '?')
O4 - HKUS\S-1-5-21-73586283-1606980848-1060284298-1003\..\Run: [PlayNC Launcher] D:\Program Files\NCSoft\Launcher\NCLauncher.exe /Minimized (User '?')
O4 - HKUS\S-1-5-21-73586283-1606980848-1060284298-1003\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook (User '?')
O4 - HKUS\S-1-5-21-73586283-1606980848-1060284298-1003\..\Run: [Norton SystemWorks] "C:\Program Files\Norton SystemWorks\cfgwiz.exe" /GUID {05858CFD-5CC4-4ceb-AAAF-CF00BF39736A} /MODE CfgWiz (User '?')
O4 - HKUS\S-1-5-21-73586283-1606980848-1060284298-1003\..\Run: [Advanced SystemCare 3] "C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe" /startup (User '?')
O4 - HKUS\S-1-5-21-73586283-1606980848-1060284298-1003\..\Run: [Messenger (Yahoo!)] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet (User '?')
O4 - HKUS\S-1-5-21-73586283-1606980848-1060284298-1003\..\RunOnce: [ypagerps1] cmd.exe /C del "C:\Program Files\Yahoo!\Messenger\ypagerps1.DLL" (User '?')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User '?')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - S-1-5-21-73586283-1606980848-1060284298-1003 Startup: Dropbox.lnk = C:\Program Files\Dropbox\Dropbox.exe (User '?')
O4 - Startup: Dropbox.lnk = C:\Program Files\Dropbox\Dropbox.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: GStartup.lnk = C:\Program Files\Common Files\GMT\GMT.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Logitech SetPoint.lnk = ?
O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\system32\WTablet\TabUserW.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200305...meInstaller.exe
O18 - Protocol: offline-8876480 - {AE75AA28-4B08-41D3-A3C0-25CDCE70B859} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Sunbelt Kerio Personal Firewall 4 (KPF4) - Sunbelt Software - C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech Inc. - C:\Program Files\Common Files\Logitech\Bluetooth\LBTSERV.EXE
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Logitech Process Monitor (LVPrcSrv) - Logitech Inc. - c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~3\NORTON~1\NPROTECT.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~3\NORTON~1\SPEEDD~1\NOPDB.EXE
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\System32\Tablet.exe
O24 - Desktop Component 0: Google - http://www.google.com/
O24 - Desktop Component 2: (no name) - C:\Documents and Settings\cerius2\My Documents\Music\My Pictures\artwork\websites\alien\alien.html

--
End of file - 12758 bytes

#15 fenzodahl512

  • Members
  • 6,738 posts
  • Local time:12:34 AM

Posted 05 February 2009 - 06:48 AM

1. Please open Notepad
  • Click Start, then Run
  • Type notepad.exe in the Run Box.
2. Now copy/paste the entire content of the codebox below into the Notepad window:

KillAll::

File::
c:\windows\system32\eliteskt32.exe
c:\windows\javahi.exe

Folder::
c:\program files\seekmo

RegLock::
[HKEY_USERS\S-1-5-21-73586283-1606980848-1060284298-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID]
[HKEY_USERS\S-1-5-21-73586283-1606980848-1060284298-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{20388785-35A4-EC5F-4258-17B0BFF0F8AD}*]

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"seekmo"=-
"csrss"=-
[-HKEY_USERS\S-1-5-21-73586283-1606980848-1060284298-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{20388785-35A4-EC5F-4258-17B0BFF0F8AD}*]

DirLook::
C:\2x

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

[animation: dragging CFScript.txt onto ComboFix.exe]


5. After the reboot (if it asks to reboot), please post the following reports/logs in your next reply:
  • Combofix.txt
  • A new HijackThis log.

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive
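As an added example (not part of this thread, and not ComboFix's or the reply author's code): a small Python parser for the "LOCKED REGISTRY KEYS" block of the ComboFix log posted above. It pulls out each locked key, the ACEs ComboFix printed under it and its values, flags keys carrying a Deny ACE against LocalSystem (a service running as SYSTEM, which is what most removal tools are, cannot touch such a key, which is why the reply resets them with RegLock::), decodes the hex: values into the NUL-padded ASCII strings they really are, and emits the RegLock:: section in the form the reply's CFScript uses. The sample input is a trimmed copy of the log block from this page; the LockedKey class and the function names are this example's own, and the line layout it expects is the one seen in this log, which is an assumption about other ComboFix versions.

```python
import re
from dataclasses import dataclass, field

# Constructed sample input: a trimmed copy of the "LOCKED REGISTRY KEYS"
# block from the ComboFix log posted in this thread.
SAMPLE_LOG = r"""
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-73586283-1606980848-1060284298-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID]
@Denied: (Full) (LocalSystem)
"{20D04FE0-3AEA-1069-A2D8-08002B30309D}"="c:\\WINDOWS\\System32\\shell32.dll,15"
"AudioCD"="c:\\WINDOWS\\System32\\shell32.dll,40"

[HKEY_USERS\S-1-5-21-73586283-1606980848-1060284298-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{20388785-35A4-EC5F-4258-17B0BFF0F8AD}*]
@Allowed: (Read) (RestrictedCode)
"iapknbkfggagbihgdf"=hex:69,61,62,70,6d,67,64,68,6a,61,66,70,70,62,6e,6a,6b,62,
00,00
"ialnemhmaiaeokhaib"=hex:63,61,62,70,63,69,00,00
.
--------------------- DLLs Loaded Under Running Processes ---------------------
"""

HEADER = re.compile(r"^-{5,} LOCKED REGISTRY KEYS -{5,}$")
ACE = re.compile(r"^@(Denied|Allowed): \((\w+)\) \((\w+)\)$")   # @Denied: (Full) (LocalSystem)
VALUE = re.compile(r'^"([^"]*)"=(.*)$')                          # "name"=data


@dataclass
class LockedKey:
    path: str
    aces: list = field(default_factory=list)    # (type, right, principal) tuples
    values: dict = field(default_factory=dict)  # value name -> str or bytes


def decode_hex(parts: str) -> bytes:
    """Turn '69,61,...,00,00' (the .reg-style hex: notation) into bytes."""
    return bytes(int(b, 16) for b in parts.split(",") if b.strip())


def parse_locked_keys(log: str) -> list:
    """Parse the block between the LOCKED REGISTRY KEYS header and the next section."""
    keys, in_block, current = [], False, None
    pending_name, pending_hex = None, None   # hex: value whose data continues on the next line
    for raw in log.splitlines():
        line = raw.strip()
        if not in_block:
            in_block = bool(HEADER.match(line))
            continue
        if line.startswith("---"):            # next section header ends the block
            break
        if not line or line == ".":
            continue
        if pending_name is not None:           # continuation line of a hex: value
            pending_hex += line
            if not line.endswith(","):
                current.values[pending_name] = decode_hex(pending_hex)
                pending_name = pending_hex = None
            continue
        if line.startswith("[") and line.endswith("]"):
            current = LockedKey(line[1:-1])    # keep a trailing '*' exactly as ComboFix prints it
            keys.append(current)
            continue
        m = ACE.match(line)
        if m and current is not None:
            current.aces.append(m.groups())
            continue
        m = VALUE.match(line)
        if m and current is not None:
            name, data = m.groups()
            if data.startswith("hex:"):
                if data.endswith(","):
                    pending_name, pending_hex = name, data[4:]
                else:
                    current.values[name] = decode_hex(data[4:])
            else:                              # REG_SZ: strip quotes, unescape doubled backslashes
                current.values[name] = data.strip('"').replace("\\\\", "\\")
    return keys


def denied_system(keys) -> list:
    """Keys with a Deny ACE against LocalSystem: SYSTEM-level cleanup tools cannot open these."""
    return [k for k in keys if any(t == "Denied" and p == "LocalSystem" for t, _, p in k.aces)]


def reglock_section(keys) -> str:
    """Emit the RegLock:: block of a CFScript listing every key the log reported as locked."""
    return "RegLock::\n" + "".join(f"[{k.path}]\n" for k in keys)


def printable_names(key) -> dict:
    """Decode binary values that are really NUL-padded ASCII; random-looking names
    of this kind are one hint that a key is not a normal shell-extension registration."""
    out = {}
    for name, data in key.values.items():
        if isinstance(data, bytes):
            text = data.rstrip(b"\x00")
            if text and all(32 <= b < 127 for b in text):
                out[name] = text.decode("ascii")
    return out


if __name__ == "__main__":
    locked = parse_locked_keys(SAMPLE_LOG)
    for k in locked:
        print(k.path, k.aces)
    print("Denied to LocalSystem:", [k.path for k in denied_system(locked)])
    print(reglock_section(locked))
    print(printable_names(locked[1]))
```

Run against the sample, the generated RegLock:: lines are the same two keys the reply lists, and the hex: values under the Shell Extensions\Approved key decode to short lowercase strings that match no real CLSID or extension name, which is the kind of detail worth checking before deciding a locked key is the malware's rather than an application's.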




