Unable to remove Virtumonde/Vundo infection.


This topic is locked
7 replies to this topic

#1 KangaRouX


Posted 15 January 2009 - 06:36 PM

"S&D picked up the infection first during daily routine scan last week. Symantec found it a few days later under Trojan.Vundo. Did updates and full system scans: no-go. Booted to safe mode, and did full system scans with "VundoFix": no-go. Booted to safe mode under Admin account, and did full system scans again with "VirtumundoBeGone v1.5": no-go. Did pre-boot scan after POST: no-go. I have never had an infection I couldn't use forum guides to get rid of, so this is my first "Help my infection!" post ever. Thank you for your help." -RouX-


DDS (Ver_09-01-07.01) - NTFSx86
Run by Owner at 16:18:25.59 on Thu 01/15/2009
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.2039.1384 [GMT -7:00]

AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\Wacom_Tablet.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\WTablet\Wacom_TabletUser.exe
C:\WINDOWS\system32\Wacom_Tablet.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\PreSonus\1394AudioDriver_FIREBox\FIREBOX Control.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\rundll32.exe
C:\Documents and Settings\Owner.FOXDRAGON\Desktop\dds.scr

============== Pseudo HJT Report ===============

uInternet Settings,ProxyOverride = *.local
BHO: {03b7f1ad-0a65-4ea7-baa1-8701c42c88da} - c:\windows\system32\ruyezijo.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [P2kAutostart] c:\documents and settings\owner.foxdragon\desktop\p2kcommander-v3.2.6\P2kAutostart.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [Orb] "c:\program files\winamp remote\bin\OrbTray.exe" /background
uRun: [LightScribe Control Panel] c:\program files\common files\lightscribe\LightScribeControlPanel.exe -hidden
uRunOnce: [SpybotDeletingB7938] command /c del "c:\windows\system32\zojatuba.dll_old"
uRunOnce: [SpybotDeletingD5090] cmd /c del "c:\windows\system32\zojatuba.dll_old"
uRunOnce: [SpybotDeletingB8635] command /c del "c:\windows\system32\jowudosu.dll_old"
uRunOnce: [SpybotDeletingD8448] cmd /c del "c:\windows\system32\jowudosu.dll_old"
mRun: [FIREBOX] c:\program files\presonus\1394audiodriver_firebox\FIREBOX Control.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSConfig.exe /auto
mRun: [CPM332837a3] Rundll32.exe "c:\windows\system32\famatima.dll",a
mRun: [podemigaba] Rundll32.exe "c:\windows\system32\nohosizi.dll",s
mRunOnce: [Spybot - Search & Destroy] "c:\program files\spybot - search & destroy\SpybotSD.exe" /autocheck
mRunOnce: [SpybotDeletingA7875] command /c del "c:\windows\system32\zojatuba.dll_old"
mRunOnce: [SpybotDeletingC7474] cmd /c del "c:\windows\system32\zojatuba.dll_old"
mRunOnce: [SpybotDeletingA7999] command /c del "c:\windows\system32\jowudosu.dll_old"
mRunOnce: [SpybotDeletingC5150] cmd /c del "c:\windows\system32\jowudosu.dll_old"
StartupFolder: c:\docume~1\owner~1.fox\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\owner~1.fox\startm~1\programs\startup\firebo~1.lnk - c:\program files\presonus\1394audiodriver_firebox\FireBox Mixer.exe
StartupFolder: c:\docume~1\alluse~1.win\startm~1\programs\startup\tabuse~1.lnk - c:\windows\system32\wtablet\TabUserW.exe
mPolicies-explorer: <NO NAME> =
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\micros~4\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\micros~4\INetRepl.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxsrvc.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
AppInit_DLLs: c:\windows\system32\ udyjsu.dll trskrq.dll c:\windows\system32\lunazuse.dll pltyrh.dll c:\windows\system32\famatima.dll
SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\famatima.dll
STS: STS: {ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} - c:\windows\system32\famatima.dll
LSA: Notification Packages = scecli c:\windows\system32\lunazuse.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\owner~1.fox\applic~1\mozilla\firefox\profiles\vkjfgol9.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - plugin: c:\program files\google\lively\nplively.dll
FF - plugin: c:\program files\google\update\1.2.133.33\npGoogleOneClick7.dll

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
============= SERVICES / DRIVERS ===============

R1 SAVRT;SAVRT;c:\program files\symantec antivirus\savrt.sys [2005-8-26 334984]
R1 SAVRTPEL;SAVRTPEL;c:\program files\symantec antivirus\Savrtpel.sys [2005-8-26 53896]
R3 CLEDX;Team H2O CLEDX service;c:\windows\system32\drivers\cledx.sys [2008-11-18 33792]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2008-9-5 99376]
R3 KORGUMDS;KORG USB-MIDI Driver for Windows XP;c:\windows\system32\drivers\KORGUMDS.SYS [2004-7-12 12544]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20090109.003\naveng.sys [2009-1-9 89104]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20090109.003\navex15.sys [2009-1-9 876112]
R3 ps_1394;ps_1394;c:\windows\system32\drivers\ps_1394.sys [2008-10-8 97152]
R3 ps_avs;ps_avs;c:\windows\system32\drivers\ps_avs.sys [2008-10-8 24576]
R3 tenCapture;tenCapture;c:\windows\system32\drivers\tenCapture.sys [2007-4-21 9344]
R3 wacmoumonitor;Wacom Mode Helper;c:\windows\system32\drivers\wacmoumonitor.sys [2008-12-3 15656]
R4 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec antivirus\Rtvscan.exe [2005-11-15 1756912]
R4 TabletServiceWacom;TabletServiceWacom;c:\windows\system32\Wacom_Tablet.exe [2007-11-11 2749224]
S3 CrucialSMBusScan;CrucialSMBusScan;\??\c:\windows\system32\drivers\crucialsmbusscan.sys --> c:\windows\system32\drivers\CrucialSMBusScan.sys [?]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [2008-6-22 17792]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [2008-6-22 7680]
S3 motport;Motorola USB Diagnostic Port;c:\windows\system32\drivers\motport.sys [2008-6-22 21504]
S3 SynasUSB;SynasUSB;c:\windows\system32\drivers\synasUSB.sys [2008-11-18 16896]
S4 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2005-10-4 185968]
S4 ccPwdSvc;Symantec Password Validation;c:\program files\common files\symantec shared\ccPwdSvc.exe [2005-10-4 83568]
S4 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2005-10-4 177776]
S4 gupdate1c8e2e637230915;Google Update Service (gupdate1c8e2e637230915);c:\program files\google\update\GoogleUpdate.exe [2008-7-10 133104]
S4 MS Common Service;MS Common Service;c:\windows\system32\mscomserv.exe --> c:\windows\system32\mscomserv.exe [?]
S4 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2005-11-15 169200]

============== File Associations ===============

regfile="regedit.exe" "%1"

=============== Created Last 30 ================

2009-01-15 16:09 120 ---sh--- c:\windows\system32\ulesosul.ini
2009-01-15 16:09 131,874 a--sh--- c:\windows\system32\pltyrh.dll
2009-01-15 03:09 131,718 a--sh--- c:\windows\system32\trskrq.dll
2009-01-15 03:08 120 ---sh--- c:\windows\system32\usoduwoj.ini
2009-01-14 18:24 38,620 a---h--- c:\windows\system32\mlfcache.dat
2009-01-14 14:08 120 ---sh--- c:\windows\system32\adufobis.ini
2009-01-14 14:08 131,815 a--sh--- c:\windows\system32\udyjsu.dll
2009-01-14 02:08 2,098 ---sh--- c:\windows\system32\mimoyibi.exe
2009-01-13 08:06 120 ---sh--- c:\windows\system32\ayunijuh.ini
2009-01-12 20:06 120 ---sh--- c:\windows\system32\abedubep.ini
2009-01-12 18:35 96,978 a------- C:\VirtumundoBeGone.exe
2009-01-12 07:05 121 ---sh--- c:\windows\system32\olodekar.ini
2009-01-11 19:31 <DIR> --d----- C:\VundoFix Backups
2009-01-11 19:30 410,984 a------- c:\windows\system32\deploytk.dll
2009-01-11 19:04 121 ---sh--- c:\windows\system32\uyezolen.ini
2009-01-11 07:17 120 ---sh--- c:\windows\system32\emisefom.ini
2009-01-10 19:16 120 ---sh--- c:\windows\system32\akonejar.ini
2009-01-10 07:16 120 ---sh--- c:\windows\system32\ubevumey.ini
2009-01-09 19:16 120 ---sh--- c:\windows\system32\izamewoh.ini
2009-01-09 07:09 120 ---sh--- c:\windows\system32\irawesak.ini
2009-01-08 19:08 120 ---sh--- c:\windows\system32\ofehojew.ini
2009-01-08 07:08 120 ---sh--- c:\windows\system32\udiveweh.ini
2009-01-07 19:08 120 ---sh--- c:\windows\system32\ufayinik.ini
2009-01-07 07:07 120 ---sh--- c:\windows\system32\umehikow.ini
2009-01-06 19:07 120 ---sh--- c:\windows\system32\ekefiset.ini
2009-01-06 06:00 120 ---sh--- c:\windows\system32\upeyepep.ini
2009-01-05 18:01 120 ---sh--- c:\windows\system32\anuripoy.ini
2009-01-05 06:03 120 ---sh--- c:\windows\system32\idazogev.ini
2009-01-04 13:01 120 ---sh--- c:\windows\system32\uzifaguf.ini
2009-01-03 18:05 120 ---sh--- c:\windows\system32\unebodal.ini
2009-01-03 06:05 120 ---sh--- c:\windows\system32\otisifin.ini
2009-01-02 18:04 121 ---sh--- c:\windows\system32\ipopetef.ini
2009-01-02 06:04 121 ---sh--- c:\windows\system32\onajijuj.ini
2009-01-01 17:03 121 ---sh--- c:\windows\system32\ohevamah.ini
2009-01-01 05:03 120 ---sh--- c:\windows\system32\owametew.ini
2008-12-31 17:02 120 ---sh--- c:\windows\system32\osusahuh.ini
2008-12-31 05:02 1,262,075 ---sh--- c:\windows\system32\imutirav.ini
2008-12-30 17:02 1,262,084 ---sh--- c:\windows\system32\ojujinik.ini
2008-12-22 20:28 <DIR> --d----- c:\docume~1\alluse~1.win\applic~1\OrbNetworks
2008-12-22 20:28 <DIR> --d----- c:\program files\Winamp Remote
2008-12-22 20:27 129,784 -------- c:\windows\system32\pxafs.dll
2008-12-22 20:27 43,528 -------- c:\windows\system32\drivers\PxHelp20.sys
2008-12-22 20:27 9,464 -------- c:\windows\system32\drivers\cdralw2k.sys
2008-12-22 20:27 9,336 -------- c:\windows\system32\drivers\cdr4_xp.sys
2008-12-20 22:06 8,704 ac------ c:\windows\system32\dllcache\kbdjpn.dll
2008-12-20 22:06 8,192 ac------ c:\windows\system32\dllcache\kbdkor.dll
2008-12-20 22:06 6,144 ac------ c:\windows\system32\dllcache\kbd106.dll
2008-12-20 22:06 6,144 ac------ c:\windows\system32\dllcache\kbd101c.dll
2008-12-20 22:06 6,144 ac------ c:\windows\system32\dllcache\kbd101b.dll
2008-12-20 22:06 5,632 ac------ c:\windows\system32\dllcache\kbd103.dll
2008-12-20 22:06 8,704 a------- c:\windows\system32\kbdjpn.dll
2008-12-20 22:06 8,192 a------- c:\windows\system32\kbdkor.dll
2008-12-20 22:06 6,144 a------- c:\windows\system32\kbd106.dll
2008-12-20 22:06 6,144 a------- c:\windows\system32\kbd101c.dll
2008-12-20 22:06 6,144 a------- c:\windows\system32\kbd101b.dll
2008-12-20 22:06 5,632 a------- c:\windows\system32\kbd103.dll
2008-12-16 18:46 <DIR> --d----- c:\program files\AviSynth 2.5
2008-12-16 18:45 <DIR> --d----- c:\program files\eRightSoft

==================== Find3M ====================

2009-01-15 16:09 127,858 a--sh--- c:\windows\system32\famatima.dll
2009-01-15 16:09 131,874 a--sh--- c:\windows\system32\zofudube.dll
2009-01-15 16:09 86,149 a--sh--- c:\windows\system32\lusoselu.dll
2009-01-15 15:09 68,792 a--sh--- c:\windows\system32\tibezili.dll
2009-01-15 03:09 131,718 a--sh--- c:\windows\system32\diyidubo.dll
2009-01-14 14:08 131,815 a--sh--- c:\windows\system32\bowubomu.dll
2009-01-14 14:08 100,190 a--sh--- c:\windows\system32\tenedefi.dll
2009-01-14 14:08 86,684 -------- c:\windows\system32\sibofuda.dll
2009-01-13 08:06 99,665 a--sh--- c:\windows\system32\vogomiyi.dll
2009-01-13 08:06 87,834 a--sh--- c:\windows\system32\hujinuya.dll
2009-01-12 20:06 87,675 -------- c:\windows\system32\pebudeba.dll
2009-01-12 19:05 63,144 a--sh--- c:\windows\system32\telopezo.dll
2009-01-12 07:05 90,737 a--sh--- c:\windows\system32\rakedolo.dll
2009-01-11 19:04 91,430 -------- c:\windows\system32\nelozeyu.dll
2009-01-11 07:17 90,751 a------- c:\windows\system32\mofesime.dll
2009-01-11 07:17 103,059 a------- c:\windows\system32\bafubide.dll
2009-01-10 19:16 90,847 -------- c:\windows\system32\rajenoka.dll
2009-01-10 07:16 90,806 -------- c:\windows\system32\yemuvebu.dll
2009-01-09 19:09 66,876 a------- c:\windows\system32\zadupuda.dll
2008-10-26 12:15 233,472 a------- c:\windows\system32\REX Shared Library.dll
2008-02-13 18:11 12,214 a------- c:\program files\INSTALL.LOG
2008-01-27 14:35 32 a------- c:\docume~1\alluse~1.win\applic~1\ezsid.dat
2007-04-30 13:32 25,600 a------- c:\documents and settings\owner.foxdragon\usbsermptxp.sys
2007-04-30 13:32 22,768 a------- c:\documents and settings\owner.foxdragon\usbsermpt.sys
2007-04-30 08:51 92,064 a------- c:\documents and settings\owner.foxdragon\mqdmmdm.sys
2007-04-30 08:51 79,328 a------- c:\documents and settings\owner.foxdragon\mqdmserd.sys
2007-04-30 08:51 66,656 a------- c:\documents and settings\owner.foxdragon\mqdmbus.sys
2007-04-30 08:51 9,232 a------- c:\documents and settings\owner.foxdragon\mqdmmdfl.sys
2007-04-30 08:51 6,208 a------- c:\documents and settings\owner.foxdragon\mqdmcmnt.sys
2007-04-30 08:51 5,936 a------- c:\documents and settings\owner.foxdragon\mqdmwhnt.sys
2007-04-30 08:51 4,048 a------- c:\documents and settings\owner.foxdragon\mqdmcr.sys
2001-08-07 16:32 122,880 a------- c:\windows\inf\agfa\message.exe
1999-07-06 17:00 6 ---shr-- c:\windows\@@desktop.dat
0000-00-00 00:00 54,272 a--sh--- c:\windows\system32\buvoyaki.dll
2007-01-21 07:07 8 ---shr-- c:\windows\system32\E2344BABF2.sys
0000-00-00 00:00 64,512 a--sh--- c:\windows\system32\fepuyepe.dll
2006-05-03 02:06 163,328 ---shr-- c:\windows\system32\flvDX.dll
0000-00-00 00:00 68,792 a--sh--- c:\windows\system32\lunazuse.dll
2007-02-21 03:47 31,232 ---shr-- c:\windows\system32\msfDX.dll
2008-03-16 05:30 216,064 ---shr-- c:\windows\system32\nbDX.dll
0000-00-00 00:00 68,792 a--sh--- c:\windows\system32\nohosizi.dll
0000-00-00 00:00 68,792 a--sh--- c:\windows\system32\ruyezijo.dll
0000-00-00 00:00 110,592 a--sh--- c:\windows\system32\vugumali.dll

============= FINISH: 16:19:40.26 ===============



#2 fenzodahl512


Posted 16 January 2009 - 04:34 AM

Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix.. Please visit HERE if you don't know how.. Please re-enable them back after performing all steps given..

Please download ComboFix by sUBs from one of the locations below, and save it to your Desktop.

Link 1
Link 2
Link 3

Double click combofix.exe and follow the prompts. Please, never rename Combofix unless instructed.

If ComboFix asks you to install the Recovery Console, please do so.. It will be in your best interest..

When finished, it shall produce a log for you. Post that log and a fresh HijackThis log in your next reply..

Note: DON'T do anything with your computer while ComboFix is running.. Let ComboFix finish its job..



#3 KangaRouX


Posted 16 January 2009 - 09:36 AM

ComboFix 09-01-15.01 - Owner 2009-01-16 7:19:18.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.2039.1470 [GMT -7:00]
Running from: c:\documents and settings\Owner.FOXDRAGON\Desktop\ComboFix.exe
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated)
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users.WINDOWS\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users.WINDOWS\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\program files\INSTALL.LOG
c:\windows\jestertb.dll
c:\windows\system32\abedubep.ini
c:\windows\system32\adufobis.ini
c:\windows\system32\akonejar.ini
c:\windows\system32\anuripoy.ini
c:\windows\system32\atotaweb.ini
c:\windows\system32\ayunijuh.ini
c:\windows\system32\bafubide.dll
c:\windows\system32\bewatota.dll
c:\windows\system32\blyuim.dll
c:\windows\system32\bowubomu.dll
c:\windows\system32\dikewape.dll
c:\windows\system32\diyidubo.dll
c:\windows\system32\ekefiset.ini
c:\windows\system32\emisefom.ini
c:\windows\system32\hujinuya.dll
c:\windows\system32\idazogev.ini
c:\windows\system32\imutirav.ini
c:\windows\system32\ipopetef.ini
c:\windows\system32\irawesak.ini
c:\windows\system32\izamewoh.ini
c:\windows\system32\lsprst7.dll
c:\windows\system32\lunazuse.dll
c:\windows\system32\lusoselu.dll
c:\windows\system32\mofesime.dll
c:\windows\system32\nelozeyu.dll
c:\windows\system32\nohosizi.dll
c:\windows\system32\nsprs.dll
c:\windows\system32\ofehojew.ini
c:\windows\system32\ohevamah.ini
c:\windows\system32\ojujinik.ini
c:\windows\system32\olodekar.ini
c:\windows\system32\onajijuj.ini
c:\windows\system32\osusahuh.ini
c:\windows\system32\otisifin.ini
c:\windows\system32\owametew.ini
c:\windows\system32\pebudeba.dll
c:\windows\system32\pltyrh.dll
c:\windows\system32\rajenoka.dll
c:\windows\system32\rakedolo.dll
c:\windows\system32\ruyezijo.dll
c:\windows\system32\serauth1.dll
c:\windows\system32\serauth2.dll
c:\windows\system32\sibofuda.dll
c:\windows\system32\ssprs.dll
c:\windows\system32\telopezo.dll
c:\windows\system32\tenedefi.dll
c:\windows\system32\tibezili.dll
c:\windows\system32\trskrq.dll
c:\windows\system32\ubevumey.ini
c:\windows\system32\udiveweh.ini
c:\windows\system32\udyjsu.dll
c:\windows\system32\ufayinik.ini
c:\windows\system32\ulesosul.ini
c:\windows\system32\umehikow.ini
c:\windows\system32\unebodal.ini
c:\windows\system32\upeyepep.ini
c:\windows\system32\usoduwoj.ini
c:\windows\system32\uyezolen.ini
c:\windows\system32\uzifaguf.ini
c:\windows\system32\vogomiyi.dll
c:\windows\system32\yemuvebu.dll
c:\windows\system32\zadupuda.dll
c:\windows\system32\zofudube.dll

----- BITS: Possible infected sites -----

hxxp://77.74.48.105
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_MS_COMMON_SERVICE
-------\Service_MS Common Service


((((((((((((((((((((((((( Files Created from 2008-12-16 to 2009-01-16 )))))))))))))))))))))))))))))))
.

2009-01-14 18:24 . 2009-01-14 18:24 38,620 --ah----- c:\windows\system32\mlfcache.dat
2009-01-14 02:08 . 2009-01-14 02:08 2,098 ---hs---- c:\windows\system32\mimoyibi.exe
2009-01-12 18:35 . 2009-01-12 18:35 96,978 --a------ C:\VirtumundoBeGone.exe
2009-01-11 19:31 . 2009-01-11 19:31 <DIR> d-------- C:\VundoFix Backups
2009-01-11 19:30 . 2009-01-11 19:30 410,984 --a------ c:\windows\system32\deploytk.dll
2008-12-31 11:50 . 2008-12-31 11:50 <DIR> d---s---- c:\documents and settings\LocalService.NT AUTHORITY\UserData
2008-12-22 20:28 . 2009-01-11 18:24 <DIR> d-------- c:\program files\Winamp Remote
2008-12-22 20:28 . 2008-12-24 16:53 <DIR> d-------- c:\documents and settings\All Users.WINDOWS\Application Data\OrbNetworks
2008-12-22 20:27 . 2008-12-22 20:29 <DIR> d-------- c:\program files\Winamp
2008-12-22 20:27 . 2008-12-22 20:37 <DIR> d-------- c:\documents and settings\Owner.FOXDRAGON\Application Data\Winamp
2008-12-22 20:27 . 2007-03-07 16:51 129,784 --------- c:\windows\system32\pxafs.dll
2008-12-22 20:27 . 2007-03-07 16:51 43,528 --------- c:\windows\system32\drivers\PxHelp20.sys
2008-12-22 20:27 . 2007-03-07 16:51 9,464 --------- c:\windows\system32\drivers\cdralw2k.sys
2008-12-22 20:27 . 2007-03-07 16:51 9,336 --------- c:\windows\system32\drivers\cdr4_xp.sys
2008-12-20 22:06 . 2001-08-17 22:36 8,704 --a------ c:\windows\system32\kbdjpn.dll
2008-12-20 22:06 . 2001-08-17 22:36 8,704 --a--c--- c:\windows\system32\dllcache\kbdjpn.dll
2008-12-20 22:06 . 2001-08-17 22:36 8,192 --a------ c:\windows\system32\kbdkor.dll
2008-12-20 22:06 . 2001-08-17 22:36 8,192 --a--c--- c:\windows\system32\dllcache\kbdkor.dll
2008-12-20 22:06 . 2001-08-17 14:55 6,144 --a------ c:\windows\system32\kbd106.dll
2008-12-20 22:06 . 2001-08-17 14:55 6,144 --a------ c:\windows\system32\kbd101c.dll
2008-12-20 22:06 . 2001-08-17 14:55 6,144 --a------ c:\windows\system32\kbd101b.dll
2008-12-20 22:06 . 2001-08-17 14:55 6,144 --a--c--- c:\windows\system32\dllcache\kbd106.dll
2008-12-20 22:06 . 2001-08-17 14:55 6,144 --a--c--- c:\windows\system32\dllcache\kbd101c.dll
2008-12-20 22:06 . 2001-08-17 14:55 6,144 --a--c--- c:\windows\system32\dllcache\kbd101b.dll
2008-12-20 22:06 . 2001-08-17 14:55 5,632 --a------ c:\windows\system32\kbd103.dll
2008-12-20 22:06 . 2001-08-17 14:55 5,632 --a--c--- c:\windows\system32\dllcache\kbd103.dll
2008-12-16 18:46 . 2008-12-16 18:46 <DIR> d-------- c:\program files\AviSynth 2.5
2008-12-16 18:45 . 2008-12-16 18:45 <DIR> d-------- c:\program files\eRightSoft
2008-12-16 11:21 . 2008-12-16 11:21 <DIR> d-------- c:\program files\RelevantKnowledge
2008-12-16 11:21 . 2008-12-16 16:12 <DIR> d-------- c:\program files\MP3MyMP3
2008-12-16 10:20 . 2008-12-16 10:20 <DIR> d-------- C:\3gptemp
2008-12-16 09:55 . 2008-12-16 09:56 <DIR> d-------- c:\program files\QuickMediaConverter
2008-12-16 09:45 . 2008-12-16 09:45 <DIR> d-------- c:\program files\MIKSOFT

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-16 14:26 --------- d-----w c:\program files\Symantec AntiVirus
2009-01-16 14:24 --------- d-----w c:\documents and settings\Owner.FOXDRAGON\Application Data\WTablet
2009-01-16 14:24 --------- d-----w c:\documents and settings\LocalService.NT AUTHORITY\Application Data\WTablet
2009-01-13 01:02 --------- d-----w c:\program files\Trend Micro
2009-01-12 14:28 --------- d-----w c:\documents and settings\Owner.FOXDRAGON\Application Data\Skype
2009-01-12 02:30 --------- d-----w c:\program files\Java
2009-01-12 01:24 --------- d-----w c:\documents and settings\Owner.FOXDRAGON\Application Data\skypePM
2009-01-12 01:24 --------- d-----w c:\documents and settings\Owner.FOXDRAGON\Application Data\nView_Wallpaper
2009-01-12 00:22 --------- d-----w c:\program files\Trillian
2009-01-06 06:30 --------- d-----w c:\documents and settings\Owner.FOXDRAGON\Application Data\uTorrent
2008-12-31 00:31 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-12-21 22:02 --------- d-----w c:\documents and settings\Owner.FOXDRAGON\Application Data\Ahead
2008-12-07 04:33 --------- d-----w c:\program files\PuTTY
2008-12-04 23:41 --------- d-----w c:\program files\iTunes
2008-12-04 23:41 --------- d-----w c:\program files\iPod
2008-12-04 23:41 --------- d-----w c:\program files\Common Files\Apple
2008-12-04 23:41 --------- d-----w c:\documents and settings\All Users.WINDOWS\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-12-04 23:36 --------- d-----w c:\program files\QuickTime
2008-12-04 23:26 --------- d-----w c:\program files\Safari
2008-12-04 01:02 --------- d-----w c:\program files\Common Files\Adobe
2008-12-03 23:22 --------- d-----w c:\program files\Tablet
2008-11-19 04:34 --------- d-----w c:\program files\Syncrosoft
2008-11-19 00:03 --------- d-----w c:\program files\Steinberg
2008-01-27 21:35 32 ----a-w c:\documents and settings\All Users.WINDOWS\Application Data\ezsid.dat
2007-04-30 20:32 25,600 ----a-w c:\documents and settings\Owner.FOXDRAGON\usbsermptxp.sys
2007-04-30 20:32 22,768 ----a-w c:\documents and settings\Owner.FOXDRAGON\usbsermpt.sys
2007-04-30 15:51 92,064 ----a-w c:\documents and settings\Owner.FOXDRAGON\mqdmmdm.sys
2007-04-30 15:51 9,232 ----a-w c:\documents and settings\Owner.FOXDRAGON\mqdmmdfl.sys
2007-04-30 15:51 79,328 ----a-w c:\documents and settings\Owner.FOXDRAGON\mqdmserd.sys
2007-04-30 15:51 66,656 ----a-w c:\documents and settings\Owner.FOXDRAGON\mqdmbus.sys
2007-04-30 15:51 6,208 ----a-w c:\documents and settings\Owner.FOXDRAGON\mqdmcmnt.sys
2007-04-30 15:51 5,936 ----a-w c:\documents and settings\Owner.FOXDRAGON\mqdmwhnt.sys
2007-04-30 15:51 4,048 ----a-w c:\documents and settings\Owner.FOXDRAGON\mqdmcr.sys
1999-07-07 00:00 6 --sh--r c:\windows\@@desktop.dat
1601-01-01 00:12 54,272 --sha-w c:\windows\system32\buvoyaki.dll
2007-01-21 14:07 8 --sh--r c:\windows\system32\E2344BABF2.sys
1601-01-01 00:12 64,512 --sha-w c:\windows\system32\fepuyepe.dll
2006-05-03 09:06 163,328 --sh--r c:\windows\system32\flvDX.dll
2007-02-21 10:47 31,232 --sh--r c:\windows\system32\msfDX.dll
2008-03-16 12:30 216,064 --sh--r c:\windows\system32\nbDX.dll
1601-01-01 00:12 110,592 --sha-w c:\windows\system32\vugumali.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-09-16 1833296]
"Orb"="c:\program files\Winamp Remote\bin\OrbTray.exe" [2008-03-31 507904]
"LightScribe Control Panel"="c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe" [2008-02-26 2289664]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 1289000]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"SpybotDeletingB7938"="command" [X]
"SpybotDeletingD5090"="del" [X]
"SpybotDeletingB8635"="command" [X]
"SpybotDeletingD8448"="del" [X]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"FIREBOX"="c:\program files\PreSonus\1394AudioDriver_FIREBox\FIREBOX Control.exe" [2005-01-28 1003520]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-04-19 7700480]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2005-10-04 48752]
"CPM332837a3"="c:\windows\system32\fudafiyo.dll" [2009-01-16 127687]

c:\documents and settings\Owner.FOXDRAGON\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 113664]
FireBox Mixer (2).lnk - c:\program files\PreSonus\1394AudioDriver_FIREBox\FireBox Mixer.exe [2008-10-08 1019904]

c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\
TabUserW.exe.lnk - c:\windows\system32\WTablet\TabUserW.exe [2007-01-21 114688]

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source= c:\documents and settings\Owner.FOXDRAGON\Desktop\Deskbleepz\StandingStill.png
FriendlyName=

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\SharedTaskScheduler]
"{EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4}"= "c:\windows\system32\fudafiyo.dll" [2009-01-16 127687]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"SSODL"= {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\fudafiyo.dll [2009-01-16 127687]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\fudafiyo.dll
"LoadAppInit_DLLs"=1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.I420"= i420vfw.dll
"msacm.ctmp3"= c:\windows\System32\ctmp3.acm
"VIDC.X264"= x264vfw.dll
"midi6"= KORGUMDD.DRV

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli c:\windows\system32\lunazuse.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
--a------ 2005-06-06 23:46 57344 c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2007-05-11 03:06 40048 c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
--a------ 2005-12-10 07:57 133016 c:\program files\DAEMON Tools\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\diagent]
--a------ 2002-04-03 00:01 135264 c:\program files\Creative\SBLive\Diagnostics\diagent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
--a------ 2005-05-31 04:33 122941 c:\windows\system32\dla\tfswctrl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent]
--a------ 2006-11-13 12:39 1289000 c:\program files\Microsoft ActiveSync\wcescomm.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H2O]
--a------ 2005-10-23 00:00 385024 c:\program files\Syncrosoft\POS\H2O\cledx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
--a------ 2005-06-21 16:44 126976 c:\windows\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
--a------ 2005-06-21 16:48 155648 c:\windows\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LightScribe Control Panel]
--a------ 2008-02-26 14:08 2289664 c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2007-04-19 11:26 86016 c:\windows\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
-ra------ 2007-12-07 15:08 21686568 c:\program files\Skype\Phone\Skype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
--a------ 2004-10-14 13:42 1404928 c:\program files\Analog Devices\Core\smax4pnp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
--------- 2000-05-11 01:00 90112 c:\windows\Updreg.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\vptray]
--a------ 2005-11-15 12:28 85744 c:\progra~1\SYMANT~1\VPTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2007-04-19 11:26 1626112 c:\windows\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"TabletService"=2 (0x2)
"WMPNetworkSvc"=3 (0x3)
"WMP54GSVC"=2 (0x2)
"StarWindService"=2 (0x2)
"SPBBCSvc"=3 (0x3)
"SNDSrvc"=3 (0x3)
"SavRoam"=3 (0x3)
"ose"=3 (0x3)
"NMIndexingService"=3 (0x3)
"NBService"=3 (0x3)
"MS Common Service"=2 (0x2)
"LightScribeService"=2 (0x2)
"JavaQuickStarterService"=2 (0x2)
"IDriverT"=3 (0x3)
"gupdate1c8e2e637230915"=2 (0x2)
"DefWatch"=2 (0x2)
"Creative Service for CDROM Access"=2 (0x2)
"ccSetMgr"=2 (0x2)
"ccPwdSvc"=3 (0x3)
"ccEvtMgr"=2 (0x2)
"Bonjour Service"=2 (0x2)
"Apple Mobile Device"=2 (0x2)
"Adobe LM Service"=3 (0x3)
"AcrSch2Svc"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Documents and Settings\\Owner.FOXDRAGON\\My Documents\\Appz\\utorrent.exe"=
"c:\\Program Files\\Soulseek\\slsk.exe"=
"c:\\Program Files\\QuickTime\\QuickTimePlayer.exe"=
"c:\\Program Files\\Common Files\\Ahead\\Nero Web\\SetupX.exe"=
"c:\\Program Files\\Java\\jre1.6.0_01\\bin\\javaw.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Trillian\\trillian.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Motorola\\PST\\P2KDataLogger.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Winamp Remote\\bin\\Orb.exe"=
"c:\\Program Files\\Winamp Remote\\bin\\OrbTray.exe"=
"c:\\Program Files\\Winamp Remote\\bin\\OrbStreamerClient.exe"=
"c:\\WINDOWS\\system32\\Wacom_Tablet.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\WINDOWS\\system32\\WTablet\\Wacom_TabletUser.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R3 CLEDX;Team H2O CLEDX service;c:\windows\system32\drivers\cledx.sys [2008-11-18 33792]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2008-09-05 99376]
R3 KORGUMDS;KORG USB-MIDI Driver for Windows XP;c:\windows\system32\drivers\KORGUMDS.SYS [2004-07-12 12544]
R3 ps_1394;ps_1394;c:\windows\system32\drivers\ps_1394.sys [2008-10-08 97152]
R3 ps_avs;ps_avs;c:\windows\system32\drivers\ps_avs.sys [2008-10-08 24576]
R3 tenCapture;tenCapture;c:\windows\system32\drivers\tenCapture.sys [2007-04-21 9344]
R3 wacmoumonitor;Wacom Mode Helper;c:\windows\system32\drivers\wacmoumonitor.sys [2008-12-03 15656]
R4 TabletServiceWacom;TabletServiceWacom;c:\windows\system32\Wacom_Tablet.exe [2007-11-11 2749224]
S3 CrucialSMBusScan;CrucialSMBusScan;\??\c:\windows\system32\drivers\CrucialSMBusScan.sys --> c:\windows\system32\drivers\CrucialSMBusScan.sys [?]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [2008-06-22 17792]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [2008-06-22 7680]
S3 motport;Motorola USB Diagnostic Port;c:\windows\system32\drivers\motport.sys [2008-06-22 21504]
S3 SynasUSB;SynasUSB;c:\windows\system32\drivers\synasUSB.sys [2008-11-18 16896]
S4 gupdate1c8e2e637230915;Google Update Service (gupdate1c8e2e637230915);c:\program files\Google\Update\GoogleUpdate.exe [2008-07-10 133104]
S4 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [2005-11-15 169200]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"c:\program files\Common Files\LightScribe\LSRunOnce.exe"
.
Contents of the 'Scheduled Tasks' folder

2009-01-15 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2009-01-16 c:\windows\Tasks\GoogleUpdateTaskMachine.job
- c:\program files\Google\Update\GoogleUpdate.exe [2008-09-04 11:09]

2009-01-16 c:\windows\Tasks\Spybot - Search & Destroy - Scheduled Task.job
- c:\program files\Spybot - Search & Destroy\SpybotSD.exe [2008-07-30 13:45]

2009-01-16 c:\windows\Tasks\Spybot - Search & Destroy Updater - Scheduled Task.job
- c:\program files\Spybot - Search & Destroy\SDUpdate.exe [2008-08-14 12:39]
.
- - - - ORPHANS REMOVED - - - -

BHO-{03b7f1ad-0a65-4ea7-baa1-8701c42c88da} - c:\windows\system32\ruyezijo.dll
HKCU-Run-P2kAutostart - c:\documents and settings\Owner.FOXDRAGON\Desktop\P2kCommander-V3.2.6\P2kAutostart.exe
Notify-WgaLogon - (no file)
MSConfigStartUp-CPM332837a3 - c:\windows\system32\riwuhiko.dll
MSConfigStartUp-podemigaba - c:\windows\system32\fiweboka.dll


.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Owner.FOXDRAGON\Application Data\Mozilla\Firefox\Profiles\vkjfgol9.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - plugin: c:\program files\Google\Lively\nplively.dll
FF - plugin: c:\program files\Google\Update\1.2.133.33\npGoogleOneClick7.dll

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-16 07:26:37
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{2E29FD1C-8E93-4d17-8893-DD18E3D36851}\Version*Version]
"Version"=hex:77,13,b3,c5,71,86,e0,24,ba,d0,17,b0,26,2a,9f,14,c1,53,f1,8f,93,
df,20,1a,fe,67,53,8a,f4,86,fc,49,4c,96,d0,ff,7b,93,40,84,6f,bd,2f,a5,1f,d7,\

[HKEY_LOCAL_MACHINE\software\Minnetonka Audio Software\discWelder BRONZE\Version*Version]
"Version"=hex:77,13,b3,c5,71,86,e0,24,ba,d0,17,b0,26,2a,9f,14,c1,53,f1,8f,93,
df,20,1a,fe,67,53,8a,f4,86,fc,49,4c,96,d0,ff,7b,93,40,84,6f,bd,2f,a5,1f,d7,\
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvsvc32.exe
c:\program files\Symantec AntiVirus\Rtvscan.exe
c:\windows\system32\MsPMSPSv.exe
c:\windows\system32\WTablet\Wacom_TabletUser.exe
c:\progra~1\MICROS~4\rapimgr.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-01-16 7:31:44 - machine was rebooted [Owner]
ComboFix-quarantined-files.txt 2009-01-16 14:31:41

Pre-Run: 6,343,516,160 bytes free
Post-Run: 6,767,173,632 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
;
;Warning: Boot.ini is used on Windows XP and earlier operating systems.
;Warning: Use BCDEDIT.exe to modify Windows Vista boot options.
;
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /FASTDETECT /NOEXECUTE=OPTIN

383 --- E O F --- 2008-11-29 20:58:29



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:35:06 AM, on 1/16/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\Wacom_Tablet.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\WTablet\Wacom_TabletUser.exe
C:\WINDOWS\system32\Wacom_Tablet.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\PROGRA~1\MICROS~4\rapimgr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O4 - HKLM\..\Run: [FIREBOX] C:\Program Files\PreSonus\1394AudioDriver_FIREBox\FIREBOX Control.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [CPM332837a3] Rundll32.exe "C:\WINDOWS\system32\fudafiyo.dll",a
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Orb] "C:\Program Files\Winamp Remote\bin\OrbTray.exe" /background
O4 - HKCU\..\Run: [LightScribe Control Panel] C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - S-1-5-18 Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: FireBox Mixer (2).lnk = C:\Program Files\PreSonus\1394AudioDriver_FIREBox\FireBox Mixer.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (User 'Default user')
O4 - .DEFAULT Startup: FireBox Mixer (2).lnk = C:\Program Files\PreSonus\1394AudioDriver_FIREBox\FireBox Mixer.exe (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: FireBox Mixer (2).lnk = C:\Program Files\PreSonus\1394AudioDriver_FIREBox\FireBox Mixer.exe
O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\system32\WTablet\TabUserW.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: c:\windows\system32\fudafiyo.dll
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\fudafiyo.dll
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\fudafiyo.dll
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: TabletServiceWacom - Wacom Technology, Corp. - C:\WINDOWS\system32\Wacom_Tablet.exe
O24 - Desktop Component 0: (no name) - C:\Documents and Settings\Owner.FOXDRAGON\Desktop\Deskbleepz\StandingStill.png

--
End of file - 5604 bytes
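An added example, not code from this thread, from HijackThis or from ComboFix: a small Python script that parses HijackThis lines such as the ones in the log above and flags any module wired into the AppInit_DLLs (O20), SSODL (O21) or SharedTaskScheduler (O22) load points, which is exactly how fudafiyo.dll shows up here. The sample lines are copied from the log above; the section table, the regular expressions and the consonant/vowel name heuristic are my own assumptions and are only hints for a triage, not proof of infection.

```python
"""Flag HijackThis persistence entries that point at one DLL from several
load points (added example, not part of the thread or of HijackThis)."""
import re
from collections import defaultdict

# Sample lines copied from the HijackThis log posted above (constructed subset).
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [CPM332837a3] Rundll32.exe "C:\WINDOWS\system32\fudafiyo.dll",a
O20 - AppInit_DLLs: c:\windows\system32\fudafiyo.dll
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\fudafiyo.dll
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\fudafiyo.dll
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
"""

# Load points that get a DLL loaded into many processes or into the shell.
# One unknown DLL wired into all of them is the pattern visible in the log.
# (Assumed mapping of HijackThis section codes to registry load points.)
HIGH_RISK_SECTIONS = {
    "O20": "AppInit_DLLs",
    "O21": "ShellServiceObjectDelayLoad",
    "O22": "SharedTaskScheduler",
}

# First Windows-style path ending in .dll/.exe on the line (lazy match so
# paths containing spaces and quotes are captured up to the extension).
PATH_RE = re.compile(r"([A-Za-z]:\\.*?\.(?:dll|exe))", re.IGNORECASE)
SECTION_RE = re.compile(r"^(O\d+)\s+-")
# Heuristic only: the dropped files in this thread are all 8-letter
# consonant/vowel alternations (fudafiyo, ruyezijo, ...). Treat as a hint.
CVCV_RE = re.compile(r"^(?:[bcdfghjklmnpqrstvwxyz][aeiou]){4}$")


def module_path(line):
    """Return the lower-cased module path referenced on a log line, or None."""
    m = PATH_RE.search(line)
    return m.group(1).lower() if m else None


def is_cvcv_name(path):
    """True if the file stem matches the consonant/vowel naming heuristic."""
    stem = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    return bool(CVCV_RE.match(stem))


def find_suspicious_modules(log_text):
    """Return {path: {"sections": [...], "cvcv_name": bool}} for every module
    that is referenced from at least one high-risk load point."""
    refs = defaultdict(set)
    for line in log_text.splitlines():
        sec = SECTION_RE.match(line)
        path = module_path(line)
        if sec and path:
            refs[path].add(sec.group(1))
    findings = {}
    for path, sections in refs.items():
        if sections & set(HIGH_RISK_SECTIONS):
            findings[path] = {
                "sections": sorted(sections),
                "cvcv_name": is_cvcv_name(path),
            }
    return findings


if __name__ == "__main__":
    for path, info in find_suspicious_modules(SAMPLE_LOG).items():
        points = ", ".join(HIGH_RISK_SECTIONS.get(s, s) for s in info["sections"])
        print(f"{path}: loaded via {points}; cvcv name: {info['cvcv_name']}")
```

On the sample above the only hit is c:\windows\system32\fudafiyo.dll, referenced from O4, O20, O21 and O22; the Adobe BHO and the Symantec service are not flagged because neither touches a high-risk load point. The name heuristic is deliberately reported as a separate boolean so that a reviewer can weigh it rather than have it decide the verdict.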

#4 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • OFFLINE
  •  
  • Local time:09:43 AM

Posted 16 January 2009 - 09:49 AM

1. Please open Notepad
  • Click Start, then Run
  • Type notepad.exe in the Run Box.
2. Now copy/paste the entire content of the codebox below into the Notepad window:

KillAll::

File::
c:\windows\system32\mimoyibi.exe
c:\windows\system32\buvoyaki.dll
c:\windows\system32\fepuyepe.dll
c:\windows\system32\vugumali.dll
c:\windows\system32\fudafiyo.dll
c:\windows\system32\lunazuse.dll

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"SpybotDeletingB7938"=-
"SpybotDeletingD5090"=-
"SpybotDeletingB8635"=-
"SpybotDeletingD8448"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CPM332837a3"=-
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\SharedTaskScheduler]
"{EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4}"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"SSODL"=-
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Notification Packages"=hex(7):73,63,65,63,6c,69,00,00

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.



5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#5 KangaRouX

KangaRouX
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:06:43 PM

Posted 16 January 2009 - 03:54 PM

"Looks to me like you got it..."

ComboFix 09-01-16.01 - Owner 2009-01-16 13:39:44.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.2039.1490 [GMT -7:00]
Running from: c:\documents and settings\Owner.FOXDRAGON\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Owner.FOXDRAGON\Desktop\CFScript.txt
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated)
* Created a new restore point

FILE ::
c:\windows\system32\buvoyaki.dll
c:\windows\system32\fepuyepe.dll
c:\windows\system32\fudafiyo.dll
c:\windows\system32\lunazuse.dll
c:\windows\system32\mimoyibi.exe
c:\windows\system32\vugumali.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\buvoyaki.dll
c:\windows\system32\fepuyepe.dll
c:\windows\system32\fudafiyo.dll
c:\windows\system32\mimoyibi.exe
c:\windows\system32\vugumali.dll

.
((((((((((((((((((((((((( Files Created from 2008-12-16 to 2009-01-16 )))))))))))))))))))))))))))))))
.

2009-01-14 18:24 . 2009-01-14 18:24 38,620 --ah----- c:\windows\system32\mlfcache.dat
2009-01-12 18:35 . 2009-01-12 18:35 96,978 --a------ C:\VirtumundoBeGone.exe
2009-01-11 19:31 . 2009-01-11 19:31 <DIR> d-------- C:\VundoFix Backups
2009-01-11 19:30 . 2009-01-11 19:30 410,984 --a------ c:\windows\system32\deploytk.dll
2008-12-31 11:50 . 2008-12-31 11:50 <DIR> d---s---- c:\documents and settings\LocalService.NT AUTHORITY\UserData
2008-12-22 20:28 . 2009-01-11 18:24 <DIR> d-------- c:\program files\Winamp Remote
2008-12-22 20:28 . 2008-12-24 16:53 <DIR> d-------- c:\documents and settings\All Users.WINDOWS\Application Data\OrbNetworks
2008-12-22 20:27 . 2008-12-22 20:29 <DIR> d-------- c:\program files\Winamp
2008-12-22 20:27 . 2008-12-22 20:37 <DIR> d-------- c:\documents and settings\Owner.FOXDRAGON\Application Data\Winamp
2008-12-22 20:27 . 2007-03-07 16:51 129,784 --------- c:\windows\system32\pxafs.dll
2008-12-22 20:27 . 2007-03-07 16:51 43,528 --------- c:\windows\system32\drivers\PxHelp20.sys
2008-12-22 20:27 . 2007-03-07 16:51 9,464 --------- c:\windows\system32\drivers\cdralw2k.sys
2008-12-22 20:27 . 2007-03-07 16:51 9,336 --------- c:\windows\system32\drivers\cdr4_xp.sys
2008-12-20 22:06 . 2001-08-17 22:36 8,704 --a------ c:\windows\system32\kbdjpn.dll
2008-12-20 22:06 . 2001-08-17 22:36 8,704 --a--c--- c:\windows\system32\dllcache\kbdjpn.dll
2008-12-20 22:06 . 2001-08-17 22:36 8,192 --a------ c:\windows\system32\kbdkor.dll
2008-12-20 22:06 . 2001-08-17 22:36 8,192 --a--c--- c:\windows\system32\dllcache\kbdkor.dll
2008-12-20 22:06 . 2001-08-17 14:55 6,144 --a------ c:\windows\system32\kbd106.dll
2008-12-20 22:06 . 2001-08-17 14:55 6,144 --a------ c:\windows\system32\kbd101c.dll
2008-12-20 22:06 . 2001-08-17 14:55 6,144 --a------ c:\windows\system32\kbd101b.dll
2008-12-20 22:06 . 2001-08-17 14:55 6,144 --a--c--- c:\windows\system32\dllcache\kbd106.dll
2008-12-20 22:06 . 2001-08-17 14:55 6,144 --a--c--- c:\windows\system32\dllcache\kbd101c.dll
2008-12-20 22:06 . 2001-08-17 14:55 6,144 --a--c--- c:\windows\system32\dllcache\kbd101b.dll
2008-12-20 22:06 . 2001-08-17 14:55 5,632 --a------ c:\windows\system32\kbd103.dll
2008-12-20 22:06 . 2001-08-17 14:55 5,632 --a--c--- c:\windows\system32\dllcache\kbd103.dll
2008-12-16 18:46 . 2008-12-16 18:46 <DIR> d-------- c:\program files\AviSynth 2.5
2008-12-16 18:45 . 2008-12-16 18:45 <DIR> d-------- c:\program files\eRightSoft
2008-12-16 11:21 . 2008-12-16 11:21 <DIR> d-------- c:\program files\RelevantKnowledge
2008-12-16 11:21 . 2008-12-16 16:12 <DIR> d-------- c:\program files\MP3MyMP3
2008-12-16 10:20 . 2008-12-16 10:20 <DIR> d-------- C:\3gptemp
2008-12-16 09:55 . 2008-12-16 09:56 <DIR> d-------- c:\program files\QuickMediaConverter
2008-12-16 09:45 . 2008-12-16 09:45 <DIR> d-------- c:\program files\MIKSOFT

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-16 20:44 --------- d-----w c:\program files\Symantec AntiVirus
2009-01-16 20:44 --------- d-----w c:\documents and settings\Owner.FOXDRAGON\Application Data\WTablet
2009-01-16 14:24 --------- d-----w c:\documents and settings\LocalService.NT AUTHORITY\Application Data\WTablet
2009-01-13 01:02 --------- d-----w c:\program files\Trend Micro
2009-01-12 14:28 --------- d-----w c:\documents and settings\Owner.FOXDRAGON\Application Data\Skype
2009-01-12 02:30 --------- d-----w c:\program files\Java
2009-01-12 01:24 --------- d-----w c:\documents and settings\Owner.FOXDRAGON\Application Data\skypePM
2009-01-12 01:24 --------- d-----w c:\documents and settings\Owner.FOXDRAGON\Application Data\nView_Wallpaper
2009-01-12 00:22 --------- d-----w c:\program files\Trillian
2009-01-06 06:30 --------- d-----w c:\documents and settings\Owner.FOXDRAGON\Application Data\uTorrent
2008-12-31 00:31 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-12-21 22:02 --------- d-----w c:\documents and settings\Owner.FOXDRAGON\Application Data\Ahead
2008-12-07 04:33 --------- d-----w c:\program files\PuTTY
2008-12-04 23:41 --------- d-----w c:\program files\iTunes
2008-12-04 23:41 --------- d-----w c:\program files\iPod
2008-12-04 23:41 --------- d-----w c:\program files\Common Files\Apple
2008-12-04 23:41 --------- d-----w c:\documents and settings\All Users.WINDOWS\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-12-04 23:36 --------- d-----w c:\program files\QuickTime
2008-12-04 23:26 --------- d-----w c:\program files\Safari
2008-12-04 01:02 --------- d-----w c:\program files\Common Files\Adobe
2008-12-03 23:22 --------- d-----w c:\program files\Tablet
2008-11-19 04:34 --------- d-----w c:\program files\Syncrosoft
2008-11-19 00:03 --------- d-----w c:\program files\Steinberg
2008-01-27 21:35 32 ----a-w c:\documents and settings\All Users.WINDOWS\Application Data\ezsid.dat
2007-04-30 20:32 25,600 ----a-w c:\documents and settings\Owner.FOXDRAGON\usbsermptxp.sys
2007-04-30 20:32 22,768 ----a-w c:\documents and settings\Owner.FOXDRAGON\usbsermpt.sys
2007-04-30 15:51 92,064 ----a-w c:\documents and settings\Owner.FOXDRAGON\mqdmmdm.sys
2007-04-30 15:51 9,232 ----a-w c:\documents and settings\Owner.FOXDRAGON\mqdmmdfl.sys
2007-04-30 15:51 79,328 ----a-w c:\documents and settings\Owner.FOXDRAGON\mqdmserd.sys
2007-04-30 15:51 66,656 ----a-w c:\documents and settings\Owner.FOXDRAGON\mqdmbus.sys
2007-04-30 15:51 6,208 ----a-w c:\documents and settings\Owner.FOXDRAGON\mqdmcmnt.sys
2007-04-30 15:51 5,936 ----a-w c:\documents and settings\Owner.FOXDRAGON\mqdmwhnt.sys
2007-04-30 15:51 4,048 ----a-w c:\documents and settings\Owner.FOXDRAGON\mqdmcr.sys
1999-07-07 00:00 6 --sh--r c:\windows\@@desktop.dat
2007-01-21 14:07 8 --sh--r c:\windows\system32\E2344BABF2.sys
2006-05-03 09:06 163,328 --sh--r c:\windows\system32\flvDX.dll
2007-02-21 10:47 31,232 --sh--r c:\windows\system32\msfDX.dll
2008-03-16 12:30 216,064 --sh--r c:\windows\system32\nbDX.dll
.

((((((((((((((((((((((((((((( snapshot@2009-01-16_ 7.30.31.21 )))))))))))))))))))))))))))))))))))))))))
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-09-16 1833296]
"Orb"="c:\program files\Winamp Remote\bin\OrbTray.exe" [2008-03-31 507904]
"LightScribe Control Panel"="c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe" [2008-02-26 2289664]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 1289000]
"P2kAutostart"="c:\documents and settings\Owner.FOXDRAGON\Desktop\P2kCommander-V3.2.6\P2kAutostart.exe" [BU]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"FIREBOX"="c:\program files\PreSonus\1394AudioDriver_FIREBox\FIREBOX Control.exe" [2005-01-28 1003520]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-04-19 7700480]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2005-10-04 48752]

c:\documents and settings\Owner.FOXDRAGON\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 113664]
FireBox Mixer (2).lnk - c:\program files\PreSonus\1394AudioDriver_FIREBox\FireBox Mixer.exe [2008-10-08 1019904]

c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\
TabUserW.exe.lnk - c:\windows\system32\WTablet\TabUserW.exe [2007-01-21 114688]

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source= c:\documents and settings\Owner.FOXDRAGON\Desktop\Deskbleepz\StandingStill.png
FriendlyName=

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WgaLogon]
[BU]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.I420"= i420vfw.dll
"msacm.ctmp3"= c:\windows\System32\ctmp3.acm
"VIDC.X264"= x264vfw.dll
"midi6"= KORGUMDD.DRV

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
--a------ 2005-06-06 23:46 57344 c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2007-05-11 03:06 40048 c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
--a------ 2005-12-10 07:57 133016 c:\program files\DAEMON Tools\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\diagent]
--a------ 2002-04-03 00:01 135264 c:\program files\Creative\SBLive\Diagnostics\diagent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
--a------ 2005-05-31 04:33 122941 c:\windows\system32\dla\tfswctrl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent]
--a------ 2006-11-13 12:39 1289000 c:\program files\Microsoft ActiveSync\wcescomm.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H2O]
--a------ 2005-10-23 00:00 385024 c:\program files\Syncrosoft\POS\H2O\cledx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
--a------ 2005-06-21 16:44 126976 c:\windows\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
--a------ 2005-06-21 16:48 155648 c:\windows\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LightScribe Control Panel]
--a------ 2008-02-26 14:08 2289664 c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2007-04-19 11:26 86016 c:\windows\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
-ra------ 2007-12-07 15:08 21686568 c:\program files\Skype\Phone\Skype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
--a------ 2004-10-14 13:42 1404928 c:\program files\Analog Devices\Core\smax4pnp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
--------- 2000-05-11 01:00 90112 c:\windows\Updreg.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\vptray]
--a------ 2005-11-15 12:28 85744 c:\progra~1\SYMANT~1\VPTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2007-04-19 11:26 1626112 c:\windows\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"TabletService"=2 (0x2)
"WMPNetworkSvc"=3 (0x3)
"WMP54GSVC"=2 (0x2)
"StarWindService"=2 (0x2)
"SPBBCSvc"=3 (0x3)
"SNDSrvc"=3 (0x3)
"SavRoam"=3 (0x3)
"ose"=3 (0x3)
"NMIndexingService"=3 (0x3)
"NBService"=3 (0x3)
"MS Common Service"=2 (0x2)
"LightScribeService"=2 (0x2)
"JavaQuickStarterService"=2 (0x2)
"IDriverT"=3 (0x3)
"gupdate1c8e2e637230915"=2 (0x2)
"DefWatch"=2 (0x2)
"Creative Service for CDROM Access"=2 (0x2)
"ccSetMgr"=2 (0x2)
"ccPwdSvc"=3 (0x3)
"ccEvtMgr"=2 (0x2)
"Bonjour Service"=2 (0x2)
"Apple Mobile Device"=2 (0x2)
"Adobe LM Service"=3 (0x3)
"AcrSch2Svc"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Documents and Settings\\Owner.FOXDRAGON\\My Documents\\Appz\\utorrent.exe"=
"c:\\Program Files\\Soulseek\\slsk.exe"=
"c:\\Program Files\\QuickTime\\QuickTimePlayer.exe"=
"c:\\Program Files\\Common Files\\Ahead\\Nero Web\\SetupX.exe"=
"c:\\Program Files\\Java\\jre1.6.0_01\\bin\\javaw.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Trillian\\trillian.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Motorola\\PST\\P2KDataLogger.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Winamp Remote\\bin\\Orb.exe"=
"c:\\Program Files\\Winamp Remote\\bin\\OrbTray.exe"=
"c:\\Program Files\\Winamp Remote\\bin\\OrbStreamerClient.exe"=
"c:\\WINDOWS\\system32\\Wacom_Tablet.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\WINDOWS\\system32\\WTablet\\Wacom_TabletUser.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R3 CLEDX;Team H2O CLEDX service;c:\windows\system32\drivers\cledx.sys [2008-11-18 33792]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2008-09-05 99376]
R3 KORGUMDS;KORG USB-MIDI Driver for Windows XP;c:\windows\system32\drivers\KORGUMDS.SYS [2004-07-12 12544]
R3 ps_1394;ps_1394;c:\windows\system32\drivers\ps_1394.sys [2008-10-08 97152]
R3 ps_avs;ps_avs;c:\windows\system32\drivers\ps_avs.sys [2008-10-08 24576]
R3 tenCapture;tenCapture;c:\windows\system32\drivers\tenCapture.sys [2007-04-21 9344]
R3 wacmoumonitor;Wacom Mode Helper;c:\windows\system32\drivers\wacmoumonitor.sys [2008-12-03 15656]
R4 TabletServiceWacom;TabletServiceWacom;c:\windows\system32\Wacom_Tablet.exe [2007-11-11 2749224]
S3 CrucialSMBusScan;CrucialSMBusScan;\??\c:\windows\system32\drivers\CrucialSMBusScan.sys --> c:\windows\system32\drivers\CrucialSMBusScan.sys [?]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [2008-06-22 17792]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [2008-06-22 7680]
S3 motport;Motorola USB Diagnostic Port;c:\windows\system32\drivers\motport.sys [2008-06-22 21504]
S3 SynasUSB;SynasUSB;c:\windows\system32\drivers\synasUSB.sys [2008-11-18 16896]
S4 gupdate1c8e2e637230915;Google Update Service (gupdate1c8e2e637230915);c:\program files\Google\Update\GoogleUpdate.exe [2008-07-10 133104]
S4 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [2005-11-15 169200]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"c:\program files\Common Files\LightScribe\LSRunOnce.exe"
.
Contents of the 'Scheduled Tasks' folder

2009-01-15 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2009-01-16 c:\windows\Tasks\GoogleUpdateTaskMachine.job
- c:\program files\Google\Update\GoogleUpdate.exe [2008-09-04 11:09]

2009-01-16 c:\windows\Tasks\Spybot - Search & Destroy - Scheduled Task.job
- c:\program files\Spybot - Search & Destroy\SpybotSD.exe [2008-07-30 13:45]

2009-01-16 c:\windows\Tasks\Spybot - Search & Destroy Updater - Scheduled Task.job
- c:\program files\Spybot - Search & Destroy\SDUpdate.exe [2008-08-14 12:39]
.
- - - - ORPHANS REMOVED - - - -

BHO-{03b7f1ad-0a65-4ea7-baa1-8701c42c88da} - (no file)


.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Owner.FOXDRAGON\Application Data\Mozilla\Firefox\Profiles\vkjfgol9.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - plugin: c:\program files\Google\Lively\nplively.dll
FF - plugin: c:\program files\Google\Update\1.2.133.33\npGoogleOneClick7.dll

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-16 13:44:34
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{2E29FD1C-8E93-4d17-8893-DD18E3D36851}\Version*Version]
"Version"=hex:77,13,b3,c5,71,86,e0,24,ba,d0,17,b0,26,2a,9f,14,c1,53,f1,8f,93,
df,20,1a,fe,67,53,8a,f4,86,fc,49,4c,96,d0,ff,7b,93,40,84,6f,bd,2f,a5,1f,d7,\

[HKEY_LOCAL_MACHINE\software\Minnetonka Audio Software\discWelder BRONZE\Version*Version]
"Version"=hex:77,13,b3,c5,71,86,e0,24,ba,d0,17,b0,26,2a,9f,14,c1,53,f1,8f,93,
df,20,1a,fe,67,53,8a,f4,86,fc,49,4c,96,d0,ff,7b,93,40,84,6f,bd,2f,a5,1f,d7,\
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvsvc32.exe
c:\program files\Symantec AntiVirus\Rtvscan.exe
c:\windows\system32\MsPMSPSv.exe
c:\windows\system32\WTablet\Wacom_TabletUser.exe
c:\windows\system32\wscntfy.exe
c:\progra~1\MICROS~4\rapimgr.exe
.
**************************************************************************
.
Completion time: 2009-01-16 13:50:59 - machine was rebooted
ComboFix-quarantined-files.txt 2009-01-16 20:50:56
ComboFix2.txt 2009-01-16 14:31:49

Pre-Run: 6,748,184,576 bytes free
Post-Run: 6,737,416,192 bytes free

296 --- E O F --- 2008-11-29 20:58:29



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:51:46 PM, on 1/16/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\WINDOWS\system32\Wacom_Tablet.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\WTablet\Wacom_TabletUser.exe
C:\WINDOWS\system32\Wacom_Tablet.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\PROGRA~1\MICROS~4\rapimgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O4 - HKLM\..\Run: [FIREBOX] C:\Program Files\PreSonus\1394AudioDriver_FIREBox\FIREBOX Control.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Orb] "C:\Program Files\Winamp Remote\bin\OrbTray.exe" /background
O4 - HKCU\..\Run: [LightScribe Control Panel] C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [P2kAutostart] C:\Documents and Settings\Owner.FOXDRAGON\Desktop\P2kCommander-V3.2.6\P2kAutostart.exe
O4 - S-1-5-18 Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: FireBox Mixer (2).lnk = C:\Program Files\PreSonus\1394AudioDriver_FIREBox\FireBox Mixer.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (User 'Default user')
O4 - .DEFAULT Startup: FireBox Mixer (2).lnk = C:\Program Files\PreSonus\1394AudioDriver_FIREBox\FireBox Mixer.exe (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: FireBox Mixer (2).lnk = C:\Program Files\PreSonus\1394AudioDriver_FIREBox\FireBox Mixer.exe
O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\system32\WTablet\TabUserW.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: TabletServiceWacom - Wacom Technology, Corp. - C:\WINDOWS\system32\Wacom_Tablet.exe
O24 - Desktop Component 0: (no name) - C:\Documents and Settings\Owner.FOXDRAGON\Desktop\Deskbleepz\StandingStill.png

--
End of file - 5305 bytes

#6 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • OFFLINE
  • Local time:09:43 AM

Posted 16 January 2009 - 04:11 PM

Let's do a double scan...


Please download Malwarebytes' Anti-Malware from HERE or HERE

Note: If you already have Malwarebytes' Anti-Malware, just run and update it, then do a "Perform Full Scan".

Double-click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart (see Extra Note).
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.


NEXT

Please run a free online scan with the ESET Online Scanner
Note: You will need to use Internet Explorer for this scan.
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the options Remove found threats and the option Scan unwanted applications is checked
  • Click Scan
  • Wait for the scan to finish
  • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic


Run DDS again, then post these logs in your next reply:

1. Malwarebytes'
2. ESET Online Scanner
3. DDS.txt
4. Tell me, how's the computer now?

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
It's gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


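Added example (not part of this thread, and not code from Malwarebytes, ESET or BleepingComputer): once the scan logs come back, the question that actually answers "how's the computer now?" is which hits were live on the system and which were inert copies. The Python below parses a log in the layout Malwarebytes' Anti-Malware 1.x writes (section headers such as "Files Infected:" followed by `<path> (<detection>) -> <action>.` lines) and sorts each hit by where it sits: ComboFix's C:\Qoobox quarantine, a System Restore snapshot under System Volume Information, the Windows tree itself, or user files. The sample log and every path and file name in it are constructed for this example, and the location rules are this example's own heuristics, not anything MBAM reports.

```python
import re
from collections import Counter

# Constructed sample in the layout of a Malwarebytes' Anti-Malware 1.x log:
# a section header, then one "<item> (<detection>) -> <action>." line per hit.
# All paths and names here are invented for the example.
SAMPLE_LOG = """\
Folders Infected:
C:\\Program Files\\ExampleAdware (Adware.Example) -> Quarantined and deleted successfully.

Files Infected:
C:\\Qoobox\\Quarantine\\C\\WINDOWS\\system32\\abcdefgh.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\\System Volume Information\\_restore{00000000-0000-0000-0000-000000000000}\\RP1\\A0000001.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\\WINDOWS\\system32\\ijklmnop.dll.tmp (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\\WINDOWS\\system32\\qrstuvwx.dll (Trojan.Vundo) -> Delete on reboot.
C:\\Documents and Settings\\User\\My Documents\\keygen.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
"""

# The detection name is the parenthesised token immediately before " -> ";
# a non-greedy path lets parentheses inside folder names pass through.
ENTRY_RE = re.compile(r"^(?P<path>.+?) \((?P<detection>[^()]+)\) -> (?P<action>.+?)\.?$")


def classify(path):
    """Example heuristic: where on disk did the hit live? (assumed categories)"""
    p = path.lower()
    if p.startswith("c:\\qoobox\\quarantine\\"):
        return "quarantine"      # already neutralised by ComboFix; not running
    if "\\system volume information\\_restore" in p:
        return "restore_point"   # System Restore snapshot; inert unless restored
    if p.startswith("c:\\windows\\"):
        return "live_system"     # inside the OS tree: treat as an active component
    return "user_data"           # downloads, backups, keygens and the like


def parse_mbam_log(text):
    """Return one dict per detection line, tagged with its log section and location."""
    entries = []
    section = None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.endswith(" Infected:"):          # e.g. "Files Infected:"
            section = line[: -len(" Infected:")]
            continue
        if line.startswith("("):                 # "(No malicious items detected)"
            continue
        m = ENTRY_RE.match(line)
        if not m or section is None:             # summary counts, headers, etc.
            continue
        entries.append({
            "section": section,
            "path": m["path"],
            "detection": m["detection"],
            "action": m["action"],
            "location": classify(m["path"]),
        })
    return entries


def summarize(entries):
    """Counts by location and detection, plus the paths that still need follow-up."""
    return {
        "by_location": dict(Counter(e["location"] for e in entries)),
        "by_detection": dict(Counter(e["detection"] for e in entries)),
        # "Delete on reboot" means the file was locked; confirm it is gone after restart.
        "pending_reboot": [e["path"] for e in entries if "reboot" in e["action"].lower()],
        "live_system": [e["path"] for e in entries if e["location"] == "live_system"],
    }


if __name__ == "__main__":
    report = summarize(parse_mbam_log(SAMPLE_LOG))
    for key, value in report.items():
        print(f"{key}: {value}")
```

Hits under Qoobox or System Volume Information are copies that no longer run, so they do not by themselves mean the infection is still active; an entry under C:\WINDOWS that reports "Delete on reboot" is the one to confirm is gone after the restart (a rescan, or checking the path is absent), which is why the summary lists those paths separately.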
#7 KangaRouX

KangaRouX
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  • Local time:06:43 PM

Posted 17 January 2009 - 11:29 AM

"The system seems fine except for the fact that scans keep picking things up."

Malwarebytes' Anti-Malware 1.33
Database version: 1659
Windows 5.1.2600 Service Pack 2

1/16/2009 6:09:12 PM
mbam-log-2009-01-16 (18-09-12).txt

Scan type: Full Scan (C:\|)
Objects scanned: 287508
Time elapsed: 2 hour(s), 45 minute(s), 37 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 40

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Program Files\RelevantKnowledge (Spyware.Marketscore) -> Quarantined and deleted successfully.

Files Infected:
C:\Documents and Settings\Owner.FOXDRAGON\My Documents\Backup\`Sensory\Acid\Acid Pro 5.0 + Keygen\SONY ACID PRO 5.0c & Sound Forge 8.0b\SONY ACID PRO 5.0c & Sound Forge 8.0b (130MB)\SONY ACID Pro 5.0c (90.2MB (12 August 2005)\keygen\keygen.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner.FOXDRAGON\My Documents\Backup\`Sensory\Acid\Acid Pro 5.0 + Keygen\SONY ACID PRO 5.0c & Sound Forge 8.0b\SONY ACID PRO 5.0c & Sound Forge 8.0b (130MB)\SONY Sound Forge 8.0b (40.5MB) (12 August 2005)\keygen.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\blyuim.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\bowubomu.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\dikewape.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\diyidubo.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\hujinuya.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\pebudeba.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\pltyrh.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\tenedefi.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\trskrq.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\udyjsu.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\vogomiyi.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\zofudube.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{BFB9931E-6557-4B90-92A7-4EF7EA066F6E}\RP819\A0054241.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{BFB9931E-6557-4B90-92A7-4EF7EA066F6E}\RP819\A0055209.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{BFB9931E-6557-4B90-92A7-4EF7EA066F6E}\RP819\A0055210.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{BFB9931E-6557-4B90-92A7-4EF7EA066F6E}\RP819\A0055239.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{BFB9931E-6557-4B90-92A7-4EF7EA066F6E}\RP821\A0055310.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{BFB9931E-6557-4B90-92A7-4EF7EA066F6E}\RP821\A0055311.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{BFB9931E-6557-4B90-92A7-4EF7EA066F6E}\RP824\A0055498.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{BFB9931E-6557-4B90-92A7-4EF7EA066F6E}\RP827\A0055628.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{BFB9931E-6557-4B90-92A7-4EF7EA066F6E}\RP827\A0055629.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{BFB9931E-6557-4B90-92A7-4EF7EA066F6E}\RP827\A0055630.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{BFB9931E-6557-4B90-92A7-4EF7EA066F6E}\RP827\A0055631.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{BFB9931E-6557-4B90-92A7-4EF7EA066F6E}\RP827\A0055634.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{BFB9931E-6557-4B90-92A7-4EF7EA066F6E}\RP827\A0055653.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{BFB9931E-6557-4B90-92A7-4EF7EA066F6E}\RP827\A0055654.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{BFB9931E-6557-4B90-92A7-4EF7EA066F6E}\RP827\A0055660.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{BFB9931E-6557-4B90-92A7-4EF7EA066F6E}\RP827\A0055662.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{BFB9931E-6557-4B90-92A7-4EF7EA066F6E}\RP827\A0055665.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{BFB9931E-6557-4B90-92A7-4EF7EA066F6E}\RP827\A0055674.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{BFB9931E-6557-4B90-92A7-4EF7EA066F6E}\RP827\A0055677.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\sejamoya.dll.tmp (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ratanofi.dll.tmp (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\karezabu.dll.tmp (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lugikuno.dll.tmp (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Program Files\RelevantKnowledge\rlls.dll (Spyware.Marketscore) -> Quarantined and deleted successfully.
C:\Program Files\RelevantKnowledge\rlservice.exe (Spyware.Marketscore) -> Quarantined and deleted successfully.
C:\Program Files\RelevantKnowledge\rlvknlg.exe (Spyware.Marketscore) -> Quarantined and deleted successfully.



# version=4
# OnlineScanner.ocx=1.0.0.56
# OnlineScannerDLLA.dll=1, 0, 0, 51
# OnlineScannerDLLW.dll=1, 0, 0, 51
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=3772 (20090116)
# vers_arch_module=1.064 (20080214)
# vers_adv_heur_module=1.066 (20070917)
# EOSSerial=9b89d07d3dbe6f489ec62e8d0f01c476
# end=finished
# remove_checked=true
# unwanted_checked=true
# utc_time=2009-01-17 05:20:24
# local_time=2009-01-16 10:20:24 (-0700, Mountain Standard Time)
# country="United States"
# osver=5.1.2600 NT Service Pack 2
# scanned=513957
# found=60
# scan_time=12144
C:\Documents and Settings\Owner.FOXDRAGON\Desktop\Cubase and Reason Audio Stuff [www.yahaa.org]\Digital.Filter.Plus.v2.2.rar probably unknown NewHeur_PE virus (deleted) 00000000000000000000000000000000
C:\Documents and Settings\Owner.FOXDRAGON\Desktop\Cubase and Reason Audio Stuff [www.yahaa.org]\Digital.Filter.Plus.v2.2.rar »RAR »Digital.Filter.Plus.v2.2\b-ndfp22.zip probably unknown NewHeur_PE virus (error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
C:\Documents and Settings\Owner.FOXDRAGON\Desktop\Cubase and Reason Audio Stuff [www.yahaa.org]\Digital.Filter.Plus.v2.2.rar »RAR »Digital.Filter.Plus.v2.2\b-ndfp22.zip »ZIP »B-NDFP22.rar probably unknown NewHeur_PE virus (error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
C:\Documents and Settings\Owner.FOXDRAGON\Desktop\Cubase and Reason Audio Stuff [www.yahaa.org]\Digital.Filter.Plus.v2.2.rar »RAR »Digital.Filter.Plus.v2.2\b-ndfp22.zip »ZIP »B-NDFP22.rar »RAR »dfplus.exe probably unknown NewHeur_PE virus (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
C:\Documents and Settings\Owner.FOXDRAGON\My Documents\Backup\Deskrap\Themes\Bubblegum\bgc.exe multiple infiltrations (deleted) 00000000000000000000000000000000
C:\Documents and Settings\Owner.FOXDRAGON\My Documents\Backup\Deskrap\Themes\Bubblegum\bgc.exe »WISE »TBEZA127Q.exe Win32/Adware.QuickSearchBar application (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
C:\Documents and Settings\Owner.FOXDRAGON\My Documents\Backup\Deskrap\Themes\Bubblegum\bgc.exe »WISE »NNEZTA388.exe Win32/Adware.NdotNet application (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
C:\Documents and Settings\Owner.FOXDRAGON\My Documents\Backup\Deskrap\Themes\Bubblegum\bgc.exe »WISE »Trickler3103_PIC_fs_DMPT.exe Win32/Adware.Gator.Trickler.E application (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
C:\Documents and Settings\Owner.FOXDRAGON\My Documents\Backup\Deskrap\Themes\Bubblegum\bgc.exe »WISE »EZThemes_m3tsp8.exe Win32/TrojanDropper.Small.GT trojan (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
C:\Documents and Settings\Owner.FOXDRAGON\My Documents\Backup\Deskrap\Themes\Bubblegum\bgc.exe »WISE »ezStub22.exe Win32/Adware.Ezula application (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
C:\Documents and Settings\Owner.FOXDRAGON\My Documents\Backup\Deskrap\Themes\DevilMayCry\admc.exe multiple infiltrations (deleted) 00000000000000000000000000000000
C:\Documents and Settings\Owner.FOXDRAGON\My Documents\Backup\Deskrap\Themes\DevilMayCry\admc.exe »WISE »TBEZA127Q.exe Win32/Adware.QuickSearchBar application (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
C:\Documents and Settings\Owner.FOXDRAGON\My Documents\Backup\Deskrap\Themes\DevilMayCry\admc.exe »WISE »NNEZTA388.exe Win32/Adware.NdotNet application (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
C:\Documents and Settings\Owner.FOXDRAGON\My Documents\Backup\Deskrap\Themes\DevilMayCry\admc.exe »WISE »Trickler3103_PIC_fs_DMPT.exe Win32/Adware.Gator.Trickler.E application (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
C:\Documents and Settings\Owner.FOXDRAGON\My Documents\Backup\Deskrap\Themes\DevilMayCry\admc.exe »WISE »EZThemes_m3tsp8.exe Win32/TrojanDropper.Small.GT trojan (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
C:\Documents and Settings\Owner.FOXDRAGON\My Documents\Backup\Deskrap\Themes\DevilMayCry\admc.exe »WISE »ezStub22.exe Win32/Adware.Ezula application (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
C:\Documents and Settings\Owner.FOXDRAGON\My Documents\Backup\Deskrap\Themes\Edward\edward.exe multiple infiltrations (deleted) 00000000000000000000000000000000
C:\Documents and Settings\Owner.FOXDRAGON\My Documents\Backup\Deskrap\Themes\Edward\edward.exe »WISE »TBEZA127Q.exe Win32/Adware.QuickSearchBar application (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
C:\Documents and Settings\Owner.FOXDRAGON\My Documents\Backup\Deskrap\Themes\Edward\edward.exe »WISE »NNEZTA388.exe Win32/Adware.NdotNet application (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
C:\Documents and Settings\Owner.FOXDRAGON\My Documents\Backup\Deskrap\Themes\Edward\edward.exe »WISE »Trickler3103_PIC_fs_DMPT.exe Win32/Adware.Gator.Trickler.E application (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
C:\Documents and Settings\Owner.FOXDRAGON\My Documents\Backup\Deskrap\Themes\Edward\edward.exe »WISE »EZThemes_m3tsp8.exe Win32/TrojanDropper.Small.GT trojan (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
C:\Documents and Settings\Owner.FOXDRAGON\My Documents\Backup\Deskrap\Themes\Edward\edward.exe »WISE »ezStub22.exe Win32/Adware.Ezula application (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
C:\Documents and Settings\Owner.FOXDRAGON\My Documents\Backup\Deskrap\Themes\Iria\iria-zta.exe multiple infiltrations (deleted) 00000000000000000000000000000000
C:\Documents and Settings\Owner.FOXDRAGON\My Documents\Backup\Deskrap\Themes\Iria\iria-zta.exe »WISE »TBEZA127Q.exe Win32/Adware.QuickSearchBar application (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
C:\Documents and Settings\Owner.FOXDRAGON\My Documents\Backup\Deskrap\Themes\Iria\iria-zta.exe »WISE »NNEZTA388.exe Win32/Adware.NdotNet application (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
C:\Documents and Settings\Owner.FOXDRAGON\My Documents\Backup\Deskrap\Themes\Iria\iria-zta.exe »WISE »Trickler3103_PIC_fs_DMPT.exe Win32/Adware.Gator.Trickler.E application (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
C:\Documents and Settings\Owner.FOXDRAGON\My Documents\Backup\Deskrap\Themes\Iria\iria-zta.exe »WISE »EZThemes_m3tsp8.exe Win32/TrojanDropper.Small.GT trojan (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
C:\Documents and Settings\Owner.FOXDRAGON\My Documents\Backup\Deskrap\Themes\Iria\iria-zta.exe »WISE »ezStub22.exe Win32/Adware.Ezula application (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
C:\Documents and Settings\Owner.FOXDRAGON\My Documents\Backup\Deskrap\Themes\mononoke\mononoke.exe multiple infiltrations (deleted) 00000000000000000000000000000000
C:\Documents and Settings\Owner.FOXDRAGON\My Documents\Backup\Deskrap\Themes\mononoke\mononoke.exe »WISE »TBEZA127Q.exe Win32/Adware.QuickSearchBar application (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
C:\Documents and Settings\Owner.FOXDRAGON\My Documents\Backup\Deskrap\Themes\mononoke\mononoke.exe »WISE »NNEZTA388.exe Win32/Adware.NdotNet application (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
C:\Documents and Settings\Owner.FOXDRAGON\My Documents\Backup\Deskrap\Themes\mononoke\mononoke.exe »WISE »setup-cp.2.200-7.exe probably a variant of Win32/Adware.Agent application (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
C:\Documents and Settings\Owner.FOXDRAGON\My Documents\Backup\Deskrap\Themes\mononoke\mononoke.exe »WISE »EZThemes_m3tsp8.exe Win32/TrojanDropper.Small.GT trojan (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
C:\Documents and Settings\Owner.FOXDRAGON\My Documents\Backup\Deskrap\Themes\mononoke\mononoke.exe »WISE »ezStub22.exe Win32/Adware.Ezula application (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
C:\Documents and Settings\Owner.FOXDRAGON\My Documents\Backup\Deskrap\Themes\Oddworld\oddstuff.exe multiple infiltrations (deleted) 00000000000000000000000000000000
C:\Documents and Settings\Owner.FOXDRAGON\My Documents\Backup\Deskrap\Themes\Oddworld\oddstuff.exe »WISE »TBEZA127Q.exe Win32/Adware.QuickSearchBar application (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
C:\Documents and Settings\Owner.FOXDRAGON\My Documents\Backup\Deskrap\Themes\Oddworld\oddstuff.exe »WISE »NNEZTA388.exe Win32/Adware.NdotNet application (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
C:\Documents and Settings\Owner.FOXDRAGON\My Documents\Backup\Deskrap\Themes\Oddworld\oddstuff.exe »WISE »Trickler3103_PIC_fs_DMPT.exe Win32/Adware.Gator.Trickler.E application (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
C:\Documents and Settings\Owner.FOXDRAGON\My Documents\Backup\Deskrap\Themes\Oddworld\oddstuff.exe »WISE »EZThemes_m3tsp8.exe Win32/TrojanDropper.Small.GT trojan (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
C:\Documents and Settings\Owner.FOXDRAGON\My Documents\Backup\Deskrap\Themes\Oddworld\oddstuff.exe »WISE »ezStub22.exe Win32/Adware.Ezula application (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
C:\Documents and Settings\Owner.FOXDRAGON\My Documents\Backup\Deskrap\Themes\SonicAdventure\sonicadventure.exe multiple infiltrations (deleted) 00000000000000000000000000000000
C:\Documents and Settings\Owner.FOXDRAGON\My Documents\Backup\Deskrap\Themes\SonicAdventure\sonicadventure.exe »WISE »TBEZA127Q.exe Win32/Adware.QuickSearchBar application (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
C:\Documents and Settings\Owner.FOXDRAGON\My Documents\Backup\Deskrap\Themes\SonicAdventure\sonicadventure.exe »WISE »NNEZTA388.exe Win32/Adware.NdotNet application (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
C:\Documents and Settings\Owner.FOXDRAGON\My Documents\Backup\Deskrap\Themes\SonicAdventure\sonicadventure.exe »WISE »Trickler3103_PIC_fs_DMPT.exe Win32/Adware.Gator.Trickler.E application (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
C:\Documents and Settings\Owner.FOXDRAGON\My Documents\Backup\Deskrap\Themes\SonicAdventure\sonicadventure.exe »WISE »EZThemes_m3tsp8.exe Win32/TrojanDropper.Small.GT trojan (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
C:\Documents and Settings\Owner.FOXDRAGON\My Documents\Backup\Deskrap\Themes\SonicAdventure\sonicadventure.exe »WISE »ezStub22.exe Win32/Adware.Ezula application (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
C:\Documents and Settings\Owner.FOXDRAGON\My Documents\Backup\Diskrap\Cubase and Reason Audio Stuff [www.yahaa.org].rar probably unknown NewHeur_PE virus (deleted) 00000000000000000000000000000000
C:\Documents and Settings\Owner.FOXDRAGON\My Documents\Backup\Diskrap\Cubase and Reason Audio Stuff [www.yahaa.org].rar »RAR »Cubase and Reason Audio Stuff [www.yahaa.org]\Digital.Filter.Plus.v2.2.rar probably unknown NewHeur_PE virus (error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
C:\Documents and Settings\Owner.FOXDRAGON\My Documents\Backup\Diskrap\Cubase and Reason Audio Stuff [www.yahaa.org].rar »RAR »Cubase and Reason Audio Stuff [www.yahaa.org]\Digital.Filter.Plus.v2.2.rar »RAR »Digital.Filter.Plus.v2.2\b-ndfp22.zip probably unknown NewHeur_PE virus (error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
C:\Documents and Settings\Owner.FOXDRAGON\My Documents\Backup\Diskrap\Cubase and Reason Audio Stuff [www.yahaa.org].rar »RAR »Cubase and Reason Audio Stuff [www.yahaa.org]\Digital.Filter.Plus.v2.2.rar »RAR »Digital.Filter.Plus.v2.2\b-ndfp22.zip »ZIP »B-NDFP22.rar probably unknown NewHeur_PE virus (error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
C:\Documents and Settings\Owner.FOXDRAGON\My Documents\Backup\Diskrap\Cubase and Reason Audio Stuff [www.yahaa.org].rar »RAR »Cubase and Reason Audio Stuff [www.yahaa.org]\Digital.Filter.Plus.v2.2.rar »RAR »Digital.Filter.Plus.v2.2\b-ndfp22.zip »ZIP »B-NDFP22.rar »RAR »dfplus.exe probably unknown NewHeur_PE virus (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\WINDOWS\system32\lunazuse.dll.vir Win32/Adware.Virtumonde application (unable to clean - deleted) 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\WINDOWS\system32\nohosizi.dll.vir Win32/Adware.Virtumonde application (unable to clean - deleted) 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\WINDOWS\system32\ruyezijo.dll.vir Win32/Adware.Virtumonde application (unable to clean - deleted) 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\WINDOWS\system32\tibezili.dll.vir Win32/Adware.Virtumonde application (unable to clean - deleted) 00000000000000000000000000000000
C:\WINDOWS\system32\fezovezi.dll.tmp Win32/Adware.Virtumonde application (unable to clean - deleted) 00000000000000000000000000000000
C:\WINDOWS\system32\jekupeju.dll.tmp Win32/Adware.Virtumonde application (unable to clean - deleted) 00000000000000000000000000000000
C:\WINDOWS\system32\zububofi.dll.tmp Win32/Adware.Virtumonde application (unable to clean - deleted) 00000000000000000000000000000000
C:\WINDOWS\system32\drivers\etc\cache08\os32.ini IRC/Cloner.B trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\WINDOWS\system32\drivers\etc\cache08\WinOS.hlp IRC/Cloner.G trojan (unable to clean - deleted) 00000000000000000000000000000000




DDS (Ver_09-01-07.01) - NTFSx86
Run by Owner at 9:24:35.89 on Sat 01/17/2009
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.2039.1293 [GMT -7:00]

AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\WINDOWS\system32\Wacom_Tablet.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\WTablet\Wacom_TabletUser.exe
C:\WINDOWS\system32\Wacom_Tablet.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\PROGRA~1\MICROS~4\rapimgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Winamp Remote\bin\OrbTray.exe
C:\Program Files\Winamp Remote\bin\Orb.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Owner.FOXDRAGON\Desktop\dds.scr

============== Pseudo HJT Report ===============

uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [Orb] "c:\program files\winamp remote\bin\OrbTray.exe" /background
uRun: [LightScribe Control Panel] c:\program files\common files\lightscribe\LightScribeControlPanel.exe -hidden
uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\wcescomm.exe"
uRun: [P2kAutostart] c:\documents and settings\owner.foxdragon\desktop\p2kcommander-v3.2.6\P2kAutostart.exe
mRun: [FIREBOX] c:\program files\presonus\1394audiodriver_firebox\FIREBOX Control.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
StartupFolder: c:\docume~1\owner~1.fox\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\owner~1.fox\startm~1\programs\startup\firebo~1.lnk - c:\program files\presonus\1394audiodriver_firebox\FireBox Mixer.exe
StartupFolder: c:\docume~1\alluse~1.win\startm~1\programs\startup\tabuse~1.lnk - c:\windows\system32\wtablet\TabUserW.exe
mPolicies-explorer: <NO NAME> =
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\micros~4\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\micros~4\INetRepl.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxsrvc.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\owner~1.fox\applic~1\mozilla\firefox\profiles\vkjfgol9.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - plugin: c:\program files\google\lively\nplively.dll
FF - plugin: c:\program files\google\update\1.2.133.33\npGoogleOneClick7.dll

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
============= SERVICES / DRIVERS ===============

R1 SAVRT;SAVRT;c:\program files\symantec antivirus\savrt.sys [2005-8-26 334984]
R1 SAVRTPEL;SAVRTPEL;c:\program files\symantec antivirus\Savrtpel.sys [2005-8-26 53896]
R3 CLEDX;Team H2O CLEDX service;c:\windows\system32\drivers\cledx.sys [2008-11-18 33792]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2008-9-5 99376]
R3 KORGUMDS;KORG USB-MIDI Driver for Windows XP;c:\windows\system32\drivers\KORGUMDS.SYS [2004-7-12 12544]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20090116.004\naveng.sys [2009-1-16 89104]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20090116.004\navex15.sys [2009-1-16 876112]
R3 ps_1394;ps_1394;c:\windows\system32\drivers\ps_1394.sys [2008-10-8 97152]
R3 ps_avs;ps_avs;c:\windows\system32\drivers\ps_avs.sys [2008-10-8 24576]
R3 tenCapture;tenCapture;c:\windows\system32\drivers\tenCapture.sys [2007-4-21 9344]
R3 wacmoumonitor;Wacom Mode Helper;c:\windows\system32\drivers\wacmoumonitor.sys [2008-12-3 15656]
R4 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec antivirus\Rtvscan.exe [2005-11-15 1756912]
R4 TabletServiceWacom;TabletServiceWacom;c:\windows\system32\Wacom_Tablet.exe [2007-11-11 2749224]
S3 CrucialSMBusScan;CrucialSMBusScan;\??\c:\windows\system32\drivers\crucialsmbusscan.sys --> c:\windows\system32\drivers\CrucialSMBusScan.sys [?]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [2008-6-22 17792]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [2008-6-22 7680]
S3 motport;Motorola USB Diagnostic Port;c:\windows\system32\drivers\motport.sys [2008-6-22 21504]
S3 SynasUSB;SynasUSB;c:\windows\system32\drivers\synasUSB.sys [2008-11-18 16896]
S4 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2005-10-4 185968]
S4 ccPwdSvc;Symantec Password Validation;c:\program files\common files\symantec shared\ccPwdSvc.exe [2005-10-4 83568]
S4 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2005-10-4 177776]
S4 gupdate1c8e2e637230915;Google Update Service (gupdate1c8e2e637230915);c:\program files\google\update\GoogleUpdate.exe [2008-7-10 133104]
S4 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2005-11-15 169200]

=============== Created Last 30 ================

2009-01-16 18:14 <DIR> --d----- c:\program files\EsetOnlineScanner
2009-01-16 14:14 <DIR> --d----- c:\docume~1\owner~1.fox\applic~1\Malwarebytes
2009-01-16 14:14 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-01-16 14:14 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-16 14:14 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-01-16 14:14 <DIR> --d----- c:\docume~1\alluse~1.win\applic~1\Malwarebytes
2009-01-16 06:43 <DIR> a-dshr-- C:\cmdcons
2009-01-16 06:41 161,792 a------- c:\windows\SWREG.exe
2009-01-16 06:41 98,816 a------- c:\windows\sed.exe
2009-01-14 18:24 38,620 a---h--- c:\windows\system32\mlfcache.dat
2009-01-12 18:35 96,978 a------- C:\VirtumundoBeGone.exe
2009-01-11 19:31 <DIR> --d----- C:\VundoFix Backups
2009-01-11 19:30 410,984 a------- c:\windows\system32\deploytk.dll
2008-12-22 20:28 <DIR> --d----- c:\docume~1\alluse~1.win\applic~1\OrbNetworks
2008-12-22 20:28 <DIR> --d----- c:\program files\Winamp Remote
2008-12-22 20:27 129,784 -------- c:\windows\system32\pxafs.dll
2008-12-22 20:27 43,528 -------- c:\windows\system32\drivers\PxHelp20.sys
2008-12-22 20:27 9,464 -------- c:\windows\system32\drivers\cdralw2k.sys
2008-12-22 20:27 9,336 -------- c:\windows\system32\drivers\cdr4_xp.sys
2008-12-20 22:06 8,704 ac------ c:\windows\system32\dllcache\kbdjpn.dll
2008-12-20 22:06 8,192 ac------ c:\windows\system32\dllcache\kbdkor.dll
2008-12-20 22:06 6,144 ac------ c:\windows\system32\dllcache\kbd106.dll
2008-12-20 22:06 6,144 ac------ c:\windows\system32\dllcache\kbd101c.dll
2008-12-20 22:06 6,144 ac------ c:\windows\system32\dllcache\kbd101b.dll
2008-12-20 22:06 5,632 ac------ c:\windows\system32\dllcache\kbd103.dll
2008-12-20 22:06 8,704 a------- c:\windows\system32\kbdjpn.dll
2008-12-20 22:06 8,192 a------- c:\windows\system32\kbdkor.dll
2008-12-20 22:06 6,144 a------- c:\windows\system32\kbd106.dll
2008-12-20 22:06 6,144 a------- c:\windows\system32\kbd101c.dll
2008-12-20 22:06 6,144 a------- c:\windows\system32\kbd101b.dll
2008-12-20 22:06 5,632 a------- c:\windows\system32\kbd103.dll

==================== Find3M ====================

2009-01-15 16:09 127,858 a--sh--- c:\windows\system32\famatima.dll
2008-10-26 12:15 233,472 a------- c:\windows\system32\REX Shared Library.dll
2008-01-27 14:35 32 a------- c:\docume~1\alluse~1.win\applic~1\ezsid.dat
2007-04-30 13:32 25,600 a------- c:\documents and settings\owner.foxdragon\usbsermptxp.sys
2007-04-30 13:32 22,768 a------- c:\documents and settings\owner.foxdragon\usbsermpt.sys
2007-04-30 08:51 92,064 a------- c:\documents and settings\owner.foxdragon\mqdmmdm.sys
2007-04-30 08:51 79,328 a------- c:\documents and settings\owner.foxdragon\mqdmserd.sys
2007-04-30 08:51 66,656 a------- c:\documents and settings\owner.foxdragon\mqdmbus.sys
2007-04-30 08:51 9,232 a------- c:\documents and settings\owner.foxdragon\mqdmmdfl.sys
2007-04-30 08:51 6,208 a------- c:\documents and settings\owner.foxdragon\mqdmcmnt.sys
2007-04-30 08:51 5,936 a------- c:\documents and settings\owner.foxdragon\mqdmwhnt.sys
2007-04-30 08:51 4,048 a------- c:\documents and settings\owner.foxdragon\mqdmcr.sys
2001-08-07 16:32 122,880 a------- c:\windows\inf\agfa\message.exe
1999-07-06 17:00 6 ---shr-- c:\windows\@@desktop.dat
2007-01-21 07:07 8 ---shr-- c:\windows\system32\E2344BABF2.sys
2006-05-03 02:06 163,328 ---shr-- c:\windows\system32\flvDX.dll
2007-02-21 03:47 31,232 ---shr-- c:\windows\system32\msfDX.dll
2008-03-16 05:30 216,064 ---shr-- c:\windows\system32\nbDX.dll

============= FINISH: 9:25:20.53 ===============

#8 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • OFFLINE
  •  
  • Local time:09:43 AM

Posted 17 January 2009 - 03:14 PM

Don't worry.. ESET Online Scanner does its job very well :thumbsup:

Please find and delete this folder manually (if present)..

c:\program files\RelevantKnowledge


Now, let's do some cleanup...


Time for some housekeeping
  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK
    Please note that the space between combofix and /u is needed

Please read these excellent articles by miekiemoes :
Help! My computer is slow!
How to prevent Malware

Please reply to this thread once more and tell us about the computer behaviour before we can close this thread :)



Have a safe and happy computing day!


Regards
fenzodahl512

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
It's gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive
