Virtumonde Just Won't Go Away


  • This topic is locked
55 replies to this topic

#1 amnesia

amnesia

  • Members
  • 31 posts

Posted 05 March 2009 - 11:24 PM

Hi;

I need help with a Virtumonde/Vundo infection. It first showed up with the computer being very slow and the browser (IE) being hijacked with multiple windows suggesting virus removal etc.

I did a scan with Spybot S&D and found multiple instances of Virtumonde & virtumonde.prx in files such as c:\windows\system32\enozafi.dll and lunazuse.dll, zoyuhovo.dll, biniyogi.dll, azagurofi.ini, and more.

Spybot also reported:
WIN32.DNSChanger.axi:[SBI $407BD188] Executable (C:\windows\system32\kdsws.exe) and
microsoft.WindowsSecurityCenter.FirewallBypass: [SBI $21695B76 Settings Registry Value]

There were also many other registry keys infected. I instructed Spybot to fix the problem, but on repeat scans it seems to reappear! Ad-Aware doesn't report any infection. VundoFix doesn't report any infection. NAV intermittently warns of Trojan.Vundo infection which it says it has removed. I ran SDFix and yet the problem persists. Now TeaTimer keeps giving popups saying "spybot deleting B9374 system32\lunazuse...." and "Spybot Deleting D7845 system32\enozafi......." I have blocked these changes.
I tried to run a Kaspersky online scan but got the "IE ran into trouble and must shut down" message. There were lots of infected files already at this point in the scan, but I couldn't retrieve them before it shut down.

I apologize for all the crap on the computer as it's my kids'!
Can you help me?

Thank you in advance
Amnesia

**I have also attached the SDFix report (report.txt) as well as the NAV Virus alerts log**



DDS.txt report:

DDS (Ver_09-02-01.01) - NTFSx86
Run by Jelfy at 19:53:05.37 on Thu 03/05/2009
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.511.117 [GMT -8:00]

AV: AVG 7.5.516 *On-access scanning enabled* (Outdated)
AV: Norton AntiVirus *On-access scanning enabled* (Updated)
FW: ZoneAlarm Firewall *enabled*

============== Running Processes ===============

C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\GEARSec.exe
C:\Program Files\Java\jre6\bin\jqs.exe
D:\Norton AntiVirus\navapsvc.exe
C:\Nexon\MapleStory\npkcmsvc.exe
D:\Program Files\Photodex\ProShowGold\ScsiAccess.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\WINDOWS\tppaldr.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\Program Files\Seagate\DiscWizard\DiscWizardMonitor.exe
C:\Program Files\Seagate\DiscWizard\TimounterMonitor.exe
C:\Program Files\Common Files\Seagate\Schedule2\schedhlp.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\D-Link AirPlus\AirPlus.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Documents and Settings\Jelfy\Desktop\VIRUS SCANNER\dds.scr

============== Pseudo HJT Report ===============

uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mDefault_Search_URL = hxxp://www.google.com/ie
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 6.0\acrobat\activex\AcroIEHelper.dll
BHO: {18e77802-3df0-42a3-849a-112d179191cb} - c:\windows\system32\hihutabo.dll
BHO: Miniclip: {4e7bd74f-2b8d-469e-89b3-be29f5d3e32d} - c:\windows\downlo~1\MINICL~1.DLL
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: AcroIEToolbarHelper Class: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
BHO: {a76b75e4-7267-b4fa-20b4-098d0618e96b}: {b69e8160-d890-4b02-af4b-76274e57b67a} - c:\windows\system32\adaceq.dll
BHO: CNavExtBho Class: {bdf3e430-b101-42ad-a544-fadc6b084872} - d:\norton antivirus\NavShExt.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Miniclip: {4e7bd74f-2b8d-469e-89b3-be29f5d3e32d} - c:\windows\downlo~1\MINICL~1.DLL
TB: MSN Toolbar: {bdad1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\msn toolbar\01.01.2607.0\msgr.en-us.en-ca\msntb.dll
TB: Norton AntiVirus: {42cdd1bf-3ffb-4238-8ad1-7859df00b1d6} - d:\norton antivirus\NavShExt.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRunOnce: [SpybotDeletingB9347] command /c del "c:\windows\system32\lunazuse.dll_old"
uRunOnce: [SpybotDeletingD7845] cmd /c del "c:\windows\system32\lunazuse.dll_old"
uRunOnce: [SpybotDeletingB490] command /c del "c:\windows\system32\lenozafi.dll_old"
uRunOnce: [SpybotDeletingD4095] cmd /c del "c:\windows\system32\lenozafi.dll_old"
mRun: [SoundMAXPnP] c:\program files\analog devices\soundmax\SMax4PNP.exe
mRun: [SoundMAX] "c:\program files\analog devices\soundmax\Smax4.exe" /tray
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [IntelliType] "c:\program files\microsoft hardware\keyboard\type32.exe"
mRun: [POINTER] point32.exe
mRun: [TPP Auto Loader] c:\windows\tppaldr.exe
mRun: [Zone Labs Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [ezShieldProtector for Px] c:\windows\system32\ezSP_Px.exe
mRun: [DiscWizardMonitor.exe] c:\program files\seagate\discwizard\DiscWizardMonitor.exe
mRun: [AcronisTimounterMonitor] c:\program files\seagate\discwizard\TimounterMonitor.exe
mRun: [ASUS Probe] c:\program files\asus\probe\AsusProb.exe
mRun: [ccRegVfy] c:\program files\common files\symantec shared\ccRegVfy.exe
mRun: [ccApp] c:\program files\common files\symantec shared\ccApp.exe
mRun: [Acronis Scheduler2 Service] "c:\program files\common files\seagate\schedule2\schedhlp.exe"
mRun: [RoxWatchTray] "c:\program files\common files\roxio shared\9.0\sharedcom\RoxWatchTray9.exe"
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [petafekiku] Rundll32.exe "c:\windows\system32\jolemovu.dll",s
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [24a23766] rundll32.exe "c:\windows\system32\lenozafi.dll",b
mRunOnce: [SpybotDeletingA5527] command /c del "c:\windows\system32\lunazuse.dll_old"
mRunOnce: [SpybotDeletingC935] cmd /c del "c:\windows\system32\lunazuse.dll_old"
mRunOnce: [SpybotDeletingA5724] command /c del "c:\windows\system32\lenozafi.dll_old"
mRunOnce: [SpybotDeletingC1762] cmd /c del "c:\windows\system32\lenozafi.dll_old"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\d-link~1.lnk - c:\program files\d-link airplus\AirPlus.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: RaptisoftGameLoader - hxxp://www.miniclip.com/hamsterball/raptisoftgameloader.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {3334504D-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/0/C/8/0C8EDFAB-30BC-4792-898E-2DABE27B2C4D/mp43dmo.CAB
DPF: {41F17733-B041-4099-A042-B518BB6A408C} - hxxp://appldnld.m7z.net/content.info.apple.com/iTunes4/WW/win/019-0312.20050111.MmVrT/iTunesSetup.exe
DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.4.1.cab
DPF: {4E7BD74F-2B8D-469E-89B3-BE29F5D3E32D} - hxxp://www.miniclip.com/toolbar/minicliptoolbar.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1217908757231
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - hxxp://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38006.8132407407
DPF: {CAFEEFAC-0014-0002-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.4.2/jinstall-1_4_2_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
TCP: NameServer = 208.67.220.220,208.67.222.222
TCP: {2E98EA25-E79A-4BBC-94E7-FE818B23CC09} = 208.67.220.220,208.67.222.222
TCP: {3700FC48-CC40-44F5-8A39-38C3E59E6892} = 208.67.220.220,208.67.222.222
TCP: {B2C1D279-AE11-42C2-8234-2E9CE07481C3} = 208.67.220.220,208.67.222.222
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Notify: AtiExtEvent - Ati2evxx.dll
AppInit_DLLs: c:\windows\system32\kavemoda.dll c:\windows\system32\lakayepo.dll c:\windows\system32\lunazuse.dll adaceq.dll
SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\lunazuse.dll
STS: STS: {ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} - c:\windows\system32\lunazuse.dll
LSA: Authentication Packages = msv1_0 relog_ap
LSA: Notification Packages = scecli c:\windows\system32\kavemoda.dll

============= SERVICES / DRIVERS ===============

R0 PQV2i;PQV2i;c:\windows\system32\drivers\PQV2i.sys [2003-9-12 132899]
R1 Avg7Core;AVG7 Kernel;c:\windows\system32\drivers\avg7core.sys [2008-2-11 821856]
R1 Avg7RsW;AVG7 Wrap Driver;c:\windows\system32\drivers\avg7rsw.sys [2008-2-11 4224]
R1 Avg7RsXP;AVG7 Resident Driver XP;c:\windows\system32\drivers\avg7rsxp.sys [2008-2-11 27776]
R1 AvgClean;AVG7 Clean Driver;c:\windows\system32\drivers\avgclean.sys [2008-2-11 10760]
R1 PQIMount;PQIMount;c:\windows\system32\drivers\PQIMount.sys [2003-9-12 46810]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2004-5-22 279264]
R2 aawservice;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\aawservice.exe [2008-5-12 611664]
R2 Avg7Alrt;AVG7 Alert Manager Server;c:\progra~1\grisoft\avg7\avgamsvr.exe [2008-2-11 418816]
R2 Avg7UpdSvc;AVG7 Update Service;c:\progra~1\grisoft\avg7\avgupsvc.exe [2008-2-11 49664]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2002-8-8 308936]
R2 navapsvc;Norton AntiVirus Auto Protect Service;d:\norton antivirus\NAVAPSVC.EXE [2008-2-9 116336]
R2 SAVRTPEL;SAVRTPEL;c:\windows\system32\drivers\SAVRTPEL.SYS [2008-2-9 35552]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20090304.017\NAVENG.Sys [2009-3-4 89104]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20090304.017\NavEx15.Sys [2009-3-4 876144]
R3 SAVRT;SAVRT;c:\windows\system32\drivers\SAVRT.SYS [2008-2-9 235744]
S2 CX88XBAR;MSI 8606 Crossbar;c:\windows\system32\drivers\CX88XBar.SYS [2004-4-29 9159]
S2 Microsoft Inet Services;Microsoft Inet Services;c:\windows\system32\_svchost.exe -a --> c:\windows\system32\_svchost.exe -A [?]
S2 SBService;ScriptBlocking Service;c:\progra~1\common~1\symant~1\script~1\SBServ.exe [2001-8-13 54408]
S2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
S3 AdobeActiveFileMonitor;Adobe Active File Monitor;c:\program files\adobe\photoshop elements 3.0\PhotoshopElementsFileAgent.exe [2004-10-4 98304]
S3 ccPwdSvc;Symantec Password Validation Service;c:\program files\common files\symantec shared\ccPwdSvc.exe [2002-8-19 63176]
S3 Hl_mull;Hl_mull;c:\windows\system32\drivers\hl_mull.sys [2004-6-29 29024]
S3 MPCSYS;MPCSYS;c:\windows\system32\drivers\mpcsys.SYS [2004-1-20 15360]
S3 pmxscan;Visioneer USB Service;c:\windows\system32\drivers\usbscan.sys [2008-1-26 15104]
S3 SQ931;V-Gear TalkCam RX7;c:\windows\system32\drivers\Capt931a.sys [2008-1-3 526464]
S3 TPPFX;USB Storage Adapter FX (TPP);c:\windows\system32\drivers\TPPFX.SYS [2004-7-3 32256]
S3 XDva226;XDva226;\??\c:\windows\system32\xdva226.sys --> c:\windows\system32\XDva226.sys [?]
S4 mrtRate;mrtRate;c:\windows\system32\drivers\MrtRate.sys [2004-4-4 34916]
S4 PhotoshopElementsDeviceConnect;Photoshop Elements Device Connect;c:\program files\adobe\photoshop elements 3.0\PhotoshopElementsDeviceConnect.exe [2004-10-4 118784]

=============== Created Last 30 ================

2009-03-05 16:52 142,336 a--sh--- c:\windows\system32\dseasv.dll
2009-03-05 16:52 102,400 a--sh--- c:\windows\system32\zesigema.dll
2009-03-05 16:52 142,336 a--sh--- c:\windows\system32\busiwela.dll
2009-03-05 16:51 105,984 a--sh--- c:\windows\system32\holuyibi.dll
2009-03-04 20:33 <DIR> --d----- c:\windows\ERUNT
2009-03-04 17:39 <DIR> --d----- C:\SDFix
2009-03-04 17:32 410,984 a------- c:\windows\system32\deploytk.dll
2009-03-04 17:32 73,728 a------- c:\windows\system32\javacpl.cpl
2009-03-04 11:03 121 ---sh--- c:\windows\system32\ifazonel.ini
2009-03-04 10:49 141,312 a--sh--- c:\windows\system32\cfyqtr.dll
2009-03-04 10:49 141,312 a--sh--- c:\windows\system32\mabarili.dll
2009-03-03 22:49 142,848 a--sh--- c:\windows\system32\vedofumu.dll
2009-03-03 22:49 142,848 a--sh--- c:\windows\system32\adaceq.dll
2009-03-03 22:49 15,804 a--sh--- c:\windows\system32\zefumiwu.dll
2009-03-03 22:48 107,520 a--sh--- c:\windows\system32\wutivoba.dll
2009-03-03 22:01 <DIR> --d----- C:\VundoFix Backups
2009-03-03 07:48 142,848 a--sh--- c:\windows\system32\zfntxk.dll
2009-03-03 07:48 142,848 a--sh--- c:\windows\system32\bewodanu.dll
2009-03-03 07:48 103,936 a--sh--- c:\windows\system32\ruzarewu.dll
2009-03-02 23:22 382 a------- c:\windows\wininit.ini
2009-03-02 21:29 141,824 a------- c:\windows\system32\xhjwqd.dll
2009-03-02 19:50 141,824 a------- c:\windows\system32\puvezisu.dll
2009-02-28 19:44 109,568 a--sh--- c:\windows\system32\bufufodu.dll
2009-02-28 08:17 144,384 a------- c:\windows\system32\vyfhuu.dll
2009-02-28 07:40 144,384 a------- c:\windows\system32\hisakihi.dll
2009-02-27 20:16 121 ---sh--- c:\windows\system32\egazihum.ini
2009-02-27 20:16 143,360 a------- c:\windows\system32\mdkjgw.dll
2009-02-27 19:40 143,360 a------- c:\windows\system32\daletoje.dll
2009-02-27 19:40 109,056 a------- c:\windows\system32\halihupe.dll
2009-02-27 19:40 102,912 a------- c:\windows\system32\muhizage.dll
2009-02-27 08:16 143,360 a------- c:\windows\system32\qwbnzi.dll
2009-02-27 07:40 143,360 a------- c:\windows\system32\kawomogo.dll
2009-02-27 07:40 110,080 a------- c:\windows\system32\butobuko.dll
2009-02-26 20:20 121 ---sh--- c:\windows\system32\iyusobib.ini
2009-02-26 20:16 144,384 a------- c:\windows\system32\plzpzr.dll
2009-02-26 19:48 2,098 ---sh--- c:\windows\system32\nayulowo.dll
2009-02-26 19:40 144,384 a------- c:\windows\system32\zulipivu.dll
2009-02-26 19:40 110,592 a------- c:\windows\system32\riketuti.dll
2009-02-26 19:40 104,448 -------- c:\windows\system32\bibosuyi.dll
2009-02-26 08:13 142,848 a------- c:\windows\system32\jkyjvz.dll
2009-02-26 07:40 142,848 a------- c:\windows\system32\siyokume.dll
2009-02-26 07:40 104,448 a------- c:\windows\system32\dizezuki.dll
2009-02-25 01:47 141,824 a------- c:\windows\system32\nkbjoi.dll
2009-02-25 01:40 109,056 a------- c:\windows\system32\firupifo.dll
2009-02-25 01:40 141,824 a------- c:\windows\system32\kimupabe.dll
2009-02-24 13:37 143,872 a--sh--- c:\windows\system32\spjufb.dll
2009-02-14 11:11 56 ---shr-- c:\windows\system32\243ECC9E36.sys
2009-02-14 11:10 952 a--sh--- c:\windows\system32\KGyGaAvL.sys
2009-02-14 11:07 <DIR> --d----- c:\program files\common files\Enterbrain
2009-02-07 22:55 230,752 a------- c:\windows\patchw32.dll
2009-02-07 22:55 118,176 a------- c:\windows\patchw.dll
2009-02-07 22:50 <DIR> --d----- c:\program files\Outspark
2009-02-07 19:48 <DIR> --d----- c:\program files\DNA

==================== Find3M ====================

2009-02-24 13:37 103,424 a--sh--- c:\windows\system32\regopimu.dll
2009-02-24 13:37 143,872 a--sh--- c:\windows\system32\jurugezu.dll
2009-02-24 13:37 110,080 a--sh--- c:\windows\system32\zolatode.dll
2005-02-24 17:40 1,112 a------- c:\docume~1\jelfy\applic~1\ViewerApp.dat
2003-07-16 18:26 448,640 ac------ c:\windows\inf\EL2K_N64.sys
2003-07-16 18:22 147,328 ac------ c:\windows\inf\EL2K_XP.sys
2003-06-02 23:47 147,328 ac------ c:\windows\inf\EL2K_2K.sys
1998-11-17 12:09 24,576 a------- c:\windows\inf\Vizpnpin.exe
1998-10-12 12:23 40,960 a------- c:\windows\inf\vizpnp\Vipersti.dll
1998-07-30 13:44 19,112 a------- c:\windows\inf\vizpnp\Pmxscan.sys
2007-11-05 19:29 32 a--sh--- c:\windows\{629E3D0B-AA63-400C-AB8B-208478DFE17B}.dat
2006-05-03 01:06 163,328 ---shr-- c:\windows\system32\flvDX.dll
0000-00-00 00:00 70,656 a--sh--- c:\windows\system32\hihutabo.dll
0000-00-00 00:00 70,656 a--sh--- c:\windows\system32\jolemovu.dll
0000-00-00 00:00 70,656 a--sh--- c:\windows\system32\kavemoda.dll
2007-02-21 02:47 31,232 ---shr-- c:\windows\system32\msfDX.dll
2008-03-16 04:30 216,064 ---shr-- c:\windows\system32\nbDX.dll
2007-11-05 19:29 32 a--sh--- c:\windows\system32\{9964F7E5-4FFD-473C-A8F1-47CF4E306B4B}.dat

============= FINISH: 19:56:05.79 ===============



Edited by amnesia, 05 March 2009 - 11:53 PM.


#2 KoanYorel

KoanYorel

    Bleepin' Conundrum


  • Members
  • 19,461 posts
  • Gender:Male
  • Location:65 miles due East of the "Logic Free Zone", in Md, USA

Posted 18 March 2009 - 09:10 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

R,
K
The only easy day was yesterday.

...some do, some don't; some will, some won't (WR)

#3 amnesia

amnesia
  • Topic Starter

  • Members
  • 31 posts

Posted 22 March 2009 - 12:16 PM

Hi:

Thanks for the reply.
Since it's been a while, here's a fresh DDS scan.

As an update, my computer is running very slow, and plagued with "popup boxes".

My spybot keeps notifying that a system startup global entry is being denied: ..........cpm279104fa

Thanks in advance for your help.


Amnesia



DDS (Ver_09-03-16.01) - NTFSx86
Run by Jelfy at 8:55:32.68 on Sun 03/22/2009
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.511.186 [GMT -8:00]

AV: AVG 7.5.516 *On-access scanning enabled* (Outdated)
AV: Norton AntiVirus *On-access scanning enabled* (Updated)
FW: ZoneAlarm Firewall *enabled*

============== Running Processes ===============

C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\WINDOWS\tppaldr.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\Program Files\Seagate\DiscWizard\DiscWizardMonitor.exe
C:\Program Files\Seagate\DiscWizard\TimounterMonitor.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Seagate\Schedule2\schedhlp.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\D-Link AirPlus\AirPlus.exe
C:\WINDOWS\System32\GEARSec.exe
C:\Program Files\Java\jre6\bin\jqs.exe
D:\Norton AntiVirus\navapsvc.exe
C:\Nexon\MapleStory\npkcmsvc.exe
D:\Program Files\Photodex\ProShowGold\ScsiAccess.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Microsoft Office\Office\OUTLOOK.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Jelfy\Desktop\VIRUS SCANNER\dds.com

============== Pseudo HJT Report ===============

uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mDefault_Search_URL = hxxp://www.google.com/ie
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 6.0\acrobat\activex\AcroIEHelper.dll
BHO: {a2a817c5-8b3c-2689-7704-19f673249281}: {18294237-6f91-4077-9862-c3b85c718a2a} - c:\windows\system32\lpqmbc.dll
BHO: {18e77802-3df0-42a3-849a-112d179191cb} - c:\windows\system32\hihutabo.dll
BHO: Miniclip: {4e7bd74f-2b8d-469e-89b3-be29f5d3e32d} - c:\windows\downlo~1\MINICL~1.DLL
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: AcroIEToolbarHelper Class: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
BHO: CNavExtBho Class: {bdf3e430-b101-42ad-a544-fadc6b084872} - d:\norton antivirus\NavShExt.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Miniclip: {4e7bd74f-2b8d-469e-89b3-be29f5d3e32d} - c:\windows\downlo~1\MINICL~1.DLL
TB: MSN Toolbar: {bdad1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\msn toolbar\01.01.2607.0\msgr.en-us.en-ca\msntb.dll
TB: Norton AntiVirus: {42cdd1bf-3ffb-4238-8ad1-7859df00b1d6} - d:\norton antivirus\NavShExt.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRunOnce: [SpybotDeletingB9347] command /c del "c:\windows\system32\lunazuse.dll_old"
uRunOnce: [SpybotDeletingD7845] cmd /c del "c:\windows\system32\lunazuse.dll_old"
uRunOnce: [SpybotDeletingB490] command /c del "c:\windows\system32\lenozafi.dll_old"
uRunOnce: [SpybotDeletingD4095] cmd /c del "c:\windows\system32\lenozafi.dll_old"
mRun: [SoundMAXPnP] c:\program files\analog devices\soundmax\SMax4PNP.exe
mRun: [SoundMAX] "c:\program files\analog devices\soundmax\Smax4.exe" /tray
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [IntelliType] "c:\program files\microsoft hardware\keyboard\type32.exe"
mRun: [POINTER] point32.exe
mRun: [TPP Auto Loader] c:\windows\tppaldr.exe
mRun: [Zone Labs Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [ezShieldProtector for Px] c:\windows\system32\ezSP_Px.exe
mRun: [DiscWizardMonitor.exe] c:\program files\seagate\discwizard\DiscWizardMonitor.exe
mRun: [AcronisTimounterMonitor] c:\program files\seagate\discwizard\TimounterMonitor.exe
mRun: [ASUS Probe] c:\program files\asus\probe\AsusProb.exe
mRun: [ccRegVfy] c:\program files\common files\symantec shared\ccRegVfy.exe
mRun: [ccApp] c:\program files\common files\symantec shared\ccApp.exe
mRun: [Acronis Scheduler2 Service] "c:\program files\common files\seagate\schedule2\schedhlp.exe"
mRun: [RoxWatchTray] "c:\program files\common files\roxio shared\9.0\sharedcom\RoxWatchTray9.exe"
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [petafekiku] Rundll32.exe "c:\windows\system32\jolemovu.dll",s
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [24a23766] rundll32.exe "c:\windows\system32\lenozafi.dll",b
mRun: [CPM279104fa] Rundll32.exe "c:\windows\system32\famuhare.dll",a
mRunOnce: [SpybotDeletingA5527] command /c del "c:\windows\system32\lunazuse.dll_old"
mRunOnce: [SpybotDeletingC935] cmd /c del "c:\windows\system32\lunazuse.dll_old"
mRunOnce: [SpybotDeletingA5724] command /c del "c:\windows\system32\lenozafi.dll_old"
mRunOnce: [SpybotDeletingC1762] cmd /c del "c:\windows\system32\lenozafi.dll_old"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\d-link~1.lnk - c:\program files\d-link airplus\AirPlus.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: RaptisoftGameLoader - hxxp://www.miniclip.com/hamsterball/raptisoftgameloader.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {3334504D-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/0/C/8/0C8EDFAB-30BC-4792-898E-2DABE27B2C4D/mp43dmo.CAB
DPF: {41F17733-B041-4099-A042-B518BB6A408C} - hxxp://appldnld.m7z.net/content.info.apple.com/iTunes4/WW/win/019-0312.20050111.MmVrT/iTunesSetup.exe
DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.4.1.cab
DPF: {4E7BD74F-2B8D-469E-89B3-BE29F5D3E32D} - hxxp://www.miniclip.com/toolbar/minicliptoolbar.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1217908757231
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - hxxp://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38006.8132407407
DPF: {CAFEEFAC-0014-0002-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.4.2/jinstall-1_4_2_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
TCP: NameServer = 208.67.220.220,208.67.222.222
TCP: {2E98EA25-E79A-4BBC-94E7-FE818B23CC09} = 208.67.220.220,208.67.222.222
TCP: {3700FC48-CC40-44F5-8A39-38C3E59E6892} = 208.67.220.220,208.67.222.222
TCP: {B2C1D279-AE11-42C2-8234-2E9CE07481C3} = 208.67.220.220,208.67.222.222
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Notify: AtiExtEvent - Ati2evxx.dll
AppInit_DLLs: c:\windows\system32\kavemoda.dll c:\windows\system32\lakayepo.dll c:\windows\system32\lunazuse.dll c:\windows\system32\famuhare.dll c:\windows\system32\suyivaye.dll lpqmbc.dll
SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\suyivaye.dll
STS: STS: {ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} - c:\windows\system32\suyivaye.dll
LSA: Authentication Packages = msv1_0 relog_ap
LSA: Notification Packages = scecli c:\windows\system32\kavemoda.dll

============= SERVICES / DRIVERS ===============

R1 Avg7Core;AVG7 Kernel;c:\windows\system32\drivers\avg7core.sys [2008-2-11 821856]
R1 Avg7RsW;AVG7 Wrap Driver;c:\windows\system32\drivers\avg7rsw.sys [2008-2-11 4224]
R1 Avg7RsXP;AVG7 Resident Driver XP;c:\windows\system32\drivers\avg7rsxp.sys [2008-2-11 27776]
R1 AvgClean;AVG7 Clean Driver;c:\windows\system32\drivers\avgclean.sys [2008-2-11 10760]

=============== Created Last 30 ================

2009-03-22 03:20 121 ---sh--- c:\windows\system32\iyepibuj.ini
2009-03-22 03:20 142,336 a------- c:\windows\system32\eldjhl.dll
2009-03-22 02:30 100,864 a------- c:\windows\system32\jubipeyi.dll
2009-03-22 02:20 142,336 a------- c:\windows\system32\hapudira.dll
2009-03-22 02:20 106,496 a------- c:\windows\system32\famuhare.dll
2009-03-21 15:19 121 a--sh--- c:\windows\system32\unosehuw.ini
2009-03-21 14:29 141,824 a--sh--- c:\windows\system32\rdnmqa.dll
2009-03-21 14:29 141,824 a--sh--- c:\windows\system32\ravuripo.dll
2009-03-21 14:20 104,448 a------- c:\windows\system32\dilajule.dll
2009-03-21 03:19 121 ---sh--- c:\windows\system32\ojaloyoh.ini
2009-03-21 03:19 141,312 a------- c:\windows\system32\wdtmdz.dll
2009-03-21 02:28 2,098 ---sh--- c:\windows\system32\payukiji.dll
2009-03-21 02:20 141,312 a------- c:\windows\system32\rikajiro.dll
2009-03-21 02:20 106,496 a------- c:\windows\system32\suyivaye.dll
2009-03-21 02:20 101,888 -------- c:\windows\system32\hoyolajo.dll
2009-03-20 15:18 121 ---sh--- c:\windows\system32\adiyuded.ini
2009-03-20 15:18 141,312 a------- c:\windows\system32\bhtjkt.dll
2009-03-20 14:20 141,312 a------- c:\windows\system32\farivano.dll
2009-03-20 14:20 107,520 a------- c:\windows\system32\botobijo.dll
2009-03-20 14:20 100,864 -------- c:\windows\system32\deduyida.dll
2009-03-20 03:18 121 ---sh--- c:\windows\system32\atodifur.ini
2009-03-20 03:18 140,288 a------- c:\windows\system32\alqydw.dll
2009-03-20 02:28 56,656 a--sh--- c:\windows\system32\litovelu.dll
2009-03-20 02:20 140,288 a------- c:\windows\system32\tadanahe.dll
2009-03-20 02:20 102,912 -------- c:\windows\system32\rufidota.dll
2009-03-19 15:17 141,312 a------- c:\windows\system32\azelbu.dll
2009-03-19 15:17 10,240 a------- c:\windows\instsp2.exe
2009-03-19 14:29 106,496 a--sh--- c:\windows\system32\kiyipepi.dll.vir
2009-03-19 14:20 103,424 a------- c:\windows\system32\yavaneyu.dll
2009-03-19 14:20 141,312 a------- c:\windows\system32\vejidoyu.dll
2009-03-19 02:30 101,376 a------- c:\windows\system32\rodudaya.dll
2009-03-19 02:29 141,824 a--sh--- c:\windows\system32\lpqmbc.dll
2009-03-19 02:29 141,824 a--sh--- c:\windows\system32\jipafofa.dll
2009-03-19 02:20 106,496 a------- c:\windows\system32\subapade.dll
2009-03-16 08:59 140,800 a------- c:\windows\system32\xdobfb.dll
2009-03-16 08:40 140,800 a------- c:\windows\system32\zayiveva.dll
2009-03-16 08:28 100,864 a--sh--- c:\windows\system32\peyedibe.dll
2009-03-16 08:20 105,984 a------- c:\windows\system32\vowowono.dll
2009-03-15 20:29 102,400 a--sh--- c:\windows\system32\foromogu.dll
2009-03-15 20:29 40,624 a--sh--- c:\windows\system32\ruyovale.dll
2009-03-15 20:28 105,472 a--sh--- c:\windows\system32\mupitera.dll
2009-03-15 08:37 141,824 a------- c:\windows\system32\gmyvjv.dll
2009-03-15 08:27 107,520 a--sh--- c:\windows\system32\figusagu.dll
2009-03-15 08:27 100,864 a--sh--- c:\windows\system32\guzemese.dll
2009-03-15 08:20 141,824 a------- c:\windows\system32\wenabebi.dll
2009-03-14 20:27 141,824 a--sh--- c:\windows\system32\wfphww.dll
2009-03-14 20:27 141,824 a--sh--- c:\windows\system32\vilotubo.dll
2009-03-14 20:20 107,008 a------- c:\windows\system32\kerodaru.dll
2009-03-14 20:20 101,888 a------- c:\windows\system32\wukojohe.dll
2009-03-14 08:24 1,703,017 ---sh--- c:\windows\system32\obubebeh.ini
2009-03-14 08:24 141,312 a--sh--- c:\windows\system32\ecxrzz.dll
2009-03-13 09:39 141,312 a------- c:\windows\system32\rwbrpv.dll
2009-03-13 09:00 141,312 a------- c:\windows\system32\tajesare.dll
2009-03-13 09:00 108,544 a------- c:\windows\system32\fulonatu.dll
2009-03-13 09:00 101,888 a------- c:\windows\system32\kuhipute.dll
2009-03-13 08:39 141,312 a------- c:\windows\system32\sevgqz.dll
2009-03-13 08:32 1,933,859 ---sh--- c:\windows\system32\agewibel.ini
2009-03-13 08:32 101,888 a--sh--- c:\windows\system32\lebiwega.dll
2009-03-13 08:30 141,312 a------- c:\windows\system32\lenibaba.dll
2009-03-12 10:46 143,360 a------- c:\windows\system32\mpnnsg.dll
2009-03-12 10:07 75,664 a--sh--- c:\windows\system32\hadupope.dll
2009-03-12 10:07 49,384 a--sh--- c:\windows\system32\dokohoke.dll
2009-03-12 10:00 143,360 a------- c:\windows\system32\niwawuni.dll
2009-03-12 09:44 143,360 a------- c:\windows\system32\kxxctc.dll
2009-03-12 09:40 40,624 a--sh--- c:\windows\system32\seyuhile.dll
2009-03-12 09:40 28,944 a--sh--- c:\windows\system32\jejuligo.dll
2009-03-12 09:40 107,520 a------- c:\windows\system32\yekeyomu.dll
2009-03-12 09:13 1,835,095 ---sh--- c:\windows\system32\ogifohad.ini
2009-03-12 09:13 143,360 a--sh--- c:\windows\system32\alijvk.dll
2009-03-12 09:13 143,360 a--sh--- c:\windows\system32\kumemeyu.dll
2009-03-12 09:10 107,520 a------- c:\windows\system32\voninuti.dll
2009-03-12 08:45 1,835,095 ---sh--- c:\windows\system32\ohapekok.ini
2009-03-12 08:45 107,520 a--sh--- c:\windows\system32\zadofuni.dll
2009-03-12 08:40 143,360 a------- c:\windows\system32\segupoze.dll
2009-03-11 19:14 1,835,095 ---sh--- c:\windows\system32\imatisit.ini
2009-03-11 19:10 142,336 a--sh--- c:\windows\system32\qcxfuj.dll
2009-03-11 19:10 105,984 a------- c:\windows\system32\lufuwalo.dll
2009-03-11 19:10 142,336 a--sh--- c:\windows\system32\vazerope.dll
2009-03-11 19:10 53,764 a--sh--- c:\windows\system32\yulunore.dll
2009-03-11 18:43 68,364 a--sh--- c:\windows\system32\wasuputu.dll
2009-03-11 18:43 63,984 a--sh--- c:\windows\system32\nitalopo.dll
2009-03-11 18:40 105,984 a------- c:\windows\system32\wogeyabo.dll
2009-03-11 18:16 65,444 a--sh--- c:\windows\system32\kafonolu.dll
2009-03-11 18:16 91,724 a--sh--- c:\windows\system32\tajobosa.dll
2009-03-11 17:49 82,964 a--sh--- c:\windows\system32\lujagaje.dll
2009-03-11 17:49 77,124 a--sh--- c:\windows\system32\kabizahe.dll
2009-03-11 17:40 105,984 a------- c:\windows\system32\wutejomi.dll
2009-03-11 17:22 75,664 a--sh--- c:\windows\system32\rusatoze.dll
2009-03-11 17:22 75,664 a--sh--- c:\windows\system32\moteziwe.dll
2009-03-11 17:20 105,472 a------- c:\windows\system32\budaveko.dll
2009-03-11 16:56 94,644 a--sh--- c:\windows\system32\pahezoya.dll
2009-03-11 16:56 69,824 a--sh--- c:\windows\system32\podusafe.dll
2009-03-11 16:50 105,472 a------- c:\windows\system32\horihiju.dll
2009-03-11 16:33 1,835,082 ---sh--- c:\windows\system32\osokoyob.ini
2009-03-11 16:29 141,824 a--sh--- c:\windows\system32\abmgea.dll
2009-03-11 16:29 141,824 a--sh--- c:\windows\system32\leronohi.dll
2009-03-11 16:20 105,472 a------- c:\windows\system32\gujipeku.dll
2009-03-11 04:28 141,824 a------- c:\windows\system32\zdzybc.dll
2009-03-11 04:27 142,336 a------- c:\windows\system32\cucmen.dll
2009-03-11 04:27 142,336 a------- c:\windows\system32\mhlyjw.dll
2009-03-11 04:23 108,032 a--sh--- c:\windows\system32\suhojegu.dll
2009-03-11 04:23 50,844 a--sh--- c:\windows\system32\ranipone.dll
2009-03-11 04:20 141,824 a------- c:\windows\system32\buyopako.dll
2009-03-11 03:50 142,336 a------- c:\windows\system32\jafasatu.dll
2009-03-11 03:50 108,032 a------- c:\windows\system32\lumafeta.dll
2009-03-11 03:50 101,888 a------- c:\windows\system32\dakovebi.dll
2009-03-11 03:20 142,336 a------- c:\windows\system32\sakavisa.dll
2009-03-11 03:20 108,032 a------- c:\windows\system32\yuvujuto.dll
2009-03-11 03:20 101,888 a------- c:\windows\system32\zaleteva.dll
2009-03-11 03:02 1,835,095 ---sh--- c:\windows\system32\oyohanov.ini
2009-03-11 03:01 142,336 a------- c:\windows\system32\puocqt.dll
2009-03-11 03:01 142,336 a------- c:\windows\system32\pwibbv.dll
2009-03-11 03:01 142,336 a------- c:\windows\system32\anndpr.dll
2009-03-11 02:57 2,098 ---sh--- c:\windows\system32\ranaguho.dll
2009-03-11 02:50 142,336 a------- c:\windows\system32\kulofuvo.dll
2009-03-11 02:50 108,032 a------- c:\windows\system32\fehupuzo.dll
2009-03-11 02:50 101,888 a------- c:\windows\system32\vonahoyo.dll
2009-03-11 02:28 80,044 a--sh--- c:\windows\system32\dukakame.dll
2009-03-11 02:20 142,336 a------- c:\windows\system32\papukavo.dll
2009-03-11 02:20 108,032 a------- c:\windows\system32\fapimana.dll
2009-03-11 02:01 53,764 a--sh--- c:\windows\system32\biburuku.dll
2009-03-11 02:01 47,924 a--sh--- c:\windows\system32\binupuji.dll
2009-03-11 02:00 142,336 a------- c:\windows\system32\mawudeke.dll
2009-03-11 01:37 1,835,095 ---sh--- c:\windows\system32\asopifov.ini
2009-03-11 01:37 142,336 a------- c:\windows\system32\uwehxc.dll
2009-03-11 01:33 2,098 ---sh--- c:\windows\system32\yodutiti.dll
2009-03-11 01:33 2,098 ---sh--- c:\windows\system32\nogekago.dll
2009-03-11 01:06 2,098 ---sh--- c:\windows\system32\kajorila.dll
2009-03-11 01:00 142,336 a------- c:\windows\system32\hikemavi.dll
2009-03-11 01:00 108,032 a------- c:\windows\system32\sahanudi.dll
2009-03-11 01:00 101,888 a------- c:\windows\system32\vofiposa.dll
2009-03-11 00:39 99,024 a--sh--- c:\windows\system32\kavizazu.dll
2009-03-11 00:30 108,032 a------- c:\windows\system32\wonasuli.dll
2009-03-11 00:15 1,835,095 ---sh--- c:\windows\system32\ikayijuj.ini
2009-03-11 00:15 142,336 a------- c:\windows\system32\qtignk.dll
2009-03-11 00:14 142,336 a------- c:\windows\system32\rhsiyd.dll
2009-03-11 00:10 142,336 a------- c:\windows\system32\zuradike.dll
2009-03-11 00:10 108,032 a------- c:\windows\system32\gopigede.dll
2009-03-11 00:10 101,888 a------- c:\windows\system32\ninobuku.dll
2009-03-10 23:43 2,098 ---sh--- c:\windows\system32\venelumi.dll
2009-03-10 23:40 142,336 a------- c:\windows\system32\gegagoji.dll
2009-03-10 23:40 108,032 a------- c:\windows\system32\pisiwofo.dll
2009-03-10 23:40 101,888 a------- c:\windows\system32\munopubo.dll
2009-03-10 23:16 77,124 a--sh--- c:\windows\system32\wemipala.dll
2009-03-10 23:10 105,984 a------- c:\windows\system32\juvihawo.dll
2009-03-10 23:10 101,888 a------- c:\windows\system32\jujiyaki.dll
2009-03-10 22:53 1,835,095 ---sh--- c:\windows\system32\ahunomis.ini
2009-03-10 22:52 141,312 a------- c:\windows\system32\eiijyt.dll
2009-03-10 22:52 141,312 a------- c:\windows\system32\tpleim.dll
2009-03-10 22:52 141,312 a------- c:\windows\system32\mwcgnl.dll
2009-03-10 22:48 75,664 a--sh--- c:\windows\system32\ludiwemi.dll
2009-03-10 22:48 61,064 a--sh--- c:\windows\system32\wukahuro.dll
2009-03-10 22:40 141,312 a------- c:\windows\system32\vedogido.dll
2009-03-10 22:20 2,098 ---sh--- c:\windows\system32\nujugeze.dll
2009-03-10 22:20 105,984 a------- c:\windows\system32\wuyujedi.dll
2009-03-10 22:20 101,888 a------- c:\windows\system32\simonuha.dll
2009-03-10 22:10 141,312 a------- c:\windows\system32\muribabi.dll
2009-03-10 21:51 2,098 ---sh--- c:\windows\system32\molezovu.dll
2009-03-10 21:50 141,312 a------- c:\windows\system32\mezinoma.dll
2009-03-10 21:50 105,984 a------- c:\windows\system32\dufabuyo.dll
2009-03-10 21:50 101,888 a------- c:\windows\system32\labegefo.dll
2009-03-10 21:28 1,835,095 ---sh--- c:\windows\system32\oyuliwey.ini
2009-03-10 21:24 85,856 a--sh--- c:\windows\system32\bawuyopu.dll
2009-03-10 21:24 81,476 a--sh--- c:\windows\system32\lahuyofu.dll
2009-03-10 21:20 101,888 a------- c:\windows\system32\yewiluyo.dll
2009-03-10 12:42 12,800 a------- C:\NTDETECT.EXE
2009-03-10 10:05 142,848 a------- c:\windows\system32\znpkjw.dll
2009-03-10 09:05 68,364 a--sh--- c:\windows\system32\rogahefa.dll
2009-03-10 09:04 42,056 a--sh--- c:\windows\system32\nawobiti.dll
2009-03-10 09:00 142,848 a------- c:\windows\system32\tijojepe.dll
2009-03-09 10:14 142,848 a------- c:\windows\system32\hgbbmq.dll
2009-03-09 09:49 42,056 a--sh--- c:\windows\system32\sulozuro.dll
2009-03-09 09:49 42,056 a--sh--- c:\windows\system32\semusoji.dll
2009-03-09 09:40 142,848 a------- c:\windows\system32\lewemafa.dll
2009-03-08 21:50 65,444 a--sh--- c:\windows\system32\woyohipo.dll
2009-03-08 21:50 63,984 a--sh--- c:\windows\system32\hemeyore.dll
2009-03-08 21:49 87,316 a--sh--- c:\windows\system32\gevikeyi.dll
2009-03-08 09:51 43,516 a--sh--- c:\windows\system32\zohubuwu.dll
2009-03-08 09:51 140,288 a--sh--- c:\windows\system32\oaauhc.dll
2009-03-08 09:51 140,288 a--sh--- c:\windows\system32\rahobeto.dll
2009-03-08 09:50 108,032 a------- c:\windows\system32\hemodogo.dll
2009-03-07 17:52 141,824 a--sh--- c:\windows\system32\vegibeya.dll
2009-03-07 17:52 141,824 a--sh--- c:\windows\system32\mnxitz.dll
2009-03-07 17:52 100,864 a--sh--- c:\windows\system32\jiwusomo.dll
2009-03-07 17:51 107,008 a--sh--- c:\windows\system32\kegezadu.dll
2009-03-07 04:57 1,835,095 ---sh--- c:\windows\system32\itajoyeb.ini
2009-03-07 04:57 141,312 a------- c:\windows\system32\qjuzny.dll
2009-03-07 04:50 141,312 a------- c:\windows\system32\yavidihi.dll
2009-03-07 04:50 107,008 a------- c:\windows\system32\yohobela.dll
2009-03-06 16:57 141,312 a------- c:\windows\system32\vziwri.dll
2009-03-06 16:51 121 ---sh--- c:\windows\system32\ohelamem.ini
2009-03-06 16:51 105,984 a--sh--- c:\windows\system32\dahuladu.dll
2009-03-06 16:50 141,312 a------- c:\windows\system32\noyufayo.dll
2009-03-06 04:52 107,520 a--sh--- c:\windows\system32\jeruhoho.dll
2009-03-06 04:52 99,840 a--sh--- c:\windows\system32\dozafuna.dll
2009-03-06 04:51 142,336 a--sh--- c:\windows\system32\kuukcn.dll
2009-03-06 04:51 142,336 a--sh--- c:\windows\system32\gomonoye.dll
2009-03-05 16:52 142,336 a--sh--- c:\windows\system32\dseasv.dll
2009-03-05 16:52 102,400 a--sh--- c:\windows\system32\zesigema.dll
2009-03-05 16:52 142,336 a--sh--- c:\windows\system32\busiwela.dll
2009-03-05 16:51 105,984 a--sh--- c:\windows\system32\holuyibi.dll
2009-03-04 20:33 <DIR> --d----- c:\windows\ERUNT
2009-03-04 17:39 <DIR> --d----- C:\SDFix
2009-03-04 17:32 410,984 a------- c:\windows\system32\deploytk.dll
2009-03-04 17:32 73,728 a------- c:\windows\system32\javacpl.cpl
2009-03-04 11:03 121 ---sh--- c:\windows\system32\ifazonel.ini
2009-03-04 10:49 141,312 a--sh--- c:\windows\system32\cfyqtr.dll
2009-03-04 10:49 141,312 a--sh--- c:\windows\system32\mabarili.dll
2009-03-03 22:49 142,848 a--sh--- c:\windows\system32\vedofumu.dll
2009-03-03 22:49 142,848 a--sh--- c:\windows\system32\adaceq.dll
2009-03-03 22:49 15,804 a--sh--- c:\windows\system32\zefumiwu.dll
2009-03-03 22:48 107,520 a--sh--- c:\windows\system32\wutivoba.dll
2009-03-03 22:01 <DIR> --d----- C:\VundoFix Backups
2009-03-03 07:48 142,848 a--sh--- c:\windows\system32\zfntxk.dll
2009-03-03 07:48 142,848 a--sh--- c:\windows\system32\bewodanu.dll
2009-03-03 07:48 103,936 a--sh--- c:\windows\system32\ruzarewu.dll
2009-03-02 23:22 382 a------- c:\windows\wininit.ini
2009-03-02 21:29 141,824 a------- c:\windows\system32\xhjwqd.dll
2009-03-02 19:50 141,824 a------- c:\windows\system32\puvezisu.dll
2009-02-28 19:44 109,568 a--sh--- c:\windows\system32\bufufodu.dll
2009-02-28 08:17 144,384 a------- c:\windows\system32\vyfhuu.dll
2009-02-28 07:40 144,384 a------- c:\windows\system32\hisakihi.dll
2009-02-27 20:16 121 ---sh--- c:\windows\system32\egazihum.ini
2009-02-27 20:16 143,360 a------- c:\windows\system32\mdkjgw.dll
2009-02-27 19:40 143,360 a------- c:\windows\system32\daletoje.dll
2009-02-27 19:40 109,056 a------- c:\windows\system32\halihupe.dll
2009-02-27 19:40 102,912 a------- c:\windows\system32\muhizage.dll
2009-02-27 08:16 143,360 a------- c:\windows\system32\qwbnzi.dll
2009-02-27 07:40 143,360 a------- c:\windows\system32\kawomogo.dll
2009-02-27 07:40 110,080 a------- c:\windows\system32\butobuko.dll
2009-02-26 20:20 121 ---sh--- c:\windows\system32\iyusobib.ini
2009-02-26 20:16 144,384 a------- c:\windows\system32\plzpzr.dll
2009-02-26 19:48 2,098 ---sh--- c:\windows\system32\nayulowo.dll
2009-02-26 19:40 144,384 a------- c:\windows\system32\zulipivu.dll
2009-02-26 19:40 110,592 a------- c:\windows\system32\riketuti.dll
2009-02-26 19:40 104,448 -------- c:\windows\system32\bibosuyi.dll
2009-02-26 08:13 142,848 a------- c:\windows\system32\jkyjvz.dll
2009-02-26 07:40 142,848 a------- c:\windows\system32\siyokume.dll
2009-02-26 07:40 104,448 a------- c:\windows\system32\dizezuki.dll
2009-02-25 01:47 141,824 a------- c:\windows\system32\nkbjoi.dll
2009-02-25 01:40 109,056 a------- c:\windows\system32\firupifo.dll
2009-02-25 01:40 141,824 a------- c:\windows\system32\kimupabe.dll
2009-02-24 13:37 143,872 a--sh--- c:\windows\system32\spjufb.dll

==================== Find3M ====================

2009-03-14 08:24 100,864 -------- c:\windows\system32\hebebubo.dll
2009-03-14 08:24 141,312 a--sh--- c:\windows\system32\tigifofi.dll
2009-03-14 08:24 105,984 a--sh--- c:\windows\system32\bihomimo.dll
2009-02-24 13:37 103,424 a--sh--- c:\windows\system32\regopimu.dll
2009-02-24 13:37 143,872 a--sh--- c:\windows\system32\jurugezu.dll
2009-02-24 13:37 110,080 a--sh--- c:\windows\system32\zolatode.dll
2005-02-24 17:40 1,112 a------- c:\docume~1\jelfy\applic~1\ViewerApp.dat
2003-07-16 18:26 448,640 ac------ c:\windows\inf\EL2K_N64.sys
2003-07-16 18:22 147,328 ac------ c:\windows\inf\EL2K_XP.sys
2003-06-02 23:47 147,328 ac------ c:\windows\inf\EL2K_2K.sys
1998-11-17 12:09 24,576 a------- c:\windows\inf\Vizpnpin.exe
1998-10-12 12:23 40,960 a------- c:\windows\inf\vizpnp\Vipersti.dll
1998-07-30 13:44 19,112 a------- c:\windows\inf\vizpnp\Pmxscan.sys
2007-11-05 19:29 32 a--sh--- c:\windows\{629E3D0B-AA63-400C-AB8B-208478DFE17B}.dat
2006-05-03 01:06 163,328 ---shr-- c:\windows\system32\flvDX.dll
0000-00-00 00:00 70,656 a--sh--- c:\windows\system32\hihutabo.dll
0000-00-00 00:00 70,656 a--sh--- c:\windows\system32\jolemovu.dll
0000-00-00 00:00 70,656 a--sh--- c:\windows\system32\kavemoda.dll
2007-02-21 02:47 31,232 ---shr-- c:\windows\system32\msfDX.dll
2008-03-16 04:30 216,064 ---shr-- c:\windows\system32\nbDX.dll
2007-11-05 19:29 32 a--sh--- c:\windows\system32\{9964F7E5-4FFD-473C-A8F1-47CF4E306B4B}.dat

============= FINISH: 9:01:25.79 ===============
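The DDS log above shows the classic Vundo persistence pattern: randomly named 8-letter DLLs in system32 with system+hidden attributes, wired in through AppInit_DLLs, SSODL/STS and LSA Notification Packages. The following triage script is an added example (not DDS, ComboFix or BleepingComputer code) that parses a constructed slice of those log sections and scores each file; the scoring weights and the `scecli` allowlist are assumptions chosen for illustration.

```python
"""Triage a DDS-style log for Vundo/Virtumonde-style persistence hooks.

Heuristics (assumptions drawn from the log in this thread):
  - random-looking lowercase 6-8 letter .dll/.ini names in system32
  - system+hidden ('sh') attribute flags in the file listing
  - zeroed timestamps (0000-00-00) in the Find3M section
  - references from AppInit_DLLs, SSODL/STS or LSA Notification Packages
A name pattern alone is weak (deploytk.dll is legitimate Java code),
so only the combination of signals crosses the reporting threshold.
"""
import re
from collections import defaultdict

# Constructed sample assembled from entries that appear in the log above.
SAMPLE_LOG = r"""
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Notify: AtiExtEvent - Ati2evxx.dll
AppInit_DLLs: c:\windows\system32\kavemoda.dll c:\windows\system32\lunazuse.dll lpqmbc.dll
SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\suyivaye.dll
LSA: Authentication Packages = msv1_0 relog_ap
LSA: Notification Packages = scecli c:\windows\system32\kavemoda.dll

=============== Created Last 30 ================

2009-03-22 03:20 121 ---sh--- c:\windows\system32\iyepibuj.ini
2009-03-21 02:20 106,496 a------- c:\windows\system32\suyivaye.dll
2009-03-19 02:29 141,824 a--sh--- c:\windows\system32\lpqmbc.dll
2009-03-04 17:32 410,984 a------- c:\windows\system32\deploytk.dll

==================== Find3M ====================

0000-00-00 00:00 70,656 a--sh--- c:\windows\system32\kavemoda.dll
"""

# Assumption: minimal allowlist for LSA Notification Packages on Windows XP.
KNOWN_LSA_NOTIFY = {"scecli"}
RANDOM_NAME = re.compile(r"^[a-z]{6,8}\.(dll|ini)$")
FILE_LINE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}) "
    r"(?P<size>[\d,]+|<DIR>) (?P<attrs>[-a-z]{8}) (?P<path>.+)$", re.IGNORECASE)


def basename(path):
    """Lower-cased file name from a Windows path or a bare DLL name."""
    return path.strip().rsplit("\\", 1)[-1].lower()


def parse_hooks(text):
    """Map file name -> list of persistence points that reference it."""
    refs = defaultdict(list)
    for line in text.splitlines():
        if line.startswith("AppInit_DLLs:"):
            # Default value is empty; anything here is injected into every GUI process.
            for tok in line.split(":", 1)[1].split():
                refs[basename(tok)].append("AppInit_DLLs")
        elif line.startswith(("SSODL:", "STS:")):
            refs[basename(line.rsplit(" - ", 1)[-1])].append(line.split(":", 1)[0])
        elif line.startswith("LSA: Notification Packages"):
            for tok in line.split("=", 1)[1].split():
                if basename(tok).split(".")[0] not in KNOWN_LSA_NOTIFY:
                    refs[basename(tok)].append("LSA Notification Packages")
    return refs


def parse_files(text):
    """Map file name -> parsed fields for every file row in the listing sections."""
    entries = {}
    for line in text.splitlines():
        m = FILE_LINE.match(line)
        if m and m.group("size") != "<DIR>":
            entries[basename(m.group("path"))] = m.groupdict()
    return entries


def score_entries(text):
    """Score every file seen in the listing or referenced by a hook."""
    refs, files = parse_hooks(text), parse_files(text)
    results = {}
    for name in set(files) | set(refs):
        reasons = []
        if RANDOM_NAME.match(name):
            reasons.append(("random-looking name", 1))
        info = files.get(name)
        if info:
            if "s" in info["attrs"] and "h" in info["attrs"]:
                reasons.append(("system+hidden attributes", 1))
            if info["date"] == "0000-00-00":
                reasons.append(("zeroed timestamp", 2))
        for hook in refs.get(name, []):
            reasons.append((f"loaded via {hook}", 3))
        results[name] = {"score": sum(w for _, w in reasons),
                         "reasons": [r for r, _ in reasons]}
    return results


def flagged(text, threshold=2):
    """Sorted file names whose combined score reaches the threshold."""
    return sorted(n for n, r in score_entries(text).items() if r["score"] >= threshold)


if __name__ == "__main__":
    for name, r in sorted(score_entries(SAMPLE_LOG).items(), key=lambda kv: -kv[1]["score"]):
        print(f"{r['score']:2d}  {name:16s} {', '.join(r['reasons']) or '-'}")
```

Note that lunazuse.dll is flagged purely from the AppInit_DLLs reference even though it is absent from the file listing, which is exactly the kind of hook-only remnant worth checking after a cleanup run.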

#4 PropagandaPanda
  • Malware Response Team
  • 10,433 posts
  • Gender:Male

Posted 22 March 2009 - 12:22 PM

Hello. I am PropagandaPanda (Panda or PP for short), and I will be helping you.

Disable Realtime Protection
Antimalware programs can interfere with ComboFix and other tools we need to run. Please temporarily disable all realtime protections you have enabled. Refer to this page if you are unsure how.

To disable SpyBot's TeaTimer:
  • Open SpyBot Search and Destroy by going to Start -> All Programs -> Spybot Search and Destroy -> Spybot Search and Destroy.
  • If prompted with a legal dialog, accept the warning.
  • Click Posted Image and then on "Advanced Mode"
  • You may be presented with a warning dialog. If so, press Posted Image
  • Click on Posted Image
  • Click on Posted Image
  • Uncheck this checkbox:
    Posted Image
  • Close/Exit Spybot Search and Destroy
Download and Run ComboFix
Download Combofix by sUBs from any of the links below, and save it to your desktop.
Link 1, Link 2, Link 3
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Double click on ComboFix.exe and follow the prompts. If you are using Windows Vista, right click the icon and select "Run as Administrator". You will not receive the prompts below if you are not using Windows XP. ComboFix will check to see if you have the Windows Recovery Console installed.
  • If you did not have it installed, you will see the prompt below. Choose YES.

  • When the Recovery Console has been installed, you will see the prompt below. Choose YES.
  • When finished, ComboFix will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
Leave your computer alone while ComboFix is running. ComboFix will restart your computer if malware is found; allow it to do so.

Download and Run Scan with GMER
We will use GMER to scan for rootkits.

Please download GMER.zip to your desktop from any of the links below:
LINK1, LINK2
  • Right click on GMER.zip and select "Extract All".
  • Close all other open programs as there is a slight chance your computer will crash.
  • Double click GMER.exe. Your security programs may detect GMER's driver trying to load. Allow it.
  • You may see a warning saying "GMER has detected rootkit activity". If so, select NO.
  • Leaving the settings at default, click Scan.
  • When the scan is complete, click Save and save the log onto your desktop.
Please include the log in your next reply.
In your next reply include:
  • the ComboFix log
  • the GMER scan log

Please also tell me of any changes you have made to your computer since you started your topic.

With Regards,
The Panda

#5 amnesia
  • Topic Starter
  • Members
  • 31 posts

Posted 22 March 2009 - 09:35 PM

Hi Panda;

I ran ComboFix with no problems. It took about 20 minutes (including the reboot). I now have GMER running, and I was just wondering how fast it should be going. It has been running about 6 hours and it is still on Documents and Settings! I don't mind waiting, but I was just wondering if it's supposed to be this slow.

Thanks
Amnesia

#6 amnesia
  • Topic Starter
  • Members
  • 31 posts

Posted 22 March 2009 - 10:31 PM

Well, no sooner had I submitted the previous post than it finished!

Here are the results:


ComboFix 09-03-19.02 - Jelfy 2009-03-22 13:56:06.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.511.133 [GMT -8:00]
Running from: c:\documents and settings\Jelfy\Desktop\VIRUS SCANNER\ComboFix.exe
AV: AVG 7.5.516 *On-access scanning disabled* (Outdated)
AV: Norton AntiVirus *On-access scanning disabled* (Updated)
FW: ZoneAlarm Firewall *enabled*
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\windows\system32\abmgea.dll
c:\windows\system32\adaceq.dll
c:\windows\system32\adiyuded.ini
c:\windows\system32\agewibel.ini
c:\windows\system32\ahunomis.ini
c:\windows\system32\alijvk.dll
c:\windows\system32\alqydw.dll
c:\windows\system32\anndpr.dll
c:\windows\system32\asopifov.ini
c:\windows\system32\atodifur.ini
c:\windows\system32\azelbu.dll
c:\windows\system32\bawuyopu.dll
c:\windows\system32\bewodanu.dll
c:\windows\system32\bhtjkt.dll
c:\windows\system32\bibosuyi.dll
c:\windows\system32\biburuku.dll
c:\windows\system32\bihomimo.dll
c:\windows\system32\binupuji.dll
c:\windows\system32\botobijo.dll
c:\windows\system32\budaveko.dll
c:\windows\system32\bufufodu.dll
c:\windows\system32\busiwela.dll
c:\windows\system32\butobuko.dll
c:\windows\system32\buyopako.dll
c:\windows\system32\cfyqtr.dll
c:\windows\system32\cucmen.dll
c:\windows\system32\dahuladu.dll
c:\windows\system32\dakovebi.dll
c:\windows\system32\daletoje.dll
c:\windows\system32\deduyida.dll
c:\windows\system32\dilajule.dll
c:\windows\system32\dizezuki.dll
c:\windows\system32\dokohoke.dll
c:\windows\system32\dozafuna.dll
c:\windows\system32\dseasv.dll
c:\windows\system32\dufabuyo.dll
c:\windows\system32\dukakame.dll
c:\windows\system32\ecxrzz.dll
c:\windows\system32\egazihum.ini
c:\windows\system32\eiijyt.dll
c:\windows\system32\eldjhl.dll
c:\windows\system32\famuhare.dll
c:\windows\system32\fapimana.dll
c:\windows\system32\farivano.dll
c:\windows\system32\fehupuzo.dll
c:\windows\system32\figusagu.dll
c:\windows\system32\firupifo.dll
c:\windows\system32\foromogu.dll
c:\windows\system32\fulonatu.dll
c:\windows\system32\gegagoji.dll
c:\windows\system32\gevikeyi.dll
c:\windows\system32\gmyvjv.dll
c:\windows\system32\gomonoye.dll
c:\windows\system32\gopigede.dll
c:\windows\system32\gujipeku.dll
c:\windows\system32\guzemese.dll
c:\windows\system32\hadupope.dll
c:\windows\system32\halihupe.dll
c:\windows\system32\hapudira.dll
c:\windows\system32\hebebubo.dll
c:\windows\system32\hemeyore.dll
c:\windows\system32\hemodogo.dll
c:\windows\system32\hgbbmq.dll
c:\windows\system32\hihutabo.dll
c:\windows\system32\hikemavi.dll
c:\windows\system32\hisakihi.dll
c:\windows\system32\holuyibi.dll
c:\windows\system32\horihiju.dll
c:\windows\system32\hoyolajo.dll
c:\windows\system32\ifazonel.ini
c:\windows\system32\ikayijuj.ini
c:\windows\system32\imatisit.ini
c:\windows\system32\itajoyeb.ini
c:\windows\system32\iyepibuj.ini
c:\windows\system32\iyusobib.ini
c:\windows\system32\jafasatu.dll
c:\windows\system32\jejuligo.dll
c:\windows\system32\jeruhoho.dll
c:\windows\system32\jipafofa.dll
c:\windows\system32\jiwusomo.dll
c:\windows\system32\jkyjvz.dll
c:\windows\system32\jolemovu.dll
c:\windows\system32\jubipeyi.dll
c:\windows\system32\jujiyaki.dll
c:\windows\system32\jurugezu.dll
c:\windows\system32\juvihawo.dll
c:\windows\system32\kabizahe.dll
c:\windows\system32\kafonolu.dll
c:\windows\system32\kavemoda.dll
c:\windows\system32\kavizazu.dll
c:\windows\system32\kawomogo.dll
c:\windows\system32\kegezadu.dll
c:\windows\system32\kerodaru.dll
c:\windows\system32\kimupabe.dll
c:\windows\system32\kiyipepi.dll.vir
c:\windows\system32\koos.exe
c:\windows\system32\kprof
c:\windows\system32\kuhipute.dll
c:\windows\system32\kulofuvo.dll
c:\windows\system32\kumemeyu.dll
c:\windows\system32\kuukcn.dll
c:\windows\system32\kxxctc.dll
c:\windows\system32\labegefo.dll
c:\windows\system32\lahuyofu.dll
c:\windows\system32\lebiwega.dll
c:\windows\system32\lenibaba.dll
c:\windows\system32\leronohi.dll
c:\windows\system32\lewemafa.dll
c:\windows\system32\litovelu.dll
c:\windows\system32\lpqmbc.dll
c:\windows\system32\ludiwemi.dll
c:\windows\system32\lufuwalo.dll
c:\windows\system32\lujagaje.dll
c:\windows\system32\lumafeta.dll
c:\windows\system32\mabarili.dll
c:\windows\system32\mawudeke.dll
c:\windows\system32\mdkjgw.dll
c:\windows\system32\mezinoma.dll
c:\windows\system32\mhlyjw.dll
c:\windows\system32\mnxitz.dll
c:\windows\system32\moteziwe.dll
c:\windows\system32\mpnnsg.dll
c:\windows\system32\muhizage.dll
c:\windows\system32\munopubo.dll
c:\windows\system32\mupitera.dll
c:\windows\system32\muribabi.dll
c:\windows\system32\mwcgnl.dll
c:\windows\system32\nawobiti.dll
c:\windows\system32\ninobuku.dll
c:\windows\system32\nitalopo.dll
c:\windows\system32\niwawuni.dll
c:\windows\system32\nkbjoi.dll
c:\windows\system32\noyufayo.dll
c:\windows\system32\oaauhc.dll
c:\windows\system32\obubebeh.ini
c:\windows\system32\ogifohad.ini
c:\windows\system32\ohapekok.ini
c:\windows\system32\ohelamem.ini
c:\windows\system32\ojaloyoh.ini
c:\windows\system32\osokoyob.ini
c:\windows\system32\oyohanov.ini
c:\windows\system32\oyuliwey.ini
c:\windows\system32\pahezoya.dll
c:\windows\system32\papukavo.dll
c:\windows\system32\peyedibe.dll
c:\windows\system32\pisiwofo.dll
c:\windows\system32\plzpzr.dll
c:\windows\system32\podusafe.dll
c:\windows\system32\poof
c:\windows\system32\puocqt.dll
c:\windows\system32\puvezisu.dll
c:\windows\system32\pwibbv.dll
c:\windows\system32\qcxfuj.dll
c:\windows\system32\qjuzny.dll
c:\windows\system32\qtignk.dll
c:\windows\system32\qwbnzi.dll
c:\windows\system32\rahobeto.dll
c:\windows\system32\ranipone.dll
c:\windows\system32\ravuripo.dll
c:\windows\system32\rdnmqa.dll
c:\windows\system32\regopimu.dll
c:\windows\system32\rhsiyd.dll
c:\windows\system32\rikajiro.dll
c:\windows\system32\riketuti.dll
c:\windows\system32\rodudaya.dll
c:\windows\system32\rogahefa.dll
c:\windows\system32\rufidota.dll
c:\windows\system32\rusatoze.dll
c:\windows\system32\ruyovale.dll
c:\windows\system32\ruzarewu.dll
c:\windows\system32\rwbrpv.dll
c:\windows\system32\sahanudi.dll
c:\windows\system32\sakavisa.dll
c:\windows\system32\segupoze.dll
c:\windows\system32\semusoji.dll
c:\windows\system32\sevgqz.dll
c:\windows\system32\seyuhile.dll
c:\windows\system32\simonuha.dll
c:\windows\system32\siyokume.dll
c:\windows\system32\spjufb.dll
c:\windows\system32\subapade.dll
c:\windows\system32\suhojegu.dll
c:\windows\system32\sulozuro.dll
c:\windows\system32\suyivaye.dll
c:\windows\system32\tadanahe.dll
c:\windows\system32\tajesare.dll
c:\windows\system32\tajobosa.dll
c:\windows\system32\tigifofi.dll
c:\windows\system32\tijojepe.dll
c:\windows\system32\tpleim.dll
c:\windows\system32\unosehuw.ini
c:\windows\system32\uwehxc.dll
c:\windows\system32\vazerope.dll
c:\windows\system32\vedofumu.dll
c:\windows\system32\vedogido.dll
c:\windows\system32\vegibeya.dll
c:\windows\system32\vejidoyu.dll
c:\windows\system32\vilotubo.dll
c:\windows\system32\vofiposa.dll
c:\windows\system32\vonahoyo.dll
c:\windows\system32\voninuti.dll
c:\windows\system32\vowowono.dll
c:\windows\system32\vyfhuu.dll
c:\windows\system32\vziwri.dll
c:\windows\system32\wasuputu.dll
c:\windows\system32\wdtmdz.dll
c:\windows\system32\wemipala.dll
c:\windows\system32\wenabebi.dll
c:\windows\system32\wfphww.dll
c:\windows\system32\wogeyabo.dll
c:\windows\system32\wonasuli.dll
c:\windows\system32\woyohipo.dll
c:\windows\system32\wukahuro.dll
c:\windows\system32\wukojohe.dll
c:\windows\system32\wutejomi.dll
c:\windows\system32\wutivoba.dll
c:\windows\system32\wuyujedi.dll
c:\windows\system32\xdobfb.dll
c:\windows\system32\xhjwqd.dll
c:\windows\system32\yavidihi.dll
c:\windows\system32\yekeyomu.dll
c:\windows\system32\yewiluyo.dll
c:\windows\system32\yohobela.dll
c:\windows\system32\yulunore.dll
c:\windows\system32\yuvujuto.dll
c:\windows\system32\zadofuni.dll
c:\windows\system32\zaleteva.dll
c:\windows\system32\zayiveva.dll
c:\windows\system32\zdzybc.dll
c:\windows\system32\zefumiwu.dll
c:\windows\system32\zesigema.dll
c:\windows\system32\zfntxk.dll
c:\windows\system32\znpkjw.dll
c:\windows\system32\zohubuwu.dll
c:\windows\system32\zolatode.dll
c:\windows\system32\zulipivu.dll
c:\windows\system32\zuradike.dll

----- BITS: Possible infected sites -----

hxxp://82.98.235.205
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_KPROF
-------\Legacy_NDISWON
-------\Legacy_POOF


((((((((((((((((((((((((( Files Created from 2009-02-22 to 2009-03-22 )))))))))))))))))))))))))))))))
.

2009-03-21 02:28 . 2009-03-21 02:28 2,098 ---hs---- c:\windows\system32\payukiji.dll
2009-03-19 15:17 . 2009-03-19 15:17 10,240 --a------ c:\windows\instsp2.exe
2009-03-19 14:20 . 2009-03-19 15:17 103,424 --a------ c:\windows\system32\yavaneyu.dll
2009-03-11 02:57 . 2009-03-11 02:57 2,098 ---hs---- c:\windows\system32\ranaguho.dll
2009-03-11 01:33 . 2009-03-11 01:33 2,098 ---hs---- c:\windows\system32\yodutiti.dll
2009-03-11 01:33 . 2009-03-11 01:33 2,098 ---hs---- c:\windows\system32\nogekago.dll
2009-03-11 01:06 . 2009-03-11 01:06 2,098 ---hs---- c:\windows\system32\kajorila.dll
2009-03-10 23:43 . 2009-03-10 23:43 2,098 ---hs---- c:\windows\system32\venelumi.dll
2009-03-10 22:20 . 2009-03-10 22:20 2,098 ---hs---- c:\windows\system32\nujugeze.dll
2009-03-10 21:51 . 2009-03-10 21:51 2,098 ---hs---- c:\windows\system32\molezovu.dll
2009-03-10 12:42 . 2009-03-10 12:42 12,800 --a------ C:\NTDETECT.EXE
2009-03-04 20:33 . 2009-03-04 20:34 <DIR> d-------- c:\windows\ERUNT
2009-03-04 17:39 . 2009-03-04 21:54 <DIR> d-------- C:\SDFix
2009-03-04 17:32 . 2009-03-04 17:31 410,984 --a------ c:\windows\system32\deploytk.dll
2009-03-04 17:32 . 2009-03-04 17:31 73,728 --a------ c:\windows\system32\javacpl.cpl
2009-03-03 22:01 . 2009-03-03 22:01 <DIR> d-------- C:\VundoFix Backups
2009-03-02 23:22 . 2009-03-04 23:22 382 --a------ c:\windows\wininit.ini
2009-02-26 19:48 . 2009-02-26 19:48 2,098 ---hs---- c:\windows\system32\nayulowo.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-22 22:09 --------- d-----w c:\program files\Common Files\Symantec Shared
2009-03-22 21:47 --------- d-----w c:\documents and settings\Jelfy\Application Data\AVG7
2009-03-19 19:22 --------- d-----w c:\documents and settings\Holly\Application Data\AdobeUM
2009-03-18 22:54 73,728 ----a-w c:\windows\Internet Logs\xDB543.tmp
2009-03-18 22:54 1,283,584 ----a-w c:\windows\Internet Logs\xDB542.tmp
2009-03-16 02:42 --------- d-----w c:\documents and settings\Zenen\Application Data\DNA
2009-03-16 02:39 36,864 ----a-w c:\windows\Internet Logs\xDB541.tmp
2009-03-16 02:39 1,279,488 ----a-w c:\windows\Internet Logs\xDB540.tmp
2009-03-15 22:01 --------- d-----w c:\program files\DNA
2009-03-15 20:58 43,008 ----a-w c:\windows\Internet Logs\xDB53F.tmp
2009-03-15 20:58 1,285,632 ----a-w c:\windows\Internet Logs\xDB53E.tmp
2009-03-14 16:29 22,528 ----a-w c:\windows\Internet Logs\xDB53D.tmp
2009-03-14 16:27 1,281,536 ----a-w c:\windows\Internet Logs\xDB53C.tmp
2009-03-13 20:39 13,312 ----a-w c:\windows\Internet Logs\xDB53B.tmp
2009-03-13 20:39 1,272,320 ----a-w c:\windows\Internet Logs\xDB53A.tmp
2009-03-13 20:28 415,744 ----a-w c:\windows\Internet Logs\xDB539.tmp
2009-03-13 20:28 1,320,960 ----a-w c:\windows\Internet Logs\xDB538.tmp
2009-03-10 04:48 24,576 ----a-w c:\windows\Internet Logs\xDB537.tmp
2009-03-10 04:48 1,276,416 ----a-w c:\windows\Internet Logs\xDB536.tmp
2009-03-10 04:22 380,928 ----a-w c:\windows\Internet Logs\xDB535.tmp
2009-03-10 04:22 1,280,512 ----a-w c:\windows\Internet Logs\xDB534.tmp
2009-03-08 21:04 430,592 ----a-w c:\windows\Internet Logs\xDB533.tmp
2009-03-08 20:40 1,294,336 ----a-w c:\windows\Internet Logs\xDB532.tmp
2009-03-07 18:07 1,298,944 ----a-w c:\windows\Internet Logs\xDB530.tmp
2009-03-07 18:06 2,191,360 ----a-w c:\windows\Internet Logs\xDB531.tmp
2009-03-06 02:48 176,640 ----a-w c:\windows\Internet Logs\xDB52F.tmp
2009-03-06 02:45 1,276,416 ----a-w c:\windows\Internet Logs\xDB52E.tmp
2009-03-06 00:33 92,160 ----a-w c:\windows\Internet Logs\xDB52D.tmp
2009-03-06 00:33 1,272,320 ----a-w c:\windows\Internet Logs\xDB52C.tmp
2009-03-05 18:16 593,408 ----a-w c:\windows\Internet Logs\xDB52B.tmp
2009-03-05 18:16 1,275,392 ----a-w c:\windows\Internet Logs\xDB52A.tmp
2009-03-05 07:22 --------- d-----w c:\program files\Spybot - Search & Destroy
2009-03-05 06:01 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-03-05 01:31 --------- d-----w c:\program files\Java
2009-03-02 21:40 14,902,854 ----a-w c:\windows\Internet Logs\zlclient_2nd_2009_03_01_22_32_12.dmp.zip
2009-03-02 15:43 1,101,312 ----a-w c:\windows\Internet Logs\xDB528.tmp
2009-03-02 15:42 92,672 ----a-w c:\windows\Internet Logs\xDB529.tmp
2009-03-02 02:56 19,968 ----a-w c:\windows\Internet Logs\xDB527.tmp
2009-03-02 02:55 1,112,064 ----a-w c:\windows\Internet Logs\xDB526.tmp
2009-03-02 02:43 300,032 ----a-w c:\windows\Internet Logs\xDB525.tmp
2009-03-02 02:43 1,101,824 ----a-w c:\windows\Internet Logs\xDB524.tmp
2009-02-28 20:13 15,130,683 ----a-w c:\windows\Internet Logs\zlclient_2nd_2009_02_28_07_32_21.dmp.zip
2009-02-28 20:12 14,631,393 ----a-w c:\windows\Internet Logs\zlclient_2nd_2009_02_28_07_32_09.dmp.zip
2009-02-28 19:37 293,376 ----a-w c:\windows\Internet Logs\xDB523.tmp
2009-02-28 19:37 1,104,384 ----a-w c:\windows\Internet Logs\xDB522.tmp
2009-02-25 21:03 51,712 ----a-w c:\windows\Internet Logs\xDB521.tmp
2009-02-25 21:02 1,086,976 ----a-w c:\windows\Internet Logs\xDB520.tmp
2009-02-24 22:03 1,084,416 ----a-w c:\windows\Internet Logs\xDB51E.tmp
2009-02-24 21:37 110,080 ----a-w c:\windows\Internet Logs\xDB51F.tmp
2009-02-22 20:20 24,064 ----a-w c:\windows\Internet Logs\xDB51D.tmp
2009-02-22 20:20 1,061,376 ----a-w c:\windows\Internet Logs\xDB51C.tmp
2009-02-22 06:12 195,584 ----a-w c:\windows\Internet Logs\xDB51B.tmp
2009-02-22 06:12 1,061,376 ----a-w c:\windows\Internet Logs\xDB51A.tmp
2009-02-20 06:07 204,288 ----a-w c:\windows\Internet Logs\xDB519.tmp
2009-02-20 06:03 1,062,912 ----a-w c:\windows\Internet Logs\xDB518.tmp
2009-02-19 17:10 800,256 ----a-w c:\windows\Internet Logs\xDB517.tmp
2009-02-19 17:10 1,068,544 ----a-w c:\windows\Internet Logs\xDB516.tmp
2009-02-15 16:54 29,184 ----a-w c:\windows\Internet Logs\xDB515.tmp
2009-02-15 16:03 1,057,280 ----a-w c:\windows\Internet Logs\xDB514.tmp
2009-02-14 23:24 44,032 ----a-w c:\windows\Internet Logs\xDB513.tmp
2009-02-14 23:24 1,061,888 ----a-w c:\windows\Internet Logs\xDB512.tmp
2009-02-14 19:07 --------- d-----w c:\program files\Common Files\Enterbrain
2009-02-14 16:21 50,688 ----a-w c:\windows\Internet Logs\xDB511.tmp
2009-02-14 16:21 1,051,648 ----a-w c:\windows\Internet Logs\xDB510.tmp
2009-02-14 00:07 257,536 ----a-w c:\windows\Internet Logs\xDB50F.tmp
2009-02-14 00:07 1,072,640 ----a-w c:\windows\Internet Logs\xDB50E.tmp
2009-02-11 17:11 179,200 ----a-w c:\windows\Internet Logs\xDB50D.tmp
2009-02-11 17:11 1,065,472 ----a-w c:\windows\Internet Logs\xDB50C.tmp
2009-02-10 05:45 83,968 ----a-w c:\windows\Internet Logs\xDB50B.tmp
2009-02-10 05:45 1,045,504 ----a-w c:\windows\Internet Logs\xDB50A.tmp
2009-02-10 02:59 19,456 ----a-w c:\windows\Internet Logs\xDB509.tmp
2009-02-10 02:59 1,047,552 ----a-w c:\windows\Internet Logs\xDB508.tmp
2009-02-10 02:56 25,088 ----a-w c:\windows\Internet Logs\xDB507.tmp
2009-02-10 02:50 1,050,624 ----a-w c:\windows\Internet Logs\xDB506.tmp
2009-02-09 21:22 71,680 ----a-w c:\windows\Internet Logs\xDB505.tmp
2009-02-09 21:22 1,049,600 ----a-w c:\windows\Internet Logs\xDB504.tmp
2009-02-09 04:02 132,096 ----a-w c:\windows\Internet Logs\xDB503.tmp
2009-02-09 04:02 1,051,648 ----a-w c:\windows\Internet Logs\xDB502.tmp
2009-02-08 19:40 1,048,576 ----a-w c:\windows\Internet Logs\xDB500.tmp
2009-02-08 19:21 56,832 ----a-w c:\windows\Internet Logs\xDB501.tmp
2009-02-08 07:02 282,624 ----a-w c:\windows\Internet Logs\xDB4FF.tmp
2009-02-08 07:02 1,065,472 ----a-w c:\windows\Internet Logs\xDB4FE.tmp
2009-02-08 06:50 --------- d--h--w c:\program files\InstallShield Installation Information
2009-02-08 06:50 --------- d-----w c:\program files\Outspark
2009-02-07 03:09 38,400 ----a-w c:\windows\Internet Logs\xDB4FD.tmp
2009-02-07 03:09 1,016,832 ----a-w c:\windows\Internet Logs\xDB4FC.tmp
2009-02-06 04:04 651,776 ----a-w c:\windows\Internet Logs\xDB4FB.tmp
2009-02-06 04:04 1,025,024 ----a-w c:\windows\Internet Logs\xDB4FA.tmp
2009-02-01 07:01 316,416 ----a-w c:\windows\Internet Logs\xDB4F9.tmp
2009-02-01 05:33 1,011,200 ----a-w c:\windows\Internet Logs\xDB4F8.tmp
2009-01-30 02:26 72,192 ----a-w c:\windows\Internet Logs\xDB4F7.tmp
2009-01-30 02:26 1,035,264 ----a-w c:\windows\Internet Logs\xDB4F6.tmp
2009-01-29 17:42 26,310,790 ----a-w c:\windows\Internet Logs\tvDebug.zip
2009-01-29 17:38 1,701,888 ----a-w c:\windows\Internet Logs\xDB4F5.tmp
2009-01-29 17:38 1,026,048 ----a-w c:\windows\Internet Logs\xDB4F4.tmp
2009-01-26 19:49 --------- d-----w c:\documents and settings\Zenen\Application Data\MSN6
2009-01-26 18:25 31,232 ----a-w c:\windows\Internet Logs\xDB4F3.tmp
2009-01-26 18:25 1,003,008 ----a-w c:\windows\Internet Logs\xDB4F2.tmp
2009-01-26 18:08 265,216 ----a-w c:\windows\Internet Logs\xDB4F1.tmp
2009-01-26 18:08 1,004,032 ----a-w c:\windows\Internet Logs\xDB4F0.tmp
2007-11-06 03:29 32 --sha-w c:\windows\{629E3D0B-AA63-400C-AB8B-208478DFE17B}.dat
2006-05-03 09:06 163,328 --sh--r c:\windows\system32\flvDX.dll
2007-02-21 10:47 31,232 --sh--r c:\windows\system32\msfDX.dll
2008-03-16 12:30 216,064 --sh--r c:\windows\system32\nbDX.dll
2007-11-06 03:29 32 --sha-w c:\windows\system32\{9964F7E5-4FFD-473C-A8F1-47CF4E306B4B}.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\SoundMAX\SMax4PNP.exe" [2003-05-29 790528]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-09-12 335872]
"IntelliType"="c:\program files\Microsoft Hardware\Keyboard\type32.exe" [2002-03-21 94208]
"TPP Auto Loader"="c:\windows\tppaldr.exe" [2002-06-23 118784]
"Zone Labs Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2004-11-28 902432]
"ezShieldProtector for Px"="c:\windows\System32\ezSP_Px.exe" [2002-08-20 40960]
"DiscWizardMonitor.exe"="c:\program files\Seagate\DiscWizard\DiscWizardMonitor.exe" [2007-08-08 1169456]
"AcronisTimounterMonitor"="c:\program files\Seagate\DiscWizard\TimounterMonitor.exe" [2007-08-08 1945424]
"ASUS Probe"="c:\program files\ASUS\Probe\AsusProb.exe" [2002-12-06 617984]
"ccRegVfy"="c:\program files\Common Files\Symantec Shared\ccRegVfy.exe" [2002-08-19 34504]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2002-08-19 50880]
"Acronis Scheduler2 Service"="c:\program files\Common Files\Seagate\Schedule2\schedhlp.exe" [2007-08-08 148760]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2007-04-23 228088]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-10-01 111936]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-10-01 289576]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-04 148888]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
D-Link AirPlus.lnk - c:\program files\D-Link AirPlus\AirPlus.exe [2004-01-20 262144]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.I420"= i420vfw.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Acrobat Assistant.lnk
backup=c:\windows\pss\Acrobat Assistant.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Billminder.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Billminder.lnk
backup=c:\windows\pss\Billminder.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Color Calibration.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Color Calibration.lnk
backup=c:\windows\pss\Color Calibration.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Image Zone Fast Start.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Image Zone Fast Start.lnk
backup=c:\windows\pss\HP Image Zone Fast Start.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\InterVideo WinCinema Manager.lnk
backup=c:\windows\pss\InterVideo WinCinema Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinScheduler.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\InterVideo WinScheduler.lnk
backup=c:\windows\pss\InterVideo WinScheduler.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^MagicTune 3.6.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\MagicTune 3.6.lnk
backup=c:\windows\pss\MagicTune 3.6.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^NaturalColorLoad.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\NaturalColorLoad.lnk
backup=c:\windows\pss\NaturalColorLoad.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^PaperPort OneTouch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\PaperPort OneTouch.lnk
backup=c:\windows\pss\PaperPort OneTouch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Picture Package Menu.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Picture Package Menu.lnk
backup=c:\windows\pss\Picture Package Menu.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Picture Package VCD Maker.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Picture Package VCD Maker.lnk
backup=c:\windows\pss\Picture Package VCD Maker.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Startup.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Quicken Startup.lnk
backup=c:\windows\pss\Quicken Startup.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Snsicon.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Snsicon.lnk
backup=c:\windows\pss\Snsicon.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Holly^Start Menu^Programs^Startup^HotSync Manager.lnk]
path=c:\documents and settings\Holly\Start Menu\Programs\Startup\HotSync Manager.lnk
backup=c:\windows\pss\HotSync Manager.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Holly^Start Menu^Programs^Startup^MyWebSearch Email Plugin.lnk]
path=c:\documents and settings\Holly\Start Menu\Programs\Startup\MyWebSearch Email Plugin.lnk
backup=c:\windows\pss\MyWebSearch Email Plugin.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_CC]
--a------ 2008-02-11 19:37 579072 c:\progra~1\Grisoft\AVG7\avgcc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\fbdirect]
--a------ 1998-11-17 19:10 227328 c:\paprport\FBDirect.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2005-05-11 23:12 49152 c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPWUTOOLBOX]
--a------ 2005-09-19 10:31 352256 c:\program files\HP\HP Officejet Pro K550 Series\Toolbox\HPWUTBX.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-10-01 18:57 289576 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PP7600usb]
--a------ 1998-11-17 19:10 227328 c:\paprport\FBDirect.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-09-06 15:09 413696 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioAudioCentral]
--a------ 2003-01-09 09:21 253952 c:\program files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]
--a------ 2003-01-13 10:19 757760 c:\program files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioEngineUtility]
--a------ 2003-01-13 14:05 69632 c:\program files\Common Files\Roxio Shared\System\EngUtil.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2004-06-03 21:05 32881 c:\program files\Java\j2re1.4.2_05\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2006-10-25 21:39 185896 c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinDVR SchSvr]
--a------ 2005-04-14 01:14 106496 c:\program files\Common Files\InterVideo\SchSvr\SchSvr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"V2i Protector"=2 (0x2)
"PhotoshopElementsDeviceConnect"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=

R0 PQV2i;PQV2i;c:\windows\system32\drivers\PQV2i.sys [2003-09-12 132899]
R1 PQIMount;PQIMount;c:\windows\system32\drivers\PQIMount.sys [2003-09-12 46810]
S2 CX88XBAR;MSI 8606 Crossbar;c:\windows\system32\drivers\CX88XBar.SYS [2004-04-29 9159]
S2 Microsoft Inet Services;Microsoft Inet Services;c:\windows\System32\_svchost.exe -A --> c:\windows\System32\_svchost.exe -A [?]
S3 AdobeActiveFileMonitor;Adobe Active File Monitor;c:\program files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe [2004-10-04 98304]
S3 Hl_mull;Hl_mull;c:\windows\system32\drivers\hl_mull.sys [2004-06-29 29024]
S3 MPCSYS;MPCSYS;c:\windows\system32\drivers\mpcsys.SYS [2004-01-20 15360]
S3 pmxscan;Visioneer USB Service;c:\windows\system32\drivers\usbscan.sys [2008-01-26 15104]
S3 SQ931;V-Gear TalkCam RX7;c:\windows\system32\drivers\Capt931a.sys [2008-01-03 526464]
S3 TPPFX;USB Storage Adapter FX (TPP);c:\windows\system32\drivers\TPPFX.SYS [2004-07-03 32256]
S3 XDva226;XDva226;\??\c:\windows\system32\XDva226.sys --> c:\windows\system32\XDva226.sys [?]
S4 mrtRate;mrtRate;c:\windows\system32\drivers\MrtRate.sys [2004-04-04 34916]
S4 PhotoshopElementsDeviceConnect;Photoshop Elements Device Connect;c:\program files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe [2004-10-04 118784]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - POOF
*Deregistered* - poof
.
Contents of the 'Scheduled Tasks' folder

2009-03-18 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2009-03-22 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2002-08-07 09:04]
.
- - - - ORPHANS REMOVED - - - -

BHO-{18294237-6f91-4077-9862-c3b85c718a2a} - c:\windows\system32\lpqmbc.dll
BHO-{18e77802-3df0-42a3-849a-112d179191cb} - c:\windows\system32\hihutabo.dll
HKLM-Run-24a23766 - c:\windows\system32\lenozafi.dll
HKLM-Run-POINTER - point32.exe
MSConfigStartUp-MyWebSearch Email Plugin - c:\progra~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
MSConfigStartUp-WMedia32 - wmedia32.exe


.
------- Supplementary Scan -------
.
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
TCP: {2E98EA25-E79A-4BBC-94E7-FE818B23CC09} = 208.67.220.220,208.67.222.222
TCP: {3700FC48-CC40-44F5-8A39-38C3E59E6892} = 208.67.220.220,208.67.222.222
TCP: {B2C1D279-AE11-42C2-8234-2E9CE07481C3} = 208.67.220.220,208.67.222.222
DPF: RaptisoftGameLoader - hxxp://www.miniclip.com/hamsterball/raptisoftgameloader.cab
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-22 14:09:41
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\kprof]
"ImagePath"="\??\c:\windows\System32\kprof"
--

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\poof]
"ImagePath"="System32\poof"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\kprof]
"ImagePath"="\??\c:\windows\System32\kprof"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\poof]
"ImagePath"="System32\poof"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1144)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'lsass.exe'(1200)
c:\windows\system32\relog_ap.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Common Files\Seagate\Schedule2\schedul2.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\progra~1\Grisoft\AVG7\avgamsvr.exe
c:\progra~1\Grisoft\AVG7\avgupsvc.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\drivers\CDANTSRV.EXE
c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\program files\Microsoft Hardware\Mouse\point32.exe
c:\program files\Java\jre6\bin\jqs.exe
d:\norton antivirus\NAVAPSVC.EXE
c:\nexon\MapleStory\npkcmsvc.exe
d:\program files\Photodex\ProShowGold\scsiaccess.exe
c:\program files\Analog Devices\SoundMAX\SMAgent.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\ZoneLabs\vsmon.exe
c:\windows\system32\fxssvc.exe
c:\program files\Common Files\Symantec Shared\Security Center\SymWSC.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Messenger\msmsgs.exe
.
**************************************************************************
.
Completion time: 2009-03-22 14:13:24 - machine was rebooted
ComboFix-quarantined-files.txt 2009-03-22 22:13:19

Pre-Run: 32,877,895,680 bytes free
Post-Run: 34,395,414,528 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

Current=3 Default=3 Failed=1 LastKnownGood=4 Sets=1,2,3,4
615




GMER 1.0.15.14944 - http://www.gmer.net
Rootkit scan 2009-03-22 18:53:20
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs Inc.) ZwConnectPort [0xB6BC75CD] <-- ROOTKIT !!!
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs Inc.) ZwDeleteKey [0xB6BDB110] <-- ROOTKIT !!!
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs Inc.) ZwDeleteValueKey [0xB6BDB070] <-- ROOTKIT !!!
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs Inc.) ZwLoadKey [0xB6BDB190] <-- ROOTKIT !!!
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs Inc.) ZwOpenProcess [0xB6BDAAB0] <-- ROOTKIT !!!
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs Inc.) ZwReplaceKey [0xB6BDB240] <-- ROOTKIT !!!
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs Inc.) ZwRestoreKey [0xB6BDB2C0] <-- ROOTKIT !!!
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs Inc.) ZwSecureConnectPort [0xB6BC76F5] <-- ROOTKIT !!!
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs Inc.) ZwSetValueKey [0xB6BDAFC0] <-- ROOTKIT !!!

INT 0x06 \??\C:\WINDOWS\System32\drivers\Haspnt.sys (HASP Kernel Device Driver for Windows NT/Aladdin Knowledge Systems) B65A316D
INT 0x0E \??\C:\WINDOWS\System32\drivers\Haspnt.sys (HASP Kernel Device Driver for Windows NT/Aladdin Knowledge Systems) B65A2FC2

Code F87B4406 ZwCreateFile
Code F87B529C ZwCreateKey
Code F87B5178 ZwEnumerateKey
Code F87B523C ZwEnumerateValueKey
Code F87B42B8 ZwOpenFile
Code F87B5330 ZwOpenKey
Code F87B411C ZwQueryDirectoryFile
Code F87B5D52 ZwTerminateProcess
Code F87B4405 NtCreateFile
Code F87B42B7 NtOpenFile
Code F87B411B NtQueryDirectoryFile

---- Kernel code sections - GMER 1.0.15 ----

PAGE ntoskrnl.exe!ZwOpenKey 80571CBC 5 Bytes JMP F87B5334
PAGE ntoskrnl.exe!ZwCreateKey 80577284 5 Bytes JMP F87B52A0
PAGE ntoskrnl.exe!ZwEnumerateKey 805783FA 5 Bytes JMP F87B517C
PAGE ntoskrnl.exe!NtCreateFile 8057D3B5 5 Bytes JMP F87B440A
PAGE ntoskrnl.exe!NtOpenFile 8057D529 5 Bytes JMP F87B42BC
PAGE ntoskrnl.exe!NtQueryDirectoryFile 8057FAD8 5 Bytes JMP F87B4120
PAGE ntoskrnl.exe!ZwTerminateProcess 8058C549 5 Bytes JMP F87B5D56
PAGE ntoskrnl.exe!ZwEnumerateValueKey 8058F60D 5 Bytes JMP F87B5240
? Combo-Fix.sys The system cannot find the file specified. !
? C:\ComboFix\catchme.sys The system cannot find the file specified. !
? C:\WINDOWS\system32\Drivers\PROCEXP90.SYS The system cannot find the file specified. !

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \SystemRoot\System32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisRegisterProtocol] [B6BCB310] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs Inc.)
IAT \SystemRoot\System32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisOpenAdapter] [B6BCB5A0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs Inc.)
IAT \SystemRoot\System32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisCloseAdapter] [B6BCB6E0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs Inc.)
IAT \SystemRoot\System32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisDeregisterProtocol] [B6BCB490] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs Inc.)
IAT \SystemRoot\System32\DRIVERS\psched.sys[NDIS.SYS!NdisDeregisterProtocol] [B6BCB490] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs Inc.)
IAT \SystemRoot\System32\DRIVERS\psched.sys[NDIS.SYS!NdisRegisterProtocol] [B6BCB310] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs Inc.)
IAT \SystemRoot\System32\DRIVERS\psched.sys[NDIS.SYS!NdisOpenAdapter] [B6BCB5A0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs Inc.)
IAT \SystemRoot\System32\DRIVERS\psched.sys[NDIS.SYS!NdisCloseAdapter] [B6BCB6E0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs Inc.)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisRegisterProtocol] [B6BCB310] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs Inc.)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisCloseAdapter] [B6BCB6E0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs Inc.)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisOpenAdapter] [B6BCB5A0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs Inc.)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisDeregisterProtocol] [B6BCB490] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs Inc.)
IAT \SystemRoot\System32\DRIVERS\tcpip.sys[NDIS.SYS!NdisCloseAdapter] [B6BCB6E0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs Inc.)
IAT \SystemRoot\System32\DRIVERS\tcpip.sys[NDIS.SYS!NdisOpenAdapter] [B6BCB5A0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs Inc.)
IAT \SystemRoot\System32\DRIVERS\tcpip.sys[NDIS.SYS!NdisRegisterProtocol] [B6BCB310] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs Inc.)
IAT \SystemRoot\System32\drivers\afd.sys[ntoskrnl.exe!IoCreateFile] [B6BE69C0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs Inc.)
IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisDeregisterProtocol] [B6BCB490] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs Inc.)
IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisRegisterProtocol] [B6BCB310] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs Inc.)
IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisOpenAdapter] [B6BCB5A0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs Inc.)
IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisCloseAdapter] [B6BCB6E0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs Inc.)
IAT \SystemRoot\System32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisRegisterProtocol] [B6BCB310] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs Inc.)
IAT \SystemRoot\System32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisDeregisterProtocol] [B6BCB490] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs Inc.)
IAT \SystemRoot\System32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisCloseAdapter] [B6BCB6E0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs Inc.)
IAT \SystemRoot\System32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisOpenAdapter] [B6BCB5A0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs Inc.)

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs avg7rsw.sys (AVG Resident Shield Unload Helper/GRISOFT, s.r.o.)
AttachedDevice \FileSystem\Ntfs \Ntfs SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)
AttachedDevice \FileSystem\Ntfs \Ntfs PQV2i.sys (StorageCraft Volume Snap-Shot/StorageCraft)

Device \Driver\Tcpip \Device\Ip vsdatant.sys (TrueVector Device Driver/Zone Labs Inc.)

AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Norton Internet Security Filter/Symantec Corporation)

Device pci.sys (NT Plug and Play PCI Enumerator/Microsoft Corporation)
Device \Driver\Tcpip \Device\Tcp vsdatant.sys (TrueVector Device Driver/Zone Labs Inc.)

AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Norton Internet Security Filter/Symantec Corporation)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 snapman.sys (Acronis Snapshot API/Acronis)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 PQV2i.sys (StorageCraft Volume Snap-Shot/StorageCraft)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 snapman.sys (Acronis Snapshot API/Acronis)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 PQV2i.sys (StorageCraft Volume Snap-Shot/StorageCraft)

Device \Driver\Tcpip \Device\Udp vsdatant.sys (TrueVector Device Driver/Zone Labs Inc.)

AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Norton Internet Security Filter/Symantec Corporation)

Device \Driver\Tcpip \Device\RawIp vsdatant.sys (TrueVector Device Driver/Zone Labs Inc.)

AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Norton Internet Security Filter/Symantec Corporation)

Device \Driver\Tcpip \Device\IPMULTICAST vsdatant.sys (TrueVector Device Driver/Zone Labs Inc.)

AttachedDevice \FileSystem\Fastfat \Fat PQV2i.sys (StorageCraft Volume Snap-Shot/StorageCraft)
AttachedDevice \FileSystem\Fastfat \Fat avg7rsw.sys (AVG Resident Shield Unload Helper/GRISOFT, s.r.o.)
AttachedDevice \FileSystem\Fastfat \Fat SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)

---- Modules - GMER 1.0.15 ----

Module poof (*** hidden *** ) F87B3000-F87BD000 (40960 bytes)

---- Services - GMER 1.0.15 ----

Service C:\WINDOWS\System32\kprof (*** hidden *** ) [SYSTEM] kprof <-- ROOTKIT !!!
Service System32\poof (*** hidden *** ) [BOOT] poof <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\ControlSet002\Services\kprof
Reg HKLM\SYSTEM\ControlSet002\Services\kprof@Type 1
Reg HKLM\SYSTEM\ControlSet002\Services\kprof@Start 1
Reg HKLM\SYSTEM\ControlSet002\Services\kprof@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet002\Services\kprof@ImagePath \??\C:\WINDOWS\System32\kprof
Reg HKLM\SYSTEM\ControlSet002\Services\kprof\Security
Reg HKLM\SYSTEM\ControlSet002\Services\kprof\Security@Security 0x01 0x00 0x14 0x80 ...
Reg HKLM\SYSTEM\ControlSet002\Services\poof
Reg HKLM\SYSTEM\ControlSet002\Services\poof@Type 1
Reg HKLM\SYSTEM\ControlSet002\Services\poof@Start 0
Reg HKLM\SYSTEM\ControlSet002\Services\poof@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet002\Services\poof@ImagePath System32\poof
Reg HKLM\SYSTEM\ControlSet002\Services\poof\Security
Reg HKLM\SYSTEM\ControlSet002\Services\poof\Security@Security 0x01 0x00 0x14 0x80 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\kprof
Reg HKLM\SYSTEM\CurrentControlSet\Services\kprof@Type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\kprof@Start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\kprof@ErrorControl 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\kprof@ImagePath \??\C:\WINDOWS\System32\kprof
Reg HKLM\SYSTEM\CurrentControlSet\Services\kprof\Security
Reg HKLM\SYSTEM\CurrentControlSet\Services\kprof\Security@Security 0x01 0x00 0x14 0x80 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\poof
Reg HKLM\SYSTEM\CurrentControlSet\Services\poof@Type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\poof@Start 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\poof@ErrorControl 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\poof@ImagePath System32\poof
Reg HKLM\SYSTEM\CurrentControlSet\Services\poof\Security
Reg HKLM\SYSTEM\CurrentControlSet\Services\poof\Security@Security 0x01 0x00 0x14 0x80 ...
Reg HKLM\SYSTEM\ControlSet004\Services\kprof
Reg HKLM\SYSTEM\ControlSet004\Services\kprof@Type 1
Reg HKLM\SYSTEM\ControlSet004\Services\kprof@Start 1
Reg HKLM\SYSTEM\ControlSet004\Services\kprof@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet004\Services\kprof@ImagePath \??\C:\WINDOWS\System32\kprof
Reg HKLM\SYSTEM\ControlSet004\Services\kprof\Security
Reg HKLM\SYSTEM\ControlSet004\Services\kprof\Security@Security 0x01 0x00 0x14 0x80 ...
Reg HKLM\SYSTEM\ControlSet004\Services\poof
Reg HKLM\SYSTEM\ControlSet004\Services\poof@Type 1
Reg HKLM\SYSTEM\ControlSet004\Services\poof@Start 0
Reg HKLM\SYSTEM\ControlSet004\Services\poof@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet004\Services\poof@ImagePath System32\poof
Reg HKLM\SYSTEM\ControlSet004\Services\poof\Security
Reg HKLM\SYSTEM\ControlSet004\Services\poof\Security@Security 0x01 0x00 0x14 0x80 ...

---- Files - GMER 1.0.15 ----

File C:\Qoobox\Quarantine\C\WINDOWS\system32\kprof.vir 7040 bytes
File C:\Qoobox\Quarantine\C\WINDOWS\system32\poof.vir 37632 bytes

---- EOF - GMER 1.0.15 ----
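The GMER log above is the key evidence in this thread: two services marked `*** hidden ***` and tagged `<-- ROOTKIT !!!`, a hidden in-memory module with the same name as one of them, and registry entries describing how each service loads. The helper below is an added example, not code from this thread or from GMER, that parses those three report sections and joins each hidden service with its `Type`, `Start` and `ImagePath` values from `CurrentControlSet`, so a responder can see at a glance that both are kernel drivers (`Type 1`) started at boot or system start. The embedded log excerpt is a constructed cut-down of the log posted here; the `SERVICE_TYPES` and `START_TYPES` names are the standard Windows service constants for those numeric values.

```python
import re
from collections import defaultdict

# Constructed excerpt modelled on the GMER 1.0.15 log posted above; only the
# line types the parser understands are kept, the real log is far longer.
SAMPLE_GMER_LOG = r"""
---- Modules - GMER 1.0.15 ----

Module poof (*** hidden *** ) F87B3000-F87BD000 (40960 bytes)

---- Services - GMER 1.0.15 ----

Service C:\WINDOWS\System32\kprof (*** hidden *** ) [SYSTEM] kprof <-- ROOTKIT !!!
Service System32\poof (*** hidden *** ) [BOOT] poof <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\kprof
Reg HKLM\SYSTEM\CurrentControlSet\Services\kprof@Type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\kprof@Start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\kprof@ImagePath \??\C:\WINDOWS\System32\kprof
Reg HKLM\SYSTEM\CurrentControlSet\Services\poof
Reg HKLM\SYSTEM\CurrentControlSet\Services\poof@Type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\poof@Start 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\poof@ImagePath System32\poof
"""

HIDDEN = r"\(\*\*\* hidden \*\*\* \)"
MODULE_RE = re.compile(r"^Module\s+(?P<name>\S+)\s+" + HIDDEN)
SERVICE_RE = re.compile(
    r"^Service\s+(?P<path>\S+)\s+" + HIDDEN + r"\s+\[(?P<group>\w+)\]\s+(?P<name>\S+)")
# Matches only the service key's own values (Type/Start/ImagePath); the
# ...\Security subkey lines do not match because a backslash is excluded
# from the name group.
REG_RE = re.compile(
    r"^Reg\s+HKLM\\SYSTEM\\(?P<cs>\w+)\\Services\\(?P<name>[^@\\\s]+)"
    r"(?:@(?P<value>\w+)\s+(?P<data>.*))?$")

# Windows SERVICE_* constants for the numeric Type and Start registry values.
SERVICE_TYPES = {"1": "KERNEL_DRIVER", "2": "FILE_SYSTEM_DRIVER",
                 "16": "WIN32_OWN_PROCESS", "32": "WIN32_SHARE_PROCESS"}
START_TYPES = {"0": "BOOT_START", "1": "SYSTEM_START", "2": "AUTO_START",
               "3": "DEMAND_START", "4": "DISABLED"}


def parse_gmer_log(text):
    """Return (hidden_modules, hidden_services, registry) from GMER report text."""
    hidden_modules = []
    hidden_services = {}
    registry = defaultdict(dict)  # service name -> {value name: data}
    for raw in text.splitlines():
        line = raw.strip()
        m = MODULE_RE.match(line)
        if m:
            hidden_modules.append(m.group("name"))
            continue
        m = SERVICE_RE.match(line)
        if m:
            hidden_services[m.group("name")] = {"path": m.group("path"),
                                                "group": m.group("group")}
            continue
        m = REG_RE.match(line)
        if m and m.group("cs") == "CurrentControlSet" and m.group("value"):
            registry[m.group("name")][m.group("value")] = m.group("data").strip()
    return hidden_modules, hidden_services, registry


def triage(text):
    """One finding per hidden service, enriched with its registry configuration."""
    modules, services, registry = parse_gmer_log(text)
    findings = []
    for name, svc in services.items():
        values = registry.get(name, {})
        findings.append({
            "service": name,
            "image": values.get("ImagePath", svc["path"]),
            "type": SERVICE_TYPES.get(values.get("Type"), "unknown"),
            "start": START_TYPES.get(values.get("Start"), "unknown"),
            "load_group": svc["group"],
            # A hidden module with the same name means the driver is in memory now.
            "hidden_module_loaded": name in modules,
        })
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_GMER_LOG):
        print(f"{f['service']}: {f['type']} {f['start']} image={f['image']} "
              f"module_in_memory={f['hidden_module_loaded']}")
```

The join is what matters for the response decision: a service that GMER cannot see through the normal API but that the registry says is a kernel driver loaded before the user logs on is exactly the "full control" situation PropagandaPanda describes later in the thread, and it is why the fix script has to remove both the files and the `Driver::` entries.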

#7 PropagandaPanda
  • Malware Response Team
  • 10,433 posts
  • Gender:Male

Posted 23 March 2009 - 07:21 AM

Hello.

That is a nasty infection.

Backdoor Threat
I'm sorry to say that your computer is infected with one or more backdoor trojans.

This means that sensitive information could have been stolen. I would advise to change any passwords for any accounts that you have accessed with the infected computer using a clean computer ASAP. If you have used this computer for banking, I would strongly suggest that you report the possible stolen information. Please do not use the computer for any further transactions, or to enter any other information, if at all possible, until it is declared clean.

You may want to read this article on how to handle identity theft.
You may also want to read this article regarding preventing of identity theft.

This computer can still be cleaned, however, I cannot guarantee that it will be 100% safe even after disinfection.

Please read When Should I Format, How Should I Reinstall.

I will proceed assuming you wish to disinfect. If you want to do a reinstall, reply back saying so.

Run ComboFix with CFScript
We will run ComboFix again with a script.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are unsure how.
  • Open notepad (Start>Run>"notepad") and copy/paste the text in the box below into it:
    File::
    c:\windows\system32\payukiji.dll
    c:\windows\instsp2.exe
    c:\windows\system32\yavaneyu.dll
    c:\windows\system32\ranaguho.dll
    c:\windows\system32\yodutiti.dll
    c:\windows\system32\nogekago.dll
    c:\windows\system32\kajorila.dll
    c:\windows\system32\venelumi.dll
    c:\windows\system32\nujugeze.dll
    c:\windows\system32\molezovu.dll
    C:\NTDETECT.EXE
    c:\windows\system32\nayulowo.dll
    c:\windows\System32\_svchost.exe
    
    Rootkit::
    C:\WINDOWS\System32\kprof
    C:\WINDOWS\System32\poof
    
    Driver::
    Microsoft Inet Services
    kprof
    poof
    Save this as CFScript.txt, in the same location as ComboFix.exe. (This should be your desktop.)
    [image omitted]
    Referring to the picture above, drag CFScript into ComboFix.exe.
When finished, it shall produce a log for you at "C:\ComboFix.txt". Post back with that log.

Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Download and run MalwareBytes Anti-Malware
If you already have MBAM installed, simply update and run a quick scan.

Please download the Malwarebytes Anti-Malware setup and save it to your desktop.
alternate download link 1
alternate download link 2

Refer to the steps given here on installing MalwareBytes, running the scan, and saving the log file (not on using FileAssassin).
  • If you have trouble updating, try the other mirror download site.
  • Should the computer in question not be able to update using the normal method, download the update file from here, using another machine if needed. Simply double-click the file to install the updates.
  • If MalwareBytes asks to reboot to remove certain items, do so right away.
Please include the scan logfile in your next reply.

---
AVG7 is outdated. Please uninstall it using Add/Remove Programs.

Then, install a new antivirus. After installing, update the database, run a full system scan and remove any items found.

Please post back with:
-the ComboFix log
-the MalwareBytes log
-a new GMER log (taken after MalwareBytes)
-a new DDS log (taken after installing the antivirus)

I know it's a bit much, but with these types of infections, we have to nuke it completely.

With Regards,
The Panda

#8 amnesia
  • Topic Starter
  • Members
  • 31 posts

Posted 23 March 2009 - 09:37 PM

Hi Panda:

Thanks for all the info.
Which backdoor virus is it that I'm infected with?
Doesn't the fact that all my computers are behind a router as well as software firewall (zonealarm) limit the likelihood that info was stolen?


I will re-format and re-install the OS as the computer is due for a cleanup anyways.
It is partitioned to a C & D drive and the D drive has all my photos on it. Is it risky to leave the D drive, or should that be re-formatted and partitioned as well? If I back up the photos and data and then re-format/repartition, how do I know that the backup of the photos and data won't re-infect the system once it is restored? How far do you need to go?

The other question is how do I find out if this virus is on any of the other computers on my network? I have antivirus software and spybot but they all give different results, and spybot indicated that virtumonde was on another computer in my house which I use to do my banking!!!


Thanks
Amnesia

#9 PropagandaPanda
  • Malware Response Team
  • 10,433 posts
  • Gender:Male

Posted 24 March 2009 - 07:22 AM

Hello.

Data files such as photos, music and text are safe to keep. These files are not "executed" so they cannot be infected with malicious code.

The infection is not a common one and is unnamed.
C:\WINDOWS\System32\kprof
C:\WINDOWS\System32\poof

The infection was able to hide those files, meaning it had full control of your computer.
---
I would suggest starting off in the Am I infected forum for your other machines.

With Regards,
The Panda
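amnesia asked how to be sure a backup of the D: drive will not carry the infection back onto a freshly installed system, and PropagandaPanda's answer is that plain data files are safe because nothing executes them. The script below is an added example, not code from this thread, that turns that rule into a pre-restore check: it walks a backup tree and reports every file that is not a plain data type, so that executables, scripts, shortcuts, `autorun.inf`, extensionless files (the two rootkit files in this thread, `kprof` and `poof`, had no extension) and "double extension" names such as `IMG_0042.JPG.exe` can be left out before the rest is copied back. The two extension sets are assumptions for this example; extend `DATA_EXTS` to match what your own backup holds.

```python
import os
from pathlib import PurePath

# Conservative allowlist of data types a photo/music/document backup should
# contain; an assumption for this example, extend it for your own backup.
DATA_EXTS = {".jpg", ".jpeg", ".png", ".gif", ".tif", ".tiff", ".bmp", ".raw",
             ".mp3", ".wav", ".wma", ".m4a", ".txt", ".csv", ".rtf", ".pdf",
             ".doc", ".xls", ".ppt", ".avi", ".mpg", ".mov", ".wmv"}
# Types Windows will run directly, or that point at or install something it runs.
EXECUTABLE_EXTS = {".exe", ".dll", ".sys", ".scr", ".com", ".pif", ".cpl", ".ocx",
                   ".bat", ".cmd", ".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh",
                   ".hta", ".msi", ".reg", ".lnk", ".inf"}
# Files that change autostart or folder behaviour without being "run" by the user.
SPECIAL_NAMES = {"autorun.inf", "desktop.ini"}


def classify(path):
    """Return (verdict, reason): 'ok' restore as-is, 'flag' leave out, 'review' look first."""
    # Accept Windows or POSIX separators so a path copied from the backup works anywhere.
    name = path.replace("\\", "/").rsplit("/", 1)[-1].lower()
    suffixes = PurePath(name).suffixes
    if name in SPECIAL_NAMES:
        return ("flag", "autostart/metadata file")
    if not suffixes:
        # The hidden rootkit files in this thread (kprof, poof) had no extension.
        return ("flag", "no extension")
    last = suffixes[-1]
    if last in EXECUTABLE_EXTS:
        if len(suffixes) > 1 and suffixes[-2] in DATA_EXTS:
            return ("flag", "double extension disguised as data")
        return ("flag", "executable type")
    if last in DATA_EXTS:
        return ("ok", "data file")
    return ("review", "unknown type")


def scan_backup(root):
    """Walk a backup tree; return every file that is not a plain data file."""
    problems = []
    for dirpath, _dirs, filenames in os.walk(root):
        for fn in filenames:
            verdict, reason = classify(fn)
            if verdict != "ok":
                problems.append((os.path.join(dirpath, fn), verdict, reason))
    return problems


if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, verdict, reason in scan_backup(root):
        print(f"{verdict:6} {reason:36} {path}")
```

Run it against the backup copy before restoring; an empty report means the tree holds only the allowlisted data types, and anything listed as `review` is a type you should recognise and add to the allowlist yourself rather than restore blindly.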

#10 amnesia
  • Topic Starter
  • Members
  • 31 posts

Posted 29 March 2009 - 01:20 PM

WOW!!!
That was a lot of work!

I tried to follow your instructions to the letter.
Here are all the logs:
ComboFix 09-03-19.02 - Jelfy 2009-03-28 13:12:07.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.511.193 [GMT -8:00]
Running from: c:\documents and settings\Jelfy\Desktop\VIRUS SCANNER\ComboFix.exe
Command switches used :: c:\documents and settings\Jelfy\Desktop\VIRUS SCANNER\CFScript.txt
AV: AVG 7.5.516 *On-access scanning disabled* (Outdated)
AV: Norton AntiVirus *On-access scanning disabled* (Updated)
FW: ZoneAlarm Firewall *enabled*
* Created a new restore point

FILE ::
C:\NTDETECT.EXE
c:\windows\instsp2.exe
c:\windows\System32\_svchost.exe
c:\windows\system32\kajorila.dll
c:\windows\system32\molezovu.dll
c:\windows\system32\nayulowo.dll
c:\windows\system32\nogekago.dll
c:\windows\system32\nujugeze.dll
c:\windows\system32\payukiji.dll
c:\windows\system32\ranaguho.dll
c:\windows\system32\venelumi.dll
c:\windows\system32\yavaneyu.dll
c:\windows\system32\yodutiti.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\NTDETECT.EXE
c:\windows\instsp2.exe
c:\windows\system32\kajorila.dll
c:\windows\system32\koos.exe
c:\windows\System32\kprof
c:\windows\system32\molezovu.dll
c:\windows\system32\nayulowo.dll
c:\windows\system32\nogekago.dll
c:\windows\system32\nujugeze.dll
c:\windows\system32\payukiji.dll
c:\windows\System32\poof
c:\windows\system32\ranaguho.dll
c:\windows\system32\venelumi.dll
c:\windows\system32\yavaneyu.dll
c:\windows\system32\yodutiti.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_MICROSOFT_INET_SERVICES
-------\Legacy_POOF
-------\Service_kprof
-------\Service_Microsoft Inet Services
-------\Service_poof


((((((((((((((((((((((((( Files Created from 2009-02-28 to 2009-03-28 )))))))))))))))))))))))))))))))
.

2009-03-04 20:33 . 2009-03-04 20:34 <DIR> d-------- c:\windows\ERUNT
2009-03-04 17:39 . 2009-03-04 21:54 <DIR> d-------- C:\SDFix
2009-03-04 17:32 . 2009-03-04 17:31 410,984 --a------ c:\windows\system32\deploytk.dll
2009-03-04 17:32 . 2009-03-04 17:31 73,728 --a------ c:\windows\system32\javacpl.cpl
2009-03-03 22:01 . 2009-03-03 22:01 <DIR> d-------- C:\VundoFix Backups
2009-03-02 23:22 . 2009-03-04 23:22 382 --a------ c:\windows\wininit.ini

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-28 21:23 --------- d-----w c:\program files\Common Files\Symantec Shared
2009-03-22 21:47 --------- d-----w c:\documents and settings\Jelfy\Application Data\AVG7
2009-03-19 19:22 --------- d-----w c:\documents and settings\Holly\Application Data\AdobeUM
2009-03-18 22:54 73,728 ----a-w c:\windows\Internet Logs\xDB543.tmp
2009-03-18 22:54 1,283,584 ----a-w c:\windows\Internet Logs\xDB542.tmp
2009-03-16 02:42 --------- d-----w c:\documents and settings\Zenen\Application Data\DNA
2009-03-16 02:39 36,864 ----a-w c:\windows\Internet Logs\xDB541.tmp
2009-03-16 02:39 1,279,488 ----a-w c:\windows\Internet Logs\xDB540.tmp
2009-03-15 22:01 --------- d-----w c:\program files\DNA
2009-03-15 20:58 43,008 ----a-w c:\windows\Internet Logs\xDB53F.tmp
2009-03-15 20:58 1,285,632 ----a-w c:\windows\Internet Logs\xDB53E.tmp
2009-03-14 16:29 22,528 ----a-w c:\windows\Internet Logs\xDB53D.tmp
2009-03-14 16:27 1,281,536 ----a-w c:\windows\Internet Logs\xDB53C.tmp
2009-03-13 20:39 13,312 ----a-w c:\windows\Internet Logs\xDB53B.tmp
2009-03-13 20:39 1,272,320 ----a-w c:\windows\Internet Logs\xDB53A.tmp
2009-03-13 20:28 415,744 ----a-w c:\windows\Internet Logs\xDB539.tmp
2009-03-13 20:28 1,320,960 ----a-w c:\windows\Internet Logs\xDB538.tmp
2009-03-10 04:48 24,576 ----a-w c:\windows\Internet Logs\xDB537.tmp
2009-03-10 04:48 1,276,416 ----a-w c:\windows\Internet Logs\xDB536.tmp
2009-03-10 04:22 380,928 ----a-w c:\windows\Internet Logs\xDB535.tmp
2009-03-10 04:22 1,280,512 ----a-w c:\windows\Internet Logs\xDB534.tmp
2009-03-08 21:04 430,592 ----a-w c:\windows\Internet Logs\xDB533.tmp
2009-03-08 20:40 1,294,336 ----a-w c:\windows\Internet Logs\xDB532.tmp
2009-03-07 18:07 1,298,944 ----a-w c:\windows\Internet Logs\xDB530.tmp
2009-03-07 18:06 2,191,360 ----a-w c:\windows\Internet Logs\xDB531.tmp
2009-03-06 02:48 176,640 ----a-w c:\windows\Internet Logs\xDB52F.tmp
2009-03-06 02:45 1,276,416 ----a-w c:\windows\Internet Logs\xDB52E.tmp
2009-03-06 00:33 92,160 ----a-w c:\windows\Internet Logs\xDB52D.tmp
2009-03-06 00:33 1,272,320 ----a-w c:\windows\Internet Logs\xDB52C.tmp
2009-03-05 18:16 593,408 ----a-w c:\windows\Internet Logs\xDB52B.tmp
2009-03-05 18:16 1,275,392 ----a-w c:\windows\Internet Logs\xDB52A.tmp
2009-03-05 07:22 --------- d-----w c:\program files\Spybot - Search & Destroy
2009-03-05 06:01 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-03-05 01:31 --------- d-----w c:\program files\Java
2009-03-02 21:40 14,902,854 ----a-w c:\windows\Internet Logs\zlclient_2nd_2009_03_01_22_32_12.dmp.zip
2009-03-02 15:43 1,101,312 ----a-w c:\windows\Internet Logs\xDB528.tmp
2009-03-02 15:42 92,672 ----a-w c:\windows\Internet Logs\xDB529.tmp
2009-03-02 02:56 19,968 ----a-w c:\windows\Internet Logs\xDB527.tmp
2009-03-02 02:55 1,112,064 ----a-w c:\windows\Internet Logs\xDB526.tmp
2009-03-02 02:43 300,032 ----a-w c:\windows\Internet Logs\xDB525.tmp
2009-03-02 02:43 1,101,824 ----a-w c:\windows\Internet Logs\xDB524.tmp
2009-02-28 20:13 15,130,683 ----a-w c:\windows\Internet Logs\zlclient_2nd_2009_02_28_07_32_21.dmp.zip
2009-02-28 20:12 14,631,393 ----a-w c:\windows\Internet Logs\zlclient_2nd_2009_02_28_07_32_09.dmp.zip
2009-02-28 19:37 293,376 ----a-w c:\windows\Internet Logs\xDB523.tmp
2009-02-28 19:37 1,104,384 ----a-w c:\windows\Internet Logs\xDB522.tmp
2009-02-25 21:03 51,712 ----a-w c:\windows\Internet Logs\xDB521.tmp
2009-02-25 21:02 1,086,976 ----a-w c:\windows\Internet Logs\xDB520.tmp
2009-02-24 22:03 1,084,416 ----a-w c:\windows\Internet Logs\xDB51E.tmp
2009-02-24 21:37 110,080 ----a-w c:\windows\Internet Logs\xDB51F.tmp
2009-02-22 20:20 24,064 ----a-w c:\windows\Internet Logs\xDB51D.tmp
2009-02-22 20:20 1,061,376 ----a-w c:\windows\Internet Logs\xDB51C.tmp
2009-02-22 06:12 195,584 ----a-w c:\windows\Internet Logs\xDB51B.tmp
2009-02-22 06:12 1,061,376 ----a-w c:\windows\Internet Logs\xDB51A.tmp
2009-02-20 06:07 204,288 ----a-w c:\windows\Internet Logs\xDB519.tmp
2009-02-20 06:03 1,062,912 ----a-w c:\windows\Internet Logs\xDB518.tmp
2009-02-19 17:10 800,256 ----a-w c:\windows\Internet Logs\xDB517.tmp
2009-02-19 17:10 1,068,544 ----a-w c:\windows\Internet Logs\xDB516.tmp
2009-02-15 16:54 29,184 ----a-w c:\windows\Internet Logs\xDB515.tmp
2009-02-15 16:03 1,057,280 ----a-w c:\windows\Internet Logs\xDB514.tmp
2009-02-14 23:24 44,032 ----a-w c:\windows\Internet Logs\xDB513.tmp
2009-02-14 23:24 1,061,888 ----a-w c:\windows\Internet Logs\xDB512.tmp
2009-02-14 19:07 --------- d-----w c:\program files\Common Files\Enterbrain
2009-02-14 16:21 50,688 ----a-w c:\windows\Internet Logs\xDB511.tmp
2009-02-14 16:21 1,051,648 ----a-w c:\windows\Internet Logs\xDB510.tmp
2009-02-14 00:07 257,536 ----a-w c:\windows\Internet Logs\xDB50F.tmp
2009-02-14 00:07 1,072,640 ----a-w c:\windows\Internet Logs\xDB50E.tmp
2009-02-11 17:11 179,200 ----a-w c:\windows\Internet Logs\xDB50D.tmp
2009-02-11 17:11 1,065,472 ----a-w c:\windows\Internet Logs\xDB50C.tmp
2009-02-10 05:45 83,968 ----a-w c:\windows\Internet Logs\xDB50B.tmp
2009-02-10 05:45 1,045,504 ----a-w c:\windows\Internet Logs\xDB50A.tmp
2009-02-10 02:59 19,456 ----a-w c:\windows\Internet Logs\xDB509.tmp
2009-02-10 02:59 1,047,552 ----a-w c:\windows\Internet Logs\xDB508.tmp
2009-02-10 02:56 25,088 ----a-w c:\windows\Internet Logs\xDB507.tmp
2009-02-10 02:50 1,050,624 ----a-w c:\windows\Internet Logs\xDB506.tmp
2009-02-09 21:22 71,680 ----a-w c:\windows\Internet Logs\xDB505.tmp
2009-02-09 21:22 1,049,600 ----a-w c:\windows\Internet Logs\xDB504.tmp
2009-02-09 04:02 132,096 ----a-w c:\windows\Internet Logs\xDB503.tmp
2009-02-09 04:02 1,051,648 ----a-w c:\windows\Internet Logs\xDB502.tmp
2009-02-08 19:40 1,048,576 ----a-w c:\windows\Internet Logs\xDB500.tmp
2009-02-08 19:21 56,832 ----a-w c:\windows\Internet Logs\xDB501.tmp
2009-02-08 07:02 282,624 ----a-w c:\windows\Internet Logs\xDB4FF.tmp
2009-02-08 07:02 1,065,472 ----a-w c:\windows\Internet Logs\xDB4FE.tmp
2009-02-08 06:50 --------- d--h--w c:\program files\InstallShield Installation Information
2009-02-08 06:50 --------- d-----w c:\program files\Outspark
2009-02-07 03:09 38,400 ----a-w c:\windows\Internet Logs\xDB4FD.tmp
2009-02-07 03:09 1,016,832 ----a-w c:\windows\Internet Logs\xDB4FC.tmp
2009-02-06 04:04 651,776 ----a-w c:\windows\Internet Logs\xDB4FB.tmp
2009-02-06 04:04 1,025,024 ----a-w c:\windows\Internet Logs\xDB4FA.tmp
2009-02-01 07:01 316,416 ----a-w c:\windows\Internet Logs\xDB4F9.tmp
2009-02-01 05:33 1,011,200 ----a-w c:\windows\Internet Logs\xDB4F8.tmp
2009-01-30 02:26 72,192 ----a-w c:\windows\Internet Logs\xDB4F7.tmp
2009-01-30 02:26 1,035,264 ----a-w c:\windows\Internet Logs\xDB4F6.tmp
2009-01-29 17:42 26,310,790 ----a-w c:\windows\Internet Logs\tvDebug.zip
2009-01-29 17:38 1,701,888 ----a-w c:\windows\Internet Logs\xDB4F5.tmp
2009-01-29 17:38 1,026,048 ----a-w c:\windows\Internet Logs\xDB4F4.tmp
2009-01-26 18:25 31,232 ----a-w c:\windows\Internet Logs\xDB4F3.tmp
2009-01-26 18:25 1,003,008 ----a-w c:\windows\Internet Logs\xDB4F2.tmp
2009-01-26 18:08 265,216 ----a-w c:\windows\Internet Logs\xDB4F1.tmp
2009-01-26 18:08 1,004,032 ----a-w c:\windows\Internet Logs\xDB4F0.tmp
2009-01-25 01:54 226,304 ----a-w c:\windows\Internet Logs\xDB4EF.tmp
2007-11-06 03:29 32 --sha-w c:\windows\{629E3D0B-AA63-400C-AB8B-208478DFE17B}.dat
2006-05-03 09:06 163,328 --sh--r c:\windows\system32\flvDX.dll
2007-02-21 10:47 31,232 --sh--r c:\windows\system32\msfDX.dll
2008-03-16 12:30 216,064 --sh--r c:\windows\system32\nbDX.dll
2007-11-06 03:29 32 --sha-w c:\windows\system32\{9964F7E5-4FFD-473C-A8F1-47CF4E306B4B}.dat
.

((((((((((((((((((((((((((((( SnapShot@2009-03-22_14.11.48.15 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-03-28 21:23:03 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_57c.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\SoundMAX\SMax4PNP.exe" [2003-05-29 790528]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-09-12 335872]
"IntelliType"="c:\program files\Microsoft Hardware\Keyboard\type32.exe" [2002-03-21 94208]
"TPP Auto Loader"="c:\windows\tppaldr.exe" [2002-06-23 118784]
"Zone Labs Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2004-11-28 902432]
"ezShieldProtector for Px"="c:\windows\System32\ezSP_Px.exe" [2002-08-20 40960]
"DiscWizardMonitor.exe"="c:\program files\Seagate\DiscWizard\DiscWizardMonitor.exe" [2007-08-08 1169456]
"AcronisTimounterMonitor"="c:\program files\Seagate\DiscWizard\TimounterMonitor.exe" [2007-08-08 1945424]
"ASUS Probe"="c:\program files\ASUS\Probe\AsusProb.exe" [2002-12-06 617984]
"ccRegVfy"="c:\program files\Common Files\Symantec Shared\ccRegVfy.exe" [2002-08-19 34504]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2002-08-19 50880]
"Acronis Scheduler2 Service"="c:\program files\Common Files\Seagate\Schedule2\schedhlp.exe" [2007-08-08 148760]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2007-04-23 228088]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-10-01 111936]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-10-01 289576]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-04 148888]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
D-Link AirPlus.lnk - c:\program files\D-Link AirPlus\AirPlus.exe [2004-01-20 262144]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.I420"= i420vfw.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Acrobat Assistant.lnk
backup=c:\windows\pss\Acrobat Assistant.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Billminder.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Billminder.lnk
backup=c:\windows\pss\Billminder.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Color Calibration.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Color Calibration.lnk
backup=c:\windows\pss\Color Calibration.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Image Zone Fast Start.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Image Zone Fast Start.lnk
backup=c:\windows\pss\HP Image Zone Fast Start.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\InterVideo WinCinema Manager.lnk
backup=c:\windows\pss\InterVideo WinCinema Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinScheduler.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\InterVideo WinScheduler.lnk
backup=c:\windows\pss\InterVideo WinScheduler.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^MagicTune 3.6.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\MagicTune 3.6.lnk
backup=c:\windows\pss\MagicTune 3.6.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^NaturalColorLoad.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\NaturalColorLoad.lnk
backup=c:\windows\pss\NaturalColorLoad.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^PaperPort OneTouch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\PaperPort OneTouch.lnk
backup=c:\windows\pss\PaperPort OneTouch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Picture Package Menu.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Picture Package Menu.lnk
backup=c:\windows\pss\Picture Package Menu.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Picture Package VCD Maker.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Picture Package VCD Maker.lnk
backup=c:\windows\pss\Picture Package VCD Maker.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Startup.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Quicken Startup.lnk
backup=c:\windows\pss\Quicken Startup.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Snsicon.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Snsicon.lnk
backup=c:\windows\pss\Snsicon.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Holly^Start Menu^Programs^Startup^HotSync Manager.lnk]
path=c:\documents and settings\Holly\Start Menu\Programs\Startup\HotSync Manager.lnk
backup=c:\windows\pss\HotSync Manager.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Holly^Start Menu^Programs^Startup^MyWebSearch Email Plugin.lnk]
path=c:\documents and settings\Holly\Start Menu\Programs\Startup\MyWebSearch Email Plugin.lnk
backup=c:\windows\pss\MyWebSearch Email Plugin.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_CC]
--a------ 2008-02-11 19:37 579072 c:\progra~1\Grisoft\AVG7\avgcc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\fbdirect]
--a------ 1998-11-17 19:10 227328 c:\paprport\FBDirect.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2005-05-11 23:12 49152 c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPWUTOOLBOX]
--a------ 2005-09-19 10:31 352256 c:\program files\HP\HP Officejet Pro K550 Series\Toolbox\HPWUTBX.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-10-01 18:57 289576 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PP7600usb]
--a------ 1998-11-17 19:10 227328 c:\paprport\FBDirect.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-09-06 15:09 413696 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioAudioCentral]
--a------ 2003-01-09 09:21 253952 c:\program files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]
--a------ 2003-01-13 10:19 757760 c:\program files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioEngineUtility]
--a------ 2003-01-13 14:05 69632 c:\program files\Common Files\Roxio Shared\System\EngUtil.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2004-06-03 21:05 32881 c:\program files\Java\j2re1.4.2_05\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2006-10-25 21:39 185896 c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinDVR SchSvr]
--a------ 2005-04-14 01:14 106496 c:\program files\Common Files\InterVideo\SchSvr\SchSvr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"V2i Protector"=2 (0x2)
"PhotoshopElementsDeviceConnect"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=

R0 PQV2i;PQV2i;c:\windows\system32\drivers\PQV2i.sys [2003-09-12 132899]
R1 PQIMount;PQIMount;c:\windows\system32\drivers\PQIMount.sys [2003-09-12 46810]
S2 CX88XBAR;MSI 8606 Crossbar;c:\windows\system32\drivers\CX88XBar.SYS [2004-04-29 9159]
S3 AdobeActiveFileMonitor;Adobe Active File Monitor;c:\program files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe [2004-10-04 98304]
S3 Hl_mull;Hl_mull;c:\windows\system32\drivers\hl_mull.sys [2004-06-29 29024]
S3 MPCSYS;MPCSYS;c:\windows\system32\drivers\mpcsys.SYS [2004-01-20 15360]
S3 pmxscan;Visioneer USB Service;c:\windows\system32\drivers\usbscan.sys [2008-01-26 15104]
S3 SQ931;V-Gear TalkCam RX7;c:\windows\system32\drivers\Capt931a.sys [2008-01-03 526464]
S3 TPPFX;USB Storage Adapter FX (TPP);c:\windows\system32\drivers\TPPFX.SYS [2004-07-03 32256]
S3 XDva226;XDva226;\??\c:\windows\system32\XDva226.sys --> c:\windows\system32\XDva226.sys [?]
S4 mrtRate;mrtRate;c:\windows\system32\drivers\MrtRate.sys [2004-04-04 34916]
S4 PhotoshopElementsDeviceConnect;Photoshop Elements Device Connect;c:\program files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe [2004-10-04 118784]
.
Contents of the 'Scheduled Tasks' folder

2009-03-18 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2009-03-28 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2002-08-07 09:04]
.
.
------- Supplementary Scan -------
.
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
TCP: {2E98EA25-E79A-4BBC-94E7-FE818B23CC09} = 208.67.220.220,208.67.222.222
TCP: {3700FC48-CC40-44F5-8A39-38C3E59E6892} = 208.67.220.220,208.67.222.222
TCP: {B2C1D279-AE11-42C2-8234-2E9CE07481C3} = 208.67.220.220,208.67.222.222
DPF: RaptisoftGameLoader - hxxp://www.miniclip.com/hamsterball/raptisoftgameloader.cab
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-28 13:23:48
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1144)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'lsass.exe'(1200)
c:\windows\system32\relog_ap.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Common Files\Seagate\Schedule2\schedul2.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\progra~1\Grisoft\AVG7\avgamsvr.exe
c:\progra~1\Grisoft\AVG7\avgupsvc.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\drivers\CDANTSRV.EXE
c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\nexon\MapleStory\npkcmsvc.exe
d:\program files\Photodex\ProShowGold\scsiaccess.exe
c:\program files\Analog Devices\SoundMAX\SMAgent.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\ZoneLabs\vsmon.exe
c:\windows\system32\fxssvc.exe
c:\program files\Common Files\Symantec Shared\Security Center\SymWSC.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Messenger\msmsgs.exe
.
**************************************************************************
.
Completion time: 2009-03-28 13:26:46 - machine was rebooted
ComboFix-quarantined-files.txt 2009-03-28 21:26:43
ComboFix2.txt 2009-03-22 22:13:26

Pre-Run: 38,715,183,104 bytes free
Post-Run: 38,736,097,280 bytes free

370

Malwarebytes' Anti-Malware 1.35
Database version: 1911
Windows 5.1.2600 Service Pack 2

3/28/2009 2:09:48 PM
mbam-log-2009-03-28 (14-09-48).txt

Scan type: Quick Scan
Objects scanned: 104371
Time elapsed: 7 minute(s), 5 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

GMER 1.0.15.14944 - http://www.gmer.net
Rootkit scan 2009-03-29 06:54:47
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs Inc.) ZwConnectPort [0xB6D3B5CD]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs Inc.) ZwDeleteKey [0xB6D4F110]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs Inc.) ZwDeleteValueKey [0xB6D4F070]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs Inc.) ZwLoadKey [0xB6D4F190]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs Inc.) ZwOpenProcess [0xB6D4EAB0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs Inc.) ZwReplaceKey [0xB6D4F240]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs Inc.) ZwRestoreKey [0xB6D4F2C0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs Inc.) ZwSecureConnectPort [0xB6D3B6F5]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs Inc.) ZwSetValueKey [0xB6D4EFC0]

INT 0x06 \??\C:\WINDOWS\System32\drivers\Haspnt.sys (HASP Kernel Device Driver for Windows NT/Aladdin Knowledge Systems) B657616D
INT 0x0E \??\C:\WINDOWS\System32\drivers\Haspnt.sys (HASP Kernel Device Driver for Windows NT/Aladdin Knowledge Systems) B6575FC2

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!ZwYieldExecution + 25E 804E4A98 4 Bytes JMP 6C67B6D4

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \SystemRoot\System32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisRegisterProtocol] [B6D3F310] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs Inc.)
IAT \SystemRoot\System32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisOpenAdapter] [B6D3F5A0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs Inc.)
IAT \SystemRoot\System32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisCloseAdapter] [B6D3F6E0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs Inc.)
IAT \SystemRoot\System32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisDeregisterProtocol] [B6D3F490] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs Inc.)
IAT \SystemRoot\System32\DRIVERS\psched.sys[NDIS.SYS!NdisDeregisterProtocol] [B6D3F490] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs Inc.)
IAT \SystemRoot\System32\DRIVERS\psched.sys[NDIS.SYS!NdisRegisterProtocol] [B6D3F310] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs Inc.)
IAT \SystemRoot\System32\DRIVERS\psched.sys[NDIS.SYS!NdisOpenAdapter] [B6D3F5A0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs Inc.)
IAT \SystemRoot\System32\DRIVERS\psched.sys[NDIS.SYS!NdisCloseAdapter] [B6D3F6E0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs Inc.)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisRegisterProtocol] [B6D3F310] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs Inc.)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisCloseAdapter] [B6D3F6E0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs Inc.)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisOpenAdapter] [B6D3F5A0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs Inc.)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisDeregisterProtocol] [B6D3F490] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs Inc.)
IAT \SystemRoot\System32\DRIVERS\tcpip.sys[NDIS.SYS!NdisCloseAdapter] [B6D3F6E0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs Inc.)
IAT \SystemRoot\System32\DRIVERS\tcpip.sys[NDIS.SYS!NdisOpenAdapter] [B6D3F5A0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs Inc.)
IAT \SystemRoot\System32\DRIVERS\tcpip.sys[NDIS.SYS!NdisRegisterProtocol] [B6D3F310] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs Inc.)
IAT \SystemRoot\System32\drivers\afd.sys[ntoskrnl.exe!IoCreateFile] [B6D5A9C0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs Inc.)
IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisDeregisterProtocol] [B6D3F490] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs Inc.)
IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisRegisterProtocol] [B6D3F310] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs Inc.)
IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisOpenAdapter] [B6D3F5A0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs Inc.)
IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisCloseAdapter] [B6D3F6E0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs Inc.)
IAT \SystemRoot\System32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisRegisterProtocol] [B6D3F310] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs Inc.)
IAT \SystemRoot\System32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisDeregisterProtocol] [B6D3F490] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs Inc.)
IAT \SystemRoot\System32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisCloseAdapter] [B6D3F6E0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs Inc.)
IAT \SystemRoot\System32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisOpenAdapter] [B6D3F5A0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs Inc.)

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs PQV2i.sys (StorageCraft Volume Snap-Shot/StorageCraft)
AttachedDevice \FileSystem\Ntfs \Ntfs avg7rsw.sys (AVG Resident Shield Unload Helper/GRISOFT, s.r.o.)

Device \Driver\Tcpip \Device\Ip vsdatant.sys (TrueVector Device Driver/Zone Labs Inc.)

AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Norton Internet Security Filter/Symantec Corporation)

Device pci.sys (NT Plug and Play PCI Enumerator/Microsoft Corporation)
Device \Driver\Tcpip \Device\Tcp vsdatant.sys (TrueVector Device Driver/Zone Labs Inc.)

AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Norton Internet Security Filter/Symantec Corporation)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 snapman.sys (Acronis Snapshot API/Acronis)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 PQV2i.sys (StorageCraft Volume Snap-Shot/StorageCraft)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 snapman.sys (Acronis Snapshot API/Acronis)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 PQV2i.sys (StorageCraft Volume Snap-Shot/StorageCraft)

Device \Driver\Tcpip \Device\Udp vsdatant.sys (TrueVector Device Driver/Zone Labs Inc.)

AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Norton Internet Security Filter/Symantec Corporation)

Device \Driver\Tcpip \Device\RawIp vsdatant.sys (TrueVector Device Driver/Zone Labs Inc.)

AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Norton Internet Security Filter/Symantec Corporation)

Device \Driver\Tcpip \Device\IPMULTICAST vsdatant.sys (TrueVector Device Driver/Zone Labs Inc.)

AttachedDevice \FileSystem\Fastfat \Fat PQV2i.sys (StorageCraft Volume Snap-Shot/StorageCraft)
AttachedDevice \FileSystem\Fastfat \Fat avg7rsw.sys (AVG Resident Shield Unload Helper/GRISOFT, s.r.o.)

---- EOF - GMER 1.0.15 ----

AVG Antivirus 8.5 (updated) Log report:

"C:\Documents and Settings\Jelfy\Local Settings\Temporary Internet Files\Content.IE5\49IVWL6F\d[1].htm";"Trojan horse Generic12.CBKK";"Moved to Virus Vault"
"C:\Documents and Settings\Jelfy\Local Settings\Temporary Internet Files\Content.IE5\49IVWL6F\d[2].htm";"Trojan horse Generic12.CBKR";"Moved to Virus Vault"
"C:\Documents and Settings\Jelfy\Local Settings\Temporary Internet Files\Content.IE5\49IVWL6F\d[3].htm";"Trojan horse Generic12.CCBI";"Moved to Virus Vault"
"C:\Documents and Settings\Jelfy\Local Settings\Temporary Internet Files\Content.IE5\49IVWL6F\d[4].htm";"Trojan horse Generic13.WM";"Moved to Virus Vault"
"C:\Documents and Settings\Jelfy\Local Settings\Temporary Internet Files\Content.IE5\C1AVC5I7\d[1].htm";"Trojan horse Generic12.CBQT";"Moved to Virus Vault"
"C:\Documents and Settings\Jelfy\Local Settings\Temporary Internet Files\Content.IE5\C1AVC5I7\d[2].htm";"Trojan horse Generic12.CBTT";"Moved to Virus Vault"
"C:\Documents and Settings\Jelfy\Local Settings\Temporary Internet Files\Content.IE5\S5AJK9EZ\d[1].htm";"Trojan horse Generic12.BZSU";"Moved to Virus Vault"
"C:\Documents and Settings\Jelfy\Local Settings\Temporary Internet Files\Content.IE5\S5AJK9EZ\d[2].htm";"Trojan horse Generic13.AZC";"Moved to Virus Vault"
"C:\Documents and Settings\Jelfy\Local Settings\Temporary Internet Files\Content.IE5\S5AJK9EZ\d[3].htm";"Trojan horse Generic12.CBGQ";"Moved to Virus Vault"
"C:\Documents and Settings\Jelfy\Local Settings\Temporary Internet Files\Content.IE5\S5AJK9EZ\d[4].htm";"Trojan horse Generic13.EH";"Moved to Virus Vault"
"C:\Documents and Settings\Zenen\Local Settings\Temporary Internet Files\Content.IE5\G9YVGTQF\d[1].htm";"Trojan horse Generic13.OB";"Moved to Virus Vault"
"C:\Documents and Settings\Zenen\Local Settings\Temporary Internet Files\Content.IE5\G9YVGTQF\d[2].htm";"Trojan horse Generic12.CBFQ";"Moved to Virus Vault"
"C:\Documents and Settings\Zenen\Local Settings\Temporary Internet Files\Content.IE5\G9YVGTQF\d[3].htm";"Trojan horse Generic13.FF";"Moved to Virus Vault"
"C:\Documents and Settings\Zenen\Local Settings\Temporary Internet Files\Content.IE5\G9YVGTQF\d[4].htm";"Trojan horse Generic13.FI";"Moved to Virus Vault"
"C:\Documents and Settings\Zenen\Local Settings\Temporary Internet Files\Content.IE5\GP6V0LMB\d[1].htm";"Trojan horse Generic13.O";"Moved to Virus Vault"
"C:\Documents and Settings\Zenen\Local Settings\Temporary Internet Files\Content.IE5\GP6V0LMB\d[2].htm";"Trojan horse Generic13.CUA";"Moved to Virus Vault"
"C:\Documents and Settings\Zenen\Local Settings\Temporary Internet Files\Content.IE5\K96JC5A7\d[1].htm";"Trojan horse Generic12.CBLY";"Moved to Virus Vault"
"C:\Documents and Settings\Zenen\Local Settings\Temporary Internet Files\Content.IE5\K96JC5A7\d[2].htm";"Trojan horse Generic13.CZP";"Moved to Virus Vault"
"C:\Documents and Settings\Zenen\Local Settings\Temporary Internet Files\Content.IE5\K96JC5A7\d[3].htm";"Trojan horse Generic12.CCCB";"Moved to Virus Vault"
"C:\Documents and Settings\Zenen\Local Settings\Temporary Internet Files\Content.IE5\K96JC5A7\d[4].htm";"Virus found Win32/Heur";"Moved to Virus Vault"
"C:\Documents and Settings\Zenen\Local Settings\Temporary Internet Files\Content.IE5\W52JSXUN\d[1].htm";"Trojan horse Generic13.FE";"Moved to Virus Vault"
"C:\Documents and Settings\Zenen\Local Settings\Temporary Internet Files\Content.IE5\W52JSXUN\d[2].htm";"Trojan horse Generic13.JOP";"Moved to Virus Vault"
"C:\Documents and Settings\Zenen\Local Settings\Temporary Internet Files\Content.IE5\W52JSXUN\d[3].htm";"Trojan horse Generic13.AMC";"Moved to Virus Vault"
"C:\Documents and Settings\Zenen\Local Settings\Temporary Internet Files\Content.IE5\W52JSXUN\d[4].htm";"Trojan horse Generic13.FA";"Moved to Virus Vault"
"C:\Documents and Settings\Zenen\Local Settings\Temporary Internet Files\Content.IE5\W52JSXUN\d[5].htm";"Trojan horse Generic13.CHM";"Moved to Virus Vault"
"C:\Program Files\321Studios\Platinum\ResDll.dll";"Virus found Win32/Heur";"Moved to Virus Vault"
"C:\SDFix\backups\catchme.zip";"Virus identified I-Worm/Nulprot.E";"Moved to Virus Vault"
"C:\SDFix\backups\catchme.zip:\NdisWon.sys";"Virus identified I-Worm/Nulprot.E";"Moved to Virus Vault"
"C:\WINDOWS\system32\updates228.exe";"Trojan horse Proxy.XEX";"Moved to Virus Vault"
"C:\WINDOWS\system32\updates295.exe";"Trojan horse Generic9.AHDR";"Moved to Virus Vault"
"C:\WINDOWS\system32\updates298.exe";"Virus identified I-Worm/Nuwar.C";"Moved to Virus Vault"
"C:\WINDOWS\system32\updates303.exe";"Trojan horse DNSChanger.K";"Moved to Virus Vault"
"D:\Downloads\DVD Xcopy.zip";"Virus found Win32/Heur";"Deleted"
"D:\Downloads\DVD Xcopy.zip:\DXC_Platinum_v3.2.0_full_install.exe";"Virus found Win32/Heur";"Deleted"
"D:\Downloads\DVD Xcopy.zip:\DXC_Platinum_v3.2.0_full_install.exe:\ns_00003";"Virus found Win32/Heur";"Deleted"
"D:\Downloads\DVD Xcopy.zip:\DXC_Platinum_v3.2.0_full_install.exe:\ns_00006";"Virus found Win32/Heur";"Deleted"
"D:\Downloads\DVD Xcopy.zip:\DXC_Platinum_v3.2.0_full_install.exe:\ns_00017";"Virus found Win32/Heur";"Deleted"
"D:\Downloads\DVD Xcopy.zip:\DXC_Platinum_v3.2.0_full_install.exe:\ns_00024";"Virus found Win32/Heur";"Deleted"

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-03-16.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 1/20/2002 7:12:46 PM
System Uptime: 3/29/2009 7:33:59 AM (3 hours ago)

Motherboard: ASUSTeK Computer Inc. | | P4P800
Processor: Intel® Pentium® 4 CPU 3.00GHz | CPU 1 | 2998/200mhz
Processor: Intel® Pentium® 4 CPU 3.00GHz | CPU 1 | 2998/200mhz

==== Disk Partitions =========================

A: is Removable
C: is FIXED (NTFS) - 60 GiB total, 35.817 GiB free.
D: is FIXED (NTFS) - 406 GiB total, 291.442 GiB free.
E: is CDROM ()

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP3: 3/22/2009 6:47:22 PM - System Checkpoint
RP4: 3/23/2009 7:48:53 PM - System Checkpoint
RP5: 3/27/2009 4:25:54 PM - System Checkpoint
RP6: 3/28/2009 1:10:36 PM - ComboFix created restore point
RP7: 3/29/2009 2:54:20 AM - System Checkpoint
RP8: 3/29/2009 7:26:18 AM - Installed AVG Free 8.5
RP9: 3/29/2009 9:47:28 AM - Avg8 Update

==== Installed Programs ======================

Ad-Aware
Adobe Acrobat 5.0
Adobe Acrobat 6.0 Professional
Adobe Download Manager 2.0 (Remove Only)
Adobe Flash Player 10 ActiveX
Adobe Photoshop Elements 3.0
AnyDVD
Apple Mobile Device Support
Apple Software Update
ArcSoft Camera Suite 1.3
ArcSoft Funhouse
ArcSoft PhotoImpression 3.0
ASUS Probe V2.21.03
ATI - Software Uninstall Utility
ATI Control Panel
ATI Display Driver
ATI HydraVision
Audacity 1.2.2
AutoUpdate
Avery Assistant for the Personal Label Printer
Avery DesignPro
AVG 8.5
AviSynth 2.5
Baxter Stationery
Before You Know It 3.6
BHA B's Recorder GOLD 5.32
Black Gold Teletext Lite
BlackBerry Desktop Software 4.2.2
Bonjour
Boomerang Stationery
BufferChm
C-Dilla Licence Management System
Camera Support Core Library
Camera Window DS
Camera Window DVC
Camera Window MC
Canon Camera Support Core Library
Canon Camera Window DS for ZoomBrowser EX
Canon Camera Window DVC for ZoomBrowser EX
Canon Camera Window for ZoomBrowser EX
Canon MovieEdit Task for ZoomBrowser EX
Canon PhotoRecord
Canon RAW Image Task for ZoomBrowser EX
Canon RemoteCapture Task for ZoomBrowser EX
Canon Utilities PhotoStitch 3.1
Canon ZoomBrowser EX
Cheat Engine 5.4
Cheat Engine 5.5
CodeStuff Starter
Compatibility Pack for the 2007 Office system
CP_AtenaShokunin1Config
CP_CalendarTemplates1
CP_Package_Basic1
CP_Panorama1Config
Cucusoft DVD to iPod + iPod Video Converter Suite 7.18.7.11
CueTour
D-Link AirPlus
Dark River Stationery
Destinations
DeviceFunctionQFolder
DeviceManagementQFolder
DivX Codec
DivX Content Uploader
DivX Converter
DivX Player
DivX Web Player
DocProc
DocumentViewer
DocumentViewerQFolder
DVD Decrypter (Remove Only)
DVD Photo Slideshow Pro 7.40
DVD Shrink 3.1.4
DVD X Rescue
DVDXCopy Platinum 3.2.0
Easy CD & DVD Creator 6
eSupportQFolder
FullDPAppQFolder
Game Maker 7.0
Google Earth
HASP Device Driver
HP Document Viewer 5.3
HP Image Zone 5.3
HP Imaging Device Functions 5.3
HP Officejet Pro K550 Series
HP Product Detection
HP Scanjet 4800 series
HP Software Update
HP Solution Center & Imaging Support Tools 5.3
hpg4850
hpg4850QFolder
HPProductAssistant
Image Resizer Powertoy Clone for Windows
ImageMatics StillMotion PE
ImageMatics StillMotion PE Plus
InstantShareDevices
InterActual Player
InterVideo MSIPVS
InterVideo MSIPVS 3
iPod for Windows 2005-06-26
iTunes
Java 2 Runtime Environment, SE v1.4.2_05
Java™ 6 Update 12
JumpStart 1st Grade v1.5
JumpStart Parent Resource Center v1.0
LiveReg (Symantec Corporation)
LiveUpdate 1.7 (Symantec Corporation)
LiveUpdate 1.80 (Symantec Corporation)
Macromedia Flash Player
MagicTune3.6
Malwarebytes' Anti-Malware
MapleStory
MemoryShow Pro 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 2.0
Microsoft Forest Floor Stationery
Microsoft IntelliPoint 4.1
Microsoft IntelliType Pro 2.2
Microsoft Office 2000 Premium
Microsoft Publisher 2002
Microsoft Visual C++ 2005 Redistributable
Miniclip
Misc
mobile PhoneTools
MobileMe Control Panel
MovieEdit Task
Mr. Potato Head Uninstaller
MSI Radio
MSN Toolbar
MSXML 6.0 Parser
My Bar-Bat Mitzvah Companion 3.0
My Kitchen Stationery
Natural Color
Net MD Simple Burner
Norton AntiVirus 2003
Norton WMI Update
OpenMG Limited Patch 4.0-04-08-02-01
OpenMG Secure Module 4.0.00
Palm Desktop
PanoStandAlone
Photodex Presenter
PhotoGallery
PhotoStitch
Pinstripe Stationery
PowerQuest Drive Image 7.0
ProShow Gold
Quick Screen Capture 2.2
Quicken Deluxe 2000
QuickTime
RandMap
RAW Image Task 2.0
RealPlayer
RemoteCapture Task 1.1
RGSS-RTP Standard
Roll
Roxio Media Manager
RPGXP
Scan
ScannerCopy
Seagate DiscWizard
Second Nature - Winter Beauty
Shockwave
SkinsHP1
SolutionCenter
Sonic_PrimoSDK
SonicStage 2.1.00
Sony Net MD Help
Sony USB Driver
SoundMAX
SpongeBob SquarePants® Operation Krabby Patty
Spybot - Search & Destroy
SUPER © Version 2008.bld.33 (Sep 2, 2008)
The Print Shop®
TOD
Toolbox
Twill Stationery
U.R.Celeb 1.03
UGuide
USB Storage Adapter FX (TPP)
V-Gear TalkCam RX7
Videora iPod touch Converter 4.03
Visioneer 7600 USB Scanner Driver
Visioneer PaperPort 5.3
Wallpaper Stationery
WebFldrs XP
WebReg
Windows Installer 3.1 (KB893803)
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Media Format Runtime
Windows Media Player 10
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893066
Windows XP Hotfix - KB893086
Windows XP Service Pack 2
WindSlayer
WinPrint
WinRAR archiver
WinZip
Xvid 1.1.3 final uninstall
YouTube Downloader App 1.01
ZoneAlarm

==== Event Viewer Messages From Past Week ========

3/22/2009 7:08:11 PM, error: Service Control Manager [7000] - The MSI 8606 Tuner service failed to start due to the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
3/22/2009 7:08:11 PM, error: Service Control Manager [7000] - The MSI 8606 Crossbar service failed to start due to the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
3/22/2009 7:08:11 PM, error: Service Control Manager [7000] - The MSI 8606 Audio Capture service failed to start due to the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
3/22/2009 7:08:11 PM, error: Service Control Manager [7000] - The MSI 8606 Video Capture service failed to start due to the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
3/22/2009 7:07:53 PM, error: NetBT [4307] - Initialization failed because the transport refused to open initial Addresses.
3/22/2009 6:52:07 PM, error: Srv [2019] - The server was unable to allocate from the system nonpaged pool because the pool was empty.
3/22/2009 6:39:46 PM, error: MRxSmb [8003] - The master browser has received a server announcement from the computer DESKTOP that believes that it is the master browser for the domain on transport NetBT_Tcpip_{3700FC48-CC40-44F5-8. The master browser is stopping or an election is being forced.
3/22/2009 2:11:53 PM, error: Service Control Manager [7016] - The GEARSecurity service has reported an invalid current state 0.
3/22/2009 2:08:45 PM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000001' while processing the file '' on the volume 'HarddiskVolume1'. It has stopped monitoring the volume.
3/28/2009 8:40:52 PM, error: SideBySide [59] - Resolve Partial Assembly failed for Microsoft.Windows.Common-Controls. Reference error message: Insufficient system resources exist to complete the requested service. .
3/28/2009 8:40:52 PM, error: SideBySide [59] - Generate Activation Context failed for C:\WINDOWS\System32\browseui.dll. Reference error message: The operation completed successfully. .
3/28/2009 8:41:43 PM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC000009A' while processing the file 'GMER_Log_a .. al.log.lnk' on the volume 'HarddiskVolume1'. It has stopped monitoring the volume.
3/28/2009 8:44:03 PM, error: DCOM [10000] - Unable to start a DCOM Server: {CD79C623-E1B7-47CF-A685-2E8A882BA3F8}. The error: "%1450" Happened while starting this command: "C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe" -Embedding
3/28/2009 8:44:24 PM, error: SideBySide [59] - Generate Activation Context failed for C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll. Reference error message: The operation completed successfully. .
3/28/2009 8:44:25 PM, error: SideBySide [59] - Generate Activation Context failed for C:\WINDOWS\WindowsShell.manifest. Reference error message: The operation completed successfully. .
3/28/2009 8:44:26 PM, error: SideBySide [59] - Generate Activation Context failed for C:\WINDOWS\system32\MLANG.dll. Reference error message: The operation completed successfully. .
3/29/2009 7:30:34 AM, error: Service Control Manager [7034] - The SymWMI Service service terminated unexpectedly. It has done this 1 time(s).
3/29/2009 7:36:51 AM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the TrueVector Internet Monitor service to connect.
3/29/2009 7:36:51 AM, error: Service Control Manager [7000] - The TrueVector Internet Monitor service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.

==== End Of File ===========================

DDS (Ver_09-03-16.01) - NTFSx86
Run by Jelfy at 10:13:01.09 on Sun 03/29/2009
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.511.149 [GMT -8:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)
AV: Norton AntiVirus *On-access scanning disabled* (Updated)
FW: ZoneAlarm Firewall *enabled*

============== Running Processes ===============

C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\WINDOWS\tppaldr.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\Program Files\Seagate\DiscWizard\DiscWizardMonitor.exe
C:\Program Files\Seagate\DiscWizard\TimounterMonitor.exe
C:\Program Files\Common Files\Seagate\Schedule2\schedhlp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe
C:\Program Files\D-Link AirPlus\AirPlus.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
C:\WINDOWS\System32\GEARSec.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Nexon\MapleStory\npkcmsvc.exe
D:\Program Files\Photodex\ProShowGold\ScsiAccess.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Jelfy\Desktop\VIRUS SCANNER\dds.com

============== Pseudo HJT Report ===============

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 6.0\acrobat\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Miniclip: {4e7bd74f-2b8d-469e-89b3-be29f5d3e32d} - c:\windows\downlo~1\MINICL~1.DLL
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: AcroIEToolbarHelper Class: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
BHO: CNavExtBho Class: {bdf3e430-b101-42ad-a544-fadc6b084872} - d:\norton antivirus\NavShExt.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Miniclip: {4e7bd74f-2b8d-469e-89b3-be29f5d3e32d} - c:\windows\downlo~1\MINICL~1.DLL
TB: MSN Toolbar: {bdad1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\msn toolbar\01.01.2607.0\msgr.en-us.en-ca\msntb.dll
TB: Norton AntiVirus: {42cdd1bf-3ffb-4238-8ad1-7859df00b1d6} - d:\norton antivirus\NavShExt.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
mRun: [SoundMAXPnP] c:\program files\analog devices\soundmax\SMax4PNP.exe
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [IntelliType] "c:\program files\microsoft hardware\keyboard\type32.exe"
mRun: [TPP Auto Loader] c:\windows\tppaldr.exe
mRun: [Zone Labs Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [ezShieldProtector for Px] c:\windows\system32\ezSP_Px.exe
mRun: [DiscWizardMonitor.exe] c:\program files\seagate\discwizard\DiscWizardMonitor.exe
mRun: [AcronisTimounterMonitor] c:\program files\seagate\discwizard\TimounterMonitor.exe
mRun: [ASUS Probe] c:\program files\asus\probe\AsusProb.exe
mRun: [Acronis Scheduler2 Service] "c:\program files\common files\seagate\schedule2\schedhlp.exe"
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\d-link~1.lnk - c:\program files\d-link airplus\AirPlus.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: RaptisoftGameLoader - hxxp://www.miniclip.com/hamsterball/raptisoftgameloader.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {3334504D-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/0/C/8/0C8EDFAB-30BC-4792-898E-2DABE27B2C4D/mp43dmo.CAB
DPF: {41F17733-B041-4099-A042-B518BB6A408C} - hxxp://appldnld.m7z.net/content.info.apple.com/iTunes4/WW/win/019-0312.20050111.MmVrT/iTunesSetup.exe
DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.4.1.cab
DPF: {4E7BD74F-2B8D-469E-89B3-BE29F5D3E32D} - hxxp://www.miniclip.com/toolbar/minicliptoolbar.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1217908757231
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - hxxp://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38006.8132407407
DPF: {CAFEEFAC-0014-0002-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.4.2/jinstall-1_4_2_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
TCP: {2E98EA25-E79A-4BBC-94E7-FE818B23CC09} = 208.67.220.220,208.67.222.222
TCP: {3700FC48-CC40-44F5-8A39-38C3E59E6892} = 208.67.220.220,208.67.222.222
TCP: {B2C1D279-AE11-42C2-8234-2E9CE07481C3} = 208.67.220.220,208.67.222.222
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: avgrsstarter - avgrsstx.dll
LSA: Authentication Packages = msv1_0 relog_ap

============= SERVICES / DRIVERS ===============

R0 PQV2i;PQV2i;c:\windows\system32\drivers\PQV2i.sys [2003-9-12 132899]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-3-29 325640]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-2-11 27656]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-3-29 108552]
R1 PQIMount;PQIMount;c:\windows\system32\drivers\PQIMount.sys [2003-9-12 46810]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2004-5-22 279264]
R2 aawservice;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\aawservice.exe [2008-5-12 611664]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-3-29 298264]
R2 SAVRTPEL;SAVRTPEL;c:\windows\system32\drivers\SAVRTPEL.SYS [2008-2-9 35552]
R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
S2 CX88XBAR;MSI 8606 Crossbar;c:\windows\system32\drivers\CX88XBar.SYS [2004-4-29 9159]
S2 SBService;ScriptBlocking Service;c:\progra~1\common~1\symant~1\script~1\SBServ.exe [2001-8-13 54408]
S3 AdobeActiveFileMonitor;Adobe Active File Monitor;c:\program files\adobe\photoshop elements 3.0\PhotoshopElementsFileAgent.exe [2004-10-4 98304]
S3 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2002-8-8 308936]
S3 ccPwdSvc;Symantec Password Validation Service;c:\program files\common files\symantec shared\ccPwdSvc.exe [2002-8-19 63176]
S3 Hl_mull;Hl_mull;c:\windows\system32\drivers\hl_mull.sys [2004-6-29 29024]
S3 MPCSYS;MPCSYS;c:\windows\system32\drivers\mpcsys.SYS [2004-1-20 15360]
S3 navapsvc;Norton AntiVirus Auto Protect Service;d:\norton antivirus\NAVAPSVC.EXE [2008-2-9 116336]
S3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20090318.006\NAVENG.Sys [2009-3-22 89104]
S3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20090318.006\NavEx15.Sys [2009-3-22 876144]
S3 pmxscan;Visioneer USB Service;c:\windows\system32\drivers\usbscan.sys [2008-1-26 15104]
S3 SAVRT;SAVRT;c:\windows\system32\drivers\SAVRT.SYS [2008-2-9 235744]
S3 SQ931;V-Gear TalkCam RX7;c:\windows\system32\drivers\Capt931a.sys [2008-1-3 526464]
S3 TPPFX;USB Storage Adapter FX (TPP);c:\windows\system32\drivers\TPPFX.SYS [2004-7-3 32256]
S3 XDva226;XDva226;\??\c:\windows\system32\xdva226.sys --> c:\windows\system32\XDva226.sys [?]
S4 mrtRate;mrtRate;c:\windows\system32\drivers\MrtRate.sys [2004-4-4 34916]
S4 PhotoshopElementsDeviceConnect;Photoshop Elements Device Connect;c:\program files\adobe\photoshop elements 3.0\PhotoshopElementsDeviceConnect.exe [2004-10-4 118784]

=============== Created Last 30 ================

2009-03-29 07:39 <DIR> --d-h--- C:\$AVG8.VAULT$
2009-03-29 07:26 325,640 a------- c:\windows\system32\drivers\avgldx86.sys
2009-03-29 07:26 108,552 a------- c:\windows\system32\drivers\avgtdix.sys
2009-03-29 07:26 10,520 a------- c:\windows\system32\avgrsstx.dll
2009-03-29 07:26 <DIR> --d----- c:\windows\system32\drivers\Avg
2009-03-29 07:26 <DIR> --d----- c:\program files\AVG
2009-03-29 07:26 <DIR> --d----- c:\docume~1\alluse~1\applic~1\avg8
2009-03-28 13:31 <DIR> --d----- c:\docume~1\jelfy\applic~1\Malwarebytes
2009-03-28 13:31 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-03-28 13:31 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-28 13:31 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-03-28 13:31 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-03-22 13:52 <DIR> a-dshr-- C:\cmdcons
2009-03-22 13:50 161,792 a------- c:\windows\SWREG.exe
2009-03-22 13:50 98,816 a------- c:\windows\sed.exe
2009-03-04 20:33 <DIR> --d----- c:\windows\ERUNT
2009-03-04 17:39 <DIR> --d----- C:\SDFix
2009-03-04 17:32 410,984 a------- c:\windows\system32\deploytk.dll
2009-03-04 17:32 73,728 a------- c:\windows\system32\javacpl.cpl
2009-03-03 22:01 <DIR> --d----- C:\VundoFix Backups
2009-03-02 23:22 382 a------- c:\windows\wininit.ini

==================== Find3M ====================

2005-02-24 17:40 1,112 a------- c:\docume~1\jelfy\applic~1\ViewerApp.dat
2003-07-16 18:26 448,640 ac------ c:\windows\inf\EL2K_N64.sys
2003-07-16 18:22 147,328 ac------ c:\windows\inf\EL2K_XP.sys
2003-06-02 23:47 147,328 ac------ c:\windows\inf\EL2K_2K.sys
1998-11-17 12:09 24,576 a------- c:\windows\inf\Vizpnpin.exe
1998-10-12 12:23 40,960 a------- c:\windows\inf\vizpnp\Vipersti.dll
1998-07-30 13:44 19,112 a------- c:\windows\inf\vizpnp\Pmxscan.sys
2007-11-05 19:29 32 a--sh--- c:\windows\{629E3D0B-AA63-400C-AB8B-208478DFE17B}.dat
2006-05-03 01:06 163,328 ---shr-- c:\windows\system32\flvDX.dll
2007-02-21 02:47 31,232 ---shr-- c:\windows\system32\msfDX.dll
2008-03-16 04:30 216,064 ---shr-- c:\windows\system32\nbDX.dll
2007-11-05 19:29 32 a--sh--- c:\windows\system32\{9964F7E5-4FFD-473C-A8F1-47CF4E306B4B}.dat

============= FINISH: 10:13:52.56 ===============

#11 PropagandaPanda
  • Malware Response Team
  • 10,433 posts

Posted 29 March 2009 - 01:38 PM

Hello amnesia.

That looks much better.

Let's get one more scan off to check for anything we've missed.

Download and Run ATFCleaner
Please download ATF Cleaner by Atribune. This program will clear out temporary files and settings. You will likely be logged out of the forum where you are receiving help.
  • Double-click ATF-Cleaner.exe to run the program. If you are using Windows Vista, right click the icon and select Run As Administrator.
  • Under Main Select Files to Delete choose: Select All.
  • Click the Empty Selected button.
Run Scan with Kaspersky
Please do a scan with Kaspersky Online Scanner.

This scan is for Internet Explorer Only.

If you are using Windows Vista, open your browser by right-clicking on its icon and select Run as administrator to perform this scan.

  • Please disable your realtime protection software before proceeding. Refer to this page if you are unsure how.
  • Open the Kaspersky Scanner page.
  • Click on Accept and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded, on the left side of the page in the Scan section, select My Computer.
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
You can refer to this animation by sundavis.

This scanner will only scan. It does not remove any malware it finds.

Any problems at the moment?

With Regards,
The Panda

#12 amnesia
  • Topic Starter
  • Members
  • 31 posts

Posted 29 March 2009 - 01:43 PM

No problems, but I haven't actually used the computer other than what you have instructed me to do.

I'll run those scans and post the results.


Amnesia

#13 PropagandaPanda
  • Malware Response Team
  • 10,433 posts

Posted 29 March 2009 - 02:10 PM

Okay. Hear from you later.

The Panda

#14 amnesia
  • Topic Starter
  • Members
  • 31 posts

Posted 29 March 2009 - 04:32 PM

Hi Panda;

I'm trying to run Kaspersky, but every time it goes for about 30 minutes and then I get a notification that:

"ScanningProcess.exe has encountered a problem and needs to close." I'm able to see the log up to this point, but not save it. There were about 20 "threats" at that point.

I'm trying again. I've turned off all processes that I can find for AVG and Norton. I'm still running ZoneAlarm.

What now?

Amnesia

#15 PropagandaPanda
  • Malware Response Team
  • 10,433 posts

Posted 29 March 2009 - 08:06 PM

Hello.

I didn't notice that you still had Norton installed.

It is not recommended that you have more than one AV installed. In addition to wasting resources, the programs may detect virus signatures in the other and cause false positives. The different drivers used by the programs can cause crashes.

Please uninstall them using Add/Remove Programs until you are only running one antivirus.

If Norton's subscription is no longer active, uninstall that.

With Regards,
The Panda
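
A quick way to see whether a machine is in the state described above (two on-access scanners, such as AVG and Norton here, both hooking file I/O) is to compare what Windows Security Center has registered against the file-system minifilters actually loaded. The following is an added example for this thread, not code from the forum or from either vendor. It assumes Windows PowerShell 3 or later (or PowerShell 7) in an elevated console, because fltmc.exe needs administrator rights; it queries root\SecurityCenter2 (Vista and later) and falls back to root\SecurityCenter (XP), and the reading of the undocumented productState field is the commonly used community interpretation, not an official one.

```powershell
# Added example: enumerate registered antivirus products and loaded
# anti-virus minifilters to spot more than one on-access scanner.
# Assumes Windows PowerShell 3+ or PowerShell 7, run as administrator.

function Get-RegisteredAntiVirus {
    # Vista and later expose root\SecurityCenter2; XP used root\SecurityCenter.
    foreach ($ns in 'root\SecurityCenter2', 'root\SecurityCenter') {
        $products = Get-CimInstance -Namespace $ns -ClassName AntiVirusProduct -ErrorAction SilentlyContinue
        if ($products) {
            foreach ($p in $products) {
                # productState is undocumented; the middle byte reading 0x10 or 0x11
                # is the community interpretation of "real-time protection enabled".
                $hex = '{0:x6}' -f [int]$p.productState
                [pscustomobject]@{
                    Name     = $p.displayName
                    Realtime = ($hex.Substring(2, 2) -in '10', '11')
                    Exe      = $p.pathToSignedProductExe
                }
            }
            return
        }
    }
}

function Get-AntiVirusMinifilters {
    # Microsoft allocates altitudes 320000-329999 to the "FSFilter Anti-Virus"
    # load-order group; every loaded filter in that band is an on-access scanner
    # (avgmfx86.sys and SAVRT.SYS in the log above would both show up here).
    $rows = fltmc.exe filters 2>$null
    foreach ($line in $rows) {
        # Columns: Filter Name, Num Instances, Altitude, Frame
        if ($line -match '^(\S+)\s+(\d+)\s+(\d+(?:\.\d+)?)\s+(\d+)') {
            $alt = [double]$Matches[3]
            if ($alt -ge 320000 -and $alt -lt 330000) {
                [pscustomobject]@{
                    Filter    = $Matches[1]
                    Instances = [int]$Matches[2]
                    Altitude  = $alt
                }
            }
        }
    }
}

$av  = @(Get-RegisteredAntiVirus)
$flt = @(Get-AntiVirusMinifilters)

"Registered with Security Center:"
$av | Format-Table -AutoSize
"Loaded anti-virus minifilters:"
$flt | Format-Table -AutoSize

if ($av.Count -gt 1 -or $flt.Count -gt 1) {
    Write-Warning "More than one on-access scanner is present; uninstall all but one before continuing."
}
```

The minifilter list is the more reliable of the two views: a product whose uninstall left its driver behind, or one that never registered with Security Center, still appears in the altitude band, and that driver is what conflicts with the scanner you intend to keep.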
