
Virtumonde (?) Infection


8 replies to this topic

#1 mrvsqz

Posted 17 April 2009 - 11:22 PM

Hello,

I was on Firefox a couple of days ago and all of a sudden, multiple IE browser windows popped up out of nowhere. They wouldn't stop, so I rebooted my computer. When I started Firefox again, I would periodically get pop-up advertisements and my browser was slow.

I realized I had an infection and tried to remove it with Avast, Advanced SystemCare, Ad-Aware, Spybot, and MBAM. Spybot stopped the pop-ups for a while, but they returned upon rebooting my computer. Running MBAM also stopped the pop-ups for a while until all the IE windows popped up again, just like the first time I was infected, and now I keep getting pop-ups while in Firefox.

Nothing so far has worked to remove this thing and I would greatly appreciate assistance! This is the first infection I have had in years and it's giving me headaches. If anybody could help me out, thank you so much!

DDS (Ver_09-03-16.01) - NTFSx86
Run by Marlena Vasquez at 21:08:47.80 on Fri 04/17/2009
Internet Explorer: 7.0.6000.16809 BrowserJavaVersion: 1.6.0_11
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.1022.180 [GMT -7:00]

AV: avast! antivirus 4.8.1335 [VPS 090417-0] *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Dell\MediaDirect\PCMService.exe
C:\Windows\stsystra.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\System32\mobsync.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Users\Marlena Vasquez\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uSearch Bar =
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
uRun: [hakimopube] Rundll32.exe "c:\programdata\zefebilu\zefebilu.dll",s
uRun: [90abb579] rundll32.exe "c:\programdata\muyotohe\muyotohe.dll",b
uRun: [CPM939886e5] Rundll32.exe "c:\programdata\mejimaba\mejimaba.dll",a
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [PCMService] "c:\program files\dell\mediadirect\PCMService.exe"
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/4/9/e494c802-dd90-4c6b-a074-469358f075a6/OGAControl.cab
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://www2.snapfish.com/SnapfishActivia.cab
DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader3.cab
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://download.divx.com/player/DivXBrowserPlugin.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_04-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E473A65C-8087-49A3-AFFD-C5BC4A10669B} - hxxp://mvnet.xlontech.net/qm/fox/06101102/qsp2ie06101001.cab
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - %SystemRoot%\system32\wpdshserviceobj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\users\marlen~1\appdata\roaming\mozilla\firefox\profiles\b05rmcjt.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\users\marlena vasquez\appdata\roaming\mozilla\firefox\profiles\b05rmcjt.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp071303000006.dll

============= SERVICES / DRIVERS ===============

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-3-24 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-3-24 20560]
R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2009-3-24 51792]
S3 JL2005;JL2005A Toy Camera;c:\windows\system32\drivers\toywdm.sys [2005-5-9 71336]

=============== Created Last 30 ================

2009-04-17 20:40 <DIR> --d----- c:\programdata\mejimaba
2009-04-17 20:40 <DIR> --d----- c:\progra~2\mejimaba
2009-04-17 20:40 <DIR> --d----- c:\programdata\sogibujo
2009-04-17 20:40 <DIR> --d----- c:\programdata\muyotohe
2009-04-17 20:40 <DIR> --d----- c:\progra~2\sogibujo
2009-04-17 20:40 <DIR> --d----- c:\progra~2\muyotohe
2009-04-17 00:17 <DIR> --d----- c:\programdata\piwigiki
2009-04-17 00:17 <DIR> --d----- c:\programdata\hulayoba
2009-04-17 00:17 <DIR> --d----- c:\progra~2\piwigiki
2009-04-17 00:17 <DIR> --d----- c:\progra~2\hulayoba
2009-04-16 13:20 <DIR> --d----- c:\users\marlen~1\appdata\roaming\Malwarebytes
2009-04-16 13:20 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-04-16 13:20 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-16 13:20 <DIR> --d----- c:\programdata\Malwarebytes
2009-04-16 13:20 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-04-16 13:20 <DIR> --d----- c:\progra~2\Malwarebytes
2009-04-16 12:19 <DIR> --d----- c:\programdata\zefebilu
2009-04-16 12:19 <DIR> --d----- c:\programdata\supamadi
2009-04-16 12:19 <DIR> --d----- c:\programdata\bolijida
2009-04-16 12:19 <DIR> --d----- c:\progra~2\zefebilu
2009-04-16 12:19 <DIR> --d----- c:\progra~2\supamadi
2009-04-16 12:19 <DIR> --d----- c:\progra~2\bolijida
2009-04-16 12:18 <DIR> --d----- c:\programdata\suliweya
2009-04-16 12:18 <DIR> --d----- c:\programdata\papulihe
2009-04-16 12:18 <DIR> --d----- c:\programdata\lazusoju
2009-04-16 12:18 <DIR> --d----- c:\progra~2\suliweya
2009-04-16 12:18 <DIR> --d----- c:\progra~2\papulihe
2009-04-16 12:18 <DIR> --d----- c:\progra~2\lazusoju
2009-04-16 00:34 <DIR> --d----- c:\programdata\Lavasoft
2009-04-16 00:09 <DIR> --d----- c:\programdata\yijazowi
2009-04-16 00:09 <DIR> --d----- c:\programdata\napokoku
2009-04-16 00:09 <DIR> --d----- c:\progra~2\yijazowi
2009-04-16 00:09 <DIR> --d----- c:\progra~2\napokoku
2009-04-16 00:03 <DIR> --d----- c:\programdata\mihisolo
2009-04-16 00:03 <DIR> --d----- c:\programdata\kerebodi
2009-04-16 00:03 <DIR> --d----- c:\programdata\bokatini
2009-04-16 00:03 <DIR> --d----- c:\progra~2\mihisolo
2009-04-16 00:03 <DIR> --d----- c:\progra~2\kerebodi
2009-04-16 00:03 <DIR> --d----- c:\progra~2\bokatini
2009-03-24 19:47 410,984 a------- c:\windows\system32\deploytk.dll
2009-03-24 19:23 <DIR> --d----- c:\users\marlen~1\appdata\roaming\IObit
2009-03-24 19:23 <DIR> --d----- c:\program files\IObit
2009-03-24 19:09 51,792 a------- c:\windows\system32\drivers\aswMonFlt.sys
2009-03-24 18:57 <DIR> --d----- c:\programdata\Avg7
2009-03-24 16:38 <DIR> --d----- c:\users\marlen~1\appdata\roaming\LimeWire
2009-03-24 16:35 <DIR> --d----- c:\program files\LimeWire

==================== Find3M ====================

2009-02-08 18:59 2,028,032 a------- c:\windows\system32\win32k.sys
2008-12-11 18:15 174 a--sh--- c:\program files\desktop.ini
2008-09-01 20:23 86,016 a------- c:\windows\inf\infstrng.dat
2008-09-01 20:23 86,016 a------- c:\windows\inf\infstor.dat
2008-09-01 20:23 51,200 a------- c:\windows\inf\infpub.dat
2008-06-16 03:06 665,600 a------- c:\windows\inf\drvindex.dat
2008-02-21 16:56 126 a------- c:\users\marlen~1\appdata\roaming\wklnhst.dat
2006-11-02 05:42 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 05:42 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 05:42 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 05:42 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 02:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 02:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 02:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 02:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat
2007-01-05 13:20 8,192 a--sh--- c:\windows\users\default\NTUSER.DAT

============= FINISH: 21:10:57.73 ===============

Edited by mrvsqz, 17 April 2009 - 11:23 PM.
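As an added triage example (not part of the original post or of the DDS tool): the script below re-reads the autorun and "Created Last 30" lines of the DDS log above and flags the Vundo/Virtumonde-style pattern visible in it, rundll32.exe loading c:\programdata\<name>\<name>.dll from a folder created in the last few days. The sample excerpt is copied from the posted log; the "eight letters alternating consonant and vowel" naming heuristic is an assumption drawn from the folder names in this log, not a rule DDS applies.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Excerpt constructed from the DDS log posted above: the autorun entries of the
# "Pseudo HJT Report" plus a few "Created Last 30" directory lines.
SAMPLE_DDS = r"""
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
uRun: [hakimopube] Rundll32.exe "c:\programdata\zefebilu\zefebilu.dll",s
uRun: [90abb579] rundll32.exe "c:\programdata\muyotohe\muyotohe.dll",b
uRun: [CPM939886e5] Rundll32.exe "c:\programdata\mejimaba\mejimaba.dll",a
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [SigmatelSysTrayApp] stsystra.exe
2009-04-17 20:40 <DIR> --d----- c:\programdata\mejimaba
2009-04-17 20:40 <DIR> --d----- c:\programdata\sogibujo
2009-04-17 20:40 <DIR> --d----- c:\programdata\muyotohe
2009-04-16 13:20 <DIR> --d----- c:\programdata\Malwarebytes
2009-04-16 12:19 <DIR> --d----- c:\programdata\zefebilu
2009-03-24 18:57 <DIR> --d----- c:\programdata\Avg7
"""

RUN_RE = re.compile(r"^([um])Run: \[([^\]]+)\] (.+)$")
DIR_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} <DIR> \S+ (c:\\programdata\\[^\\\s]+)$", re.I)
RUNDLL_RE = re.compile(r'^rundll32(?:\.exe)?\s+"?([^",]+)"?\s*,', re.I)
VOWELS = set("aeiou")


@dataclass
class RunEntry:
    hive: str      # 'u' = HKCU ...\Run, 'm' = HKLM ...\Run (DDS convention)
    name: str      # registry value name shown in brackets
    command: str   # command line that runs at logon


def is_random_style_name(name: str) -> bool:
    """Heuristic (assumption): eight letters alternating consonant/vowel, e.g. 'zefebilu'."""
    if len(name) != 8 or not name.isalpha() or not name.islower():
        return False
    return all((c in VOWELS) == (i % 2 == 1) for i, c in enumerate(name))


def parse_run_entries(text: str) -> list[RunEntry]:
    out = []
    for line in text.splitlines():
        m = RUN_RE.match(line.strip())
        if m:
            out.append(RunEntry(*m.groups()))
    return out


def rundll32_target(command: str) -> str | None:
    """Return the DLL path rundll32 is told to load, or None if not a rundll32 command."""
    m = RUNDLL_RE.match(command.strip())
    return m.group(1).strip().lower() if m else None


def loader_reasons(entry: RunEntry) -> list[str]:
    """Why an autorun entry looks like a Vundo-style loader (empty list = not flagged)."""
    dll = rundll32_target(entry.command)
    if dll is None:
        return []
    reasons = ["rundll32 loads a DLL at logon"]
    parts = dll.split("\\")
    if len(parts) >= 3 and parts[-3] == "programdata":
        reasons.append("DLL lives directly under c:\\programdata")
        folder, stem = parts[-2], parts[-1].rsplit(".", 1)[0]
        if folder == stem and is_random_style_name(folder):
            reasons.append(f"folder and DLL share the random-looking name '{folder}'")
    # rundll32 alone (e.g. oobefldr.dll from system32) is normal; need more evidence.
    return reasons if len(reasons) > 1 else []


def recent_random_dirs(text: str) -> set[str]:
    """Random-named c:\\programdata\\<name> folders from the 'Created Last 30' section."""
    found = set()
    for line in text.splitlines():
        m = DIR_RE.match(line.strip())
        if m:
            name = m.group(1).lower().rsplit("\\", 1)[1]
            if is_random_style_name(name):
                found.add(name)
    return found


def triage(text: str) -> dict:
    """Flag loader entries and list companion folders that have no autorun entry (yet)."""
    loaders, loaded_dirs = {}, set()
    for e in parse_run_entries(text):
        reasons = loader_reasons(e)
        if reasons:
            loaders[e.name] = reasons
            loaded_dirs.add(rundll32_target(e.command).split("\\")[-2])
    dormant = sorted(recent_random_dirs(text) - loaded_dirs)
    return {"loaders": loaders, "dormant_dirs": dormant}


if __name__ == "__main__":
    for key, value in triage(SAMPLE_DDS).items():
        print(key, value)
```

On the full log above the same check would list many more dormant folders than loaders, which is why a helper asks for a second tool's log rather than deleting only the three DLLs named in the autorun entries.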


#2 peku006

Posted 22 April 2009 - 09:40 AM

Hello!
My name is peku006 and I will be helping you.

In order to see what's going on with your computer I'll ask for you to post various logs from the tools that we will use to resolve your issue. Please also share with me any information about how your computer is reacting and behaving each step of the way as we work through this process.

Please download ComboFix from one of these locations:

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Instruction can be found HERE
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


Click on Yes, to continue scanning for malware.

#3 mrvsqz

Posted 24 April 2009 - 01:56 AM

Thank you so much for helping me! I assume you want the log that ComboFix provided. Here it is:

ComboFix 09-04-24.01 - Marlena Vasquez 04/23/2009 22:42.1 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.1022.325 [GMT -7:00]
Running from: c:\users\Marlena Vasquez\Desktop\ComboFix.exe
AV: avast! antivirus 4.8.1335 [VPS 090423-0] *On-access scanning disabled* (Updated)
.
/wow section - STAGE 1

/wow section - STAGE 40


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\programdata\duwedeba\duwedeba.dll
c:\programdata\papevili\papevili.dll
c:\programdata\zefebilu\zefebilu.dll

.
((((((((((((((((((((((((( Files Created from 2009-05-24 to 2009-4-24 )))))))))))))))))))))))))))))))
.

2009-04-23 22:04 . 2009-04-24 05:46 -------- d-----w c:\users\All Users\papevili
2009-04-23 22:04 . 2009-04-24 05:46 -------- d-----w c:\programdata\papevili
2009-04-23 22:04 . 2009-04-23 22:04 -------- d-----w c:\users\All Users\miwunado
2009-04-23 22:04 . 2009-04-23 22:04 -------- d-----w c:\users\All Users\jajeluno
2009-04-23 22:04 . 2009-04-23 22:04 -------- d-----w c:\programdata\miwunado
2009-04-23 22:04 . 2009-04-23 22:04 -------- d-----w c:\programdata\jajeluno
2009-04-23 07:56 . 2009-04-23 07:56 -------- d-----w c:\users\All Users\tawekole
2009-04-23 07:56 . 2009-04-23 07:56 -------- d-----w c:\programdata\tawekole
2009-04-23 07:56 . 2009-04-24 05:46 -------- d-----w c:\users\All Users\duwedeba
2009-04-23 07:56 . 2009-04-24 05:46 -------- d-----w c:\programdata\duwedeba
2009-04-23 07:56 . 2009-04-23 07:56 -------- d-----w c:\users\All Users\neniweja
2009-04-23 07:56 . 2009-04-23 07:56 -------- d-----w c:\programdata\neniweja
2009-04-19 19:35 . 2009-04-19 19:35 -------- d-----w c:\users\All Users\dunumeda
2009-04-19 19:35 . 2009-04-19 19:35 -------- d-----w c:\programdata\dunumeda
2009-04-19 19:34 . 2009-04-19 23:28 -------- d-----w c:\users\All Users\vajutuhi
2009-04-19 19:34 . 2009-04-19 23:28 -------- d-----w c:\programdata\vajutuhi
2009-04-19 19:34 . 2009-04-19 19:34 -------- d-----w c:\users\All Users\gisujewo
2009-04-19 19:34 . 2009-04-19 19:34 -------- d-----w c:\programdata\gisujewo
2009-04-19 05:17 . 2009-04-19 05:39 -------- d-----w c:\users\All Users\zomesasu
2009-04-19 05:17 . 2009-04-19 05:39 -------- d-----w c:\programdata\zomesasu
2009-04-19 05:17 . 2009-04-19 05:17 -------- d-----w c:\users\All Users\yawususi
2009-04-19 05:17 . 2009-04-19 05:17 -------- d-----w c:\users\All Users\dizupiva
2009-04-19 05:17 . 2009-04-19 05:17 -------- d-----w c:\programdata\yawususi
2009-04-19 05:17 . 2009-04-19 05:17 -------- d-----w c:\programdata\dizupiva
2009-04-18 17:17 . 2009-04-18 17:17 -------- d-----w c:\users\All Users\gunowini
2009-04-18 17:17 . 2009-04-18 17:17 -------- d-----w c:\programdata\gunowini
2009-04-18 17:17 . 2009-04-18 17:17 -------- d-----w c:\users\All Users\rudagitu
2009-04-18 17:17 . 2009-04-18 17:17 -------- d-----w c:\programdata\rudagitu
2009-04-18 17:17 . 2009-04-18 17:17 -------- d-----w c:\users\All Users\yefanopa
2009-04-18 17:17 . 2009-04-18 17:17 -------- d-----w c:\programdata\yefanopa
2009-04-18 03:48 . 2009-03-17 03:16 14848 ----a-w c:\windows\system32\apilogen.dll
2009-04-18 03:40 . 2009-04-18 03:40 -------- d-----w c:\users\All Users\mejimaba
2009-04-18 03:40 . 2009-04-18 03:40 -------- d-----w c:\programdata\mejimaba
2009-04-18 03:40 . 2009-04-18 04:02 -------- d-----w c:\users\All Users\muyotohe
2009-04-18 03:40 . 2009-04-18 04:02 -------- d-----w c:\programdata\muyotohe
2009-04-18 03:40 . 2009-04-18 03:40 -------- d-----w c:\users\All Users\sogibujo
2009-04-18 03:40 . 2009-04-18 03:40 -------- d-----w c:\programdata\sogibujo
2009-04-17 07:17 . 2009-04-17 07:40 -------- d-----w c:\users\All Users\piwigiki
2009-04-17 07:17 . 2009-04-17 07:40 -------- d-----w c:\programdata\piwigiki
2009-04-17 07:17 . 2009-04-17 07:17 -------- d-----w c:\users\All Users\hulayoba
2009-04-17 07:17 . 2009-04-17 07:17 -------- d-----w c:\programdata\hulayoba
2009-04-16 20:20 . 2009-04-16 20:20 -------- d-----w c:\users\Marlena Vasquez\AppData\Roaming\Malwarebytes
2009-04-16 20:20 . 2009-04-06 22:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-16 20:20 . 2009-04-06 22:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-16 20:20 . 2009-04-16 20:20 -------- d-----w c:\users\All Users\Malwarebytes
2009-04-16 20:20 . 2009-04-16 20:20 -------- d-----w c:\programdata\Malwarebytes
2009-04-16 19:19 . 2009-04-24 05:46 -------- d-----w c:\users\All Users\zefebilu
2009-04-16 19:19 . 2009-04-24 05:46 -------- d-----w c:\programdata\zefebilu
2009-04-16 19:19 . 2009-04-16 19:19 -------- d-----w c:\users\All Users\supamadi
2009-04-16 19:19 . 2009-04-16 19:19 -------- d-----w c:\users\All Users\bolijida
2009-04-16 19:19 . 2009-04-16 19:19 -------- d-----w c:\programdata\supamadi
2009-04-16 19:19 . 2009-04-16 19:19 -------- d-----w c:\programdata\bolijida
2009-04-16 19:18 . 2009-04-16 20:30 -------- d-----w c:\users\All Users\papulihe
2009-04-16 19:18 . 2009-04-16 20:30 -------- d-----w c:\programdata\papulihe
2009-04-16 19:18 . 2009-04-16 19:18 -------- d-----w c:\users\All Users\suliweya
2009-04-16 19:18 . 2009-04-16 19:18 -------- d-----w c:\users\All Users\lazusoju
2009-04-16 19:18 . 2009-04-16 19:18 -------- d-----w c:\programdata\suliweya
2009-04-16 19:18 . 2009-04-16 19:18 -------- d-----w c:\programdata\lazusoju
2009-04-16 07:34 . 2009-04-16 19:53 -------- d-----w c:\users\All Users\Lavasoft
2009-04-16 07:34 . 2009-04-16 19:53 -------- d-----w c:\programdata\Lavasoft
2009-04-16 07:09 . 2009-04-16 20:56 -------- d-----w c:\users\All Users\yijazowi
2009-04-16 07:09 . 2009-04-16 20:56 -------- d-----w c:\programdata\yijazowi
2009-04-16 07:09 . 2009-04-16 08:35 -------- d-----w c:\users\All Users\napokoku
2009-04-16 07:09 . 2009-04-16 08:35 -------- d-----w c:\programdata\napokoku
2009-04-16 07:03 . 2009-04-16 21:20 -------- d-----w c:\users\All Users\mihisolo
2009-04-16 07:03 . 2009-04-16 21:20 -------- d-----w c:\users\All Users\kerebodi
2009-04-16 07:03 . 2009-04-16 21:20 -------- d-----w c:\programdata\mihisolo
2009-04-16 07:03 . 2009-04-16 21:20 -------- d-----w c:\programdata\kerebodi
2009-04-16 07:03 . 2009-04-16 21:20 -------- d-----w c:\users\All Users\bokatini
2009-04-16 07:03 . 2009-04-16 21:20 -------- d-----w c:\programdata\bokatini

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-24 02:55 . 2006-11-02 11:18 -------- d-----w c:\program files\Windows Mail
2009-04-23 07:57 . 2008-05-28 03:08 -------- d-----w c:\programdata\Google Updater
2009-04-19 06:23 . 2008-01-31 14:24 7808 ----a-w c:\users\Marlena Vasquez\AppData\Local\d3d9caps.dat
2009-04-16 20:42 . 2006-12-13 00:22 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-04-16 20:40 . 2006-12-13 00:22 -------- d-----w c:\programdata\Spybot - Search & Destroy
2009-04-16 20:20 . 2009-04-16 20:20 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-15 19:51 . 2009-03-24 23:38 -------- d-----w c:\users\Marlena Vasquez\AppData\Roaming\LimeWire
2009-03-25 03:37 . 2009-03-25 02:23 -------- d-----w c:\users\Marlena Vasquez\AppData\Roaming\IObit
2009-03-25 03:37 . 2009-03-25 02:23 -------- d-----w c:\program files\IObit
2009-03-25 03:34 . 2006-11-17 06:41 -------- d-----w c:\program files\EA GAMES
2009-03-25 03:14 . 2009-03-24 23:35 -------- d-----w c:\program files\LimeWire
2009-03-25 02:45 . 2009-03-25 02:47 410984 ----a-w c:\windows\System32\deploytk.dll
2009-03-25 02:44 . 2006-11-13 00:45 -------- d-----w c:\program files\Java
2009-03-25 02:09 . 2009-03-25 02:09 -------- d-----w c:\program files\Alwil Software
2009-03-25 01:57 . 2009-03-25 01:57 -------- d-----w c:\programdata\Avg7
2009-03-25 01:27 . 2007-06-11 18:11 -------- d-----w c:\program files\DivX
2009-03-25 01:27 . 2006-11-13 00:58 -------- d-----w c:\programdata\Viewpoint
2009-03-25 01:25 . 2006-12-22 01:15 -------- d-----w c:\programdata\WildTangent
2009-03-25 01:25 . 2006-11-13 00:59 -------- d-----w c:\program files\WildTangent
2009-03-25 00:55 . 2008-11-17 04:51 -------- d-----w c:\program files\Citrix
2009-03-25 00:54 . 2005-08-17 02:54 -------- d-----w c:\program files\GemMaster
2009-03-25 00:24 . 2006-11-13 00:57 -------- d-----w c:\program files\Common Files\AOL
2009-03-25 00:24 . 2006-11-13 00:57 -------- d-----w c:\programdata\AOL
2009-03-25 00:23 . 2006-11-13 00:58 -------- d-----w c:\program files\Common Files\Nullsoft
2009-03-17 03:16 . 2009-04-18 03:48 40960 ----a-w c:\windows\AppPatch\apihex86.dll
2009-03-17 03:16 . 2009-04-18 03:48 25600 ----a-w c:\windows\System32\amxread.dll
2009-03-07 22:55 . 2009-03-07 22:55 -------- d-----w c:\programdata\MSScanAppDataDir
2009-03-04 01:50 . 2006-11-13 01:03 -------- d-----w c:\program files\Google
2009-03-03 04:24 . 2009-04-18 03:49 3469280 ----a-w c:\windows\System32\ntoskrnl.exe
2009-03-03 04:24 . 2009-04-18 03:49 3503584 ----a-w c:\windows\System32\ntkrnlpa.exe
2009-03-03 04:20 . 2009-04-18 03:48 826368 ----a-w c:\windows\System32\wininet.dll
2009-03-03 04:19 . 2009-04-18 03:49 158720 ----a-w c:\windows\System32\sdohlp.dll
2009-03-03 04:19 . 2009-04-18 03:49 549888 ----a-w c:\windows\System32\rpcss.dll
2009-03-03 04:19 . 2009-04-18 03:49 24576 ----a-w c:\windows\System32\printfilterpipelineprxy.dll
2009-03-03 04:16 . 2009-04-18 03:48 56320 ----a-w c:\windows\System32\iesetup.dll
2009-03-03 04:16 . 2009-04-18 03:49 97280 ----a-w c:\windows\System32\iasrecst.dll
2009-03-03 04:16 . 2009-04-18 03:49 53248 ----a-w c:\windows\System32\iasads.dll
2009-03-03 04:16 . 2009-04-18 03:49 37888 ----a-w c:\windows\System32\iasdatastore.dll
2009-03-03 04:16 . 2009-04-18 03:48 78336 ----a-w c:\windows\System32\ieencode.dll
2009-03-03 04:16 . 2009-04-18 03:48 52736 ----a-w c:\windows\AppPatch\iebrshim.dll
2009-03-03 04:15 . 2009-04-18 03:48 72704 ----a-w c:\windows\System32\admparse.dll
2009-03-03 02:40 . 2009-04-18 03:49 654336 ----a-w c:\windows\System32\printfilterpipelinesvc.exe
2009-03-03 02:08 . 2009-04-18 03:48 26624 ----a-w c:\windows\System32\ieUnatt.exe
2009-03-03 00:44 . 2009-04-18 03:48 48128 ----a-w c:\windows\System32\mshtmler.dll
2009-02-13 07:26 . 2009-04-18 03:49 72704 ----a-w c:\windows\System32\secur32.dll
2009-02-13 07:26 . 2009-04-18 03:49 1233408 ----a-w c:\windows\System32\lsasrv.dll
2009-02-13 07:26 . 2009-04-18 03:49 7680 ----a-w c:\windows\System32\lsass.exe
2009-02-09 01:59 . 2009-03-10 22:17 2028032 ----a-w c:\windows\System32\win32k.sys
2008-12-20 01:51 . 2008-10-04 19:37 7808 ----a-w c:\users\Guest\AppData\Local\d3d9caps.dat
2008-12-12 01:15 . 2006-11-02 12:50 174 --sha-w c:\program files\desktop.ini
2008-07-22 20:26 . 2008-07-22 20:26 107344 ----a-w c:\users\Guest\AppData\Local\GDIPFONTCACHEV1.DAT
2008-02-21 23:56 . 2008-02-21 23:55 126 ----a-w c:\users\Marlena Vasquez\AppData\Roaming\wklnhst.dat
2008-01-24 00:25 . 2008-01-24 00:25 107344 ----a-w c:\users\Marlena Vasquez\AppData\Local\GDIPFONTCACHEV1.DAT
2008-01-24 00:00 . 2008-01-03 05:49 107344 ----a-w c:\users\Music\AppData\Local\GDIPFONTCACHEV1.DAT
2008-01-04 03:35 . 2008-01-04 03:35 7592 ----a-w c:\users\Music\AppData\Local\d3d9caps.dat
2005-08-17 02:52 . 2008-07-22 20:25 136 ----a-w c:\users\Guest\AppData\Local\fusioncache.dat
2005-08-17 02:52 . 2008-01-24 00:24 136 ----a-w c:\users\Marlena Vasquez\AppData\Local\fusioncache.dat
2005-08-17 02:52 . 2008-01-03 05:48 136 ----a-w c:\users\Music\AppData\Local\fusioncache.dat
2007-01-05 20:20 . 2007-01-05 20:20 8192 --sha-w c:\windows\Users\Default\NTUSER.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-09 1232896]
"WindowsWelcomeCenter"="oobefldr.dll" - c:\windows\System32\oobefldr.dll [2006-11-02 2159104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PCMService"="c:\program files\Dell\MediaDirect\PCMService.exe" [2006-08-22 184320]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-25 136600]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-09-11 289576]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]
"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2006-03-25 282624]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\disabledrunkeys]
"MSKDetectorExe"=c:\program files\McAfee\SpamKiller\MSKDetct.exe /uninstall
"Zone Labs Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"= %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000
"%windir%\\system32\\sessmgr.exe"= %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019
"c:\\Program Files\\America Online 9.0\\waol.exe"= c:\program files\America Online 9.0\waol.exe:*:Enabled:AOL
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"= c:\program files\Common Files\AOL\ACS\AOLacsd.exe:*:Enabled:AOL
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"= c:\program files\Common Files\AOL\ACS\AOLDial.exe:*:Enabled:AOL

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile\GloballyOpenPorts\List]
"137:UDP"= 137:UDP:*:Enabled:@xpsp2res.dll,-22001
"138:UDP"= 138:UDP:*:Enabled:@xpsp2res.dll,-22002
"139:TCP"= 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP"= 445:TCP:*:Enabled:@xpsp2res.dll,-22005

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe-UDP-Domain"= TCP:c:\program files\Common Files\AOL\ACS\AOLDial.exe:AOL
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe-TCP-Domain"= UDP:c:\program files\Common Files\AOL\ACS\AOLDial.exe:AOL
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe-UDP-Domain"= TCP:c:\program files\Common Files\AOL\ACS\AOLacsd.exe:AOL
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe-TCP-Domain"= UDP:c:\program files\Common Files\AOL\ACS\AOLacsd.exe:AOL
"c:\\Program Files\\America Online 9.0\\waol.exe-UDP-Domain"= TCP:c:\program files\America Online 9.0\waol.exe:AOL
"c:\\Program Files\\America Online 9.0\\waol.exe-TCP-Domain"= UDP:c:\program files\America Online 9.0\waol.exe:AOL
"%windir%\\Network Diagnostic\\xpnetdiag.exe-UDP-Domain"= TCP:%windir%\Network Diagnostic\xpnetdiag.exe:@xpsp3res.dll,-20000
"%windir%\\Network Diagnostic\\xpnetdiag.exe-TCP-Domain"= UDP:%windir%\Network Diagnostic\xpnetdiag.exe:@xpsp3res.dll,-20000
"c:\\Program Files\\Messenger\\msmsgs.exe-UDP-Standard"= TCP:Profile=Public|c:\program files\Messenger\msmsgs.exe:Windows Messenger
"c:\\Program Files\\Messenger\\msmsgs.exe-TCP-Standard"= UDP:Profile=Public|c:\program files\Messenger\msmsgs.exe:Windows Messenger
"c:\\Program Files\\LimeWire\\LimeWire.exe-UDP-Standard"= TCP:Profile=Public|c:\program files\LimeWire\LimeWire.exe:LimeWire
"c:\\Program Files\\LimeWire\\LimeWire.exe-TCP-Standard"= UDP:Profile=Public|c:\program files\LimeWire\LimeWire.exe:LimeWire
"c:\\Program Files\\iTunes\\iTunes.exe-UDP-Standard"= TCP:c:\program files\iTunes\iTunes.exe:iTunes
"c:\\Program Files\\iTunes\\iTunes.exe-TCP-Standard"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"c:\\Program Files\\Grisoft\\AVG Free\\avginet.exe-UDP-Standard"= TCP:Profile=Public|c:\program files\Grisoft\AVG Free\avginet.exe:avginet.exe
"c:\\Program Files\\Grisoft\\AVG Free\\avginet.exe-TCP-Standard"= UDP:Profile=Public|c:\program files\Grisoft\AVG Free\avginet.exe:avginet.exe
"c:\\Program Files\\Grisoft\\AVG Free\\avgcc.exe-UDP-Standard"= TCP:Profile=Public|c:\program files\Grisoft\AVG Free\avgcc.exe:avgcc.exe
"c:\\Program Files\\Grisoft\\AVG Free\\avgcc.exe-TCP-Standard"= UDP:Profile=Public|c:\program files\Grisoft\AVG Free\avgcc.exe:avgcc.exe
"c:\\Program Files\\Grisoft\\AVG Free\\avgamsvr.exe-UDP-Standard"= TCP:Profile=Public|c:\program files\Grisoft\AVG Free\avgamsvr.exe:avgamsvr.exe
"c:\\Program Files\\Grisoft\\AVG Free\\avgamsvr.exe-TCP-Standard"= UDP:Profile=Public|c:\program files\Grisoft\AVG Free\avgamsvr.exe:avgamsvr.exe
"c:\\Program Files\\Dell\\MediaDirect\\PCMService.exe-UDP-Standard"= TCP:Profile=Public|c:\program files\Dell\MediaDirect\PCMService.exe:CyberLink PowerCinema Resident Program
"c:\\Program Files\\Dell\\MediaDirect\\PCMService.exe-TCP-Standard"= UDP:Profile=Public|c:\program files\Dell\MediaDirect\PCMService.exe:CyberLink PowerCinema Resident Program
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe-UDP-Standard"= TCP:Profile=Public|c:\program files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe-TCP-Standard"= UDP:Profile=Public|c:\program files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe-UDP-Standard"= TCP:Profile=Public|c:\program files\Common Files\AOL\ACS\AOLDial.exe:AOL
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe-TCP-Standard"= UDP:Profile=Public|c:\program files\Common Files\AOL\ACS\AOLDial.exe:AOL
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe-UDP-Standard"= TCP:Profile=Public|c:\program files\Common Files\AOL\ACS\AOLacsd.exe:AOL
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe-TCP-Standard"= UDP:Profile=Public|c:\program files\Common Files\AOL\ACS\AOLacsd.exe:AOL
"c:\\Program Files\\America Online 9.0\\waol.exe-UDP-Standard"= TCP:Profile=Public|c:\program files\America Online 9.0\waol.exe:AOL
"c:\\Program Files\\America Online 9.0\\waol.exe-TCP-Standard"= UDP:Profile=Public|c:\program files\America Online 9.0\waol.exe:AOL
"%windir%\\Network Diagnostic\\xpnetdiag.exe-UDP-Standard"= TCP:Profile=Public|%windir%\Network Diagnostic\xpnetdiag.exe:@xpsp3res.dll,-20000
"%windir%\\Network Diagnostic\\xpnetdiag.exe-TCP-Standard"= UDP:Profile=Public|%windir%\Network Diagnostic\xpnetdiag.exe:@xpsp3res.dll,-20000
"TCP Query User{3071A036-5484-4FD4-9781-37066BFFCFAD}c:\\program files\\internet explorer\\iexplore.exe"= UDP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"UDP Query User{1CBD224F-F161-4F0A-BC1D-94C8D293B3E0}c:\\program files\\internet explorer\\iexplore.exe"= TCP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"TCP Query User{BAFCE3D1-5BFC-4E9F-B045-627AFFEAEBA0}c:\\program files\\last.fm\\lastfm.exe"= UDP:c:\program files\last.fm\lastfm.exe:LastFM
"UDP Query User{124B8E85-D456-4E7C-9D41-63793765F94B}c:\\program files\\last.fm\\lastfm.exe"= TCP:c:\program files\last.fm\lastfm.exe:LastFM
"TCP Query User{CBAEC784-F6FC-4542-98C8-B0DFC7C1562C}c:\\program files\\mozilla firefox\\firefox.exe"= UDP:c:\program files\mozilla firefox\firefox.exe:Firefox
"UDP Query User{16C95AB0-43C9-4BED-AF16-28105AFFBF14}c:\\program files\\mozilla firefox\\firefox.exe"= TCP:c:\program files\mozilla firefox\firefox.exe:Firefox
"TCP Query User{8CCB59ED-83A4-46A4-8A3E-0E9EE401CEAF}c:\\program files\\veoh networks\\veoh\\veohclient.exe"= UDP:c:\program files\veoh networks\veoh\veohclient.exe:Veoh Client
"UDP Query User{1536D9FE-C9BC-4A20-92EF-345EB712499F}c:\\program files\\veoh networks\\veoh\\veohclient.exe"= TCP:c:\program files\veoh networks\veoh\veohclient.exe:Veoh Client
"{FEE1A96C-7F2F-40DC-B7E9-A1001BD49586}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{1CCC711F-E128-4E2C-B3E2-E11D346F35C2}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{9F700328-F0E1-45C7-8CA5-3C3151EC39F0}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{DEAAB568-FDF6-497E-B179-9C1F3EA78871}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\RestrictedServices\Static\System]
"DFSR-1"= RPort=5722|UDP:%SystemRoot%\system32\svchost.exe|Svc=DFSR:Allow inbound TCP traffic|

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"= %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000
"%windir%\\system32\\sessmgr.exe"= %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019
"c:\\Program Files\\America Online 9.0\\waol.exe"= c:\program files\America Online 9.0\waol.exe:*:Enabled:AOL
"c:\\Program Files\\Dell\\MediaDirect\\PCMService.exe"= c:\program files\Dell\MediaDirect\PCMService.exe:*:Enabled:CyberLink PowerCinema Resident Program
"c:\\Program Files\\iTunes\\iTunes.exe"= c:\program files\iTunes\iTunes.exe:*:Enabled:iTunes
"c:\\Program Files\\LimeWire\\LimeWire.exe"= c:\program files\LimeWire\LimeWire.exe:*:Enabled:LimeWire

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\GloballyOpenPorts\List]
"137:UDP"= 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP"= 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002
"139:TCP"= 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"1900:UDP"= 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP"= 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"445:TCP"= 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005

R3 JL2005;JL2005A Toy Camera;c:\windows\system32\Drivers\toywdm.sys [2005-05-10 71336]
S1 aswSP;avast! Self Protection; [x]
S2 aswFsBlk;aswFsBlk;c:\windows\system32\DRIVERS\aswFsBlk.sys [2009-02-05 20560]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\DRIVERS\aswMonFlt.sys [2009-02-05 51792]


--- Other Services/Drivers In Memory ---

*Deregistered* - srescan
*Deregistered* - vsdatant

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WudfServiceGroup REG_MULTI_SZ WUDFSvc

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{94baeb27-edc5-11dd-9168-0015c5c59857}]
\shell\AutoRun\command - F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9dfdde67-2802-11dc-ba1c-0015c5c59857}]
\shell\AutoRun\command - e:\system\viewer\Viewer.exe
\shell\View your videos\command - e:\system\viewer\Viewer.exe
.
Contents of the 'Scheduled Tasks' folder

2009-04-24 c:\windows\Tasks\AWC Startup.job
- c:\program files\IObit\Advanced SystemCare 3\AWC.exe [2009-03-25 21:45]

2009-04-24 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-05-28 07:18]

2009-04-18 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2007-05-19 22:17]

2009-04-16 c:\windows\Tasks\SmartDefrag.job
- c:\program files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe [2009-03-25 01:15]

2008-08-15 c:\windows\Tasks\User_Feed_Synchronization-{1AE82F61-2E07-45E6-9BFF-97B72B5B886E}.job
- c:\windows\system32\msfeedssync.exe [2006-11-02 09:45]

2009-04-24 c:\windows\Tasks\User_Feed_Synchronization-{1C8271B5-30F9-4AE7-8DCE-34FD818AF014}.job
- c:\windows\system32\msfeedssync.exe [2006-11-02 09:45]

2009-04-24 c:\windows\Tasks\User_Feed_Synchronization-{84A1BA51-4883-4BA3-A323-63AD8FEA1F97}.job
- c:\windows\system32\msfeedssync.exe [2006-11-02 09:45]

2009-04-24 c:\windows\Tasks\User_Feed_Synchronization-{CC158875-7AF2-45A4-9CB7-E46957C2E18D}.job
- c:\windows\system32\msfeedssync.exe [2006-11-02 09:45]

2009-04-24 c:\windows\Tasks\User_Feed_Synchronization-{F110F1D0-2F09-416C-A765-3F6519F4ED5D}.job
- c:\windows\system32\msfeedssync.exe [2006-11-02 09:45]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-hakimopube - c:\programdata\zefebilu\zefebilu.dll
HKCU-Run-90abb579 - c:\programdata\duwedeba\duwedeba.dll
HKCU-Run-CPM939886e5 - c:\programdata\papevili\papevili.dll


.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\users\Marlena Vasquez\AppData\Roaming\Mozilla\Firefox\Profiles\b05rmcjt.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\users\Marlena Vasquez\AppData\Roaming\Mozilla\Firefox\Profiles\b05rmcjt.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071303000006.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-23 23:46
Windows 6.0.6000 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\System\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\audiodg.exe
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\microsoft shared\VS7DEBUG\MDM.EXE
c:\program files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
c:\program files\Alwil Software\Avast4\ashDisp.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-04-24 23:49 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-24 06:49

Pre-Run: 15,351,574,528 bytes free
Post-Run: 15,358,148,608 bytes free

326 --- E O F --- 2009-04-23 22:35

#4 peku006

peku006

    Malware Fighter


  • Members
  • 36 posts
  • OFFLINE
  • Local time:11:50 PM

Posted 24 April 2009 - 05:07 AM

Hi mrvsqz

1 - Download and Run OTMoveIt3

Download OTMoveIt3 by Old Timer and save it to your Desktop.
  • Double-click OTMoveIt3.exe.
  • Copy the lines in the codebox below.
:files
c:\users\All Users\papevili
c:\programdata\papevili
c:\users\All Users\miwunado
c:\users\All Users\jajeluno
c:\programdata\miwunado
c:\programdata\jajeluno
c:\users\All Users\tawekole
c:\programdata\tawekole
c:\users\All Users\duwedeba
c:\programdata\duwedeba
c:\users\All Users\neniweja
c:\programdata\neniweja
c:\users\All Users\dunumeda
c:\programdata\dunumeda
c:\users\All Users\vajutuhi
c:\programdata\vajutuhi
c:\users\All Users\gisujewo
c:\programdata\gisujewo
c:\users\All Users\zomesasu
c:\programdata\zomesasu
c:\users\All Users\yawususi
c:\users\All Users\dizupiva
c:\programdata\yawususi
c:\programdata\dizupiva
c:\users\All Users\gunowini
c:\programdata\gunowini
c:\users\All Users\rudagitu
c:\programdata\rudagitu
c:\users\All Users\yefanopa
c:\programdata\yefanopa
c:\users\All Users\mejimaba
c:\programdata\mejimaba
c:\users\All Users\muyotohe
c:\programdata\muyotohe
c:\users\All Users\sogibujo
c:\programdata\sogibujo
c:\users\All Users\piwigiki
c:\programdata\piwigiki
c:\users\All Users\hulayoba
c:\programdata\hulayoba
c:\users\All Users\zefebilu
c:\programdata\zefebilu
c:\users\All Users\supamadi
c:\users\All Users\bolijida
c:\programdata\supamadi
c:\programdata\bolijida
c:\users\All Users\papulihe
c:\programdata\papulihe
c:\users\All Users\suliweya
c:\users\All Users\lazusoju
c:\programdata\suliweya
c:\programdata\lazusoju
c:\users\All Users\yijazowi
c:\programdata\yijazowi
c:\users\All Users\napokoku
c:\programdata\napokoku
c:\users\All Users\mihisolo
c:\users\All Users\kerebodi
c:\programdata\mihisolo
c:\programdata\kerebodi
c:\users\All Users\bokatini
c:\programdata\bokatini
  • Return to OTMoveIt3, right click in the Paste Instructions for Items to be Moved window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar), and paste it in your next reply.
  • Close OTMoveIt3
2 - Run Malwarebytes' Anti-Malware
  • Open Malwarebytes' Anti-Malware
  • Select the Update tab
  • Click Check for Updates
  • Click on Perform full scan, then click on Scan.
  • Leave the default options as they are and click on Start Scan.
  • When done, you will be prompted. Click OK, then click on Show Results.
  • Check (tick) all items except items in the System Volume Information folder and click on Remove Selected.
  • After it has removed the items, Notepad will open. Please post this log in your next reply. You can also find the log in the Logs tab. The bottom most log is the latest.
3 - Status Check
Please reply with

the OTMoveIt3 log
the Malwarebytes' Anti-Malware Log
a fresh dds.txt

Thanks peku006
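The folders peku006 lists above, and the HKCU Run orphans in the ComboFix log earlier in this thread, share one layout: a ProgramData folder of eight lowercase letters holding a DLL of the same name. As an added example that is not part of this thread, of ComboFix or of OTMoveIt3, the Python below parses constructed ComboFix orphan lines and OTMoveIt3 result lines (values copied from the logs posted here, plus one constructed orphan the move log omits), flags Run targets matching that layout, and checks the move log to confirm each flagged folder was actually handled.

```python
"""Added example (not part of this thread or of ComboFix/OTMoveIt3).

Parses two constructed log fragments whose values are copied from the
logs posted in this thread:
  * ComboFix "ORPHANS REMOVED" lines:  HKCU-Run-<value> - <target>
  * OTMoveIt3 result lines:            <path> moved successfully. /
                                       File/Folder <path> not found.
Flags Run targets that follow the Vundo-style layout seen here
(c:\\programdata\\<8 lowercase letters>\\<same name>.dll) and reports
whether the OTMoveIt3 log confirms that each flagged folder was moved.
"""
import re

# ComboFix orphan line, e.g. "HKCU-Run-hakimopube - c:\programdata\zefebilu\zefebilu.dll"
ORPHAN_RE = re.compile(r"^HK(?:CU|LM)-Run-(?P<value>\S+)\s+-\s+(?P<target>.+?)\s*$")
# Layout observed in this thread: folder of 8 lowercase letters, DLL named after the folder.
# On Vista c:\users\All Users is a junction to c:\programdata, so both spellings are accepted.
VUNDO_RE = re.compile(
    r"^c:\\(?:programdata|users\\all users)\\(?P<folder>[a-z]{8})\\(?P=folder)\.dll$"
)
MOVED_RE = re.compile(r"^(?P<path>.+?) moved successfully\.$")
NOTFOUND_RE = re.compile(r"^File/Folder (?P<path>.+?) not found\.$")


def parse_orphans(lines):
    """Return (value_name, target_path) pairs from ComboFix orphan lines."""
    pairs = []
    for line in lines:
        m = ORPHAN_RE.match(line.strip())
        if m:
            pairs.append((m.group("value"), m.group("target")))
    return pairs


def vundo_folder(target):
    """Return the folder name if the target matches the Vundo-style layout, else None."""
    m = VUNDO_RE.match(target.strip().lower())
    return m.group("folder") if m else None


def parse_otmoveit(lines):
    """Map each path in an OTMoveIt3 result log (lowercased) to 'moved' or 'not found'."""
    status = {}
    for line in lines:
        line = line.strip()
        m = MOVED_RE.match(line)
        if m:
            status[m.group("path").lower()] = "moved"
            continue
        m = NOTFOUND_RE.match(line)
        if m:
            status[m.group("path").lower()] = "not found"
    return status


def verify_cleanup(orphan_lines, otmoveit_lines):
    """For every Vundo-style orphan, decide whether its folder was moved, absent or unhandled.

    Because of the junction, the same folder typically appears once as
    'moved successfully' and once as 'not found'; any 'moved' counts as cleaned.
    """
    status = parse_otmoveit(otmoveit_lines)
    report = {}
    for _value, target in parse_orphans(orphan_lines):
        folder = vundo_folder(target)
        if folder is None:
            continue  # target does not follow the pattern; not triaged here
        outcomes = [status.get(f"c:\\programdata\\{folder}", "unhandled"),
                    status.get(f"c:\\users\\all users\\{folder}", "unhandled")]
        if "moved" in outcomes:
            report[folder] = "moved"
        elif all(o == "not found" for o in outcomes):
            report[folder] = "absent"
        else:
            report[folder] = "unhandled"
    return report


# Constructed input: three orphan lines copied from the ComboFix log in this thread,
# one constructed benign entry, and one constructed orphan (bokatini) that the
# sample move log below deliberately omits.
SAMPLE_ORPHANS = r"""
HKCU-Run-hakimopube - c:\programdata\zefebilu\zefebilu.dll
HKCU-Run-90abb579 - c:\programdata\duwedeba\duwedeba.dll
HKCU-Run-CPM939886e5 - c:\programdata\papevili\papevili.dll
HKCU-Run-Sidebar - c:\program files\windows sidebar\sidebar.exe
HKCU-Run-constructed - c:\programdata\bokatini\bokatini.dll
""".strip().splitlines()

# Constructed input: OTMoveIt3 result lines copied from the log in this thread.
SAMPLE_OTMOVEIT = r"""
c:\users\All Users\papevili moved successfully.
File/Folder c:\programdata\papevili not found.
c:\users\All Users\duwedeba moved successfully.
File/Folder c:\programdata\duwedeba not found.
c:\users\All Users\zefebilu moved successfully.
File/Folder c:\programdata\zefebilu not found.
""".strip().splitlines()

if __name__ == "__main__":
    for folder, verdict in verify_cleanup(SAMPLE_ORPHANS, SAMPLE_OTMOVEIT).items():
        print(f"{folder}: {verdict}")
```

An "unhandled" verdict means the orphan's folder appears in neither form in the move log, which is the case to send back to the helper before declaring the machine clean.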

#5 mrvsqz

mrvsqz
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:02:50 PM

Posted 24 April 2009 - 06:56 PM

Hello peku006,
Thanks again for all your help. Here are the logs you requested:

OTMoveIt3:

========== FILES ==========
c:\users\All Users\papevili moved successfully.
File/Folder c:\programdata\papevili not found.
c:\users\All Users\miwunado moved successfully.
c:\users\All Users\jajeluno moved successfully.
File/Folder c:\programdata\miwunado not found.
File/Folder c:\programdata\jajeluno not found.
c:\users\All Users\tawekole moved successfully.
File/Folder c:\programdata\tawekole not found.
c:\users\All Users\duwedeba moved successfully.
File/Folder c:\programdata\duwedeba not found.
c:\users\All Users\neniweja moved successfully.
File/Folder c:\programdata\neniweja not found.
c:\users\All Users\dunumeda moved successfully.
File/Folder c:\programdata\dunumeda not found.
c:\users\All Users\vajutuhi moved successfully.
File/Folder c:\programdata\vajutuhi not found.
c:\users\All Users\gisujewo moved successfully.
File/Folder c:\programdata\gisujewo not found.
c:\users\All Users\zomesasu moved successfully.
File/Folder c:\programdata\zomesasu not found.
c:\users\All Users\yawususi moved successfully.
c:\users\All Users\dizupiva moved successfully.
File/Folder c:\programdata\yawususi not found.
File/Folder c:\programdata\dizupiva not found.
c:\users\All Users\gunowini moved successfully.
File/Folder c:\programdata\gunowini not found.
c:\users\All Users\rudagitu moved successfully.
File/Folder c:\programdata\rudagitu not found.
c:\users\All Users\yefanopa moved successfully.
File/Folder c:\programdata\yefanopa not found.
c:\users\All Users\mejimaba moved successfully.
File/Folder c:\programdata\mejimaba not found.
c:\users\All Users\muyotohe moved successfully.
File/Folder c:\programdata\muyotohe not found.
c:\users\All Users\sogibujo moved successfully.
File/Folder c:\programdata\sogibujo not found.
c:\users\All Users\piwigiki moved successfully.
File/Folder c:\programdata\piwigiki not found.
c:\users\All Users\hulayoba moved successfully.
File/Folder c:\programdata\hulayoba not found.
c:\users\All Users\zefebilu moved successfully.
File/Folder c:\programdata\zefebilu not found.
c:\users\All Users\supamadi moved successfully.
c:\users\All Users\bolijida moved successfully.
File/Folder c:\programdata\supamadi not found.
File/Folder c:\programdata\bolijida not found.
c:\users\All Users\papulihe moved successfully.
File/Folder c:\programdata\papulihe not found.
c:\users\All Users\suliweya moved successfully.
c:\users\All Users\lazusoju moved successfully.
File/Folder c:\programdata\suliweya not found.
File/Folder c:\programdata\lazusoju not found.
c:\users\All Users\yijazowi moved successfully.
File/Folder c:\programdata\yijazowi not found.
c:\users\All Users\napokoku moved successfully.
File/Folder c:\programdata\napokoku not found.
c:\users\All Users\mihisolo moved successfully.
c:\users\All Users\kerebodi moved successfully.
File/Folder c:\programdata\mihisolo not found.
File/Folder c:\programdata\kerebodi not found.
c:\users\All Users\bokatini moved successfully.
File/Folder c:\programdata\bokatini not found.

OTMoveIt3 by OldTimer - Version 1.0.11.0 log created on 04242009_111205

Malwarebytes Anti-Malware:

Malwarebytes' Anti-Malware 1.36
Database version: 2036
Windows 6.0.6000

4/24/2009 4:40:05 PM
mbam-log-2009-04-24 (16-40-05).txt

Scan type: Full Scan (C:\|)
Objects scanned: 201541
Time elapsed: 1 hour(s), 39 minute(s), 36 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\dslcnnct (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\_OTMoveIt\MovedFiles\04242009_111205\users\All Users\jajeluno\jajeluno.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\_OTMoveIt\MovedFiles\04242009_111205\users\All Users\lazusoju\lazusoju.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

DDS.txt:

DDS (Ver_09-03-16.01) - NTFSx86
Run by Marlena Vasquez at 16:49:56.29 on Fri 04/24/2009
Internet Explorer: 7.0.6000.16830 BrowserJavaVersion: 1.6.0_11
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.1022.388 [GMT -7:00]

AV: avast! antivirus 4.8.1335 [VPS 090424-0] *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe
C:\Windows\Explorer.EXE
C:\Program Files\Dell\MediaDirect\PCMService.exe
C:\Windows\stsystra.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Windows\System32\mobsync.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\Marlena Vasquez\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
mRun: [PCMService] "c:\program files\dell\mediadirect\PCMService.exe"
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/4/9/e494c802-dd90-4c6b-a074-469358f075a6/OGAControl.cab
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://www2.snapfish.com/SnapfishActivia.cab
DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader3.cab
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://download.divx.com/player/DivXBrowserPlugin.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_04-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E473A65C-8087-49A3-AFFD-C5BC4A10669B} - hxxp://mvnet.xlontech.net/qm/fox/06101102/qsp2ie06101001.cab
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - %SystemRoot%\system32\wpdshserviceobj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\users\marlen~1\appdata\roaming\mozilla\firefox\profiles\b05rmcjt.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\users\marlena vasquez\appdata\roaming\mozilla\firefox\profiles\b05rmcjt.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp071303000006.dll

============= SERVICES / DRIVERS ===============

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-3-24 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-3-24 20560]
R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2009-3-24 51792]
S3 JL2005;JL2005A Toy Camera;c:\windows\system32\drivers\toywdm.sys [2005-5-9 71336]

=============== Created Last 30 ================

2009-04-24 11:12 <DIR> --d----- C:\_OTMoveIt
2009-04-23 22:41 320,000 a------- c:\windows\system32\CF11958.exe
2009-04-23 22:41 <DIR> --d----- C:\ComboFix
2009-04-23 16:36 161,792 a------- c:\windows\SWREG.exe
2009-04-23 16:36 98,816 a------- c:\windows\sed.exe
2009-04-17 20:48 25,600 a------- c:\windows\system32\amxread.dll
2009-04-16 13:20 <DIR> --d----- c:\users\marlen~1\appdata\roaming\Malwarebytes
2009-04-16 13:20 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-04-16 13:20 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-16 13:20 <DIR> --d----- c:\programdata\Malwarebytes
2009-04-16 13:20 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-04-16 13:20 <DIR> --d----- c:\progra~2\Malwarebytes
2009-04-16 00:34 <DIR> --d----- c:\programdata\Lavasoft

==================== Find3M ====================

2009-03-24 19:45 410,984 a------- c:\windows\system32\deploytk.dll
2009-03-16 20:16 40,960 a------- c:\windows\apppatch\apihex86.dll
2009-03-16 20:16 14,848 a------- c:\windows\system32\apilogen.dll
2009-03-02 21:24 3,503,584 a------- c:\windows\system32\ntkrnlpa.exe
2009-03-02 21:24 3,469,280 a------- c:\windows\system32\ntoskrnl.exe
2009-03-02 21:20 826,368 a------- c:\windows\system32\wininet.dll
2009-03-02 21:19 158,720 a------- c:\windows\system32\sdohlp.dll
2009-03-02 21:19 549,888 a------- c:\windows\system32\rpcss.dll
2009-03-02 21:19 24,576 a------- c:\windows\system32\printfilterpipelineprxy.dll
2009-03-02 21:16 56,320 a------- c:\windows\system32\iesetup.dll
2009-03-02 21:16 97,280 a------- c:\windows\system32\iasrecst.dll
2009-03-02 21:16 78,336 a------- c:\windows\system32\ieencode.dll
2009-03-02 21:16 53,248 a------- c:\windows\system32\iasads.dll
2009-03-02 21:16 52,736 a------- c:\windows\apppatch\iebrshim.dll
2009-03-02 21:16 37,888 a------- c:\windows\system32\iasdatastore.dll
2009-03-02 21:15 72,704 a------- c:\windows\system32\admparse.dll
2009-03-02 19:40 654,336 a------- c:\windows\system32\printfilterpipelinesvc.exe
2009-03-02 19:08 26,624 a------- c:\windows\system32\ieUnatt.exe
2009-03-02 17:44 48,128 a------- c:\windows\system32\mshtmler.dll
2009-02-13 00:26 72,704 a------- c:\windows\system32\secur32.dll
2009-02-13 00:26 1,233,408 a------- c:\windows\system32\lsasrv.dll
2009-02-13 00:26 7,680 a------- c:\windows\system32\lsass.exe
2009-02-08 18:59 2,028,032 a------- c:\windows\system32\win32k.sys
2008-12-11 18:15 174 a--sh--- c:\program files\desktop.ini
2008-09-01 20:23 86,016 a------- c:\windows\inf\infstrng.dat
2008-09-01 20:23 86,016 a------- c:\windows\inf\infstor.dat
2008-09-01 20:23 51,200 a------- c:\windows\inf\infpub.dat
2008-06-16 03:06 665,600 a------- c:\windows\inf\drvindex.dat
2008-02-21 16:56 126 a------- c:\users\marlen~1\appdata\roaming\wklnhst.dat
2006-11-02 05:42 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 05:42 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 05:42 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 05:42 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 02:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 02:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 02:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 02:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat
2007-01-05 13:20 8,192 a--sh--- c:\windows\users\default\NTUSER.DAT

============= FINISH: 16:52:37.92 ===============

#6 peku006

peku006

    Malware Fighter


  • Members
  • 36 posts
  • OFFLINE
  • Local time:11:50 PM

Posted 25 April 2009 - 04:07 AM

Hi mrvsqz

Looking good :thumbup2:
Let's make sure we got everything

1 - Clean temp files
Download and Run ATF Cleaner
Download ATF (Atribune Temp File) Cleaner© by Atribune to your desktop. Double-click ATF Cleaner.exe to open it.

Under Main choose:
  • Windows Temp
  • Current User Temp
  • All Users Temp
  • Temporary Internet Files
  • Prefetch
  • Java Cache

*The other boxes are optional*
Then click the Empty Selected button.
If you use Firefox: Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.
If you use Opera: Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.
Click Exit on the Main menu to close the program
2 - Kaspersky Online Scan

Please go to Kaspersky website and perform an online antivirus scan.
  • Read through the requirements and privacy statement and click on Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
    • Mail databases
  • Click on My Computer under Scan.
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  • Please post this log in your next reply.
3 - Status Check
Please reply with

1. the Kaspersky online scanner report

How's the computer running now? Any problems?

Thanks peku006

#7 mrvsqz

mrvsqz
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:02:50 PM

Posted 26 April 2009 - 10:11 PM

Hi peku006,
The computer seems to be running fine - no more strange pop-ups and the browser speed is back to normal. Here are the results of the Kaspersky scan:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0 REPORT
Sunday, April 26, 2009
Operating System: Microsoft Windows Vista Home Premium Edition, 32-bit (build 6000)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Sunday, April 26, 2009 22:34:08
Records in database: 2081808
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\

Scan statistics:
Files scanned: 124394
Threat name: 2
Infected objects: 11
Suspicious objects: 0
Duration of the scan: 02:47:39


File name / Threat name / Threats count
C:\Qoobox\Quarantine\C\ProgramData\papevili\papevili.dll.vir Infected: Trojan.Win32.Monder.bzdz 1
C:\Qoobox\Quarantine\C\ProgramData\zefebilu\zefebilu.dll.vir Infected: Trojan-Downloader.Win32.Agent.bqxc 1
C:\_OTMoveIt\MovedFiles\04242009_111205\users\All Users\bolijida\bolijida.dll Infected: Trojan-Downloader.Win32.Agent.bqxc 1
C:\_OTMoveIt\MovedFiles\04242009_111205\users\All Users\dunumeda\dunumeda.dll Infected: Trojan.Win32.Monder.bzdz 1
C:\_OTMoveIt\MovedFiles\04242009_111205\users\All Users\gunowini\gunowini.dll Infected: Trojan.Win32.Monder.bzdz 1
C:\_OTMoveIt\MovedFiles\04242009_111205\users\All Users\hulayoba\hulayoba.dll Infected: Trojan.Win32.Monder.bzdz 1
C:\_OTMoveIt\MovedFiles\04242009_111205\users\All Users\mejimaba\mejimaba.dll Infected: Trojan.Win32.Monder.bzdz 1
C:\_OTMoveIt\MovedFiles\04242009_111205\users\All Users\suliweya\suliweya.dll Infected: Trojan-Downloader.Win32.Agent.bqxc 1
C:\_OTMoveIt\MovedFiles\04242009_111205\users\All Users\supamadi\supamadi.dll Infected: Trojan-Downloader.Win32.Agent.bqxc 1
C:\_OTMoveIt\MovedFiles\04242009_111205\users\All Users\tawekole\tawekole.dll Infected: Trojan.Win32.Monder.bzdz 1
C:\_OTMoveIt\MovedFiles\04242009_111205\users\All Users\yawususi\yawususi.dll Infected: Trojan.Win32.Monder.bzdz 1

The selected area was scanned.

#8 peku006

peku006

    Malware Fighter


  • Members
  • 36 posts
  • OFFLINE
  • Local time:11:50 PM

Posted 27 April 2009 - 06:06 AM

Hi mrvsqz

Congratulations, your log looks clean! :thumbup2:

To remove all of the tools we used and the files and folders they created do the following:

Now that your system is clean, kindly follow these simple steps in order to keep your computer clean and secure:
  • Update your antivirus programs

    Update your Antivirus programs and other security products regularly to avoid new threats that could infect your system. You can use one of these sites to check if any updates are needed for your PC.
    Secunia Software Inspector
    F-secure Health Check
  • Make your Internet Explorer more secure - This can be done by following these simple instructions:

    Please refer to this thread to configure Internet Explorer 8 properly.
  • Update your Adobe Acrobat Reader

    Old versions may render vulnerabilities that malware can use to infect your system. Please download Adobe Reader 9 to your desktop.
    Uninstall the old Adobe Reader from Start > Control Panel > Add/Remove Programs. Install the new one.
  • Install a-squared Free - a-squared Free is a product from Emsi Software provided free for private use that can detect and remove a variety of malicious software. If you have a dial-up internet connection, you may also like to install a-squared Anti-Dialer, which provides some real-time protection against premium-rate dialers.

    A tutorial on installing & using this product can be found here:

    Clean your PC with a-squared Free
  • Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites to your Internet Explorer settings that will protect you from running and downloading known malicious programs.

    A tutorial on installing & using this product can be found here:

    Using SpywareBlaster to protect your computer from Spyware and Malware
  • Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Please check out Tony Klein's article "How did I get infected in the first place?"
Read some information here on how to prevent malware.

Glad to be of help. Safe surfing!!

#9 mrvsqz

mrvsqz
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:02:50 PM

Posted 29 April 2009 - 10:49 PM

Ah, thank you so much! What a relief. I really appreciate your volunteering to help computer users in need! :thumbup2:
