Vondo,BHO.h,Trojan and Rootkit.Agent Infection please help


  • This topic is locked
13 replies to this topic

#1 t_h_arner

t_h_arner

  • Members
  • 7 posts
  • OFFLINE
  • Local time:09:42 AM

Posted 19 April 2009 - 09:07 AM

Tried unsuccessfully to remove some of the infected files with no success. Removed downloader, websearch, viewpoint etc... The machine is much better but still unusable. I have hijack logs and other logs; an MBAM log has a concise list. Please, if you could, give me some advice. Thanks!
t_h_arner yahoo.com

Attached Files





#2 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:08:42 AM

Posted 20 April 2009 - 03:13 PM

Hello! :thumbup2:
My name is Sam and I will be helping you.

In order to see what's going on with your computer I will ask for you to post various logs from the tools that we will use to resolve your issue. Please also share with me any information about how your computer is reacting and behaving each step of the way as we work through this process.


We need to create an OTListIt2 Report
  • Please download OTListIt2 from here
  • Save it to your desktop.
  • Double click on the icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the "Run Scan" button.
  • The scan should take just a few minutes.
  • Copy the log that opens up and paste it back here in your next reply.



=============


The next log will show us any hidden files that are present.

Download GMER from here:
  • Unzip it to the desktop.
  • Open the program and click on the Rootkit tab.
  • Make sure all the boxes on the right of the screen are checked, EXCEPT for ‘Show All’.
  • Click on Scan.
  • When the scan has run click Copy and paste the results (if any) into this thread.

If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================
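A note on how the O2 (browser helper object) and O4 (Run key / Startup) lines of an OTListIt2 report are usually read once they come back. The script below is an added example, not part of this thread and not OldTimer's tool: it applies the checks a helper makes by eye, namely an entry whose file is gone ("File not found"), a file that carries no publisher/version information (empty parentheses), a DLL with no version information that rundll32 loads out of system32 at logon, and a BHO registered without a name. The line layout is assumed from the log posted in this thread, and the sample input is a handful of O2/O4 lines copied from that log. These heuristics are a triage aid, not a verdict: an orphaned entry or a file without version information can also be the leftover of a removed program, which is why the full log is still requested.

```python
"""Triage of O2 and O4 lines from an OTListIt2 report (added example)."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: O2/O4 lines copied from the OTListIt2 log posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (no name) - {27955B3C-D524-43FF-8FE5-B875C89617F8} - C:\WINNT\system32\atrac.dll ()
O2 - BHO: (no name) - {d5e9f43e-ece3-4728-859b-c5d612a68404} - C:\WINNT\system32\kesirogi.dll File not found
O4 - HKLM..\Run: [CPM63893cd0] Rundll32.exe "c:\winnt\system32\motatuwo.dll",a ()
O4 - HKLM..\Run: [jetotikiyu] Rundll32.exe "C:\WINNT\system32\yipitumi.dll",s File not found
O4 - Startup: C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\UMAX VistaAccess.lnk = C:\VSTASCAN\vsaccess.exe (UMAX)
"""

# Assumed line layout: "<item> - <body>", where the body ends in either
# "(Publisher)" / "()" (version info present / absent) or "File not found".
ITEM_RE = re.compile(r"^(O\d+) - (.*)$")
PATH_RE = re.compile(r'[A-Za-z]:\\[^"<>|=,]*?\.(?:dll|exe)', re.IGNORECASE)
TAIL_RE = re.compile(r"(?:\((?P<company>[^()]*)\)|(?P<missing>File not found))\s*$")


@dataclass
class Finding:
    item: str            # OTListIt2 item code, e.g. "O2" or "O4"
    path: str            # file the entry points at ("" if none was parsed)
    reasons: List[str]   # why the entry deserves a look; empty means it looks benign


def triage_line(line: str) -> Optional[Finding]:
    """Parse one report line; return a Finding for O2/O4 items, None otherwise."""
    m = ITEM_RE.match(line.strip())
    if not m or m.group(1) not in ("O2", "O4"):
        return None
    item, body = m.groups()
    pm = PATH_RE.search(body)
    path = pm.group(0) if pm else ""
    tm = TAIL_RE.search(body)
    missing = bool(tm and tm.group("missing"))
    company = tm.group("company") if tm and not missing else None

    reasons: List[str] = []
    if missing:
        reasons.append("points at a file that is no longer on disk (orphaned entry)")
    elif company == "":
        reasons.append("file carries no publisher/version information")
        if "rundll32" in body.lower() and "\\system32\\" in path.lower():
            reasons.append("DLL without version information loaded from system32 via rundll32 at logon")
    if item == "O2" and "(no name)" in body:
        reasons.append("browser helper object registered without a name")
    return Finding(item, path, reasons)


def triage_log(text: str) -> List[Finding]:
    """All O2/O4 findings from a report, in log order."""
    return [f for f in map(triage_line, text.splitlines()) if f is not None]


def flagged_paths(text: str) -> List[str]:
    """Paths of the entries that deserve a closer look."""
    return [f.path for f in triage_log(text) if f.reasons]


if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(("CHECK " if f.reasons else "ok    ") + f.item + " " + f.path)
        for r in f.reasons:
            print("        - " + r)
```

Run against the sample, the Adobe BHO and the UMAX startup entry come back clean, while the two nameless BHOs and the two rundll32 Run entries are flagged; the two "File not found" entries are reported as orphaned rather than as live loaders, which matters because they are cleaned by deleting the registry value, not by hunting for a file.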

#3 t_h_arner

t_h_arner
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:09:42 AM

Posted 20 April 2009 - 06:44 PM

Thanks for the quick reply
================
OTListIt logfile created on: 4/20/2009 7:25:12 PM - Run 1
OTListIt2 by OldTimer - Version 2.0.14.0 Folder = C:\hIJACK\antivirus-spyware
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.12 Gb Total Physical Memory | 0.80 Gb Available Physical Memory | 71.42% Memory free
2.69 Gb Paging File | 2.53 Gb Available in Paging File | 94.34% Paging File free
Paging file location(s): C:\pagefile.sys 1723 2096;

%SystemDrive% = C: | %SystemRoot% = C:\WINNT | %ProgramFiles% = C:\Program Files
Drive C: | 18.61 Gb Total Space | 3.23 Gb Free Space | 17.34% Space Free | Partition Type: NTFS
Drive D: | 183.62 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: GOOKER1
Current User Name: mom
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Output = Standard
File Age = 30 Days
Company Name Whitelist: On

========== Processes (SafeList) ==========

PRC - [2002/05/08 10:51:52 | 00,212,992 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\ASF Agent\ASFAgent.exe
PRC - [2003/11/12 14:46:34 | 00,049,152 | ---- | M] (Dantz Development Corporation) -- C:\Program Files\Dantz\Retrospect\retrorun.exe
PRC - [2003/12/12 10:09:34 | 00,046,592 | R--- | M] (Dantz Development Corporation) -- C:\Program Files\Dantz\Retrospect\wdsvc.exe
PRC - [2009/01/07 13:40:56 | 00,348,752 | ---- | M] (PC Tools) -- C:\Program Files\SpywareDoc\pctsAuxs.exe
PRC - [2006/12/26 21:30:43 | 00,126,976 | ---- | M] () -- C:\WINNT\system32\UAService7.exe
PRC - [2002/03/19 12:15:46 | 00,036,864 | ---- | M] (D-Link) -- C:\Program Files\WZCBDL Service\WZCBDLS.exe
PRC - [2004/08/04 00:56:58 | 00,013,824 | ---- | M] (Microsoft Corporation) -- C:\WINNT\system32\wscntfy.exe
PRC - [2007/06/13 06:23:07 | 01,033,216 | ---- | M] (Microsoft Corporation) -- C:\WINNT\Explorer.EXE
PRC - [2009/04/20 19:24:56 | 00,501,248 | ---- | M] (OldTimer Tools) -- C:\hIJACK\antivirus-spyware\OTListIt2.exe

========== Win32 Services (SafeList) ==========

SRV - [2002/05/08 10:51:52 | 00,212,992 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\ASF Agent\ASFAgent.exe -- (ASFAgent [Auto | Running])
SRV - [2005/04/08 15:52:32 | 00,185,968 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe -- (ccEvtMgr [On_Demand | Stopped])
SRV - [2005/04/08 15:54:50 | 00,083,568 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe -- (ccPwdSvc [On_Demand | Stopped])
SRV - [2005/04/08 15:54:52 | 00,161,392 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe -- (ccSetMgr [On_Demand | Stopped])
SRV - [2005/04/17 12:30:32 | 00,019,648 | ---- | M] (Symantec Corporation) -- C:\Program Files\AntiVirus\DefWatch.exe -- (DefWatch [On_Demand | Stopped])
SRV - [2004/08/04 00:56:46 | 00,038,912 | ---- | M] (Microsoft Corporation) -- C:\WINNT\PCHealth\HelpCtr\Binaries\pchsvc.dll -- (helpsvc [Auto | Running])
SRV - [2004/10/22 04:24:18 | 00,073,728 | ---- | M] (Macrovision Corporation) -- C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe -- (IDriverT [On_Demand | Stopped])
SRV - [2002/07/30 17:15:24 | 01,118,208 | ---- | M] (Intel Corporation) -- C:\WINNT\System32\NMSSvc.exe -- (NMSSvc [On_Demand | Stopped])
SRV - [2003/07/28 12:28:22 | 00,089,136 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE -- (ose [On_Demand | Stopped])
SRV - [2003/05/14 09:45:04 | 00,065,795 | ---- | M] (HP) -- C:\WINNT\System32\HPZipm12.exe -- (Pml Driver HPZ12 [On_Demand | Stopped])
SRV - [2003/11/12 14:46:34 | 00,049,152 | ---- | M] (Dantz Development Corporation) -- C:\Program Files\Dantz\Retrospect\retrorun.exe -- (RetroLauncher [Auto | Running])
SRV - [2003/11/12 14:46:34 | 00,110,592 | ---- | M] (Dantz Development Corporation) -- C:\Program Files\Dantz\Retrospect\rthlpsvc.exe -- (Retrospect Helper [Auto | Stopped])
SRV - [2003/12/12 10:09:34 | 00,046,592 | R--- | M] (Dantz Development Corporation) -- C:\Program Files\Dantz\Retrospect\wdsvc.exe -- (RetroWDSvc [Auto | Running])
SRV - [2005/04/17 12:30:42 | 00,124,608 | ---- | M] (symantec) -- C:\Program Files\AntiVirus\SavRoam.exe -- (SavRoam [On_Demand | Stopped])
SRV - [2009/01/07 13:40:56 | 00,348,752 | ---- | M] (PC Tools) -- C:\Program Files\SpywareDoc\pctsAuxs.exe -- (sdAuxService [Auto | Running])
SRV - [2009/01/21 14:08:06 | 01,095,560 | ---- | M] (PC Tools) -- C:\Program Files\SpywareDoc\pctsSvc.exe -- (sdCoreService [On_Demand | Stopped])
SRV - [2005/04/05 11:17:22 | 00,206,552 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe -- (SNDSrvc [On_Demand | Stopped])
SRV - [2005/03/30 21:48:22 | 00,992,864 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe -- (SPBBCSvc [On_Demand | Stopped])
SRV - [2005/04/17 12:31:18 | 01,726,656 | ---- | M] (Symantec Corporation) -- C:\Program Files\AntiVirus\Rtvscan.exe -- (Symantec AntiVirus [On_Demand | Stopped])
SRV - [2006/12/26 21:30:43 | 00,126,976 | ---- | M] () -- C:\WINNT\system32\UAService7.exe -- (UserAccess7 [Auto | Running])
SRV - [2004/08/04 00:56:58 | 00,050,176 | ---- | M] (Microsoft Corporation) -- C:\WINNT\System32\UtilMan.exe -- (UtilMan [On_Demand | Stopped])
SRV - [2002/03/19 12:15:46 | 00,036,864 | ---- | M] (D-Link) -- C:\Program Files\WZCBDL Service\WZCBDLS.exe -- (WZCBDLService [Auto | Running])

========== Driver Services (SafeList) ==========

DRV - [2002/04/01 14:15:00 | 00,004,816 | ---- | M] (Andrea Electronics Corporation) -- C:\WINNT\system32\drivers\aeaudio.sys -- (aeaudio [On_Demand | Running])
DRV - [1998/05/05 11:36:04 | 00,012,128 | ---- | M] (Acard Technology Corp.) -- C:\WINNT\System32\drivers\AEC671X.SYS -- (AEC671X [System | Stopped])
DRV - [2003/03/31 13:00:00 | 00,026,496 | ---- | M] (Advanced System Products, Inc.) -- C:\WINNT\System32\drivers\ASC.SYS -- (asc [System | Stopped])
DRV - [2004/02/20 23:15:42 | 00,058,000 | ---- | M] (Roxio) -- C:\WINNT\System32\drivers\cdr4_2K.sys -- (Cdr4_2K [System | Running])
DRV - [2004/02/20 23:15:42 | 00,023,420 | ---- | M] (Roxio) -- C:\WINNT\System32\drivers\cdralw2k.sys -- (Cdralw2k [System | Running])
DRV - [1999/02/23 01:42:40 | 00,017,700 | ---- | M] (Microsoft Corporation) -- C:\WINNT\System32\drivers\DMX3191.SYS -- (DMX3191 [System | Stopped])
DRV - [2002/11/12 10:58:18 | 00,099,840 | ---- | M] (Intel Corporation) -- C:\WINNT\System32\DRIVERS\e1000325.sys -- (E1000 [On_Demand | Running])
DRV - [2009/03/16 08:47:52 | 00,371,248 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys -- (eeCtrl [System | Running])
DRV - [2001/04/26 16:00:30 | 00,064,418 | ---- | M] (Promise Technology, Inc.) -- C:\WINNT\System32\DRIVERS\fasttrak.sys -- (fasttrak [Boot | Running])
DRV - [1999/09/25 12:11:42 | 00,011,280 | ---- | M] (Microsoft Corporation) -- C:\WINNT\System32\DRIVERS\fd16_700.sys -- (Fd16_700 [Boot | Running])
DRV - [2003/05/14 09:19:52 | 00,051,056 | R--- | M] (HP) -- C:\WINNT\System32\DRIVERS\HPZid412.sys -- (HPZid412 [On_Demand | Running])
DRV - [2003/05/14 09:19:54 | 00,016,496 | R--- | M] (HP) -- C:\WINNT\System32\DRIVERS\HPZipr12.sys -- (HPZipr12 [On_Demand | Running])
DRV - [2003/05/14 09:17:54 | 00,021,488 | R--- | M] (HP) -- C:\WINNT\System32\DRIVERS\HPZius12.sys -- (HPZius12 [On_Demand | Running])
DRV - [2002/10/29 17:38:10 | 00,170,499 | ---- | M] (Conexant Systems) -- C:\WINNT\System32\DRIVERS\HSFHWBS2.sys -- (HSFHWBS2 [On_Demand | Running])
DRV - [2002/10/29 17:37:36 | 01,175,536 | ---- | M] (Conexant Systems) -- C:\WINNT\System32\DRIVERS\HSF_DP.sys -- (HSF_DP [On_Demand | Running])
DRV - [2005/10/19 08:59:12 | 00,807,998 | ---- | M] (Intel Corporation) -- C:\WINNT\System32\DRIVERS\ialmnt5.sys -- (ialm [On_Demand | Running])
DRV - [1999/10/22 15:54:42 | 00,032,592 | ---- | M] (Microsoft Corporation) -- C:\WINNT\system32\drivers\ichaud.sys -- (ichaud [On_Demand | Stopped])
DRV - [2000/05/19 15:24:56 | 00,011,504 | ---- | M] (Microsoft Corporation) -- C:\WINNT\System32\DRIVERS\IPFilter.sys -- (IPFilter [On_Demand | Stopped])
DRV - [2008/01/04 20:30:42 | 00,008,413 | ---- | M] (RealNetworks, Inc.) -- C:\WINNT\System32\drivers\mcstrm.sys -- (MCSTRM [Auto | Running])
DRV - [2002/10/07 10:29:48 | 00,011,027 | ---- | M] (Conexant) -- C:\WINNT\System32\DRIVERS\mdmxsdk.sys -- (mdmxsdk [Auto | Running])
DRV - [2004/08/03 23:10:14 | 00,015,360 | ---- | M] (Microsoft Corporation) -- C:\WINNT\system32\DRIVERS\MPE.sys -- (MPE [On_Demand | Stopped])
DRV - [2001/06/08 09:25:56 | 00,017,258 | ---- | M] (American Megatrends, Inc.) -- C:\WINNT\System32\DRIVERS\mraid2k.sys -- (mraid2k [Boot | Running])
DRV - [2003/03/31 13:00:00 | 00,017,280 | ---- | M] (American Megatrends Inc.) -- C:\WINNT\System32\DRIVERS\mraid35x.sys -- (mraid35x [Boot | Running])
DRV - [2009/03/16 08:47:52 | 00,089,104 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\VirusDefs\20090415.003\NAVENG.SYS -- (NAVENG [On_Demand | Running])
DRV - [2009/03/16 08:47:52 | 00,876,144 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\VirusDefs\20090415.003\NAVEX15.SYS -- (NAVEX15 [On_Demand | Running])
DRV - [2002/05/07 17:05:56 | 00,039,680 | ---- | M] (Intel Corporation) -- C:\WINNT\System32\drivers\NetAlrt.sys -- (NetAlrt [Auto | Running])
DRV - [2002/09/27 18:21:26 | 00,022,912 | ---- | M] (D-Link Corporation) -- C:\WINNT\system32\NIOC.SYS -- (NIOC [Auto | Running])
DRV - [2002/07/30 17:15:40 | 00,009,868 | ---- | M] (Intel Corporation) -- C:\WINNT\System32\drivers\NMSCFG.SYS -- (NMSCFG [On_Demand | Stopped])
DRV - [1999/10/27 16:23:38 | 00,345,040 | ---- | M] (NVIDIA Corporation) -- C:\WINNT\System32\DRIVERS\nv4.sys -- (nv4 [On_Demand | Stopped])
DRV - [2002/11/08 14:45:06 | 00,017,217 | ---- | M] (Dell Computer Corporation) -- C:\WINNT\System32\DRIVERS\omci.sys -- (omci [System | Running])
DRV - [2009/03/06 16:45:06 | 00,130,424 | ---- | M] (PC Tools) -- C:\WINNT\system32\drivers\PCTCore.sys -- (PCTCore [Boot | Running])
DRV - [2003/09/19 15:45:48 | 00,021,248 | ---- | M] (Padus, Inc.) -- C:\WINNT\system32\drivers\pfc.sys -- (pfc [On_Demand | Running])
DRV - [2002/05/07 17:06:36 | 00,023,744 | ---- | M] (Intel Corporation) -- C:\WINNT\System32\drivers\PlatAlrt.sys -- (PlatAlrt [Auto | Running])
DRV - [2003/10/02 15:47:14 | 00,666,624 | ---- | M] (GlobespanVirata, Inc.) -- C:\WINNT\System32\DRIVERS\PRISMUSB.sys -- (PRISM_USB [On_Demand | Running])
DRV - [2003/03/31 13:00:00 | 00,017,792 | ---- | M] (Parallel Technologies, Inc.) -- C:\WINNT\System32\DRIVERS\ptilink.sys -- (Ptilink [On_Demand | Running])
DRV - [2003/03/31 13:00:00 | 00,005,888 | ---- | M] (Microsoft Corporation) -- C:\WINNT\System32\Drivers\RootMdm.sys -- (ROOTMODEM [On_Demand | Stopped])
DRV - [2005/02/04 20:14:30 | 00,324,232 | ---- | M] (Symantec Corporation) -- C:\Program Files\AntiVirus\savrt.sys -- (SAVRT [System | Running])
DRV - [2005/02/04 20:14:32 | 00,053,896 | ---- | M] (Symantec Corporation) -- C:\Program Files\AntiVirus\Savrtpel.sys -- (SAVRTPEL [System | Running])
DRV - [2007/11/13 06:25:53 | 00,020,480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) -- C:\WINNT\System32\DRIVERS\secdrv.sys -- (Secdrv [Auto | Running])
DRV - [2002/05/28 16:18:46 | 00,500,568 | ---- | M] (Analog Devices, Inc.) -- C:\WINNT\system32\drivers\smwdm.sys -- (smwdm [On_Demand | Running])
DRV - [2002/01/18 23:18:26 | 00,032,924 | ---- | M] (SONY) -- C:\WINNT\system32\drivers\sonypvp2.sys -- (SONYPVP2 [On_Demand | Stopped])
DRV - [2003/03/31 13:00:00 | 00,019,072 | ---- | M] (Adaptec, Inc.) -- C:\WINNT\System32\DRIVERS\sparrow.sys -- (Sparrow [Boot | Running])
DRV - [2005/03/30 21:48:20 | 00,372,832 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys -- (SPBBCDrv [On_Demand | Stopped])
DRV - [2006/01/26 13:21:04 | 00,034,686 | ---- | M] (Service & Quality Technology.) -- C:\WINNT\System32\Drivers\Capt905c.sys -- (SQTECH905C [On_Demand | Stopped])
DRV - [2005/04/01 20:36:04 | 00,123,200 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec\SYMEVENT.SYS -- (SymEvent [On_Demand | Running])
DRV - [2005/04/05 11:17:00 | 00,017,976 | ---- | M] (Symantec Corporation) -- C:\WINNT\System32\Drivers\SYMREDRV.SYS -- (SYMREDRV [On_Demand | Stopped])
DRV - [2005/04/05 11:17:02 | 00,267,192 | ---- | M] (Symantec Corporation) -- C:\WINNT\System32\Drivers\SYMTDI.SYS -- (SYMTDI [System | Running])
DRV - [2003/03/31 13:00:00 | 00,023,424 | ---- | M] (Microsoft Corporation) -- C:\WINNT\system32\drivers\txgxastv.sys -- (txgxastv [Boot | Running])
DRV - [1998/09/18 09:18:02 | 00,076,260 | ---- | M] () -- C:\WINNT\System32\drivers\udnt.sys -- (UDNT [Auto | Stopped])
DRV - [2003/03/31 13:00:00 | 00,036,736 | ---- | M] (Promise Technology, Inc.) -- C:\WINNT\System32\DRIVERS\ultra.sys -- (Ultra [Boot | Running])
DRV - [2003/06/19 13:05:04 | 00,049,776 | ---- | M] (Microsoft Corporation) -- C:\WINNT\System32\DRIVERS\usbhub20.sys -- (usbhub20 [On_Demand | Stopped])
DRV - [2002/10/29 17:31:28 | 00,604,240 | ---- | M] (Conexant Systems) -- C:\WINNT\System32\DRIVERS\HSF_CNXT.sys -- (winachsf [On_Demand | Running])
DRV - [2007/12/26 19:35:12 | 00,186,592 | ---- | M] (Jungo) -- C:\WINNT\system32\drivers\windrvr6.sys -- (WinDriver6 [On_Demand | Running])
DRV - [2003/01/14 14:38:36 | 00,108,736 | ---- | M] (Intel Corporation) -- C:\WINNT\system32\drivers\ialmsbw.sys -- ({6080A529-897E-4629-A488-ABA0C29B635E} [On_Demand | Stopped])
DRV - [2003/01/14 14:38:30 | 00,078,272 | ---- | M] (Intel Corporation) -- C:\WINNT\system32\drivers\ialmkchw.sys -- ({D31A0762-0CEB-444e-ACFF-B049A1F6FE91} [On_Demand | Stopped])

========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL =
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm


IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,First Home Page = http://www.dell.com
IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...&ar=msnhome
IE - HKU\.DEFAULT\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,First Home Page = http://www.dell.com
IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...&ar=msnhome
IE - HKU\S-1-5-18\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
IE - HKU\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\Main,First Home Page = http://www.dell.com
IE - HKU\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
IE - HKU\S-1-5-19\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
IE - HKU\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\Main,First Home Page = http://www.dell.com
IE - HKU\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
IE - HKU\S-1-5-20\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-1524916876-855397222-1498376074-1001\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINNT\system32\blank.htm
IE - HKU\S-1-5-21-1524916876-855397222-1498376074-1001\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
IE - HKU\S-1-5-21-1524916876-855397222-1498376074-1001\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Google
IE - HKU\S-1-5-21-1524916876-855397222-1498376074-1001\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://www.google.com/search?q={searchTerm...tf8&oe=utf8
IE - HKU\S-1-5-21-1524916876-855397222-1498376074-1001\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKU\S-1-5-21-1524916876-855397222-1498376074-1001\S-1-5-21-1524916876-855397222-1498376074-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

FF - HKLM\software\mozilla\Mozilla Firefox 3.0.5\extensions\\Components: C:\PROGRAM FILES\MOZILLA FIREFOX\COMPONENTS [2009/04/16 23:30:40 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.0.5\extensions\\Plugins: C:\PROGRAM FILES\MOZILLA FIREFOX\PLUGINS [2009/04/15 19:06:50 | 00,000,000 | ---D | M]

[2008/12/12 01:20:58 | 00,000,000 | ---D | M] -- C:\Documents and Settings\mom\Application Data\mozilla\Extensions
[2008/12/12 01:20:58 | 00,000,000 | ---D | M] -- C:\Documents and Settings\mom\Application Data\mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}
[2009/03/16 14:09:53 | 00,000,000 | ---D | M] -- C:\Documents and Settings\mom\Application Data\mozilla\Firefox\Profiles\default.1ax\extensions
[2008/01/29 12:41:21 | 00,000,000 | ---D | M] -- C:\Documents and Settings\mom\Application Data\mozilla\Firefox\Profiles\default.1ax\extensions\{0C7E3F01-99E9-4095-9BDC-F84724960B57}
[2007/11/05 16:50:45 | 00,000,000 | ---D | M] -- C:\Documents and Settings\mom\Application Data\mozilla\Firefox\Profiles\default.1ax\extensions\{b1f0be5b-b66c-41c9-bfcc-f4ec657cd17b}
[2009/03/16 14:09:50 | 00,000,000 | ---D | M] -- C:\Documents and Settings\mom\Application Data\mozilla\Firefox\Profiles\default.1ax\extensions\moveplayer@movenetworks.com
[2009/02/22 19:29:25 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions
[2009/02/22 19:31:13 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
[2009/02/22 19:31:12 | 00,023,032 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browserdirprovider.dll
[2009/02/22 19:31:13 | 00,134,648 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\brwsrcmp.dll
[2008/12/12 01:20:30 | 00,001,394 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\amazondotcom.xml
[2008/12/12 01:20:30 | 00,002,193 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\answers.xml
[2008/12/12 01:20:30 | 00,001,534 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\creativecommons.xml
[2008/12/12 01:20:30 | 00,002,343 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\eBay.xml
[2008/12/12 01:20:30 | 00,001,706 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\google.xml
[2008/12/12 01:20:30 | 00,001,178 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\wikipedia.xml
[2008/12/12 01:20:30 | 00,000,792 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\yahoo.xml

O1 HOSTS File: (21 bytes) - C:\WINNT\System32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (no name) - {27955B3C-D524-43FF-8FE5-B875C89617F8} - C:\WINNT\system32\atrac.dll ()
O2 - BHO: (no name) - {d5e9f43e-ece3-4728-859b-c5d612a68404} - C:\WINNT\system32\kesirogi.dll File not found
O3 - HKU\S-1-5-21-1524916876-855397222-1498376074-1001\..\Toolbar\ShellBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - Reg Error: Key error. File not found
O3 - HKU\S-1-5-21-1524916876-855397222-1498376074-1001\..\Toolbar\ShellBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - Reg Error: Key error. File not found
O3 - HKU\S-1-5-21-1524916876-855397222-1498376074-1001\..\Toolbar\WebBrowser: (no name) - {4E7BD74F-2B8D-469E-9FA5-A33DE8DBE931} - Reg Error: Key error. File not found
O3 - HKU\S-1-5-21-1524916876-855397222-1498376074-1001\..\Toolbar\WebBrowser: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - Reg Error: Key error. File not found
O4 - HKLM..\Run: [CPM63893cd0] Rundll32.exe "c:\winnt\system32\motatuwo.dll",a ()
O4 - HKLM..\Run: [jetotikiyu] Rundll32.exe "C:\WINNT\system32\yipitumi.dll",s File not found
O4 - HKU\S-1-5-19..\Run: [jetotikiyu] Rundll32.exe "C:\WINNT\system32\yipitumi.dll",s File not found
O4 - HKU\S-1-5-20..\Run: [jetotikiyu] Rundll32.exe "C:\WINNT\system32\yipitumi.dll",s File not found
O4 - Startup: C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\UMAX VistaAccess.lnk = C:\VSTASCAN\vsaccess.exe (UMAX)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoNetHood = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSetTaskBar = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCloseDragDropBands = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoToolbarsOnTaskbar = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoChangeStartMenu = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoLogOff = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSMHelp = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoHelp = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoFavoritesMenu = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoRecentDocsMenu = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoViewOnDrive = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoPropertiesMyComputer = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoBandCustomize = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableCAD = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: NoDispBackgroundPage = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableLockWorkstation = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: HideFastUserSwitching = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableRegistryTools = 0
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19_Classes\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20_Classes\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-1524916876-855397222-1498376074-1001\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-1524916876-855397222-1498376074-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-21-1524916876-855397222-1498376074-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoLogoff = 0
O7 - HKU\S-1-5-21-1524916876-855397222-1498376074-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-21-1524916876-855397222-1498376074-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\S-1-5-21-1524916876-855397222-1498376074-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableChangePassword = 0
O7 - HKU\S-1-5-21-1524916876-855397222-1498376074-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableLockWorkstation = 0
O7 - HKU\S-1-5-21-1524916876-855397222-1498376074-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: HideFastUserSwitching = 0
O7 - HKU\S-1-5-21-1524916876-855397222-1498376074-1001_Classes\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O16 - DPF: {00000075-0000-0010-8000-00AA00389B71} http://codecs.microsoft.com/codecs/i386/voxmsdec.CAB (Reg Error: Key error.)
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} http://office.microsoft.com/templates/ieawsdc.cab (Microsoft Office Template and Media Control)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} https://a248.e.akamai.net/7/248/11498/v1/ww...qt/qtplugin.cab (QuickTime Object)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macromedia.com/pub/shockwa...director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://download.microsoft.com/download/3/9...heckControl.cab (Windows Genuine Advantage Validation Tool)
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} http://www.symantec.com/techsupp/asa/LSSupCtl.cab (LSSupCtl Class)
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab (Trend Micro ActiveX Scan Agent 6.6)
O16 - DPF: {230C3D02-DA27-11D2-8612-00A0C93EEA3C} http://www.winkflash.com/photo/loaders/SAXFile.cab (SAXFile FileUpload ActiveX Control)
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab (Symantec AntiVirus scanner)
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab (Symantec RuFSI Utility Class)
O16 - DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} http://www.winkflash.com/photo/loaders/ImageUploader4.cab (Image Uploader Control)
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab (HouseCall Control)
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} http://v4.windowsupdate.microsoft.com/CAB/...8115.4778935185 (Reg Error: Key error.)
O16 - DPF: {A18962F6-E6ED-40B1-97C9-1FB36F38BFA8} http://www.winkflash.com/photo/loaders/ImageUploader3.cab (Aurigma Image Uploader 3.0 Control)
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} http://www.symantec.com/techsupp/asa/SymAData.cab (ActiveDataInfo Class)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/flas...ent/swflash.cab (Shockwave Flash Object)
O16 - DPF: {F229AB32-7BF9-4225-B78F-B4680AE6FC23} http://www.snapfish.com/SnapfishUpload.cab (Snapfish File Upload ActiveX Control)
O16 - DPF: DirectAnimation Java Classes file://C:\WINNT\Java\classes\dajava.cab (Reg Error: Key error.)
O16 - DPF: Microsoft XML Parser for Java file://C:\WINNT\Java\classes\xmldso.cab (Reg Error: Key error.)
O18 - Protocol\Handler\cetihpz {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\Program Files\HP\hpcoretech\comp\hpuiprot.dll (Hewlett-Packard Company)
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\mso-offdap {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL (Microsoft Corporation)
O18 - Protocol\Handler\mso-offdap11 {32505114-5902-49B2-880A-1F7738E5A384} - C:\Program Files\Common Files\Microsoft Shared\Web Components\11\OWC11.DLL (Microsoft Corporation)
O18 - Protocol\Filter: - text/xml - C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL (Microsoft Corporation)
O20 - AppInit_DLLs: (C:\WINNT\system32\danonebi.dll) - C:\WINNT\system32\danonebi.dll ()
O20 - AppInit_DLLs: (c:\winnt\system32\motatuwo.dll) - c:\winnt\system32\motatuwo.dll ()
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINNT\Explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\igfxcui: DllName - igfxsrvc.dll - C:\WINNT\system32\igfxsrvc.dll (Intel Corporation)
O20 - Winlogon\Notify\NavLogon: DllName - - File not found
O20 - Winlogon\Notify\wzcnotif: DllName - wzcdlg.dll - C:\WINNT\system32\wzcdlg.dll (Microsoft Corporation)
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\winnt\system32\motatuwo.dll ()
O22 - SharedTaskScheduler: {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - STS - c:\winnt\system32\motatuwo.dll ()
O24 - Desktop Components:0 (My Current Home Page) - About:Home
O31 - SafeBoot: AlternateShell - cmd.exe
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2004/05/08 15:09:44 | 00,000,000 | -HS- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2009/04/18 00:56:09 | 00,000,000 | RHSD | M] - C:\autorun.inf -- [ NTFS ]
O32 - AutoRun File - [2007/04/17 01:31:00 | 00,368,128 | R--- | M] () - D:\Autorun.exe -- [ CDFS ]
O32 - AutoRun File - [2007/04/17 01:31:00 | 00,000,049 | R--- | M] () - D:\autorun.inf -- [ CDFS ]
O33 - MountPoints2\{94daa3da-d0ff-11db-962b-000d887e8262}\Shell - "" = AutoRun
O33 - MountPoints2\{94daa3da-d0ff-11db-962b-000d887e8262}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{94daa3da-d0ff-11db-962b-000d887e8262}\Shell\AutoRun\command - "" = E:\LaunchU3.exe -- File not found
O33 - MountPoints2\D\Shell - "" = AutoRun
O33 - MountPoints2\D\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\D\Shell\AutoRun\command - "" = D:\Autorun.exe -- [2007/04/17 01:31:00 | 00,368,128 | R--- | M] ()
O34 - HKLM BootExecute: (autocheck) - File not found
O34 - HKLM BootExecute: (autochk) - C:\WINNT\System32\autochk.exe (Microsoft Corporation)
O34 - HKLM BootExecute: (*) - File not found

========== Files/Folders - Created Within 30 Days ==========

[1 C:\WINNT\*.tmp files]
[2009/04/20 19:07:00 | 12,059,19744 | -HS- | C] () -- C:\hiberfil.sys
[2009/04/20 13:04:01 | 00,002,713 | -HS- | C] () -- C:\WINNT\System32\ziwoguta.exe
[2009/04/19 19:03:35 | 00,002,713 | -HS- | C] () -- C:\WINNT\System32\mazomoki.exe
[2009/04/19 10:04:44 | 00,004,370 | ---- | C] () -- C:\Documents and Settings\mom\Desktop\Attach.zip
[2009/04/19 01:03:11 | 01,409,558 | -HS- | C] () -- C:\WINNT\System32\iverukah.ini
[2009/04/18 20:22:59 | 00,000,000 | -HSD | C] -- C:\RECYCLER
[2009/04/18 20:19:22 | 00,000,000 | ---D | C] -- C:\WINNT\temp
[2009/04/18 19:53:23 | 00,212,480 | ---- | C] (SteelWerX) -- C:\WINNT\SWXCACLS.exe
[2009/04/18 19:53:23 | 00,161,792 | ---- | C] (SteelWerX) -- C:\WINNT\SWREG.exe
[2009/04/18 19:53:23 | 00,136,704 | ---- | C] (SteelWerX) -- C:\WINNT\SWSC.exe
[2009/04/18 19:53:23 | 00,108,544 | ---- | C] () -- C:\WINNT\vFind.exe
[2009/04/18 19:53:23 | 00,098,816 | ---- | C] () -- C:\WINNT\sed.exe
[2009/04/18 19:53:23 | 00,080,412 | ---- | C] () -- C:\WINNT\grep.exe
[2009/04/18 19:53:23 | 00,068,096 | ---- | C] () -- C:\WINNT\zip.exe
[2009/04/18 19:53:23 | 00,029,696 | ---- | C] (NirSoft) -- C:\WINNT\NIRCMD.exe
[2009/04/18 19:53:05 | 00,000,000 | ---D | C] -- C:\Qoobox
[2009/04/18 18:35:51 | 00,159,600 | ---- | C] (PC Tools) -- C:\WINNT\System32\drivers\pctgntdi.sys
[2009/04/18 18:35:36 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2009/04/18 18:35:32 | 00,130,424 | ---- | C] (PC Tools) -- C:\WINNT\System32\drivers\PCTCore.sys
[2009/04/18 18:35:32 | 00,073,840 | ---- | C] (PC Tools) -- C:\WINNT\System32\drivers\PCTAppEvent.sys
[2009/04/18 18:35:21 | 00,001,601 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Spyware Doctor.lnk
[2009/04/18 18:35:10 | 00,000,000 | ---D | C] -- C:\Program Files\Common Files\PC Tools
[2009/04/18 18:35:08 | 00,064,392 | ---- | C] (PC Tools) -- C:\WINNT\System32\drivers\pctplsg.sys
[2009/04/18 18:34:36 | 00,000,000 | ---D | C] -- C:\Program Files\SpywareDoc
[2009/04/18 18:34:36 | 00,000,000 | ---D | C] -- C:\Documents and Settings\mom\Application Data\PC Tools
[2009/04/18 18:34:36 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\PC Tools
[2009/04/18 18:00:53 | 00,000,833 | ---- | C] () -- C:\Documents and Settings\mom\Desktop\Internet Explorer (No Add-ons) (2).lnk
[2009/04/18 02:07:28 | 00,000,000 | ---D | C] -- C:\Documents and Settings\mom\Application Data\Malwarebytes
[2009/04/18 02:07:22 | 00,015,504 | ---- | C] (Malwarebytes Corporation) -- C:\WINNT\System32\drivers\mbam.sys
[2009/04/18 02:07:22 | 00,000,686 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2009/04/18 02:07:18 | 00,038,496 | ---- | C] (Malwarebytes Corporation) -- C:\WINNT\System32\drivers\mbamswissarmy.sys
[2009/04/18 02:07:15 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2009/04/18 02:07:14 | 00,000,000 | ---D | C] -- C:\Program Files\MalwarebytesAnti-Malware
[2009/04/18 00:56:09 | 00,000,000 | RHSD | C] -- C:\autorun.inf
[2009/04/18 00:13:43 | 00,000,207 | ---- | C] () -- C:\Boot.bak
[2009/04/18 00:13:40 | 00,260,272 | ---- | C] () -- C:\cmldr
[2009/04/18 00:13:22 | 00,000,000 | RHSD | C] -- C:\cmdcons
[2009/04/17 21:54:52 | 00,000,000 | ---D | C] -- C:\WINNT\ERDNT
[2009/04/17 18:26:42 | 00,000,000 | ---D | C] -- C:\Documents and Settings\mom\Application Data\Uniblue
[2009/04/17 18:24:43 | 00,000,000 | -H-D | C] -- C:\Documents and Settings\All Users\Application Data\~0
[2009/04/16 01:11:04 | 00,000,000 | ---- | C] () -- C:\WINNT\vpc32.INI
[2009/04/15 19:19:15 | 00,000,000 | ---D | C] -- C:\Documents and Settings\mom\Local Settings\Application Data\Symantec
[2009/04/15 19:15:55 | 00,123,200 | ---- | C] (Symantec Corporation) -- C:\WINNT\System32\drivers\SYMEVENT.SYS
[2009/04/15 19:15:55 | 00,091,856 | ---- | C] (Symantec Corporation) -- C:\WINNT\System32\S32EVNT1.DLL
[2009/04/15 19:14:54 | 00,000,000 | ---D | C] -- C:\Program Files\AntiVirus
[2009/04/15 00:10:40 | 00,001,734 | ---- | C] () -- C:\Documents and Settings\mom\Desktop\HijackThis.lnk
[2009/04/15 00:10:38 | 00,000,000 | ---D | C] -- C:\Program Files\Trend Micro
[2009/04/15 00:09:53 | 00,000,000 | ---D | C] -- C:\hIJACK
[2009/04/13 23:54:31 | 00,097,280 | ---- | C] () -- C:\WINNT\System32\atrac.dll
[2009/03/31 21:40:54 | 00,000,107 | ---- | C] () -- C:\Documents and Settings\mom\Desktop\Kroje--A Link to Our Ethnic Past.URL
[2009/03/27 15:37:23 | 00,001,499 | ---- | C] () -- C:\Documents and Settings\mom\Desktop\Paint.lnk
[2009/01/19 01:02:41 | 00,107,520 | -HS- | C] () -- C:\WINNT\System32\motatuwo.dll
[2009/01/14 11:55:27 | 00,071,680 | -H-- | C] () -- C:\WINNT\System32\danonebi.dll
[2008/03/22 12:42:20 | 00,000,121 | ---- | C] () -- C:\WINNT\wininit.ini
[2008/01/07 20:22:33 | 00,000,000 | ---- | C] () -- C:\WINNT\Game.INI
[2007/10/03 17:57:36 | 00,000,068 | ---- | C] () -- C:\WINNT\TONKA_SR.INI
[2007/02/07 17:24:44 | 00,043,520 | ---- | C] () -- C:\WINNT\System32\CmdLineExt03.dll
[2007/01/05 16:37:04 | 00,056,832 | ---- | C] () -- C:\WINNT\System32\Iyvu9_32.dll
[2006/12/26 11:00:38 | 00,090,112 | ---- | C] () -- C:\WINNT\System32\CmdLineExt.dll
[2006/09/06 21:59:36 | 00,000,185 | ---- | C] () -- C:\WINNT\intuprof.ini
[2006/09/06 21:59:34 | 00,000,903 | ---- | C] () -- C:\WINNT\QUICKEN.INI
[2006/07/29 13:46:19 | 00,000,123 | ---- | C] () -- C:\WINNT\cdplayer.ini
[2005/12/07 20:50:03 | 00,010,240 | ---- | C] () -- C:\WINNT\System32\vidx16.dll
[2005/11/11 17:13:01 | 00,000,016 | ---- | C] () -- C:\WINNT\encore_launcher.ini
[2005/09/14 09:17:05 | 00,000,004 | ---- | C] () -- C:\WINNT\uccspecb.sys
[2005/08/25 15:57:04 | 00,000,000 | ---- | C] () -- C:\WINNT\NSREX.INI
[2005/07/02 06:37:59 | 00,210,944 | ---- | C] () -- C:\WINNT\System32\MSVCRT10.DLL
[2005/06/30 21:53:43 | 00,000,074 | ---- | C] () -- C:\WINNT\ImportClient.INI
[2005/03/02 21:03:14 | 00,363,520 | ---- | C] () -- C:\WINNT\System32\psisdecd.dll
[2004/12/26 14:58:52 | 00,000,395 | ---- | C] () -- C:\WINNT\disney.ini
[2004/12/26 14:03:09 | 00,000,330 | ---- | C] () -- C:\WINNT\ka.ini
[2004/12/23 20:04:39 | 00,003,082 | ---- | C] () -- C:\WINNT\System32\affv9869p2now.sys
[2004/12/20 02:22:41 | 00,071,749 | ---- | C] () -- C:\WINNT\hcextoutput.dll
[2004/12/20 02:22:41 | 00,000,823 | ---- | C] () -- C:\WINNT\tsc.ini
[2004/12/20 02:22:15 | 00,000,170 | ---- | C] () -- C:\WINNT\GetServer.ini
[2004/10/11 10:55:23 | 00,000,091 | ---- | C] () -- C:\WINNT\TLCAPPS.INI
[2004/10/03 10:00:18 | 00,000,000 | ---- | C] () -- C:\WINNT\SETUP32.INI
[2004/09/23 17:15:00 | 00,000,000 | ---- | C] () -- C:\WINNT\Edmark.ini
[2004/09/23 17:14:58 | 00,000,519 | ---- | C] () -- C:\WINNT\pipeline.ini
[2004/09/15 20:50:02 | 00,001,065 | ---- | C] () -- C:\WINNT\hegames.ini
[2004/08/30 17:49:46 | 00,000,128 | ---- | C] () -- C:\WINNT\compedia.ini
[2004/07/28 19:15:32 | 00,000,990 | ---- | C] () -- C:\WINNT\WIN.INI
[2004/07/28 19:15:32 | 00,000,254 | ---- | C] () -- C:\WINNT\system.ini
[2004/07/28 19:15:31 | 00,000,046 | ---- | C] () -- C:\WINNT\QTW.INI
[2004/07/28 19:15:00 | 00,000,101 | ---- | C] () -- C:\WINNT\PUZZLES.INI
[2004/06/27 14:01:05 | 00,000,046 | ---- | C] () -- C:\WINNT\webica.ini
[2004/05/08 15:00:38 | 00,001,793 | ---- | C] () -- C:\WINNT\System32\fxsperf.ini
[2004/05/08 14:55:44 | 00,000,407 | ---- | C] () -- C:\WINNT\System32\OEMINFO.INI
[2003/12/15 17:22:50 | 00,000,853 | ---- | C] () -- C:\WINNT\System32\WD.ini
[2003/12/15 15:42:52 | 00,000,232 | ---- | C] () -- C:\WINNT\SwapDrvrSP3.ini
[2003/12/15 15:42:36 | 00,000,233 | ---- | C] () -- C:\WINNT\SwapDrvrSP2.ini
[2003/11/26 23:05:40 | 00,001,232 | ---- | C] () -- C:\WINNT\umaxsti.ini
[2003/11/26 22:29:59 | 00,000,172 | ---- | C] () -- C:\WINNT\ppdrv.ini
[2003/11/26 22:29:37 | 00,002,338 | ---- | C] () -- C:\WINNT\vista32d.ini
[2003/11/26 12:03:47 | 00,135,200 | ---- | C] () -- C:\WINNT\U2x00_32.dll
[2003/11/26 12:03:47 | 00,065,536 | ---- | C] () -- C:\WINNT\u2200_32.dll
[2003/11/26 10:31:19 | 00,005,098 | ---- | C] () -- C:\WINNT\vista32.ini
[2003/11/26 10:31:19 | 00,000,230 | ---- | C] () -- C:\WINNT\KPCMS.INI
[2003/11/26 10:31:19 | 00,000,145 | ---- | C] () -- C:\WINNT\umaxdrv.ini
[2003/11/26 10:31:09 | 00,047,616 | ---- | C] () -- C:\WINNT\ucmsp_32.dll
[2003/11/26 10:31:07 | 00,030,208 | ---- | C] () -- C:\WINNT\uxmail32.dll
[2003/11/26 10:31:05 | 00,068,608 | ---- | C] () -- C:\WINNT\vufile32.dll
[2003/11/26 10:31:04 | 00,076,260 | ---- | C] () -- C:\WINNT\System32\drivers\udnt.sys
[2003/10/10 16:50:57 | 00,007,202 | ---- | C] () -- C:\WINNT\System32\SWLicense.dll
[2003/08/04 17:52:44 | 00,001,060 | ---- | C] () -- C:\WINNT\ODBC.INI
[2003/01/07 15:05:08 | 00,002,695 | ---- | C] () -- C:\WINNT\System32\OUTLPERF.INI
[2002/11/01 17:17:50 | 00,000,256 | ---- | C] () -- C:\WINNT\aucfg.ini
[2002/07/04 16:05:34 | 00,000,269 | ---- | C] () -- C:\WINNT\tmupdate.ini
[2002/06/09 13:07:30 | 00,053,315 | ---- | C] () -- C:\WINNT\System32\DevCtrl.dll
[2002/05/07 17:06:36 | 00,019,968 | ---- | C] () -- C:\WINNT\System32\drivers\platmsg.dll
[2002/05/07 17:06:16 | 00,019,968 | ---- | C] () -- C:\WINNT\System32\drivers\netamsg.dll
[2002/04/16 17:57:28 | 00,135,168 | ---- | C] () -- C:\WINNT\System32\aolninst.dll
[2002/02/06 10:04:14 | 00,065,536 | ---- | C] () -- C:\WINNT\System32\NMSInst.dll
[2002/01/21 16:17:18 | 00,065,536 | ---- | C] () -- C:\WINNT\System32\PROInst.dll
[2001/12/14 14:34:46 | 00,164,864 | ---- | C] () -- C:\WINNT\patchw32.dll
[2001/05/08 07:00:00 | 00,176,400 | ---- | C] () -- C:\WINNT\System32\QCUT.DLL
[2001/05/08 07:00:00 | 00,088,816 | ---- | C] () -- C:\WINNT\System32\drivers\LVCAM.SYS
[2001/05/08 07:00:00 | 00,017,424 | ---- | C] () -- C:\WINNT\System32\drivers\LVSOUND.SYS
[1999/07/23 14:46:48 | 00,000,116 | ---- | C] () -- C:\WINNT\AuHCcup1.ini
[1999/07/23 11:53:20 | 00,129,536 | ---- | C] () -- C:\WINNT\AuHCcup1.dll
[1999/01/22 22:46:58 | 00,065,536 | ---- | C] () -- C:\WINNT\System32\MSRTEDIT.DLL

========== Files - Modified Within 30 Days ==========

[3 C:\WINNT\System32\*.tmp files]
[1 C:\WINNT\*.tmp files]
[2009/04/20 19:33:03 | 00,011,168 | -H-- | M] () -- C:\WINNT\System32\gabafuze
[2009/04/20 19:16:32 | 00,013,646 | ---- | M] () -- C:\WINNT\System32\wpa.dbl
[2009/04/20 19:07:29 | 00,000,006 | -H-- | M] () -- C:\WINNT\tasks\SA.DAT
[2009/04/20 19:07:11 | 00,002,048 | --S- | M] () -- C:\WINNT\bootstat.dat
[2009/04/20 19:07:04 | 12,059,19744 | -HS- | M] () -- C:\hiberfil.sys
[2009/04/20 13:04:01 | 00,002,713 | -HS- | M] () -- C:\WINNT\System32\ziwoguta.exe
[2009/04/19 19:03:35 | 00,002,713 | -HS- | M] () -- C:\WINNT\System32\mazomoki.exe
[2009/04/19 10:27:39 | 00,000,021 | ---- | M] () -- C:\WINNT\System32\drivers\ETC\hosts
[2009/04/19 10:04:44 | 00,004,370 | ---- | M] () -- C:\Documents and Settings\mom\Desktop\Attach.zip
[2009/04/19 01:24:36 | 01,409,558 | -HS- | M] () -- C:\WINNT\System32\iverukah.ini
[2009/04/19 01:02:45 | 00,063,488 | -HS- | M] (eMPIA Technology, Inc.) -- C:\WINNT\System32\wafiguvu.exe
[2009/04/19 01:02:43 | 00,107,520 | -HS- | M] () -- C:\WINNT\System32\motatuwo.dll
[2009/04/19 01:02:43 | 00,099,328 | -HS- | M] (eMPIA Technology, Inc.) -- C:\WINNT\System32\hakurevi.dll
[2009/04/18 20:09:55 | 00,000,254 | ---- | M] () -- C:\WINNT\system.ini
[2009/04/18 18:35:21 | 00,001,601 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Spyware Doctor.lnk
[2009/04/18 18:00:53 | 00,000,833 | ---- | M] () -- C:\Documents and Settings\mom\Desktop\Internet Explorer (No Add-ons) (2).lnk
[2009/04/18 02:07:22 | 00,000,686 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2009/04/18 00:13:44 | 00,000,277 | RHS- | M] () -- C:\boot.ini
[2009/04/17 22:49:26 | 00,370,094 | ---- | M] () -- C:\WINNT\System32\PerfStringBackup.INI
[2009/04/17 22:49:26 | 00,321,338 | ---- | M] () -- C:\WINNT\System32\PERFH009.DAT
[2009/04/17 22:49:26 | 00,043,602 | ---- | M] () -- C:\WINNT\System32\PERFC009.DAT
[2009/04/17 18:55:54 | 00,000,990 | ---- | M] () -- C:\WINNT\WIN.INI
[2009/04/17 18:55:54 | 00,000,207 | ---- | M] () -- C:\Boot.bak
[2009/04/16 01:11:04 | 00,000,000 | ---- | M] () -- C:\WINNT\vpc32.INI
[2009/04/15 19:15:47 | 00,000,366 | ---- | M] () -- C:\WINNT\tasks\Symantec NetDetect.job
[2009/04/15 00:10:40 | 00,001,734 | ---- | M] () -- C:\Documents and Settings\mom\Desktop\HijackThis.lnk
[2009/04/14 13:08:38 | 03,173,380 | -H-- | M] () -- C:\Documents and Settings\mom\Local Settings\Application Data\IconCache.db
[2009/04/14 12:57:42 | 00,000,512 | ---- | M] () -- C:\WINNT\randseed.rnd
[2009/04/06 15:32:54 | 00,038,496 | ---- | M] (Malwarebytes Corporation) -- C:\WINNT\System32\drivers\mbamswissarmy.sys
[2009/04/06 15:32:46 | 00,015,504 | ---- | M] (Malwarebytes Corporation) -- C:\WINNT\System32\drivers\mbam.sys
[2009/03/31 21:40:54 | 00,000,107 | ---- | M] () -- C:\Documents and Settings\mom\Desktop\Kroje--A Link to Our Ethnic Past.URL
[2009/03/23 16:35:43 | 00,000,170 | ---- | M] () -- C:\Documents and Settings\mom\Desktop\Webkinz.URL

========== Alternate Data Streams ==========

@Alternate Data Stream - 2550 bytes -> C:\Documents and Settings\mom\Desktop\Webkinz.URL:favicon
@Alternate Data Stream - 1406 bytes -> C:\Documents and Settings\mom\Desktop\WEATHER.URL:favicon
@Alternate Data Stream - 132 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2
< End of report >

#4 t_h_arner

t_h_arner
  • Topic Starter
  • Members
  • 7 posts

Posted 20 April 2009 - 06:52 PM

Extra Log
===============
OTListIt Extras logfile created on: 4/20/2009 7:25:12 PM - Run 1
OTListIt2 by OldTimer - Version 2.0.14.0 Folder = C:\hIJACK\antivirus-spyware
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.12 Gb Total Physical Memory | 0.80 Gb Available Physical Memory | 71.42% Memory free
2.69 Gb Paging File | 2.53 Gb Available in Paging File | 94.34% Paging File free
Paging file location(s): C:\pagefile.sys 1723 2096;

%SystemDrive% = C: | %SystemRoot% = C:\WINNT | %ProgramFiles% = C:\Program Files
Drive C: | 18.61 Gb Total Space | 3.23 Gb Free Space | 17.34% Space Free | Partition Type: NTFS
Drive D: | 183.62 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: GOOKER1
Current User Name: mom
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Output = Standard
File Age = 30 Days
Company Name Whitelist: On

========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.html [@ = htmlfile] -- C:\Program Files\Internet Explorer\IEXPLORE.EXE (Microsoft Corporation)

[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

[HKEY_USERS\S-1-5-21-1524916876-855397222-1498376074-1001\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0
"UpdatesDisableNotify" = 1
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
"DisableMonitoring" = 1
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
"EnableFirewall" = 1

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002
"3389:TCP" = 3389:TCP:*:Enabled:@xpsp2res.dll,-22009

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
[2006/10/10 08:44:50 | 00,557,568 | ---- | M] (Microsoft Corporation) -- %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
[2006/10/10 08:44:50 | 00,557,568 | ---- | M] (Microsoft Corporation) -- %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{00010409-78E1-11D2-B60F-006097C998E7}" = Microsoft Office 2000 Professional
"{01A4AEDE-F219-49A2-B855-16A016EAF9A4}" = Intel® PROSet II
"{0684EECC-380C-4B97-8C51-5BDB9E4D679C}" = ArcSoft Software Suite
"{1D643CD7-4DD6-11D7-A4E0-000874180BB3}" = Microsoft Money 2004
"{26595B84-25F5-43E2-9696-B1720E813850}" = WZCBDL Service
"{2CA94ED4-F38D-44B4-A79D-E5835E276EFC}" = Air USB Utility
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{3DD2E9EA-0544-4162-B8BE-E21E994E9F3B}" = LEGO Racers 2
"{45B6180B-DCAB-4093-8EE8-6164457517F0}" = Photosmart 140,240,7200,7600,7700,7900 Series
"{4C701994-43D2-4B7B-A548-C6E6C224D9A9}" = Intel® PRO Network Adapters WMI Provider (2.0)
"{517B8FB2-26EE-43B0-AE1B-07408860AA69}" = DigitImg
"{5A633ED0-E5D7-4D65-AB8D-53ED43510284}" = Symantec AntiVirus
"{60758250-C8CF-47EB-8CB6-E0C3B84D8207}" = PSShortcuts
"{63569CE9-FA00-469C-AF5C-E5D4D93ACF91}" = Windows Genuine Advantage v1.3.0254.0
"{6797B492-3814-4129-AD07-C727D23FB5BF}" = Intel® Pro Alerting Agent, Version 3.0.0
"{73B69C5C-87D6-471E-B695-0BD736C4B644}" = Retrospect 6.5
"{74715EE0-D979-4690-ACF9-9C3693AD36FE}" = Island Xtreme Stunts
"{797E03F8-C8A0-47ED-AA9F-D7076276E491}" = Ford Racing 2
"{83d96ed0-98aa-4515-8ddc-816f3efdd104}" = DB CIF Cam
"{8A708DD8-A5E6-11D4-A706-000629E95E20}" = Intel® Extreme Graphics Driver
"{8C64E145-54BA-11D6-91B1-00500462BE80}" = Microsoft Money 2004 System Pack
"{90110409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Professional Edition 2003
"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
"{A2C21F60-523D-4FC7-90AF-AE2707E45AFE}" = Shark Tale
"{A5CC2A09-E9D3-49EC-923D-03874BBD4C2C}" = Windows Defender Signatures
"{ABEA93FA-8D65-11D2-98AB-00C04F79C5D1}" = Microsoft IntelliPoint
"{AC76BA86-7AD7-1033-7B44-A70900000002}" = Adobe Reader 7.0.9
"{BC7E9D03-F7B1-4179-AAEC-941D14DF5EF3}" = Ben 10 Alien Force Bounty Hunters
"{BCF4E5BE-C249-4ED3-BA3B-C4257C743995}" = NIOC Service
"{CFA9C1EE-8D76-477E-9E26-D24C26F11F47}" = WD Media Center Driver
"{D2023740-9AAC-11D4-B54D-006008571948}" = Pac-Man Adventures in Time
"{D38C1D2A-BF9E-40EA-8CF7-7EA3E6BC192B}" = PIXELA PTP Manager
"{DE4997B5-55AD-4878-97A7-C9FA84FE23C7}" = PSUsage
"{E646DCF0-5A68-11D5-B229-002078017FBF}" = Digital Line Detect
"{F37305F8-98CF-4684-A3EF-5D2F3E44FAD6}" = Zapper
"{F8282D32-0924-47CB-B6E8-001B3C5716A0}" = PS7200
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Adobe Photoshop 5.5" = Adobe Photoshop 5.5
"AxCrypt" = AxCrypt (Remove Only)
"CD-DA X-Tractor_is1" = CD-DA X-Tractor v0.24
"Centipede" = Centipede
"CleanUp!" = CleanUp!
"CNXT_MODEM_PCI_VEN_14F1&DEV_2013&SUBSYS_021213E0" = Conexant HSF V92 56K Data Fax PCI Modem
"CodInstl" = Intel A/V Codecs V2.0
"Crystal Wizard" = Crystal Wizard
"Danger Zone!" = Danger Zone!
"Dino Island" = Dino Island
"eGames GameButler" = eGames GameButler
"Flipster" = Flipster
"Flipster Twin Pack" = Flipster Twin Pack
"HijackThis" = HijackThis 2.0.2
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"InstallShield_{26595B84-25F5-43E2-9696-B1720E813850}" = WZCBDL Service
"InstallShield_{2CA94ED4-F38D-44B4-A79D-E5835E276EFC}" = Air USB Utility
"InstallShield_{74715EE0-D979-4690-ACF9-9C3693AD36FE}" = Island Xtreme Stunts
"InstallShield_{BCF4E5BE-C249-4ED3-BA3B-C4257C743995}" = NIOC Service
"Jimmy Neutron Boy Genius" = Jimmy Neutron Boy Genius
"LiveReg" = LiveReg (Symantec Corporation)
"LiveUpdate" = LiveUpdate 2.6 (Symantec Corporation)
"Macromedia Shockwave Player" = Macromedia Shockwave Player
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Mozilla Firefox (3.0.5)" = Mozilla Firefox (3.0.5)
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"PhoTagsExpress" = PhoTags Express
"PROSet" = Intel® PRO Ethernet Adapter and Software
"QuickTime" = QuickTime
"RealArcade 1.2" = RealArcade
"RealPlayer 6.0" = RealPlayer
"Spyware Doctor" = Spyware Doctor 6.0
"Stacker Blocks 3D" = Stacker Blocks 3D
"Star Defender 2 (CD version)" = Star Defender 2 (CD version)
"Switch" = Switch Sound File Converter
"U.B. Funkeys" = U.B. Funkeys
"upromise.xml" = Upromise remindU
"VIVAGplayer" = VIVA MEDIA GAME CENTER
"WebPost" = Microsoft Web Publishing Wizard 1.52
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 10
"Windows XP Service Pack" = Windows XP Service Pack 2
"WinPatrol" = WinPatrol 2008
"WinZip" = WinZip
"WMFDist11" = Windows Media Format 11 runtime
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 4/15/2009 7:49:11 PM | Computer Name = GOOKER1 | Source = Symantec AntiVirus | ID = 16711731
Description = Security Risk Found!Threat: Trojan.Vundo in File: c:\winnt\system32\golorojo.dll
by: Manual scan. Action: Clean failed : Quarantine failed. Action Description:
Quarantine was partially successful.

Error - 4/15/2009 8:41:31 PM | Computer Name = GOOKER1 | Source = Symantec AntiVirus | ID = 16711726
Description = Security Risk Found!Threat: Trojan.Vundo in File: C:\WINNT\SYSTEM32\suju___meso.dll
by: Manual scan. Action: Clean failed : Quarantine failed. Action Description:
The file was left unchanged.

Error - 4/15/2009 8:41:45 PM | Computer Name = GOOKER1 | Source = Symantec AntiVirus | ID = 16711731
Description = Security Risk Found!Threat: Trojan.Vundo in File: C:\WINNT\SYSTEM32\suju___meso.dll
by: Manual scan. Action: Clean failed : Quarantine failed. Action Description:
Quarantine was partially successful.

Error - 4/15/2009 8:42:17 PM | Computer Name = GOOKER1 | Source = Symantec AntiVirus | ID = 16711726
Description = Security Risk Found!Threat: Trojan.Vundo in File: C:\WINNT\SYSTEM32\vijus____ewu.dll
by: Manual scan. Action: Clean failed : Quarantine failed. Action Description:
The file was left unchanged.

Error - 4/15/2009 8:42:27 PM | Computer Name = GOOKER1 | Source = Symantec AntiVirus | ID = 16711731
Description = Security Risk Found!Threat: Trojan.Vundo in File: C:\WINNT\SYSTEM32\vijus____ewu.dll
by: Manual scan. Action: Clean failed : Quarantine failed. Action Description:
Quarantine was partially successful.

Error - 4/15/2009 9:12:09 PM | Computer Name = GOOKER1 | Source = Symantec AntiVirus | ID = 16711685
Description = Threat Found!Threat: Trojan.Vundo in File: c:\WINNT\SYSTEM32\golorojo.dll
by: Manual scan. Action: Quarantine succeeded. Action Description: The file was
quarantined successfully. Threat Found!Threat: Trojan.Vundo in File: c:\WINNT\SYSTEM32\weyonoru.dll
by: Manual scan. Action: Quarantine succeeded. Action Description: The file was
quarantined successfully. Threat Found!Threat: Trojan.Vundo in File: c:\WINNT\SYSTEM32\suju___meso.dll
by: Manual scan. Action: Quarantine succeeded. Action Description: The file was
quarantined successfully. Threat Found!Threat: Trojan.Vundo in File: c:\WINNT\SYSTEM32\vijus____ewu.dll
by: Manual scan. Action: Quarantine succeeded. Action Description: The file was
quarantined successfully.

Error - 4/16/2009 12:22:17 AM | Computer Name = GOOKER1 | Source = Symantec AntiVirus | ID = 16711685
Description = Threat Found!Threat: Trojan.Vundo in File: by: Auto-Protect scan.
Action: Clean succeeded : Access allowed. Action Description: The file was repaired
successfully.

Error - 4/16/2009 12:23:29 AM | Computer Name = GOOKER1 | Source = Symantec AntiVirus | ID = 16711726
Description = Security Risk Found!Threat: Trojan.Vundo in File: C:\winnt\system32\golorojo.dll
by: Auto-Protect scan. Action: Clean failed : Quarantine failed. Action Description:
The file was deleted successfully.

Error - 4/16/2009 12:23:29 AM | Computer Name = GOOKER1 | Source = Symantec AntiVirus | ID = 16711685
Description = Threat Found!Threat: Trojan.Vundo in File: C:\WINNT\SYSTEM32\golorojo.dll
by: Auto-Protect scan. Action: Clean failed : Quarantine failed : Delete succeeded
: Access denied. Action Description: The file was deleted successfully.

Error - 4/16/2009 12:24:01 AM | Computer Name = GOOKER1 | Source = Symantec AntiVirus | ID = 16711731
Description = Security Risk Found!Threat: Trojan.Vundo in File: C:\winnt\system32\golorojo.dll
by: Auto-Protect scan. Action: Reboot Required. Action Description: The file
was deleted successfully.

[ System Events ]
Error - 4/18/2009 1:29:25 AM | Computer Name = GOOKER1 | Source = Service Control Manager | ID = 7034
Description = The WZCBDL Service service terminated unexpectedly. It has done this
1 time(s).

Error - 4/18/2009 1:29:25 AM | Computer Name = GOOKER1 | Source = Service Control Manager | ID = 7034
Description = The Application Layer Gateway Service service terminated unexpectedly.
It has done this 1 time(s).

Error - 4/18/2009 1:40:37 AM | Computer Name = GOOKER1 | Source = Service Control Manager | ID = 7000
Description = The UDNT service failed to start due to the following error: %%20

Error - 4/18/2009 1:40:37 AM | Computer Name = GOOKER1 | Source = Service Control Manager | ID = 7023
Description = The Automatic Updates service terminated with the following error:
%%126

Error - 4/18/2009 2:04:28 AM | Computer Name = GOOKER1 | Source = DCOM | ID = 10005
Description = DCOM got error "%1058" attempting to start the service wuauserv with
arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}

Error - 4/18/2009 2:15:50 AM | Computer Name = GOOKER1 | Source = Service Control Manager | ID = 7000
Description = The UDNT service failed to start due to the following error: %%20

Error - 4/18/2009 7:53:41 AM | Computer Name = GOOKER1 | Source = Service Control Manager | ID = 7000
Description = The UDNT service failed to start due to the following error: %%20

Error - 4/18/2009 7:53:41 AM | Computer Name = GOOKER1 | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
adpu160m agp440 Aha154x aic78u2 aic78xx fasttrak Fd16_700 IntelIde mraid2k mraid35x Sparrow
Ultra

Error - 4/18/2009 10:54:51 AM | Computer Name = GOOKER1 | Source = Service Control Manager | ID = 7000
Description = The UDNT service failed to start due to the following error: %%20

Error - 4/18/2009 10:54:51 AM | Computer Name = GOOKER1 | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
adpu160m agp440 Aha154x aic78u2 aic78xx fasttrak Fd16_700 IntelIde mraid2k mraid35x Sparrow
Ultra


< End of report >

#5 Buckeye_Sam

Buckeye_Sam

    Malware Expert

  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 21 April 2009 - 03:07 PM

Run OTListIt2.exe
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    :OTLI
    PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
    O2 - BHO: (no name) - {27955B3C-D524-43FF-8FE5-B875C89617F8} - C:\WINNT\system32\atrac.dll ()
    O2 - BHO: (no name) - {d5e9f43e-ece3-4728-859b-c5d612a68404} - C:\WINNT\system32\kesirogi.dll File not found
    O3 - HKU\S-1-5-21-1524916876-855397222-1498376074-1001\..\Toolbar\ShellBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - Reg Error: Key error. File not found
    O3 - HKU\S-1-5-21-1524916876-855397222-1498376074-1001\..\Toolbar\ShellBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - Reg Error: Key error. File not found
    O3 - HKU\S-1-5-21-1524916876-855397222-1498376074-1001\..\Toolbar\WebBrowser: (no name) - {4E7BD74F-2B8D-469E-9FA5-A33DE8DBE931} - Reg Error: Key error. File not found
    O3 - HKU\S-1-5-21-1524916876-855397222-1498376074-1001\..\Toolbar\WebBrowser: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - Reg Error: Key error. File not found
    O4 - HKLM..\Run: [CPM63893cd0] Rundll32.exe "c:\winnt\system32\motatuwo.dll",a ()
    O4 - HKLM..\Run: [jetotikiyu] Rundll32.exe "C:\WINNT\system32\yipitumi.dll",s File not found
    O4 - HKU\S-1-5-19..\Run: [jetotikiyu] Rundll32.exe "C:\WINNT\system32\yipitumi.dll",s File not found
    O4 - HKU\S-1-5-20..\Run: [jetotikiyu] Rundll32.exe "C:\WINNT\system32\yipitumi.dll",s File not found
    O20 - AppInit_DLLs: (C:\WINNT\system32\danonebi.dll) - C:\WINNT\system32\danonebi.dll ()
    O20 - AppInit_DLLs: (c:\winnt\system32\motatuwo.dll) - c:\winnt\system32\motatuwo.dll ()
    O20 - Winlogon\Notify\NavLogon: DllName - - File not found
    O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\winnt\system32\motatuwo.dll ()
    O22 - SharedTaskScheduler: {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - STS - c:\winnt\system32\motatuwo.dll ()
    
    :Files
    C:\WINNT\System32\ziwoguta.exe
    C:\WINNT\System32\mazomoki.exe
    C:\WINNT\System32\iverukah.ini
    C:\WINNT\System32\motatuwo.dll
    C:\WINNT\System32\danonebi.dll
    C:\WINNT\System32\wafiguvu.exe
    C:\WINNT\System32\hakurevi.dll
    
    :Commands
    [purity]
    [emptytemp]
    [start explorer]
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot when it is done
  • Then post a new OTL2 log

==============


Next let's run a full scan with Malwarebytes.
  • Open Malwarebytes and select the Update tab.
  • Click on the Check for Updates button and allow the program to download the latest updates.
  • Once you have the latest updates, select the Scanner tab.
  • Select "Perform full scan" and click the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#6 t_h_arner

t_h_arner
  • Topic Starter

  • Members
  • 7 posts

Posted 22 April 2009 - 07:39 AM

I ran OTListIt2.exe and it popped a window: the application \system32\atrac.dll (bho) is not a valid Windows image; check against the install diskette. OTListIt2 prompted to run on reboot. And rundll tried to load the virus files motatuwo.dll and yipitumi.dll on startup. Before this it was only trying to load one of these. OTListIt2 'seemed' to have a problem. ??

Ran MBAM; it tried to remove the viruses (as it tried before) and prompted that it was unable to remove a list of files. I suspect it was not successful.

I am sorry, did you want me to run gmer?

================
========== OTLISTIT ==========
Process explorer.exe killed successfully!
Registry delete failed. HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{27955B3C-D524-43FF-8FE5-B875C89617F8}\ scheduled to be deleted on reboot.
Unable to delete registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{27955B3C-D524-43FF-8FE5-B875C89617F8}\ .
LoadLibrary failed for C:\WINNT\system32\atrac.dll
C:\WINNT\system32\atrac.dll NOT unregistered.
File move failed. C:\WINNT\system32\atrac.dll scheduled to be moved on reboot.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{d5e9f43e-ece3-4728-859b-c5d612a68404}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{d5e9f43e-ece3-4728-859b-c5d612a68404}\ deleted successfully.
Registry value HKEY_USERS\S-1-5-21-1524916876-855397222-1498376074-1001\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\\{2318C2B1-4965-11D4-9B18-009027A5CD4F} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2318C2B1-4965-11D4-9B18-009027A5CD4F}\ not found.
Registry value HKEY_USERS\S-1-5-21-1524916876-855397222-1498376074-1001\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\\{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}\ not found.
Registry value HKEY_USERS\S-1-5-21-1524916876-855397222-1498376074-1001\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{4E7BD74F-2B8D-469E-9FA5-A33DE8DBE931} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4E7BD74F-2B8D-469E-9FA5-A33DE8DBE931}\ not found.
Registry value HKEY_USERS\S-1-5-21-1524916876-855397222-1498376074-1001\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{EF99BD32-C1FB-11D2-892F-0090271D4F88} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{EF99BD32-C1FB-11D2-892F-0090271D4F88}\ deleted successfully.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\CPM63893cd0 deleted successfully.
DllUnregisterServer procedure not found in c:\winnt\system32\motatuwo.DLL
c:\winnt\system32\motatuwo.DLL NOT unregistered.
c:\winnt\system32\motatuwo.DLL moved successfully.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\jetotikiyu deleted successfully.
Registry value HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Run\\jetotikiyu deleted successfully.
Registry value HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Run\\jetotikiyu deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_Dlls:C:\WINNT\system32\danonebi.dll deleted successfully.
DllUnregisterServer procedure not found in C:\WINNT\system32\danonebi.dll
C:\WINNT\system32\danonebi.dll NOT unregistered.
C:\WINNT\system32\danonebi.dll moved successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_Dlls:c:\winnt\system32\motatuwo.dll deleted successfully.
File c:\winnt\system32\motatuwo.dll not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\NavLogon\ deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\\SSODL deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4}\ deleted successfully.
File c:\winnt\system32\motatuwo.dll not found.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\\{EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4}\ deleted successfully.
File c:\winnt\system32\motatuwo.dll not found.
========== FILES ==========
C:\WINNT\System32\ziwoguta.exe moved successfully.
C:\WINNT\System32\mazomoki.exe moved successfully.
C:\WINNT\System32\iverukah.ini moved successfully.
File/Folder C:\WINNT\System32\motatuwo.dll not found.
File/Folder C:\WINNT\System32\danonebi.dll not found.
C:\WINNT\System32\wafiguvu.exe moved successfully.
DllUnregisterServer procedure not found in C:\WINNT\System32\hakurevi.dll
C:\WINNT\System32\hakurevi.dll NOT unregistered.
C:\WINNT\System32\hakurevi.dll moved successfully.
========== COMMANDS ==========
File delete failed. C:\Documents and Settings\mom\Local Settings\Temp\ktlyawsd.dat scheduled to be deleted on reboot.
User's Temp folder emptied.
User's Internet Explorer cache folder emptied.
File delete failed. C:\Documents and Settings\mom\Local Settings\Temporary Internet Files\Content.IE5\P89QQ9A1\forums[1].htm scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\mom\Local Settings\Temporary Internet Files\Content.IE5\P89QQ9A1\iframe3[1].htm scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\mom\Local Settings\Temporary Internet Files\Content.IE5\P89QQ9A1\iframe3[2].htm scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\mom\Local Settings\Temporary Internet Files\Content.IE5\P89QQ9A1\i[1].htm scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\mom\Local Settings\Temporary Internet Files\Content.IE5\P89QQ9A1\st[1] scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\mom\Local Settings\Temporary Internet Files\Content.IE5\NMHPZWZX\showMessage[2].htm scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\mom\Local Settings\Temporary Internet Files\Content.IE5\K0I3ANBQ\iframe[1].htm scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\mom\Local Settings\Temporary Internet Files\Content.IE5\K0I3ANBQ\topic220608[1].htm scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\mom\Local Settings\Temporary Internet Files\Content.IE5\4EE62WD6\01[1].htm scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\mom\Local Settings\Temporary Internet Files\Content.IE5\4EE62WD6\6364304603912961024[1].htm scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\mom\Local Settings\Temporary Internet Files\Content.IE5\4EE62WD6\st[1] scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\mom\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\mom\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat scheduled to be deleted on reboot.
User's Temporary Internet Files folder emptied.
Local Service Temp folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
Local Service Temporary Internet Files folder emptied.
Network Service Temp folder emptied.
Network Service Temporary Internet Files folder emptied.
Windows Temp folder emptied.
Java cache emptied.
FireFox cache emptied.
Temp folders emptied.
Explorer started successfully

OTListIt2 by OldTimer - Version 2.0.14.0 log created on 04212009_224453
===============================
Malwarebytes' Anti-Malware 1.36
Database version: 2024
Windows 5.1.2600 Service Pack 2

4/22/2009 8:12:29 AM
mbam-log-2009-04-22 (08-12-29).txt

Scan type: Full Scan (C:\|)
Objects scanned: 157138
Time elapsed: 2 hour(s), 12 minute(s), 58 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 9
Registry Values Infected: 8
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 5

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{d5e9f43e-ece3-4728-859b-c5d612a68404} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{d5e9f43e-ece3-4728-859b-c5d612a68404} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{27955b3c-d524-43ff-8fe5-b875c89617f8} (Trojan.BHO.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{27955b3c-d524-43ff-8fe5-b875c89617f8} (Trojan.BHO.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\dslcnnct (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\txgxastv (Rootkit.Sentinel) -> Delete on reboot.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cpm63893cd0 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jetotikiyu (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\ssodl (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bf (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bk (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\iu (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\mu (Trojan.Agent) -> Delete on reboot.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINNT\SYSTEM32\atrac.dll (Trojan.BHO.H) -> Delete on reboot.
C:\_OTListIt\MovedFiles\04212009_224453\WINNT\system32\hakurevi.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\_OTListIt\MovedFiles\04212009_224453\WINNT\system32\wafiguvu.exe (Trojan.Vundo.V) -> Quarantined and deleted successfully.
C:\Documents and Settings\mom\Local Settings\Temp\ktlyawsd.dat (Rootkit.Agent) -> Delete on reboot.
C:\WINNT\SYSTEM32\DRIVERS\txgxastv.sys (Rootkit.Sentinel) -> Delete on reboot.

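Several items in the MBAM log above are marked "Delete on reboot", which is exactly what the poster was unsure about. The parser below is an added example, not part of the thread and not MBAM's own code: it reads a log in this format, checks that the summary counts agree with the items actually listed, and returns the entries whose removal still depends on the reboot having happened; SAMPLE_LOG is a constructed subset of the thread's entries with the counts adjusted to match.

```python
"""Parse a Malwarebytes' Anti-Malware 1.x text log (the format posted above) and
pull out what a responder should verify after the reboot that MBAM asks for.

Added example, not part of the thread and not MBAM's own code.  SAMPLE_LOG is
constructed from a subset of the thread's entries, with the summary counts
adjusted to match that subset."""
import re
from dataclasses import dataclass

SAMPLE_LOG = r"""
Malwarebytes' Anti-Malware 1.36
Database version: 2024

Scan type: Full Scan (C:\|)
Objects scanned: 157138
Time elapsed: 2 hour(s), 12 minute(s), 58 second(s)

Memory Processes Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 1
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{27955b3c-d524-43ff-8fe5-b875c89617f8} (Trojan.BHO.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\txgxastv (Rootkit.Sentinel) -> Delete on reboot.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jetotikiyu (Trojan.Vundo.H) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Files Infected:
C:\WINNT\SYSTEM32\atrac.dll (Trojan.BHO.H) -> Delete on reboot.
C:\_OTListIt\MovedFiles\04212009_224453\WINNT\system32\hakurevi.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINNT\SYSTEM32\DRIVERS\txgxastv.sys (Rootkit.Sentinel) -> Delete on reboot.
"""


@dataclass(frozen=True)
class Finding:
    section: str    # e.g. "Files Infected"
    path: str       # registry key/value or file path
    detection: str  # MBAM detection name, e.g. "Trojan.Vundo.H"
    action: str     # final action, e.g. "Delete on reboot."


COUNT_RE = re.compile(r"^(?P<section>.+ Infected): (?P<n>\d+)$")
HEADER_RE = re.compile(r"^(?P<section>.+ Infected):$")
# path, detection in parentheses, then one or more "->" actions; Registry Data
# Items carry "Bad: (1) Good: (0)" before the real action (a path containing " (" would need a stricter pattern).
ITEM_RE = re.compile(r"^(?P<path>.+?) \((?P<detection>[^()]+)\) -> (?P<actions>.+)$")


def parse_mbam_log(text: str) -> dict:
    """Return {'meta': {...}, 'declared': {section: count}, 'findings': [Finding]}."""
    meta, declared, findings, section = {}, {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "(No malicious items detected)":
            continue
        if (m := HEADER_RE.match(line)):
            section = m["section"]
        elif section is None:
            if (m := COUNT_RE.match(line)):
                declared[m["section"]] = int(m["n"])
            elif ": " in line:                      # "Objects scanned: 157138"
                key, _, value = line.partition(": ")
                meta[key] = value
        elif (m := ITEM_RE.match(line)):
            findings.append(Finding(section, m["path"], m["detection"],
                                    m["actions"].split(" -> ")[-1]))
        else:
            raise ValueError(f"unrecognised line in {section!r}: {line}")
    return {"meta": meta, "declared": declared, "findings": findings}


def pending_reboot(report: dict) -> list:
    """Items MBAM could not remove live (a loaded DLL, a running driver service):
    they are only gone if the reboot happened and nothing re-created them."""
    return [f for f in report["findings"] if "reboot" in f.action.lower()]


def count_mismatches(report: dict) -> dict:
    """Sections whose summary count differs from the items listed (truncated or
    hand-edited logs show up here)."""
    listed = {}
    for f in report["findings"]:
        listed[f.section] = listed.get(f.section, 0) + 1
    return {s: (n, listed.get(s, 0)) for s, n in report["declared"].items()
            if n != listed.get(s, 0)}
```

Pointed at the saved log from the Logs tab after the reboot, anything returned by pending_reboot is what to re-check on disk and in the registry before calling the machine clean.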

#7 Buckeye_Sam

Buckeye_Sam

    Malware Expert

  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 22 April 2009 - 12:23 PM

We need to run Combofix.



Please download ComboFix from one of these locations:

Link 1
Link 2
Link 3

Important!
You should NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert.
It is intended by its creator to be used under the guidance and supervision of a Malware Removal Expert, not for private use.
Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.



Make sure that you save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.




Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.


========================================================

#8 t_h_arner

t_h_arner
  • Topic Starter

  • Members
  • 7 posts

Posted 22 April 2009 - 06:51 PM

Some of the instances of BHO and Vundo seemed to be gone. I have run Combofix many times, just for the record. ??
=================================
ComboFix 09-04-19.01 - mom 04/22/2009 19:16.6 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1150.815 [GMT -4:00]
Running from: c:\hijack\antivirus-spyware\ComboFix.exe
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated)
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat

----- BITS: Possible infected sites -----

hxxp://82.98.235.208
.
((((((((((((((((((((((((( Files Created from 2009-03-22 to 2009-04-22 )))))))))))))))))))))))))))))))
.

2009-04-22 02:44 . 2009-04-22 02:44 -------- d-----w C:\_OTListIt
2009-04-21 11:04 . 2009-04-21 11:04 2713 --sh--w c:\winnt\system32\witukezo.exe
2009-04-18 22:35 . 2008-12-11 12:38 159600 ----a-w c:\winnt\system32\drivers\pctgntdi.sys
2009-04-18 22:35 . 2009-04-18 23:44 -------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-04-18 22:35 . 2009-03-06 20:45 130424 ----a-w c:\winnt\system32\drivers\PCTCore.sys
2009-04-18 22:35 . 2008-12-18 16:16 73840 ----a-w c:\winnt\system32\drivers\PCTAppEvent.sys
2009-04-18 22:35 . 2009-04-18 22:37 -------- d-----w c:\program files\Common Files\PC Tools
2009-04-18 22:35 . 2008-12-10 16:36 64392 ----a-w c:\winnt\system32\drivers\pctplsg.sys
2009-04-18 22:34 . 2009-04-18 22:38 -------- d-----w c:\program files\SpywareDoc
2009-04-18 22:34 . 2009-04-18 22:34 -------- d-----w c:\documents and settings\mom\Application Data\PC Tools
2009-04-18 22:34 . 2009-04-18 22:34 -------- d-----w c:\documents and settings\All Users\Application Data\PC Tools
2009-04-18 06:07 . 2009-04-18 06:07 -------- d-----w c:\documents and settings\mom\Application Data\Malwarebytes
2009-04-18 06:07 . 2009-04-06 19:32 15504 ----a-w c:\winnt\system32\drivers\mbam.sys
2009-04-18 06:07 . 2009-04-06 19:32 38496 ----a-w c:\winnt\system32\drivers\mbamswissarmy.sys
2009-04-18 06:07 . 2009-04-18 06:07 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-04-18 06:07 . 2009-04-18 06:07 -------- d-----w c:\program files\MalwarebytesAnti-Malware
2009-04-18 04:56 . 2009-04-18 04:56 -------- d-sha-r C:\autorun.inf
2009-04-17 22:26 . 2009-04-17 22:26 -------- d-----w c:\documents and settings\mom\Application Data\Uniblue
2009-04-17 22:24 . 2009-04-18 00:01 -------- dc-h--w c:\documents and settings\All Users\Application Data\~0
2009-04-17 04:05 . 2009-04-17 04:05 -------- d-----w c:\documents and settings\arnerth\Local Settings\Application Data\Symantec
2009-04-17 03:30 . 2009-04-17 03:30 -------- d-----w c:\documents and settings\arnerth\Local Settings\Application Data\Mozilla
2009-04-16 05:11 . 2009-04-16 05:11 0 ----a-w c:\winnt\vpc32.INI
2009-04-15 23:19 . 2009-04-15 23:19 -------- d-----w c:\documents and settings\mom\Local Settings\Application Data\Symantec
2009-04-15 23:15 . 2005-04-02 00:36 91856 ----a-w c:\winnt\system32\S32EVNT1.DLL
2009-04-15 23:15 . 2005-04-02 00:36 123200 ----a-w c:\winnt\system32\drivers\SYMEVENT.SYS
2009-04-15 23:14 . 2009-04-18 01:53 -------- d-----w c:\program files\AntiVirus
2009-04-15 12:12 . 2009-04-15 12:12 -------- d-----w c:\documents and settings\mom\.housecall6.6
2009-04-15 04:10 . 2009-04-15 04:10 -------- d-----w c:\program files\Trend Micro
2009-04-15 04:09 . 2009-04-19 04:07 -------- d-----w C:\hIJACK
2009-03-27 04:20 . 2009-03-27 04:20 -------- d-----w c:\documents and settings\arnerth\Application Data\WinPatrol

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-19 05:13 . 2008-12-25 04:03 -------- d-----w c:\documents and settings\mom\Application Data\SanDisk
2009-04-18 06:05 . 2008-12-07 16:24 -------- d-----w c:\program files\Unity
2009-04-18 04:54 . 2004-08-25 15:56 -------- d-----w c:\documents and settings\All Users\Application Data\Viewpoint
2009-04-18 00:39 . 2005-01-06 04:51 -------- d-----w c:\program files\CleanUp!
2009-04-15 23:33 . 2003-07-30 06:25 -------- d-----w c:\program files\Common Files\Symantec Shared
2009-04-15 23:16 . 2003-07-30 06:25 -------- d-----w c:\program files\Symantec
2009-04-15 23:14 . 2003-07-30 06:25 -------- d-----w c:\documents and settings\All Users\Application Data\Symantec
2009-04-15 03:46 . 2009-04-15 03:46 24662 ----a-w C:\HijackPatrol.log
2009-03-27 04:18 . 2005-07-01 01:49 -------- d-----w c:\program files\Web Publish
2009-03-27 04:15 . 2004-02-22 18:41 -------- d-----w c:\program files\Google
2009-03-16 18:13 . 2009-03-16 18:12 -------- d-----w c:\documents and settings\mom\Application Data\Move Networks
2009-03-01 19:11 . 2009-02-15 16:59 -------- d-----w c:\program files\Funkeys
2009-02-25 04:30 . 2009-02-25 04:30 -------- d-----w c:\documents and settings\All Users\Application Data\NCH Swift Sound
2009-02-25 04:30 . 2009-02-25 04:30 -------- d-----w c:\documents and settings\mom\Application Data\NCH Swift Sound
2009-02-09 10:19 . 2003-03-31 17:00 1846272 ----a-w c:\winnt\SYSTEM32\DLLCACHE\win32k.sys
2009-02-09 10:19 . 2003-03-31 17:00 1846272 ------w c:\winnt\SYSTEM32\win32k.sys
2009-02-03 18:15 . 2004-07-15 03:39 71064 ----a-w c:\documents and settings\mom\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2003-10-26 23:55 . 2003-10-26 23:55 11952 ----a-w c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2002-03-12 15:53 . 2002-03-12 15:53 271 --sh--w c:\program files\DESKTOP.INI
2002-03-12 15:53 . 2002-03-12 15:53 21952 ---h--w c:\program files\FOLDER.HTT
.

((((((((((((((((((((((((((((( SnapShot@2009-04-19_00.09.52 )))))))))))))))))))))))))))))))))))))))))
.
- 2004-05-08 19:11 . 2009-04-18 16:15 32768 c:\winnt\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2004-05-08 19:11 . 2009-04-19 17:03 32768 c:\winnt\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2004-05-08 19:11 . 2009-04-19 17:03 32768 c:\winnt\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\index.dat
- 2004-05-08 19:11 . 2009-04-18 16:15 32768 c:\winnt\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-04-19 04:07 . 2009-04-19 04:07 16384 c:\winnt\SYSTEM32\CONFIG\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\MSIMGSIZ.DAT
+ 2004-05-08 19:11 . 2009-04-19 17:03 32768 c:\winnt\SYSTEM32\CONFIG\systemprofile\Cookies\index.dat
- 2004-05-08 19:11 . 2009-04-18 16:15 32768 c:\winnt\SYSTEM32\CONFIG\systemprofile\Cookies\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\winnt\system32\ctfmon.exe" [2004-08-04 15360]

c:\documents and settings\Administrator\Start Menu\Programs\Startup\
UMAX VistaAccess.lnk - c:\vstascan\vsaccess.exe [2003-11-26 159232]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"HideFastUserSwitching"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideFastUserSwitching"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoHelp"= 0 (0x0)
"NoViewOnDrive"= 0 (0x0)

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32
"aux"= mmdrv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"HotKeysCmds"=c:\winnt\System32\hkcmd.exe
"HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
"HPDJ Taskbar Utility"=c:\winnt\System32\spool\drivers\w32x86\3\hpztsb09.exe
"SetIcon"=\Program Files\WDC\CR\SetIcon.exe
"WD Button Manager"=WDBtnMgr.exe
"Synchronization Manager"=mobsync.exe /logon
"HPHUPD05"=c:\program files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
"HPHmon05"=c:\winnt\System32\hphmon05.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

2;2 WZCBDLService; [x]
R1 AEC671X;AEC671X;c:\winnt\System32\drivers\AEC671X.SYS [1998-05-05 12128]
R1 DMX3191;DMX3191;c:\winnt\System32\drivers\DMX3191.SYS [1999-02-23 17700]
R2 UDNT;UDNT; [x]
R3 EL90BC;3Com EtherLink XL B/C Adapter Driver; [x]
R3 ncvcp;Network Connect Virtual Com Port; [x]
R3 oflpydin;oflpydin; [x]
R3 PRISM_USB;D-Link Air Wireless USB Adapter Driver;c:\winnt\system32\DRIVERS\PRISMUSB.sys [2003-10-02 666624]
R3 SavRoam;SavRoam;c:\program files\AntiVirus\SavRoam.exe [2005-04-17 124608]
R3 SONYPVP2;SONYPVP2;c:\winnt\system32\drivers\sonypvp2.sys [2002-01-19 32924]
R3 usbhub20;USB 2.0 Root Hub Support;c:\winnt\system32\DRIVERS\usbhub20.sys [2003-06-19 49776]
S0 fasttrak;fasttrak;c:\winnt\System32\DRIVERS\fasttrak.sys [2001-04-26 64418]
S0 mraid2k;mraid2k;c:\winnt\System32\DRIVERS\mraid2k.sys [2001-06-08 17258]
S0 PCTCore;PCTools KDS;c:\winnt\system32\drivers\PCTCore.sys [2009-03-06 130424]
S2 ASFAgent;ASF Agent;c:\program files\Intel\ASF Agent\ASFAgent.exe [2002-05-08 212992]
S2 NetAlrt;NetAlrt;c:\winnt\System32\drivers\NetAlrt.sys [2002-05-07 39680]
S2 NIOC;NIOC Service;c:\winnt\system32\NIOC.SYS [2002-09-27 22912]
S2 PlatAlrt;PlatAlrt;c:\winnt\System32\drivers\PlatAlrt.sys [2002-05-07 23744]
S2 sdAuxService;PC Tools Auxiliary Service;c:\program files\SpywareDoc\pctsAuxs.exe [2009-01-07 348752]


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - D:\Autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{94daa3da-d0ff-11db-962b-000d887e8262}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder

2009-04-15 c:\winnt\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2003-07-30 21:32]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = hxxp://www.google.com/
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
DPF: DirectAnimation Java Classes - file://c:\winnt\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\winnt\Java\classes\xmldso.cab
DPF: {F229AB32-7BF9-4225-B78F-B4680AE6FC23} - hxxp://www.snapfish.com/SnapfishUpload.cab
FF - ProfilePath - c:\documents and settings\mom\Application Data\Mozilla\Firefox\Profiles\default.1ax\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - plugin: c:\documents and settings\mom\Application Data\Mozilla\Firefox\Profiles\default.1ax\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071101000055.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npgcplug.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Real\Real1\Netscape6\nppl3260.dll
FF - plugin: c:\program files\Real\Real1\Netscape6\nprjplug.dll
FF - plugin: c:\program files\Real\Real1\Netscape6\nprpjplug.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-22 19:34
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(1572)
c:\winnt\system32\WPDShServiceObj.dll
c:\program files\ArcSoft\Software Suite\PhotoImpression\share\pihook.dll
c:\winnt\system32\PortableDeviceTypes.dll
c:\winnt\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\progra~1\Dantz\RETROS~1\retrorun.exe
c:\progra~1\Dantz\RETROS~1\wdsvc.exe
c:\winnt\SYSTEM32\UAService7.exe
c:\program files\WZCBDL Service\WZCBDLS.exe
c:\winnt\SYSTEM32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-04-22 19:42 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-22 23:42
ComboFix2.txt 2009-04-19 00:19

Pre-Run: 3,445,576,704 bytes free
Post-Run: 3,448,438,784 bytes free

194 --- E O F --- 2009-03-14 07:03
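The ComboFix log above is the kind of evidence a responder reads in a few seconds: in the Reg Loading Points section the Windows Firewall is off in the standard profile ("EnableFirewall"= 0), TCP 3389 (Remote Desktop) is in the GloballyOpenPorts list, Security Center monitoring of Symantec AntiVirus is disabled, a driver with a random-looking name (oflpydin) is registered with no file on disk ([x]), and an AutoRun handler is recorded under mountpoints2. The script below is an added example, not part of the original posts and not ComboFix's own code; it parses a constructed sample built in the shape of those log lines and returns the findings with a priority label. The severity scale, the random-name heuristic (lowercase-only name, 6 to 10 letters, display name identical to the service name) and the sample lines are my assumptions.

```python
import re

# Constructed sample in the shape of the ComboFix "Reg Loading Points"
# and service sections above (representative lines only, not a full log).
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

2;2 WZCBDLService; [x]
R3 oflpydin;oflpydin; [x]
R3 ncvcp;Network Connect Virtual Com Port; [x]
R3 PRISM_USB;D-Link Air Wireless USB Adapter Driver;c:\winnt\system32\DRIVERS\PRISMUSB.sys [2003-10-02 666624]
S0 PCTCore;PCTools KDS;c:\winnt\system32\drivers\PCTCore.sys [2009-03-06 130424]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - D:\Autorun.exe
"""

KEY_RE = re.compile(r'^\[(.+)\]$')                       # [registry key] header
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')          # "name"= value
SERVICE_RE = re.compile(r'^([RS]\d)\s+([^;]+);([^;]*);\s*(.*)$')  # R3 name;display;path
AUTORUN_RE = re.compile(r'^\\Shell\\AutoRun\\command\s+-\s+(.+)$')


def triage(log_text):
    """Scan ComboFix-style log text and return (severity, finding) tuples
    in the order encountered; 'high' items are the ones to act on first."""
    findings = []
    current_key = ''          # last [registry key] header seen, as written
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            current_key = m.group(1)
            continue
        key = current_key.lower()
        m = VALUE_RE.match(line)
        if m:
            name, value = m.group(1), m.group(2).strip()
            if ('security center\\monitoring' in key
                    and name.lower() == 'disablemonitoring' and value.endswith('1')):
                product = current_key.rsplit('\\', 1)[-1]
                findings.append(('high', f'Security Center monitoring disabled for {product}'))
            elif ('firewallpolicy' in key
                    and name.lower() == 'enablefirewall' and value.startswith('0')):
                findings.append(('high', 'Windows Firewall disabled in the standard profile'))
            elif 'globallyopenports' in key:
                # A globally open port is reachable from any address; 3389 is RDP.
                sev = 'high' if name.startswith('3389:') else 'medium'
                findings.append((sev, f'Port open to all addresses: {name}'))
            continue
        m = SERVICE_RE.match(line)
        if m:
            start, svc, display, rest = m.groups()
            if rest == '[x]':          # ComboFix found no file behind the entry
                if svc == display and re.fullmatch(r'[a-z]{6,10}', svc):
                    findings.append(('high',
                        f'Driver {svc} ({start}) has a random-looking name and no file on disk'))
                else:
                    findings.append(('low',
                        f'Service {svc} ({start}) registered but its file is missing'))
            continue
        m = AUTORUN_RE.match(line)
        if m and 'mountpoints2' in key:
            findings.append(('medium', f'AutoRun handler registered for a volume: {m.group(1)}'))
    return findings


if __name__ == '__main__':
    for severity, finding in triage(SAMPLE_LOG):
        print(f'[{severity:<6}] {finding}')
```

Stale entries such as ncvcp (a real product whose file is simply gone) come out as low so they do not drown the one that matters; the random-name rule is deliberately narrow and should be tuned against the names your own cases produce.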

#9 Buckeye_Sam (Malware Expert)

Posted 22 April 2009 - 07:28 PM

:thumbup2:
It's not recommended to run Combofix for personal use.
Did you download it again, or is this the version that you used before?


Copy and paste ALL the following text in the Quote box below into Notepad.
Click on File (in the menu at the top) > Save as... / Save as Type: 'All Files' / File name: CFScript, and save it to your desktop.

File::
c:\winnt\system32\witukezo.exe
C:\WINNT\SYSTEM32\atrac.dll 
C:\Documents and Settings\mom\Local Settings\Temp\ktlyawsd.dat 
C:\WINNT\SYSTEM32\DRIVERS\txgxastv.sys

Driver::
oflpydin
txgxastv
Prior to running Combofix.exe you should disable your antivirus program.

Now drag then drop the CFScript file onto ComboFix.exe as seen in the image below.

[image: CFScript being dragged onto ComboFix.exe]

This will start ComboFix again.
After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.


==================


Please run a new scan with Malwarebytes and post the resulting log along with your combofix log.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#10 t_h_arner (Topic Starter)

Posted 23 April 2009 - 07:20 AM

Yes I understand, I won't add any more. :thumbup2:
=========================
ComboFix 09-04-23.02 - mom 04/22/2009 22:58.7 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1150.788 [GMT -4:00]
Running from: c:\hijack\antivirus-spyware\ComboFix.exe
Command switches used :: c:\documents and settings\mom\Desktop\CFScript.txt
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated)
* Created a new restore point

FILE ::
c:\documents and settings\mom\Local Settings\Temp\ktlyawsd.dat
c:\winnt\SYSTEM32\atrac.dll
c:\winnt\SYSTEM32\DRIVERS\txgxastv.sys
c:\winnt\system32\witukezo.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\winnt\system32\witukezo.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_OFLPYDIN
-------\Legacy_TXGXASTV
-------\Service_oflpydin


((((((((((((((((((((((((( Files Created from 2009-03-23 to 2009-04-23 )))))))))))))))))))))))))))))))
.

2009-04-22 02:44 . 2009-04-22 02:44 -------- d-----w C:\_OTListIt
2009-04-18 22:35 . 2008-12-11 12:38 159600 ----a-w c:\winnt\system32\drivers\pctgntdi.sys
2009-04-18 22:35 . 2009-04-18 23:44 -------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-04-18 22:35 . 2009-03-06 20:45 130424 ----a-w c:\winnt\system32\drivers\PCTCore.sys
2009-04-18 22:35 . 2008-12-18 16:16 73840 ----a-w c:\winnt\system32\drivers\PCTAppEvent.sys
2009-04-18 22:35 . 2009-04-18 22:37 -------- d-----w c:\program files\Common Files\PC Tools
2009-04-18 22:35 . 2008-12-10 16:36 64392 ----a-w c:\winnt\system32\drivers\pctplsg.sys
2009-04-18 22:34 . 2009-04-18 22:38 -------- d-----w c:\program files\SpywareDoc
2009-04-18 22:34 . 2009-04-18 22:34 -------- d-----w c:\documents and settings\mom\Application Data\PC Tools
2009-04-18 22:34 . 2009-04-18 22:34 -------- d-----w c:\documents and settings\All Users\Application Data\PC Tools
2009-04-18 06:07 . 2009-04-18 06:07 -------- d-----w c:\documents and settings\mom\Application Data\Malwarebytes
2009-04-18 06:07 . 2009-04-06 19:32 15504 ----a-w c:\winnt\system32\drivers\mbam.sys
2009-04-18 06:07 . 2009-04-06 19:32 38496 ----a-w c:\winnt\system32\drivers\mbamswissarmy.sys
2009-04-18 06:07 . 2009-04-18 06:07 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-04-18 06:07 . 2009-04-18 06:07 -------- d-----w c:\program files\MalwarebytesAnti-Malware
2009-04-18 04:56 . 2009-04-18 04:56 -------- d-sha-r C:\autorun.inf
2009-04-17 22:26 . 2009-04-17 22:26 -------- d-----w c:\documents and settings\mom\Application Data\Uniblue
2009-04-17 22:24 . 2009-04-18 00:01 -------- dc-h--w c:\documents and settings\All Users\Application Data\~0
2009-04-17 04:05 . 2009-04-17 04:05 -------- d-----w c:\documents and settings\arnerth\Local Settings\Application Data\Symantec
2009-04-17 03:30 . 2009-04-17 03:30 -------- d-----w c:\documents and settings\arnerth\Local Settings\Application Data\Mozilla
2009-04-17 00:28 . 2009-04-17 00:28 -------- d-----w c:\documents and settings\LocalService\Application Data\WinPatrol
2009-04-16 05:11 . 2009-04-16 05:11 0 ----a-w c:\winnt\vpc32.INI
2009-04-15 23:19 . 2009-04-15 23:19 -------- d-----w c:\documents and settings\mom\Local Settings\Application Data\Symantec
2009-04-15 23:15 . 2005-04-02 00:36 91856 ----a-w c:\winnt\system32\S32EVNT1.DLL
2009-04-15 23:15 . 2005-04-02 00:36 123200 ----a-w c:\winnt\system32\drivers\SYMEVENT.SYS
2009-04-15 23:14 . 2009-04-18 01:53 -------- d-----w c:\program files\AntiVirus
2009-04-15 12:12 . 2009-04-15 12:12 -------- d-----w c:\documents and settings\mom\.housecall6.6
2009-04-15 04:10 . 2009-04-15 04:10 -------- d-----w c:\program files\Trend Micro
2009-04-15 04:09 . 2009-04-19 04:07 -------- d-----w C:\hIJACK
2009-03-27 04:20 . 2009-03-27 04:20 -------- d-----w c:\documents and settings\arnerth\Application Data\WinPatrol

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-19 05:13 . 2008-12-25 04:03 -------- d-----w c:\documents and settings\mom\Application Data\SanDisk
2009-04-18 06:05 . 2008-12-07 16:24 -------- d-----w c:\program files\Unity
2009-04-18 04:54 . 2004-08-25 15:56 -------- d-----w c:\documents and settings\All Users\Application Data\Viewpoint
2009-04-18 00:39 . 2005-01-06 04:51 -------- d-----w c:\program files\CleanUp!
2009-04-15 23:33 . 2003-07-30 06:25 -------- d-----w c:\program files\Common Files\Symantec Shared
2009-04-15 23:16 . 2003-07-30 06:25 -------- d-----w c:\program files\Symantec
2009-04-15 23:14 . 2003-07-30 06:25 -------- d-----w c:\documents and settings\All Users\Application Data\Symantec
2009-04-15 03:46 . 2009-04-15 03:46 24662 ----a-w C:\HijackPatrol.log
2009-03-27 04:18 . 2005-07-01 01:49 -------- d-----w c:\program files\Web Publish
2009-03-27 04:15 . 2004-02-22 18:41 -------- d-----w c:\program files\Google
2009-03-16 18:13 . 2009-03-16 18:12 -------- d-----w c:\documents and settings\mom\Application Data\Move Networks
2009-03-01 19:11 . 2009-02-15 16:59 -------- d-----w c:\program files\Funkeys
2009-02-25 04:30 . 2009-02-25 04:30 -------- d-----w c:\documents and settings\All Users\Application Data\NCH Swift Sound
2009-02-25 04:30 . 2009-02-25 04:30 -------- d-----w c:\documents and settings\mom\Application Data\NCH Swift Sound
2009-02-09 10:19 . 2003-03-31 17:00 1846272 ----a-w c:\winnt\SYSTEM32\DLLCACHE\win32k.sys
2009-02-09 10:19 . 2003-03-31 17:00 1846272 ------w c:\winnt\SYSTEM32\win32k.sys
2009-02-03 18:15 . 2004-07-15 03:39 71064 ----a-w c:\documents and settings\mom\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2003-10-26 23:55 . 2003-10-26 23:55 11952 ----a-w c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2002-03-12 15:53 . 2002-03-12 15:53 271 --sh--w c:\program files\DESKTOP.INI
2002-03-12 15:53 . 2002-03-12 15:53 21952 ---h--w c:\program files\FOLDER.HTT
.

((((((((((((((((((((((((((((( SnapShot@2009-04-19_00.09.52 )))))))))))))))))))))))))))))))))))))))))
.
- 2004-05-08 19:11 . 2009-04-18 16:15 32768 c:\winnt\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2004-05-08 19:11 . 2009-04-19 17:03 32768 c:\winnt\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2004-05-08 19:11 . 2009-04-19 17:03 32768 c:\winnt\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\index.dat
- 2004-05-08 19:11 . 2009-04-18 16:15 32768 c:\winnt\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-04-19 04:07 . 2009-04-19 04:07 16384 c:\winnt\SYSTEM32\CONFIG\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\MSIMGSIZ.DAT
+ 2004-05-08 19:11 . 2009-04-19 17:03 32768 c:\winnt\SYSTEM32\CONFIG\systemprofile\Cookies\index.dat
- 2004-05-08 19:11 . 2009-04-18 16:15 32768 c:\winnt\SYSTEM32\CONFIG\systemprofile\Cookies\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\winnt\system32\ctfmon.exe" [2004-08-04 15360]

c:\documents and settings\Administrator\Start Menu\Programs\Startup\
UMAX VistaAccess.lnk - c:\vstascan\vsaccess.exe [2003-11-26 159232]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"HideFastUserSwitching"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideFastUserSwitching"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoHelp"= 0 (0x0)
"NoViewOnDrive"= 0 (0x0)

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32
"aux"= mmdrv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"HotKeysCmds"=c:\winnt\System32\hkcmd.exe
"HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
"HPDJ Taskbar Utility"=c:\winnt\System32\spool\drivers\w32x86\3\hpztsb09.exe
"SetIcon"=\Program Files\WDC\CR\SetIcon.exe
"WD Button Manager"=WDBtnMgr.exe
"Synchronization Manager"=mobsync.exe /logon
"HPHUPD05"=c:\program files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
"HPHmon05"=c:\winnt\System32\hphmon05.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

2;2 WZCBDLService; [x]
R1 AEC671X;AEC671X;c:\winnt\System32\drivers\AEC671X.SYS [1998-05-05 12128]
R1 DMX3191;DMX3191;c:\winnt\System32\drivers\DMX3191.SYS [1999-02-23 17700]
R2 UDNT;UDNT; [x]
R3 EL90BC;3Com EtherLink XL B/C Adapter Driver; [x]
R3 ncvcp;Network Connect Virtual Com Port; [x]
R3 SavRoam;SavRoam;c:\program files\AntiVirus\SavRoam.exe [2005-04-17 124608]
R3 SONYPVP2;SONYPVP2;c:\winnt\system32\drivers\sonypvp2.sys [2002-01-19 32924]
R3 usbhub20;USB 2.0 Root Hub Support;c:\winnt\system32\DRIVERS\usbhub20.sys [2003-06-19 49776]
S0 fasttrak;fasttrak;c:\winnt\System32\DRIVERS\fasttrak.sys [2001-04-26 64418]
S0 mraid2k;mraid2k;c:\winnt\System32\DRIVERS\mraid2k.sys [2001-06-08 17258]
S0 PCTCore;PCTools KDS;c:\winnt\system32\drivers\PCTCore.sys [2009-03-06 130424]
S2 ASFAgent;ASF Agent;c:\program files\Intel\ASF Agent\ASFAgent.exe [2002-05-08 212992]
S2 NetAlrt;NetAlrt;c:\winnt\System32\drivers\NetAlrt.sys [2002-05-07 39680]
S2 NIOC;NIOC Service;c:\winnt\system32\NIOC.SYS [2002-09-27 22912]
S2 PlatAlrt;PlatAlrt;c:\winnt\System32\drivers\PlatAlrt.sys [2002-05-07 23744]
S2 sdAuxService;PC Tools Auxiliary Service;c:\program files\SpywareDoc\pctsAuxs.exe [2009-01-07 348752]
S3 PRISM_USB;D-Link Air Wireless USB Adapter Driver;c:\winnt\system32\DRIVERS\PRISMUSB.sys [2003-10-02 666624]


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - D:\Autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{94daa3da-d0ff-11db-962b-000d887e8262}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder

2009-04-15 c:\winnt\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2003-07-30 21:32]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = hxxp://www.google.com/
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
DPF: DirectAnimation Java Classes - file://c:\winnt\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\winnt\Java\classes\xmldso.cab
DPF: {F229AB32-7BF9-4225-B78F-B4680AE6FC23} - hxxp://www.snapfish.com/SnapfishUpload.cab
FF - ProfilePath - c:\documents and settings\mom\Application Data\Mozilla\Firefox\Profiles\default.1ax\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - plugin: c:\documents and settings\mom\Application Data\Mozilla\Firefox\Profiles\default.1ax\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071101000055.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npgcplug.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Real\Real1\Netscape6\nppl3260.dll
FF - plugin: c:\program files\Real\Real1\Netscape6\nprjplug.dll
FF - plugin: c:\program files\Real\Real1\Netscape6\nprpjplug.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-22 23:21
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(896)
c:\winnt\system32\WPDShServiceObj.dll
c:\program files\ArcSoft\Software Suite\PhotoImpression\share\pihook.dll
c:\winnt\system32\PortableDeviceTypes.dll
c:\winnt\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Dantz\Retrospect\retrorun.exe
c:\progra~1\Dantz\RETROS~1\wdsvc.exe
c:\winnt\SYSTEM32\UAService7.exe
c:\program files\WZCBDL Service\WZCBDLS.exe
c:\winnt\SYSTEM32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-04-23 23:30 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-23 03:30
ComboFix2.txt 2009-04-22 23:42
ComboFix3.txt 2009-04-19 00:19

Pre-Run: 3,402,332,672 bytes free
Post-Run: 3,389,371,904 bytes free

201 --- E O F --- 2009-03-14 07:03
=======================
Malwarebytes' Anti-Malware 1.36
Database version: 2024
Windows 5.1.2600 Service Pack 2

4/23/2009 8:16:55 AM
mbam-log-2009-04-23 (08-16-55).txt

Scan type: Full Scan (C:\|)
Objects scanned: 157262
Time elapsed: 2 hour(s), 7 minute(s), 11 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#11 Buckeye_Sam (Malware Expert)

Posted 23 April 2009 - 05:48 PM

Looking much better.
How is your computer behaving now?
========================================================

#12 t_h_arner (Topic Starter)

Posted 24 April 2009 - 07:50 AM

Yes, thanks, those were nasty little guys. I guess more of this is to be expected in 09. Thanks again, Sam.

#13 Buckeye_Sam (Malware Expert)

Posted 24 April 2009 - 10:45 AM

Nasty indeed! And they're getting more and more difficult to remove unfortunately.


Let's remove Combofix now that we're done with it and clean up a few other things.
  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK

  • [image: "Combofix /u" typed into the Run box]



==================



Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
  • Disable and Enable System Restore. - If you are using Windows ME or XP then you should disable and re-enable System Restore to make sure there are no infected files found in a restore point left over from what we have just cleaned.

    You can find instructions on how to disable and re-enable System Restore here:

    Windows XP System Restore Guide

    Re-enable System Restore with the instructions from the tutorial above.

  • Make your Internet Explorer more secure - This can be done by following these simple instructions:
    • From within Internet Explorer click on the Tools menu and then click on Options.
    • Click once on the Security tab
    • Click once on the Internet icon so it becomes highlighted.
    • Click once on the Custom Level button.
      • Change the Download signed ActiveX controls to Prompt
      • Change the Download unsigned ActiveX controls to Disable
      • Change the Initialize and script ActiveX controls not marked as safe to Disable
      • Change the Installation of desktop items to Prompt
      • Change the Launching programs and files in an IFRAME to Prompt
      • Change the Navigate sub-frames across different domains to Prompt
      • When all these settings have been made, click on the OK button.
      • If it prompts you as to whether or not you want to save the settings, press the Yes button.
    • Next press the Apply button and then the OK to exit the Internet Properties page.
  • Use an AntiVirus Software - It is very important that your computer has anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.

    See this link for a listing of some online & their stand-alone antivirus programs:

    Virus, Spyware, and Malware Protection and Removal Resources

  • Update your AntiVirus Software - It is imperative that you update your Antivirus software at least once a week (even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

  • Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.

    For a tutorial on Firewalls and a listing of some available ones see the link below:

    Understanding and Using Firewalls

  • Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest security updates available installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

  • Install Spybot - Search and Destroy - Download and install Spybot - Search and Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with the program on a regular basis just as you would with antivirus software.

    A tutorial on installing & using this product can be found here:

    Using Spybot - Search & Destroy to remove Spyware , Malware, and Hijackers

  • Install Ad-Aware - Download and install Ad-Aware. You should also scan your computer with the program on a regular basis, in conjunction with Spybot, just as you would with antivirus software.

    A tutorial on installing & using this product can be found here:

    Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer

  • Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

    A tutorial on installing & using this product can be found here:

    Using SpywareBlaster to protect your computer from Spyware and Malware

  • Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.

:thumbup2: :)
========================================================
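The six Custom Level changes in the post above are clicked through the Internet Options dialog, which is fine for one machine but leaves nothing to check later. The script below is an added example, not from the original post and not a Microsoft tool: it audits the Internet zone against those six settings and reports each one that is weaker than recommended or not set. The mapping from the dialog wording to the numeric REG_DWORD value names under HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 (0 = Enable, 1 = Prompt, 3 = Disable) is taken from Microsoft's zone documentation rather than from the post, so treat it as an assumption to verify against your IE version; the sample zone values are constructed.

```python
import sys

# Custom Level settings named in the post, mapped to the REG_DWORD value
# names Internet Explorer keeps under
#   HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
# (zone 3 is the Internet zone). The value IDs come from Microsoft's zone
# documentation, not from the post; treat them as an assumption to verify
# against the IE version in front of you.
ENABLE, PROMPT, DISABLE = 0, 1, 3
LABEL = {ENABLE: 'Enable', PROMPT: 'Prompt', DISABLE: 'Disable'}

RECOMMENDED = {
    '1001': ('Download signed ActiveX controls', PROMPT),
    '1004': ('Download unsigned ActiveX controls', DISABLE),
    '1201': ('Initialize and script ActiveX controls not marked as safe', DISABLE),
    '1800': ('Installation of desktop items', PROMPT),
    '1804': ('Launching programs and files in an IFRAME', PROMPT),
    '1607': ('Navigate sub-frames across different domains', PROMPT),
}


def audit_zone(current):
    """Compare a zone's values (dict of value name -> int) with RECOMMENDED.
    Returns (id, setting, have, want) for each setting that is weaker than
    recommended or not set at all; stricter-than-recommended is not flagged."""
    deviations = []
    for vid, (setting, want) in RECOMMENDED.items():
        have = current.get(vid)
        if have is None or have < want:
            deviations.append((vid, setting, have, want))
    return deviations


def read_internet_zone():
    """Read the live Internet-zone values from the registry on Windows.
    Returns None on other platforms so the caller can fall back to a sample."""
    if sys.platform != 'win32':
        return None
    import winreg
    path = r'Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
    values = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, path) as key:
        for vid in RECOMMENDED:
            try:
                data, kind = winreg.QueryValueEx(key, vid)
            except FileNotFoundError:
                continue          # value absent: IE uses the zone default
            if kind == winreg.REG_DWORD:
                values[vid] = data
    return values


# Constructed sample of a permissive zone, used when no registry is available.
SAMPLE_WEAK_ZONE = {
    '1001': ENABLE, '1004': PROMPT, '1201': DISABLE, '1800': ENABLE, '1804': ENABLE,
    # 1607 deliberately absent
}


if __name__ == '__main__':
    current = read_internet_zone()
    if current is None:
        current = SAMPLE_WEAK_ZONE
    for vid, setting, have, want in audit_zone(current):
        have_txt = 'not set' if have is None else LABEL.get(have, str(have))
        print(f'{vid} {setting}: {have_txt} -> set to {LABEL[want]}')
```

The comparison is numeric on purpose: Enable (0) < Prompt (1) < Disable (3), so a setting already at Disable where Prompt is recommended passes, while a value that is absent is reported rather than silently trusted to a zone default.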

#14 Buckeye_Sam (Malware Expert)

Posted 14 May 2009 - 11:18 AM

Now that your problem appears to be resolved, this thread will be closed. If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you. Include the address of this thread in your request.