
Trojan issue from a complete malware noob


  • This topic is locked
6 replies to this topic

#1 teamocil

  • Members
  • 5 posts
  • Location:Florida, USA

Posted 21 April 2009 - 03:38 PM

Greetings,
I recently acquired a used laptop from a friend to take out of the country with me on a few trips; unfortunately, it seems to be riddled with malware. Constant popups, the system resources are hogged to the max (multiple iterations of SVCHOST running (sometimes 10+) is what clued me in), etc. At any rate, I'll forget about trying to explain things I don't really understand and just get to the log. Thanks in advance :D


DDS (Ver_09-03-16.01) - NTFSx86
Run by David at 16:20:03.62 on Tue 04/21/2009
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1022.534 [GMT -4:00]


============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\windows\system32\netspy.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\TEMP\kgzqym.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\TEMP\2472554404.exe
C:\WINDOWS\TEMP\kgzqym.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Razer\Diamondback\razerhid.exe
C:\Program Files\Razer\Diamondback\razerofa.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Razer\Diamondback\razerhid.exe
C:\DOCUME~1\David\LOCALS~1\Temp\3303902252.exe
C:\Program Files\Razer\Diamondback\razerofa.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\PROGRA~1\MICROS~2\Office10\OUTLOOK.EXE
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\David\Desktop\dds.scr

============== Pseudo HJT Report ===============

uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\windows\system32\ntos.exe,
BHO: c:\windows\system32\yaubfh983ind.dll: {a5af42a3-94f3-42bd-f634-0604832c897d} - c:\windows\system32\yaubfh983ind.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
uRun: [Diagnostic Manager] c:\docume~1\david\locals~1\temp\3303902252.exe
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY
mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"
mRun: [Diamondback] c:\program files\razer\diamondback\razerhid.exe
dRun: [Windows Resurections] c:\windows\temp\kgzqym.exe
dRun: [Diagnostic Manager] c:\windows\temp\2472554404.exe
dRun: [<NO NAME>] c:\windows\temp\kgzqym.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
uPolicies-explorer: NoFolderOptions = 1 (0x1)
uPolicies-system: DisableRegistryTools = 1 (0x1)
dPolicies-explorer: NoFolderOptions = 1 (0x1)
dPolicies-system: DisableRegistryTools = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
STS: c:\windows\system32\yaubfh983ind.dll: {a5af42a3-94f3-42bd-f634-0604832c897d} - c:\windows\system32\yaubfh983ind.dll
LSA: Authentication Packages = msv1_0 nwprovau

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\david\applic~1\mozilla\firefox\profiles\4hfwgs5w.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.live.com/results.aspx?FORM=IEFM1&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig?referrer=theme_ign
FF - prefs.js: keyword.URL - hxxp://search.live.com/results.aspx?FORM=IEFM1&q=
FF - plugin: c:\documents and settings\david\application data\mozilla\firefox\profiles\4hfwgs5w.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp07076007.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava11.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava12.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava13.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava14.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava32.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJPI150_06.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPOJI610.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPAdbESD.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdivx32.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npDivxPlayerPlugin.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npnul32.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npoctoshape.dll
FF - plugin: c:\program files\mozilla firefox\plugins\nppdf32.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npqtplugin.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npqtplugin2.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npqtplugin3.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npqtplugin4.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npqtplugin5.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npqtplugin6.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npqtplugin7.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\octoshape streaming services\david\octoprogram-l03-n00-u00-c00_0711200_000\npoctoshape.dll
FF - plugin: c:\program files\unity\webplayer\loader\npUnity3D32.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll

============= SERVICES / DRIVERS ===============

R2 NETSPY_SERVICE;NETSPY Service;c:\windows\system32\netspy.exe [2006-9-9 380928]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2008-2-9 24652]
S3 Razerlow;Razerlow USB Filter Driver;c:\windows\system32\drivers\Razerlow.sys [2007-8-10 13225]
S3 restore;restore;\??\c:\windows\system32\drivers\restore.sys --> c:\windows\system32\drivers\restore.sys [?]
S3 SMC80412;SMC 10/100 PC Card (SMC8041 V.2) Driver;c:\windows\system32\drivers\SMC80412.sys [2006-8-16 20292]

=============== Created Last 30 ================

2009-04-21 16:09 <DIR> --d----- c:\program files\Trend Micro
2009-04-14 20:35 38 a------- C:\1D.tmp
2009-04-14 20:35 0 a------- C:\1C.tmp
2009-04-14 20:35 0 a------- C:\1B.tmp
2009-04-14 20:35 0 a------- C:\1A.tmp
2009-04-14 20:35 0 a------- C:\19.tmp
2009-04-14 20:35 0 a------- C:\18.tmp
2009-04-14 20:35 0 a------- C:\17.tmp
2009-04-14 20:35 0 a------- C:\16.tmp
2009-04-14 20:35 0 a------- C:\15.tmp
2009-04-14 20:35 38 a------- C:\14.tmp
2009-04-14 20:35 <DIR> --dsh--- c:\windows\system32\wsnpoem
2009-04-14 20:35 63,488 a------- C:\13.tmp
2009-04-14 20:35 15,000 a------- c:\windows\system32\yaubfh983ind.dll
2009-04-14 19:57 <DIR> --d----- c:\docume~1\david\applic~1\Malwarebytes
2009-04-14 19:57 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-04-14 19:57 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-14 19:57 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-04-14 19:57 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-04-14 19:49 0 a------- C:\10.tmp
2009-04-14 19:49 38 a------- C:\F.tmp
2009-04-14 19:49 0 a------- C:\E.tmp
2009-04-14 19:49 0 a------- C:\D.tmp
2009-04-14 19:49 0 a------- C:\C.tmp
2009-04-14 19:49 0 a------- C:\B.tmp
2009-04-14 19:49 0 a------- C:\A.tmp
2009-04-14 19:49 0 a------- C:\9.tmp
2009-04-14 19:49 0 a------- C:\8.tmp
2009-04-14 19:49 38 a------- C:\7.tmp
2009-04-14 19:49 63,488 a------- C:\6.tmp
2009-04-14 19:45 <DIR> a-dshr-- C:\cmdcons
2009-04-14 19:41 161,792 a------- c:\windows\SWREG.exe
2009-04-14 19:41 98,816 a------- c:\windows\sed.exe
2009-04-14 19:41 <DIR> --d----- C:\ComboFix
2009-04-14 18:05 22,930 a------- c:\windows\system32\AAWService_2009_04_14_18_05_28.dmp
2009-04-14 05:48 45,056 a------- c:\windows\system32\NETSPYHKS.DLL
2009-04-12 03:13 0 a------- c:\windows\system32\AAWService_2009_04_12_03_13_45.dmp
2009-04-11 17:06 20,247 a------- c:\windows\system32\AAWService_2009_04_11_17_06_43.dmp
2009-04-11 16:53 19,982 a------- c:\windows\system32\AAWService_2009_04_11_16_53_51.dmp
2009-04-11 16:44 20,035 a------- c:\windows\system32\AAWService_2009_04_11_16_44_43.dmp
2009-04-11 16:41 19,558 a------- c:\windows\system32\AAWService_2009_04_11_16_41_56.dmp
2009-04-11 16:38 19,558 a------- c:\windows\system32\AAWService_2009_04_11_16_38_56.dmp
2009-04-10 23:15 24,225 a------- c:\windows\system32\AAWService_2009_04_10_23_15_15.dmp
2009-04-10 23:11 16 a------- c:\windows\Jceqakezakobox.bin
2009-04-10 23:10 1,420 a------- c:\windows\Rnecameteq.dat
2009-04-10 22:06 32,137,216 a------- c:\windows\system32\TRSOCR.dat
2009-04-10 21:38 44 a------- c:\windows\system32\64.tmp
2009-04-10 18:45 0 a------- c:\windows\system32\1C.tmp
2009-04-10 18:45 44 a------- c:\windows\system32\1A.tmp
2009-04-10 18:27 <DIR> --d----- c:\windows\system32\3361
2009-04-10 18:22 2 a------- C:\1547013687
2009-04-09 03:39 20,110 a------- c:\windows\system32\AAWService_2009_04_09_03_39_51.dmp
2009-04-08 19:03 22,739 a------- c:\windows\system32\AAWService_2009_04_08_19_03_32.dmp
2009-04-08 15:29 22,932 a------- c:\windows\system32\AAWService_2009_04_08_15_29_48.dmp
2009-04-07 18:15 22,723 a------- c:\windows\system32\AAWService_2009_04_07_18_15_21.dmp
2009-04-07 18:00 <DIR> -cd-h--- c:\docume~1\alluse~1\applic~1\~0

==================== Find3M ====================

2009-04-14 05:49 65,024 a--sh--- c:\windows\system32\gojidisi.exe
2009-04-14 05:48 109,568 a--sh--- c:\windows\system32\yuhituka.dll
2009-04-12 14:48 71,168 a--sh--- c:\windows\system32\venijija.dll
2009-04-12 14:48 64,000 a--sh--- c:\windows\system32\karozeza.exe
2009-04-11 16:53 14,336 a------- c:\windows\system32\svchost.exe
2009-04-10 18:23 182,912 a------- c:\windows\system32\drivers\ndis.sys
2009-02-03 02:27 107,888 a------- c:\windows\system32\CmdLineExt.dll
2006-10-25 09:53 18,224 a------- c:\docume~1\david\applic~1\GDIPFONTCACHEV1.DAT
2003-01-20 06:44 20,292 a----r-- c:\windows\inf\SMC80412.SYS

============= FINISH: 16:20:19.50 ===============
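As an added example (not from the thread, the DDS tool, or ComboFix), a small Python triage pass over the "Running Processes" and "Pseudo HJT Report" sections of the DDS log above. It flags the kinds of entries a malware-response helper reads first: an extra executable chained onto Winlogon's Userinit, autoruns and processes launching from temp directories, a nameless Run value, policies that hide the registry editor and Folder Options from the user, and a BHO registered without a display name. Function and rule names are my own, and the sample log is constructed from lines on this page.

```python
import re
from typing import List, Tuple

# Constructed sample: a subset of the DDS log posted above, so the rules run offline.
SAMPLE_LOG = r"""
============== Running Processes ===============

C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\TEMP\kgzqym.exe
C:\WINDOWS\explorer.exe

============== Pseudo HJT Report ===============

uInternet Settings,ProxyOverride = *.local
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\windows\system32\ntos.exe,
BHO: c:\windows\system32\yaubfh983ind.dll: {a5af42a3-94f3-42bd-f634-0604832c897d} - c:\windows\system32\yaubfh983ind.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
uRun: [Diagnostic Manager] c:\docume~1\david\locals~1\temp\3303902252.exe
mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"
dRun: [Windows Resurections] c:\windows\temp\kgzqym.exe
dRun: [<NO NAME>] c:\windows\temp\kgzqym.exe
uPolicies-system: DisableRegistryTools = 1 (0x1)
dPolicies-explorer: NoFolderOptions = 1 (0x1)
"""

# Line shapes used by DDS's pseudo-HJT section (patterns are my own reading of the log).
RUN_RE = re.compile(r'^([umd])Run: \[(.*?)\] (.*)$')
POLICY_RE = re.compile(r'^[umd]Policies-\w+: (\w+) = (\d+)')
WINLOGON_RE = re.compile(r'^mWinlogon: Userinit=(.*)$')
BHO_RE = re.compile(r'^(BHO|STS): (.*?): \{[0-9a-fA-F-]+\} - (.*)$')

# DDS scope prefixes: u = current user hive, m = local machine, d = HKEY_USERS\.DEFAULT.
SCOPE = {'u': 'HKCU', 'm': 'HKLM', 'd': 'HKU\\.DEFAULT'}
# Policies that take cleanup tools away from the user; malware commonly sets them.
LOCKDOWN_POLICIES = {'DisableRegistryTools', 'NoFolderOptions'}

Finding = Tuple[str, str]  # (reason, offending log line)


def triage_dds(text: str) -> List[Finding]:
    """Walk a DDS log and return the entries worth a helper's attention."""
    findings: List[Finding] = []
    section = ''
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith('=') and line.endswith('='):
            section = line.strip('= ').lower()  # e.g. "running processes"
            continue
        if section == 'running processes':
            if '\\temp\\' in line.lower():
                findings.append(('process image lives in a temp directory', line))
            continue
        m = WINLOGON_RE.match(line)
        if m:
            # Userinit is a comma-separated list; only userinit.exe belongs there.
            entries = [e.strip() for e in m.group(1).split(',') if e.strip()]
            extra = [e for e in entries if not e.lower().endswith('\\userinit.exe')]
            if extra:
                findings.append(('Userinit chains extra executable(s): ' + ', '.join(extra), line))
            continue
        m = RUN_RE.match(line)
        if m:
            scope, name, cmd = m.groups()
            where = SCOPE[scope]
            if '\\temp\\' in cmd.lower():
                findings.append((f'{where} Run entry launches from a temp directory', line))
            if name == '<NO NAME>':
                findings.append((f'{where} Run value has no name', line))
            continue
        m = POLICY_RE.match(line)
        if m:
            policy, value = m.groups()
            if policy in LOCKDOWN_POLICIES and value != '0':
                findings.append((f'policy {policy} is set, hiding tools the user needs for cleanup', line))
            continue
        m = BHO_RE.match(line)
        if m:
            kind, display, path = m.groups()
            # A legitimate BHO registers a product name; here the "name" is just the DLL path.
            if display.lower() == path.lower():
                findings.append((f'{kind} has no registered name, only its own DLL path', line))
    return findings


if __name__ == '__main__':
    for reason, line in triage_dds(SAMPLE_LOG):
        print(f'[{reason}]\n    {line}')
```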


#2 teacup61

    Bleepin' Texan!

  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 21 April 2009 - 03:47 PM

Hello teamocil,


I need for you to go offline completely and disable ALL your protective programs after you download ComboFix, but before you run it. Sometimes those programs interfere with it, and we don't want that! :thumbup2:

This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.

1. Download this file - combofix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply please, along with a new HijackThis log.

Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall.

Please do this:
1. Download HijackThis™ here:
http://www.trendsecure.com/portal/en-US/th.../hijackthis.php

2. Click 'Do a System Scan and Save log'.
The HJT log will open in notepad.

If ComboFix will not run the first time, then rename ComboFix.exe to teamocil.exe and try it again. :)

Thanks,
tea

Edited by teacup61, 21 April 2009 - 03:47 PM.


#3 teamocil
  • Topic Starter

  • Members
  • 5 posts
  • Location:Florida, USA

Posted 21 April 2009 - 06:42 PM

Thanks for the response! Okay, I ran them in the order you said, so here are my new logs, ComboFix first, followed by HJT.
Not sure if this is relevant, but ComboFix stopped, rebooted and restarted before it completed because it said it found a file I should write down, then deleted it. If it is important, it was c:\WINDOWS\system32\ntos.exe. At any rate, here are the logs:

ComboFix:
ComboFix 09-04-22.02 - David 04/21/2009 19:30.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1022.770 [GMT -4:00]
Running from: c:\documents and settings\David\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\ntos.exe
c:\windows\system32\wsnpoem
c:\windows\system32\wsnpoem\audio.dll
c:\windows\system32\wsnpoem\audio.dll.cla
c:\windows\system32\wsnpoem\video.dll
c:\windows\temp\1549789148.exe
.
---- Previous Run -------
.
c:\windows\temp\2435472286.exe
c:\windows\temp\704970832.exe

.
((((((((((((((((((((((((( Files Created from 2009-03-21 to 2009-04-21 )))))))))))))))))))))))))))))))
.

2009-04-15 00:35 . 2009-04-15 00:35 38 ----a-w C:\1D.tmp
2009-04-15 00:35 . 2009-04-15 00:35 0 ----a-w C:\1C.tmp
2009-04-15 00:35 . 2009-04-15 00:35 0 ----a-w C:\1B.tmp
2009-04-15 00:35 . 2009-04-15 00:35 0 ----a-w C:\1A.tmp
2009-04-15 00:35 . 2009-04-15 00:35 0 ----a-w C:\19.tmp
2009-04-15 00:35 . 2009-04-15 00:35 0 ----a-w C:\18.tmp
2009-04-15 00:35 . 2009-04-15 00:35 0 ----a-w C:\17.tmp
2009-04-15 00:35 . 2009-04-15 00:35 0 ----a-w C:\16.tmp
2009-04-15 00:35 . 2009-04-15 00:35 0 ----a-w C:\15.tmp
2009-04-15 00:35 . 2009-04-15 00:35 38 ----a-w C:\14.tmp
2009-04-15 00:35 . 2009-04-15 00:35 63488 ----a-w C:\13.tmp
2009-04-15 00:35 . 2009-04-15 00:35 15000 ----a-w c:\windows\system32\yaubfh983ind.dll
2009-04-14 23:58 . 2009-04-14 23:58 -------- d-----w c:\windows\system32\config\systemprofile\Application Data\AdobeUM
2009-04-14 23:58 . 2009-04-14 23:58 -------- d-----w c:\windows\system32\config\systemprofile\Local Settings\Application Data\Adobe
2009-04-14 23:57 . 2009-04-14 23:57 -------- d-----w c:\documents and settings\David\Application Data\Malwarebytes
2009-04-14 23:57 . 2009-04-06 19:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-14 23:57 . 2009-04-06 19:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-14 23:57 . 2009-04-14 23:57 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-04-14 22:05 . 2009-04-14 22:05 22930 ----a-w c:\windows\system32\AAWService_2009_04_14_18_05_28.dmp
2009-04-14 09:48 . 2009-04-14 09:48 45056 ----a-w c:\windows\system32\NETSPYHKS.DLL
2009-04-12 07:13 . 2009-04-12 07:13 0 ----a-w c:\windows\system32\AAWService_2009_04_12_03_13_45.dmp
2009-04-11 21:06 . 2009-04-11 21:06 20247 ----a-w c:\windows\system32\AAWService_2009_04_11_17_06_43.dmp
2009-04-11 20:53 . 2009-04-11 20:53 19982 ----a-w c:\windows\system32\AAWService_2009_04_11_16_53_51.dmp
2009-04-11 20:44 . 2009-04-11 20:44 20035 ----a-w c:\windows\system32\AAWService_2009_04_11_16_44_43.dmp
2009-04-11 20:41 . 2009-04-11 20:41 19558 ----a-w c:\windows\system32\AAWService_2009_04_11_16_41_56.dmp
2009-04-11 20:38 . 2009-04-11 20:38 19558 ----a-w c:\windows\system32\AAWService_2009_04_11_16_38_56.dmp
2009-04-11 03:15 . 2009-04-11 03:15 24225 ----a-w c:\windows\system32\AAWService_2009_04_10_23_15_15.dmp
2009-04-11 03:11 . 2009-04-11 21:07 -------- d-----w c:\documents and settings\David\Local Settings\Application Data\{F54222B0-CE3C-4F6B-81E1-ABE564002EC0}
2009-04-11 03:11 . 2009-04-11 20:54 16 ----a-w c:\windows\Jceqakezakobox.bin
2009-04-11 03:10 . 2009-04-11 21:07 -------- d-----w c:\documents and settings\David\Local Settings\Application Data\{22AC74EB-D6FF-44D4-B35E-35B68C04A35D}(2)
2009-04-11 03:10 . 2009-04-11 03:11 1420 ----a-w c:\windows\Rnecameteq.dat
2009-04-11 02:06 . 2009-04-11 02:10 32137216 ----a-w c:\windows\system32\TRSOCR.dat
2009-04-11 01:38 . 2009-04-11 01:38 44 ----a-w c:\windows\system32\64.tmp
2009-04-10 22:45 . 2009-04-10 22:45 0 ----a-w c:\windows\system32\1C.tmp
2009-04-10 22:45 . 2009-04-10 22:45 44 ----a-w c:\windows\system32\1A.tmp
2009-04-10 22:27 . 2009-04-11 21:07 -------- d-----w c:\windows\system32\3361
2009-04-10 22:22 . 2009-04-11 20:54 2 ----a-w C:\1547013687
2009-04-09 07:39 . 2009-04-09 07:39 20110 ----a-w c:\windows\system32\AAWService_2009_04_09_03_39_51.dmp
2009-04-08 23:03 . 2009-04-08 23:03 22739 ----a-w c:\windows\system32\AAWService_2009_04_08_19_03_32.dmp
2009-04-08 19:29 . 2009-04-08 19:29 22932 ----a-w c:\windows\system32\AAWService_2009_04_08_15_29_48.dmp
2009-04-07 22:15 . 2009-04-07 22:15 22723 ----a-w c:\windows\system32\AAWService_2009_04_07_18_15_21.dmp
2009-04-07 22:00 . 2009-04-14 23:40 -------- dc-h--w c:\documents and settings\All Users\Application Data\~0
2009-04-07 22:00 . 2009-04-14 23:40 -------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft
2009-04-05 20:13 . 2009-04-05 20:01 10027 ----a-w c:\documents and settings\David\Local Settings\Application Data\~tempinfo.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-21 23:06 . 2009-04-21 23:06 38 ----a-w C:\2F.tmp
2009-04-21 23:06 . 2009-04-21 23:06 0 ----a-w C:\2E.tmp
2009-04-21 23:06 . 2009-04-21 23:06 0 ----a-w C:\2D.tmp
2009-04-21 23:06 . 2009-04-21 23:06 0 ----a-w C:\2C.tmp
2009-04-21 23:06 . 2009-04-21 23:06 0 ----a-w C:\2B.tmp
2009-04-21 23:06 . 2009-04-21 23:06 0 ----a-w C:\2A.tmp
2009-04-21 23:06 . 2009-04-21 23:06 0 ----a-w C:\29.tmp
2009-04-21 23:06 . 2009-04-21 23:06 0 ----a-w C:\28.tmp
2009-04-21 23:06 . 2009-04-21 23:06 0 ----a-w C:\27.tmp
2009-04-21 23:06 . 2009-04-21 23:06 38 ----a-w C:\26.tmp
2009-04-21 23:06 . 2009-04-21 23:06 52736 ----a-w C:\25.tmp
2009-04-21 23:06 . 2009-04-21 23:06 21504 ----a-w C:\3.tmp
2009-04-21 20:09 . 2009-04-21 20:09 -------- d-----w c:\program files\Trend Micro
2009-04-21 19:44 . 2009-04-21 19:44 0 ----a-w C:\24.tmp
2009-04-21 19:44 . 2009-04-21 19:44 0 ----a-w C:\23.tmp
2009-04-21 19:44 . 2009-04-21 19:44 0 ----a-w C:\22.tmp
2009-04-21 19:44 . 2009-04-21 19:44 0 ----a-w C:\21.tmp
2009-04-21 19:44 . 2009-04-21 19:44 38 ----a-w C:\20.tmp
2009-04-21 19:44 . 2009-04-21 19:44 0 ----a-w C:\1F.tmp
2009-04-21 19:44 . 2009-04-21 19:44 0 ----a-w C:\1E.tmp
2009-04-21 19:44 . 2009-04-21 19:44 0 ----a-w C:\12.tmp
2009-04-21 19:44 . 2009-04-21 19:44 0 ----a-w C:\11.tmp
2009-04-21 19:44 . 2009-04-21 19:44 38 ----a-w C:\5.tmp
2009-04-21 19:44 . 2009-04-21 19:44 52736 ----a-w C:\4.tmp
2009-04-21 19:44 . 2009-04-21 19:44 0 ----a-w C:\2.tmp
2009-04-18 05:53 . 2006-07-12 01:19 -------- d-----w c:\program files\Trillian
2009-04-14 23:57 . 2009-04-14 23:57 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-14 23:49 . 2009-04-14 23:49 38 ----a-w C:\F.tmp
2009-04-14 23:49 . 2009-04-14 23:49 0 ----a-w C:\10.tmp
2009-04-14 23:49 . 2009-04-14 23:49 0 ----a-w C:\E.tmp
2009-04-14 23:49 . 2009-04-14 23:49 0 ----a-w C:\D.tmp
2009-04-14 23:49 . 2009-04-14 23:49 0 ----a-w C:\C.tmp
2009-04-14 23:49 . 2009-04-14 23:49 0 ----a-w C:\B.tmp
2009-04-14 23:49 . 2009-04-14 23:49 0 ----a-w C:\A.tmp
2009-04-14 23:49 . 2009-04-14 23:49 0 ----a-w C:\9.tmp
2009-04-14 23:49 . 2009-04-14 23:49 0 ----a-w C:\8.tmp
2009-04-14 23:49 . 2009-04-14 23:49 38 ----a-w C:\7.tmp
2009-04-14 23:49 . 2009-04-14 23:49 63488 ----a-w C:\6.tmp
2009-04-14 23:40 . 2008-02-06 04:55 -------- d-----w c:\program files\Lavasoft
2009-04-14 09:49 . 2009-01-14 09:48 65024 --sha-w c:\windows\system32\gojidisi.exe
2009-04-14 09:48 . 2009-01-14 09:48 109568 --sha-w c:\windows\system32\yuhituka.dll
2009-04-14 09:48 . 2009-04-07 22:16 6363 ----a-w C:\aaw7boot.log
2009-04-12 18:48 . 2009-01-12 18:48 71168 --sha-w c:\windows\system32\venijija.dll
2009-04-12 18:48 . 2009-01-12 18:48 64000 --sha-w c:\windows\system32\karozeza.exe
2009-04-11 20:53 . 2004-08-04 01:07 14336 ----a-w c:\windows\system32\svchost.exe
2009-04-10 22:23 . 2004-08-04 01:07 213376 ----a-w c:\windows\system32\drivers\ndis.sys
2009-03-13 01:10 . 2009-03-13 00:41 -------- d-----w c:\documents and settings\David\Application Data\Red Alert 3
2009-03-03 01:50 . 2006-07-16 20:31 -------- d-----w c:\program files\World of Warcraft
2009-02-03 06:27 . 2009-02-03 06:27 107888 ----a-w c:\windows\system32\CmdLineExt.dll
2009-01-08 20:49 . 2006-07-10 06:47 18808 ----a-w c:\documents and settings\David\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2006-10-25 13:53 . 2006-10-25 13:53 18224 ----a-w c:\documents and settings\David\Application Data\GDIPFONTCACHEV1.DAT
2009-01-12 18:48 . 2009-01-12 18:48 71168 --sha-w c:\windows\system32\duhavevo.dll.tmp
2009-01-12 18:48 . 2009-01-12 18:48 71168 --sha-w c:\windows\system32\kejefuru.dll.tmp
2009-01-12 18:48 . 2009-01-12 18:48 71168 --sha-w c:\windows\system32\revulazo.dll.tmp
2009-01-07 17:25 . 2009-01-07 17:25 68608 --sha-w c:\windows\system32\vumehijo.dll.tmp
.

------- Sigcheck -------

[-] 2009-04-10 22:23 213376 3D748D850B1C17C357C54BBFD4835F27 c:\windows\system32\dllcache\ndis.sys
[-] 2009-04-10 22:23 213376 3D748D850B1C17C357C54BBFD4835F27 c:\windows\system32\drivers\ndis.sys
.
((((((((((((((((((((((((((((( SnapShot_2009-04-21_20.27.02 )))))))))))))))))))))))))))))))))))))))))
.
- 2004-08-04 01:07 . 2009-04-21 19:47 40394 c:\windows\system32\perfc009.dat
+ 2004-08-04 01:07 . 2009-04-21 23:10 40394 c:\windows\system32\perfc009.dat
- 2009-04-21 19:04 . 2009-04-21 20:14 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012009042120090422\index.dat
+ 2009-04-21 19:04 . 2009-04-21 21:01 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012009042120090422\index.dat
+ 2006-07-10 06:45 . 2009-04-21 23:28 81920 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2006-07-10 06:45 . 2009-04-21 20:23 81920 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2006-07-10 06:45 . 2009-04-21 23:28 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2006-07-10 06:45 . 2009-04-21 20:23 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2004-08-04 01:07 . 2009-04-21 23:10 312172 c:\windows\system32\perfh009.dat
- 2004-08-04 01:07 . 2009-04-21 19:47 312172 c:\windows\system32\perfh009.dat
- 2006-07-10 06:45 . 2009-04-21 20:23 344064 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2006-07-10 06:45 . 2009-04-21 23:28 344064 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A5AF42A3-94F3-42BD-F634-0604832C897D}]
2009-04-15 00:35 15000 ----a-w c:\windows\system32\yaubfh983ind.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY" [X]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-06-29 344064]
"Diamondback"="c:\program files\Razer\Diamondback\razerhid.exe" [2007-02-14 147456]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Diagnostic Manager"="c:\windows\TEMP\2435472286.exe" [BU]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\SharedTaskScheduler]
"{A5AF42A3-94F3-42BD-F634-0604832C897D}"= "c:\windows\system32\yaubfh983ind.dll" [2009-04-15 15000]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwprovau

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^David^Start Menu^Programs^Startup^DING!.lnk]
path=c:\documents and settings\David\Start Menu\Programs\Startup\DING!.lnk
backup=c:\windows\pss\DING!.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Bonjour Service"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-2.0.3.6299-to-2.0.5.6320-enUS-downloader.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Electronic Arts\\Red Alert 3\\RA3.exe"=
"c:\\Program Files\\Common Files\\Apple\\Mobile Device Support\\bin\\AppleMobileDeviceService.exe"=
"c:\\Program Files\\Razer\\Diamondback\\razerofa.exe"=

R3 Razerlow;Razerlow USB Filter Driver;c:\windows\system32\Drivers\Razerlow.sys [2005-04-25 13225]
R3 SMC80412;SMC 10/100 PC Card (SMC8041 V.2) Driver;c:\windows\system32\DRIVERS\SMC80412.sys [2003-01-20 20292]
S2 NETSPY_SERVICE;NETSPY Service;c:\windows\system32\netspy.exe [2006-09-09 380928]
S2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652]


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{65394e42-0fa0-11db-80c8-806d6172696f}]
\Shell\AutoRun\command - D:\mri.exe
.
Contents of the 'Scheduled Tasks' folder

2009-04-11 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 21:57]
.
.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\David\Application Data\Mozilla\Firefox\Profiles\4hfwgs5w.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.live.com/results.aspx?FORM=IEFM1&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig?referrer=theme_ign
FF - prefs.js: keyword.URL - hxxp://search.live.com/results.aspx?FORM=IEFM1&q=
FF - plugin: c:\documents and settings\David\Application Data\Mozilla\Firefox\Profiles\4hfwgs5w.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp07076007.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJPI150_06.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPOJI610.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPAdbESD.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdivx32.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npDivxPlayerPlugin.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npnul32.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npoctoshape.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\nppdf32.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npqtplugin.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npqtplugin2.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npqtplugin3.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npqtplugin4.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npqtplugin5.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npqtplugin6.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npqtplugin7.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Octoshape Streaming Services\David\octoprogram-L03-N00-U00-C00_0711200_000\npoctoshape.dll
FF - plugin: c:\program files\Unity\WebPlayer\loader\npUnity3D32.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-21 19:33
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-861567501-1284227242-725345543-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:ca,25,c6,f6,b5,49,fa,04,28,12,34,57,4c,7b,0e,c7,26,de,06,88,80,73,fe,
db,3a,8b,96,30,b5,63,77,86,66,3d,20,5c,68,8e,0c,49,98,ed,bf,1c,4b,60,50,cd,\
"??"=hex:5d,2e,bc,00,9b,07,bc,9c,34,34,87,88,c9,ab,ca,0d

[HKEY_USERS\S-1-5-21-861567501-1284227242-725345543-1003\Software\SecuROM\License information*]
"datasecu"=hex:e9,3a,82,b7,ae,ea,e6,51,6a,ee,8b,66,e1,69,1e,4a,54,c2,2b,67,c3,
25,6b,ea,51,4a,af,c4,c3,16,c7,b0,70,88,ed,6f,1d,b5,5c,08,51,ba,d6,db,a0,a7,\
"rkeysecu"=hex:f6,11,18,aa,f3,4c,10,08,43,5b,24,49,4b,21,7e,7d
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(680)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(3748)
c:\windows\system32\yaubfh983ind.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\WLTRYSVC.EXE
c:\windows\system32\BCMWLTRY.EXE
c:\windows\system32\ati2evxx.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\windows\system32\WLTRAY.EXE
c:\windows\system32\wscntfy.exe
c:\windows\system32\WgaTray.exe
c:\program files\Razer\Diamondback\razerofa.exe
.
**************************************************************************
.
Completion time: 2009-04-21 19:36 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-21 23:35
ComboFix2.txt 2009-04-21 20:29
ComboFix3.txt 2009-04-14 23:54

Pre-Run: 23,687,520,256 bytes free
Post-Run: 23,677,255,680 bytes free

284 --- E O F --- 2007-12-06 00:04

And now the HijackThis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:37:02 PM, on 4/21/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Razer\Diamondback\razerhid.exe
c:\windows\system32\netspy.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\WgaTray.exe
C:\Program Files\Razer\Diamondback\razerofa.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: C:\WINDOWS\system32\yaubfh983ind.dll - {A5AF42A3-94F3-42BD-F634-0604832C897D} - C:\WINDOWS\system32\yaubfh983ind.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [Diamondback] C:\Program Files\Razer\Diamondback\razerhid.exe
O4 - HKUS\S-1-5-18\..\Run: [Diagnostic Manager] C:\WINDOWS\TEMP\2435472286.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Diagnostic Manager] C:\WINDOWS\TEMP\2435472286.exe (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O22 - SharedTaskScheduler: as3iur98wajkef3wgf3 - {A5AF42A3-94F3-42BD-F634-0604832C897D} - C:\WINDOWS\system32\yaubfh983ind.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NETSPY Service (NETSPY_SERVICE) - Unknown owner - c:\windows\system32\netspy.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

--
End of file - 3875 bytes

#4 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:07:05 PM

Posted 21 April 2009 - 07:40 PM

Hello,

To be perfectly blunt... this is a real mess. :thumbup2: Your computer is compromised, which means all your passwords are known. You have more than one infection present, and it would be safer and more secure if you would just reformat the computer. If you decide to go on and clean it, I cannot in any way promise it will ever be secure again. :)

Please let me know what you want to do.

Regards,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Error reading poptart in Drive A: Delete kids y/n?

#5 teamocil

teamocil
  • Topic Starter

  • Members
  • 5 posts
  • Location:Florida, USA
  • Local time:08:05 PM

Posted 21 April 2009 - 07:50 PM

I bought the computer as-is from a friend, so I don't have a Windows disc. I'm not even sure it's a legit Windows install (I didn't pay much for it, so I don't know what to expect). If you think it's possible to clean, that'd be great, but if you think it's an exercise in futility, I'll yield to your expertise.

#6 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:07:05 PM

Posted 21 April 2009 - 08:13 PM

Well, as I said, we can clean it all we like, but it will never be secure. If you aren't sure about the legitimacy of the install, then it may be best to purchase one that you know is legal.

Regards,
tea

#7 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:07:05 PM

Posted 08 May 2009 - 01:28 AM

Since this issue appears resolved ... this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.