
Infected, but not sure by what!


This topic is locked
28 replies to this topic

#1 Jostlo

Jostlo

  • Members
  • 31 posts
  • OFFLINE
  • Local time:02:10 PM

Posted 23 April 2009 - 09:24 PM

I have tried several times over the past two days to remove what is affecting my computer. Some of the things I have noticed are: my Visual Basic opens up and wants to begin debugging, and I have used Malwarebytes to attempt removal but always have 3 items it can't get rid of. After restarting I can run Malwarebytes and find a number of infected files, registry keys and so forth. I have even seen spyfader pop in and out in the Task Manager; moreover, from what I have read on other boards this doesn't sound good. Can anyone help? Below are the results of running the DDS tool.

DDS (Ver_09-03-16.01) - NTFSx86
Run by XXXX at 21:48:46.45 on Thu 04/23/2009
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.510.155 [GMT -4:00]


============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\jgxxsfa.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ati2sgag.exe
C:\WINDOWS\system32\drivers\dcfssvc.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\KODAK\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\System32\svchost.exe
C:\oracle\product\10.2.0\db_1\bin\nmesrvc.exe
C:\oracle\product\10.2.0\db_1\bin\isqlplussvc.exe
C:\oracle\product\10.2.0\db_1\BIN\TNSLSNR.exe
C:\oracle\product\10.2.0\db_1\jdk\bin\java.exe
c:\oracle\product\10.2.0\db_1\bin\ORACLE.EXE
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\oracle\product\10.2.0\db_1\bin\oradim.exe
C:\oracle\product\10.2.0\db_1\perl\5.8.3\bin\MSWin32-x86-multi-thread\perl.exe
C:\oracle\product\10.2.0\db_1\jdk\bin\java.exe
C:\Documents and Settings\John\Desktop\dds.scr
C:\WINDOWS\system32\dwwin.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = localhost
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
mRun: [8585] C:\jgxxsfa.exe
dRun: [Windows Resurections] c:\windows\temp\vmh1wyqo.exe
dRun: [reader_s] c:\documents and settings\localservice\reader_s.exe
dRun: [Diagnostic Manager] c:\windows\temp\827296638.exe
dRun: [<NO NAME>] c:\windows\temp\vmh1wyqo.exe
StartupFolder: c:\documents and settings\john\start menu\programs\startup\PowerReg Scheduler V3.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\kodake~1.lnk - c:\program files\kodak\kodak easyshare software\bin\EasyShare.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\kodaks~1.lnk - c:\program files\kodak\kodak software updater\7288971\program\backWeb-7288971.exe
dPolicies-explorer: NoFolderOptions = 1 (0x1)
dPolicies-system: DisableRegistryTools = 1 (0x1)
IE: &Search
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - c:\program files\pokerstars\PokerStarsUpdate.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FA9B9510-9FCB-4ca0-818C-5D0987B47C4D} - c:\program files\pokerstars.net\PokerStarsUpdate.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
Trusted Zone: ameritrade.com
Trusted Zone: ameritrade.com\wwws
Trusted Zone: tdameritrade.com
Trusted Zone: yahoo.com\games
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - hxxp://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
AppInit_DLLs: qhenmx.dll c:\windows\system32\fiyifine.dll ,c:\progra~1\thunmail\testabd.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
LSA: Notification Packages = scecli c:\windows\system32\fiyifine.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\john\applic~1\mozilla\firefox\profiles\cb6vkanf.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - plugin: c:\documents and settings\john\application data\mozilla\firefox\profiles\cb6vkanf.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp071303000006.dll
FF - plugin: c:\progra~1\yahoo!\common\npyaxmpb.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava11.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava12.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava13.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava14.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava32.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJPI150_06.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPOJI610.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPAdbESD.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPMGWRAP.DLL
FF - plugin: c:\program files\mozilla firefox\plugins\npmozax.dll

============= SERVICES / DRIVERS ===============

R2 ias;Ias;c:\windows\system32\svchost.exe -k netsvcs [2004-8-12 14336]
S1 ethlvuno;ethlvuno;c:\windows\system32\drivers\ethlvuno.sys [2009-4-23 136224]
S2 A25C41688C4360B8;A25C41688C4360B8;\??\c:\documents and settings\john\a25c41688c4360b8\a25c41688c4360b8 --> c:\documents and settings\john\a25c41688c4360b8\A25C41688C4360B8 [?]

=============== Created Last 30 ================

2009-04-23 21:48 44,544 a------- C:\lsass.exe
2009-04-23 20:54 61,440 a------- c:\windows\system32\5B.tmp
2009-04-23 20:54 152,064 a------- c:\windows\system32\59.tmp
2009-04-23 20:54 124 a------- c:\windows\system32\58.tmp
2009-04-23 20:54 0 a------- C:\57.tmp
2009-04-23 20:54 0 a------- C:\56.tmp
2009-04-23 20:54 0 a------- C:\55.tmp
2009-04-23 20:54 0 a------- C:\53.tmp
2009-04-23 20:54 0 a------- C:\52.tmp
2009-04-23 20:54 0 a------- C:\4F.tmp
2009-04-23 20:52 38 a------- C:\4C.tmp
2009-04-23 20:52 0 a------- C:\49.tmp
2009-04-23 20:52 0 a------- C:\48.tmp
2009-04-23 20:52 38 a------- C:\47.tmp
2009-04-23 20:52 54,784 a------- C:\46.tmp
2009-04-23 19:58 61,440 a------- c:\windows\system32\AA.tmp
2009-04-23 19:58 136,224 a------- c:\windows\system32\drivers\ethlvuno.sys
2009-04-23 19:58 153,088 a------- c:\windows\system32\A8.tmp
2009-04-23 19:58 124 a------- c:\windows\system32\A7.tmp
2009-04-23 16:11 0 a------- C:\51.tmp
2009-04-23 16:11 0 a------- C:\50.tmp
2009-04-23 16:11 0 a------- C:\4E.tmp
2009-04-23 16:11 0 a------- C:\4D.tmp
2009-04-23 16:11 0 a------- C:\4B.tmp
2009-04-23 16:11 0 a------- C:\4A.tmp
2009-04-23 15:50 38 a------- C:\45.tmp
2009-04-23 15:50 0 a------- C:\44.tmp
2009-04-23 15:50 0 a------- C:\43.tmp
2009-04-23 15:50 38 a------- C:\42.tmp
2009-04-23 15:50 54,784 a------- C:\41.tmp
2009-04-23 15:50 21,504 a------- C:\40.tmp
2009-04-23 15:39 14,674 a------- c:\windows\system32\nmesrvc_core_2009_4_23_15_39_15.dmp
2009-04-23 04:42 0 a------- C:\3F.tmp
2009-04-23 04:42 0 a------- C:\3E.tmp
2009-04-23 04:42 0 a------- C:\3D.tmp
2009-04-23 04:42 0 a------- C:\3C.tmp
2009-04-23 04:42 0 a------- C:\3B.tmp
2009-04-23 04:42 0 a------- C:\3A.tmp
2009-04-22 22:21 0 a------- C:\39.tmp
2009-04-22 22:21 0 a------- C:\38.tmp
2009-04-22 22:21 0 a------- C:\37.tmp
2009-04-22 22:21 0 a------- C:\30.tmp
2009-04-22 22:21 0 a------- C:\2F.tmp
2009-04-22 22:21 0 a------- C:\2E.tmp
2009-04-22 22:17 38 a------- C:\2D.tmp
2009-04-22 22:17 0 a------- C:\2B.tmp
2009-04-22 22:17 0 a------- C:\2A.tmp
2009-04-22 22:17 38 a------- C:\28.tmp
2009-04-22 22:17 52,736 a------- C:\27.tmp
2009-04-22 22:17 21,504 a------- C:\2.tmp
2009-04-22 21:47 44 a------- c:\windows\system32\38.tmp
2009-04-22 21:47 0 a------- C:\36.tmp
2009-04-22 21:47 0 a------- C:\35.tmp
2009-04-22 21:47 0 a------- C:\34.tmp
2009-04-22 21:47 0 a------- C:\33.tmp
2009-04-22 21:47 0 a------- C:\32.tmp
2009-04-22 21:44 38 a------- C:\2C.tmp
2009-04-22 21:44 0 a------- C:\29.tmp
2009-04-22 21:44 0 a------- C:\26.tmp
2009-04-22 21:43 38 a------- C:\25.tmp
2009-04-22 21:43 52,736 a------- C:\10.tmp
2009-04-22 20:32 24,576 a------- c:\windows\TEMPIadHide3.dll
2009-04-22 20:30 0 a------- C:\24.tmp
2009-04-22 20:30 0 a------- C:\23.tmp
2009-04-22 20:30 0 a------- C:\22.tmp
2009-04-22 20:30 0 a------- C:\21.tmp
2009-04-22 20:30 0 a------- C:\20.tmp
2009-04-22 20:30 0 a------- C:\1F.tmp
2009-04-22 20:29 38 a------- C:\1E.tmp
2009-04-22 20:28 0 a------- C:\1D.tmp
2009-04-22 20:28 0 a------- C:\F.tmp
2009-04-22 20:28 38 a------- C:\C.tmp
2009-04-22 20:28 52,736 a------- C:\B.tmp
2009-04-22 18:13 44 a------- c:\windows\system32\1E.tmp
2009-04-22 18:13 0 a------- C:\1C.tmp
2009-04-22 18:13 0 a------- C:\1B.tmp
2009-04-22 18:13 0 a------- C:\19.tmp
2009-04-22 18:13 0 a------- C:\18.tmp
2009-04-22 18:13 0 a------- C:\17.tmp
2009-04-22 18:13 0 a------- C:\16.tmp
2009-04-22 18:10 38 a------- C:\E.tmp
2009-04-22 18:10 0 a------- C:\D.tmp
2009-04-22 18:10 0 a------- C:\A.tmp
2009-04-22 18:10 38 a------- C:\8.tmp
2009-04-22 18:10 52,736 a------- C:\7.tmp
2009-04-22 18:01 0 a------- C:\1A.tmp
2009-04-22 18:01 0 a------- C:\15.tmp
2009-04-22 18:01 0 a------- C:\14.tmp
2009-04-22 18:01 15,000 a------- c:\windows\system32\hsfiun3487dll
2009-04-22 18:00 0 a------- C:\13.tmp
2009-04-22 18:00 0 a------- C:\12.tmp
2009-04-22 18:00 0 a------- C:\11.tmp
2009-04-22 17:56 38 a------- C:\9.tmp
2009-04-22 17:56 0 a------- C:\6.tmp
2009-04-22 17:56 0 a------- C:\5.tmp
2009-04-22 17:56 38 a------- C:\4.tmp
2009-04-22 17:56 52,736 a------- C:\3.tmp
2009-04-22 16:36 <DIR> --d----- c:\windows\system32\3361
2009-04-22 16:35 <DIR> --d----- c:\windows\dhcp
2009-04-22 16:35 0 a------- c:\windows\system32\296.tmp
2009-04-22 16:35 <DIR> --dshr-- c:\program files\ThunMail
2009-04-22 16:35 44 a------- c:\windows\system32\291.tmp
2009-04-22 16:35 103,036 a------- c:\windows\system32\drivers\df878553.sys
2009-04-22 16:34 182,656 ac------ c:\windows\system32\dllcache\ndis.sys
2009-04-22 16:34 43,520 a------- C:\ptrf.exe
2009-04-22 16:33 578,560 ac------ c:\windows\system32\dllcache\user32.dll
2009-04-22 16:33 2 a------- C:\-2071803896
2009-04-22 16:33 30,720 a------- C:\cpjopaid.exe
2009-04-22 16:33 44,544 a------- C:\jgxxsfa.exe
2009-04-22 16:33 <DIR> --dsh--- c:\documents and settings\john\A25C41688C4360B8
2009-04-22 16:33 290,304 a------- C:\wcfgayg.exe
2009-04-22 16:33 15,000 a------- c:\windows\system32\hf873uwndf.dll
2009-04-22 16:33 69,632 a------- C:\tqpxlyy.exe
2009-04-22 03:00 <DIR> --d----- c:\windows\system32\KB905474
2009-04-19 22:37 284,160 -c------ c:\windows\system32\dllcache\pdh.dll
2009-04-19 22:37 401,408 -c------ c:\windows\system32\dllcache\rpcss.dll
2009-04-19 22:37 131,072 -c------ c:\windows\system32\dllcache\services.exe
2009-04-19 22:37 473,600 -c------ c:\windows\system32\dllcache\fastprox.dll
2009-04-19 22:37 248,320 -c------ c:\windows\system32\dllcache\wmiprvse.exe
2009-04-19 22:37 729,088 -c------ c:\windows\system32\dllcache\lsasrv.dll
2009-04-19 22:37 453,120 -c------ c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-19 22:37 714,752 -c------ c:\windows\system32\dllcache\ntdll.dll
2009-04-19 22:37 617,472 -c------ c:\windows\system32\dllcache\advapi32.dll
2009-04-19 22:36 2,560 -------- c:\windows\system32\xpsp4res.dll
2009-04-19 22:36 1,203,922 -c------ c:\windows\system32\dllcache\sysmain.sdb
2009-04-19 22:36 236,032 -c------ c:\windows\system32\dllcache\wordpad.exe

==================== Find3M ====================

2009-04-22 16:34 182,656 a------- c:\windows\system32\drivers\ndis.sys
2009-04-22 16:33 578,560 a------- c:\windows\system32\user32.DLL
2009-04-22 16:32 74,752 a--sh--- c:\windows\system32\wifowigu.exe
2009-04-06 15:32 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 15:32 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-03-06 10:22 284,160 a------- c:\windows\system32\pdh.dll
2009-03-02 20:18 826,368 a------- c:\windows\system32\wininet.dll
2009-02-20 14:09 78,336 a------- c:\windows\system32\ieencode.dll
2009-02-09 08:10 729,088 a------- c:\windows\system32\lsasrv.dll
2009-02-09 08:10 714,752 a------- c:\windows\system32\ntdll.dll
2009-02-09 08:10 617,472 a------- c:\windows\system32\advapi32.dll
2009-02-09 08:10 401,408 a------- c:\windows\system32\rpcss.dll
2009-02-09 07:13 1,846,784 a------- c:\windows\system32\win32k.sys
2009-02-06 07:11 110,592 a------- c:\windows\system32\services.exe
2009-02-06 07:06 2,145,280 a------- c:\windows\system32\ntoskrnl.exe
2009-02-06 06:39 55,808 a------- c:\windows\system32\sc.exe
2009-02-06 06:32 2,023,936 a------- c:\windows\system32\ntkrnlpa.exe
2009-02-03 15:59 56,832 a------- c:\windows\system32\secur32.dll
2007-12-04 15:41 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012007120420071205\index.dat
2007-12-05 17:25 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012007120520071206\index.dat
2007-12-06 21:11 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012007120620071207\index.dat
2007-12-07 19:33 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012007120720071208\index.dat
2007-12-10 19:19 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012007121020071211\index.dat
2007-12-11 17:41 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012007121120071212\index.dat
2007-12-12 19:27 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012007121220071213\index.dat
2007-12-13 18:38 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012007121320071214\index.dat
2007-12-14 19:26 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012007121420071215\index.dat
2007-12-17 16:44 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012007121720071218\index.dat
2007-12-18 19:00 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012007121820071219\index.dat
2007-12-19 17:50 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012007121920071220\index.dat
2008-01-04 17:28 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008010420080105\index.dat
2008-01-06 23:41 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008010620080107\index.dat
2008-01-07 17:36 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008010720080108\index.dat
2008-01-11 22:10 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008011120080112\index.dat
2008-01-14 16:50 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008011420080115\index.dat
2008-01-16 22:21 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008011620080117\index.dat
2008-01-17 16:32 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008011720080118\index.dat
2008-01-21 20:43 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008012120080122\index.dat
2008-01-22 18:24 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008012220080123\index.dat
2008-01-23 16:36 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008012320080124\index.dat
2008-01-24 20:26 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008012420080125\index.dat
2008-01-25 18:57 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008012520080126\index.dat
2008-01-28 15:34 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008012820080129\index.dat
2008-01-29 18:04 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008012920080130\index.dat
2008-01-30 20:52 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008013020080131\index.dat
2008-01-31 18:38 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008013120080201\index.dat
2008-02-02 00:41 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008020120080202\index.dat
2008-02-04 19:18 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008020420080205\index.dat
2008-02-05 17:27 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008020520080206\index.dat
2008-02-08 19:17 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008020820080209\index.dat
2008-02-19 21:11 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008021920080220\index.dat
2008-02-20 19:23 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008022020080221\index.dat
2008-02-21 18:56 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008022120080222\index.dat
2008-02-22 17:15 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008022220080223\index.dat
2008-02-25 17:45 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008022520080226\index.dat
2008-02-27 19:45 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008022720080228\index.dat
2008-03-03 17:31 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008030320080304\index.dat
2008-03-04 19:48 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008030420080305\index.dat
2008-03-06 17:59 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008030620080307\index.dat
2008-03-17 09:50 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008031720080318\index.dat
2008-03-18 17:51 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008031820080319\index.dat
2008-03-19 16:22 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008031920080320\index.dat
2008-04-04 19:20 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008040420080405\index.dat
2008-04-11 17:21 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008041120080412\index.dat
2008-03-05 06:04 32,768 a--sh--- c:\windows\temp\history\history.ie5\mshist012008030520080306\index.dat

============= FINISH: 21:50:55.76 ===============
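The DDS listings above are the raw material a helper triages by eye. As an added example (not part of this thread, and not the DDS tool or anything the helpers posted), here is a small Python parser for the "Created Last 30" / "Find3M" line format that applies the checks an analyst would run first: executables dropped in the drive root or a temp directory, a file named lsass.exe outside system32, hidden+system attributes on executables or directories, and core OS files whose timestamp falls in the same few minutes as a batch of droppers (the pattern behind the later "file patching virus" warning). The CORE_OS_FILES set, the 5-minute window and the rules themselves are assumptions chosen for illustration; the sample lines are copied from the listing in post #1.

```python
"""Triage of DDS 'Created Last 30' / 'Find3M' file listings.

Added example for this thread; it is neither the DDS tool nor anything the
BleepingComputer helpers posted. The CORE_OS_FILES set, the 5-minute cluster
window and the flagging rules are assumptions chosen for illustration.
"""
import re
from datetime import datetime, timedelta

# One DDS file line: "YYYY-MM-DD HH:MM size attrs path"; size has thousands
# separators or is the literal <DIR>, attrs is an 8-character flag field.
LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}) "
    r"(?P<size>[\d,]+|<DIR>) (?P<attrs>[a-z-]{8}) (?P<path>.+)$"
)

# Files that normally change only during a Windows update (assumed list).
CORE_OS_FILES = {"user32.dll", "ndis.sys", "ntdll.dll", "ntoskrnl.exe", "lsasrv.dll"}
EXEC_EXT = (".exe", ".dll", ".sys", ".scr")

# Constructed sample: lines copied from the DDS listing in post #1.
SAMPLE = r"""
2009-04-23 21:48 44,544 a------- C:\lsass.exe
2009-04-22 16:35 <DIR> --dshr-- c:\program files\ThunMail
2009-04-22 16:34 182,656 a------- c:\windows\system32\drivers\ndis.sys
2009-04-22 16:33 578,560 a------- c:\windows\system32\user32.DLL
2009-04-22 16:33 44,544 a------- C:\jgxxsfa.exe
2009-04-22 16:32 74,752 a--sh--- c:\windows\system32\wifowigu.exe
2009-04-19 22:37 714,752 -c------ c:\windows\system32\dllcache\ntdll.dll
2009-04-06 15:32 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-02-09 08:10 714,752 a------- c:\windows\system32\ntdll.dll
"""


def parse(line):
    """Parse one DDS listing line into a dict, or return None for other text."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    size = None if m["size"] == "<DIR>" else int(m["size"].replace(",", ""))
    return {
        "when": datetime.strptime(f"{m['date']} {m['time']}", "%Y-%m-%d %H:%M"),
        "size": size,          # None marks a directory
        "attrs": m["attrs"],
        "path": m["path"].lower(),
    }


def flag(entry):
    """Reasons a single entry deserves a look (empty list means none)."""
    path = entry["path"]
    parent, name = path.rsplit("\\", 1)
    is_exec = name.endswith(EXEC_EXT)
    is_dir = entry["size"] is None
    reasons = []
    if is_exec and parent == "c:":
        reasons.append("executable dropped in drive root")
    if name == "lsass.exe" and parent != r"c:\windows\system32":
        reasons.append("lsass.exe outside system32 (process-name masquerade)")
    if "s" in entry["attrs"] and "h" in entry["attrs"] and (is_exec or is_dir):
        reasons.append("hidden+system attributes")
    if "\\temp\\" in path and is_exec:
        reasons.append("executable in a temp directory")
    return reasons


def triage(lines, window=timedelta(minutes=5)):
    """Map path -> reasons for every flagged entry.

    After the per-entry rules, core OS files whose timestamp falls within
    `window` of an already-flagged entry are reported as well: a system DLL
    rewritten in the same minute as a batch of droppers is a patching indicator.
    """
    entries = [e for e in map(parse, lines) if e]
    hits = {e["path"]: flag(e) for e in entries}
    drop_times = [e["when"] for e in entries if hits[e["path"]]]
    tag = "core OS file modified alongside droppers"
    for e in entries:
        name = e["path"].rsplit("\\", 1)[-1]
        if name in CORE_OS_FILES and "dllcache" not in e["path"]:
            near_drop = any(abs(e["when"] - t) <= window for t in drop_times)
            if near_drop and tag not in hits[e["path"]]:
                hits[e["path"]].append(tag)
    return {p: r for p, r in hits.items() if r}


if __name__ == "__main__":
    for path, reasons in sorted(triage(SAMPLE.splitlines()).items()):
        print(f"{path}\n    " + "\n    ".join(reasons))
```

Run against the sample, the parser flags the root-level droppers and the hidden ThunMail directory, and separately reports user32.dll and ndis.sys because they were rewritten within a minute of those drops; the dllcache copies and the February ntdll.dll are left alone. The timestamp-cluster rule is the one worth keeping even when the naming rules get stale, since a legitimate Windows update rewrites many system files at once but does not drop executables in C:\ at the same time.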



#2 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:01:10 PM

Posted 24 April 2009 - 11:05 AM

Hello! :thumbup2:
My name is Sam and I will be helping you.


Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
  • Double-click the drweb-cureit.exe file and allow it to run the express scan.
  • This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, in the menu click File and choose Save report list.
  • Save the report to your desktop. The report will be called DrWeb.csv
  • Close Dr.Web Cureit.
Please post the contents of the log from DrWeb and a new DDS log in your next reply.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#3 Jostlo

Jostlo
  • Topic Starter

  • Members
  • 31 posts
  • OFFLINE
  • Local time:02:10 PM

Posted 24 April 2009 - 06:44 PM

Sam,

I have been unable to gain access to the website/FTP site you provided. In fact, the Malwarebytes I was running is a year old, so I tried to update it and it always fails. Whatever has infected me is nasty. Any other suggestions? Thanks in advance.

Jostlo

#4 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:01:10 PM

Posted 25 April 2009 - 08:22 AM

Ok, let's see if we can chip away at it enough to get the right tools for the job.

Please download the OTMoveIt3 by OldTimer.
  • Save it to your desktop.
  • Please click OTMoveIt3 and then click >> run.
  • Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    :processes
    explorer.exe
    
    :Files
    c:\windows\system32\*.tmp
    C:\*.tmp
    C:\lsass.exe
    c:\windows\system32\drivers\ethlvuno.sys
    c:\windows\system32\hsfiun3487dll
    c:\program files\ThunMail
    C:\ptrf.exe
    C:\cpjopaid.exe
    C:\jgxxsfa.exe
    c:\documents and settings\john\A25C41688C4360B8
    C:\wcfgayg.exe
    c:\windows\system32\hf873uwndf.dll
    C:\tqpxlyy.exe
    
    :services
    ethlvuno
    A25C41688C4360B8
    
    :Commands
    [EmptyTemp]
    [start explorer]
    [Reboot]
  • Return to OTMoveIt3, right click in the "Paste Instructions for items to be Moved" window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt3
Note: If an item cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.


=================




Please download ComboFix from one of these locations:

Link 1
Link 2
Link 3

Important!
You should NOT use ComboFix unless you have been instructed to do so by a Malware Removal Expert.
It is intended by its creator to be used under the guidance and supervision of a Malware Removal Expert, not for private use.
Using this tool incorrectly could lead to disastrous problems with your operating system, such as preventing it from ever starting again.



Make sure that you save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.




Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#5 Jostlo

Jostlo
  • Topic Starter

  • Members
  • 31 posts
  • OFFLINE
  • Local time:02:10 PM

Posted 25 April 2009 - 09:49 AM

Sam,

This thing is a battle; thanks for the help and for sticking with me. Here is what I have: while running OTMoveIt3.exe a pop-up came open with this text: "Bad Image: the application or DLL c:\windows\system32\hf873uwndf.dll is not a valid Windows image. Please check this against your installation diskette." It then asked me to reboot, so I did. I then downloaded ComboFix from link 1 and ran it, but received this message: "Alert: It is not safe to continue. The contents of the ComboFix package has been compromised. Please download a fresh copy from http://www.bleepingcomputer.com/combofix/how-to-use-combofi
Note: You may be infected with a file patching virus (Virut)"
Below is the log from OldTimer's tool:

========== PROCESSES ==========
Process explorer.exe killed successfully.
========== FILES ==========
c:\windows\system32\1E.tmp moved successfully.
c:\windows\system32\291.tmp moved successfully.
c:\windows\system32\296.tmp moved successfully.
c:\windows\system32\38.tmp moved successfully.
c:\windows\system32\5.tmp moved successfully.
c:\windows\system32\58.tmp moved successfully.
c:\windows\system32\59.tmp moved successfully.
c:\windows\system32\5B.tmp moved successfully.
c:\windows\system32\6.tmp moved successfully.
c:\windows\system32\8.tmp moved successfully.
c:\windows\system32\A7.tmp moved successfully.
c:\windows\system32\A8.tmp moved successfully.
c:\windows\system32\AA.tmp moved successfully.
c:\windows\system32\CONFIG.TMP moved successfully.
c:\windows\system32\SET1187.tmp moved successfully.
c:\windows\system32\SET118C.tmp moved successfully.
c:\windows\system32\SET1193.tmp moved successfully.
c:\windows\system32\SET11A0.tmp moved successfully.
c:\windows\system32\SETB12.tmp moved successfully.
C:\10.tmp moved successfully.
C:\11.tmp moved successfully.
C:\12.tmp moved successfully.
C:\13.tmp moved successfully.
C:\14.tmp moved successfully.
C:\15.tmp moved successfully.
C:\16.tmp moved successfully.
C:\17.tmp moved successfully.
C:\18.tmp moved successfully.
C:\19.tmp moved successfully.
C:\1A.tmp moved successfully.
C:\1B.tmp moved successfully.
C:\1C.tmp moved successfully.
C:\1D.tmp moved successfully.
C:\1E.tmp moved successfully.
C:\1F.tmp moved successfully.
C:\2.tmp moved successfully.
C:\20.tmp moved successfully.
C:\21.tmp moved successfully.
C:\22.tmp moved successfully.
C:\23.tmp moved successfully.
C:\24.tmp moved successfully.
C:\25.tmp moved successfully.
C:\26.tmp moved successfully.
C:\27.tmp moved successfully.
C:\28.tmp moved successfully.
C:\29.tmp moved successfully.
C:\2A.tmp moved successfully.
C:\2B.tmp moved successfully.
C:\2C.tmp moved successfully.
C:\2D.tmp moved successfully.
C:\2E.tmp moved successfully.
C:\2F.tmp moved successfully.
C:\3.tmp moved successfully.
C:\30.tmp moved successfully.
C:\31.tmp moved successfully.
C:\32.tmp moved successfully.
C:\33.tmp moved successfully.
C:\34.tmp moved successfully.
C:\35.tmp moved successfully.
C:\36.tmp moved successfully.
C:\37.tmp moved successfully.
C:\38.tmp moved successfully.
C:\39.tmp moved successfully.
C:\3A.tmp moved successfully.
C:\3B.tmp moved successfully.
C:\3C.tmp moved successfully.
C:\3D.tmp moved successfully.
C:\3E.tmp moved successfully.
C:\3F.tmp moved successfully.
C:\4.tmp moved successfully.
C:\40.tmp moved successfully.
C:\41.tmp moved successfully.
C:\42.tmp moved successfully.
C:\43.tmp moved successfully.
C:\44.tmp moved successfully.
C:\45.tmp moved successfully.
C:\46.tmp moved successfully.
C:\47.tmp moved successfully.
C:\48.tmp moved successfully.
C:\49.tmp moved successfully.
C:\4A.tmp moved successfully.
C:\4B.tmp moved successfully.
C:\4C.tmp moved successfully.
C:\4D.tmp moved successfully.
C:\4E.tmp moved successfully.
C:\4F.tmp moved successfully.
C:\5.tmp moved successfully.
C:\50.tmp moved successfully.
C:\51.tmp moved successfully.
C:\52.tmp moved successfully.
C:\53.tmp moved successfully.
C:\54.tmp moved successfully.
C:\55.tmp moved successfully.
C:\56.tmp moved successfully.
C:\57.tmp moved successfully.
C:\58.tmp moved successfully.
C:\59.tmp moved successfully.
C:\5A.tmp moved successfully.
C:\5B.tmp moved successfully.
C:\6.tmp moved successfully.
C:\60.tmp moved successfully.
C:\61.tmp moved successfully.
C:\62.tmp moved successfully.
C:\63.tmp moved successfully.
C:\64.tmp moved successfully.
C:\65.tmp moved successfully.
C:\66.tmp moved successfully.
C:\67.tmp moved successfully.
C:\68.tmp moved successfully.
C:\69.tmp moved successfully.
C:\6A.tmp moved successfully.
C:\6B.tmp moved successfully.
C:\6C.tmp moved successfully.
C:\6D.tmp moved successfully.
C:\6E.tmp moved successfully.
C:\6F.tmp moved successfully.
C:\7.tmp moved successfully.
C:\70.tmp moved successfully.
C:\71.tmp moved successfully.
C:\8.tmp moved successfully.
C:\9.tmp moved successfully.
C:\A.tmp moved successfully.
C:\B.tmp moved successfully.
C:\C.tmp moved successfully.
C:\D.tmp moved successfully.
C:\E.tmp moved successfully.
C:\F.tmp moved successfully.
C:\lsass.exe moved successfully.
c:\windows\system32\drivers\ethlvuno.sys moved successfully.
c:\windows\system32\hsfiun3487dll moved successfully.
c:\program files\ThunMail moved successfully.
C:\ptrf.exe moved successfully.
C:\cpjopaid.exe moved successfully.
C:\jgxxsfa.exe moved successfully.
c:\documents and settings\john\A25C41688C4360B8 moved successfully.
C:\wcfgayg.exe moved successfully.
LoadLibrary failed for c:\windows\system32\hf873uwndf.dll
c:\windows\system32\hf873uwndf.dll NOT unregistered.
c:\windows\system32\hf873uwndf.dll moved successfully.
C:\tqpxlyy.exe moved successfully.
========== SERVICES/DRIVERS ==========

Service\Driver ethlvuno deleted successfully.

Service\Driver A25C41688C4360B8 deleted successfully.
========== COMMANDS ==========
File delete failed. C:\DOCUME~1\John\LOCALS~1\Temp\etilqs_pSJxsut7UCzrxvbfHbhV scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\John\LOCALS~1\Temp\me_8CD7QRuURITmUfa scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\John\LOCALS~1\Temp\me_h7oSDZ2OSXLPsqk scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\John\LOCALS~1\Temp\me_mUNTnz scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\John\LOCALS~1\Temp\me_OVgtNcmcd3vhhdK scheduled to be deleted on reboot.
User's Temp folder emptied.
User's Internet Explorer cache folder emptied.
File delete failed. C:\Documents and Settings\John\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
User's Temporary Internet Files folder emptied.
Local Service Temp folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
Local Service Temporary Internet Files folder emptied.
Network Service Temp folder emptied.
File delete failed. C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
Network Service Temporary Internet Files folder emptied.
File delete failed. C:\WINDOWS\temp\hsperfdata_SYSTEM\2716 scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\hsperfdata_SYSTEM\3076 scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\AcrCD6D.tmp scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\mpj87567.dll scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\mta73639.dll scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_1614.dat scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\SPLB2.tmp scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\SPLB3.tmp scheduled to be deleted on reboot.
Windows Temp folder emptied.
Java cache emptied.
File delete failed. C:\Documents and Settings\John\Local Settings\Application Data\Mozilla\Firefox\Profiles\cb6vkanf.default\Cache\_CACHE_001_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\John\Local Settings\Application Data\Mozilla\Firefox\Profiles\cb6vkanf.default\Cache\_CACHE_002_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\John\Local Settings\Application Data\Mozilla\Firefox\Profiles\cb6vkanf.default\Cache\_CACHE_003_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\John\Local Settings\Application Data\Mozilla\Firefox\Profiles\cb6vkanf.default\Cache\_CACHE_MAP_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\John\Local Settings\Application Data\Mozilla\Firefox\Profiles\cb6vkanf.default\urlclassifier3.sqlite scheduled to be deleted on reboot.
FireFox cache emptied.
Temp folders emptied.
Explorer started successfully

OTMoveIt3 by OldTimer - Version 1.0.11.0 log created on 04252009_094619

Files moved on Reboot...
File C:\DOCUME~1\John\LOCALS~1\Temp\etilqs_pSJxsut7UCzrxvbfHbhV not found!
File C:\DOCUME~1\John\LOCALS~1\Temp\me_8CD7QRuURITmUfa not found!
File C:\DOCUME~1\John\LOCALS~1\Temp\me_h7oSDZ2OSXLPsqk not found!
File C:\DOCUME~1\John\LOCALS~1\Temp\me_mUNTnz not found!
File C:\DOCUME~1\John\LOCALS~1\Temp\me_OVgtNcmcd3vhhdK not found!
File C:\WINDOWS\temp\hsperfdata_SYSTEM\2716 not found!
File C:\WINDOWS\temp\hsperfdata_SYSTEM\3076 not found!
C:\WINDOWS\temp\AcrCD6D.tmp moved successfully.
C:\WINDOWS\temp\mpj87567.dll unregistered successfully.
C:\WINDOWS\temp\mpj87567.dll moved successfully.
C:\WINDOWS\temp\mta73639.dll unregistered successfully.
C:\WINDOWS\temp\mta73639.dll moved successfully.
C:\WINDOWS\temp\Perflib_Perfdata_1614.dat moved successfully.
File C:\WINDOWS\temp\SPLB2.tmp not found!
File C:\WINDOWS\temp\SPLB3.tmp not found!
C:\Documents and Settings\John\Local Settings\Application Data\Mozilla\Firefox\Profiles\cb6vkanf.default\Cache\_CACHE_001_ moved successfully.
C:\Documents and Settings\John\Local Settings\Application Data\Mozilla\Firefox\Profiles\cb6vkanf.default\Cache\_CACHE_002_ moved successfully.
C:\Documents and Settings\John\Local Settings\Application Data\Mozilla\Firefox\Profiles\cb6vkanf.default\Cache\_CACHE_003_ moved successfully.
C:\Documents and Settings\John\Local Settings\Application Data\Mozilla\Firefox\Profiles\cb6vkanf.default\Cache\_CACHE_MAP_ moved successfully.
C:\Documents and Settings\John\Local Settings\Application Data\Mozilla\Firefox\Profiles\cb6vkanf.default\urlclassifier3.sqlite moved successfully.



Should I try another one of the ComboFix links from your last reply?

Again, thanks so much, Sam.


John

#6 Jostlo
  • Topic Starter

Posted 25 April 2009 - 12:16 PM

Sam,

Well, I did try to download from the other links and it will not allow me to do so. The response I get is that it is not a valid Win32 application.

John

#7 Buckeye_Sam
    Malware Expert

Posted 25 April 2009 - 04:08 PM

Let's try it a different way to sneak past the malware that's blocking it.

Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop.

Link 1
Link 2
Link 3


Double click on Combo-Fix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt so we can continue cleaning the system.

If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#8 Jostlo
  • Topic Starter

Posted 25 April 2009 - 09:26 PM

Sam,

I've tried all 3 links with various names; they are still being blocked from downloading. This is a nasty one.


John

#9 Jostlo
  • Topic Starter

Posted 25 April 2009 - 09:43 PM

Sam,

One more thing: I tried opening the file under a different program. I realize I should not have done that. I chose Firefox, which of course didn't work. What application do I use?

John

Edited by Jostlo, 25 April 2009 - 09:47 PM.


#10 Buckeye_Sam
    Malware Expert

Posted 26 April 2009 - 10:29 AM

Sam,

One more thing: I tried opening the file under a different program. I realize I should not have done that. I chose Firefox, which of course didn't work. What application do I use?

John


You don't want to open it with any application. It's a stand-alone tool that will run when you double-click on it, but only once it's been saved to your desktop. If you can't get to that point, then we'll have to work around it for now.


Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back here in your next reply.


#11 Jostlo
  • Topic Starter

Posted 26 April 2009 - 11:52 AM

Sam,

Thanks for having patience with me. I downloaded SDFix to my desktop but it will not allow me to open it up; it states that it is not a valid Win32 application. When I rebooted in Safe Mode and tried this I also got the following message: "A drive attached to the system is not functioning." Since I tried opening the one file in Firefox, all the icons I download look like an Explorer window and not like the application icon, as OTMoveIt3 had. Have I done something to not allow the downloads to function properly, or is this probably due to my infection? I wish I had more to offer in determining my problem. Again, thanks for your assistance; it is greatly appreciated.

John

#12 Buckeye_Sam
    Malware Expert

Posted 27 April 2009 - 03:26 PM

Let's stick with what we know to be working right now. Please post a new log from DDS.

And then let's see if we can get a look at another log. Not going to hold my breath that this one will work either, but let's find out.

Download GMER from here:
  • Unzip it to the desktop.
  • Open the program and click on the Rootkit tab.
  • Make sure all the boxes on the right of the screen are checked, EXCEPT for ‘Show All’.
  • Click on Scan.
  • When the scan has run click Copy and paste the results (if any) into this thread.


#13 Jostlo
  • Topic Starter

Posted 27 April 2009 - 04:33 PM

Sam,

Here are the current files, thanks for the help.


DDS (Ver_09-03-16.01) - NTFSx86
Run by John at 17:13:11.06 on Mon 04/27/2009
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.510.29 [GMT -4:00]


============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\drivers\dcfssvc.exe
C:\WINDOWS\dhcp\svchost.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\oracle\product\10.2.0\db_1\bin\nmesrvc.exe
C:\oracle\product\10.2.0\db_1\bin\isqlplussvc.exe
C:\oracle\product\10.2.0\db_1\BIN\TNSLSNR.exe
C:\oracle\product\10.2.0\db_1\jdk\bin\java.exe
c:\oracle\product\10.2.0\db_1\bin\ORACLE.EXE
C:\WINDOWS\system32\sopidkc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\oracle\product\10.2.0\db_1\perl\5.8.3\bin\MSWin32-x86-multi-thread\perl.exe
C:\oracle\product\10.2.0\db_1\jdk\bin\java.exe
C:\oracle\product\10.2.0\db_1\bin\emagent.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\3361\SVCHOST.exe -sysrun
C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\KODAK\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\rundll32.exe
C:\jgxxsfa.exe
C:\Documents and Settings\John\Desktop\dds.scr
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============


As for downloading GMER, it will not load to my desktop. Nor can I download the randomly named .exe files. I have entertained thoughts of re-formatting my hard drive, but I do not possess recovery disks, so if I cannot resolve this I do not know what I will do. Perhaps go offline for good!


John


#14 Buckeye_Sam
    Malware Expert

Posted 27 April 2009 - 05:45 PM

It was a long shot that GMER would work. This thing has got you locked up tight.

The DDS log is incomplete. Can you post the entire log?
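
Added example, not from this thread and not part of DDS or any tool Sam recommends: a small Python triage script that parses the Pseudo HJT Report lines a full DDS log contains (the section reposted further down the thread) and flags the kinds of autorun entries a helper reads first. The sample input is constructed from that report; the rule set, thresholds and every function name are this example's own assumptions.

```python
"""Triage the 'Pseudo HJT Report' section of a DDS log.

Added example for this thread; it is not part of DDS, OTMoveIt or any other
tool mentioned here. A few explainable rules are applied to the autorun lines
DDS prints:
  * Run/RunOnce entries that execute from a temp folder, from the root of a
    drive, from the root of a user profile, or that reuse a core system binary
    name (svchost.exe, lsass.exe, ...) outside the Windows directory
  * a Winlogon Userinit value that chains anything besides userinit.exe
  * LSA Notification Packages beyond the stock 'scecli'
  * policies that disable Registry tools or hide Folder Options
"""
import re
from typing import Dict, List

# Constructed sample: a subset of the report lines posted in this thread,
# embedded so the script runs offline.
SAMPLE_LOG = r"""
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\windows\system32\ntos.exe,
mRun: [6973] C:\jgxxsfa.exe
mRunOnce: [svchost.exe] "c:\windows\system32\3361\SVCHOST.exe"
dRun: [Windows Resurections] c:\windows\temp\ta24go77gw.exe
dRun: [reader_s] c:\documents and settings\localservice\reader_s.exe
dRun: [svc] c:\program files\thunmail\testabd.exe
uPolicies-system: DisableRegistryTools = 1 (0x1)
LSA: Notification Packages = scecli c:\windows\system32\fiyifine.dll
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
"""

RUN_LINE = re.compile(r"^[umd]Run(?:Once)?: \[[^\]]*\] (.+)$", re.IGNORECASE)
USERINIT = re.compile(r"^mWinlogon: Userinit=(.+)$", re.IGNORECASE)
LSA_PKGS = re.compile(r"^LSA: Notification Packages = (.+)$", re.IGNORECASE)
POLICY = re.compile(r"^[ud]Policies-\w+: (\w+) = 1\b", re.IGNORECASE)
# First executable-looking path on a Run line, quoted or not.
EXE_PATH = re.compile(r'^"?([a-z]:\\.*?\.(?:exe|dll|scr|bat|com))', re.IGNORECASE)

LOCKDOWN_POLICIES = {"disableregistrytools", "nofolderoptions", "disabletaskmgr"}
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe",
                "services.exe", "userinit.exe", "explorer.exe"}
SYSTEM_DIRS = (r"\windows\system32", r"\windows\syswow64", r"\windows")


def odd_location(path: str) -> str:
    """Return why an autorun path looks out of place, or '' if it does not."""
    parent, _, name = path.rpartition("\\")
    if "\\temp\\" in path or "\\tmp\\" in path:
        return "runs from a temp folder"
    if re.fullmatch(r"[a-z]:", parent):
        return "runs from the root of a drive"
    if re.fullmatch(r"[a-z]:\\documents and settings\\[^\\]+", parent):
        return "runs from the root of a user profile"
    if name in SYSTEM_NAMES and not any(parent.endswith(d) for d in SYSTEM_DIRS):
        return f"reuses the system binary name {name} outside the Windows directory"
    return ""


def triage(log_text: str) -> List[Dict[str, str]]:
    """Apply the rules to every line of the report; one finding per hit."""
    findings: List[Dict[str, str]] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := USERINIT.match(line):
            chain = [p.strip().lower() for p in m.group(1).split(",") if p.strip()]
            extras = [p for p in chain if not p.endswith("\\userinit.exe")]
            if extras:
                findings.append({"rule": "userinit-chain", "line": line,
                                 "detail": "also launches " + ", ".join(extras)})
        elif m := RUN_LINE.match(line):
            found = EXE_PATH.match(m.group(1).strip())
            reason = odd_location(found.group(1).lower()) if found else "no parsable path"
            if reason:
                findings.append({"rule": "autorun-location", "line": line, "detail": reason})
        elif m := LSA_PKGS.match(line):
            # Packages are whitespace separated; a path containing spaces would
            # be split, which is still enough to see that scecli is not alone.
            extras = [p for p in m.group(1).split() if p.lower() != "scecli"]
            if extras:
                findings.append({"rule": "lsa-notification-package", "line": line,
                                 "detail": "extra package(s): " + ", ".join(extras)})
        elif m := POLICY.match(line):
            if m.group(1).lower() in LOCKDOWN_POLICIES:
                findings.append({"rule": "lockdown-policy", "line": line,
                                 "detail": f"{m.group(1)} is set"})
    return findings


if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG):
        print(f"[{hit['rule']}] {hit['detail']}\n    {hit['line']}")
```

The rules are deliberately simple: the entry under Program Files (the thunmail one) passes them, so the output is a reading aid for a human, not a verdict.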

#15 Jostlo
  • Topic Starter

Posted 27 April 2009 - 06:38 PM

Sorry about that, Sam, here it is:



DDS (Ver_09-03-16.01) - NTFSx86
Run by John at 17:13:11.06 on Mon 04/27/2009
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.510.29 [GMT -4:00]


============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\drivers\dcfssvc.exe
C:\WINDOWS\dhcp\svchost.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\oracle\product\10.2.0\db_1\bin\nmesrvc.exe
C:\oracle\product\10.2.0\db_1\bin\isqlplussvc.exe
C:\oracle\product\10.2.0\db_1\BIN\TNSLSNR.exe
C:\oracle\product\10.2.0\db_1\jdk\bin\java.exe
c:\oracle\product\10.2.0\db_1\bin\ORACLE.EXE
C:\WINDOWS\system32\sopidkc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\oracle\product\10.2.0\db_1\perl\5.8.3\bin\MSWin32-x86-multi-thread\perl.exe
C:\oracle\product\10.2.0\db_1\jdk\bin\java.exe
C:\oracle\product\10.2.0\db_1\bin\emagent.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\3361\SVCHOST.exe -sysrun
C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\KODAK\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\rundll32.exe
C:\jgxxsfa.exe
C:\Documents and Settings\John\Desktop\dds.scr
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = localhost
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\windows\system32\ntos.exe,
BHO: c:\windows\system32\kjsdiowq8oikf.dll: {b2ba40a2-74f0-42bd-f434-12345a2c8953} - c:\windows\system32\kjsdiowq8oikf.dll
mRun: [6973] C:\jgxxsfa.exe
mRunOnce: [svchost.exe] "c:\windows\system32\3361\SVCHOST.exe"
dRun: [Windows Resurections] c:\windows\temp\ta24go77gw.exe
dRun: [reader_s] c:\documents and settings\localservice\reader_s.exe
dRun: [Diagnostic Manager] c:\windows\temp\2379873336.exe
dRun: [<NO NAME>] c:\windows\temp\ta24go77gw.exe
dRun: [svc] c:\program files\thunmail\testabd.exe
StartupFolder: c:\documents and settings\john\start menu\programs\startup\PowerReg Scheduler V3.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\kodake~1.lnk - c:\program files\kodak\kodak easyshare software\bin\EasyShare.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\kodaks~1.lnk - c:\program files\kodak\kodak software updater\7288971\program\backWeb-7288971.exe
uPolicies-explorer: NoFolderOptions = 1 (0x1)
uPolicies-system: DisableRegistryTools = 1 (0x1)
dPolicies-explorer: NoFolderOptions = 1 (0x1)
dPolicies-system: DisableRegistryTools = 1 (0x1)
IE: &Search
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - c:\program files\pokerstars\PokerStarsUpdate.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FA9B9510-9FCB-4ca0-818C-5D0987B47C4D} - c:\program files\pokerstars.net\PokerStarsUpdate.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
Trusted Zone: ameritrade.com
Trusted Zone: ameritrade.com\wwws
Trusted Zone: tdameritrade.com
Trusted Zone: yahoo.com\games
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - hxxp://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
STS: c:\windows\system32\kjsdiowq8oikf.dll: {b2ba40a2-74f0-42bd-f434-12345a2c8953} - c:\windows\system32\kjsdiowq8oikf.dll
LSA: Notification Packages = scecli c:\windows\system32\fiyifine.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\john\applic~1\mozilla\firefox\profiles\cb6vkanf.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - plugin: c:\documents and settings\john\application data\mozilla\firefox\profiles\cb6vkanf.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp071303000006.dll
FF - plugin: c:\progra~1\yahoo!\common\npyaxmpb.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava11.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava12.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava13.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava14.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava32.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJPI150_06.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPOJI610.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPAdbESD.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPMGWRAP.DLL
FF - plugin: c:\program files\mozilla firefox\plugins\npmozax.dll

============= SERVICES / DRIVERS ===============

R?2 msncache;msncache;c:\windows\system32\svchost.exe -k netsvcs [2004-8-12 34816]
R2 dhcpsrv;Dhcp server;c:\windows\dhcp\svchost.exe [2009-4-22 256512]
R2 OracleOraDb10g_home1TNSListener;OracleOraDb10g_home1TNSListener;c:\oracle\product\10.2.0\db_1\bin\tnslsnr --> c:\oracle\product\10.2.0\db_1\bin\TNSLSNR [?]
R2 OracleServiceORCL;OracleServiceORCL;c:\oracle\product\10.2.0\db_1\bin\oracle.exe orcl --> c:\oracle\product\10.2.0\db_1\bin\ORACLE.EXE ORCL [?]
R2 sopidkc;sopidkc Service;c:\windows\system32\sopidkc.exe [2004-8-12 195584]
S2 A25C41688C4360B8;A25C41688C4360B8;\??\c:\documents and settings\john\a25c41688c4360b8\a25c41688c4360b8 --> c:\documents and settings\john\a25c41688c4360b8\A25C41688C4360B8 [?]
S3 protect;protect;c:\windows\system32\drivers\protect.sys [2009-4-25 18944]
S4 OracleJobSchedulerORCL;OracleJobSchedulerORCL;c:\oracle\product\10.2.0\db_1\bin\extjob.exe orcl --> c:\oracle\product\10.2.0\db_1\bin\extjob.exe ORCL [?]

=============== Created Last 30 ================

2009-04-27 15:55 0 a------- C:\4C.tmp
2009-04-27 15:55 0 a------- C:\4B.tmp
2009-04-27 15:55 0 a------- C:\3D.tmp
2009-04-27 15:55 0 a------- C:\3A.tmp
2009-04-27 15:55 0 a------- C:\39.tmp
2009-04-27 15:55 0 a------- C:\38.tmp
2009-04-27 15:55 0 a------- C:\37.tmp
2009-04-27 15:55 0 a------- C:\36.tmp
2009-04-27 15:55 0 a------- C:\35.tmp
2009-04-27 15:53 38 a------- C:\34.tmp
2009-04-27 15:52 0 a------- C:\33.tmp
2009-04-27 15:52 0 a------- C:\32.tmp
2009-04-27 15:52 0 a------- C:\31.tmp
2009-04-27 15:52 54,784 a------- C:\30.tmp
2009-04-27 15:51 31,232 a------- C:\syxm.exe
2009-04-27 15:51 289,792 a------- c:\windows\system32\azton.mt
2009-04-27 15:51 289,792 a------- C:\budcxy.exe
2009-04-27 15:51 15,000 a------- c:\windows\system32\sjg9s8guigjs.dll
2009-04-27 15:51 60,928 a------- C:\cuhel.exe
2009-04-27 15:51 0 a------- C:\4A.tmp
2009-04-27 15:51 0 a------- C:\49.tmp
2009-04-27 15:51 0 a------- C:\48.tmp
2009-04-27 15:51 0 a------- C:\47.tmp
2009-04-27 15:51 0 a------- C:\40.tmp
2009-04-27 15:51 0 a------- C:\3F.tmp
2009-04-27 15:51 0 a------- C:\3E.tmp
2009-04-27 15:50 0 a------- C:\3C.tmp
2009-04-27 15:50 0 a------- C:\3B.tmp
2009-04-27 15:30 38 a------- C:\2E.tmp
2009-04-27 15:30 0 a------- C:\2D.tmp
2009-04-27 15:30 0 a------- C:\2C.tmp
2009-04-27 15:30 0 a------- C:\2B.tmp
2009-04-27 15:30 54,784 a------- C:\24.tmp
2009-04-27 15:30 22,016 a------- C:\13.tmp
2009-04-27 11:18 61,440 a------- c:\windows\system32\10.tmp
2009-04-27 11:17 0 a------- c:\windows\system32\E.tmp
2009-04-27 11:15 52,736 a------- c:\windows\system32\D.tmp
2009-04-27 11:15 164 a------- c:\windows\system32\C.tmp
2009-04-27 11:14 0 a------- c:\windows\system32\nmesrvc_core_2009_4_27_11_14_8.dmp
2009-04-26 18:57 108,336 a------- c:\windows\system32\MSWINSCK.OCX
2009-04-26 18:56 <DIR> --dshr-- c:\program files\ThunMail
2009-04-26 18:51 54,156 a---h--- c:\windows\QTFont.qfn
2009-04-26 18:51 1,409 a------- c:\windows\QTFont.for
2009-04-26 12:39 <DIR> --d-h--- c:\windows\PIF
2009-04-26 09:19 0 a------- C:\46.tmp
2009-04-26 09:19 0 a------- C:\45.tmp
2009-04-26 09:19 0 a------- C:\44.tmp
2009-04-26 09:19 0 a------- C:\43.tmp
2009-04-26 09:19 0 a------- C:\42.tmp
2009-04-26 09:19 0 a------- C:\41.tmp
2009-04-26 09:19 0 a------- c:\windows\system32\nmesrvc_core_2009_4_26_9_19_9.dmp
2009-04-26 09:01 38 a------- C:\23.tmp
2009-04-26 09:01 0 a------- C:\22.tmp
2009-04-26 09:01 0 a------- C:\21.tmp
2009-04-26 09:01 38 a------- C:\20.tmp
2009-04-26 09:01 54,784 a------- C:\1F.tmp
2009-04-25 22:15 18,944 a---h--- c:\windows\system32\drivers\protect.sys
2009-04-25 22:15 61,440 a------- c:\windows\system32\2F.tmp
2009-04-25 22:15 152,064 a------- c:\windows\system32\2D.tmp
2009-04-25 22:15 124 a------- c:\windows\system32\2C.tmp
2009-04-25 22:15 0 a------- C:\2A.tmp
2009-04-25 22:15 0 a------- C:\29.tmp
2009-04-25 22:15 0 a------- C:\28.tmp
2009-04-25 22:15 15,000 a------- c:\windows\system32\kjsdiowq8oikf.dll
2009-04-25 22:15 0 a------- C:\27.tmp
2009-04-25 22:15 0 a------- C:\26.tmp
2009-04-25 22:15 0 a------- C:\25.tmp
2009-04-25 21:59 38 a------- C:\1E.tmp
2009-04-25 21:59 0 a------- C:\1D.tmp
2009-04-25 21:59 0 a------- C:\1C.tmp
2009-04-25 21:59 38 a------- C:\1B.tmp
2009-04-25 21:59 54,784 a------- C:\1A.tmp
2009-04-25 10:36 0 a------- C:\19.tmp
2009-04-25 10:36 0 a------- C:\18.tmp
2009-04-25 10:36 0 a------- C:\17.tmp
2009-04-25 10:36 0 a------- C:\16.tmp
2009-04-25 10:36 0 a------- C:\15.tmp
2009-04-25 10:36 0 a------- C:\14.tmp
2009-04-25 10:33 38 a------- C:\12.tmp
2009-04-25 10:33 0 a------- C:\11.tmp
2009-04-25 10:33 0 a------- C:\10.tmp
2009-04-25 10:33 38 a------- C:\F.tmp
2009-04-25 10:33 54,784 a------- C:\8.tmp
2009-04-25 10:33 21,504 a------- C:\2.tmp
2009-04-25 10:10 132,608 -------- c:\windows\system32\VT100.EXE
2009-04-25 10:09 0 a------- C:\E.tmp
2009-04-25 10:09 0 a------- C:\D.tmp
2009-04-25 10:09 15,000 a------- c:\windows\system32\hsfiun3487dll
2009-04-25 10:09 0 a------- C:\C.tmp
2009-04-25 10:09 0 a------- C:\B.tmp
2009-04-25 10:09 0 a------- C:\A.tmp
2009-04-25 10:09 0 a------- C:\9.tmp
2009-04-25 10:08 38 a------- C:\7.tmp
2009-04-25 10:08 0 a------- C:\6.tmp
2009-04-25 10:08 0 a------- C:\5.tmp
2009-04-25 10:08 38 a------- C:\4.tmp
2009-04-25 10:08 54,784 a------- C:\3.tmp
2009-04-25 09:46 <DIR> --d----- C:\_OTMoveIt
2009-04-24 03:36 36,352 a------- c:\windows\system32\reader_s.exe
2009-04-24 03:36 36,352 a------- c:\documents and settings\john\reader_s.exe
2009-04-23 21:48 44,544 a------- C:\lsass.exe
2009-04-23 15:39 14,674 a------- c:\windows\system32\nmesrvc_core_2009_4_23_15_39_15.dmp
2009-04-22 20:32 24,576 a------- c:\windows\TEMPIadHide3.dll
2009-04-22 16:36 <DIR> --d----- c:\windows\system32\3361
2009-04-22 16:35 <DIR> --d----- c:\windows\dhcp
2009-04-22 16:35 103,036 a------- c:\windows\system32\drivers\df878553.sys
2009-04-22 16:34 182,656 ac------ c:\windows\system32\dllcache\ndis.sys
2009-04-22 16:33 578,560 ac------ c:\windows\system32\dllcache\user32.dll
2009-04-22 16:33 2 a------- C:\-2071803896
2009-04-22 16:33 44,544 a------- C:\jgxxsfa.exe
2009-04-22 03:00 <DIR> --d----- c:\windows\system32\KB905474
2009-04-19 22:37 284,160 -c------ c:\windows\system32\dllcache\pdh.dll
2009-04-19 22:37 401,408 -c------ c:\windows\system32\dllcache\rpcss.dll
2009-04-19 22:37 131,072 -c------ c:\windows\system32\dllcache\services.exe
2009-04-19 22:37 473,600 -c------ c:\windows\system32\dllcache\fastprox.dll
2009-04-19 22:37 248,320 -c------ c:\windows\system32\dllcache\wmiprvse.exe
2009-04-19 22:37 729,088 -c------ c:\windows\system32\dllcache\lsasrv.dll
2009-04-19 22:37 453,120 -c------ c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-19 22:37 714,752 -c------ c:\windows\system32\dllcache\ntdll.dll
2009-04-19 22:37 617,472 -c------ c:\windows\system32\dllcache\advapi32.dll
2009-04-19 22:36 2,560 -------- c:\windows\system32\xpsp4res.dll
2009-04-19 22:36 1,203,922 -c------ c:\windows\system32\dllcache\sysmain.sdb
2009-04-19 22:36 236,032 -c------ c:\windows\system32\dllcache\wordpad.exe

==================== Find3M ====================

2009-04-22 16:34 182,656 a------- c:\windows\system32\drivers\ndis.sys
2009-04-22 16:33 578,560 a------- c:\windows\system32\user32.DLL
2009-04-22 16:32 74,752 a--sh--- c:\windows\system32\wifowigu.exe
2009-04-06 15:32 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 15:32 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-03-21 10:06 57,856 a------- c:\windows\system32\ipcmd.dll
2009-03-21 10:06 13,312 a------- c:\windows\system32\sysdiag.dll
2009-03-06 10:22 284,160 a------- c:\windows\system32\pdh.dll
2009-03-02 20:18 826,368 a------- c:\windows\system32\wininet.dll
2009-02-20 14:09 78,336 a------- c:\windows\system32\ieencode.dll
2009-02-09 08:10 729,088 a------- c:\windows\system32\lsasrv.dll
2009-02-09 08:10 714,752 a------- c:\windows\system32\ntdll.dll
2009-02-09 08:10 617,472 a------- c:\windows\system32\advapi32.dll
2009-02-09 08:10 401,408 a------- c:\windows\system32\rpcss.dll
2009-02-09 07:13 1,846,784 a------- c:\windows\system32\win32k.sys
2009-02-06 07:11 110,592 a------- c:\windows\system32\services.exe
2009-02-06 07:06 2,145,280 a------- c:\windows\system32\ntoskrnl.exe
2009-02-06 06:39 55,808 a------- c:\windows\system32\sc.exe
2009-02-06 06:32 2,023,936 a------- c:\windows\system32\ntkrnlpa.exe
2009-02-03 15:59 56,832 a------- c:\windows\system32\secur32.dll
2007-12-04 15:41 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012007120420071205\index.dat
2007-12-05 17:25 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012007120520071206\index.dat
2007-12-06 21:11 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012007120620071207\index.dat
2007-12-07 19:33 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012007120720071208\index.dat
2007-12-10 19:19 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012007121020071211\index.dat
2007-12-11 17:41 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012007121120071212\index.dat
2007-12-12 19:27 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012007121220071213\index.dat
2007-12-13 18:38 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012007121320071214\index.dat
2007-12-14 19:26 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012007121420071215\index.dat
2007-12-17 16:44 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012007121720071218\index.dat
2007-12-18 19:00 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012007121820071219\index.dat
2007-12-19 17:50 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012007121920071220\index.dat
2008-01-04 17:28 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008010420080105\index.dat
2008-01-06 23:41 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008010620080107\index.dat
2008-01-07 17:36 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008010720080108\index.dat
2008-01-11 22:10 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008011120080112\index.dat
2008-01-14 16:50 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008011420080115\index.dat
2008-01-16 22:21 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008011620080117\index.dat
2008-01-17 16:32 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008011720080118\index.dat
2008-01-21 20:43 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008012120080122\index.dat
2008-01-22 18:24 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008012220080123\index.dat
2008-01-23 16:36 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008012320080124\index.dat
2008-01-24 20:26 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008012420080125\index.dat
2008-01-25 18:57 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008012520080126\index.dat
2008-01-28 15:34 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008012820080129\index.dat
2008-01-29 18:04 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008012920080130\index.dat
2008-01-30 20:52 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008013020080131\index.dat
2008-01-31 18:38 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008013120080201\index.dat
2008-02-02 00:41 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008020120080202\index.dat
2008-02-04 19:18 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008020420080205\index.dat
2008-02-05 17:27 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008020520080206\index.dat
2008-02-08 19:17 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008020820080209\index.dat
2008-02-19 21:11 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008021920080220\index.dat
2008-02-20 19:23 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008022020080221\index.dat
2008-02-21 18:56 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008022120080222\index.dat
2008-02-22 17:15 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008022220080223\index.dat
2008-02-25 17:45 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008022520080226\index.dat
2008-02-27 19:45 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008022720080228\index.dat
2008-03-03 17:31 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008030320080304\index.dat
2008-03-04 19:48 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008030420080305\index.dat
2008-03-06 17:59 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008030620080307\index.dat
2008-03-17 09:50 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008031720080318\index.dat
2008-03-18 17:51 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008031820080319\index.dat
2008-03-19 16:22 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008031920080320\index.dat
2008-04-04 19:20 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008040420080405\index.dat
2008-04-11 17:21 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008041120080412\index.dat

============= FINISH: 17:14:38.25 ===============


Hope you are able to recognize something.

John
