
Infected with Mal Vundo-9


  • This topic is locked
18 replies to this topic

#1 elgruposam

elgruposam

  • Members
  • 10 posts
  • OFFLINE
  • Local time:10:05 AM

Posted 28 May 2009 - 01:59 AM

I have Trend Micro and it keeps popping up telling me it found a computer virus; however, it won't clean or even quarantine the files.
As I was looking into it I also discovered that the Automatic Updates feature won't turn on: when I click to enable it, it immediately reverts back to disabled.
DDS log:


DDS (Ver_09-05-14.01) - NTFSx86
Run by Sam at 23:48:15.31 on Wed 05/27/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1918.848 [GMT -7:00]

AV: Trend Micro Internet Security *On-access scanning enabled* (Updated) {7D2296BC-32CC-4519-917E-52E652474AF5}
FW: Trend Micro Personal Firewall *enabled* {3E790E9E-6A5D-4303-A7F9-185EC20F3EB6}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\Ati2evxx.exe
svchost.exe
svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Dell Network Assistant\hnm_svc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Logitech\QuickCam\Quickcam.exe
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\iTunes\iTunes.exe
C:\Program Files\Dell Network Assistant\ezi_hnm2.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Sam\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=1080522
uSearch Page = hxxp://www.google.com/hws/sb/dell-usuk/en/side.html?channel=us-smb
uDefault_Page_URL = partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=1080522
uSearch Bar = hxxp://www.google.com/hws/sb/dell-usuk/en/side.html?channel=us-smb
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/hws/sb/dell-usuk/en/side.html?channel=us-smb
BHO: {065dbf76-b682-4924-b063-361c078e1c97} - c:\windows\system32\yaywuVoM.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {6fec71b0-5535-b389-8ee4-b7b0d4eccbb4}: {4bbcce4d-0b7b-4ee8-983b-53550b17cef6} - c:\windows\system32\pqfxhh.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\dell\bae\BAE.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
uRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [Skype] "c:\program files\skype\\phone\Skype.exe" /nosplash /minimized
uRun: [nvd32_r] rundll32.exe "c:\documents and settings\sam\application data\unobi.dll" s
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [ATICCC] "c:\program files\ati technologies\ati.ace\CLIStart.exe"
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [ECenter] c:\dell\e-center\EULALauncher.exe
mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
mRun: [UfSeAgnt.exe] "c:\program files\trend micro\internet security\UfSeAgnt.exe"
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
mRun: [<NO NAME>]
mRun: [hpbdfawep] c:\program files\hp\dfawep\bin\hpbdfawep.exe 1
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [LogitechCommunicationsManager] "c:\program files\common files\logishrd\lcommgr\Communications_Helper.exe"
mRun: [LogitechQuickCamRibbon] "c:\program files\logitech\quickcam\Quickcam.exe" /hide
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [84074daf] rundll32.exe "c:\windows\system32\wuhxgsae.dll",b
StartupFolder: c:\docume~1\sam\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\dellne~1.lnk - c:\windows\installer\{0240bdfb-2995-4a3f-8c96-18d41282b716}\Icon0240BDFB3.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\desktop messenger\8876480\program\LogitechDesktopMessenger.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6662.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1227042139093
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\logitech\desktop messenger\8876480\program\GAPlugProtocol-8876480.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: AtiExtEvent - Ati2evxx.dll
Notify: efcCuVNe - efcCuVNe.dll
AppInit_DLLs: c:\progra~1\google\google~2\GOEC62~1.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: {5048ba60-9b56-afea-55c4-31b704520acb}: {bca02540-7b13-4c55-aefa-65b906ab8405} - c:\windows\system32\pqfxhh.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\yaywuVoM

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\sam\applic~1\mozilla\firefox\profiles\38u2z9ml.default\

============= SERVICES / DRIVERS ===============

R0 atiide;atiide;c:\windows\system32\drivers\atiide.sys [2008-5-21 3456]
R2 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [2008-8-8 52624]
R2 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [2008-2-15 36368]
R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\drivers\TM_CFW.sys [2008-2-15 333328]
R3 TmPfw;Trend Micro Personal Firewall;c:\progra~1\trendm~1\intern~1\TmPfw.exe [2008-8-8 488768]
R3 tmproxy;Trend Micro Proxy Service;c:\program files\trend micro\internet security\TmProxy.exe [2008-8-8 648456]

=============== Created Last 30 ================

2009-05-27 13:45 725 a------- c:\windows\system32\bqrcbord.dll
2009-05-26 13:14 725 a------- c:\windows\system32\aaltrwut.dll
2009-05-25 13:35 569 a------- c:\windows\system32\dgdhwasu.dll
2009-05-24 17:26 5,749 a------- c:\windows\system32\hqtgwfnu.dll
2009-05-24 02:20 36,864 a------- c:\docume~1\sam\applic~1\unobi.dll
2009-05-23 15:51 725 a------- c:\windows\system32\bldecuoq.dll
2009-05-22 14:59 725 a------- c:\windows\system32\evlsxunc.dll
2009-05-21 15:26 725 a------- c:\windows\system32\qcxqyydk.dll
2009-05-20 14:04 725 a------- c:\windows\system32\uconpslk.dll
2009-05-19 15:17 5,749 a------- c:\windows\system32\emcoppco.dll
2009-05-18 14:36 5,749 a------- c:\windows\system32\kqrpwbik.dll
2009-05-18 14:34 721 a------- c:\windows\system32\hbojrlae.dll
2009-05-17 14:30 565 a------- c:\windows\system32\oqqsbcpk.dll
2009-05-17 14:28 569 a------- c:\windows\system32\chmsjjyk.dll
2009-05-15 13:46 5,593 a------- c:\windows\system32\ywxewmsf.dll
2009-05-15 13:44 565 a------- c:\windows\system32\sksjugmb.dll
2009-05-15 13:42 565 a------- c:\windows\system32\csqbrwdb.dll
2009-05-13 13:37 721 a------- c:\windows\system32\mpgdfnyp.dll
2009-05-11 15:04 5,749 a------- c:\windows\system32\sxqrbtyv.dll
2009-05-11 15:01 721 a------- c:\windows\system32\ofsmcqoj.dll
2009-05-10 23:53 5,749 a------- c:\windows\system32\qfasbnjh.dll
2009-05-09 14:27 5,749 a------- c:\windows\system32\mwrgphjn.dll
2009-05-09 14:24 5,745 a------- c:\windows\system32\asqwdwfa.dll
2009-05-09 14:22 725 a------- c:\windows\system32\ufrocfko.dll
2009-05-08 13:26 5,749 a------- c:\windows\system32\bfwujgqn.dll
2009-05-08 13:23 5,745 a------- c:\windows\system32\ooodyllu.dll
2009-05-08 01:25 5,745 a------- c:\windows\system32\skkvwaua.dll
2009-05-08 01:22 5,749 a------- c:\windows\system32\bliheltv.dll
2009-05-07 13:23 721 a------- c:\windows\system32\cojqanco.dll
2009-05-07 13:20 725 a------- c:\windows\system32\eqtlgpse.dll
2009-05-07 01:09 5,745 a------- c:\windows\system32\qrwjlbik.dll
2009-05-07 01:06 5,749 a------- c:\windows\system32\qqqyikct.dll
2009-05-06 13:08 5,749 a------- c:\windows\system32\lhcuddfb.dll
2009-05-05 13:08 725 a------- c:\windows\system32\yqcfgrwv.dll
2009-05-05 13:05 721 a------- c:\windows\system32\hobqxxcp.dll
2009-05-04 16:06 5,745 a------- c:\windows\system32\vifaxcmd.dll
2009-05-04 16:03 5,749 a------- c:\windows\system32\ghdfylqe.dll
2009-05-03 21:38 <DIR> --d----- C:\KUNG_FU_PANDA
2009-05-02 20:14 87,608 a------- c:\docume~1\sam\applic~1\inst.exe
2009-05-02 20:14 47,360 a------- c:\windows\system32\drivers\pcouffin.sys
2009-05-02 20:14 47,360 a------- c:\docume~1\sam\applic~1\pcouffin.sys
2009-05-01 01:40 1,433,623 a--sh--- c:\windows\system32\easgxhuw.ini
2009-05-01 01:40 80,896 a------- c:\windows\system32\wuhxgsae.dll
2009-05-01 01:39 120,832 a------- c:\windows\system32\pqfxhh.dll
2009-05-01 01:39 120,832 a------- c:\windows\system32\wgqacoty.dll
2009-04-30 09:42 5,745 a------- c:\windows\system32\mueijrsy.dll
2009-04-30 09:39 5,749 a------- c:\windows\system32\bcshwqob.dll
2009-04-29 14:01 725 a------- c:\windows\system32\ivafggkv.dll
2009-04-28 13:06 120,832 a------- c:\windows\system32\zdakzo.dll
2009-04-28 13:06 120,832 a------- c:\windows\system32\tluvgvet.dll
2009-04-28 13:06 1,433,623 a--sh--- c:\windows\system32\eqgwiglm.ini

==================== Find3M ====================

2009-05-27 23:48 1,605 a--sh--- c:\windows\system32\MoVuwyay.ini2
2009-04-26 03:47 5,745 a------- c:\windows\system32\kmflbhuu.dll
2009-04-26 03:44 5,749 a------- c:\windows\system32\iwtjswni.dll
2009-04-25 15:46 5,749 a------- c:\windows\system32\ihtrlpgl.dll
2009-04-25 15:43 5,745 a------- c:\windows\system32\almgwpic.dll
2009-04-25 03:45 5,745 a------- c:\windows\system32\fokkypdr.dll
2009-04-25 03:42 5,749 a------- c:\windows\system32\vbbatiki.dll
2009-04-22 00:03 5,749 a------- c:\windows\system32\ksqlwyhp.dll
2009-04-22 00:00 5,745 a------- c:\windows\system32\jewetshi.dll
2009-04-21 12:02 5,749 a------- c:\windows\system32\ddxdrogg.dll
2009-04-21 11:59 5,745 a------- c:\windows\system32\jegifapv.dll
2009-04-20 12:02 5,745 a------- c:\windows\system32\anyicbop.dll
2009-04-20 11:59 5,749 a------- c:\windows\system32\pffioisv.dll
2009-04-19 23:59 5,749 a------- c:\windows\system32\lbcmtihs.dll
2009-04-19 23:57 5,745 a------- c:\windows\system32\jpebedyq.dll
2009-04-18 13:26 5,593 a------- c:\windows\system32\miwjbueh.dll
2009-04-18 13:23 5,589 a------- c:\windows\system32\rwuusnja.dll
2009-04-18 01:26 5,745 a------- c:\windows\system32\cwtjpwvt.dll
2009-04-18 01:23 5,749 a------- c:\windows\system32\cwxvysjj.dll
2009-04-17 13:26 5,749 a------- c:\windows\system32\ppgjgmdp.dll
2009-04-17 00:12 5,745 a------- c:\windows\system32\adhweyql.dll
2009-04-17 00:08 5,749 a------- c:\windows\system32\kbnnjyso.dll
2009-04-15 13:21 5,745 a------- c:\windows\system32\cggfskkt.dll
2009-04-14 15:34 5,745 a------- c:\windows\system32\xpxxxefp.dll
2009-04-14 15:34 5,749 a------- c:\windows\system32\revdywcr.dll
2009-04-13 18:07 5,745 a------- c:\windows\system32\klqcgtlk.dll
2009-04-13 15:36 5,749 a------- c:\windows\system32\notcnofl.dll
2009-04-13 15:33 5,735 a------- c:\windows\system32\qdbvoyqg.exe
2009-04-12 12:51 5,735 a------- c:\windows\system32\enlmfgpf.exe
2009-04-12 12:48 5,745 a------- c:\windows\system32\ucsbsipk.dll
2009-04-12 12:46 5,749 a------- c:\windows\system32\fjaytyda.dll
2009-04-11 21:24 5,745 a------- c:\windows\system32\htkeowmd.dll
2009-04-11 09:28 5,749 a------- c:\windows\system32\qwkyhhli.dll
2009-04-11 09:25 5,745 a------- c:\windows\system32\quslbuvt.dll
2009-04-09 02:13 5,749 a------- c:\windows\system32\jqodywsg.dll
2009-04-09 02:10 5,745 a------- c:\windows\system32\ijpiongk.dll
2009-04-08 01:05 5,749 a------- c:\windows\system32\hxpfnawa.dll
2009-04-07 13:05 5,749 a------- c:\windows\system32\vkscqftu.dll
2009-04-07 13:03 5,745 a------- c:\windows\system32\uliejeyi.dll
2009-04-03 23:38 5,749 a------- c:\windows\system32\mqqtaggo.dll
2009-04-03 23:35 5,745 a------- c:\windows\system32\qdyfgpkl.dll
2009-04-02 23:36 5,749 a------- c:\windows\system32\bhutmsgr.dll
2009-04-02 16:00 52,752 a------- c:\windows\system32\drivers\tmactmon.sys
2009-04-02 16:00 52,624 a------- c:\windows\system32\drivers\tmevtmgr.sys
2009-04-02 16:00 142,864 a------- c:\windows\system32\drivers\tmcomm.sys
2009-04-02 11:37 5,745 a------- c:\windows\system32\btslvcfa.dll
2009-03-31 11:48 5,745 a------- c:\windows\system32\igbvjvoj.dll
2009-03-31 11:45 5,749 a------- c:\windows\system32\unckfepq.dll
2009-03-30 23:48 5,745 a------- c:\windows\system32\qhtjqfea.dll
2009-03-30 23:45 5,749 a------- c:\windows\system32\nluckdkd.dll
2009-03-30 21:08 5,745 a------- c:\windows\system32\cchuhttf.dll
2009-03-30 21:05 5,749 a------- c:\windows\system32\rruetwhg.dll
2009-03-28 15:47 5,745 a------- c:\windows\system32\gbhcanvp.dll
2009-03-28 15:45 5,749 a------- c:\windows\system32\wruvuosk.dll
2009-03-28 00:29 5,745 a------- c:\windows\system32\uvfvmell.dll
2009-03-28 00:26 5,749 a------- c:\windows\system32\duwiremu.dll
2009-03-27 12:27 5,745 a------- c:\windows\system32\justktxa.dll
2009-03-26 20:27 5,749 a------- c:\windows\system32\ewbosxwq.dll
2009-03-26 20:24 5,745 a------- c:\windows\system32\bseummam.dll
2009-03-26 15:23 1,900,544 a------- c:\windows\system32\usbaaplrc.dll
2009-03-26 13:40 55,298 a------- c:\windows\Sysvxd.exe
2009-03-26 08:27 5,745 a------- c:\windows\system32\hhjyypug.dll
2009-03-26 08:24 5,749 a------- c:\windows\system32\xvdspmds.dll
2009-03-25 21:36 127,034 -----r-- c:\windows\bwUnin-8.1.1.50-8876480SL.exe
2009-03-25 20:28 5,749 a------- c:\windows\system32\qrfehyro.dll
2009-03-25 20:25 5,745 a------- c:\windows\system32\oljrxxrn.dll
2009-03-18 15:56 5,745 a------- c:\windows\system32\othtfyur.dll
2009-03-18 15:53 5,749 a------- c:\windows\system32\omoqqjrr.dll
2009-03-18 01:01 5,749 a------- c:\windows\system32\gsvumxat.dll
2009-03-18 00:58 5,745 a------- c:\windows\system32\soscrtij.dll
2009-03-14 01:30 5,745 a------- c:\windows\system32\iqtaloxs.dll
2009-03-14 01:27 5,749 a------- c:\windows\system32\dngdinvk.dll
2009-03-13 13:28 5,749 a------- c:\windows\system32\cpdewhya.dll
2009-03-12 13:40 5,745 a------- c:\windows\system32\ioibqohf.dll
2009-03-11 12:26 5,749 a------- c:\windows\system32\mdsetnfk.dll
2009-03-10 11:14 5,745 a------- c:\windows\system32\rpkdcdbm.dll
2009-03-09 17:17 308,752 a------- c:\windows\sysguard.exe
2009-03-09 14:14 5,749 a------- c:\windows\system32\ppwyercy.dll
2009-03-08 13:29 5,749 a------- c:\windows\system32\lrjfxhbk.dll
2009-03-08 13:26 5,745 a------- c:\windows\system32\lixcieho.dll
2009-03-07 01:44 5,749 a------- c:\windows\system32\eynlihwo.dll
2009-03-07 01:44 5,745 a------- c:\windows\system32\trflxkyk.dll
2009-03-06 13:48 5,745 a------- c:\windows\system32\edtmircw.dll
2009-03-04 13:19 5,745 a------- c:\windows\system32\bluhscjq.dll
2009-03-04 13:16 5,749 a------- c:\windows\system32\jvptiwdl.dll
2009-03-03 14:38 5,745 a------- c:\windows\system32\nmqkuoit.dll
2009-03-02 14:48 5,749 a------- c:\windows\system32\yamskspa.dll
2009-03-01 16:11 5,749 a------- c:\windows\system32\slanucgc.dll
2009-03-01 01:51 5,745 a------- c:\windows\system32\aqddpgwj.dll
2009-03-01 01:48 5,749 a------- c:\windows\system32\umpnpqpx.dll
2009-02-28 01:48 5,749 a------- c:\windows\system32\ktlydlfx.dll
2009-02-27 13:52 5,745 a------- c:\windows\system32\lfbjqlba.dll
2009-02-27 13:49 5,749 a------- c:\windows\system32\scjfamoa.dll
2008-05-31 20:02 0 a------- c:\docume~1\sam\applic~1\wklnhst.dat
2008-09-29 13:42 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008092220080929\index.dat
2008-09-29 13:42 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008092920080930\index.dat

============= FINISH: 23:51:35.65 ===============

Thank you for any help
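As an added example (not part of this thread, and not code from DDS, HijackThis or Malwarebytes), here is a small Python triage script that applies the persistence indicators visible in the log above to the Pseudo HJT section of a DDS log: unnamed BHOs and ShellExecuteHooks, rundll32 Run entries loading random-named DLLs or DLLs from the user profile, a random-named Winlogon Notify DLL, and an extra LSA Authentication Package beside msv1_0. The rules, thresholds and the name-randomness heuristic are my own assumptions, and the sample input is a constructed excerpt of the lines posted above.

```python
"""Triage the autostart (Pseudo HJT) section of a DDS log for Vundo-style persistence.

Added example with assumed heuristics; the sample below is a constructed excerpt
of the DDS lines posted in the thread, not a full log.
"""
import re
from dataclasses import dataclass

# Constructed excerpt of the Pseudo HJT Report lines from the post above.
SAMPLE_DDS = r"""
BHO: {065dbf76-b682-4924-b063-361c078e1c97} - c:\windows\system32\yaywuVoM.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {6fec71b0-5535-b389-8ee4-b7b0d4eccbb4}: {4bbcce4d-0b7b-4ee8-983b-53550b17cef6} - c:\windows\system32\pqfxhh.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [nvd32_r] rundll32.exe "c:\documents and settings\sam\application data\unobi.dll" s
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [<NO NAME>]
mRun: [84074daf] rundll32.exe "c:\windows\system32\wuhxgsae.dll",b
Notify: AtiExtEvent - Ati2evxx.dll
Notify: efcCuVNe - efcCuVNe.dll
SEH: {5048ba60-9b56-afea-55c4-31b704520acb}: {bca02540-7b13-4c55-aefa-65b906ab8405} - c:\windows\system32\pqfxhh.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\yaywuVoM
"""

GUID = r"\{[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\}"
# Locations a limited user can write to; legitimate Run entries rarely load DLLs from here.
USER_WRITABLE = ("\\application data\\", "\\local settings\\", "\\temp\\")


@dataclass
class Finding:
    rule: str
    module: str   # lower-case file stem of the implicated module
    line: str


def stem(path: str) -> str:
    """Lower-case basename without extension: c:\\x\\yaywuVoM.dll -> yaywuvom."""
    base = path.replace("/", "\\").rsplit("\\", 1)[-1]
    return base.lower().rsplit(".", 1)[0]


def looks_random(name: str) -> bool:
    """Crude random-name heuristic (assumption): letters only, 5-9 characters,
    and either vowel-free (pqfxhh) or with three consonants in a row (wuhxgsae)."""
    s = stem(name)
    if not s.isalpha() or not 5 <= len(s) <= 9:
        return False
    vowel_free = not any(c in "aeiouy" for c in s)
    return vowel_free or re.search(r"[^aeiouy]{3}", s) is not None


def triage(text: str) -> list[Finding]:
    out: list[Finding] = []
    for raw in text.splitlines():
        line = raw.strip()
        kind, _, rest = line.partition(": ")
        if kind in ("BHO", "SEH"):
            # A BHO or ShellExecuteHook whose name is missing, or is itself a GUID,
            # registered no product description; every Vundo DLL in this log is like that.
            m = re.match(GUID + r"(?:: " + GUID + r")? - (.+)$", rest)
            if m:
                out.append(Finding("unnamed-" + kind.lower(), stem(m.group(1)), line))
        elif kind in ("uRun", "mRun"):
            m = re.match(r"\[([^\]]*)\]\s*(.*)$", rest)
            if not m or "rundll32" not in m.group(2).lower():
                continue
            name, cmd = m.group(1), m.group(2)
            d = re.search(r'"([^"]+\.dll)"|(\S+\.dll)', cmd, re.I)
            if not d:
                continue
            dll = d.group(1) or d.group(2)
            if any(p in dll.lower() for p in USER_WRITABLE):
                out.append(Finding("rundll32-user-profile-dll", stem(dll), line))
            # An eight-hex-digit value name (84074daf) or a random DLL name is the other tell.
            if re.fullmatch(r"[0-9a-f]{8}", name) or looks_random(dll):
                out.append(Finding("rundll32-random-dll", stem(dll), line))
        elif kind == "Notify":
            # Winlogon notification packages are loaded into winlogon.exe at logon.
            _, _, dll = rest.partition(" - ")
            if looks_random(dll):
                out.append(Finding("winlogon-notify-random-dll", stem(dll), line))
        elif kind == "LSA" and rest.startswith("Authentication Packages"):
            # On a default XP install this list is just msv1_0; anything appended to it
            # is loaded by lsass.exe and deserves a look.
            _, _, value = rest.partition(" = ")
            for pkg in value.split():
                if pkg.lower() != "msv1_0":
                    out.append(Finding("lsa-extra-auth-package", stem(pkg), line))
    return out


def suspect_modules(text: str) -> set[str]:
    """File stems implicated by at least one rule."""
    return {f.module for f in triage(text)}


if __name__ == "__main__":
    for f in triage(SAMPLE_DDS):
        print(f"{f.rule:28} {f.module:10} {f.line}")
```

The five modules the script implicates are exactly the ones Malwarebytes later reported in this thread (yaywuVoM.dll, pqfxhh.dll, wuhxgsae.dll, unobi.dll) plus the Notify DLL; treat the output as a shortlist for a human to verify, not a verdict.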

#2 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:10:05 AM

Posted 31 May 2009 - 11:38 AM

Hello elgruposam,



Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove the older Java components and update.

Updating Java:
  • Download the latest version of Java SE Runtime Environment (JRE) 6 Update 14.
  • Click the "Download" button to the right.
  • In the Select Platform and Language for your download drop-down box,
    select Windows and Multi-Language.
  • Check the box that says "Accept License Agreement", then press Continue. (Selecting Windows will give you the 32-bit version.)
  • The page will refresh.
  • Click on the link to download Windows Offline Installation, Multi-language jre-6u13-windows-i586-p.exe and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
    Examples of older versions in Add or Remove Programs:
    Java 6 Update 11
    Java 6 Update 5
    Java 6 Update 7
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u14-windows-i586-p.exe to install the newest version.
Download Security Check by screen317 from here or here.
Save it to your Desktop.
Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
A Notepad document should open automatically called checkup.txt.
Please post the contents of that document.



Please download Malwarebytes' Anti-Malware from one of these places:
http://download.cnet.com/Malwarebytes-Anti...&tag=button
http://www.majorgeeks.com/Malwarebytes_Ant...ware_d5756.html
http://www.besttechie.net/mbam/mbam-setup.exe

Double Click mbam-setup.exe to install the application.

* Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select "Perform Full Scan", then click Scan.
* The scan may take some time to finish, so please be patient.
* When the scan is complete, click OK, then Show Results to view the results.
* Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to restart. (See Extra Note.)
* The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
* Copy & paste the entire MBAM report (even if it does not find anything) in your next reply, along with a fresh HijackThis log.

Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

Edited by SifuMike, 31 May 2009 - 11:52 AM.
typo


#3 elgruposam

elgruposam
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:10:05 AM

Posted 01 June 2009 - 08:18 PM

Here is the checkup log:

Results of screen317's Security Check version 0.98.3
Windows XP Service Pack 3
``````````````````````````````
Antivirus/Firewall Check:
``````````````````````````````

Windows Firewall Disabled!
WindowsLiveOneCaresafetyscanner
TrendMicroInternetSecurity
TrendMicroInternetSecurity
``````````````````````````````
Anti-malware/Other Utilities Check:
``````````````````````````````

HijackThis 2.0.2
Java™ 6 Update 14
Out of date Java installed!
``````````````````````````````
Process Check:
objlist.exe by Laurent
``````````````````````````````

``````````````````````````````
DNS Vulnerability Check:
``````````````````````````````

GREAT! (Very random)

Scan took 124 seconds.
`````````End of Log```````````


The malware log:

Malwarebytes' Anti-Malware 1.37
Database version: 2209
Windows 5.1.2600 Service Pack 3

6/1/2009 6:05:30 PM
mbam-log-2009-06-01 (18-05-30).txt

Scan type: Full Scan (C:\|)
Objects scanned: 160066
Time elapsed: 1 hour(s), 23 minute(s), 32 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 4
Registry Keys Infected: 20
Registry Values Infected: 5
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 19

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\yaywuVoM.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\wuhxgsae.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\pqfxhh.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\Documents and Settings\Sam\Application Data\unobi.dll (Trojan.Winwebsec) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4bbcce4d-0b7b-4ee8-983b-53550b17cef6} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{4bbcce4d-0b7b-4ee8-983b-53550b17cef6} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6bd47c4c-5872-4003-b2d5-f65081300619} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{6bd47c4c-5872-4003-b2d5-f65081300619} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{4bbcce4d-0b7b-4ee8-983b-53550b17cef6} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{bca02540-7b13-4c55-aefa-65b906ab8405} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{6bd47c4c-5872-4003-b2d5-f65081300619} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{955b9190-e95b-4b83-b45c-59af64099eb6} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\tdss (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Software Notifier (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\instkey (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\cs41275 (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\AvScan (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\84074daf (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{bca02540-7b13-4c55-aefa-65b906ab8405} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{bca02540-7b13-4c55-aefa-65b906ab8405} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nvd32_r (Trojan.Winwebsec) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\diskchk help (Trojan.Downloader) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\yaywuvom -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\yaywuvom -> Delete on reboot.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\pqfxhh.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\yaywuVoM.dll (Trojan.Vundo.H) -> Delete on reboot.
c:\WINDOWS\system32\MoVuwyay.ini (Trojan.Vundo.H) -> Delete on reboot.
c:\WINDOWS\system32\MoVuwyay.ini2 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\wuhxgsae.dll (Trojan.Vundo.H) -> Delete on reboot.
c:\WINDOWS\system32\easgxhuw.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\Documents and Settings\Sam\Application Data\unobi.dll (Trojan.Winwebsec) -> Delete on reboot.
c:\documents and settings\Sam\local settings\Temp\upd_IE09.upd (Trojan.Winwebsec) -> Quarantined and deleted successfully.
c:\documents and settings\Sam\local settings\Temp\e.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\documents and settings\Sam\local settings\temporary internet files\Content.IE5\VUTT02W8\file[1].exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\wgqacoty.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\mcrh.tmp (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\sysguard.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\tdssinit.dll (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\tdssservers.dat (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\cggfskkt.dll (Trojan.vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\Sysvxd.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\phc3g7j0ee13.bmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\proto.dll (Trojan.Downloader) -> Delete on reboot.

And the HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:13:40 PM, on 6/1/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Dell Network Assistant\hnm_svc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\HP\Dfawep\bin\hpbdfawep.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Logitech\QuickCam\Quickcam.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Dell Network Assistant\ezi_hnm2.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\wscript.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Sam\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=1080522
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=1080522
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=1080522
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O1 - Hosts: 82.98.231.89 browser-security.microsoft.com
O1 - Hosts: 82.98.231.89 best-click-scanner.info
O1 - Hosts: 82.98.231.89 antivirus-xp-pro-2009.com
O1 - Hosts: 82.98.231.89 microsoft.infosecuritycenter.com
O1 - Hosts: 82.98.231.89 microsoft.softwaresecurityhelp.com
O1 - Hosts: 82.98.231.89 onlinenotifyq.net
O1 - Hosts: 82.98.231.89 antivirusxp-pro-2009.com
O1 - Hosts: 82.98.231.89 microsoft.browser-security-center.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe
O4 - HKLM\..\Run: [ECenter] C:\Dell\E-Center\EULALauncher.exe
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKLM\..\Run: [hpbdfawep] C:\Program Files\HP\Dfawep\bin\hpbdfawep.exe 1
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\\Phone\Skype.exe" /nosplash /minimized
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: Dell Network Assistant.lnk = ?
O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase6662.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1227042139093
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O20 - Winlogon Notify: efcCuVNe - efcCuVNe.dll (file missing)
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Advanced Networking Service (hnmsvc) - SingleClick Systems - C:\Program Files\Dell Network Assistant\hnm_svc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 11547 bytes



Thanks again

#4 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:10:05 AM

Posted 01 June 2009 - 09:25 PM

Hi elgruposam,

Since you are heavily infected, we will run ComboFix.

You should NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert.
It is intended by its creator to be used under the guidance and supervision of a Malware Removal Expert, not for private use.

Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.
Please read Combofix's Disclaimer.
Further, ComboFix logs are not permitted outside the HijackThis forums and then only when requested by a HJT Team member.

You need to disable your Trend Micro Internet Security before running ComboFix, as it will prevent it from running.

Disable Trend Micro PC-cillin Internet Security.

Note: If you already have a copy of ComboFix on your system it is essential that you delete it before downloading this copy.

Please visit this webpage for instructions for downloading and running ComboFix:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

To work properly, you must install ComboFix on the Desktop.
Post the log from ComboFix in your next reply.

A caution - ComboFix may reset a number of Internet Explorer's settings, including making IE the default browser.
ComboFix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal and increase security. If this is an issue or makes it difficult for you -- please tell me.
Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.
Do not run Combofix more than once.
Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock.
The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.
Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.

Edited by SifuMike, 01 June 2009 - 09:27 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!


Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#5 elgruposam

elgruposam
  • Topic Starter

  • Members
  • 10 posts
  • Local time:10:05 AM

Posted 02 June 2009 - 04:28 PM

Here is the ComboFix log:

ComboFix 09-05-31.06 - Sam 06/02/2009 14:12.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1918.1390 [GMT -7:00]
Running from: c:\documents and settings\Sam\Desktop\ComboFix.exe
AV: Trend Micro Internet Security *On-access scanning disabled* (Updated) {7D2296BC-32CC-4519-917E-52E652474AF5}
FW: Trend Micro Personal Firewall *disabled* {3E790E9E-6A5D-4303-A7F9-185EC20F3EB6}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Sam\Application Data\inst.exe
c:\windows\system32\almgwpic.dll
c:\windows\system32\anyicbop.dll
c:\windows\system32\asqwdwfa.dll
c:\windows\system32\bcshwqob.dll
c:\windows\system32\bfwujgqn.dll
c:\windows\system32\bliheltv.dll
c:\windows\system32\chmsjjyk.dll
c:\windows\system32\csqbrwdb.dll
c:\windows\system32\ddxdrogg.dll
c:\windows\system32\dgdhwasu.dll
c:\windows\system32\emcoppco.dll
c:\windows\system32\enmfamyx.exe
c:\windows\system32\eqgwiglm.ini
c:\windows\system32\fokkypdr.dll
c:\windows\system32\ghdfylqe.dll
c:\windows\system32\hqtgwfnu.dll
c:\windows\system32\ihtrlpgl.dll
c:\windows\system32\iwtjswni.dll
c:\windows\system32\jegifapv.dll
c:\windows\system32\jewetshi.dll
c:\windows\system32\jpebedyq.dll
c:\windows\system32\jtvnqdoj.dll
c:\windows\system32\kmflbhuu.dll
c:\windows\system32\kofkegia.dll
c:\windows\system32\kqrpwbik.dll
c:\windows\system32\ksqlwyhp.dll
c:\windows\system32\lbcmtihs.dll
c:\windows\system32\lhcuddfb.dll
c:\windows\system32\mueijrsy.dll
c:\windows\system32\mwrgphjn.dll
c:\windows\system32\ooodyllu.dll
c:\windows\system32\oqqsbcpk.dll
c:\windows\system32\pffioisv.dll
c:\windows\system32\pxhtkorc.dll
c:\windows\system32\qfasbnjh.dll
c:\windows\system32\qqqyikct.dll
c:\windows\system32\qrwjlbik.dll
c:\windows\system32\skkvwaua.dll
c:\windows\system32\sksjugmb.dll
c:\windows\system32\sxqrbtyv.dll
c:\windows\system32\tluvgvet.dll
c:\windows\system32\vbbatiki.dll
c:\windows\system32\vifaxcmd.dll
c:\windows\system32\ywxewmsf.dll
c:\windows\system32\zdakzo.dll
c:\windows\Tasks\uqmuioqi.job
c:\windows\TEMP\logishrd\LVPrcInj02.dll

.
((((((((((((((((((((((((( Files Created from 2009-05-02 to 2009-06-02 )))))))))))))))))))))))))))))))
.

2009-06-01 23:13 . 2009-06-01 23:13 -------- d-----w- c:\documents and settings\Sam\Application Data\Malwarebytes
2009-06-01 23:13 . 2009-05-26 20:20 40160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-01 23:13 . 2009-06-01 23:13 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-01 23:13 . 2009-06-01 23:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-06-01 23:13 . 2009-05-26 20:19 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-05-30 21:02 . 2009-05-30 21:02 725 ----a-w- c:\windows\system32\ehiqxnjl.dll
2009-05-28 20:08 . 2009-05-28 20:08 725 ----a-w- c:\windows\system32\hhgaacml.dll
2009-05-27 20:45 . 2009-05-27 20:45 725 ----a-w- c:\windows\system32\bqrcbord.dll
2009-05-26 20:14 . 2009-05-26 20:14 725 ----a-w- c:\windows\system32\aaltrwut.dll
2009-05-23 22:51 . 2009-05-23 22:51 725 ----a-w- c:\windows\system32\bldecuoq.dll
2009-05-22 21:59 . 2009-05-22 21:59 725 ----a-w- c:\windows\system32\evlsxunc.dll
2009-05-21 22:26 . 2009-05-21 22:26 725 ----a-w- c:\windows\system32\qcxqyydk.dll
2009-05-20 21:04 . 2009-05-20 21:04 725 ----a-w- c:\windows\system32\uconpslk.dll
2009-05-18 21:34 . 2009-05-18 21:34 721 ----a-w- c:\windows\system32\hbojrlae.dll
2009-05-13 20:37 . 2009-05-13 20:37 721 ----a-w- c:\windows\system32\mpgdfnyp.dll
2009-05-11 22:01 . 2009-05-11 22:01 721 ----a-w- c:\windows\system32\ofsmcqoj.dll
2009-05-09 21:22 . 2009-05-09 21:22 725 ----a-w- c:\windows\system32\ufrocfko.dll
2009-05-07 20:23 . 2009-05-07 20:23 721 ----a-w- c:\windows\system32\cojqanco.dll
2009-05-07 20:20 . 2009-05-07 20:20 725 ----a-w- c:\windows\system32\eqtlgpse.dll
2009-05-05 20:08 . 2009-05-05 20:08 725 ----a-w- c:\windows\system32\yqcfgrwv.dll
2009-05-05 20:05 . 2009-05-05 20:05 721 ----a-w- c:\windows\system32\hobqxxcp.dll
2009-05-04 04:38 . 2009-05-04 04:38 -------- d-----w- C:\KUNG_FU_PANDA
2009-05-03 21:38 . 2009-05-03 21:38 -------- d-----w- c:\documents and settings\Sam\Application Data\dvdcss

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-02 21:19 . 2008-05-22 04:28 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-06-02 20:44 . 2009-03-26 02:44 -------- d-----w- c:\documents and settings\Sam\Application Data\Skype
2009-06-02 20:41 . 2009-03-26 02:47 -------- d-----w- c:\documents and settings\Sam\Application Data\skypePM
2009-06-01 22:56 . 2008-12-05 01:23 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-06-01 22:45 . 2008-05-22 04:16 -------- d-----w- c:\program files\Java
2009-05-29 00:39 . 2008-05-22 04:23 -------- d-----w- c:\program files\Google
2009-05-03 21:30 . 2009-05-03 03:14 -------- d-----w- c:\documents and settings\Sam\Application Data\Vso
2009-05-03 21:30 . 2009-05-03 03:14 47360 ----a-w- c:\documents and settings\Sam\Application Data\pcouffin.sys
2009-05-03 21:30 . 2009-05-03 03:14 47360 ----a-w- c:\documents and settings\Sam\Application Data\pcouffin.sys
2009-05-03 03:14 . 2009-05-03 03:14 47360 ----a-w- c:\windows\system32\drivers\pcouffin.sys
2009-05-03 00:49 . 2008-05-22 04:23 -------- d-----w- c:\program files\CyberLink
2009-05-03 00:49 . 2008-05-22 04:18 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-04-29 21:01 . 2009-04-29 21:01 725 ----a-w- c:\windows\system32\ivafggkv.dll
2009-04-27 21:10 . 2009-04-27 21:10 725 ----a-w- c:\windows\system32\dnphtprk.dll
2009-04-27 21:09 . 2009-04-27 21:09 721 ----a-w- c:\windows\system32\upiceopu.dll
2009-04-27 04:12 . 2009-04-27 04:12 -------- d-----w- c:\program files\7-Zip
2009-04-24 21:44 . 2009-04-24 21:44 721 ----a-w- c:\windows\system32\jgptkvov.dll
2009-04-24 21:41 . 2009-04-24 21:41 725 ----a-w- c:\windows\system32\julpalwr.dll
2009-04-22 20:44 . 2009-04-22 20:44 721 ----a-w- c:\windows\system32\uhxdqmxr.dll
2009-04-22 20:41 . 2009-04-22 20:41 725 ----a-w- c:\windows\system32\ssruwjjr.dll
2009-04-21 07:01 . 2009-04-21 07:01 721 ----a-w- c:\windows\system32\wohjhyia.dll
2009-04-21 06:58 . 2009-04-21 06:58 725 ----a-w- c:\windows\system32\pqmvxvbt.dll
2009-04-18 20:26 . 2009-04-18 20:26 5593 ----a-w- c:\windows\system32\miwjbueh.dll
2009-04-18 20:23 . 2009-04-18 20:23 5589 ----a-w- c:\windows\system32\rwuusnja.dll
2009-04-18 08:26 . 2009-04-18 08:26 5745 ----a-w- c:\windows\system32\cwtjpwvt.dll
2009-04-18 08:23 . 2009-04-18 08:23 5749 ----a-w- c:\windows\system32\cwxvysjj.dll
2009-04-18 00:04 . 2009-03-10 21:45 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-04-17 20:26 . 2009-04-17 20:26 5749 ----a-w- c:\windows\system32\ppgjgmdp.dll
2009-04-17 20:23 . 2009-04-17 20:23 721 ----a-w- c:\windows\system32\eboeyqpn.dll
2009-04-17 07:12 . 2009-04-17 07:12 5745 ----a-w- c:\windows\system32\adhweyql.dll
2009-04-17 07:08 . 2009-04-17 07:08 5749 ----a-w- c:\windows\system32\kbnnjyso.dll
2009-04-16 19:08 . 2009-04-16 19:08 721 ----a-w- c:\windows\system32\cahdlfyh.dll
2009-04-16 19:07 . 2009-04-16 19:07 725 ----a-w- c:\windows\system32\srwnvecd.dll
2009-04-15 20:18 . 2009-04-15 20:18 725 ----a-w- c:\windows\system32\uxeasvac.dll
2009-04-14 22:34 . 2009-04-14 22:34 5745 ----a-w- c:\windows\system32\xpxxxefp.dll
2009-04-14 22:34 . 2009-04-14 22:34 5749 ----a-w- c:\windows\system32\revdywcr.dll
2009-04-14 20:17 . 2009-04-14 20:17 725 ----a-w- c:\windows\system32\itmxgvxs.dll
2009-04-14 20:16 . 2009-04-14 20:16 707 ----a-w- c:\windows\system32\vxglowhe.exe
2009-04-14 10:31 . 2009-04-14 10:31 721 ----a-w- c:\windows\system32\wdjfsded.dll
2009-04-14 01:07 . 2009-04-14 01:07 5745 ----a-w- c:\windows\system32\klqcgtlk.dll
2009-04-13 22:36 . 2009-04-13 22:36 5749 ----a-w- c:\windows\system32\notcnofl.dll
2009-04-13 22:33 . 2009-04-13 22:33 5735 ----a-w- c:\windows\system32\qdbvoyqg.exe
2009-04-13 20:06 . 2009-04-13 20:06 707 ----a-w- c:\windows\system32\tyhkfbdb.exe
2009-04-13 20:04 . 2009-04-13 20:04 725 ----a-w- c:\windows\system32\vdwaoevh.dll
2009-04-13 10:34 . 2009-04-13 10:34 721 ----a-w- c:\windows\system32\snrsahtg.dll
2009-04-12 22:14 . 2009-04-12 22:13 -------- d-----w- c:\program files\iTunes
2009-04-12 22:14 . 2009-04-12 22:13 -------- d-----w- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-04-12 22:13 . 2009-04-12 22:13 -------- d-----w- c:\program files\iPod
2009-04-12 22:13 . 2008-08-09 00:15 -------- d-----w- c:\program files\Common Files\Apple
2009-04-12 22:04 . 2009-04-12 22:01 -------- d-----w- c:\program files\QuickTime
2009-04-12 21:45 . 2009-04-12 21:45 75048 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.1.1.10\SetupAdmin.exe
2009-04-12 21:43 . 2009-04-12 21:43 -------- d-----w- c:\program files\Bonjour
2009-04-12 19:51 . 2009-04-12 19:51 5735 ----a-w- c:\windows\system32\enlmfgpf.exe
2009-04-12 19:48 . 2009-04-12 19:48 5745 ----a-w- c:\windows\system32\ucsbsipk.dll
2009-04-12 19:46 . 2009-04-12 19:46 5749 ----a-w- c:\windows\system32\fjaytyda.dll
2009-04-12 04:30 . 2009-04-12 04:30 725 ----a-w- c:\windows\system32\tyxhpqwu.dll
2009-04-12 04:24 . 2009-04-12 04:24 5745 ----a-w- c:\windows\system32\htkeowmd.dll
2009-04-11 16:28 . 2009-04-11 16:28 5749 ----a-w- c:\windows\system32\qwkyhhli.dll
2009-04-11 16:25 . 2009-04-11 16:25 5745 ----a-w- c:\windows\system32\quslbuvt.dll
2009-04-11 16:22 . 2009-04-11 16:22 707 ----a-w- c:\windows\system32\qqygyngj.exe
2009-04-09 20:38 . 2008-10-20 22:49 -------- d-----w- c:\program files\Common Files\Adobe
2009-04-09 09:13 . 2009-04-09 09:13 5749 ----a-w- c:\windows\system32\jqodywsg.dll
2009-04-09 09:10 . 2009-04-09 09:10 5745 ----a-w- c:\windows\system32\ijpiongk.dll
2009-04-08 21:11 . 2009-04-08 21:11 725 ----a-w- c:\windows\system32\flgrppyi.dll
2009-04-08 21:09 . 2009-04-08 21:09 721 ----a-w- c:\windows\system32\kocdcuam.dll
2009-04-08 08:05 . 2009-04-08 08:05 5749 ----a-w- c:\windows\system32\hxpfnawa.dll
2009-04-07 20:05 . 2009-04-07 20:05 5749 ----a-w- c:\windows\system32\vkscqftu.dll
2009-04-07 20:03 . 2009-04-07 20:03 5745 ----a-w- c:\windows\system32\uliejeyi.dll
2009-04-04 18:38 . 2009-04-04 18:38 721 ----a-w- c:\windows\system32\weiudsty.dll
2009-04-04 18:35 . 2009-04-04 18:35 725 ----a-w- c:\windows\system32\jeqyltye.dll
2009-04-04 06:38 . 2009-04-04 06:38 5749 ----a-w- c:\windows\system32\mqqtaggo.dll
2009-04-04 06:35 . 2009-04-04 06:35 5745 ----a-w- c:\windows\system32\qdyfgpkl.dll
2009-04-03 18:39 . 2009-04-03 18:39 721 ----a-w- c:\windows\system32\pvuglqtl.dll
2009-04-03 18:36 . 2009-04-03 18:36 725 ----a-w- c:\windows\system32\uwknlsxk.dll
2009-04-03 06:39 . 2009-04-03 06:39 721 ----a-w- c:\windows\system32\ifkrebso.dll
2009-04-03 06:36 . 2009-04-03 06:36 5749 ----a-w- c:\windows\system32\bhutmsgr.dll
2009-04-02 23:00 . 2008-08-08 23:31 52752 ----a-w- c:\windows\system32\drivers\tmactmon.sys
2009-04-02 23:00 . 2008-08-08 23:31 52624 ----a-w- c:\windows\system32\drivers\tmevtmgr.sys
2009-04-02 23:00 . 2008-08-08 23:31 142864 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2009-04-02 18:37 . 2009-04-02 18:37 5745 ----a-w- c:\windows\system32\btslvcfa.dll
2009-04-02 18:34 . 2009-04-02 18:34 725 ----a-w- c:\windows\system32\jwwkkukj.dll
2009-04-01 18:52 . 2009-04-01 18:52 703 ----a-w- c:\windows\system32\elbdptll.exe
2009-04-01 18:49 . 2009-04-01 18:49 725 ----a-w- c:\windows\system32\ujavnxgi.dll
2009-04-01 18:46 . 2009-04-01 18:46 721 ----a-w- c:\windows\system32\xmnibatb.dll
2009-04-01 06:52 . 2009-04-01 06:52 725 ----a-w- c:\windows\system32\rekxwvts.dll
2009-04-01 06:49 . 2009-04-01 06:49 721 ----a-w- c:\windows\system32\yvacgohj.dll
2009-03-31 18:48 . 2009-03-31 18:48 5745 ----a-w- c:\windows\system32\igbvjvoj.dll
2009-03-31 18:45 . 2009-03-31 18:45 5749 ----a-w- c:\windows\system32\unckfepq.dll
2009-03-31 06:48 . 2009-03-31 06:48 5745 ----a-w- c:\windows\system32\qhtjqfea.dll
2009-03-31 06:45 . 2009-03-31 06:45 5749 ----a-w- c:\windows\system32\nluckdkd.dll
2009-03-31 04:08 . 2009-03-31 04:08 5745 ----a-w- c:\windows\system32\cchuhttf.dll
2009-03-31 04:05 . 2009-03-31 04:05 5749 ----a-w- c:\windows\system32\rruetwhg.dll
2009-03-30 04:02 . 2009-03-30 04:02 725 ----a-w- c:\windows\system32\geixpsuf.dll
2009-03-30 04:00 . 2009-03-30 04:00 721 ----a-w- c:\windows\system32\eydurjwl.dll
2009-03-28 22:47 . 2009-03-28 22:47 5745 ----a-w- c:\windows\system32\gbhcanvp.dll
2009-03-28 22:45 . 2009-03-28 22:45 5749 ----a-w- c:\windows\system32\wruvuosk.dll
2009-03-28 07:29 . 2009-03-28 07:29 5745 ----a-w- c:\windows\system32\uvfvmell.dll
2009-03-28 07:26 . 2009-03-28 07:26 5749 ----a-w- c:\windows\system32\duwiremu.dll
2009-03-27 19:27 . 2009-03-27 19:27 5745 ----a-w- c:\windows\system32\justktxa.dll
2009-03-27 03:27 . 2009-03-27 03:27 5749 ----a-w- c:\windows\system32\ewbosxwq.dll
.

------- Sigcheck -------

[7] 2004-08-04 10:00 24576 39B1FFB03C2296323832ACBAE50D2AFF c:\windows\$NtServicePackUninstall$\userinit.exe
[7] 2008-04-14 00:12 26112 A93AEE1928A9D7CE3E16D24EC7380F89 c:\windows\ServicePackFiles\i386\userinit.exe
[-] 2008-04-14 00:12 26112 !HASH: COULD NOT OPEN FILE ! c:\windows\system32\userinit.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-14 206064]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-05-22 68856]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"Skype"="c:\program files\Skype\\Phone\Skype.exe" [2009-04-16 24264488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-03-27 1024000]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-05-10 90112]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2007-10-09 2183168]
"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\stsystra.exe" [2008-03-31 405504]
"ECenter"="c:\dell\E-Center\EULALauncher.exe" [2008-02-28 17920]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2008-03-11 16384]
"UfSeAgnt.exe"="c:\program files\Trend Micro\Internet Security\UfSeAgnt.exe" [2009-02-01 1398024]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-03-26 177472]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-14 206064]
"hpbdfawep"="c:\program files\HP\Dfawep\bin\hpbdfawep.exe" [2007-04-25 954368]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-01-17 185872]
"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2008-02-13 564496]
"LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam\Quickcam.exe" [2008-02-13 2196240]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-04-02 342312]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-06-01 148888]

c:\documents and settings\Sam\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2007-12-7 101440]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Dell Network Assistant.lnk - c:\windows\Installer\{0240BDFB-2995-4A3F-8C96-18D41282B716}\Icon0240BDFB3.exe [2008-5-21 7168]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2008-5-21 50688]
Logitech Desktop Messenger.lnk - c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe [2009-3-25 66864]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Ruckus Player\\Ruckus.exe"=
"c:\\Program Files\\Dell Network Assistant\\ezi_hnm2.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\drivers\\svchost.exe"=
"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"10421:UDP"= 10421:UDP:SingleClick Discovery Protocol
"10426:UDP"= 10426:UDP:SingleClick ICC

R0 atiide;atiide;c:\windows\system32\drivers\atiide.sys [5/21/2008 8:57 PM 3456]
R2 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [8/8/2008 4:31 PM 52624]
R2 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [2/15/2008 7:37 AM 36368]
R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\drivers\TM_CFW.sys [2/15/2008 7:37 AM 333328]
R3 TmPfw;Trend Micro Personal Firewall;c:\progra~1\TRENDM~1\INTERN~1\TmPfw.exe [8/8/2008 4:31 PM 488768]
R3 tmproxy;Trend Micro Proxy Service;c:\program files\Trend Micro\Internet Security\TmProxy.exe [8/8/2008 4:31 PM 648456]
.
Contents of the 'Scheduled Tasks' folder

2009-05-30 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-12 19:34]
.
- - - - ORPHANS REMOVED - - - -

Notify-efcCuVNe - efcCuVNe.dll
SafeBoot-procexp90.Sys


.
------- Supplementary Scan -------
.
uStart Page = partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=1080522
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
FF - ProfilePath - c:\documents and settings\Sam\Application Data\Mozilla\Firefox\Profiles\k9fxumxz.default\
FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-02 14:17
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1232)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(8088)
c:\windows\TEMP\logishrd\LVPrcInj01.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\WLTRYSVC.EXE
c:\windows\system32\BCMWLTRY.EXE
c:\windows\system32\ati2evxx.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Dell Network Assistant\hnm_svc.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
c:\program files\Trend Micro\Internet Security\SfCtlCom.exe
c:\program files\Dell Support Center\bin\sprtsvc.exe
c:\program files\Trend Micro\BM\TMBMSRV.exe
c:\windows\system32\spool\drivers\w32x86\3\HP1006MC.EXE
c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
c:\program files\ATI Technologies\ATI.ACE\CLI.exe
c:\program files\Skype\Phone\Skype.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Common Files\LogiShrd\LQCVFX\COCIManager.exe
c:\program files\Dell Network Assistant\ezi_hnm2.exe
c:\program files\Skype\Plugin Manager\skypePM.exe
c:\program files\ATI Technologies\ATI.ACE\CLI.exe
.
**************************************************************************
.
Completion time: 2009-06-02 14:23 - machine was rebooted
ComboFix-quarantined-files.txt 2009-06-02 21:23

Pre-Run: 28,103,397,376 bytes free
Post-Run: 64,275,570,688 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

331 --- E O F --- 2009-01-14 06:48

#6 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:10:05 AM

Posted 02 June 2009 - 05:57 PM

Hi elgruposam,


Looks like you have been infected for several months. :thumbup2:


You need to disable your Trend Micro Internet Security before running ComboFix, as it will prevent it from running.

Disable Trend Micro PC-cillin Internet Security.

Click Start, then Run and type Notepad and click OK.
Open Notepad - don't use any text editor other than Notepad, or the script will fail.
Copy/paste the text in the code box below into notepad:

File:: 
c:\windows\system32\ehiqxnjl.dll
c:\windows\system32\hhgaacml.dll
c:\windows\system32\bqrcbord.dll
c:\windows\system32\aaltrwut.dll
c:\windows\system32\bldecuoq.dll
c:\windows\system32\evlsxunc.dll
c:\windows\system32\qcxqyydk.dll
c:\windows\system32\uconpslk.dll
c:\windows\system32\hbojrlae.dll
c:\windows\system32\mpgdfnyp.dll
c:\windows\system32\ofsmcqoj.dll
c:\windows\system32\ufrocfko.dll
c:\windows\system32\cojqanco.dll
c:\windows\system32\eqtlgpse.dll
c:\windows\system32\yqcfgrwv.dll
c:\windows\system32\hobqxxcp.dll 
c:\windows\system32\ivafggkv.dll
c:\windows\system32\dnphtprk.dll
c:\windows\system32\upiceopu.dll
c:\windows\system32\jgptkvov.dll
c:\windows\system32\julpalwr.dll
c:\windows\system32\uhxdqmxr.dll
c:\windows\system32\ssruwjjr.dll
c:\windows\system32\wohjhyia.dll
c:\windows\system32\pqmvxvbt.dll
c:\windows\system32\miwjbueh.dll
c:\windows\system32\rwuusnja.dll
c:\windows\system32\cwtjpwvt.dll
c:\windows\system32\cwxvysjj.dll
c:\windows\system32\ppgjgmdp.dll
c:\windows\system32\eboeyqpn.dll
c:\windows\system32\adhweyql.dll
c:\windows\system32\kbnnjyso.dll
c:\windows\system32\cahdlfyh.dll
c:\windows\system32\srwnvecd.dll
c:\windows\system32\uxeasvac.dll
c:\windows\system32\xpxxxefp.dll
c:\windows\system32\revdywcr.dll
c:\windows\system32\itmxgvxs.dll
c:\windows\system32\vxglowhe.exe
c:\windows\system32\wdjfsded.dll
c:\windows\system32\klqcgtlk.dll
c:\windows\system32\notcnofl.dll
c:\windows\system32\qdbvoyqg.exe
c:\windows\system32\tyhkfbdb.exe
c:\windows\system32\vdwaoevh.dll
c:\windows\system32\snrsahtg.dll
c:\windows\system32\enlmfgpf.exe
c:\windows\system32\ucsbsipk.dll
c:\windows\system32\fjaytyda.dll
c:\windows\system32\tyxhpqwu.dll
c:\windows\system32\htkeowmd.dll
c:\windows\system32\qwkyhhli.dll
c:\windows\system32\quslbuvt.dll
c:\windows\system32\qqygyngj.exe
c:\windows\system32\jqodywsg.dll
c:\windows\system32\ijpiongk.dll
c:\windows\system32\flgrppyi.dll
c:\windows\system32\kocdcuam.dll
c:\windows\system32\hxpfnawa.dll
c:\windows\system32\vkscqftu.dll
c:\windows\system32\uliejeyi.dll
c:\windows\system32\weiudsty.dll
c:\windows\system32\jeqyltye.dll
c:\windows\system32\mqqtaggo.dll
c:\windows\system32\qdyfgpkl.dll
c:\windows\system32\pvuglqtl.dll
c:\windows\system32\uwknlsxk.dll
c:\windows\system32\ifkrebso.dll
c:\windows\system32\bhutmsgr.dll
c:\windows\system32\btslvcfa.dll
c:\windows\system32\jwwkkukj.dll
c:\windows\system32\elbdptll.exe
c:\windows\system32\ujavnxgi.dll
c:\windows\system32\xmnibatb.dll
c:\windows\system32\rekxwvts.dll
c:\windows\system32\yvacgohj.dll
c:\windows\system32\igbvjvoj.dll
c:\windows\system32\unckfepq.dll
c:\windows\system32\qhtjqfea.dll
c:\windows\system32\nluckdkd.dll
c:\windows\system32\cchuhttf.dll
c:\windows\system32\rruetwhg.dll
c:\windows\system32\geixpsuf.dll
c:\windows\system32\eydurjwl.dll
c:\windows\system32\gbhcanvp.dll
c:\windows\system32\wruvuosk.dll
c:\windows\system32\uvfvmell.dll
c:\windows\system32\duwiremu.dll
c:\windows\system32\justktxa.dll
c:\windows\system32\ewbosxwq.dll

Registry:: 
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"=dword:00000001


Name the Notepad file CFScript.txt and Save it to your desktop.

IMPORTANT: The above script was written specifically for this infection on this person's computer. It is NOT to be used on another computer, as it may cause damage that could result in a format!

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

Posted Image


This will start ComboFix again. After the reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!




Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#7 elgruposam

elgruposam
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:10:05 AM

Posted 02 June 2009 - 08:34 PM

second combofix:

ComboFix 09-06-01.03 - Sam 06/02/2009 18:17.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1918.1332 [GMT -7:00]
Running from: c:\documents and settings\Sam\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Sam\Desktop\CFScript.txt
AV: Trend Micro Internet Security *On-access scanning disabled* (Updated) {7D2296BC-32CC-4519-917E-52E652474AF5}
FW: Trend Micro Personal Firewall *disabled* {3E790E9E-6A5D-4303-A7F9-185EC20F3EB6}

FILE ::
"c:\windows\system32\aaltrwut.dll"
"c:\windows\system32\adhweyql.dll"
"c:\windows\system32\bhutmsgr.dll"
"c:\windows\system32\bldecuoq.dll"
"c:\windows\system32\bqrcbord.dll"
"c:\windows\system32\btslvcfa.dll"
"c:\windows\system32\cahdlfyh.dll"
"c:\windows\system32\cchuhttf.dll"
"c:\windows\system32\cojqanco.dll"
"c:\windows\system32\cwtjpwvt.dll"
"c:\windows\system32\cwxvysjj.dll"
"c:\windows\system32\dnphtprk.dll"
"c:\windows\system32\duwiremu.dll"
"c:\windows\system32\eboeyqpn.dll"
"c:\windows\system32\ehiqxnjl.dll"
"c:\windows\system32\elbdptll.exe"
"c:\windows\system32\enlmfgpf.exe"
"c:\windows\system32\eqtlgpse.dll"
"c:\windows\system32\evlsxunc.dll"
"c:\windows\system32\ewbosxwq.dll"
"c:\windows\system32\eydurjwl.dll"
"c:\windows\system32\fjaytyda.dll"
"c:\windows\system32\flgrppyi.dll"
"c:\windows\system32\gbhcanvp.dll"
"c:\windows\system32\geixpsuf.dll"
"c:\windows\system32\hbojrlae.dll"
"c:\windows\system32\hhgaacml.dll"
"c:\windows\system32\hobqxxcp.dll"
"c:\windows\system32\htkeowmd.dll"
"c:\windows\system32\hxpfnawa.dll"
"c:\windows\system32\ifkrebso.dll"
"c:\windows\system32\igbvjvoj.dll"
"c:\windows\system32\ijpiongk.dll"
"c:\windows\system32\itmxgvxs.dll"
"c:\windows\system32\ivafggkv.dll"
"c:\windows\system32\jeqyltye.dll"
"c:\windows\system32\jgptkvov.dll"
"c:\windows\system32\jqodywsg.dll"
"c:\windows\system32\julpalwr.dll"
"c:\windows\system32\justktxa.dll"
"c:\windows\system32\jwwkkukj.dll"
"c:\windows\system32\kbnnjyso.dll"
"c:\windows\system32\klqcgtlk.dll"
"c:\windows\system32\kocdcuam.dll"
"c:\windows\system32\miwjbueh.dll"
"c:\windows\system32\mpgdfnyp.dll"
"c:\windows\system32\mqqtaggo.dll"
"c:\windows\system32\nluckdkd.dll"
"c:\windows\system32\notcnofl.dll"
"c:\windows\system32\ofsmcqoj.dll"
"c:\windows\system32\ppgjgmdp.dll"
"c:\windows\system32\pqmvxvbt.dll"
"c:\windows\system32\pvuglqtl.dll"
"c:\windows\system32\qcxqyydk.dll"
"c:\windows\system32\qdbvoyqg.exe"
"c:\windows\system32\qdyfgpkl.dll"
"c:\windows\system32\qhtjqfea.dll"
"c:\windows\system32\qqygyngj.exe"
"c:\windows\system32\quslbuvt.dll"
"c:\windows\system32\qwkyhhli.dll"
"c:\windows\system32\rekxwvts.dll"
"c:\windows\system32\revdywcr.dll"
"c:\windows\system32\rruetwhg.dll"
"c:\windows\system32\rwuusnja.dll"
"c:\windows\system32\snrsahtg.dll"
"c:\windows\system32\srwnvecd.dll"
"c:\windows\system32\ssruwjjr.dll"
"c:\windows\system32\tyhkfbdb.exe"
"c:\windows\system32\tyxhpqwu.dll"
"c:\windows\system32\uconpslk.dll"
"c:\windows\system32\ucsbsipk.dll"
"c:\windows\system32\ufrocfko.dll"
"c:\windows\system32\uhxdqmxr.dll"
"c:\windows\system32\ujavnxgi.dll"
"c:\windows\system32\uliejeyi.dll"
"c:\windows\system32\unckfepq.dll"
"c:\windows\system32\upiceopu.dll"
"c:\windows\system32\uvfvmell.dll"
"c:\windows\system32\uwknlsxk.dll"
"c:\windows\system32\uxeasvac.dll"
"c:\windows\system32\vdwaoevh.dll"
"c:\windows\system32\vkscqftu.dll"
"c:\windows\system32\vxglowhe.exe"
"c:\windows\system32\wdjfsded.dll"
"c:\windows\system32\weiudsty.dll"
"c:\windows\system32\wohjhyia.dll"
"c:\windows\system32\wruvuosk.dll"
"c:\windows\system32\xmnibatb.dll"
"c:\windows\system32\xpxxxefp.dll"
"c:\windows\system32\yqcfgrwv.dll"
"c:\windows\system32\yvacgohj.dll"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\aaltrwut.dll
c:\windows\system32\adhweyql.dll
c:\windows\system32\bhutmsgr.dll
c:\windows\system32\bldecuoq.dll
c:\windows\system32\bqrcbord.dll
c:\windows\system32\btslvcfa.dll
c:\windows\system32\cahdlfyh.dll
c:\windows\system32\cchuhttf.dll
c:\windows\system32\cojqanco.dll
c:\windows\system32\cwtjpwvt.dll
c:\windows\system32\cwxvysjj.dll
c:\windows\system32\dnphtprk.dll
c:\windows\system32\duwiremu.dll
c:\windows\system32\eboeyqpn.dll
c:\windows\system32\ehiqxnjl.dll
c:\windows\system32\elbdptll.exe
c:\windows\system32\enlmfgpf.exe
c:\windows\system32\eqtlgpse.dll
c:\windows\system32\evlsxunc.dll
c:\windows\system32\ewbosxwq.dll
c:\windows\system32\eydurjwl.dll
c:\windows\system32\fjaytyda.dll
c:\windows\system32\flgrppyi.dll
c:\windows\system32\gbhcanvp.dll
c:\windows\system32\geixpsuf.dll
c:\windows\system32\hbojrlae.dll
c:\windows\system32\hhgaacml.dll
c:\windows\system32\hobqxxcp.dll
c:\windows\system32\htkeowmd.dll
c:\windows\system32\hxpfnawa.dll
c:\windows\system32\ifkrebso.dll
c:\windows\system32\igbvjvoj.dll
c:\windows\system32\ijpiongk.dll
c:\windows\system32\itmxgvxs.dll
c:\windows\system32\ivafggkv.dll
c:\windows\system32\jeqyltye.dll
c:\windows\system32\jgptkvov.dll
c:\windows\system32\jqodywsg.dll
c:\windows\system32\julpalwr.dll
c:\windows\system32\justktxa.dll
c:\windows\system32\jwwkkukj.dll
c:\windows\system32\kbnnjyso.dll
c:\windows\system32\klqcgtlk.dll
c:\windows\system32\kocdcuam.dll
c:\windows\system32\miwjbueh.dll
c:\windows\system32\mpgdfnyp.dll
c:\windows\system32\mqqtaggo.dll
c:\windows\system32\nluckdkd.dll
c:\windows\system32\notcnofl.dll
c:\windows\system32\ofsmcqoj.dll
c:\windows\system32\ppgjgmdp.dll
c:\windows\system32\pqmvxvbt.dll
c:\windows\system32\pvuglqtl.dll
c:\windows\system32\qcxqyydk.dll
c:\windows\system32\qdbvoyqg.exe
c:\windows\system32\qdyfgpkl.dll
c:\windows\system32\qhtjqfea.dll
c:\windows\system32\qqygyngj.exe
c:\windows\system32\quslbuvt.dll
c:\windows\system32\qwkyhhli.dll
c:\windows\system32\rekxwvts.dll
c:\windows\system32\revdywcr.dll
c:\windows\system32\rruetwhg.dll
c:\windows\system32\rwuusnja.dll
c:\windows\system32\snrsahtg.dll
c:\windows\system32\srwnvecd.dll
c:\windows\system32\ssruwjjr.dll
c:\windows\system32\tyhkfbdb.exe
c:\windows\system32\tyxhpqwu.dll
c:\windows\system32\uconpslk.dll
c:\windows\system32\ucsbsipk.dll
c:\windows\system32\ufrocfko.dll
c:\windows\system32\uhxdqmxr.dll
c:\windows\system32\ujavnxgi.dll
c:\windows\system32\uliejeyi.dll
c:\windows\system32\unckfepq.dll
c:\windows\system32\upiceopu.dll
c:\windows\system32\uvfvmell.dll
c:\windows\system32\uwknlsxk.dll
c:\windows\system32\uxeasvac.dll
c:\windows\system32\vdwaoevh.dll
c:\windows\system32\vkscqftu.dll
c:\windows\system32\vxglowhe.exe
c:\windows\system32\wdjfsded.dll
c:\windows\system32\weiudsty.dll
c:\windows\system32\wohjhyia.dll
c:\windows\system32\wruvuosk.dll
c:\windows\system32\xmnibatb.dll
c:\windows\system32\xpxxxefp.dll
c:\windows\system32\yqcfgrwv.dll
c:\windows\system32\yvacgohj.dll
c:\windows\TEMP\logishrd\LVPrcInj01.dll

.
((((((((((((((((((((((((( Files Created from 2009-05-03 to 2009-06-03 )))))))))))))))))))))))))))))))
.

2009-06-01 23:13 . 2009-06-01 23:13 -------- d-----w- c:\documents and settings\Sam\Application Data\Malwarebytes
2009-06-01 23:13 . 2009-05-26 20:20 40160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-01 23:13 . 2009-06-01 23:13 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-01 23:13 . 2009-06-01 23:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-06-01 23:13 . 2009-05-26 20:19 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-05-04 04:38 . 2009-05-04 04:38 -------- d-----w- C:\KUNG_FU_PANDA

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-03 01:26 . 2009-03-26 02:44 -------- d-----w- c:\documents and settings\Sam\Application Data\Skype
2009-06-03 01:25 . 2009-03-26 02:47 -------- d-----w- c:\documents and settings\Sam\Application Data\skypePM
2009-06-03 01:24 . 2008-05-22 04:28 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-06-01 22:56 . 2008-12-05 01:23 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-06-01 22:45 . 2008-05-22 04:16 -------- d-----w- c:\program files\Java
2009-05-29 00:39 . 2008-05-22 04:23 -------- d-----w- c:\program files\Google
2009-05-03 21:38 . 2009-05-03 21:38 -------- d-----w- c:\documents and settings\Sam\Application Data\dvdcss
2009-05-03 21:30 . 2009-05-03 03:14 -------- d-----w- c:\documents and settings\Sam\Application Data\Vso
2009-05-03 21:30 . 2009-05-03 03:14 47360 ----a-w- c:\documents and settings\Sam\Application Data\pcouffin.sys
2009-05-03 21:30 . 2009-05-03 03:14 47360 ----a-w- c:\documents and settings\Sam\Application Data\pcouffin.sys
2009-05-03 03:14 . 2009-05-03 03:14 47360 ----a-w- c:\windows\system32\drivers\pcouffin.sys
2009-05-03 00:49 . 2008-05-22 04:23 -------- d-----w- c:\program files\CyberLink
2009-05-03 00:49 . 2008-05-22 04:18 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-04-27 04:12 . 2009-04-27 04:12 -------- d-----w- c:\program files\7-Zip
2009-04-18 00:04 . 2009-03-10 21:45 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-04-12 22:14 . 2009-04-12 22:13 -------- d-----w- c:\program files\iTunes
2009-04-12 22:14 . 2009-04-12 22:13 -------- d-----w- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-04-12 22:13 . 2009-04-12 22:13 -------- d-----w- c:\program files\iPod
2009-04-12 22:13 . 2008-08-09 00:15 -------- d-----w- c:\program files\Common Files\Apple
2009-04-12 22:04 . 2009-04-12 22:01 -------- d-----w- c:\program files\QuickTime
2009-04-12 21:45 . 2009-04-12 21:45 75048 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.1.1.10\SetupAdmin.exe
2009-04-12 21:43 . 2009-04-12 21:43 -------- d-----w- c:\program files\Bonjour
2009-04-09 20:38 . 2008-10-20 22:49 -------- d-----w- c:\program files\Common Files\Adobe
2009-04-02 23:00 . 2008-08-08 23:31 52752 ----a-w- c:\windows\system32\drivers\tmactmon.sys
2009-04-02 23:00 . 2008-08-08 23:31 52624 ----a-w- c:\windows\system32\drivers\tmevtmgr.sys
2009-04-02 23:00 . 2008-08-08 23:31 142864 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2009-03-27 03:24 . 2009-03-27 03:24 5745 ----a-w- c:\windows\system32\bseummam.dll
2009-03-26 22:23 . 2009-04-12 21:50 1900544 ----a-w- c:\windows\system32\usbaaplrc.dll
2009-03-26 22:23 . 2008-11-23 23:24 36864 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2009-03-26 15:27 . 2009-03-26 15:27 5745 ----a-w- c:\windows\system32\hhjyypug.dll
2009-03-26 15:24 . 2009-03-26 15:24 5749 ----a-w- c:\windows\system32\xvdspmds.dll
2009-03-26 04:36 . 2009-03-26 04:36 127034 ------r- c:\windows\bwUnin-8.1.1.50-8876480SL.exe
2009-03-26 03:28 . 2009-03-26 03:28 5749 ----a-w- c:\windows\system32\qrfehyro.dll
2009-03-26 03:25 . 2009-03-26 03:25 5745 ----a-w- c:\windows\system32\oljrxxrn.dll
2009-03-26 02:47 . 2009-03-26 02:47 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2009-03-19 23:32 . 2009-03-19 23:32 23400 ----a-w- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}\x86\x86\GEARAspiWDM.sys
2009-03-19 23:32 . 2008-01-29 19:01 23400 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2009-03-18 22:56 . 2009-03-18 22:56 5745 ----a-w- c:\windows\system32\othtfyur.dll
2009-03-18 22:53 . 2009-03-18 22:53 5749 ----a-w- c:\windows\system32\omoqqjrr.dll
2009-03-18 08:01 . 2009-03-18 08:01 5749 ----a-w- c:\windows\system32\gsvumxat.dll
2009-03-18 07:58 . 2009-03-18 07:58 5745 ----a-w- c:\windows\system32\soscrtij.dll
2009-03-17 19:59 . 2009-03-17 19:59 721 ----a-w- c:\windows\system32\mbyshosu.dll
2009-03-17 19:58 . 2009-03-17 19:58 725 ----a-w- c:\windows\system32\emprsyyu.dll
2009-03-16 19:19 . 2009-03-16 19:19 721 ----a-w- c:\windows\system32\tmocnldj.dll
2009-03-16 19:18 . 2009-03-16 19:18 725 ----a-w- c:\windows\system32\hiudftaq.dll
2009-03-15 22:08 . 2009-03-15 22:08 721 ----a-w- c:\windows\system32\owqggabq.dll
2009-03-15 00:54 . 2009-03-15 00:54 721 ----a-w- c:\windows\system32\xxaxpffl.dll
2009-03-14 20:30 . 2009-03-14 20:30 721 ----a-w- c:\windows\system32\kdkglkyg.dll
2009-03-14 20:27 . 2009-03-14 20:27 725 ----a-w- c:\windows\system32\houwaxxt.dll
2009-03-14 08:30 . 2009-03-14 08:30 5745 ----a-w- c:\windows\system32\iqtaloxs.dll
2009-03-14 08:27 . 2009-03-14 08:27 5749 ----a-w- c:\windows\system32\dngdinvk.dll
2009-03-13 20:28 . 2009-03-13 20:28 5749 ----a-w- c:\windows\system32\cpdewhya.dll
2009-03-13 20:25 . 2009-03-13 20:25 721 ----a-w- c:\windows\system32\itlsuilm.dll
2009-03-12 20:40 . 2009-03-12 20:40 5745 ----a-w- c:\windows\system32\ioibqohf.dll
2009-03-12 20:38 . 2009-03-12 20:38 725 ----a-w- c:\windows\system32\rkxkvrhm.dll
2009-03-11 19:26 . 2009-03-11 19:26 5749 ----a-w- c:\windows\system32\mdsetnfk.dll
2009-03-11 19:24 . 2009-03-11 19:24 721 ----a-w- c:\windows\system32\oxalgekt.dll
2009-03-10 18:14 . 2009-03-10 18:14 5745 ----a-w- c:\windows\system32\rpkdcdbm.dll
2009-03-09 21:14 . 2009-03-09 21:14 5749 ----a-w- c:\windows\system32\ppwyercy.dll
2009-03-09 21:12 . 2009-03-09 21:12 721 ----a-w- c:\windows\system32\thgybyyk.dll
2009-03-08 20:29 . 2009-03-08 20:29 5749 ----a-w- c:\windows\system32\lrjfxhbk.dll
2009-03-08 20:26 . 2009-03-08 20:26 5745 ----a-w- c:\windows\system32\lixcieho.dll
2009-03-07 21:48 . 2009-03-07 21:48 721 ----a-w- c:\windows\system32\jhdlifda.dll
2009-03-07 08:44 . 2009-03-07 08:44 5749 ----a-w- c:\windows\system32\eynlihwo.dll
2009-03-07 08:44 . 2009-03-07 08:44 5745 ----a-w- c:\windows\system32\trflxkyk.dll
2009-03-06 20:48 . 2009-03-06 20:48 5745 ----a-w- c:\windows\system32\edtmircw.dll
2009-03-06 20:45 . 2009-03-06 20:45 725 ----a-w- c:\windows\system32\xphmoixf.dll
2009-03-05 19:33 . 2009-03-05 19:33 725 ----a-w- c:\windows\system32\rcwayskg.dll
2009-03-05 19:31 . 2009-03-05 19:31 721 ----a-w- c:\windows\system32\crehevtm.dll
.

------- Sigcheck -------

[7] 2004-08-04 10:00 24576 39B1FFB03C2296323832ACBAE50D2AFF c:\windows\$NtServicePackUninstall$\userinit.exe
[7] 2008-04-14 00:12 26112 A93AEE1928A9D7CE3E16D24EC7380F89 c:\windows\ServicePackFiles\i386\userinit.exe
[-] 2008-04-14 00:12 26112 !HASH: COULD NOT OPEN FILE ! c:\windows\system32\userinit.exe
.
((((((((((((((((((((((((((((( SnapShot@2009-06-02_21.17.23 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-06-03 01:24 . 2009-06-03 01:24 16384 c:\windows\Temp\Perflib_Perfdata_e98.dat
+ 2009-06-03 01:16 . 2009-06-03 01:16 16384 c:\windows\Temp\Perflib_Perfdata_938.dat
+ 2009-06-03 01:21 . 2009-06-03 01:21 16384 c:\windows\Temp\Perflib_Perfdata_1dc.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-14 206064]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-05-22 68856]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"Skype"="c:\program files\Skype\\Phone\Skype.exe" [2009-04-16 24264488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-03-27 1024000]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-05-10 90112]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2007-10-09 2183168]
"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\stsystra.exe" [2008-03-31 405504]
"ECenter"="c:\dell\E-Center\EULALauncher.exe" [2008-02-28 17920]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2008-03-11 16384]
"UfSeAgnt.exe"="c:\program files\Trend Micro\Internet Security\UfSeAgnt.exe" [2009-02-01 1398024]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-03-26 177472]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-14 206064]
"hpbdfawep"="c:\program files\HP\Dfawep\bin\hpbdfawep.exe" [2007-04-25 954368]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-01-17 185872]
"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2008-02-13 564496]
"LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam\Quickcam.exe" [2008-02-13 2196240]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-04-02 342312]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-06-01 148888]

c:\documents and settings\Sam\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2007-12-7 101440]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Dell Network Assistant.lnk - c:\windows\Installer\{0240BDFB-2995-4A3F-8C96-18D41282B716}\Icon0240BDFB3.exe [2008-5-21 7168]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2008-5-21 50688]
Logitech Desktop Messenger.lnk - c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe [2009-3-25 66864]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Ruckus Player\\Ruckus.exe"=
"c:\\Program Files\\Dell Network Assistant\\ezi_hnm2.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\drivers\\svchost.exe"=
"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"10421:UDP"= 10421:UDP:SingleClick Discovery Protocol
"10426:UDP"= 10426:UDP:SingleClick ICC

R0 atiide;atiide;c:\windows\system32\drivers\atiide.sys [5/21/2008 8:57 PM 3456]
R2 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [8/8/2008 4:31 PM 52624]
R2 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [2/15/2008 7:37 AM 36368]
R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\drivers\TM_CFW.sys [2/15/2008 7:37 AM 333328]
R3 TmPfw;Trend Micro Personal Firewall;c:\progra~1\TRENDM~1\INTERN~1\TmPfw.exe [8/8/2008 4:31 PM 488768]
R3 tmproxy;Trend Micro Proxy Service;c:\program files\Trend Micro\Internet Security\TmProxy.exe [8/8/2008 4:31 PM 648456]
.
Contents of the 'Scheduled Tasks' folder

2009-05-30 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-12 19:34]
.
.
------- Supplementary Scan -------
.
uStart Page = partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=1080522
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
FF - ProfilePath - c:\documents and settings\Sam\Application Data\Mozilla\Firefox\Profiles\k9fxumxz.default\
FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-02 18:21
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1232)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(6632)
c:\windows\TEMP\logishrd\LVPrcInj01.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\WLTRYSVC.EXE
c:\windows\system32\BCMWLTRY.EXE
c:\windows\system32\ati2evxx.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Dell Network Assistant\hnm_svc.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
c:\program files\Trend Micro\Internet Security\SfCtlCom.exe
c:\program files\Dell Support Center\bin\sprtsvc.exe
c:\program files\Trend Micro\BM\TMBMSRV.exe
c:\windows\system32\spool\drivers\w32x86\3\HP1006MC.EXE
c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
c:\program files\ATI Technologies\ATI.ACE\CLI.exe
c:\program files\Skype\Phone\Skype.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Dell Network Assistant\ezi_hnm2.exe
c:\program files\Common Files\LogiShrd\LQCVFX\COCIManager.exe
c:\program files\ATI Technologies\ATI.ACE\CLI.exe
c:\program files\Skype\Plugin Manager\skypePM.exe
.
**************************************************************************
.
Completion time: 2009-06-03 18:29 - machine was rebooted
ComboFix-quarantined-files.txt 2009-06-03 01:29
ComboFix2.txt 2009-06-02 21:23

Pre-Run: 64,103,305,216 bytes free
Post-Run: 64,062,332,928 bytes free

415 --- E O F --- 2009-01-14 06:48
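The expert's CFScript in post #6 and the Find3M report in the log just above show the pattern being worked by hand: dozens of tiny, randomly named .dll/.exe files sitting directly in system32, plus a firewall policy that had been switched off. The following Python helper is an added example, not code from this thread, from ComboFix or from BleepingComputer; it parses log lines of the same shape and lists candidates for a human to review. The file names in the constructed sample are copied from the log above, but the triage heuristic itself (eight lowercase letters, under 8192 bytes, both timestamps identical, directly in system32) and the `max_size` threshold are my assumptions, and the output is a review list, not a removal script.

```python
import re

# Constructed sample input: Find3M rows in the shape ComboFix prints them
# (timestamp . timestamp size attributes path). File names come from the log
# in this thread; the subset chosen is constructed for the demo.
SAMPLE_FIND3M = r"""
2009-06-01 22:56 . 2008-12-05 01:23 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-04-02 23:00 . 2008-08-08 23:31 52624 ----a-w- c:\windows\system32\drivers\tmevtmgr.sys
2009-03-27 03:24 . 2009-03-27 03:24 5745 ----a-w- c:\windows\system32\bseummam.dll
2009-03-26 22:23 . 2009-04-12 21:50 1900544 ----a-w- c:\windows\system32\usbaaplrc.dll
2009-03-26 15:27 . 2009-03-26 15:27 5745 ----a-w- c:\windows\system32\hhjyypug.dll
2009-03-17 19:59 . 2009-03-17 19:59 721 ----a-w- c:\windows\system32\mbyshosu.dll
2009-03-17 19:58 . 2009-03-17 19:58 725 ----a-w- c:\windows\system32\emprsyyu.dll
2009-04-27 04:12 . 2009-04-27 04:12 -------- d-----w- c:\program files\7-Zip
"""

# Constructed sample input: registry lines as printed under "Reg Loading Points".
SAMPLE_REG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"""

FIND3M_RE = re.compile(
    r"^(?P<ts1>\d{4}-\d\d-\d\d \d\d:\d\d) \. "
    r"(?P<ts2>\d{4}-\d\d-\d\d \d\d:\d\d) "
    r"(?P<size>\S+) (?P<attrs>\S+) (?P<path>.+)$"
)
# Assumed heuristic, taken from the pattern in this thread's log: eight random
# lowercase letters, .dll or .exe, dropped directly into system32.
RANDOM_NAME_RE = re.compile(r"^[a-z]{8}\.(dll|exe)$")
SYSTEM32 = "c:\\windows\\system32\\"


def parse_find3m(text):
    """Turn Find3M report lines into dicts; directories get size None."""
    rows = []
    for line in text.splitlines():
        m = FIND3M_RE.match(line.strip())
        if not m:
            continue  # banners, blank lines, anything unparseable
        row = m.groupdict()
        row["size"] = int(row["size"]) if row["size"].isdigit() else None
        row["path"] = row["path"].lower()
        rows.append(row)
    return rows


def suspicious_system32_files(rows, max_size=8192):
    """Flag tiny random-named files directly in system32 whose two timestamps
    match (written once, never updated, unlike patched system files). All the
    conditions must hold; each alone over-matches: deploytk.dll is eight
    letters but large, with differing timestamps, so it is not flagged."""
    hits = []
    for row in rows:
        if not row["path"].startswith(SYSTEM32):
            continue
        name = row["path"][len(SYSTEM32):]
        if "\\" in name:  # skip subdirectories such as system32\drivers
            continue
        if row["size"] is None or row["size"] > max_size:
            continue
        if not RANDOM_NAME_RE.match(name) or row["ts1"] != row["ts2"]:
            continue
        hits.append(row["path"])
    return hits


REG_KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
REG_VAL_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<value>.*)$')


def parse_reg_block(text):
    """Parse REGEDIT4-style blocks into {key (lowercased): {name: value}}."""
    result, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        km = REG_KEY_RE.match(line)
        if km:
            key = km.group("key").lower()
            result.setdefault(key, {})
        elif key is not None:
            vm = REG_VAL_RE.match(line)
            if vm:
                result[key][vm.group("name")] = vm.group("value").strip()
    return result


def reg_dword(value):
    """Normalise 'dword:00000001' and '0 (0x0)' to an int; None if not numeric."""
    m = re.match(r"dword:([0-9a-f]+)", value, re.I)
    if m:
        return int(m.group(1), 16)
    m = re.match(r"\d+", value)
    return int(m.group(0)) if m else None


FW_KEY = r"hklm\~\services\sharedaccess\parameters\firewallpolicy\standardprofile"


def security_posture_findings(reg):
    """Report settings that weaken the host. EnableFirewall=0 is the value the
    CFScript in this thread resets; DisableMonitoring is informational only,
    since a third-party suite normally sets it for its own Security Center entry."""
    findings = []
    if reg_dword(reg.get(FW_KEY, {}).get("EnableFirewall", "")) == 0:
        findings.append("warn: Windows Firewall disabled (EnableFirewall=0)")
    for key, values in reg.items():
        if "security center\\monitoring\\" in key and \
                reg_dword(values.get("DisableMonitoring", "")) == 1:
            findings.append("info: Security Center monitoring off for " + key.rsplit("\\", 1)[-1])
    return findings


if __name__ == "__main__":
    for path in suspicious_system32_files(parse_find3m(SAMPLE_FIND3M)):
        print("review:", path)
    for finding in security_posture_findings(parse_reg_block(SAMPLE_REG)):
        print(finding)
```

Run against the sample, the four tiny random-named DLLs are listed for review while deploytk.dll, the driver under system32\drivers and the 7-Zip directory are not, and the disabled firewall policy is reported as a warning. The point of combining three weak signals is exactly the false positive deploytk.dll would otherwise produce; any such list still needs a person to confirm each entry, as the expert's warning about the script being machine-specific makes clear.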

#8 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:10:05 AM

Posted 02 June 2009 - 09:56 PM

Hi elgruposam,

You deserve the prize for the most infected computer this month. I am surprised it even runs.
:thumbup2:
Is this your computer? Or a client's?

How did it get so infected? These infections go back for months.

It is going to take me a while to write the script.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#9 elgruposam

elgruposam
  • Topic Starter

  • Members
  • 10 posts
  • Local time:10:05 AM

Posted 03 June 2009 - 10:03 PM

Haha, yeah, I guess it did get pretty bad. It is my computer, but I haven't been using it as much as I used to; it started acting weird a while ago.
Thanks so much for all your help, it's been running better.

#10 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:10:05 AM

Posted 03 June 2009 - 10:24 PM

Hi elgruposam,

What a mess!

You need to disable your Trend Micro Internet Security before running ComboFix, as it will prevent it from running.

Disable Trend Micro PC-cillin Internet Security.

Click Start, then Run and type Notepad and click OK.
Open notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the code box below into notepad:

file::
c:\windows\system32\bseummam.dll
c:\windows\system32\hhjyypug.dll
c:\windows\system32\xvdspmds.dll
c:\windows\bwUnin-8.1.1.50-8876480SL.exe
c:\windows\system32\qrfehyro.dll
c:\windows\system32\oljrxxrn.dll
c:\windows\system32\ezsidmv.dat
c:\windows\system32\othtfyur.dll
c:\windows\system32\omoqqjrr.dll
c:\windows\system32\gsvumxat.dll
c:\windows\system32\soscrtij.dll
c:\windows\system32\mbyshosu.dll
c:\windows\system32\emprsyyu.dll
c:\windows\system32\tmocnldj.dll
c:\windows\system32\hiudftaq.dll
c:\windows\system32\owqggabq.dll
c:\windows\system32\xxaxpffl.dll
c:\windows\system32\kdkglkyg.dll
c:\windows\system32\houwaxxt.dll
c:\windows\system32\iqtaloxs.dll
c:\windows\system32\dngdinvk.dll
c:\windows\system32\cpdewhya.dll
c:\windows\system32\itlsuilm.dll
c:\windows\system32\ioibqohf.dll
c:\windows\system32\rkxkvrhm.dll
c:\windows\system32\mdsetnfk.dll
c:\windows\system32\oxalgekt.dll
c:\windows\system32\rpkdcdbm.dll
c:\windows\system32\ppwyercy.dll
c:\windows\system32\thgybyyk.dll
c:\windows\system32\lrjfxhbk.dll
c:\windows\system32\lixcieho.dll
c:\windows\system32\jhdlifda.dll
c:\windows\system32\eynlihwo.dll
c:\windows\system32\trflxkyk.dll
c:\windows\system32\edtmircw.dll
c:\windows\system32\xphmoixf.dll
c:\windows\system32\rcwayskg.dll
c:\windows\system32\crehevtm.dll


Name the Notepad file CFScript.txt and Save it to your desktop.

IMPORTANT: The above script was written specifically for this infection on this person's computer. It is NOT to be used on another computer, as it may cause damage that could result in a format!

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

Posted Image


This will start ComboFix again. After the reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply.
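A way to verify a run like the one requested above, added here as an example and not part of ComboFix or of the thread's instructions: it parses a CFScript `File::` list and a ComboFix report (a constructed excerpt laid out like the FILE ::, Other Deletions and Sigcheck sections of the log posted further down, with one requested file deliberately left out of Other Deletions), checks that the paths the log echoed are the ones the script asked for (the Notepad-only rule above exists because a mangled script fails right there), lists anything requested but not reported deleted, and flags Sigcheck rows whose hash could not be read, as the report below shows for userinit.exe.

```python
"""Cross-check a ComboFix run against the CFScript that drove it.
Example added to this thread; not part of ComboFix or the BleepingComputer
instructions. The two samples are constructed in the layout of the report
posted in the thread; one requested file is left out of Other Deletions.
"""
import re
from typing import Dict, List

SAMPLE_CFSCRIPT = r"""
file::
c:\windows\system32\bseummam.dll
c:\windows\system32\hhjyypug.dll
c:\windows\bwUnin-8.1.1.50-8876480SL.exe
c:\windows\system32\ezsidmv.dat
"""

SAMPLE_LOG = r"""
FILE ::
"c:\windows\bwUnin-8.1.1.50-8876480SL.exe"
"c:\windows\system32\bseummam.dll"
"c:\windows\system32\ezsidmv.dat"
"c:\windows\system32\hhjyypug.dll"
.
((((((((((( Other Deletions )))))))))))
.
c:\windows\bwUnin-8.1.1.50-8876480SL.exe
c:\windows\system32\bseummam.dll
c:\windows\system32\ezsidmv.dat
c:\windows\TEMP\logishrd\LVPrcInj01.dll
.
------- Sigcheck -------
[7] 2008-04-14 00:12 26112 A93AEE1928A9D7CE3E16D24EC7380F89 c:\windows\ServicePackFiles\i386\userinit.exe
[-] 2008-04-14 00:12 26112 !HASH: COULD NOT OPEN FILE ! c:\windows\system32\userinit.exe
.
"""

DIRECTIVE_RE = re.compile(r"^(\w+)::\s*$")
MD5_RE = re.compile(r"^[0-9A-Fa-f]{32}$")
SIGCHECK_RE = re.compile(
    r"^\[(?P<tag>.)\]\s+(?P<stamp>\S+ \S+)\s+(?P<size>\d+)\s+"
    r"(?P<hash>[0-9A-Fa-f]{32}|!HASH:.*?!)\s+(?P<path>[A-Za-z]:\\.+)$"
)


def parse_cfscript(text: str) -> Dict[str, List[str]]:
    """Return {directive: [entries]}; directive names and paths are lowercased."""
    sections: Dict[str, List[str]] = {}
    current = None
    for line in (l.strip() for l in text.splitlines()):
        m = DIRECTIVE_RE.match(line)
        if m:
            current = m.group(1).lower()
            sections.setdefault(current, [])
        elif line and current is not None:
            sections[current].append(line.lower())
    return sections


def _block_after(lines: List[str], start: int) -> List[str]:
    # Entries after a banner: skip '.'/blank filler, then read until the next one.
    i = start + 1
    while i < len(lines) and lines[i].strip() in ("", "."):
        i += 1
    block: List[str] = []
    while i < len(lines) and lines[i].strip() not in ("", "."):
        block.append(lines[i].strip())
        i += 1
    return block


def parse_combofix_log(text: str) -> Dict[str, list]:
    """Pull the FILE :: echo, the Other Deletions block and the Sigcheck rows."""
    lines = text.splitlines()
    out: Dict[str, list] = {"echoed": [], "deleted": [], "sigcheck": []}
    in_sigcheck = False
    for idx, line in enumerate(l.strip() for l in lines):
        if line == "FILE ::":
            out["echoed"] = [p.strip('"').lower() for p in _block_after(lines, idx)]
        elif line.startswith("(") and "Other Deletions" in line:
            out["deleted"] = [p.lower() for p in _block_after(lines, idx)]
        elif line.startswith("-------") and "Sigcheck" in line:
            in_sigcheck = True
        elif in_sigcheck and line == ".":
            in_sigcheck = False
        elif in_sigcheck and line.startswith("["):
            m = SIGCHECK_RE.match(line)  # unparsable rows keep an empty hash, so they are flagged
            out["sigcheck"].append(m.groupdict() if m else {"path": line, "hash": ""})
    return out


def check_run(cfscript_text: str, log_text: str) -> Dict[str, object]:
    """Compare what the script asked for with what the log reports."""
    requested = set(parse_cfscript(cfscript_text).get("file", []))
    log = parse_combofix_log(log_text)
    echoed, deleted = set(log["echoed"]), set(log["deleted"])
    findings: List[str] = []
    if echoed != requested:  # a script saved by another editor shows up here
        findings.append("FILE :: block in the log does not match CFScript.txt")
    for path in sorted(requested - deleted):
        findings.append(f"requested but not reported deleted: {path}")
    for row in log["sigcheck"]:
        if not MD5_RE.match(row["hash"]):  # hash column unreadable, e.g. file locked
            findings.append(f"sigcheck could not hash {row['path']}")
    return {"not_deleted": requested - deleted, "extra_deleted": deleted - requested,
            "findings": findings}
```

The `[7]`/`[-]` tag and the other Sigcheck columns are captured but not interpreted; only a missing MD5 is treated as a finding.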

#11 elgruposam

elgruposam
  • Topic Starter

  • Members
  • 10 posts
  • Local time:10:05 AM

Posted 04 June 2009 - 09:09 PM

ComboFix 09-06-01.03 - Sam 06/04/2009 18:44.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1918.1359 [GMT -7:00]
Running from: c:\documents and settings\Sam\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Sam\Desktop\CFScript.txt
AV: Trend Micro Internet Security *On-access scanning disabled* (Updated) {7D2296BC-32CC-4519-917E-52E652474AF5}
FW: Trend Micro Personal Firewall *disabled* {3E790E9E-6A5D-4303-A7F9-185EC20F3EB6}

FILE ::
"c:\windows\bwUnin-8.1.1.50-8876480SL.exe"
"c:\windows\system32\bseummam.dll"
"c:\windows\system32\cpdewhya.dll"
"c:\windows\system32\crehevtm.dll"
"c:\windows\system32\dngdinvk.dll"
"c:\windows\system32\edtmircw.dll"
"c:\windows\system32\emprsyyu.dll"
"c:\windows\system32\eynlihwo.dll"
"c:\windows\system32\ezsidmv.dat"
"c:\windows\system32\gsvumxat.dll"
"c:\windows\system32\hhjyypug.dll"
"c:\windows\system32\hiudftaq.dll"
"c:\windows\system32\houwaxxt.dll"
"c:\windows\system32\ioibqohf.dll"
"c:\windows\system32\iqtaloxs.dll"
"c:\windows\system32\itlsuilm.dll"
"c:\windows\system32\jhdlifda.dll"
"c:\windows\system32\kdkglkyg.dll"
"c:\windows\system32\lixcieho.dll"
"c:\windows\system32\lrjfxhbk.dll"
"c:\windows\system32\mbyshosu.dll"
"c:\windows\system32\mdsetnfk.dll"
"c:\windows\system32\oljrxxrn.dll"
"c:\windows\system32\omoqqjrr.dll"
"c:\windows\system32\othtfyur.dll"
"c:\windows\system32\owqggabq.dll"
"c:\windows\system32\oxalgekt.dll"
"c:\windows\system32\ppwyercy.dll"
"c:\windows\system32\qrfehyro.dll"
"c:\windows\system32\rcwayskg.dll"
"c:\windows\system32\rkxkvrhm.dll"
"c:\windows\system32\rpkdcdbm.dll"
"c:\windows\system32\soscrtij.dll"
"c:\windows\system32\thgybyyk.dll"
"c:\windows\system32\tmocnldj.dll"
"c:\windows\system32\trflxkyk.dll"
"c:\windows\system32\xphmoixf.dll"
"c:\windows\system32\xvdspmds.dll"
"c:\windows\system32\xxaxpffl.dll"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\bwUnin-8.1.1.50-8876480SL.exe
c:\windows\system32\bseummam.dll
c:\windows\system32\cpdewhya.dll
c:\windows\system32\crehevtm.dll
c:\windows\system32\dngdinvk.dll
c:\windows\system32\edtmircw.dll
c:\windows\system32\emprsyyu.dll
c:\windows\system32\eynlihwo.dll
c:\windows\system32\ezsidmv.dat
c:\windows\system32\gsvumxat.dll
c:\windows\system32\hhjyypug.dll
c:\windows\system32\hiudftaq.dll
c:\windows\system32\houwaxxt.dll
c:\windows\system32\ioibqohf.dll
c:\windows\system32\iqtaloxs.dll
c:\windows\system32\itlsuilm.dll
c:\windows\system32\jhdlifda.dll
c:\windows\system32\kdkglkyg.dll
c:\windows\system32\lixcieho.dll
c:\windows\system32\lrjfxhbk.dll
c:\windows\system32\mbyshosu.dll
c:\windows\system32\mdsetnfk.dll
c:\windows\system32\oljrxxrn.dll
c:\windows\system32\omoqqjrr.dll
c:\windows\system32\othtfyur.dll
c:\windows\system32\owqggabq.dll
c:\windows\system32\oxalgekt.dll
c:\windows\system32\ppwyercy.dll
c:\windows\system32\qrfehyro.dll
c:\windows\system32\rcwayskg.dll
c:\windows\system32\rkxkvrhm.dll
c:\windows\system32\rpkdcdbm.dll
c:\windows\system32\soscrtij.dll
c:\windows\system32\thgybyyk.dll
c:\windows\system32\tmocnldj.dll
c:\windows\system32\trflxkyk.dll
c:\windows\system32\xphmoixf.dll
c:\windows\system32\xvdspmds.dll
c:\windows\system32\xxaxpffl.dll
c:\windows\TEMP\logishrd\LVPrcInj01.dll

.
((((((((((((((((((((((((( Files Created from 2009-05-05 to 2009-06-05 )))))))))))))))))))))))))))))))
.

2009-06-02 22:24 . 2009-03-06 14:22 284160 ------w- c:\windows\system32\dllcache\pdh.dll
2009-06-02 22:24 . 2009-02-09 12:10 401408 ------w- c:\windows\system32\dllcache\rpcss.dll
2009-06-02 22:24 . 2009-02-06 10:39 35328 ------w- c:\windows\system32\dllcache\sc.exe
2009-06-02 22:24 . 2009-02-09 12:10 729088 ------w- c:\windows\system32\dllcache\lsasrv.dll
2009-06-02 22:24 . 2009-02-09 12:10 473600 ------w- c:\windows\system32\dllcache\fastprox.dll
2009-06-02 22:24 . 2009-02-09 12:10 453120 ------w- c:\windows\system32\dllcache\wmiprvsd.dll
2009-06-02 22:24 . 2009-02-06 11:11 110592 ------w- c:\windows\system32\dllcache\services.exe
2009-06-02 22:24 . 2009-02-06 10:10 227840 ------w- c:\windows\system32\dllcache\wmiprvse.exe
2009-06-02 22:24 . 2009-02-09 12:10 617472 ------w- c:\windows\system32\dllcache\advapi32.dll
2009-06-02 22:24 . 2009-02-09 12:10 714752 ------w- c:\windows\system32\dllcache\ntdll.dll
2009-06-02 21:26 . 2008-05-03 11:55 2560 ------w- c:\windows\system32\xpsp4res.dll
2009-06-02 21:26 . 2008-04-21 12:08 215552 ------w- c:\windows\system32\dllcache\wordpad.exe
2009-06-01 23:13 . 2009-06-01 23:13 -------- d-----w- c:\documents and settings\Sam\Application Data\Malwarebytes
2009-06-01 23:13 . 2009-05-26 20:20 40160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-01 23:13 . 2009-06-01 23:13 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-01 23:13 . 2009-06-01 23:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-06-01 23:13 . 2009-05-26 20:19 19096 ----a-w- c:\windows\system32\drivers\mbam.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-05 01:51 . 2008-05-22 04:28 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-06-05 01:35 . 2009-03-26 02:44 -------- d-----w- c:\documents and settings\Sam\Application Data\Skype
2009-06-04 22:10 . 2009-03-26 02:47 -------- d-----w- c:\documents and settings\Sam\Application Data\skypePM
2009-06-03 06:50 . 2008-08-09 00:40 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-06-01 22:56 . 2008-12-05 01:23 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-06-01 22:45 . 2008-05-22 04:16 -------- d-----w- c:\program files\Java
2009-05-29 00:39 . 2008-05-22 04:23 -------- d-----w- c:\program files\Google
2009-05-03 21:38 . 2009-05-03 21:38 -------- d-----w- c:\documents and settings\Sam\Application Data\dvdcss
2009-05-03 21:30 . 2009-05-03 03:14 -------- d-----w- c:\documents and settings\Sam\Application Data\Vso
2009-05-03 21:30 . 2009-05-03 03:14 47360 ----a-w- c:\documents and settings\Sam\Application Data\pcouffin.sys
2009-05-03 21:30 . 2009-05-03 03:14 47360 ----a-w- c:\documents and settings\Sam\Application Data\pcouffin.sys
2009-05-03 03:14 . 2009-05-03 03:14 47360 ----a-w- c:\windows\system32\drivers\pcouffin.sys
2009-05-03 00:49 . 2008-05-22 04:23 -------- d-----w- c:\program files\CyberLink
2009-05-03 00:49 . 2008-05-22 04:18 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-04-27 04:12 . 2009-04-27 04:12 -------- d-----w- c:\program files\7-Zip
2009-04-18 00:04 . 2009-03-10 21:45 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-04-12 22:14 . 2009-04-12 22:13 -------- d-----w- c:\program files\iTunes
2009-04-12 22:14 . 2009-04-12 22:13 -------- d-----w- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-04-12 22:13 . 2009-04-12 22:13 -------- d-----w- c:\program files\iPod
2009-04-12 22:13 . 2008-08-09 00:15 -------- d-----w- c:\program files\Common Files\Apple
2009-04-12 22:04 . 2009-04-12 22:01 -------- d-----w- c:\program files\QuickTime
2009-04-12 21:45 . 2009-04-12 21:45 75048 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.1.1.10\SetupAdmin.exe
2009-04-12 21:43 . 2009-04-12 21:43 -------- d-----w- c:\program files\Bonjour
2009-04-09 20:38 . 2008-10-20 22:49 -------- d-----w- c:\program files\Common Files\Adobe
2009-04-02 23:00 . 2008-08-08 23:31 52752 ----a-w- c:\windows\system32\drivers\tmactmon.sys
2009-04-02 23:00 . 2008-08-08 23:31 52624 ----a-w- c:\windows\system32\drivers\tmevtmgr.sys
2009-04-02 23:00 . 2008-08-08 23:31 142864 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2009-03-26 22:23 . 2009-04-12 21:50 1900544 ----a-w- c:\windows\system32\usbaaplrc.dll
2009-03-26 22:23 . 2008-11-23 23:24 36864 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2009-03-19 23:32 . 2009-03-19 23:32 23400 ----a-w- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}\x86\x86\GEARAspiWDM.sys
2009-03-19 23:32 . 2008-01-29 19:01 23400 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
.

------- Sigcheck -------

[7] 2004-08-04 10:00 24576 39B1FFB03C2296323832ACBAE50D2AFF c:\windows\$NtServicePackUninstall$\userinit.exe
[7] 2008-04-14 00:12 26112 A93AEE1928A9D7CE3E16D24EC7380F89 c:\windows\ServicePackFiles\i386\userinit.exe
[-] 2008-04-14 00:12 26112 !HASH: COULD NOT OPEN FILE ! c:\windows\system32\userinit.exe
.
((((((((((((((((((((((((((((( SnapShot@2009-06-02_21.17.23 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-06-05 01:48 . 2009-06-05 01:48 16384 c:\windows\Temp\Perflib_Perfdata_1e8.dat
+ 2008-05-22 04:22 . 2008-07-09 07:38 26488 c:\windows\system32\spupdsvc.exe
- 2008-05-22 04:22 . 2007-08-11 03:46 26488 c:\windows\system32\spupdsvc.exe
+ 2004-08-10 17:51 . 2009-02-03 19:59 56832 c:\windows\system32\secur32.dll
+ 2004-08-10 17:51 . 2009-02-06 10:39 35328 c:\windows\system32\sc.exe
+ 2004-08-10 17:51 . 2009-02-20 18:09 44544 c:\windows\system32\pngfilt.dll
- 2004-08-10 17:51 . 2008-10-16 20:38 44544 c:\windows\system32\pngfilt.dll
+ 2004-08-10 17:51 . 2009-06-03 07:16 63214 c:\windows\system32\perfc009.dat
- 2004-08-10 17:51 . 2009-05-03 00:36 63214 c:\windows\system32\perfc009.dat
- 2004-08-10 18:01 . 2008-04-14 00:12 91648 c:\windows\system32\mtxoci.dll
+ 2004-08-10 18:01 . 2008-06-12 14:23 91648 c:\windows\system32\mtxoci.dll
+ 2004-08-10 17:51 . 2008-06-12 14:23 66560 c:\windows\system32\mtxclu.dll
- 2004-08-10 17:51 . 2008-04-14 00:12 66560 c:\windows\system32\mtxclu.dll
- 2007-08-14 01:54 . 2008-10-16 20:38 52224 c:\windows\system32\msfeedsbs.dll
+ 2007-08-14 01:54 . 2009-02-20 18:09 52224 c:\windows\system32\msfeedsbs.dll
- 2004-08-10 18:01 . 2008-04-14 00:11 58880 c:\windows\system32\msdtclog.dll
+ 2004-08-10 18:01 . 2008-06-12 14:23 58880 c:\windows\system32\msdtclog.dll
- 2004-08-10 17:51 . 2008-10-16 20:38 27648 c:\windows\system32\jsproxy.dll
+ 2004-08-10 17:51 . 2009-02-20 18:09 27648 c:\windows\system32\jsproxy.dll
+ 2007-08-14 01:39 . 2009-02-20 10:20 13824 c:\windows\system32\ieudinit.exe
- 2007-08-14 01:39 . 2008-10-16 13:11 13824 c:\windows\system32\ieudinit.exe
+ 2004-08-10 17:51 . 2009-02-20 18:09 44544 c:\windows\system32\iernonce.dll
- 2004-08-10 17:51 . 2008-10-16 20:38 44544 c:\windows\system32\iernonce.dll
+ 2004-08-10 17:51 . 2009-02-20 18:09 78336 c:\windows\system32\ieencode.dll
+ 2004-08-10 17:51 . 2009-02-20 10:20 70656 c:\windows\system32\ie4uinit.exe
- 2004-08-10 17:51 . 2008-10-16 13:11 70656 c:\windows\system32\ie4uinit.exe
- 2007-08-14 01:36 . 2008-10-16 20:38 63488 c:\windows\system32\icardie.dll
+ 2007-08-14 01:36 . 2009-02-20 18:09 63488 c:\windows\system32\icardie.dll
+ 2009-02-03 19:59 . 2009-02-03 19:59 56832 c:\windows\system32\dllcache\secur32.dll
+ 2008-05-22 04:13 . 2009-02-20 18:09 44544 c:\windows\system32\dllcache\pngfilt.dll
- 2008-05-22 04:13 . 2008-10-16 20:38 44544 c:\windows\system32\dllcache\pngfilt.dll
+ 2008-06-12 14:23 . 2008-06-12 14:23 91648 c:\windows\system32\dllcache\mtxoci.dll
+ 2008-06-12 14:23 . 2008-06-12 14:23 66560 c:\windows\system32\dllcache\mtxclu.dll
- 2008-09-24 02:45 . 2008-10-16 20:38 52224 c:\windows\system32\dllcache\msfeedsbs.dll
+ 2008-09-24 02:45 . 2009-02-20 18:09 52224 c:\windows\system32\dllcache\msfeedsbs.dll
+ 2008-06-12 14:23 . 2008-06-12 14:23 58880 c:\windows\system32\dllcache\msdtclog.dll
- 2008-05-22 04:13 . 2008-10-16 20:38 27648 c:\windows\system32\dllcache\jsproxy.dll
+ 2008-05-22 04:13 . 2009-02-20 18:09 27648 c:\windows\system32\dllcache\jsproxy.dll
- 2008-09-24 02:45 . 2008-10-16 13:11 13824 c:\windows\system32\dllcache\ieudinit.exe
+ 2008-09-24 02:45 . 2009-02-20 10:20 13824 c:\windows\system32\dllcache\ieudinit.exe
- 2007-08-14 01:39 . 2008-10-16 20:38 44544 c:\windows\system32\dllcache\iernonce.dll
+ 2007-08-14 01:39 . 2009-02-20 18:09 44544 c:\windows\system32\dllcache\iernonce.dll
+ 2009-02-20 18:09 . 2009-02-20 18:09 78336 c:\windows\system32\dllcache\ieencode.dll
- 2007-08-14 01:39 . 2008-10-16 13:11 70656 c:\windows\system32\dllcache\ie4uinit.exe
+ 2007-08-14 01:39 . 2009-02-20 10:20 70656 c:\windows\system32\dllcache\ie4uinit.exe
+ 2008-09-24 02:45 . 2009-02-20 18:09 63488 c:\windows\system32\dllcache\icardie.dll
- 2008-09-24 02:45 . 2008-10-16 20:38 63488 c:\windows\system32\dllcache\icardie.dll
+ 2009-06-03 06:51 . 2009-06-03 06:51 49936 c:\windows\Installer\{95120000-00AF-0409-0000-0000000FF1CE}\ppvwicon.exe
- 2008-11-18 21:42 . 2008-11-18 21:42 49936 c:\windows\Installer\{95120000-00AF-0409-0000-0000000FF1CE}\ppvwicon.exe
- 2008-08-09 00:44 . 2008-12-27 23:45 35088 c:\windows\Installer\{91120000-002F-0000-0000-0000000FF1CE}\oisicon.exe
+ 2008-08-09 00:44 . 2009-06-03 06:50 35088 c:\windows\Installer\{91120000-002F-0000-0000-0000000FF1CE}\oisicon.exe
- 2008-08-09 00:44 . 2008-12-27 23:45 18704 c:\windows\Installer\{91120000-002F-0000-0000-0000000FF1CE}\mspicons.exe
+ 2008-08-09 00:44 . 2009-06-03 06:50 18704 c:\windows\Installer\{91120000-002F-0000-0000-0000000FF1CE}\mspicons.exe
- 2008-08-09 00:44 . 2008-12-27 23:45 20240 c:\windows\Installer\{91120000-002F-0000-0000-0000000FF1CE}\cagicon.exe
+ 2008-08-09 00:44 . 2009-06-03 06:50 20240 c:\windows\Installer\{91120000-002F-0000-0000-0000000FF1CE}\cagicon.exe
- 2008-12-27 23:45 . 2008-12-27 23:45 35600 c:\windows\Installer\{90120000-0020-0409-0000-0000000FF1CE}\O12ConvIcon.exe
+ 2009-06-03 06:51 . 2009-06-03 06:51 35600 c:\windows\Installer\{90120000-0020-0409-0000-0000000FF1CE}\O12ConvIcon.exe
+ 2006-10-27 02:07 . 2006-10-27 02:07 17680 c:\windows\Installer\$PatchCache$\Managed\00002109020090400000000000F01FEC\12.0.4518\PXBPROXY.DLL
+ 2009-06-03 06:51 . 2008-10-16 20:38 44544 c:\windows\ie7updates\KB963027-IE7\pngfilt.dll
+ 2009-06-03 06:51 . 2008-10-16 20:38 52224 c:\windows\ie7updates\KB963027-IE7\msfeedsbs.dll
+ 2009-06-03 06:51 . 2008-10-16 20:38 27648 c:\windows\ie7updates\KB963027-IE7\jsproxy.dll
+ 2009-06-03 06:51 . 2008-10-16 13:11 13824 c:\windows\ie7updates\KB963027-IE7\ieudinit.exe
+ 2009-06-03 06:51 . 2008-10-16 20:38 44544 c:\windows\ie7updates\KB963027-IE7\iernonce.dll
+ 2009-06-03 06:51 . 2008-04-14 00:11 81920 c:\windows\ie7updates\KB963027-IE7\ieencode.dll
+ 2009-06-03 06:51 . 2008-10-16 13:11 70656 c:\windows\ie7updates\KB963027-IE7\ie4uinit.exe
+ 2009-06-03 06:51 . 2008-10-16 20:38 63488 c:\windows\ie7updates\KB963027-IE7\icardie.dll
- 2004-08-10 17:51 . 2008-10-16 20:38 826368 c:\windows\system32\wininet.dll
+ 2004-08-10 17:51 . 2009-03-03 00:18 826368 c:\windows\system32\wininet.dll
- 2004-08-10 17:51 . 2008-04-14 00:12 354304 c:\windows\system32\winhttp.dll
+ 2004-08-10 17:51 . 2008-12-16 12:30 354304 c:\windows\system32\winhttp.dll
- 2004-08-10 17:51 . 2008-10-16 20:38 233472 c:\windows\system32\webcheck.dll
+ 2004-08-10 17:51 . 2009-02-20 18:09 233472 c:\windows\system32\webcheck.dll
+ 2004-08-10 18:01 . 2009-02-06 10:10 227840 c:\windows\system32\wbem\wmiprvse.exe
+ 2004-08-10 18:01 . 2009-02-09 12:10 453120 c:\windows\system32\wbem\wmiprvsd.dll
+ 2004-08-10 18:01 . 2009-02-09 12:10 473600 c:\windows\system32\wbem\fastprox.dll
+ 2004-08-10 17:51 . 2009-02-20 18:09 105984 c:\windows\system32\url.dll
- 2004-08-10 17:51 . 2008-10-16 20:38 105984 c:\windows\system32\url.dll
+ 2004-08-10 17:51 . 2009-02-06 11:11 110592 c:\windows\system32\services.exe
+ 2004-08-10 17:51 . 2008-12-05 06:54 144896 c:\windows\system32\schannel.dll
+ 2004-08-10 17:51 . 2009-02-09 12:10 401408 c:\windows\system32\rpcss.dll
+ 2004-08-10 17:51 . 2009-06-03 07:16 402644 c:\windows\system32\perfh009.dat
- 2004-08-10 17:51 . 2009-05-03 00:36 402644 c:\windows\system32\perfh009.dat
- 2004-08-10 17:51 . 2008-04-14 00:12 284160 c:\windows\system32\pdh.dll
+ 2004-08-10 17:51 . 2009-03-06 14:22 284160 c:\windows\system32\pdh.dll
- 2004-08-10 17:51 . 2008-10-16 20:38 102912 c:\windows\system32\occache.dll
+ 2004-08-10 17:51 . 2009-02-20 18:09 102912 c:\windows\system32\occache.dll
+ 2004-08-10 17:51 . 2009-02-09 12:10 714752 c:\windows\system32\ntdll.dll
+ 2004-08-10 17:51 . 2009-02-20 18:09 671232 c:\windows\system32\mstime.dll
- 2004-08-10 17:51 . 2008-10-16 20:38 671232 c:\windows\system32\mstime.dll
+ 2004-08-10 17:51 . 2009-02-20 18:09 193024 c:\windows\system32\msrating.dll
- 2004-08-10 17:51 . 2008-10-16 20:38 193024 c:\windows\system32\msrating.dll
- 2004-08-10 17:51 . 2008-10-16 20:38 477696 c:\windows\system32\mshtmled.dll
+ 2004-08-10 17:51 . 2009-02-20 18:09 477696 c:\windows\system32\mshtmled.dll
- 2007-08-14 01:54 . 2008-10-16 20:38 459264 c:\windows\system32\msfeeds.dll
+ 2007-08-14 01:54 . 2009-02-20 18:09 459264 c:\windows\system32\msfeeds.dll
- 2004-08-10 18:01 . 2008-04-14 00:11 161792 c:\windows\system32\msdtcuiu.dll
+ 2004-08-10 18:01 . 2008-06-12 14:23 161792 c:\windows\system32\msdtcuiu.dll
- 2004-08-10 18:01 . 2008-04-14 00:11 956928 c:\windows\system32\msdtctm.dll
+ 2004-08-10 18:01 . 2008-06-12 14:23 956928 c:\windows\system32\msdtctm.dll
+ 2004-08-10 18:01 . 2008-06-12 14:23 428032 c:\windows\system32\msdtcprx.dll
+ 2004-08-10 17:51 . 2009-02-09 12:10 729088 c:\windows\system32\lsasrv.dll
+ 2004-08-10 17:51 . 2009-03-21 14:06 989696 c:\windows\system32\kernel32.dll
- 2004-08-10 17:51 . 2008-04-14 00:11 989696 c:\windows\system32\kernel32.dll
+ 2007-08-14 01:34 . 2009-02-20 18:09 268288 c:\windows\system32\iertutil.dll
+ 2004-08-10 17:51 . 2009-02-20 18:09 385024 c:\windows\system32\iedkcs32.dll
+ 2007-07-11 19:27 . 2009-02-20 18:09 383488 c:\windows\system32\ieapfltr.dll
- 2007-07-11 19:27 . 2008-10-16 20:38 383488 c:\windows\system32\ieapfltr.dll
- 2004-08-10 17:51 . 2008-10-15 07:04 161792 c:\windows\system32\ieakui.dll
+ 2004-08-10 17:51 . 2009-02-20 05:14 161792 c:\windows\system32\ieakui.dll
- 2004-08-10 17:51 . 2008-10-16 20:38 230400 c:\windows\system32\ieaksie.dll
+ 2004-08-10 17:51 . 2009-02-20 18:09 230400 c:\windows\system32\ieaksie.dll
+ 2004-08-10 17:51 . 2009-02-20 18:09 153088 c:\windows\system32\ieakeng.dll
- 2004-08-10 17:51 . 2008-10-16 20:38 153088 c:\windows\system32\ieakeng.dll
+ 2004-08-10 17:57 . 2009-06-03 07:10 181040 c:\windows\system32\FNTCACHE.DAT
- 2004-08-10 17:57 . 2008-10-15 22:50 181040 c:\windows\system32\FNTCACHE.DAT
+ 2004-08-10 17:51 . 2009-02-20 18:09 133120 c:\windows\system32\extmgr.dll
- 2004-08-10 17:51 . 2008-10-16 20:38 133120 c:\windows\system32\extmgr.dll
+ 2004-08-10 17:51 . 2009-02-20 18:09 214528 c:\windows\system32\dxtrans.dll
- 2004-08-10 17:51 . 2008-10-16 20:38 214528 c:\windows\system32\dxtrans.dll
+ 2004-08-10 17:51 . 2009-02-20 18:09 347136 c:\windows\system32\dxtmsft.dll
- 2004-08-10 17:51 . 2008-10-16 20:38 347136 c:\windows\system32\dxtmsft.dll
- 2008-05-22 04:13 . 2008-10-16 20:38 826368 c:\windows\system32\dllcache\wininet.dll
+ 2008-05-22 04:13 . 2009-03-03 00:18 826368 c:\windows\system32\dllcache\wininet.dll
+ 2008-12-16 12:30 . 2008-12-16 12:30 354304 c:\windows\system32\dllcache\winhttp.dll
+ 2007-08-14 01:54 . 2009-02-20 18:09 233472 c:\windows\system32\dllcache\webcheck.dll
- 2007-08-14 01:54 . 2008-10-16 20:38 233472 c:\windows\system32\dllcache\webcheck.dll
- 2007-08-14 01:44 . 2008-10-16 20:38 105984 c:\windows\system32\dllcache\url.dll
+ 2007-08-14 01:44 . 2009-02-20 18:09 105984 c:\windows\system32\dllcache\url.dll
+ 2008-12-05 06:54 . 2008-12-05 06:54 144896 c:\windows\system32\dllcache\schannel.dll
+ 2007-08-14 01:44 . 2009-02-20 18:09 102912 c:\windows\system32\dllcache\occache.dll
- 2007-08-14 01:44 . 2008-10-16 20:38 102912 c:\windows\system32\dllcache\occache.dll
- 2008-05-22 04:13 . 2008-10-16 20:38 671232 c:\windows\system32\dllcache\mstime.dll
+ 2008-05-22 04:13 . 2009-02-20 18:09 671232 c:\windows\system32\dllcache\mstime.dll
+ 2008-05-22 04:13 . 2009-02-20 18:09 193024 c:\windows\system32\dllcache\msrating.dll
- 2008-05-22 04:13 . 2008-10-16 20:38 193024 c:\windows\system32\dllcache\msrating.dll
- 2008-05-22 04:13 . 2008-10-16 20:38 477696 c:\windows\system32\dllcache\mshtmled.dll
+ 2008-05-22 04:13 . 2009-02-20 18:09 477696 c:\windows\system32\dllcache\mshtmled.dll
+ 2008-09-24 02:45 . 2009-02-20 18:09 459264 c:\windows\system32\dllcache\msfeeds.dll
- 2008-09-24 02:45 . 2008-10-16 20:38 459264 c:\windows\system32\dllcache\msfeeds.dll
+ 2008-06-12 14:23 . 2008-06-12 14:23 161792 c:\windows\system32\dllcache\msdtcuiu.dll
+ 2008-06-12 14:23 . 2008-06-12 14:23 956928 c:\windows\system32\dllcache\msdtctm.dll
+ 2008-06-12 14:23 . 2008-06-12 14:23 428032 c:\windows\system32\dllcache\msdtcprx.dll
+ 2009-03-21 14:06 . 2009-03-21 14:06 989696 c:\windows\system32\dllcache\kernel32.dll
+ 2007-08-14 01:43 . 2009-02-28 04:54 636072 c:\windows\system32\dllcache\iexplore.exe
+ 2008-09-24 02:45 . 2009-02-20 18:09 268288 c:\windows\system32\dllcache\iertutil.dll
+ 2007-08-14 01:39 . 2009-02-20 18:09 385024 c:\windows\system32\dllcache\iedkcs32.dll
- 2008-09-24 02:45 . 2008-10-16 20:38 383488 c:\windows\system32\dllcache\ieapfltr.dll
+ 2008-09-24 02:45 . 2009-02-20 18:09 383488 c:\windows\system32\dllcache\ieapfltr.dll
- 2007-08-14 00:56 . 2008-10-15 07:04 161792 c:\windows\system32\dllcache\ieakui.dll
+ 2007-08-14 00:56 . 2009-02-20 05:14 161792 c:\windows\system32\dllcache\ieakui.dll
+ 2007-08-14 01:39 . 2009-02-20 18:09 230400 c:\windows\system32\dllcache\ieaksie.dll
- 2007-08-14 01:39 . 2008-10-16 20:38 230400 c:\windows\system32\dllcache\ieaksie.dll
+ 2007-08-14 01:39 . 2009-02-20 18:09 153088 c:\windows\system32\dllcache\ieakeng.dll
- 2007-08-14 01:39 . 2008-10-16 20:38 153088 c:\windows\system32\dllcache\ieakeng.dll
+ 2008-05-22 04:13 . 2009-02-20 18:09 133120 c:\windows\system32\dllcache\extmgr.dll
- 2008-05-22 04:13 . 2008-10-16 20:38 133120 c:\windows\system32\dllcache\extmgr.dll
+ 2008-05-22 04:13 . 2009-02-20 18:09 214528 c:\windows\system32\dllcache\dxtrans.dll
- 2008-05-22 04:13 . 2008-10-16 20:38 214528 c:\windows\system32\dllcache\dxtrans.dll
- 2008-05-22 04:13 . 2008-10-16 20:38 347136 c:\windows\system32\dllcache\dxtmsft.dll
+ 2008-05-22 04:13 . 2009-02-20 18:09 347136 c:\windows\system32\dllcache\dxtmsft.dll
+ 2007-08-14 01:39 . 2009-02-20 18:09 124928 c:\windows\system32\dllcache\advpack.dll
- 2007-08-14 01:39 . 2008-10-16 20:38 124928 c:\windows\system32\dllcache\advpack.dll
+ 2004-08-10 17:50 . 2009-02-20 18:09 124928 c:\windows\system32\advpack.dll
- 2004-08-10 17:50 . 2008-10-16 20:38 124928 c:\windows\system32\advpack.dll
- 2004-08-10 17:50 . 2008-04-14 00:11 617472 c:\windows\system32\advapi32.dll
+ 2004-08-10 17:50 . 2009-02-09 12:10 617472 c:\windows\system32\advapi32.dll
- 2008-08-09 00:44 . 2008-12-27 23:45 888080 c:\windows\Installer\{91120000-002F-0000-0000-0000000FF1CE}\wordicon.exe
+ 2008-08-09 00:44 . 2009-06-03 06:50 888080 c:\windows\Installer\{91120000-002F-0000-0000-0000000FF1CE}\wordicon.exe
+ 2008-08-09 00:44 . 2009-06-03 06:50 922384 c:\windows\Installer\{91120000-002F-0000-0000-0000000FF1CE}\pptico.exe
- 2008-08-09 00:44 . 2008-12-27 23:45 922384 c:\windows\Installer\{91120000-002F-0000-0000-0000000FF1CE}\pptico.exe
+ 2008-08-09 00:44 . 2009-06-03 06:50 217864 c:\windows\Installer\{91120000-002F-0000-0000-0000000FF1CE}\misc.exe
- 2008-08-09 00:44 . 2008-12-27 23:45 217864 c:\windows\Installer\{91120000-002F-0000-0000-0000000FF1CE}\misc.exe
- 2008-08-09 00:44 . 2008-12-27 23:45 184080 c:\windows\Installer\{91120000-002F-0000-0000-0000000FF1CE}\joticon.exe
+ 2008-08-09 00:44 . 2009-06-03 06:50 184080 c:\windows\Installer\{91120000-002F-0000-0000-0000000FF1CE}\joticon.exe
+ 2009-06-03 06:51 . 2008-10-16 20:38 826368 c:\windows\ie7updates\KB963027-IE7\wininet.dll
+ 2009-06-03 06:51 . 2008-10-16 20:38 233472 c:\windows\ie7updates\KB963027-IE7\webcheck.dll
+ 2009-06-03 06:51 . 2008-10-16 20:38 105984 c:\windows\ie7updates\KB963027-IE7\url.dll
+ 2009-06-03 06:51 . 2008-07-09 07:38 382840 c:\windows\ie7updates\KB963027-IE7\spuninst\updspapi.dll
+ 2009-06-03 06:51 . 2008-07-08 13:02 231288 c:\windows\ie7updates\KB963027-IE7\spuninst\spuninst.exe
+ 2009-06-03 06:51 . 2008-10-16 20:38 102912 c:\windows\ie7updates\KB963027-IE7\occache.dll
+ 2009-06-03 06:51 . 2008-10-16 20:38 671232 c:\windows\ie7updates\KB963027-IE7\mstime.dll
+ 2009-06-03 06:51 . 2008-10-16 20:38 193024 c:\windows\ie7updates\KB963027-IE7\msrating.dll
+ 2009-06-03 06:51 . 2008-10-16 20:38 477696 c:\windows\ie7updates\KB963027-IE7\mshtmled.dll
+ 2009-06-03 06:51 . 2008-10-16 20:38 459264 c:\windows\ie7updates\KB963027-IE7\msfeeds.dll
+ 2009-06-03 06:51 . 2008-10-15 07:06 633632 c:\windows\ie7updates\KB963027-IE7\iexplore.exe
+ 2009-06-03 06:51 . 2008-10-16 20:38 267776 c:\windows\ie7updates\KB963027-IE7\iertutil.dll
+ 2009-06-03 06:51 . 2008-10-16 20:38 384512 c:\windows\ie7updates\KB963027-IE7\iedkcs32.dll
+ 2009-06-03 06:51 . 2008-10-16 20:38 383488 c:\windows\ie7updates\KB963027-IE7\ieapfltr.dll
+ 2009-06-03 06:51 . 2008-10-15 07:04 161792 c:\windows\ie7updates\KB963027-IE7\ieakui.dll
+ 2009-06-03 06:51 . 2008-10-16 20:38 230400 c:\windows\ie7updates\KB963027-IE7\ieaksie.dll
+ 2009-06-03 06:51 . 2008-10-16 20:38 153088 c:\windows\ie7updates\KB963027-IE7\ieakeng.dll
+ 2009-06-03 06:51 . 2008-10-16 20:38 133120 c:\windows\ie7updates\KB963027-IE7\extmgr.dll
+ 2009-06-03 06:51 . 2008-10-16 20:38 214528 c:\windows\ie7updates\KB963027-IE7\dxtrans.dll
+ 2009-06-03 06:51 . 2008-10-16 20:38 347136 c:\windows\ie7updates\KB963027-IE7\dxtmsft.dll
+ 2009-06-03 06:51 . 2008-10-16 20:38 124928 c:\windows\ie7updates\KB963027-IE7\advpack.dll
+ 2009-06-03 06:50 . 2009-06-03 06:50 350064 c:\windows\assembly\GAC\Microsoft.Office.Interop.PowerPoint\12.0.0.0__71e9bce111e9429c\Microsoft.Office.Interop.PowerPoint.dll
+ 2009-06-02 22:23 . 2008-04-15 17:47 1724416 c:\windows\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.2600.5581_x-ww_dfbc4fc4\GdiPlus.dll
+ 2004-08-10 17:51 . 2009-02-09 11:13 1846784 c:\windows\system32\win32k.sys
+ 2004-08-10 17:51 . 2009-02-20 18:09 1160192 c:\windows\system32\urlmon.dll
- 2004-08-10 17:51 . 2008-10-16 20:38 1160192 c:\windows\system32\urlmon.dll
+ 2004-08-10 17:51 . 2008-06-17 19:02 8461312 c:\windows\system32\shell32.dll
- 2004-08-10 17:51 . 2008-04-14 00:12 8461312 c:\windows\system32\shell32.dll
+ 2004-08-10 17:51 . 2008-12-20 22:14 1288192 c:\windows\system32\quartz.dll
- 2004-08-10 17:51 . 2008-05-07 05:12 1288192 c:\windows\system32\quartz.dll
+ 2004-08-10 17:51 . 2009-02-06 11:06 2145280 c:\windows\system32\ntoskrnl.exe
- 2004-08-10 17:51 . 2008-08-14 10:09 2145280 c:\windows\system32\ntoskrnl.exe
- 2004-08-04 03:59 . 2008-08-14 09:33 2023936 c:\windows\system32\ntkrnlpa.exe
+ 2004-08-04 03:59 . 2009-02-06 10:32 2023936 c:\windows\system32\ntkrnlpa.exe
+ 2004-08-10 17:51 . 2009-02-20 18:09 3595264 c:\windows\system32\mshtml.dll
- 2007-08-14 01:54 . 2008-10-16 20:38 6066176 c:\windows\system32\ieframe.dll
+ 2007-08-14 01:54 . 2009-02-20 18:09 6066176 c:\windows\system32\ieframe.dll
- 2007-02-12 23:10 . 2007-04-17 09:32 2455488 c:\windows\system32\ieapfltr.dat
+ 2007-02-12 23:10 . 2008-07-09 14:25 2455488 c:\windows\system32\ieapfltr.dat
+ 2008-10-15 01:16 . 2009-02-09 11:13 1846784 c:\windows\system32\dllcache\win32k.sys
+ 2008-05-22 04:13 . 2009-02-20 18:09 1160192 c:\windows\system32\dllcache\urlmon.dll
- 2008-05-22 04:13 . 2008-10-16 20:38 1160192 c:\windows\system32\dllcache\urlmon.dll
+ 2008-06-17 19:02 . 2008-06-17 19:02 8461312 c:\windows\system32\dllcache\shell32.dll
+ 2008-05-07 05:12 . 2008-12-20 22:14 1288192 c:\windows\system32\dllcache\quartz.dll
- 2008-05-07 05:12 . 2008-05-07 05:12 1288192 c:\windows\system32\dllcache\quartz.dll
+ 2008-10-15 01:15 . 2009-02-06 11:08 2189056 c:\windows\system32\dllcache\ntoskrnl.exe
- 2008-10-15 01:15 . 2008-08-14 09:33 2023936 c:\windows\system32\dllcache\ntkrpamp.exe
+ 2008-10-15 01:15 . 2009-02-06 10:32 2023936 c:\windows\system32\dllcache\ntkrpamp.exe
- 2008-10-15 01:15 . 2008-08-14 09:33 2066048 c:\windows\system32\dllcache\ntkrnlpa.exe
+ 2008-10-15 01:15 . 2009-02-08 02:02 2066048 c:\windows\system32\dllcache\ntkrnlpa.exe
- 2008-10-15 01:15 . 2008-08-14 10:09 2145280 c:\windows\system32\dllcache\ntkrnlmp.exe
+ 2008-10-15 01:15 . 2009-02-06 11:06 2145280 c:\windows\system32\dllcache\ntkrnlmp.exe
+ 2007-12-08 01:07 . 2009-02-20 18:09 3595264 c:\windows\system32\dllcache\mshtml.dll
+ 2008-09-24 02:45 . 2009-02-20 18:09 6066176 c:\windows\system32\dllcache\ieframe.dll
- 2008-09-24 02:45 . 2008-10-16 20:38 6066176 c:\windows\system32\dllcache\ieframe.dll
- 2008-09-24 02:45 . 2007-04-17 09:32 2455488 c:\windows\system32\dllcache\ieapfltr.dat
+ 2008-09-24 02:45 . 2008-07-09 14:25 2455488 c:\windows\system32\dllcache\ieapfltr.dat
- 2008-08-09 00:44 . 2008-12-27 23:45 1172240 c:\windows\Installer\{91120000-002F-0000-0000-0000000FF1CE}\xlicons.exe
+ 2008-08-09 00:44 . 2009-06-03 06:50 1172240 c:\windows\Installer\{91120000-002F-0000-0000-0000000FF1CE}\xlicons.exe
+ 2009-06-03 06:51 . 2008-10-16 20:38 1160192 c:\windows\ie7updates\KB963027-IE7\urlmon.dll
+ 2009-06-03 06:51 . 2008-12-13 06:40 3593216 c:\windows\ie7updates\KB963027-IE7\mshtml.dll
+ 2009-06-03 06:51 . 2008-10-16 20:38 6066176 c:\windows\ie7updates\KB963027-IE7\ieframe.dll
+ 2009-06-03 06:51 . 2007-04-17 09:32 2455488 c:\windows\ie7updates\KB963027-IE7\ieapfltr.dat
+ 2008-10-15 01:15 . 2009-02-06 11:08 2189056 c:\windows\Driver Cache\i386\ntoskrnl.exe
+ 2008-10-15 01:15 . 2009-02-06 10:32 2023936 c:\windows\Driver Cache\i386\ntkrpamp.exe
- 2008-10-15 01:15 . 2008-08-14 09:33 2023936 c:\windows\Driver Cache\i386\ntkrpamp.exe
- 2008-10-15 01:15 . 2008-08-14 09:33 2066048 c:\windows\Driver Cache\i386\ntkrnlpa.exe
+ 2008-10-15 01:15 . 2009-02-08 02:02 2066048 c:\windows\Driver Cache\i386\ntkrnlpa.exe
- 2008-10-15 01:15 . 2008-08-14 10:09 2145280 c:\windows\Driver Cache\i386\ntkrnlmp.exe
+ 2008-10-15 01:15 . 2009-02-06 11:06 2145280 c:\windows\Driver Cache\i386\ntkrnlmp.exe
+ 2004-08-10 17:51 . 2008-11-12 01:34 10838016 c:\windows\system32\wmp.dll
+ 2008-09-28 21:33 . 2009-05-07 07:16 24699336 c:\windows\system32\MRT.exe
+ 2004-08-10 17:51 . 2008-11-12 01:34 10838016 c:\windows\system32\dllcache\wmp.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-14 206064]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-05-22 68856]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"Skype"="c:\program files\Skype\\Phone\Skype.exe" [2009-04-16 24264488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-03-27 1024000]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-05-10 90112]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2007-10-09 2183168]
"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\stsystra.exe" [2008-03-31 405504]
"ECenter"="c:\dell\E-Center\EULALauncher.exe" [2008-02-28 17920]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2008-03-11 16384]
"UfSeAgnt.exe"="c:\program files\Trend Micro\Internet Security\UfSeAgnt.exe" [2009-02-01 1398024]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-03-26 177472]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-14 206064]
"hpbdfawep"="c:\program files\HP\Dfawep\bin\hpbdfawep.exe" [2007-04-25 954368]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-01-17 185872]
"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2008-02-13 564496]
"LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam\Quickcam.exe" [2008-02-13 2196240]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-04-02 342312]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-06-01 148888]

c:\documents and settings\Sam\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2007-12-7 101440]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Dell Network Assistant.lnk - c:\windows\Installer\{0240BDFB-2995-4A3F-8C96-18D41282B716}\Icon0240BDFB3.exe [2008-5-21 7168]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2008-5-21 50688]
Logitech Desktop Messenger.lnk - c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe [2009-3-25 66864]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Ruckus Player\\Ruckus.exe"=
"c:\\Program Files\\Dell Network Assistant\\ezi_hnm2.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\drivers\\svchost.exe"=
"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"10421:UDP"= 10421:UDP:SingleClick Discovery Protocol
"10426:UDP"= 10426:UDP:SingleClick ICC

R0 atiide;atiide;c:\windows\system32\drivers\atiide.sys [5/21/2008 8:57 PM 3456]
R2 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [8/8/2008 4:31 PM 52624]
R2 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [2/15/2008 7:37 AM 36368]
R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\drivers\TM_CFW.sys [2/15/2008 7:37 AM 333328]
R3 TmPfw;Trend Micro Personal Firewall;c:\progra~1\TRENDM~1\INTERN~1\TmPfw.exe [8/8/2008 4:31 PM 488768]
R3 tmproxy;Trend Micro Proxy Service;c:\program files\Trend Micro\Internet Security\TmProxy.exe [8/8/2008 4:31 PM 648456]
.
Contents of the 'Scheduled Tasks' folder

2009-05-30 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-12 19:34]
.
.
------- Supplementary Scan -------
.
uStart Page = partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=1080522
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
FF - ProfilePath - c:\documents and settings\Sam\Application Data\Mozilla\Firefox\Profiles\k9fxumxz.default\
FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-04 18:49
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1228)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(7460)
c:\windows\TEMP\logishrd\LVPrcInj01.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\WLTRYSVC.EXE
c:\windows\system32\BCMWLTRY.EXE
c:\windows\system32\ati2evxx.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Dell Network Assistant\hnm_svc.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
c:\program files\Trend Micro\Internet Security\SfCtlCom.exe
c:\program files\Dell Support Center\bin\sprtsvc.exe
c:\program files\Trend Micro\BM\TMBMSRV.exe
c:\windows\system32\spool\drivers\w32x86\3\HP1006MC.EXE
c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
c:\program files\ATI Technologies\ATI.ACE\CLI.exe
c:\program files\Skype\Phone\Skype.exe
c:\program files\Dell Network Assistant\ezi_hnm2.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Common Files\LogiShrd\LQCVFX\COCIManager.exe
c:\program files\ATI Technologies\ATI.ACE\CLI.exe
c:\program files\Skype\Plugin Manager\skypePM.exe
.
**************************************************************************
.
Completion time: 2009-06-05 18:56 - machine was rebooted
ComboFix-quarantined-files.txt 2009-06-05 01:56
ComboFix2.txt 2009-06-03 01:29
ComboFix3.txt 2009-06-02 21:23

Pre-Run: 63,715,729,408 bytes free
Post-Run: 63,690,829,824 bytes free

531 --- E O F --- 2009-06-03 06:52

#12 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:10:05 AM

Posted 04 June 2009 - 09:23 PM

Hi elgruposam,

Looks much better. :thumbup2: How is the computer working?


Please disable any running anti-virus program before running Kaspersky Online Scanner.
If you are unsure how to do this, see this topic: http://www.bleepingcomputer.com/forums/t/114351/how-to-temporarily-disable-your-anti-virus-firewall-and-anti-malware-programs/
Close any open browsers

Please do a scan with Kaspersky Online Scanner

You can refer to this animation by sundavis.


Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

Click on the Accept button and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded on the left side of the page in the Scan section select My Computer.
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • In the drop down box labeled Files of type change the type to Text file.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
This scanner will only scan. It does not remove any malware it finds.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!




Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#13 elgruposam

elgruposam
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:10:05 AM

Posted 04 June 2009 - 11:58 PM

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0 REPORT
Thursday, June 4, 2009
Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Friday, June 05, 2009 04:51:28
Records in database: 2309173
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\

Scan statistics:
Files scanned: 70299
Threat name: 5
Infected objects: 9
Suspicious objects: 0
Duration of the scan: 01:31:15


File name / Threat name / Threats count
C:\Program Files\Trend Micro\Internet Security\Quarantine\tdssserv.sys Infected: Backdoor.Win32.Agent.roc 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\tluvgvet.dll.vir Infected: Packed.Win32.Krap.q 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\zdakzo.dll.vir Infected: Packed.Win32.Krap.q 1
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP57\A0071789.EXE Infected: Trojan-Downloader.Win32.Agent.ahkm 1
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP57\A0071790.exe Infected: Trojan-Downloader.Win32.Agent.ahkm 1
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP71\A0078757.dll Infected: Trojan.Win32.Monder.atjn 1
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP72\A0084978.EXE Infected: Email-Worm.Win32.Iksmas.gen 1
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP76\A0094099.dll Infected: Packed.Win32.Krap.q 1
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP76\A0094100.dll Infected: Packed.Win32.Krap.q 1

The selected area was scanned.

#14 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:10:05 AM

Posted 05 June 2009 - 12:20 AM

Hi elgruposam,

Looks good. :thumbup2: Kaspersky found previously quarantined malware files and previously deleted malware files (in System Restore folder).

Please tell me how the computer is running.

We still need to do the program clean up.

Edited by SifuMike, 05 June 2009 - 12:21 AM.

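SifuMike's reading of the Kaspersky report above (every hit sits in an AV or ComboFix quarantine folder or in a System Restore point) is the usual triage step: what matters is whether a detection is on the live system. The script below is an added example, not code from this thread or from Kaspersky; it parses the report's "Infected:" lines and groups them by location. The sample report is constructed from the paths posted in the thread plus one made-up live path (example.dll) to show the contrast, and the folder markers used for classification are assumptions about typical quarantine and restore-point layouts.

```python
"""Triage a Kaspersky Online Scanner text report by where each detection lives."""
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample in the layout of the Kaspersky Online Scanner 7.0 report
# posted in this thread. The first three lines reuse paths from the thread;
# the fourth (example.dll) is made up to show how an active file would be flagged.
SAMPLE_REPORT = r"""
File name / Threat name / Threats count
C:\Program Files\Trend Micro\Internet Security\Quarantine\tdssserv.sys Infected: Backdoor.Win32.Agent.roc 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\tluvgvet.dll.vir Infected: Packed.Win32.Krap.q 1
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP57\A0071789.EXE Infected: Trojan-Downloader.Win32.Agent.ahkm 1
C:\WINDOWS\system32\example.dll Infected: Trojan.Win32.Monder.atjn 1

The selected area was scanned.
"""

# One detection line: "<path> Infected: <threat name> <count>".
# Paths may contain spaces, so the match is anchored on the " Infected: " token.
DETECTION_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<threat>\S+) (?P<count>\d+)$")

# Assumed markers for inert locations: a quarantine folder (AV product or
# ComboFix's Qoobox) or an old copy kept inside a System Restore point.
QUARANTINE_MARKERS = ("\\quarantine\\",)
RESTORE_MARKER = "\\system volume information\\_restore"


@dataclass
class Detection:
    path: str
    threat: str
    count: int
    location: str  # "quarantine", "system_restore" or "live"


def classify_path(path: str) -> str:
    """Return where the flagged file sits; 'live' means it is on the running system."""
    low = path.lower()
    if any(marker in low for marker in QUARANTINE_MARKERS):
        return "quarantine"
    if RESTORE_MARKER in low:
        return "system_restore"
    return "live"


def parse_detections(report: str) -> List[Detection]:
    """Extract every 'Infected:' line from a report; headers and summaries are skipped."""
    found: List[Detection] = []
    for line in report.splitlines():
        m = DETECTION_RE.match(line.strip())
        if not m:
            continue
        found.append(Detection(m["path"], m["threat"], int(m["count"]), classify_path(m["path"])))
    return found


def triage(report: str) -> Dict[str, List[Detection]]:
    """Group detections by location so live hits stand out from archived ones."""
    groups: Dict[str, List[Detection]] = {"live": [], "quarantine": [], "system_restore": []}
    for det in parse_detections(report):
        groups[det.location].append(det)
    return groups


if __name__ == "__main__":
    for location, items in triage(SAMPLE_REPORT).items():
        print(f"{location}: {len(items)}")
        for det in items:
            print(f"  {det.threat}  {det.path}")
```

Run on the constructed sample, the two quarantine entries and the restore-point entry land in the inert groups, while the made-up system32 file is the only one reported as live; that is the line a helper would act on, and the others are cleared by emptying the quarantines and flushing old restore points, which is what the "program clean up" step that follows in the thread does.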

#15 elgruposam

elgruposam
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:10:05 AM

Posted 05 June 2009 - 04:17 PM

It's running pretty much good as new

Thank you so much



