HijackThis Log, Please Evaluate


This topic is locked
2 replies to this topic

#1 validitor

Posted 28 August 2009 - 02:53 AM

Problem: After getting online in Afghanistan (I'm a soldier) through our wireless internet service offered on base, most of the soldiers were hit with a huge virus. The ISP denies anything, but I know the Army looked into it almost immediately. I'm not sure what virus or malware or spyware was installed and run, but I have been cleaning up people's computers for almost a month now. The main ones I have found are (username).exe, where the username is replaced with their individual username on their own computers. Another has been sysmon.exe, and various others. Spybot S&D, Ad-Aware, AVG, Norton, McAfee, SpywareCease all could not touch most of the crap installed. The deep-rooted viruses could not be touched by those removal programs, and the only thing that could stop most of them was Avira. I know I still have something on my computer, but I am lost and need help. Short of reinstalling Windows XP, I want to tackle this problem and find out how to remove this crap so I can learn how to help people without wiping hard drives. Alright, on to the log....

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:20:57, on 28-Aug-09
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\AESTFltr.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\TEMP\wmldqqcwxn.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\izzars.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE
c:\program files\common files\mozilla shared\firefox.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.Yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.Yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
F2 - REG:system.ini: Shell=Explorer.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\svchost.exe"
O2 - BHO: (no name) - {000044A2-7283-4D76-B417-36774B1312D5} - C:\WINDOWS\system32\jvsazmyv.dll
O2 - BHO: (no name) - {00005ACC-F082-46EC-A3DE-D1283192DFA7} - C:\WINDOWS\system32\jvsazmyv.dll
O2 - BHO: (no name) - {0000AC18-8C30-4544-B92F-F4532B493BC3} - C:\WINDOWS\system32\jvsazmyv.dll
O2 - BHO: Octh Class - {000123B4-9B42-4900-B3F7-F4B073EFC214} - C:\Program Files\Orbitdownloader\orbitcth.dll
O2 - BHO: (no name) - {15830850-8C30-4544-B92F-F4532B493BC3} - C:\WINDOWS\system32\jvsazmyv.dll
O2 - BHO: Adobe PDF Link Helper - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: AVG Safe Search - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {A7D760BB-618D-4813-857A-A80F092E7251} - c:\windows\system32\maverfv.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [AESTFltr] "C:\WINDOWS\system32\AESTFltr.exe" /NoDlg
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\RunServices: [System Monitor] sysmon.exe
O4 - HKCU\..\Run: [Validitor] C:\Documents and Settings\Validitor\Validitor.exe
O4 - HKUS\S-1-5-18\..\Run: [System Monitor] sysmon.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Monopod] C:\WINDOWS\TEMP\b.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [System Monitor] sysmon.exe (User 'Default user')
O8 - Extra context menu item: &Download by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/201
O8 - Extra context menu item: &Grab video by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/204
O8 - Extra context menu item: Do&wnload selected by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/203
O8 - Extra context menu item: Down&load all by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/202
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Send To Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Validitor\Start Menu\Programs\IMVU\Run IMVU.lnk
O17 - HKLM\System\CCS\Services\Tcpip\..\{460F8157-F5DC-4CC1-AF12-32579D504F20}: NameServer = 208.67.222.222 208.67.220.220
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\iEvony\Skype4COM.dll
O20 - Winlogon Notify: pqmdszwx - C:\WINDOWS\SYSTEM32\maverfv.dll
O20 - Winlogon Notify: rgadtm - rgadtm.dll (file missing)
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Darkness - Unknown owner - C:\WINDOWS\system\svchost.exe (file missing)
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - c:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: WinCam - Unknown owner - C:\WINDOWS\TEMP\wmldqqcwxn.exe
O23 - Service: WinCamDll - Unknown owner - C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\izzars.exe

--
End of file - 6622 bytes

Thanks for taking the time to read this post!

EDIT: Adding other logs.


DDS (Ver_09-07-30.01) - NTFSx86
Run by Validitor at 12:36:41.68 on 28-Aug-09
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1015.524 [GMT 4.5:30]

AV: AntiVir Desktop *On-access scanning disabled* (Outdated) {AD166499-45F9-482A-A743-FDD3350758C7}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\AESTFltr.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\TEMP\wmldqqcwxn.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\izzars.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
c:\program files\common files\mozilla shared\firefox.exe
C:\Documents and Settings\Validitor\Desktop\Temp\dds.scr
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uSearch Page =
uStart Page = hxxp://www.Yahoo.com
uDefault_Page_URL = hxxp://www.Yahoo.com
uSearch Bar =
mSearchAssistant =
mWinlogon: Shell=Explorer.exe "c:\documents and settings\all users\application data\microsoft\svchost.exe"
BHO: {000044a2-7283-4d76-b417-36774b1312d5} - c:\windows\system32\jvsazmyv.dll
BHO: {00005acc-f082-46ec-a3de-d1283192dfa7} - c:\windows\system32\jvsazmyv.dll
BHO: {0000ac18-8c30-4544-b92f-f4532b493bc3} - c:\windows\system32\jvsazmyv.dll
BHO: Octh Class: {000123b4-9b42-4900-b3f7-f4b073efc214} - c:\program files\orbitdownloader\orbitcth.dll
BHO: {15830850-8c30-4544-b92f-f4532b493bc3} - c:\windows\system32\jvsazmyv.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_06\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: : {a7d760bb-618d-4813-857a-a80f092e7251} - c:\windows\system32\maverfv.dll
uRun: [Validitor] c:\documents and settings\validitor\Validitor.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [AESTFltr] "c:\windows\system32\AESTFltr.exe" /NoDlg
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRunServices: [System Monitor] sysmon.exe
dRun: [System Monitor] sysmon.exe
dRun: [Monopod] c:\windows\temp\b.exe
IE: &Download by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/201
IE: &Grab video by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/204
IE: Do&wnload selected by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/203
IE: Down&load all by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/202
IE: Send to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: Send To Bluetooth - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\validitor\start menu\programs\imvu\Run IMVU.lnk
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_06-windows-i586.cab
TCP: {460F8157-F5DC-4CC1-AF12-32579D504F20} = 208.67.222.222 208.67.220.220
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\program files\ievony\Skype4COM.dll
Notify: igfxcui - igfxdev.dll
Notify: pqmdszwx - maverfv.dll
Notify: rgadtm - rgadtm.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\validi~1\applic~1\mozilla\firefox\profiles\lbedtp91.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/intl/en/
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\mozilla firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\mozilla firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");

============= SERVICES / DRIVERS ===============

R0 obxmxmpv;obxmxmpv;c:\windows\system32\drivers\obxmxmpv.sys [2008-4-15 23424]
R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2009-8-16 11608]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2009-8-16 108289]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2009-8-16 185089]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-8-16 55656]
R2 jysvozfp;Microsoft USB 2.0 Enhanced Host Controller Miniport Controller;c:\windows\system32\svchost.exe -k netsvcs [2008-4-15 14336]
R2 WinCam;WinCam;c:\windows\temp\wmldqqcwxn.exe [2009-8-27 53760]
R2 WinCamDll;WinCamDll;c:\documents and settings\localservice\local settings\temporary internet files\izzars.exe [2009-8-28 53760]
R3 AESTAud;AE Audio Service;c:\windows\system32\drivers\AESTAud.sys [2008-12-19 112128]
S2 Darkness;Darkness;c:\windows\system\svchost.exe --> c:\windows\system\svchost.exe [?]
S3 epmntdrv;epmntdrv;c:\windows\system32\epmntdrv.sys [2009-8-27 8704]
S3 EuGdiDrv;EuGdiDrv;c:\windows\system32\EuGdiDrv.sys [2009-8-27 3072]
S3 MotDev;Motorola Inc. USB Device;c:\windows\system32\drivers\motodrv.sys [2009-6-2 40832]

=============== Created Last 30 ================

2009-08-28 12:11 <DIR> --d----- c:\docume~1\validi~1\applic~1\ujezouyc
2009-08-28 11:58 <DIR> --d----- c:\program files\Trend Micro
2009-08-27 21:16 0 a------- c:\windows\libwinsock32.cab
2009-08-27 20:19 1,663,488 a------- c:\windows\system32\BootMan.exe
2009-08-27 20:19 86,408 a------- c:\windows\system32\setupempdrv03.exe
2009-08-27 20:19 14,848 a------- c:\windows\system32\EuEpmGdi.dll
2009-08-27 20:19 8,704 a------- c:\windows\system32\epmntdrv.sys
2009-08-27 20:19 3,072 a------- c:\windows\system32\EuGdiDrv.sys
2009-08-27 20:18 <DIR> --d----- c:\program files\EASEUS
2009-08-27 12:42 <DIR> --d----- c:\program files\Wolfenstein - Enemy Territory
2009-08-26 18:53 127 a------- c:\windows\system32\MRT.INI
2009-08-26 18:48 <DIR> --d----- c:\windows\ie8updates
2009-08-26 18:27 <DIR> --d----- c:\windows\system32\XPSViewer
2009-08-26 18:24 597,504 -------- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-08-26 18:24 575,488 -------- c:\windows\system32\xpsshhdr.dll
2009-08-26 18:24 575,488 -------- c:\windows\system32\dllcache\xpsshhdr.dll
2009-08-26 18:24 117,760 -------- c:\windows\system32\prntvpt.dll
2009-08-26 18:24 89,088 -------- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-08-26 18:24 1,676,288 -------- c:\windows\system32\xpssvcs.dll
2009-08-26 18:24 1,676,288 -------- c:\windows\system32\dllcache\xpssvcs.dll
2009-08-26 18:24 <DIR> --d----- C:\5d817c47747860a54da1a7050708
2009-08-26 17:48 594,432 -------- c:\windows\system32\dllcache\msfeeds.dll
2009-08-26 17:48 55,296 -------- c:\windows\system32\dllcache\msfeedsbs.dll
2009-08-26 17:48 246,272 -------- c:\windows\system32\dllcache\ieproxy.dll
2009-08-26 17:48 12,800 -------- c:\windows\system32\dllcache\xpshims.dll
2009-08-26 17:48 1,985,536 -------- c:\windows\system32\dllcache\iertutil.dll
2009-08-26 11:52 128,512 -------- c:\windows\system32\dllcache\dhtmled.ocx
2009-08-26 11:47 203,136 -------- c:\windows\system32\dllcache\rmcast.sys
2009-08-26 11:46 331,776 -------- c:\windows\system32\dllcache\msadce.dll
2009-08-26 11:39 1,315,328 -------- c:\windows\system32\dllcache\msoe.dll
2009-08-26 11:19 337,408 -------- c:\windows\system32\dllcache\netapi32.dll
2009-08-26 11:18 247,326 -------- c:\windows\system32\dllcache\strmdll.dll
2009-08-26 11:17 1,106,944 -------- c:\windows\system32\dllcache\msxml3.dll
2009-08-26 11:13 272,128 -------- c:\windows\system32\drivers\bthport.sys
2009-08-26 11:13 272,128 -------- c:\windows\system32\dllcache\bthport.sys
2009-08-26 11:02 2,560 -------- c:\windows\system32\xpsp4res.dll
2009-08-26 11:02 1,203,922 -------- c:\windows\system32\dllcache\sysmain.sdb
2009-08-26 11:02 215,552 -------- c:\windows\system32\dllcache\wordpad.exe
2009-08-26 10:09 455,296 -------- c:\windows\system32\dllcache\mrxsmb.sys
2009-08-26 10:02 333,952 -------- c:\windows\system32\dllcache\srv.sys
2009-08-26 09:36 691,712 -------- c:\windows\system32\dllcache\inetcomm.dll
2009-08-26 05:01 <DIR> --d----- c:\windows\system32\PreInstall
2009-08-25 20:31 <DIR> --dsh--- c:\documents and settings\validitor\PrivacIE
2009-08-25 20:29 <DIR> --dsh--- c:\documents and settings\validitor\IETldCache
2009-08-25 20:19 <DIR> -cd-h--- c:\windows\ie8
2009-08-25 19:44 268,648 a------- c:\windows\system32\mucltui.dll
2009-08-25 19:44 208,744 a------- c:\windows\system32\muweb.dll
2009-08-25 19:44 27,496 a------- c:\windows\system32\mucltui.dll.mui
2009-08-24 23:11 36,864 a------- c:\windows\system\Shlwapi.dll
2009-08-24 23:10 474,112 a------- C:\shlwapi.dll
2009-08-24 20:48 <DIR> --d----- c:\windows\system32\NtmsData
2009-08-16 20:41 55,656 a------- c:\windows\system32\drivers\avgntflt.sys
2009-08-16 20:41 <DIR> --d----- c:\program files\Avira
2009-08-16 20:41 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Avira
2009-08-15 14:48 <DIR> --d----- c:\windows\Mozilla
2009-08-13 16:29 0 a------- c:\windows\system32\a99k.bin
2009-08-13 10:23 <DIR> --d----- c:\program files\14 Degrees East
2009-08-13 10:22 306,688 a------- c:\windows\IsUninst.exe
2009-08-12 17:44 0 a--sh--- c:\windows\system32\GC4DD.tmp.exe
2009-08-11 19:50 207,876 a------- c:\windows\system32\msxml71.dll
2009-08-10 18:29 <DIR> --d----- C:\Downloads
2009-08-10 18:29 <DIR> --d----- c:\program files\Orbitdownloader
2009-08-06 18:25 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-08-05 13:31 204,800 -------- c:\windows\system32\dllcache\mswebdvd.dll
2009-07-30 13:55 <DIR> --d----- c:\docume~1\validi~1\applic~1\IMVU
2009-07-30 13:52 <DIR> --d----- c:\docume~1\validi~1\applic~1\IMVUClient
2009-07-30 08:00 12,160 a------- c:\windows\system32\drivers\mouhid.sys

==================== Find3M ====================

2009-08-05 13:31 204,800 a------- c:\windows\system32\mswebdvd.dll
2009-07-29 09:07 119,808 a------- c:\windows\system32\t2embed.dll
2009-07-29 09:07 81,920 a------- c:\windows\system32\fontsub.dll
2009-07-29 09:07 119,808 -------- c:\windows\system32\dllcache\t2embed.dll
2009-07-29 09:07 81,920 -------- c:\windows\system32\dllcache\fontsub.dll
2009-07-24 21:24 6,766 a------- c:\windows\system32\uacinit.dll
2009-07-22 16:00 102,664 a------- c:\windows\system32\drivers\tmcomm.sys
2009-07-19 18:48 11,067,392 -------- c:\windows\system32\dllcache\ieframe.dll
2009-07-19 17:48 5,937,152 -------- c:\windows\system32\dllcache\mshtml.dll
2009-07-17 23:31 58,880 a------- c:\windows\system32\atl.dll
2009-07-17 23:31 58,880 -------- c:\windows\system32\dllcache\atl.dll
2009-07-13 23:43 286,208 a------- c:\windows\system32\wmpdxm.dll
2009-07-13 23:43 10,841,088 -------- c:\windows\system32\dllcache\wmp.dll
2009-07-13 23:43 286,208 -------- c:\windows\system32\dllcache\wmpdxm.dll
2009-07-03 21:39 915,456 a------- c:\windows\system32\wininet.dll
2009-07-03 21:39 915,456 -------- c:\windows\system32\dllcache\wininet.dll
2009-07-03 21:39 1,208,832 -------- c:\windows\system32\dllcache\urlmon.dll
2009-07-03 21:39 206,848 -------- c:\windows\system32\dllcache\occache.dll
2009-07-03 21:39 25,600 -------- c:\windows\system32\dllcache\jsproxy.dll
2009-07-03 21:39 184,320 -------- c:\windows\system32\dllcache\iepeers.dll
2009-07-03 21:39 386,048 -------- c:\windows\system32\dllcache\iedkcs32.dll
2009-07-03 15:31 173,056 -------- c:\windows\system32\dllcache\ie4uinit.exe
2009-06-25 12:55 730,112 a------- c:\windows\system32\lsasrv.dll
2009-06-25 12:55 301,568 a------- c:\windows\system32\kerberos.dll
2009-06-25 12:55 147,456 a------- c:\windows\system32\schannel.dll
2009-06-25 12:55 136,192 a------- c:\windows\system32\msv1_0.dll
2009-06-25 12:55 56,832 a------- c:\windows\system32\secur32.dll
2009-06-25 12:55 54,272 a------- c:\windows\system32\wdigest.dll
2009-06-25 12:55 730,112 -------- c:\windows\system32\dllcache\lsasrv.dll
2009-06-25 12:55 301,568 -------- c:\windows\system32\dllcache\kerberos.dll
2009-06-25 12:55 147,456 -------- c:\windows\system32\dllcache\schannel.dll
2009-06-25 12:55 136,192 -------- c:\windows\system32\dllcache\msv1_0.dll
2009-06-25 12:55 56,832 -------- c:\windows\system32\dllcache\secur32.dll
2009-06-25 12:55 54,272 -------- c:\windows\system32\dllcache\wdigest.dll
2009-06-24 15:48 92,928 -------- c:\windows\system32\dllcache\ksecdd.sys
2009-06-12 17:01 76,288 a------- c:\windows\system32\telnet.exe
2009-06-12 17:01 76,288 -------- c:\windows\system32\dllcache\telnet.exe
2009-06-10 18:43 84,992 a------- c:\windows\system32\avifil32.dll
2009-06-10 18:43 84,992 -------- c:\windows\system32\dllcache\avifil32.dll
2009-06-10 10:44 132,096 a------- c:\windows\system32\wkssvc.dll
2009-06-10 10:44 132,096 -------- c:\windows\system32\dllcache\wkssvc.dll
2009-06-10 09:19 2,066,432 a------- c:\windows\system32\mstscax.dll
2009-06-10 09:19 2,066,432 -------- c:\windows\system32\dllcache\mstscax.dll
2009-06-04 16:07 499,712 a------- c:\windows\system32\msvcp71.dll
2009-06-03 23:39 1,291,264 a------- c:\windows\system32\quartz.dll
2009-06-03 23:39 1,291,264 -------- c:\windows\system32\dllcache\quartz.dll
2008-06-24 21:47 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\application data\microsoft\feeds cache\index.dat

============= FINISH: 12:40:41.62 ===============


ROOT REPEAL -

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/08/28 12:43
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xAA33A000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF7ABC000 Size: 8192 File Visible: No Signed: -
Status: -

Name: hjgruimwkiextj.sys
Image Path: C:\WINDOWS\system32\drivers\hjgruimwkiextj.sys
Address: 0xAA52B000 Size: 163840 File Visible: - Signed: -
Status: Hidden from the Windows API!

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xA915B000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\hjgruiecoiblpp.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\hjgruifooctrhy.dat
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\hjgruiquddivtc.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\hjgruiwdeehehm.dat
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\hjgruiyfreqbjvel.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\hjgruidhnmbfujlh.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\hjgruidrxvgxywtw.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\hjgruigpisryroyw.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\hjgruiigdtphtspe.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\hjgruikfudwclvht.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\hjgruinibnqsimth.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\hjgruiplkecefqaw.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\hjgruirkpbmvwtvy.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\hjgruishupgwaeyy.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\hjgruiwhaufdffdq.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\hjgruiwmvssbvuhu.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\drivers\hjgruimwkiextj.sys
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\notovdvt.dat
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Validitor\Application Data\Mozilla\Firefox\Profiles\lbedtp91.default\sessionstore.js
Status: Could not get file information (Error 0xc0000008)

Stealth Objects
-------------------
Object: Hidden Module [Name: maverfv.dll]
Process: winlogon.exe (PID: 612) Address: 0x01670000 Size: 286720

Object: Hidden Module [Name: hjgruiecoiblpp.dll]
Process: svchost.exe (PID: 872) Address: 0x10000000 Size: 57344

Object: Hidden Module [Name: maverfv.dll]
Process: svchost.exe (PID: 1036) Address: 0x020a0000 Size: 286720

Object: Hidden Module [Name: maverfv.dll]
Process: Explorer.exe (PID: 1800) Address: 0x0aa00000 Size: 286720

Hidden Services
-------------------
Service Name: hjgruildliopta
Image Path: C:\WINDOWS\system32\drivers\hjgruimwkiextj.sys

Service Name: UACd.sys
Image Path: C:\WINDOWS\system32\drivers\UACsirwtqxoqmiptuxtm.sys

==EOF==

Edited by validitor, 28 August 2009 - 03:20 AM.
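The HijackThis log above can be sorted mechanically before anyone reads it line by line. The Python below is an added example for this thread (not code from the original post, from HijackThis or from BleepingComputer). It applies the first-pass heuristics a removal helper applies by eye: running processes and autoruns launched from temp, cache or profile directories; a Run value that is a bare filename resolved through the search path; a Winlogon Shell value that starts anything besides Explorer.exe; BHOs registered with no name; Winlogon Notify packages outside an assumed stock-XP baseline; and services with no owner or a missing binary. SUSPICIOUS_DIRS and BASELINE_NOTIFY are this example's own assumptions, not lists HijackThis uses; the sample lines are copied from the log posted above.

```python
"""Heuristic first-pass triage of a HijackThis 2.0 log (added example, see lead-in)."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Places a normally installed program does not run from. ASSUMED heuristic list.
SUSPICIOUS_DIRS = ("\\windows\\temp\\", "\\temporary internet files\\",
                   "\\documents and settings\\localservice\\",
                   "\\all users\\application data\\",
                   "\\windows\\system\\")            # 'system', not 'system32'
# Winlogon Notify packages on an assumed stock XP SP3 box plus the Intel graphics
# one present in this log. ASSUMED baseline, not an official list.
BASELINE_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "dimsntfy", "sccertprop",
                   "schedule", "sclgntfy", "senslogn", "termsrv", "wlballoon", "igfxcui"}

ENTRY_RE = re.compile(r"^(?P<kind>[A-Z]\d{1,2}) - (?P<body>.*)$")
O2_RE = re.compile(r"^BHO: (?P<name>.*?) - \{[0-9A-Fa-f-]+\} - (?P<path>.*)$")
O4_RE = re.compile(r"^(?P<key>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O20_RE = re.compile(r"^Winlogon Notify: (?P<name>\S+) - (?P<dll>.*)$")
O23_RE = re.compile(r"^Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<path>.*)$")
EXE_RE = re.compile(r'^"([^"]+)"|^(.*?\.(?:exe|dll|scr|com|bat|cmd|pif))\b', re.I)


@dataclass
class Finding:
    line_no: int
    kind: str                 # HijackThis section (O4, O23, ...) or PROC for a process
    reasons: tuple[str, ...]
    text: str


def in_suspicious_dir(path: str) -> bool:
    p = path.lower()
    return any(d in p for d in SUSPICIOUS_DIRS)


def executable_of(cmd: str) -> str:
    # Program part of a Run value: drop arguments and the (User '...') suffix.
    cmd = re.sub(r"\s+\(User '.*'\)$", "", cmd.strip())
    m = EXE_RE.match(cmd)
    if m:
        return m.group(1) or m.group(2)
    return cmd.split()[0] if cmd else ""


def check_entry(kind: str, body: str) -> list[str]:
    r: list[str] = []
    if kind == "F2" and body.lower().startswith("reg:system.ini: shell="):
        if body.split("=", 1)[1].strip().lower() != "explorer.exe":
            r.append("Winlogon Shell launches something besides Explorer.exe")
    elif kind == "O2" and (m := O2_RE.match(body)):
        if m["name"] == "(no name)":
            r.append("BHO registered without a name")
    elif kind == "O4" and (m := O4_RE.match(body)):
        exe = executable_of(m["cmd"])
        if "\\" not in exe:
            r.append("bare filename, resolved through the search path")
        elif in_suspicious_dir(exe):
            r.append("autorun starts a program from a temp/profile directory")
    elif kind == "O20" and (m := O20_RE.match(body)):
        if m["name"].lower() not in BASELINE_NOTIFY:
            r.append("Winlogon Notify package outside the assumed baseline")
        if "(file missing)" in m["dll"]:
            r.append("Notify DLL missing on disk")
    elif kind == "O23" and (m := O23_RE.match(body)):
        if m["owner"] == "Unknown owner":
            r.append("service binary has no owner/company information")
        if "(file missing)" in m["path"]:
            r.append("service binary missing on disk")
        if in_suspicious_dir(m["path"]):
            r.append("service binary lives in a temp/profile directory")
    return r


def triage(log_text: str) -> list[Finding]:
    findings: list[Finding] = []
    in_processes = False
    for n, raw in enumerate(log_text.splitlines(), 1):
        line = raw.strip()
        if not line:
            in_processes = False          # a blank line ends the process list
        elif line.lower() == "running processes:":
            in_processes = True
        elif in_processes:
            if in_suspicious_dir(line):
                findings.append(Finding(n, "PROC", ("process running from a temp/profile directory",), line))
        elif (m := ENTRY_RE.match(line)) and (reasons := check_entry(m["kind"], m["body"])):
            findings.append(Finding(n, m["kind"], tuple(reasons), line))
    return findings


# Sample input: lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
Running processes:
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\WINDOWS\TEMP\wmldqqcwxn.exe
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\izzars.exe

F2 - REG:system.ini: Shell=Explorer.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\svchost.exe"
O2 - BHO: (no name) - {000044A2-7283-4D76-B417-36774B1312D5} - C:\WINDOWS\system32\jvsazmyv.dll
O2 - BHO: Adobe PDF Link Helper - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\RunServices: [System Monitor] sysmon.exe
O4 - HKUS\S-1-5-18\..\Run: [Monopod] C:\WINDOWS\TEMP\b.exe (User 'SYSTEM')
O20 - Winlogon Notify: pqmdszwx - C:\WINDOWS\SYSTEM32\maverfv.dll
O20 - Winlogon Notify: rgadtm - rgadtm.dll (file missing)
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Darkness - Unknown owner - C:\WINDOWS\system\svchost.exe (file missing)
O23 - Service: WinCam - Unknown owner - C:\WINDOWS\TEMP\wmldqqcwxn.exe
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"line {f.line_no:>2} {f.kind:<4} {'; '.join(f.reasons)}\n   {f.text}")
```

Nothing it flags is a verdict. The Notify baseline will flag legitimate third-party packages, and a bare filename in a Run value only says the binary is found through the search path rather than by an explicit path. The point is to order the reading of a long log, not to replace it.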


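The "Created Last 30" section of the DDS log is a 30-day file-creation timeline and is worth triaging the same way. The code below is an added example for this thread, not part of the original post or of DDS. It parses each line and flags zero-byte files under the Windows directory, non-directory entries carrying the system or hidden attribute, double extensions that end in an executable type, and files named like a core system binary that sit outside system32; it also reports how many entries share the same minute, so installer and update bursts stand out from isolated drops. The attribute column positions (directory, system, hidden at indexes 2, 3, 4) are inferred from the listing in this thread and are an assumption, as is the CORE_NAMES list; the sample lines are copied from the posted log.

```python
"""Triage of the 'Created Last 30' section of a DDS log (added example, see lead-in)."""
from __future__ import annotations

import ntpath
import re
from collections import Counter
from dataclasses import dataclass

LINE_RE = re.compile(r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2})\s+"
                     r"(?P<size><DIR>|[\d,]+)\s+(?P<attrs>[a-z-]{8})\s+(?P<path>.+)$")
DOUBLE_EXT_RE = re.compile(r"\.\w{1,4}\.(?:exe|dll|sys|scr|com|ocx|pif)$", re.I)
# Binaries that on XP live in system32 (or its dllcache). ASSUMED list for this example.
CORE_NAMES = {"shlwapi.dll", "svchost.exe", "winlogon.exe", "lsass.exe", "services.exe",
              "csrss.exe", "smss.exe", "userinit.exe"}
SYSTEM_DIRS = {"c:\\windows\\system32", "c:\\windows\\system32\\dllcache"}


@dataclass
class Entry:
    stamp: str          # "YYYY-MM-DD HH:MM", the minute resolution DDS prints
    size: int | None    # None for <DIR>
    attrs: str          # 8-character attribute column as DDS prints it
    path: str

    # Column positions inferred from the listing in this thread (ASSUMPTION):
    # index 2 = directory, 3 = system, 4 = hidden.
    @property
    def is_dir(self) -> bool:
        return self.attrs[2] == "d"

    @property
    def is_system(self) -> bool:
        return self.attrs[3] == "s"

    @property
    def is_hidden(self) -> bool:
        return self.attrs[4] == "h"


@dataclass
class Assessment:
    entry: Entry
    reasons: list[str]
    burst: int          # entries created in the same minute, this one included


def parse(text: str) -> list[Entry]:
    entries: list[Entry] = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            size = None if m["size"] == "<DIR>" else int(m["size"].replace(",", ""))
            entries.append(Entry(f"{m['date']} {m['time']}", size, m["attrs"], m["path"]))
    return entries


def assess(e: Entry) -> list[str]:
    reasons: list[str] = []
    name = ntpath.basename(e.path).lower()
    parent = ntpath.dirname(e.path).lower()
    if not e.is_dir and (e.is_system or e.is_hidden):
        reasons.append("file carries the system/hidden attributes")
    if e.size == 0 and e.path.lower().startswith("c:\\windows\\"):
        reasons.append("zero-byte file under the Windows directory")
    if DOUBLE_EXT_RE.search(name):
        reasons.append("double extension ending in an executable type")
    if name in CORE_NAMES and parent not in SYSTEM_DIRS:
        reasons.append("named like a core system binary but outside system32")
    return reasons


def triage(text: str) -> list[Assessment]:
    entries = parse(text)
    per_minute = Counter(e.stamp for e in entries)
    return [Assessment(e, assess(e), per_minute[e.stamp]) for e in entries]


# Sample input: lines copied from the DDS log posted in this thread.
SAMPLE_CREATED = r"""
2009-08-28 12:11 <DIR> --d----- c:\docume~1\validi~1\applic~1\ujezouyc
2009-08-27 21:16 0 a------- c:\windows\libwinsock32.cab
2009-08-27 20:19 8,704 a------- c:\windows\system32\epmntdrv.sys
2009-08-27 20:19 3,072 a------- c:\windows\system32\EuGdiDrv.sys
2009-08-27 20:18 <DIR> --d----- c:\program files\EASEUS
2009-08-26 18:24 597,504 -------- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-08-26 18:24 575,488 -------- c:\windows\system32\xpsshhdr.dll
2009-08-26 18:24 575,488 -------- c:\windows\system32\dllcache\xpsshhdr.dll
2009-08-25 20:31 <DIR> --dsh--- c:\documents and settings\validitor\PrivacIE
2009-08-24 23:11 36,864 a------- c:\windows\system\Shlwapi.dll
2009-08-24 23:10 474,112 a------- C:\shlwapi.dll
2009-08-13 16:29 0 a------- c:\windows\system32\a99k.bin
2009-08-12 17:44 0 a--sh--- c:\windows\system32\GC4DD.tmp.exe
2009-08-11 19:50 207,876 a------- c:\windows\system32\msxml71.dll
"""

if __name__ == "__main__":
    for a in triage(SAMPLE_CREATED):
        if a.reasons:
            print(f"{a.entry.stamp} (burst of {a.burst}) {a.entry.path}\n   " + "; ".join(a.reasons))
```

Burst size is the useful context: many files created in the same minute are typically one installer or update run and can be assessed together, while a hidden, system-attributed, zero-byte .tmp.exe sitting alone in its minute is the entry to look at first. A second copy of a system DLL outside system32 is not automatically malicious, but it is exactly the kind of thing a human should explain before the log is declared clean.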


#2 validitor

Posted 02 September 2009 - 04:13 AM

Close this post; no replies after so long, so I am just gonna start reinstalling Windows, lol.

Thanks for your time.

#3 Orange Blossom

Moderator
Posted 04 September 2009 - 12:38 PM

I'm sorry we could not get to you sooner. Our backlog of topics is very large given the number of requests for assistance. Sometimes reformatting and reinstalling is the best and quickest solution.

This topic shall now be closed.

In case you experience any problems with the computer, please start a new topic.

Happy computing,

Orange Blossom :(