
rootkit, desote.exe


This topic is locked
10 replies to this topic

#1 yyyyyyup
  • Members
  • 15 posts

Posted 08 September 2009 - 08:13 PM

Hello - I'm a novice and have tried to mimic a whole lot of similar situations on this site to no avail. I appear to have a desote.exe virus - can't open most applications, including IE, and can't seem to run logs like HijackThis. I think I have Antivirus Pro, Total Security and Windows Police. I've tried ComboFix, Vipre, OTM, Avenger. I can no longer boot normally...get blue screen. I've attached Win32kDiag. Please help! I posted on the other forum here...and one of your kind says it is a doozy...that concerns me!! Thanks!

#2 fenzodahl512
  • Members
  • 6,738 posts

Posted 10 September 2009 - 12:37 PM

Please download The Avenger by Swandog46 and unzip it to your Desktop


Please open The Avenger. Then, please copy/paste the script inside the codebox into the Input script here: box..

Begin copying here:
Files to move:
C:\WINDOWS\system32\logevent.dll | C:\WINDOWS\system32\eventlog.dll

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.
  • Now, click on Execute. Just say Yes at every prompt.
The Avenger will automatically do the following:
  • It will Restart your computer. ( In cases where the code to execute contains "Drivers to Delete", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger's actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
Please copy/paste the content of c:\avenger.txt into your reply.



NEXT


Go to Start >> Run >> copy/paste below >> Enter. When it's finished, there will be a log called Win32kDiag.txt on your desktop. Please open it with notepad and post the contents here.

"%userprofile%\desktop\win32kdiag.exe" -f -r



NEXT


Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix.. Please visit HERE if you don't know how.. Please re-enable them back after performing all steps given..

Please download ComboFix by sUBs from HERE or HERE and save it to your Desktop.

During the download, rename Combofix to Combo-Fix as follows:


It is important you rename Combofix during the download, but not after.

**NOTE: If you are using Firefox, make sure that your download settings are as follows:
  • Tools->Options->Main tab
  • Set to "Always ask me where to Save the files".

After that, double-click and run Combo-Fix. Let it finish its job and post the log here

If ComboFix asks you to install the Recovery Console, please do so.. It will be in your best interest..

Note: DON'T do anything with your computer while ComboFix is running.. Let ComboFix finish its job..

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive
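Post #2 asks for a ComboFix log. When that log comes back, the "Reg Loading Points" section is where a helper first looks for the settings this kind of malware flips: Security Center overrides, the firewall switched off, and an AppInit_DLLs entry. The script below is an added example for this page, not part of the thread and not ComboFix's own code. It parses that section in the line format ComboFix prints (`[section]` headers, `"Name"=value` lines, DWORDs written either as `dword:00000001` or as `1 (0x1)`) and reports deviations from a healthy baseline. The sample input is a constructed excerpt of the log posted later in this thread; the list of checks and the "healthy" values are the example's own.

```python
import re

# Constructed excerpt of the "Reg Loading Points" section of the ComboFix log
# posted in this thread (only the entries the checks below need, plus one
# ordinary Run entry to show the parser tolerates other sections).
SAMPLE_REG_POINTS = r"""
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"LoadAppInit_DLLs"=1 (0x1)
"AppInit_DLLs"=c:\windows\system32\kupageli.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"""

SECTION_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')


def parse_reg_points(text):
    """Map each [section] (lower-cased) to {value_name_lower: raw_value_text}."""
    reg, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1).lower()
            reg.setdefault(section, {})
            continue
        m = VALUE_RE.match(line)
        if m and section is not None:
            reg[section][m.group(1).lower()] = m.group(2).strip()
    return reg


def as_int(raw):
    """ComboFix prints DWORDs either as 'dword:00000001' or as '1 (0x1)'."""
    m = re.match(r"^dword:([0-9a-f]{8})$", raw, re.I)
    if m:
        return int(m.group(1), 16)
    m = re.match(r"^(\d+)\s*\(0x[0-9a-f]+\)$", raw, re.I)
    if m:
        return int(m.group(1))
    return None


# (section suffix, value name, value a healthy machine has, meaning of a deviation)
# This baseline is the example's own; ComboFix itself only lists the keys.
POSTURE_CHECKS = [
    ("\\security center", "AntiVirusOverride", 0, "Security Center no longer warns about the AV state"),
    ("\\security center", "UpdatesDisableNotify", 0, "Security Center no longer warns about Windows Update"),
    ("\\firewallpolicy\\standardprofile", "EnableFirewall", 1, "Windows Firewall is off"),
]


def audit(text):
    """Return human-readable findings for the posture keys and AppInit_DLLs."""
    reg = parse_reg_points(text)
    findings = []
    for suffix, name, healthy, meaning in POSTURE_CHECKS:
        for section, values in reg.items():
            if section.endswith(suffix) and name.lower() in values:
                val = as_int(values[name.lower()])
                if val != healthy:
                    findings.append(f"{name}={val}: {meaning}")
    # AppInit_DLLs is loaded into every process that maps user32.dll. The
    # LoadAppInit_DLLs gate exists on Vista and later; XP (this machine) honours
    # the list regardless, so a non-empty entry is flagged on its own.
    for section, values in reg.items():
        if section.endswith("\\windows nt\\currentversion\\windows"):
            dlls = values.get("appinit_dlls", "")
            if dlls:
                gate = as_int(values.get("loadappinit_dlls", ""))
                findings.append(
                    f"AppInit_DLLs={dlls}: injected into every process that maps user32.dll"
                    + (" (LoadAppInit_DLLs=1)" if gate == 1 else "")
                )
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_REG_POINTS):
        print(finding)
```

ComboFix's own note ("empty entries & legit default entries are not shown") is why presence alone matters here: a Security Center override or an AppInit_DLLs value only appears in the log because something set it.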


#3 yyyyyyup (Topic Starter)
  • Members
  • 15 posts

Posted 10 September 2009 - 09:40 PM

Thank you for your help AM I CURED...???

Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

ComboFix 09-09-10.01 - Administrator 09/10/2009 22:11.1.1 - NTFSx86 MINIMAL
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.503.392 [GMT -4:00]
Running from: c:\documents and settings\Administrator\Desktop\Combo-Fix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\blyuwrjl.exe
c:\docume~1\ADMINI~1\LOCALS~1\Temp\svchost.exe
c:\docume~1\ADMINI~1\LOCALS~1\Temp\winlogon.exe
c:\documents and settings\Alison\Start Menu\Advanced Virus Remover.lnk
c:\documents and settings\All Users\Application Data\10818434
c:\documents and settings\All Users\Application Data\10818434\10818434
c:\documents and settings\All Users\Application Data\10818434\10818434.exe
c:\documents and settings\All Users\Application Data\10818434\pc10818434ins
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\emxtqjit.exe
C:\fyblb.exe
C:\osps.exe
c:\program files\AdvancedVirusRemover
c:\program files\AdvancedVirusRemover\PAVRM.exe
c:\program files\Common Files\izaqidu.inf
c:\program files\Common
c:\program files\Common\_helper.sig
c:\program files\sFX
c:\program files\sFX\SfX.DlL
c:\program files\sFX\sfX.sYs
c:\program files\Shared\lib.dll
c:\program files\Shared\lib.sig
C:\svfp.exe
C:\tujfbtrj.exe
c:\windows\010112010146118114.dat
c:\windows\0101120101464849.dat
c:\windows\braviax.exe
c:\windows\cru629.dat
c:\windows\install.exe
c:\windows\Installer\32e725a.msi
c:\windows\laki.exe
c:\windows\ld12.exe
c:\windows\loadernew.exe
c:\windows\mark_32.dll
c:\windows\ppp3.dat
c:\windows\ppp4.dat
c:\windows\system32\_000006_.tmp.dll
c:\windows\system32\_000007_.tmp.dll
c:\windows\system32\_000008_.tmp.dll
c:\windows\system32\_000009_.tmp.dll
c:\windows\system32\_000012_.tmp.dll
c:\windows\system32\~.exe
c:\windows\system32\1.tmp
c:\windows\system32\2.tmp
c:\windows\system32\3.tmp
c:\windows\system32\afojogek.ini
c:\windows\system32\amazoliz.ini
c:\windows\system32\bennuar.old
c:\windows\system32\bitonuta.exe
c:\windows\system32\braviax.exe
c:\windows\system32\bszip.dll
c:\windows\system32\bufezeza.dll
c:\windows\system32\cru629.dat
c:\windows\system32\desote.exe
c:\windows\system32\deyogisu.dll
c:\windows\system32\drivers\hjgruiupxurtlt.sys
c:\windows\system32\drivers\kbiwkmaiqjxvum.sys
c:\windows\system32\drivers\UACoodulkdvei.sys
c:\windows\system32\dutimode.dll
c:\windows\system32\gajukilu.dll
c:\windows\system32\genahowa.dll
c:\windows\system32\gsf83iujid.dll
c:\windows\system32\herutoho.dll
c:\windows\system32\hjgruikjkorqth.dat
c:\windows\system32\hjgruinkvsauwk.dll
c:\windows\system32\IEDFix.C.exe
c:\windows\system32\igojoyuw.ini
c:\windows\system32\images
c:\windows\system32\images\i1.gif
c:\windows\system32\images\i2.gif
c:\windows\system32\images\i3.gif
c:\windows\system32\images\j1.gif
c:\windows\system32\images\j2.gif
c:\windows\system32\images\j3.gif
c:\windows\system32\images\jj1.gif
c:\windows\system32\images\jj2.gif
c:\windows\system32\images\jj3.gif
c:\windows\system32\images\l1.gif
c:\windows\system32\images\l2.gif
c:\windows\system32\images\l3.gif
c:\windows\system32\images\pix.gif
c:\windows\system32\images\t1.gif
c:\windows\system32\images\t2.gif
c:\windows\system32\images\up1.gif
c:\windows\system32\images\up2.gif
c:\windows\system32\images\w1.gif
c:\windows\system32\images\w11.gif
c:\windows\system32\images\w2.gif
c:\windows\system32\images\w3.gif
c:\windows\system32\images\w3.jpg
c:\windows\system32\images\wt1.gif
c:\windows\system32\images\wt2.gif
c:\windows\system32\images\wt3.gif
c:\windows\system32\jakegetu.dll
c:\windows\system32\kbiwkmhpymetnb.dat
c:\windows\system32\kbiwkmlyhjovbu.dat
c:\windows\system32\kbiwkmrgfthkwn.dll
c:\windows\system32\kbiwkmyaprsill.dll
c:\windows\system32\kupageli.dll
c:\windows\system32\merenugu.dll
c:\windows\system32\nadusifa.dll
c:\windows\system32\o4Patch.exe
c:\windows\system32\onhelp.htm
c:\windows\system32\parajami.exe
c:\windows\system32\Process.exe
c:\windows\system32\ridilave.dll
c:\windows\system32\sonhelp.htm
c:\windows\system32\SrchSTS.exe
c:\windows\system32\sysnet.dat
c:\windows\system32\tajf83ikdmf.dll
c:\windows\system32\tapi.nfo
c:\windows\system32\UACqhyxqjkmek.dll
c:\windows\system32\UACrscnlmnvvxmpralxr.dat
c:\windows\system32\wbem\proquota.exe
c:\windows\system32\winhelper.dll
c:\windows\system32\winupdate.exe
c:\windows\system32\wisdstr.exe
c:\windows\system32\wispex.html
c:\windows\Temp\3308127504.exe
c:\windows\Temp\681822792.exe
c:\windows\video.exe
c:\windows\ypavy.vbs

----- BITS: Possible infected sites -----

hxxp://82.98.231.96
hxxp://82.98.231.97
Infected copy of c:\windows\system32\drivers\beep.sys was found and disinfected
Restored copy from - c:\i386\BEEP.SYS

c:\windows\system32\proquota.exe was missing
Restored copy from - c:\windows\$NtServicePackUninstall$\proquota.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_kbiwkmfwarajiq
-------\Legacy_kbiwkmfwarajiq
-------\Legacy_ANTIPPRO2009_100
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226EE}
-------\Service_AntipPro2009_100


((((((((((((((((((((((((( Files Created from 2009-08-11 to 2009-09-11 )))))))))))))))))))))))))))))))
.

2009-09-11 02:21 . 2004-08-04 10:00 50176 ----a-w- c:\windows\system32\proquota.exe
2009-08-31 02:20 . 2009-08-31 02:20 -------- d-----w- C:\spoolerlogs
2009-08-31 02:11 . 2009-08-31 02:11 -------- d-----w- c:\documents and settings\Alison\Application Data\PC Tools
2009-08-31 02:09 . 2009-09-11 02:25 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-08-31 02:08 . 2009-08-31 02:08 -------- d-----w- c:\program files\Common Files\PC Tools
2009-08-31 02:08 . 2009-09-11 01:47 -------- d-----w- c:\program files\PC Tools AntiVirus
2009-08-31 02:08 . 2009-09-11 01:47 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2009-08-31 01:53 . 2009-08-31 01:53 -------- d-----w- c:\documents and settings\All Users\Application Data\SITEguard
2009-08-31 01:51 . 2009-08-31 01:51 -------- d-----w- c:\program files\STOPzilla!
2009-08-31 01:51 . 2009-08-31 01:51 -------- d-----w- c:\program files\Common Files\iS3
2009-08-31 01:51 . 2006-09-05 01:29 -------- d-----w- c:\documents and settings\All Users\Application Data\STOPzilla!
2009-08-31 01:33 . 2009-08-31 01:37 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware2
2009-08-31 00:54 . 2006-09-09 01:33 29184 ----a-w- c:\windows\system32\dllcache\beep.sys
2009-08-31 00:54 . 2004-08-04 10:00 4224 ----a-w- c:\windows\system32\drivers\beep.sys
2009-08-29 03:54 . 2009-08-29 03:54 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware3
2009-08-29 03:38 . 2009-08-29 03:38 163840 ----a-w- c:\windows\svchasts.exe
2009-08-15 14:07 . 2009-09-11 02:20 -------- d-----w- c:\program files\Shared

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-31 02:58 . 2009-04-21 03:17 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-08-31 01:24 . 2008-05-21 21:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-08-29 01:14 . 2009-05-29 01:14 831012 --sha-w- c:\windows\system32\satukivu.exe
2009-07-25 02:36 . 2009-07-25 02:36 17863 ----a-w- c:\windows\yrut.dat
2009-07-25 02:36 . 2009-07-25 02:36 17355 ----a-w- c:\windows\system32\ilusi.bin
2009-07-25 02:36 . 2009-07-25 02:36 14468 ----a-w- c:\documents and settings\All Users\Application Data\xalaga.pif
2009-07-25 02:36 . 2009-07-25 02:36 12327 ----a-w- c:\windows\system32\wapewes.dat
2009-07-25 02:36 . 2009-07-25 02:36 12247 ----a-w- c:\documents and settings\All Users\Application Data\ihib.scr
2009-07-25 02:36 . 2009-07-25 02:36 14560 ----a-w- c:\program files\Common Files\juhiza._sy
2009-07-25 02:11 . 2005-11-11 16:36 -------- d-----w- c:\documents and settings\Alison\Application Data\AdobeUM
2009-07-22 03:45 . 2008-06-14 02:43 -------- d-----w- c:\documents and settings\Alison\Application Data\Skype
2009-07-22 01:22 . 2008-06-14 02:44 -------- d-----w- c:\documents and settings\Alison\Application Data\skypePM
2009-07-20 18:57 . 2009-07-20 18:57 17408 ----a-r- c:\windows\system32\SZIO5.dll
2009-07-20 18:56 . 2009-07-20 18:56 311296 ----a-r- c:\windows\system32\SZBase5.dll
2009-07-20 18:56 . 2009-07-20 18:56 540672 ----a-r- c:\windows\system32\SZComp5.dll
2009-07-14 03:06 . 2009-07-14 03:06 107340 ----a-w- c:\windows\system32\drivers\4ef7a345.sys
2009-07-14 03:05 . 2009-07-14 03:05 69845 ----a-w- C:\mhgyi.exe
2009-07-14 03:05 . 2009-07-14 03:05 210046 ----a-w- C:\dixmhtm.exe
2009-07-09 19:52 . 2009-07-09 19:52 126976 ----a-r- c:\windows\system32\IS3HTUI5.dll
2009-07-09 19:52 . 2009-07-09 19:52 393216 ----a-r- c:\windows\system32\IS3DBA5.dll
2009-07-09 19:51 . 2009-07-09 19:51 385024 ----a-r- c:\windows\system32\IS3UI5.dll
2009-07-09 19:51 . 2009-07-09 19:51 61440 ----a-r- c:\windows\system32\IS3Hks5.dll
2009-07-09 19:51 . 2009-07-09 19:51 23040 ----a-r- c:\windows\system32\IS3XDat5.dll
2009-07-09 19:50 . 2009-07-09 19:50 225280 ----a-r- c:\windows\system32\IS3Win325.dll
2009-07-09 19:50 . 2009-07-09 19:50 94208 ----a-r- c:\windows\system32\IS3Inet5.dll
2009-07-09 19:50 . 2009-07-09 19:50 90112 ----a-r- c:\windows\system32\IS3Svc5.dll
2009-07-09 19:47 . 2009-07-09 19:47 724992 ----a-r- c:\windows\system32\IS3Base5.dll
2006-06-06 03:08 . 2006-06-06 03:08 50176 --sha-w- c:\windows\SYSTEM32\dakegopu.dll
2006-09-06 03:07 . 2006-06-06 03:07 831524 --sha-w- c:\windows\SYSTEM32\jedepona.exe
2006-09-06 03:07 . 2006-06-06 03:07 88576 --sha-w- c:\windows\SYSTEM32\kefuzego.dll
2006-09-06 03:08 . 2006-06-06 03:07 50176 --sha-w- c:\windows\SYSTEM32\matidaha.dll
2007-08-29 17:07 . 2007-05-29 17:07 49664 --sha-w- c:\windows\SYSTEM32\nilujete.dll
2006-09-06 03:07 . 2006-06-06 03:07 24490 --sha-w- c:\windows\SYSTEM32\ruweyego.exe
2006-09-04 19:06 . 2006-06-04 19:06 831524 --sha-w- c:\windows\SYSTEM32\sehuwuri.exe
2007-08-29 04:05 . 2007-05-29 04:05 831012 --sha-w- c:\windows\SYSTEM32\sesotoja.exe
2006-06-06 03:08 . 2006-06-06 03:08 50176 --sha-w- c:\windows\SYSTEM32\yegusaso.dll
2006-09-04 19:06 . 2006-06-04 19:06 37376 --sha-w- c:\windows\SYSTEM32\yusayena.dll
2007-08-29 04:05 . 2007-05-29 04:05 209408 --sha-w- c:\windows\SYSTEM32\zagubura.dll
2007-08-29 17:07 . 2007-05-29 17:07 83968 --sha-w- c:\windows\SYSTEM32\zanaruma.dll
2006-09-06 03:07 . 2006-06-06 03:07 37376 --sha-w- c:\windows\SYSTEM32\zoyumuhe.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{e189a51e-565f-4b13-bcb4-f0616ed8e231}]
2006-06-06 03:08 50176 --sha-w- c:\windows\SYSTEM32\yegusaso.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-05-21 68856]
"RegistryMechanic"="c:\program files\Registry Mechanic\RegMech.exe" [2009-06-30 2836376]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-15 148888]
"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2005-07-29 26112]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2004-02-12 49152]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2004-05-12 241664]
"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-02-08 488984]
"LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam10\QuickCam10.exe" [2007-02-08 774168]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-03-11 342312]
"mmtask"="c:\program files\Musicmatch\Musicmatch Jukebox\mmtask.exe" [2006-01-17 53248]
"wavedegup"="c:\windows\system32\kefuzego.dll" [2006-09-06 88576]
"ziledalegu"="c:\windows\system32\dakegopu.dll" [2006-06-06 50176]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2005-7-29 24576]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2004-3-15 241664]
HP Image Zone Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2004-3-15 53248]
Logitech Desktop Messenger.lnk - c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe [2008-9-4 91440]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2004-11-11 806912]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\SharedTaskScheduler]
"{8c4a2751-d233-481a-960b-7b6e2c184eed}"= "c:\windows\system32\kefuzego.dll" [2006-09-06 88576]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"zekewivuw"= {8c4a2751-d233-481a-960b-7b6e2c184eed} - c:\windows\system32\kefuzego.dll [2006-09-06 88576]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"LoadAppInit_DLLs"=1 (0x1)
"AppInit_DLLs"=c:\windows\system32\kupageli.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\WINDOWS\\explorer.exe"=

R2 szkg5;szkg;c:\windows\SYSTEM32\DRIVERS\SZKG.sys [5/12/2009 2:13 PM 61328]
S2 jsfkmovy;jsfkmovy;c:\windows\system32\drivers\vwfw.sys --> c:\windows\system32\drivers\vwfw.sys [?]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\E.tmp --> c:\windows\system32\E.tmp [?]
S3 SBRE;SBRE;c:\windows\SYSTEM32\DRIVERS\SBREDrv.sys [9/4/2006 11:10 PM 92464]
.
Contents of the 'Scheduled Tasks' folder

2009-09-11 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-05-21 22:25]

2009-09-11 c:\windows\Tasks\User_Feed_Synchronization-{A766CEF0-F828-43E1-9D58-136F754B28BB}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 22:36]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
uInternet Settings,ProxyServer = 192.168.1.1:80
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
DPF: {1A595EDD-978A-48C7-B730-AF3B9CC64DAB} - hxxp://63.251.81.180/component/VZWDLManager.cab
FF - ProfilePath - c:\documents and settings\Alison\Application Data\Mozilla\Firefox\Profiles\rir56rg3.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://start.mozilla.org/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa2.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-msiexec.exe - ~.exe
Notify-scom - c:\program files\Internet Explorer\PLUGINS\scom.dll



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-10 22:25
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\E.tmp"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(1108)
c:\windows\system32\dakegopu.dll
c:\windows\system32\kefuzego.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\SYSTEM32\LEXBCES.EXE
c:\windows\SYSTEM32\LEXPPS.EXE
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\iPod\bin\iPodService.exe
c:\program files\Common Files\logishrd\LComMgr\LVComSX.exe
c:\program files\HP\Digital Imaging\bin\hpqgalry.exe
c:\program files\Common Files\logishrd\LQCVFX\COCIManager.exe
c:\program files\Common Files\InstallShield\UpdateService\agent.exe
c:\program files\Java\jre6\bin\jucheck.exe
c:\docume~1\Alison\LOCALS~1\Temp\jre-6u15-windows-i586-iftw.exe
.
**************************************************************************
.
Completion time: 2009-09-11 22:32 - machine was rebooted [Alison]
ComboFix-quarantined-files.txt 2009-09-11 02:31

Pre-Run: 14,125,510,656 bytes free
Post-Run: 14,200,832,000 bytes free

338 --- E O F --- 2009-04-16 07:04




File move operation "c:\windows\system32\logevent.dll|c:\windows\system32\eventlog.dll" completed successfully.

Completed script processing.

*******************

Finished! Terminate.

Log file is located at: C:\Documents and Settings\Administrator\Desktop\Win32kDiag.txt

Removing all found mount points.

Attempting to reset file permissions.

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...



Found mount point : C:\WINDOWS\$hf_mig$\KB932168\KB932168

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB932168\KB932168

Found mount point : C:\WINDOWS\$hf_mig$\KB933729\KB933729

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB933729\KB933729

Found mount point : C:\WINDOWS\$hf_mig$\KB943460\KB943460

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB943460\KB943460

Found mount point : C:\WINDOWS\$hf_mig$\{29F8DDC1-9487-49b8-B27E-3E0C3C1298FF}

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\{29F8DDC1-9487-49b8-B27E-3E0C3C1298FF}

Found mount point : C:\WINDOWS\ASSEMBLY\TMP\TMP

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ASSEMBLY\TMP\TMP

Found mount point : C:\WINDOWS\Config\Config

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Config\Config

Found mount point : C:\WINDOWS\Connection Wizard\Connection Wizard

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Connection Wizard\Connection Wizard

Found mount point : C:\WINDOWS\Debug\UserMode\UserMode

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Debug\UserMode\UserMode

Found mount point : C:\WINDOWS\Help\SBSI\Training\WXPPer\Cbz\Cbz

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Help\SBSI\Training\WXPPer\Cbz\Cbz

Found mount point : C:\WINDOWS\Help\SBSI\Training\WXPPer\Lib\Lib

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Help\SBSI\Training\WXPPer\Lib\Lib

Found mount point : C:\WINDOWS\Help\SBSI\Training\WXPPer\Wave\Wave

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Help\SBSI\Training\WXPPer\Wave\Wave

Found mount point : C:\WINDOWS\IME\CHSIME\APPLETS\APPLETS

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\IME\CHSIME\APPLETS\APPLETS

Found mount point : C:\WINDOWS\IME\CHTIME\Applets\Applets

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\IME\CHTIME\Applets\Applets

Found mount point : C:\WINDOWS\IME\IMEJP\APPLETS\APPLETS

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\IME\IMEJP\APPLETS\APPLETS

Found mount point : C:\WINDOWS\IME\IMEJP98\IMEJP98

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\IME\IMEJP98\IMEJP98

Found mount point : C:\WINDOWS\IME\IMJP8_1\APPLETS\APPLETS

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\IME\IMJP8_1\APPLETS\APPLETS

Found mount point : C:\WINDOWS\IME\IMKR6_1\APPLETS\APPLETS

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\IME\IMKR6_1\APPLETS\APPLETS

Found mount point : C:\WINDOWS\IME\IMKR6_1\DICTS\DICTS

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\IME\IMKR6_1\DICTS\DICTS

Found mount point : C:\WINDOWS\IME\SHARED\RES\RES

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\IME\SHARED\RES\RES

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\D7314F9862C648A4DB8BE2A5B47BE100\1.0.0\1.0.0

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\D7314F9862C648A4DB8BE2A5B47BE100\1.0.0\1.0.0

Found mount point : C:\WINDOWS\JAVA\CLASSES\CLASSES

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\JAVA\CLASSES\CLASSES

Found mount point : C:\WINDOWS\JAVA\TRUSTLIB\TRUSTLIB

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\JAVA\TRUSTLIB\TRUSTLIB

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\Bind Logs\Bind Logs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\Bind Logs\Bind Logs

Found mount point : C:\WINDOWS\MSAPPS\MSINFO\MSINFO

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\MSAPPS\MSINFO\MSINFO

Found mount point : C:\WINDOWS\MUI\MUI

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\MUI\MUI

Found mount point : C:\WINDOWS\PCHEALTH\ERRORREP\QHEADLES\QHEADLES

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\PCHEALTH\ERRORREP\QHEADLES\QHEADLES

Found mount point : C:\WINDOWS\PCHEALTH\ERRORREP\QSIGNOFF\QSIGNOFF

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\PCHEALTH\ERRORREP\QSIGNOFF\QSIGNOFF

Found mount point : C:\WINDOWS\PCHEALTH\HELPCTR\BATCH\BATCH

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\PCHEALTH\HELPCTR\BATCH\BATCH

Found mount point : C:\WINDOWS\PCHEALTH\HELPCTR\Config\CheckPoint\CheckPoint

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\PCHEALTH\HELPCTR\Config\CheckPoint\CheckPoint

Found mount point : C:\WINDOWS\PCHEALTH\HELPCTR\HelpFiles\HelpFiles

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\PCHEALTH\HELPCTR\HelpFiles\HelpFiles

Found mount point : C:\WINDOWS\PCHEALTH\HELPCTR\InstalledSKUs\InstalledSKUs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\PCHEALTH\HELPCTR\InstalledSKUs\InstalledSKUs

Found mount point : C:\WINDOWS\PCHEALTH\HELPCTR\System\DFS\DFS

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\PCHEALTH\HELPCTR\System\DFS\DFS

Found mount point : C:\WINDOWS\PCHEALTH\HELPCTR\Temp\Temp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\PCHEALTH\HELPCTR\Temp\Temp

Found mount point : C:\WINDOWS\PIF\PIF

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\PIF\PIF

Found mount point : C:\WINDOWS\Registration\CRMLog\CRMLog

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Registration\CRMLog\CRMLog

Found mount point : C:\WINDOWS\SoftwareDistribution\AuthCabs\Downloaded\Downloaded

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\AuthCabs\Downloaded\Downloaded

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\022593ca08eb4cd8e9681a7116f902d9\backup\backup

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\022593ca08eb4cd8e9681a7116f902d9\backup\backup

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\263159e92061f273983a0f9531635ce0\backup\backup

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\263159e92061f273983a0f9531635ce0\backup\backup

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\355f788b6de8a3ec79e9aa172e6317f1\backup\backup

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\355f788b6de8a3ec79e9aa172e6317f1\backup\backup

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\5457b20e4d74937d47b86f91637bd134\backup\backup

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\5457b20e4d74937d47b86f91637bd134\backup\backup

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\backup\asms\10\policy\policy

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\backup\asms\10\policy\policy

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\backup\asms\51\msft\msft

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\backup\asms\51\msft\msft

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\backup\asms\51\policy\msft\msft

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\backup\asms\51\policy\msft\msft

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\backup\asms\52\msft\msft

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\backup\asms\52\msft\msft

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\backup\asms\52\policy\msft\msft

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\backup\asms\52\policy\msft\msft

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\backup\asms\60\msft\msft

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\backup\asms\60\msft\msft

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\backup\asms\70\70

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\backup\asms\70\70

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\f6ae6c01481096f08117233982ca37f9\backup\backup

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\f6ae6c01481096f08117233982ca37f9\backup\backup

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\fae8bc4d2da2adc1b9109ef4e6cecd1f\backup\backup

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\fae8bc4d2da2adc1b9109ef4e6cecd1f\backup\backup

Found mount point : C:\WINDOWS\SoftwareDistribution\SelfUpdate\Registered\Registered

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\SelfUpdate\Registered\Registered

Found mount point : C:\WINDOWS\Sun\Java\Deployment\Deployment

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Sun\Java\Deployment\Deployment

Found mount point : C:\WINDOWS\SYSTEM32\1025\1025

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SYSTEM32\1025\1025

Found mount point : C:\WINDOWS\SYSTEM32\1028\1028

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SYSTEM32\1028\1028

Found mount point : C:\WINDOWS\SYSTEM32\1031\1031

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SYSTEM32\1031\1031

Found mount point : C:\WINDOWS\SYSTEM32\1037\1037

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SYSTEM32\1037\1037

Found mount point : C:\WINDOWS\SYSTEM32\1041\1041

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SYSTEM32\1041\1041

Found mount point : C:\WINDOWS\SYSTEM32\1042\1042

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SYSTEM32\1042\1042

Found mount point : C:\WINDOWS\SYSTEM32\1054\1054

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SYSTEM32\1054\1054

Found mount point : C:\WINDOWS\SYSTEM32\2052\2052

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SYSTEM32\2052\2052

Found mount point : C:\WINDOWS\SYSTEM32\3076\3076

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SYSTEM32\3076\3076

Found mount point : C:\WINDOWS\SYSTEM32\3COM_DMI\3COM_DMI

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SYSTEM32\3COM_DMI\3COM_DMI

Found mount point : C:\WINDOWS\SYSTEM32\CatRoot_bak\CatRoot_bak

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SYSTEM32\CatRoot_bak\CatRoot_bak

Found mount point : C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Application Data\Identities\{DFF16927-88E6-4EAA-A097-460B7E65289B}\{DFF16927-88E6-4EAA-A097-460B7E65289B}

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Application Data\Identities\{DFF16927-88E6-4EAA-A097-460B7E65289B}\{DFF16927-88E6-4EAA-A097-460B7E65289B}

Found mount point : C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Application Data\Jasc Software Inc\Paint Shop Pro Studio\Paint Shop Pro Studio

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Application Data\Jasc Software Inc\Paint Shop Pro Studio\Paint Shop Pro Studio

Found mount point : C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Application Data\Microsoft\Credentials\S-1-5-21-1708537768-616249376-725345543-1003\S-1-5-21-1708537768-616249376-725345543-1003

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Application Data\Microsoft\Credentials\S-1-5-21-1708537768-616249376-725345543-1003\S-1-5-21-1708537768-616249376-725345543-1003

Found mount point : C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Application Data\Microsoft\Credentials\S-1-5-21-1905025777-3795643511-3975696948-1003\S-1-5-21-1905025777-3795643511-3975696948-1003

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Application Data\Microsoft\Credentials\S-1-5-21-1905025777-3795643511-3975696948-1003\S-1-5-21-1905025777-3795643511-3975696948-1003

Found mount point : C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Application Data\Microsoft\Crypto\RSA\S-1-5-21-1905025777-3795643511-3975696948-1003\S-1-5-21-1905025777-3795643511-3975696948-1003

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Application Data\Microsoft\Crypto\RSA\S-1-5-21-1905025777-3795643511-3975696948-1003\S-1-5-21-1905025777-3795643511-3975696948-1003

Found mount point : C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Application Data\Microsoft\Media Player\Media Player

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Application Data\Microsoft\Media Player\Media Player

Found mount point : C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Application Data\Microsoft\SystemCertificates\My\Certificates\Certificates

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Application Data\Microsoft\SystemCertificates\My\Certificates\Certificates

Found mount point : C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Application Data\Microsoft\SystemCertificates\My\CRLs\CRLs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Application Data\Microsoft\SystemCertificates\My\CRLs\CRLs

Found mount point : C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Application Data\Microsoft\SystemCertificates\My\CTLs\CTLs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Application Data\Microsoft\SystemCertificates\My\CTLs\CTLs

Found mount point : C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Application Data\Sun\Java\Deployment\javaws\cache\cache

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Application Data\Sun\Java\Deployment\javaws\cache\cache

Found mount point : C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Application Data\Symantec\Symantec

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Application Data\Symantec\Symantec

Found mount point : C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Desktop\Desktop

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Desktop\Desktop

Found mount point : C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Application Data\BVRP Software\NetWaiting\NetWaiting

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Application Data\BVRP Software\NetWaiting\NetWaiting

Found mount point : C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Application Data\Microsoft\CD Burning\CD Burning

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Application Data\Microsoft\CD Burning\CD Burning

Found mount point : C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Application Data\Microsoft\Credentials\S-1-5-21-1708537768-616249376-725345543-1003\S-1-5-21-1708537768-616249376-725345543-1003

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Application Data\Microsoft\Credentials\S-1-5-21-1708537768-616249376-725345543-1003\S-1-5-21-1708537768-616249376-725345543-1003

Found mount point : C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Application Data\Microsoft\Credentials\S-1-5-21-1905025777-3795643511-3975696948-1003\S-1-5-21-1905025777-3795643511-3975696948-1003

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Application Data\Microsoft\Credentials\S-1-5-21-1905025777-3795643511-3975696948-1003\S-1-5-21-1905025777-3795643511-3975696948-1003

Found mount point : C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Application Data\Microsoft\OFFICE\OFFICE

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Application Data\Microsoft\OFFICE\OFFICE

Found mount point : C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temp\Temp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temp\Temp

Found mount point : C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\NetHood\NetHood

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\NetHood\NetHood

Found mount point : C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\PrintHood\PrintHood

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\PrintHood\PrintHood

Found mount point : C:\WINDOWS\SYSTEM32\DHCP\DHCP

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SYSTEM32\DHCP\DHCP

Found mount point : C:\WINDOWS\SYSTEM32\DRIVERS\DISDN\DISDN

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SYSTEM32\DRIVERS\DISDN\DISDN

Found mount point : C:\WINDOWS\SYSTEM32\EXPORT\EXPORT

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SYSTEM32\EXPORT\EXPORT

Found mount point : C:\WINDOWS\SYSTEM32\FxsTmp\FxsTmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SYSTEM32\FxsTmp\FxsTmp

Found mount point : C:\WINDOWS\SYSTEM32\IME\CINTLGNT\CINTLGNT

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SYSTEM32\IME\CINTLGNT\CINTLGNT

Found mount point : C:\WINDOWS\SYSTEM32\IME\PINTLGNT\PINTLGNT

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SYSTEM32\IME\PINTLGNT\PINTLGNT

Found mount point : C:\WINDOWS\SYSTEM32\IME\TINTLGNT\TINTLGNT

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SYSTEM32\IME\TINTLGNT\TINTLGNT

Found mount point : C:\WINDOWS\SYSTEM32\INETSRV\INETSRV

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SYSTEM32\INETSRV\INETSRV

Found mount point : C:\WINDOWS\SYSTEM32\Microsoft\Crypto\RSA\MachineKeys\MachineKeys

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SYSTEM32\Microsoft\Crypto\RSA\MachineKeys\MachineKeys

Found mount point : C:\WINDOWS\SYSTEM32\MUI\DISPSPEC\DISPSPEC

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SYSTEM32\MUI\DISPSPEC\DISPSPEC

Found mount point : C:\WINDOWS\SYSTEM32\OOBE\HTML\ISPSGNUP\ISPSGNUP

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SYSTEM32\OOBE\HTML\ISPSGNUP\ISPSGNUP

Found mount point : C:\WINDOWS\SYSTEM32\OOBE\HTML\OEMCUST\OEMCUST

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SYSTEM32\OOBE\HTML\OEMCUST\OEMCUST

Found mount point : C:\WINDOWS\SYSTEM32\OOBE\HTML\OEMHW\OEMHW

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SYSTEM32\OOBE\HTML\OEMHW\OEMHW

Found mount point : C:\WINDOWS\SYSTEM32\OOBE\HTML\OEMREG\OEMREG

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SYSTEM32\OOBE\HTML\OEMREG\OEMREG

Found mount point : C:\WINDOWS\SYSTEM32\OOBE\SAMPLE\SAMPLE

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SYSTEM32\OOBE\SAMPLE\SAMPLE

Found mount point : C:\WINDOWS\SYSTEM32\ShellExt\ShellExt

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SYSTEM32\ShellExt\ShellExt

Found mount point : C:\WINDOWS\SYSTEM32\SPOOL\PRINTERS\PRINTERS

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SYSTEM32\SPOOL\PRINTERS\PRINTERS

Found mount point : C:\WINDOWS\SYSTEM32\WBEM\MOF\BAD\BAD

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SYSTEM32\WBEM\MOF\BAD\BAD

Found mount point : C:\WINDOWS\SYSTEM32\WBEM\SNMP\SNMP

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SYSTEM32\WBEM\SNMP\SNMP

Found mount point : C:\WINDOWS\SYSTEM32\WINS\WINS

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SYSTEM32\WINS\WINS

Found mount point : C:\WINDOWS\SYSTEM32\XIRCOM\XIRCOM

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SYSTEM32\XIRCOM\XIRCOM

Found mount point : C:\WINDOWS\Temp\GUM14.tmp\CrashReports\CrashReports

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\GUM14.tmp\CrashReports\CrashReports

Found mount point : C:\WINDOWS\WinSxS\InstallTemp\InstallTemp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\WinSxS\InstallTemp\InstallTemp



Finished!
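
The Win32kDiag output above is dominated by one pattern: directory after directory turned into a reparse point whose target is a device that does not exist. As an added example (not from the thread and not Win32kDiag's own code), the Python below parses that output format, pairs each "Found mount point" with the destination line that follows it, and separates reparse points that resolve to a real volume from those that do not. The target forms it treats as benign (\Device\HarddiskVolumeN, \??\Volume{GUID}, \??\X:\...) are an assumption about what ordinary junctions and volume mount points look like, not something the log states, and the sample lines it runs on are constructed in the style of the log with one legitimate junction added so the filter has something to let through.

```python
r"""Triage of Win32kDiag-style 'Found mount point' output.

Added example, not part of the thread and not Win32kDiag's own code. Each
'Found mount point' line is paired with the 'Mount point destination' line
that follows it, and every reparse point whose target is not a real volume
is flagged. Assumption: a legitimate volume mount point or junction resolves
to \Device\HarddiskVolumeN, \??\Volume{GUID} or \??\X:\...; the log above shows
system directories redirected to a device that does not exist, \Device\__max++>\^.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

FOUND_RE = re.compile(r"^Found mount point\s*:\s*(?P<path>.+?)\s*$")
DEST_RE = re.compile(r"^Mount point destination\s*:\s*(?P<dest>.+?)\s*$")
# Target forms a normal junction / volume mount point can have (assumption, see above).
BENIGN_DEST_RE = re.compile(
    r"^(\\Device\\HarddiskVolume\d+"
    r"|\\\?\?\\Volume\{[0-9A-Fa-f-]{36}\}"
    r"|\\\?\?\\[A-Za-z]:)(\\.*)?$"
)


@dataclass
class MountPoint:
    path: str
    dest: str

    @property
    def suspicious(self) -> bool:
        """Target is not a volume the filesystem could actually serve."""
        return BENIGN_DEST_RE.match(self.dest) is None

    @property
    def self_named(self) -> bool:
        """Junction carries the same name as its parent directory (...\\Temp\\Temp)."""
        parts = self.path.rstrip("\\").split("\\")
        return len(parts) >= 2 and parts[-1].lower() == parts[-2].lower()


def parse_mount_points(text: str) -> List[MountPoint]:
    """Pair each 'Found mount point' with the next 'Mount point destination'."""
    found: List[MountPoint] = []
    pending = None
    for raw in text.splitlines():
        line = raw.strip()
        m = FOUND_RE.match(line)
        if m:
            pending = m.group("path")
            continue
        m = DEST_RE.match(line)
        if m and pending is not None:
            found.append(MountPoint(pending, m.group("dest")))
            pending = None
    return found


def triage(text: str) -> Dict[str, object]:
    """Summarise how many mount points are redirected and where they point."""
    mps = parse_mount_points(text)
    bad = [mp for mp in mps if mp.suspicious]
    destinations: Dict[str, int] = {}
    for mp in bad:
        destinations[mp.dest] = destinations.get(mp.dest, 0) + 1
    return {
        "total": len(mps),
        "suspicious": len(bad),
        "self_named": sum(1 for mp in bad if mp.self_named),
        "destinations": destinations,
        "paths": [mp.path for mp in bad],
    }


# Constructed sample in the style of the log above: three redirected system
# directories plus one ordinary junction so the filter has something to pass.
SAMPLE_LOG = r"""
Found mount point : C:\WINDOWS\SYSTEM32\DHCP\DHCP

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SYSTEM32\DHCP\DHCP

Found mount point : C:\WINDOWS\Temp\GUM14.tmp\CrashReports\CrashReports

Mount point destination : \Device\__max++>\^

Found mount point : C:\Data\Archive

Mount point destination : \Device\HarddiskVolume2\Archive

Found mount point : C:\WINDOWS\SYSTEM32\1025\1025

Mount point destination : \Device\__max++>\^
"""

if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    print(f"{report['suspicious']} of {report['total']} mount points resolve outside any volume;"
          f" {report['self_named']} are self-named junctions")
    for dest, n in report["destinations"].items():
        print(f"  {n:4d} x {dest}")
    for p in report["paths"]:
        print("    ", p)
```

To run it over a saved Win32kDiag log, replace SAMPLE_LOG with the file's contents. The self-named count is reported separately because a junction carrying the same name as its parent directory, as on every line of the log above, is the cheap signature to re-check after cleanup: a single one reappearing under a system directory means the component that creates them is still present.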

#4 yyyyyyup
  • Topic Starter
  • Members
  • 15 posts

Posted 10 September 2009 - 11:34 PM

Ran Malwarebytes. It removed quite a bit including Security Center, Police Pro, etc. I only get the occasional pop-up. Life Cleanse, freescore.com...what's the best free anti-virus and pop-up programs out there?

Thanks again. I've been working on my computer for over a week now...you're a real pro!!

#5 fenzodahl512
  • Members
  • 6,738 posts

Posted 11 September 2009 - 12:05 AM

Err.. We're not finished yet :( Also, when you do other scans that I didn't ask for, I lose track and it's difficult to determine the next steps..


1. Please open Notepad
  • If you don't know how, just go to Start >> Run >> copy/paste notepad.exe >> Enter
2. Now copy/paste the entire content of the codebox below into the Notepad window:

KillAll::

Driver::
jsfkmovy
MEMSWEEP2

File::
c:\windows\system32\drivers\vwfw.sys
c:\windows\system32\E.tmp
c:\windows\svchasts.exe
c:\windows\system32\satukivu.exe
c:\windows\yrut.dat
c:\windows\system32\ilusi.bin
c:\documents and settings\All Users\Application Data\xalaga.pif
c:\windows\system32\wapewes.dat
c:\documents and settings\All Users\Application Data\ihib.scr
c:\program files\Common Files\juhiza._sy
c:\windows\system32\drivers\4ef7a345.sys
C:\mhgyi.exe
C:\dixmhtm.exe
c:\windows\SYSTEM32\dakegopu.dll
c:\windows\SYSTEM32\jedepona.exe
c:\windows\SYSTEM32\kefuzego.dll
c:\windows\SYSTEM32\matidaha.dll
c:\windows\SYSTEM32\nilujete.dll
c:\windows\SYSTEM32\ruweyego.exe
c:\windows\SYSTEM32\sehuwuri.exe
c:\windows\SYSTEM32\sesotoja.exe
c:\windows\SYSTEM32\yegusaso.dll
c:\windows\SYSTEM32\yusayena.dll
c:\windows\SYSTEM32\zagubura.dll
c:\windows\SYSTEM32\zanaruma.dll
c:\windows\SYSTEM32\zoyumuhe.dll
c:\windows\SYSTEM32\yegusaso.dll
c:\windows\system32\kefuzego.dll
c:\windows\system32\dakegopu.dll
c:\windows\system32\kupageli.dll

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{e189a51e-565f-4b13-bcb4-f0616ed8e231}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"wavedegup"=-
"ziledalegu"=-
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\SharedTaskScheduler]
"{8c4a2751-d233-481a-960b-7b6e2c184eed}"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"zekewivuw"=-
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=""

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image


5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive
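
Writing a script like the one above starts with reading the ComboFix log's "Reg Loading Points" and "Find3M" sections for a handful of cues. As an added example (not from the thread and not ComboFix's own code), the Python below encodes those cues as rules and runs them over a constructed log fragment modelled on the entries in this thread: an autostart value (Run, SharedTaskScheduler, ShellServiceObjectDelayLoad) loading a system32 file whose name is eight alternating consonant/vowel letters, a Run value pointing straight at a .dll, hidden+system (--sha-w-) files with that naming style, a Security Center override, a disabled firewall and a configured proxy. The naming heuristic and the rule names are assumptions drawn from this log's entries, and a hit is a lead for the helper to check, not a verdict.

```python
r"""Heuristic triage of a ComboFix log's 'Find3M' and 'Reg Loading Points' sections.

Added example, not part of the thread and not ComboFix's own code. The rules
encode cues a helper reads by eye when writing a CFScript:
  * autostart values (Run, SharedTaskScheduler, ShellServiceObjectDelayLoad)
    that load a system32 file named with eight alternating consonant/vowel
    letters, the naming style of the dropped DLLs listed in the script above;
  * Run values that point straight at a .dll (a Run key cannot execute one);
  * hidden+system (--sha-w-) files in system32 with that naming style;
  * a Security Center override, a disabled firewall and a configured proxy.
The name heuristic is an assumption modelled on this log; hits are leads only.
"""
import re
from typing import Dict, List

# eight letters, consonant/vowel alternating: wevoyira, dakegopu, yegusaso, ...
CV_NAME_RE = re.compile(r"^(?:[bcdfghjklmnpqrstvwxyz][aeiouy]){4}$")
AUTOSTART_KEYS = ("\\run]", "sharedtaskscheduler]", "shellserviceobjectdelayload]")
# first Windows file path on a registry value line, e.g.
#   "name"="c:\path\file.dll" [date size]   or   "name"= {guid} - c:\path\file.dll [date size]
PATH_RE = re.compile(r'(?i)(c:\\[^\["]+?\.(?:dll|exe|scr|pif))\s*(?:\[|"|$)')
# Find3M / Files Created lines: "date time . date time size attrs path"
ATTR_LINE_RE = re.compile(r"^\S+ \S+ \. \S+ \S+ (?P<size>\d+) (?P<attrs>[-a-z]{8}) (?P<path>.+)$")


def is_random_system32(path: str) -> bool:
    """True for a file directly in \\windows\\system32 whose stem fits the CV pattern."""
    head, _, fname = path.lower().rpartition("\\")
    stem = fname.split(".", 1)[0]
    return head.endswith("\\windows\\system32") and CV_NAME_RE.match(stem) is not None


def triage_combofix(log: str) -> List[Dict[str, str]]:
    findings: List[Dict[str, str]] = []
    current_key = ""
    for raw in log.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current_key = line.lower()  # registry key the following values belong to
            continue
        low = line.lower()

        if current_key.endswith(AUTOSTART_KEYS):
            m = PATH_RE.search(line)
            path = m.group(1) if m else ""
            if current_key.endswith("\\run]") and path.lower().endswith(".dll"):
                findings.append({"rule": "run-value-loads-dll", "line": line})
            if path and is_random_system32(path):
                findings.append({"rule": "autostart-random-system32-name", "line": line})

        if low.startswith(('"antivirusoverride"=', '"firewalloverride"=')) and low.endswith(":00000001"):
            findings.append({"rule": "security-center-override", "line": line})
        if low.startswith('"enablefirewall"=') and "0 (0x0)" in low:
            findings.append({"rule": "firewall-disabled", "line": line})
        if "internet settings,proxyserver" in low:
            findings.append({"rule": "internet-proxy-set", "line": line})

        m = ATTR_LINE_RE.match(line)
        if m and {"h", "s"} <= set(m.group("attrs")) and is_random_system32(m.group("path")):
            findings.append({"rule": "hidden-system-random-file", "line": line})
    return findings


def summarize(findings: List[Dict[str, str]]) -> Dict[str, int]:
    """Count findings per rule."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f["rule"]] = counts.get(f["rule"], 0) + 1
    return counts


# Constructed fragment modelled on the entries in this thread (not a real log).
SAMPLE_LOG = r"""
((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-13 17:00 . 2009-06-13 17:00 88064 --sha-w- c:\windows\system32\wevoyira.dll
2009-09-10 18:53 . 2008-11-29 21:44 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-25 09:23 . 2009-03-15 19:48 411368 ----a-w- c:\windows\system32\deploytk.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]
"wavedegup"="c:\windows\system32\wevoyira.dll" [2009-09-13 88064]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\SharedTaskScheduler]
"{2a002558-b9a1-4128-b822-17231b4524d2}"= "c:\windows\system32\wevoyira.dll" [2009-09-13 88064]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"zowamemim"= {2a002558-b9a1-4128-b822-17231b4524d2} - c:\windows\system32\wevoyira.dll [2009-09-13 88064]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

uInternet Settings,ProxyServer = 192.168.1.1:80
"""

if __name__ == "__main__":
    hits = triage_combofix(SAMPLE_LOG)
    for f in hits:
        print(f"{f['rule']:32s} {f['line']}")
    print(summarize(hits))
```

The rules deliberately key on where a file is loaded from and how it is named rather than on any particular file name, so the same three autostart hits for one DLL (Run, SharedTaskScheduler, ShellServiceObjectDelayLoad) show why a CFScript clears all three locations at once: removing only the Run value would leave two other loaders for the same file.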


#6 yyyyyyup
  • Topic Starter
  • Members
  • 15 posts

Posted 13 September 2009 - 08:27 PM

Here's the log from ComboFix...not sure how to do the HijackThis log? Is that Avenger or Win32kDiag? I appreciate your help.

ComboFix 09-09-13.04 - Alison 09/13/2009 20:49.2.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.503.209 [GMT -4:00]
Running from: c:\documents and settings\Alison\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\Alison\Desktop\CFscript.txt

FILE ::
"C:\dixmhtm.exe"
"c:\documents and settings\All Users\Application Data\ihib.scr"
"c:\documents and settings\All Users\Application Data\xalaga.pif"
"C:\mhgyi.exe"
"c:\program files\Common Files\juhiza._sy"
"c:\windows\svchasts.exe"
"c:\windows\system32\dakegopu.dll"
"c:\windows\system32\drivers\4ef7a345.sys"
"c:\windows\system32\drivers\vwfw.sys"
"c:\windows\system32\E.tmp"
"c:\windows\system32\ilusi.bin"
"c:\windows\SYSTEM32\jedepona.exe"
"c:\windows\system32\kefuzego.dll"
"c:\windows\system32\kupageli.dll"
"c:\windows\SYSTEM32\matidaha.dll"
"c:\windows\SYSTEM32\nilujete.dll"
"c:\windows\SYSTEM32\ruweyego.exe"
"c:\windows\system32\satukivu.exe"
"c:\windows\SYSTEM32\sehuwuri.exe"
"c:\windows\SYSTEM32\sesotoja.exe"
"c:\windows\system32\wapewes.dat"
"c:\windows\SYSTEM32\yegusaso.dll"
"c:\windows\SYSTEM32\yusayena.dll"
"c:\windows\SYSTEM32\zagubura.dll"
"c:\windows\SYSTEM32\zanaruma.dll"
"c:\windows\SYSTEM32\zoyumuhe.dll"
"c:\windows\yrut.dat"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\dixmhtm.exe
c:\documents and settings\Alison\Local Settings\Application Data\anypojol.reg
c:\documents and settings\All Users\Application Data\ihib.scr
c:\documents and settings\All Users\Application Data\xalaga.pif
c:\program files\Common Files\juhiza._sy
c:\program files\Shared
c:\windows\system32\41.exe
c:\windows\system32\diposeli.dll
c:\windows\system32\gahipewo.dll
c:\windows\system32\ilusi.bin
c:\windows\system32\kefuzego.dll
c:\windows\system32\liseruka.dll
c:\windows\system32\varofeje.dll
c:\windows\system32\vimuvayo.dll
c:\windows\system32\wapewes.dat
c:\windows\SYSTEM32\zanaruma.dll
c:\windows\system32\zizatewa.dll
c:\windows\yrut.dat

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_JSFKMOVY
-------\Legacy_MEMSWEEP2
-------\Service_jsfkmovy
-------\Service_MEMSWEEP2
-------\Service_SfX


((((((((((((((((((((((((( Files Created from 2009-08-14 to 2009-09-14 )))))))))))))))))))))))))))))))
.

2009-09-11 12:25 . 2009-09-12 13:30 -------- d-----w- c:\windows\SxsCaPendDel
2009-09-11 02:46 . 2009-09-11 02:46 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-09-11 02:41 . 2009-09-11 02:41 37760 ----a-w- c:\windows\system32\drivers\Filter.sys
2009-09-11 02:21 . 2004-08-04 10:00 50176 ----a-w- c:\windows\system32\proquota.exe
2009-08-31 02:20 . 2009-08-31 02:20 -------- d-----w- C:\spoolerlogs
2009-08-31 02:11 . 2009-09-12 22:12 -------- d-----w- c:\documents and settings\Alison\Application Data\PC Tools
2009-08-31 02:09 . 2009-09-12 22:14 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-08-31 02:08 . 2009-09-12 22:15 -------- d-----w- c:\program files\Common Files\PC Tools
2009-08-31 02:08 . 2009-09-11 01:47 -------- d-----w- c:\program files\PC Tools AntiVirus
2009-08-31 02:08 . 2009-09-11 01:47 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2009-08-31 01:53 . 2009-08-31 01:53 -------- d-----w- c:\documents and settings\All Users\Application Data\SITEguard
2009-08-31 01:51 . 2009-08-31 01:51 -------- d-----w- c:\program files\Common Files\iS3
2009-08-31 01:51 . 2009-09-11 12:25 -------- d-----w- c:\documents and settings\All Users\Application Data\STOPzilla!
2009-08-31 01:33 . 2009-08-31 01:37 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware2
2009-08-31 00:54 . 2004-08-04 10:00 4224 ------w- c:\windows\system32\drivers\beep.sys
2009-08-29 03:54 . 2009-08-29 03:54 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware3

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-13 17:00 . 2009-06-13 17:00 88064 --sha-w- c:\windows\system32\wevoyira.dll
2009-09-13 05:00 . 2008-05-21 21:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-09-12 22:13 . 2006-09-05 03:36 -------- d-----w- c:\program files\Sophos
2009-09-12 14:42 . 2009-06-12 14:42 88064 --sha-w- c:\windows\system32\yohujoku.dll
2009-09-12 13:36 . 2005-07-29 06:49 -------- d-----w- c:\program files\Java
2009-09-11 02:42 . 2009-06-11 02:41 50176 --sha-w- c:\windows\system32\dojapode.dll
2009-09-11 02:41 . 2009-06-11 02:41 53248 --sha-w- c:\windows\system32\yagejani.exe
2009-09-11 02:40 . 2006-09-05 02:39 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware4
2009-09-10 18:54 . 2008-11-29 21:44 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 18:53 . 2008-11-29 21:44 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-31 02:58 . 2009-04-21 03:17 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-08-14 10:58 . 2009-09-11 04:34 7396 ----a-w- c:\windows\system32\drivers\pctcore.cat
2009-07-25 09:23 . 2009-03-15 19:48 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-07-25 02:11 . 2005-11-11 16:36 -------- d-----w- c:\documents and settings\Alison\Application Data\AdobeUM
2009-07-22 03:45 . 2008-06-14 02:43 -------- d-----w- c:\documents and settings\Alison\Application Data\Skype
2009-07-22 01:22 . 2008-06-14 02:44 -------- d-----w- c:\documents and settings\Alison\Application Data\skypePM
2006-06-06 03:08 . 2006-06-06 03:08 50176 --sha-w- c:\windows\SYSTEM32\dakegopu.dll.tmp
2006-06-06 03:08 . 2006-06-06 03:08 50176 --sha-w- c:\windows\SYSTEM32\yegusaso.dll.tmp
.

((((((((((((((((((((((((((((( SnapShot@2009-09-11_02.25.38 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-09-14 01:05 . 2009-09-14 01:05 16384 c:\windows\temp\Perflib_Perfdata_6e4.dat
+ 2009-09-11 14:42 . 2009-09-13 14:19 32768 c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2005-08-04 00:18 . 2006-09-09 01:34 32768 c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2005-08-04 00:18 . 2009-09-13 14:19 32768 c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-09-11 14:42 . 2009-09-13 14:19 32768 c:\windows\SYSTEM32\CONFIG\systemprofile\Cookies\index.dat
- 2005-08-04 00:18 . 2006-09-09 01:34 32768 c:\windows\SYSTEM32\CONFIG\systemprofile\Cookies\index.dat
+ 2005-11-19 16:02 . 2009-09-12 14:43 90112 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\xlicons.exe
- 2005-11-19 16:02 . 2008-09-05 02:27 90112 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\xlicons.exe
- 2005-11-19 16:02 . 2008-09-05 02:27 45056 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\wordicon.exe
+ 2005-11-19 16:02 . 2009-09-12 14:43 45056 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\wordicon.exe
- 2005-11-19 16:02 . 2008-09-05 02:27 22528 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\unbndico.exe
+ 2005-11-19 16:02 . 2009-09-12 14:43 22528 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\unbndico.exe
+ 2005-11-19 16:02 . 2009-09-12 14:43 30720 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\pptico.exe
- 2005-11-19 16:02 . 2008-09-05 02:27 30720 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\pptico.exe
- 2005-11-19 16:02 . 2008-09-05 02:27 16384 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\PEicons.exe
+ 2005-11-19 16:02 . 2009-09-12 14:43 16384 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\PEicons.exe
+ 2005-11-19 16:02 . 2009-09-12 14:43 34304 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\misc.exe
- 2005-11-19 16:02 . 2008-09-05 02:27 34304 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\misc.exe
- 2005-11-19 16:02 . 2008-09-05 02:27 81920 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\fpicon.exe
+ 2005-11-19 16:02 . 2009-09-12 14:43 81920 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\fpicon.exe
+ 2005-11-19 16:02 . 2009-09-12 14:43 3584 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\opwicon.exe
- 2005-11-19 16:02 . 2008-09-05 02:27 3584 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\opwicon.exe
- 2005-11-19 16:02 . 2008-09-05 02:27 8192 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\mspicons.exe
+ 2005-11-19 16:02 . 2009-09-12 14:43 8192 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\mspicons.exe
- 2005-11-19 16:02 . 2008-09-05 02:27 2560 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\cagicon.exe
+ 2005-11-19 16:02 . 2009-09-12 14:43 2560 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\cagicon.exe
+ 2009-09-12 13:36 . 2009-07-25 09:23 149280 c:\windows\SYSTEM32\javaws.exe
+ 2009-09-12 13:36 . 2009-07-25 09:23 145184 c:\windows\SYSTEM32\javaw.exe
+ 2009-09-12 13:36 . 2009-07-25 09:23 145184 c:\windows\SYSTEM32\java.exe
- 2005-11-19 16:02 . 2008-09-05 02:27 114688 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\outicon.exe
+ 2005-11-19 16:02 . 2009-09-12 14:43 114688 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\outicon.exe
+ 2005-11-19 16:02 . 2009-09-12 14:43 167936 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\accicons.exe
- 2005-11-19 16:02 . 2008-09-05 02:27 167936 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\accicons.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-05-21 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2005-07-29 26112]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2004-02-12 49152]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2004-05-12 241664]
"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-02-08 488984]
"LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam10\QuickCam10.exe" [2007-02-08 774168]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-03-11 342312]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware4\mbam.exe" [2009-09-10 1312080]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]
"wavedegup"="c:\windows\system32\wevoyira.dll" [2009-09-13 88064]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2005-7-29 24576]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2004-3-15 241664]
HP Image Zone Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2004-3-15 53248]
Logitech Desktop Messenger.lnk - c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe [2008-9-4 91440]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2004-11-11 806912]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\SharedTaskScheduler]
"{2a002558-b9a1-4128-b822-17231b4524d2}"= "c:\windows\system32\wevoyira.dll" [2009-09-13 88064]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"zowamemim"= {2a002558-b9a1-4128-b822-17231b4524d2} - c:\windows\system32\wevoyira.dll [2009-09-13 88064]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Common Files\\InstallShield\\UpdateService\\ISUSPM.exe"=
"c:\\Program Files\\Common Files\\Microsoft Shared\\VS7DEBUG\\MDM.EXE"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8085:TCP"= 8085:TCP:ddnsfilter

R1 Filter;Filter;c:\windows\SYSTEM32\DRIVERS\Filter.sys [9/10/2009 10:41 PM 37760]
S3 SBRE;SBRE;c:\windows\SYSTEM32\DRIVERS\SBREDrv.sys [9/4/2006 11:10 PM 92464]
.
Contents of the 'Scheduled Tasks' folder

2009-09-14 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-05-21 22:25]

2009-09-14 c:\windows\Tasks\User_Feed_Synchronization-{A766CEF0-F828-43E1-9D58-136F754B28BB}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 22:36]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
uInternet Settings,ProxyServer = 192.168.1.1:80
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
DPF: {1A595EDD-978A-48C7-B730-AF3B9CC64DAB} - hxxp://63.251.81.180/component/VZWDLManager.cab
FF - ProfilePath - c:\documents and settings\Alison\Application Data\Mozilla\Firefox\Profiles\rir56rg3.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://start.mozilla.org/firefox?client=firefox-a&rls=org.mozilla:en-US:official
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-13 21:06
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(1996)
c:\windows\system32\wevoyira.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\SYSTEM32\LEXBCES.EXE
c:\windows\SYSTEM32\LEXPPS.EXE
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Common Files\logishrd\LComMgr\LVComSX.exe
c:\program files\HP\Digital Imaging\bin\hpqgalry.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Common Files\logishrd\LQCVFX\COCIManager.exe
c:\windows\SYSTEM32\WSCNTFY.EXE
c:\windows\SoftwareDistribution\Download\7d89c78bdb29ecd56cfe2f1e3d8cdbac\update\update.exe
.
**************************************************************************
.
Completion time: 2009-09-14 21:13 - machine was rebooted
ComboFix-quarantined-files.txt 2009-09-14 01:12
ComboFix2.txt 2009-09-11 02:32

Pre-Run: 13,976,788,992 bytes free
Post-Run: 13,947,121,664 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

254 --- E O F --- 2009-04-16 07:04

#7 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • OFFLINE
  • Local time:09:03 AM

Posted 14 September 2009 - 12:35 AM

1. Please open Notepad
  • If you don't know how, just go to Start >> Run >> copy/paste notepad.exe >> Enter
2. Now copy/paste the entire content of the codebox below into the Notepad window:

KillAll::

Driver::
Filter

Rootkit::
c:\windows\SYSTEM32\DRIVERS\Filter.sys

File::
c:\windows\system32\wevoyira.dll
c:\windows\system32\yohujoku.dll
c:\windows\system32\dojapode.dll
c:\windows\system32\yagejani.exe
c:\windows\SYSTEM32\dakegopu.dll.tmp
c:\windows\SYSTEM32\yegusaso.dll.tmp
c:\windows\SYSTEM32\DRIVERS\Filter.sys

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"wavedegup"=-
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\SharedTaskScheduler]
"{2a002558-b9a1-4128-b822-17231b4524d2}"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"zowamemim"=-
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8085:TCP"=-

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image


5. After reboot (in case it asks to reboot), please post the following reports/logs in your next reply:
  • Combofix.txt

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive
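The CFScript above removes four kinds of entries: randomly named files directly under system32, a ShellServiceObjectDelayLoad/SharedTaskScheduler loader that pulls one of those DLLs into explorer.exe, a Security Center AntiVirusOverride, and a globally open firewall port. As an added example for this thread (not ComboFix's code and not the helper's script), the Python below reads a ComboFix-style log and flags those same kinds of entries so they can be reviewed before anyone writes a removal script. The sample log it parses is constructed from the log format posted in this thread, the finding labels and function names are my own, and the consonant/vowel name check is a heuristic, not a ComboFix feature.

```python
"""Triage a ComboFix-style log for the kinds of entries the CFScript in this
thread removes.  Added example for this thread, not ComboFix's own code and not
the helper's script: it only reads a log and reports; it changes nothing.
"""
import re
from typing import Iterator, List, Tuple

# Constructed sample, modelled on the log excerpts posted in this thread.
SAMPLE_LOG = r'''
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-03-11 342312]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"zowamemim"= {2a002558-b9a1-4128-b822-17231b4524d2} - c:\windows\system32\wevoyira.dll [2009-09-13 88064]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8085:TCP"= 8085:TCP:ddnsfilter

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(1996)
c:\windows\system32\wevoyira.dll
c:\windows\system32\WPDShServiceObj.dll
'''

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]\s*$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<data>.*)$')
# A file directly under system32 (no subfolder), .dll/.exe, optionally .tmp.
SYS32_FILE_RE = re.compile(
    r"(?P<path>[a-z]:\\windows\\system32\\(?P<stem>[a-z0-9_]+)\.(?:dll|exe)(?:\.tmp)?)\b",
    re.IGNORECASE,
)
# "Pronounceable" consonant/vowel alternation, 6-10 letters: the naming pattern
# shared by every file the CFScript above lists (wevoyira, yohujoku, dojapode,
# yagejani, ...).  A heuristic, not a ComboFix feature: review hits by hand.
CV_NAME_RE = re.compile(r"^(?:[bcdfghjklmnpqrstvwxyz][aeiou]){3,5}[bcdfghjklmnpqrstvwxyz]?$")


def registry_values(text: str) -> Iterator[Tuple[str, str, str]]:
    """Yield (key, name, data) triples from the REGEDIT4-style part of the log."""
    key = None
    for line in text.splitlines():
        m = KEY_RE.match(line)
        if m:
            key = m.group("key")
            continue
        m = VALUE_RE.match(line)
        if m and key is not None:
            yield key, m.group("name"), m.group("data")


def looks_random(stem: str) -> bool:
    """True if a file stem follows the consonant/vowel pattern described above."""
    return CV_NAME_RE.match(stem.lower()) is not None


def is_autostart_key(key_lower: str) -> bool:
    return (key_lower.endswith("\\run")
            or "shellserviceobjectdelayload" in key_lower
            or "sharedtaskscheduler" in key_lower)


def triage(text: str) -> List[Tuple[str, str]]:
    """Return (finding, detail) pairs in log order: registry findings first, then
    every distinct random-looking system32 file seen anywhere in the log."""
    findings: List[Tuple[str, str]] = []
    for key, name, data in registry_values(text):
        k = key.lower()
        d = data.strip()
        if k.endswith("security center") and name == "AntiVirusOverride" and d.endswith("1"):
            findings.append(("av_override", name))        # Security Center told to ignore AV state
        elif k.endswith("firewallpolicy\\standardprofile") and name == "EnableFirewall" and d.startswith("0"):
            findings.append(("firewall_disabled", name))
        elif "globallyopenports" in k:
            findings.append(("open_port", name))          # inbound port opened in firewall policy
        elif is_autostart_key(k):
            m = SYS32_FILE_RE.search(d)
            if m and looks_random(m.group("stem")):
                findings.append(("autostart_random_name", name))
    seen = set()
    for line in text.splitlines():
        m = SYS32_FILE_RE.search(line)
        if m and looks_random(m.group("stem")):
            path = m.group("path").lower()
            if path not in seen:                          # File:: lists, loaded DLLs, Find3M rows
                seen.add(path)
                findings.append(("random_name_file", path))
    return findings


if __name__ == "__main__":
    for finding, detail in triage(SAMPLE_LOG):
        print(f"{finding:24} {detail}")
```

Run against the constructed sample it reports the SSODL loader, the AV override, the disabled firewall, the 8085/TCP opening and wevoyira.dll once (it appears both in the registry line and under explorer.exe). The name heuristic deliberately ignores legitimate short names such as igfxtray.exe, but it can still hit an ordinary file, which is why the output is a review list rather than a removal script.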


#8 yyyyyyup

yyyyyyup
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  • Local time:09:03 PM

Posted 14 September 2009 - 07:08 PM

I appreciate your help. I blue screened but was able to run it after the reboot...

ComboFix 09-09-14.02 - Alison 09/14/2009 19:12.3.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.503.233 [GMT -4:00]
Running from: c:\documents and settings\Alison\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\Alison\Desktop\cfscript.txt

FILE ::
"c:\windows\SYSTEM32\dakegopu.dll.tmp"
"c:\windows\system32\dojapode.dll"
"c:\windows\SYSTEM32\DRIVERS\Filter.sys"
"c:\windows\system32\wevoyira.dll"
"c:\windows\system32\yagejani.exe"
"c:\windows\SYSTEM32\yegusaso.dll.tmp"
"c:\windows\system32\yohujoku.dll"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Alison\Application Data\Microsoft\Installer\{457791C5-D702-4143-A7B2-2744BE9573F2}\NewShortcut1_5B69D3033CA54B39B5ECE7D051297E77.exe
c:\windows\SYSTEM32\dakegopu.dll.tmp
c:\windows\system32\dojapode.dll
c:\windows\system32\drivers\Filter.sys
c:\windows\system32\wevoyira.dll
c:\windows\system32\yagejani.exe
c:\windows\SYSTEM32\yegusaso.dll.tmp
c:\windows\system32\yohujoku.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_FILTER
-------\Service_Filter


((((((((((((((((((((((((( Files Created from 2009-08-14 to 2009-09-14 )))))))))))))))))))))))))))))))
.

2009-09-14 07:01 . 2009-09-14 07:01 -------- d-----w- c:\windows\ServicePackFiles
2009-09-14 01:14 . 2009-06-21 22:04 153088 ------w- c:\windows\system32\dllcache\triedit.dll
2009-09-14 01:12 . 2009-06-05 07:42 655872 ------w- c:\windows\system32\dllcache\mstscax.dll
2009-09-11 12:25 . 2009-09-12 13:30 -------- d-----w- c:\windows\SxsCaPendDel
2009-09-11 02:46 . 2009-09-11 02:46 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-09-11 02:21 . 2004-08-04 10:00 50176 ----a-w- c:\windows\system32\proquota.exe
2009-08-31 02:20 . 2009-08-31 02:20 -------- d-----w- C:\spoolerlogs
2009-08-31 02:11 . 2009-09-12 22:12 -------- d-----w- c:\documents and settings\Alison\Application Data\PC Tools
2009-08-31 02:09 . 2009-09-12 22:14 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-08-31 02:08 . 2009-09-12 22:15 -------- d-----w- c:\program files\Common Files\PC Tools
2009-08-31 02:08 . 2009-09-11 01:47 -------- d-----w- c:\program files\PC Tools AntiVirus
2009-08-31 02:08 . 2009-09-11 01:47 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2009-08-31 01:53 . 2009-08-31 01:53 -------- d-----w- c:\documents and settings\All Users\Application Data\SITEguard
2009-08-31 01:51 . 2009-08-31 01:51 -------- d-----w- c:\program files\Common Files\iS3
2009-08-31 01:51 . 2009-09-11 12:25 -------- d-----w- c:\documents and settings\All Users\Application Data\STOPzilla!
2009-08-31 01:33 . 2009-08-31 01:37 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware2
2009-08-31 00:54 . 2004-08-04 10:00 4224 ------w- c:\windows\system32\drivers\beep.sys
2009-08-29 03:54 . 2009-08-29 03:54 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware3

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-14 06:01 . 2008-05-21 21:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-09-12 22:13 . 2006-09-05 03:36 -------- d-----w- c:\program files\Sophos
2009-09-12 13:36 . 2005-07-29 06:49 -------- d-----w- c:\program files\Java
2009-09-11 02:40 . 2006-09-05 02:39 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware4
2009-09-10 18:54 . 2008-11-29 21:44 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 18:53 . 2008-11-29 21:44 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-31 02:58 . 2009-04-21 03:17 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-08-14 10:58 . 2009-09-11 04:34 7396 ----a-w- c:\windows\system32\drivers\pctcore.cat
2009-08-05 09:11 . 2004-08-04 10:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-29 04:53 . 2004-08-04 10:00 82432 ----a-w- c:\windows\system32\fontsub.dll
2009-07-29 04:53 . 2004-08-04 10:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-07-25 09:23 . 2009-03-15 19:48 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-07-25 02:11 . 2005-11-11 16:36 -------- d-----w- c:\documents and settings\Alison\Application Data\AdobeUM
2009-07-22 03:45 . 2008-06-14 02:43 -------- d-----w- c:\documents and settings\Alison\Application Data\Skype
2009-07-22 01:22 . 2008-06-14 02:44 -------- d-----w- c:\documents and settings\Alison\Application Data\skypePM
2009-07-17 18:55 . 2004-08-04 10:00 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-14 03:43 . 2004-08-04 10:00 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2009-06-29 16:12 . 2004-08-04 10:00 827392 ----a-w- c:\windows\system32\wininet.dll
2009-06-29 16:12 . 2004-08-04 10:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-06-29 16:12 . 2004-08-04 10:00 17408 ----a-w- c:\windows\system32\corpol.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-09-11_02.25.38 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-09-14 23:23 . 2009-09-14 23:23 16384 c:\windows\temp\Perflib_Perfdata_6e0.dat
+ 2007-01-29 08:58 . 2009-07-14 11:03 46080 c:\windows\SYSTEM32\tzchange.exe
+ 2004-08-04 10:00 . 2009-06-12 11:50 76288 c:\windows\SYSTEM32\telnet.exe
- 2005-08-07 00:49 . 2008-07-09 07:38 26488 c:\windows\SYSTEM32\spupdsvc.exe
+ 2005-08-07 00:49 . 2007-07-27 14:41 26488 c:\windows\SYSTEM32\spupdsvc.exe
+ 2008-09-29 01:46 . 2008-07-08 13:02 17272 c:\windows\SYSTEM32\spmsg.dll
- 2008-09-29 01:46 . 2007-11-30 12:39 17272 c:\windows\SYSTEM32\spmsg.dll
+ 2004-08-04 10:00 . 2009-06-29 16:12 44544 c:\windows\SYSTEM32\pngfilt.dll
- 2004-08-04 10:00 . 2009-02-20 18:09 44544 c:\windows\SYSTEM32\pngfilt.dll
+ 2006-11-08 02:03 . 2009-06-29 16:12 52224 c:\windows\SYSTEM32\msfeedsbs.dll
- 2006-11-08 02:03 . 2009-02-20 18:09 52224 c:\windows\SYSTEM32\msfeedsbs.dll
- 2004-08-04 10:00 . 2009-02-20 18:09 27648 c:\windows\SYSTEM32\jsproxy.dll
+ 2004-08-04 10:00 . 2009-06-29 16:12 27648 c:\windows\SYSTEM32\jsproxy.dll
+ 2006-11-07 08:26 . 2009-06-29 11:07 13824 c:\windows\SYSTEM32\ieudinit.exe
- 2006-11-07 08:26 . 2009-02-20 10:20 13824 c:\windows\SYSTEM32\ieudinit.exe
+ 2004-08-04 10:00 . 2009-06-29 16:12 44544 c:\windows\SYSTEM32\iernonce.dll
- 2004-08-04 10:00 . 2009-02-20 18:09 44544 c:\windows\SYSTEM32\iernonce.dll
- 2004-08-04 10:00 . 2009-02-20 10:20 70656 c:\windows\SYSTEM32\ie4uinit.exe
+ 2004-08-04 10:00 . 2009-06-29 11:07 70656 c:\windows\SYSTEM32\ie4uinit.exe
- 2006-10-17 16:58 . 2009-02-20 18:09 63488 c:\windows\SYSTEM32\icardie.dll
+ 2006-10-17 16:58 . 2009-06-29 16:12 63488 c:\windows\SYSTEM32\icardie.dll
+ 2009-06-12 11:50 . 2009-06-12 11:50 76288 c:\windows\SYSTEM32\DLLCACHE\telnet.exe
+ 2006-05-10 05:23 . 2009-06-29 16:12 44544 c:\windows\SYSTEM32\DLLCACHE\pngfilt.dll
- 2006-05-10 05:23 . 2009-02-20 18:09 44544 c:\windows\SYSTEM32\DLLCACHE\pngfilt.dll
+ 2008-05-19 13:33 . 2009-06-29 16:12 52224 c:\windows\SYSTEM32\DLLCACHE\msfeedsbs.dll
- 2008-05-19 13:33 . 2009-02-20 18:09 52224 c:\windows\SYSTEM32\DLLCACHE\msfeedsbs.dll
+ 2006-05-10 05:22 . 2009-06-29 16:12 27648 c:\windows\SYSTEM32\DLLCACHE\jsproxy.dll
- 2006-05-10 05:22 . 2009-02-20 18:09 27648 c:\windows\SYSTEM32\DLLCACHE\jsproxy.dll
+ 2008-05-19 13:33 . 2009-06-29 11:07 13824 c:\windows\SYSTEM32\DLLCACHE\ieudinit.exe
- 2008-05-19 13:33 . 2009-02-20 10:20 13824 c:\windows\SYSTEM32\DLLCACHE\ieudinit.exe
- 2006-11-07 08:26 . 2009-02-20 18:09 44544 c:\windows\SYSTEM32\DLLCACHE\iernonce.dll
+ 2006-11-07 08:26 . 2009-06-29 16:12 44544 c:\windows\SYSTEM32\DLLCACHE\iernonce.dll
+ 2006-10-17 17:06 . 2009-06-29 16:12 78336 c:\windows\SYSTEM32\DLLCACHE\ieencode.dll
- 2006-10-17 17:06 . 2009-02-20 18:09 78336 c:\windows\SYSTEM32\DLLCACHE\ieencode.dll
+ 2006-11-07 08:26 . 2009-06-29 11:07 70656 c:\windows\SYSTEM32\DLLCACHE\ie4uinit.exe
- 2006-11-07 08:26 . 2009-02-20 10:20 70656 c:\windows\SYSTEM32\DLLCACHE\ie4uinit.exe
- 2008-05-19 13:33 . 2009-02-20 18:09 63488 c:\windows\SYSTEM32\DLLCACHE\icardie.dll
+ 2008-05-19 13:33 . 2009-06-29 16:12 63488 c:\windows\SYSTEM32\DLLCACHE\icardie.dll
+ 2009-07-29 04:53 . 2009-07-29 04:53 82432 c:\windows\SYSTEM32\DLLCACHE\fontsub.dll
- 2006-10-17 17:03 . 2007-01-09 00:01 17408 c:\windows\SYSTEM32\DLLCACHE\corpol.dll
+ 2006-10-17 17:03 . 2009-06-29 16:12 17408 c:\windows\SYSTEM32\DLLCACHE\corpol.dll
+ 2009-06-10 14:21 . 2009-06-10 14:21 84992 c:\windows\SYSTEM32\DLLCACHE\avifil32.dll
+ 2009-07-17 18:55 . 2009-07-17 18:55 58880 c:\windows\SYSTEM32\DLLCACHE\atl.dll
+ 2005-08-04 00:18 . 2009-09-13 14:19 32768 c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\index.dat
- 2005-08-04 00:18 . 2006-09-09 01:34 32768 c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\index.dat
- 2004-08-04 10:00 . 2004-08-04 10:00 84992 c:\windows\SYSTEM32\AVIFIL32.DLL
+ 2004-08-04 10:00 . 2009-06-10 14:21 84992 c:\windows\SYSTEM32\avifil32.dll
- 2005-11-19 16:02 . 2008-09-05 02:27 90112 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\xlicons.exe
+ 2005-11-19 16:02 . 2009-09-12 14:43 90112 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\xlicons.exe
+ 2005-11-19 16:02 . 2009-09-12 14:43 45056 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\wordicon.exe
- 2005-11-19 16:02 . 2008-09-05 02:27 45056 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\wordicon.exe
- 2005-11-19 16:02 . 2008-09-05 02:27 22528 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\unbndico.exe
+ 2005-11-19 16:02 . 2009-09-12 14:43 22528 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\unbndico.exe
+ 2005-11-19 16:02 . 2009-09-12 14:43 30720 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\pptico.exe
- 2005-11-19 16:02 . 2008-09-05 02:27 30720 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\pptico.exe
+ 2005-11-19 16:02 . 2009-09-12 14:43 16384 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\PEicons.exe
- 2005-11-19 16:02 . 2008-09-05 02:27 16384 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\PEicons.exe
- 2005-11-19 16:02 . 2008-09-05 02:27 34304 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\misc.exe
+ 2005-11-19 16:02 . 2009-09-12 14:43 34304 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\misc.exe
+ 2005-11-19 16:02 . 2009-09-12 14:43 81920 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\fpicon.exe
- 2005-11-19 16:02 . 2008-09-05 02:27 81920 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\fpicon.exe
+ 2009-09-14 07:02 . 2009-02-20 18:09 44544 c:\windows\ie7updates\KB972260-IE7\pngfilt.dll
+ 2009-09-14 07:02 . 2009-02-20 18:09 52224 c:\windows\ie7updates\KB972260-IE7\msfeedsbs.dll
+ 2009-09-14 07:02 . 2009-02-20 18:09 27648 c:\windows\ie7updates\KB972260-IE7\jsproxy.dll
+ 2009-09-14 07:02 . 2009-02-20 10:20 13824 c:\windows\ie7updates\KB972260-IE7\ieudinit.exe
+ 2009-09-14 07:02 . 2009-02-20 18:09 44544 c:\windows\ie7updates\KB972260-IE7\iernonce.dll
+ 2009-09-14 07:02 . 2009-02-20 18:09 78336 c:\windows\ie7updates\KB972260-IE7\ieencode.dll
+ 2009-09-14 07:02 . 2009-02-20 10:20 70656 c:\windows\ie7updates\KB972260-IE7\ie4uinit.exe
+ 2009-09-14 07:02 . 2009-02-20 18:09 63488 c:\windows\ie7updates\KB972260-IE7\icardie.dll
+ 2009-09-14 07:02 . 2007-01-09 00:01 17408 c:\windows\ie7updates\KB972260-IE7\corpol.dll
+ 2005-11-19 16:02 . 2009-09-12 14:43 3584 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\opwicon.exe
- 2005-11-19 16:02 . 2008-09-05 02:27 3584 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\opwicon.exe
+ 2005-11-19 16:02 . 2009-09-12 14:43 8192 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\mspicons.exe
- 2005-11-19 16:02 . 2008-09-05 02:27 8192 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\mspicons.exe
- 2005-11-19 16:02 . 2008-09-05 02:27 2560 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\cagicon.exe
+ 2005-11-19 16:02 . 2009-09-12 14:43 2560 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\cagicon.exe
- 2005-05-17 00:25 . 2008-02-15 09:06 351744 c:\windows\SYSTEM32\xpsp3res.dll
+ 2005-05-17 00:25 . 2009-04-15 09:24 351744 c:\windows\SYSTEM32\xpsp3res.dll
+ 2004-08-04 10:00 . 2009-06-10 06:32 132096 c:\windows\SYSTEM32\wkssvc.dll
- 2004-08-04 10:00 . 2006-08-17 12:28 132096 c:\windows\SYSTEM32\wkssvc.dll
- 2004-08-04 10:00 . 2009-02-20 18:09 233472 c:\windows\SYSTEM32\webcheck.dll
+ 2004-08-04 10:00 . 2009-06-29 16:12 233472 c:\windows\SYSTEM32\webcheck.dll
- 2004-08-04 10:00 . 2009-02-20 18:09 105984 c:\windows\SYSTEM32\url.dll
+ 2004-08-04 10:00 . 2009-06-29 16:12 105984 c:\windows\SYSTEM32\url.dll
+ 2004-08-04 10:00 . 2009-04-15 15:26 583168 c:\windows\SYSTEM32\rpcrt4.dll
- 2004-08-04 10:00 . 2009-02-20 18:09 102912 c:\windows\SYSTEM32\occache.dll
+ 2004-08-04 10:00 . 2009-06-29 16:12 102912 c:\windows\SYSTEM32\occache.dll
+ 2004-08-04 10:00 . 2009-06-05 07:42 655872 c:\windows\SYSTEM32\mstscax.dll
- 2004-08-04 10:00 . 2009-02-20 18:09 671232 c:\windows\SYSTEM32\mstime.dll
+ 2004-08-04 10:00 . 2009-06-29 16:12 671232 c:\windows\SYSTEM32\mstime.dll
- 2004-08-04 10:00 . 2009-02-20 18:09 193024 c:\windows\SYSTEM32\msrating.dll
+ 2004-08-04 10:00 . 2009-06-29 16:12 193024 c:\windows\SYSTEM32\msrating.dll
- 2004-08-04 10:00 . 2009-02-20 18:09 477696 c:\windows\SYSTEM32\mshtmled.dll
+ 2004-08-04 10:00 . 2009-06-29 16:12 477696 c:\windows\SYSTEM32\mshtmled.dll
+ 2006-11-08 02:03 . 2009-06-29 16:12 459264 c:\windows\SYSTEM32\msfeeds.dll
- 2006-11-08 02:03 . 2009-02-20 18:09 459264 c:\windows\SYSTEM32\msfeeds.dll
+ 2004-08-04 10:00 . 2009-05-07 15:44 344064 c:\windows\SYSTEM32\localspl.dll
+ 2004-08-04 10:00 . 2009-08-13 15:16 512000 c:\windows\SYSTEM32\jscript.dll
+ 2009-09-12 13:36 . 2009-07-25 09:23 149280 c:\windows\SYSTEM32\javaws.exe
+ 2009-09-12 13:36 . 2009-07-25 09:23 145184 c:\windows\SYSTEM32\javaw.exe
+ 2009-09-12 13:36 . 2009-07-25 09:23 145184 c:\windows\SYSTEM32\java.exe
- 2006-10-17 16:57 . 2009-02-20 18:09 268288 c:\windows\SYSTEM32\iertutil.dll
+ 2006-10-17 16:57 . 2009-06-29 16:12 268288 c:\windows\SYSTEM32\iertutil.dll
- 2004-08-04 10:00 . 2009-02-20 18:09 385024 c:\windows\SYSTEM32\iedkcs32.dll
+ 2004-08-04 10:00 . 2009-06-29 16:12 385024 c:\windows\SYSTEM32\iedkcs32.dll
+ 2006-10-17 16:27 . 2009-06-29 16:12 380928 c:\windows\SYSTEM32\ieapfltr.dll
- 2004-08-04 10:00 . 2009-02-20 05:14 161792 c:\windows\SYSTEM32\ieakui.dll
+ 2004-08-04 10:00 . 2009-06-29 08:33 161792 c:\windows\SYSTEM32\ieakui.dll
+ 2004-08-04 10:00 . 2009-06-29 16:12 230400 c:\windows\SYSTEM32\ieaksie.dll
- 2004-08-04 10:00 . 2009-02-20 18:09 230400 c:\windows\SYSTEM32\ieaksie.dll
+ 2004-08-04 10:00 . 2009-06-29 16:12 153088 c:\windows\SYSTEM32\ieakeng.dll
- 2004-08-04 10:00 . 2009-02-20 18:09 153088 c:\windows\SYSTEM32\ieakeng.dll
+ 2004-08-10 18:08 . 2009-09-14 07:12 162728 c:\windows\SYSTEM32\FNTCACHE.DAT
- 2004-08-10 18:08 . 2009-03-12 11:50 162728 c:\windows\SYSTEM32\FNTCACHE.DAT
+ 2004-08-04 10:00 . 2009-06-29 16:12 133120 c:\windows\SYSTEM32\extmgr.dll
- 2004-08-04 10:00 . 2009-02-20 18:09 133120 c:\windows\SYSTEM32\extmgr.dll
- 2004-08-04 10:00 . 2009-02-20 18:09 214528 c:\windows\SYSTEM32\dxtrans.dll
+ 2004-08-04 10:00 . 2009-06-29 16:12 214528 c:\windows\SYSTEM32\dxtrans.dll
- 2004-08-04 10:00 . 2009-02-20 18:09 347136 c:\windows\SYSTEM32\dxtmsft.dll
+ 2004-08-04 10:00 . 2009-06-29 16:12 347136 c:\windows\SYSTEM32\dxtmsft.dll
+ 2004-08-04 10:00 . 2009-07-14 03:43 286208 c:\windows\SYSTEM32\DLLCACHE\wmpdxm.dll
+ 2006-08-17 12:28 . 2009-06-10 06:32 132096 c:\windows\SYSTEM32\DLLCACHE\wkssvc.dll
- 2006-08-17 12:28 . 2006-08-17 12:28 132096 c:\windows\SYSTEM32\DLLCACHE\wkssvc.dll
+ 2006-05-10 05:23 . 2009-06-29 16:12 827392 c:\windows\SYSTEM32\DLLCACHE\wininet.dll
- 2006-11-08 02:03 . 2009-02-20 18:09 233472 c:\windows\SYSTEM32\DLLCACHE\webcheck.dll
+ 2006-11-08 02:03 . 2009-06-29 16:12 233472 c:\windows\SYSTEM32\DLLCACHE\webcheck.dll
- 2006-10-17 17:05 . 2009-02-20 18:09 105984 c:\windows\SYSTEM32\DLLCACHE\url.dll
+ 2006-10-17 17:05 . 2009-06-29 16:12 105984 c:\windows\SYSTEM32\DLLCACHE\url.dll
+ 2009-07-29 04:53 . 2009-07-29 04:53 119808 c:\windows\SYSTEM32\DLLCACHE\t2embed.dll
+ 2008-05-19 13:33 . 2009-04-15 15:26 583168 c:\windows\SYSTEM32\DLLCACHE\rpcrt4.dll
- 2006-10-17 17:04 . 2009-02-20 18:09 102912 c:\windows\SYSTEM32\DLLCACHE\occache.dll
+ 2006-10-17 17:04 . 2009-06-29 16:12 102912 c:\windows\SYSTEM32\DLLCACHE\occache.dll
+ 2009-08-05 09:11 . 2009-08-05 09:11 204800 c:\windows\SYSTEM32\DLLCACHE\mswebdvd.dll
+ 2006-05-10 05:23 . 2009-06-29 16:12 671232 c:\windows\SYSTEM32\DLLCACHE\mstime.dll
- 2006-05-10 05:23 . 2009-02-20 18:09 671232 c:\windows\SYSTEM32\DLLCACHE\mstime.dll
- 2006-05-10 05:23 . 2009-02-20 18:09 193024 c:\windows\SYSTEM32\DLLCACHE\msrating.dll
+ 2006-05-10 05:23 . 2009-06-29 16:12 193024 c:\windows\SYSTEM32\DLLCACHE\msrating.dll
- 2006-05-10 05:23 . 2009-02-20 18:09 477696 c:\windows\SYSTEM32\DLLCACHE\mshtmled.dll
+ 2006-05-10 05:23 . 2009-06-29 16:12 477696 c:\windows\SYSTEM32\DLLCACHE\mshtmled.dll
- 2008-05-19 13:33 . 2009-02-20 18:09 459264 c:\windows\SYSTEM32\DLLCACHE\msfeeds.dll
+ 2008-05-19 13:33 . 2009-06-29 16:12 459264 c:\windows\SYSTEM32\DLLCACHE\msfeeds.dll
+ 2009-05-07 15:44 . 2009-05-07 15:44 344064 c:\windows\SYSTEM32\DLLCACHE\localspl.dll
+ 2006-05-18 05:24 . 2009-08-13 15:16 512000 c:\windows\SYSTEM32\DLLCACHE\jscript.dll
+ 2006-10-17 17:04 . 2009-06-29 08:35 634632 c:\windows\SYSTEM32\DLLCACHE\iexplore.exe
+ 2008-05-19 13:33 . 2009-06-29 16:12 268288 c:\windows\SYSTEM32\DLLCACHE\iertutil.dll
- 2008-05-19 13:33 . 2009-02-20 18:09 268288 c:\windows\SYSTEM32\DLLCACHE\iertutil.dll
+ 2006-11-07 08:27 . 2009-06-29 16:12 385024 c:\windows\SYSTEM32\DLLCACHE\iedkcs32.dll
- 2006-11-07 08:27 . 2009-02-20 18:09 385024 c:\windows\SYSTEM32\DLLCACHE\iedkcs32.dll
+ 2008-05-19 13:33 . 2009-06-29 16:12 380928 c:\windows\SYSTEM32\DLLCACHE\ieapfltr.dll
+ 2006-11-07 08:25 . 2009-06-29 08:33 161792 c:\windows\SYSTEM32\DLLCACHE\ieakui.dll
- 2006-11-07 08:25 . 2009-02-20 05:14 161792 c:\windows\SYSTEM32\DLLCACHE\ieakui.dll
+ 2006-11-07 08:27 . 2009-06-29 16:12 230400 c:\windows\SYSTEM32\DLLCACHE\ieaksie.dll
- 2006-11-07 08:27 . 2009-02-20 18:09 230400 c:\windows\SYSTEM32\DLLCACHE\ieaksie.dll
+ 2006-11-07 08:26 . 2009-06-29 16:12 153088 c:\windows\SYSTEM32\DLLCACHE\ieakeng.dll
- 2006-11-07 08:26 . 2009-02-20 18:09 153088 c:\windows\SYSTEM32\DLLCACHE\ieakeng.dll
+ 2006-05-10 05:22 . 2009-06-29 16:12 133120 c:\windows\SYSTEM32\DLLCACHE\extmgr.dll
- 2006-05-10 05:22 . 2009-02-20 18:09 133120 c:\windows\SYSTEM32\DLLCACHE\extmgr.dll
+ 2006-05-10 05:22 . 2009-06-29 16:12 214528 c:\windows\SYSTEM32\DLLCACHE\dxtrans.dll
- 2006-05-10 05:22 . 2009-02-20 18:09 214528 c:\windows\SYSTEM32\DLLCACHE\dxtrans.dll
- 2006-05-10 05:22 . 2009-02-20 18:09 347136 c:\windows\SYSTEM32\DLLCACHE\dxtmsft.dll
+ 2006-05-10 05:22 . 2009-06-29 16:12 347136 c:\windows\SYSTEM32\DLLCACHE\dxtmsft.dll
+ 2006-11-07 08:26 . 2009-06-29 16:12 124928 c:\windows\SYSTEM32\DLLCACHE\advpack.dll
- 2006-11-07 08:26 . 2009-02-20 18:09 124928 c:\windows\SYSTEM32\DLLCACHE\advpack.dll
- 2004-08-04 10:00 . 2009-02-20 18:09 124928 c:\windows\SYSTEM32\advpack.dll
+ 2004-08-04 10:00 . 2009-06-29 16:12 124928 c:\windows\SYSTEM32\advpack.dll
+ 2005-11-19 16:02 . 2009-09-12 14:43 114688 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\outicon.exe
- 2005-11-19 16:02 . 2008-09-05 02:27 114688 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\outicon.exe
+ 2005-11-19 16:02 . 2009-09-12 14:43 167936 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\accicons.exe
- 2005-11-19 16:02 . 2008-09-05 02:27 167936 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\accicons.exe
+ 2009-09-14 07:02 . 2009-03-03 00:18 826368 c:\windows\ie7updates\KB972260-IE7\wininet.dll
+ 2009-09-14 07:02 . 2009-02-20 18:09 233472 c:\windows\ie7updates\KB972260-IE7\webcheck.dll
+ 2009-09-14 07:02 . 2009-02-20 18:09 105984 c:\windows\ie7updates\KB972260-IE7\url.dll
+ 2009-09-14 07:02 . 2009-05-26 11:40 382840 c:\windows\ie7updates\KB972260-IE7\spuninst\updspapi.dll
+ 2009-09-14 07:02 . 2008-07-08 13:02 231288 c:\windows\ie7updates\KB972260-IE7\spuninst\spuninst.exe
+ 2009-09-14 07:02 . 2009-02-20 18:09 102912 c:\windows\ie7updates\KB972260-IE7\occache.dll
+ 2009-09-14 07:02 . 2009-02-20 18:09 671232 c:\windows\ie7updates\KB972260-IE7\mstime.dll
+ 2009-09-14 07:02 . 2009-02-20 18:09 193024 c:\windows\ie7updates\KB972260-IE7\msrating.dll
+ 2009-09-14 07:02 . 2009-02-20 18:09 477696 c:\windows\ie7updates\KB972260-IE7\mshtmled.dll
+ 2009-09-14 07:02 . 2009-02-20 18:09 459264 c:\windows\ie7updates\KB972260-IE7\msfeeds.dll
+ 2009-09-14 07:02 . 2009-02-28 04:54 636072 c:\windows\ie7updates\KB972260-IE7\iexplore.exe
+ 2009-09-14 07:02 . 2009-02-20 18:09 268288 c:\windows\ie7updates\KB972260-IE7\iertutil.dll
+ 2009-09-14 07:02 . 2009-02-20 18:09 385024 c:\windows\ie7updates\KB972260-IE7\iedkcs32.dll
+ 2009-09-14 07:02 . 2009-02-20 18:09 383488 c:\windows\ie7updates\KB972260-IE7\ieapfltr.dll
+ 2009-09-14 07:02 . 2009-02-20 05:14 161792 c:\windows\ie7updates\KB972260-IE7\ieakui.dll
+ 2009-09-14 07:02 . 2009-02-20 18:09 230400 c:\windows\ie7updates\KB972260-IE7\ieaksie.dll
+ 2009-09-14 07:02 . 2009-02-20 18:09 153088 c:\windows\ie7updates\KB972260-IE7\ieakeng.dll
+ 2009-09-14 07:02 . 2009-02-20 18:09 133120 c:\windows\ie7updates\KB972260-IE7\extmgr.dll
+ 2009-09-14 07:02 . 2009-02-20 18:09 214528 c:\windows\ie7updates\KB972260-IE7\dxtrans.dll
+ 2009-09-14 07:02 . 2009-02-20 18:09 347136 c:\windows\ie7updates\KB972260-IE7\dxtmsft.dll
+ 2009-09-14 07:02 . 2009-02-20 18:09 124928 c:\windows\ie7updates\KB972260-IE7\advpack.dll
- 2004-08-04 10:00 . 2008-06-18 10:03 2458112 c:\windows\SYSTEM32\WMVCore.dll
+ 2004-08-04 10:00 . 2009-05-20 08:56 2458112 c:\windows\SYSTEM32\WMVCore.dll
+ 2008-05-20 07:08 . 2009-04-17 09:58 1846656 c:\windows\SYSTEM32\win32k.sys
+ 2004-08-04 10:00 . 2009-06-29 16:12 1159680 c:\windows\SYSTEM32\urlmon.dll
+ 2004-08-04 10:00 . 2009-06-03 19:27 1290752 c:\windows\SYSTEM32\quartz.dll
+ 2004-08-04 10:00 . 2009-07-19 13:33 3597824 c:\windows\SYSTEM32\mshtml.dll
+ 2006-11-08 02:03 . 2009-07-19 13:32 6067200 c:\windows\SYSTEM32\ieframe.dll
+ 2006-09-06 04:01 . 2009-06-29 08:33 2452872 c:\windows\SYSTEM32\ieapfltr.dat
+ 2004-08-04 10:00 . 2009-05-20 08:56 2458112 c:\windows\SYSTEM32\DLLCACHE\WMVCore.dll
- 2004-08-04 10:00 . 2008-06-18 10:03 2458112 c:\windows\SYSTEM32\DLLCACHE\WMVCore.dll
+ 2008-03-19 09:47 . 2009-04-17 09:58 1846656 c:\windows\SYSTEM32\DLLCACHE\win32k.sys
+ 2006-05-10 05:23 . 2009-06-29 16:12 1159680 c:\windows\SYSTEM32\DLLCACHE\urlmon.dll
+ 2007-10-29 22:43 . 2009-06-03 19:27 1290752 c:\windows\SYSTEM32\DLLCACHE\quartz.dll
+ 2006-11-08 05:06 . 2009-07-10 13:42 1315328 c:\windows\SYSTEM32\DLLCACHE\msoe.dll
+ 2006-05-19 15:08 . 2009-07-19 13:33 3597824 c:\windows\SYSTEM32\DLLCACHE\mshtml.dll
+ 2008-05-19 13:33 . 2009-07-19 13:32 6067200 c:\windows\SYSTEM32\DLLCACHE\ieframe.dll
+ 2008-05-19 13:33 . 2009-06-29 08:33 2452872 c:\windows\SYSTEM32\DLLCACHE\ieapfltr.dat
+ 2009-09-14 07:02 . 2009-02-20 18:09 1160192 c:\windows\ie7updates\KB972260-IE7\urlmon.dll
+ 2009-09-14 07:02 . 2009-02-20 18:09 3595264 c:\windows\ie7updates\KB972260-IE7\mshtml.dll
+ 2009-09-14 07:02 . 2009-02-20 18:09 6066176 c:\windows\ie7updates\KB972260-IE7\ieframe.dll
+ 2009-09-14 07:02 . 2008-07-09 14:25 2455488 c:\windows\ie7updates\KB972260-IE7\ieapfltr.dat
+ 2004-08-04 10:00 . 2009-07-14 03:43 10841088 c:\windows\SYSTEM32\wmp.dll
+ 2009-09-14 07:04 . 2009-08-28 18:38 24689600 c:\windows\SYSTEM32\MRT.exe
+ 2004-08-04 10:00 . 2009-07-14 03:43 10841088 c:\windows\SYSTEM32\DLLCACHE\wmp.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-05-21 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2005-07-29 26112]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2004-02-12 49152]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2004-05-12 241664]
"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-02-08 488984]
"LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam10\QuickCam10.exe" [2007-02-08 774168]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-03-11 342312]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware4\mbam.exe" [2009-09-10 1312080]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2005-7-29 24576]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2004-3-15 241664]
HP Image Zone Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2004-3-15 53248]
Logitech Desktop Messenger.lnk - c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe [2008-9-4 91440]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2004-11-11 806912]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Common Files\\InstallShield\\UpdateService\\ISUSPM.exe"=
"c:\\Program Files\\Common Files\\Microsoft Shared\\VS7DEBUG\\MDM.EXE"=

S3 SBRE;SBRE;c:\windows\SYSTEM32\DRIVERS\SBREDrv.sys [9/4/2006 11:10 PM 92464]
.
Contents of the 'Scheduled Tasks' folder

2009-09-14 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-05-21 22:25]

2009-09-14 c:\windows\Tasks\User_Feed_Synchronization-{A766CEF0-F828-43E1-9D58-136F754B28BB}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 22:36]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
uInternet Settings,ProxyServer = 192.168.1.1:80
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
DPF: {1A595EDD-978A-48C7-B730-AF3B9CC64DAB} - hxxp://63.251.81.180/component/VZWDLManager.cab
FF - ProfilePath - c:\documents and settings\Alison\Application Data\Mozilla\Firefox\Profiles\rir56rg3.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://start.mozilla.org/firefox?client=firefox-a&rls=org.mozilla:en-US:official
.
- - - - ORPHANS REMOVED - - - -

AddRemove-StreetPlugin - c:\program files\Learn2.com\StRunner\stuninst.exe
AddRemove-ViewpointMediaPlayer - c:\program files\Viewpoint\Viewpoint Experience Technology\mtsAxInstaller.exe
AddRemove-WebCyberCoach_wtrb - c:\program files\WebCyberCoach\b_Dell\WCC_Wipe.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-14 19:43
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3988)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\SYSTEM32\LEXBCES.EXE
c:\windows\SYSTEM32\LEXPPS.EXE
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\SYSTEM32\WSCNTFY.EXE
c:\program files\iPod\bin\iPodService.exe
c:\program files\HP\Digital Imaging\bin\hpqgalry.exe
c:\program files\Common Files\logishrd\LComMgr\LVComSX.exe
c:\program files\Common Files\logishrd\LQCVFX\COCIManager.exe
.
**************************************************************************
.
Completion time: 2009-09-14 19:48 - machine was rebooted
ComboFix-quarantined-files.txt 2009-09-14 23:48
ComboFix2.txt 2009-09-14 01:13
ComboFix3.txt 2009-09-11 02:32

Pre-Run: 13,565,214,720 bytes free
Post-Run: 13,576,257,536 bytes free

400 --- E O F --- 2009-09-14 07:06

#9 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • OFFLINE
  • Local time:09:03 AM

Posted 15 September 2009 - 02:33 AM

Please download Malwarebytes' Anti-Malware from HERE or HERE

Note: If you already have Malwarebytes' Anti-Malware, just run and update it.. Then do a "Perform Full Scan"

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately.




Please run a free online scan with the ESET Online Scanner
Note: You will need to use Internet Explorer for this scan.
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the options Remove found threats and Scan unwanted applications are checked
  • Click Scan
    Wait for the scan to finish
  • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#10 yyyyyyup

yyyyyyup
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  • Local time:09:03 PM

Posted 16 September 2009 - 07:02 AM

Thank you for your help.

Malwarebytes' Anti-Malware 1.41
Database version: 2806
Windows 5.1.2600 Service Pack 2

9/15/2009 10:37:08 PM
mbam-log-2009-09-15 (22-37-08).txt

Scan type: Full Scan (C:\|)
Objects scanned: 171798
Time elapsed: 44 minute(s), 5 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 65

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Qoobox\Quarantine\C\emxtqjit.exe.vir (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\fyblb.exe.vir (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\osps.exe.vir (Spyware.Banker) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\tujfbtrj.exe.vir (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\10818434\10818434.exe.vir (Rogue.SystemSecurity) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\Program Files\AdvancedVirusRemover\PAVRM.exe.vir (Rogue.Installer) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\Program Files\sFX\SfX.DlL.vir (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\Program Files\sFX\sfX.sYs.vir (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\cru629.dat.vir (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\install.exe.vir (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\loadernew.exe.vir (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\video.exe.vir (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\Installer\32e725a.msi.vir (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\bitonuta.exe.vir (Rogue.SystemSecurity) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\kbiwkmyaprsill.dll.vir (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\merenugu.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\parajami.exe.vir (Rogue.SystemSecurity) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\cru629.dat.vir (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\deyogisu.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\diposeli.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\gahipewo.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\gajukilu.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\genahowa.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\tajf83ikdmf.dll.vir (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\tapi.nfo.vir (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\varofeje.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\vimuvayo.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\winhelper.dll.vir (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\winupdate.exe.vir (Rogue.AdvancedVirusRemover) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\wisdstr.exe.vir (Rogue.PC_AntiSpyware2010) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\zizatewa.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\herutoho.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\jakegetu.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\bufezeza.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\gsf83iujid.dll.vir (Trojan.Ertfor) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\kbiwkmrgfthkwn.dll.vir (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\DRIVERS\beep.sys.vir (Trojan.KillAV) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\DRIVERS\kbiwkmaiqjxvum.sys.vir (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\WBEM\proquota.exe.vir (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\A0001005.exe (Rogue.SystemSecurity) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\A0001006.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\A0001007.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\A0001008.exe (Rogue.SystemSecurity) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\A0001009.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\A0001010.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\A0001011.exe (Rogue.SystemSecurity) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\A0001012.exe (Rogue.AdvancedVirusRemover) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\A0001013.exe (Rogue.SystemSecurity) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\A0001014.exe (Rogue.SystemSecurity) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\A0001015.exe (Rogue.SystemSecurity) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\A0001016.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\A0001017.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\A0001018.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\A0001019.sys (Rootkit.Rustock) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\A0001020.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\A0001021.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\A0001022.dll (Worm.KoobFace) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\A0001027.sys (Trojan.KillAV) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\A0001028.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\A0001032.exe (Worm.Koobface) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP4\A0002743.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP4\A0002746.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP4\A0002747.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP4\A0002749.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\tftp.msc (Trojan.Downloader) -> Quarantined and deleted successfully.


ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=6
# iexplore.exe=7.00.6000.16876 (vista_gdr.090625-2339)
# OnlineScanner.ocx=1.0.0.6050
# api_version=3.0.2
# EOSSerial=b6409c366488ed4b93d8b303c2d137a9
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2009-09-16 03:20:00
# local_time=2009-09-15 11:20:00 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 2
# compatibility_mode=2561 62 25 16 187960247031250
# scanned=76769
# found=20
# cleaned=20
# scan_time=2054
C:\Qoobox\Quarantine\C\blyuwrjl.exe.vir a variant of Win32/Adware.Virtumonde.NFM application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\svfp.exe.vir a variant of Win32/Rustock.NKU trojan (deleted - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\Program Files\Shared\lib.dll.vir a variant of Win32/BHO.NMM trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\WINDOWS\braviax.exe.vir a variant of Win32/Kryptik.AHY trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\WINDOWS\ld12.exe.vir a variant of Win32/Koobface.NCF worm (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\afojogek.ini.vir Win32/Adware.Virtumonde.NEO application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\amazoliz.ini.vir Win32/Adware.Virtumonde.NEO application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\braviax.exe.vir a variant of Win32/Kryptik.AHY trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\igojoyuw.ini.vir Win32/Adware.Virtumonde.NEO application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\kupageli.dll.vir a variant of Win32/Adware.Virtumonde.NFM application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\liseruka.dll.vir a variant of Win32/Kryptik.AJK trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\ridilave.dll.vir a variant of Win32/Kryptik.AII trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\wispex.html.vir Win32/Adware.WinAntiVirus application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\~.exe.vir a variant of Win32/Kryptik.AIN trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\DRIVERS\UACoodulkdvei.sys.vir a variant of Win32/Olmarik.HI trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\A0000084.dll a variant of Win32/Adware.Virtumonde.NFM application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\A0000085.dll a variant of Win32/Adware.Virtumonde.NFM application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\A0001029.dll a variant of Win32/Adware.Virtumonde.NFM application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\A0001030.dll a variant of Win32/Adware.Virtumonde.NFM application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP4\A0002745.dll a variant of Win32/Kryptik.AJK trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
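
A triage script for the two detection lists above, added here as an editor's example and not something posted in the thread or shipped by Malwarebytes or ESET. Both logs follow a fixed one-line-per-detection layout, and the security-relevant question a helper asks of them is not "how many hits" but "where did the file live": almost every entry here sits under C:\Qoobox\Quarantine (ComboFix's own quarantine, already neutralised) or under a System Restore point, and only C:\WINDOWS\SYSTEM32\tftp.msc was found on the live system. The sample lines are copied from the logs above; the regexes and the three location classes are this example's own assumptions about the formats.

```python
"""Triage MBAM / ESET Online Scanner detection lists by where each file lived.

Location classes (this example's own convention, not the scanners'):
  combofix_quarantine - under C:\\Qoobox\\Quarantine, already removed by ComboFix
  restore_point       - inside a System Restore point, inert unless restored
  live                - anywhere else, i.e. a detection on the running system
"""
import re
from collections import Counter

# Constructed sample: a few lines copied verbatim from the logs posted in this thread.
MBAM_SAMPLE = r"""
C:\Qoobox\Quarantine\C\emxtqjit.exe.vir (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\10818434\10818434.exe.vir (Rogue.SystemSecurity) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\DRIVERS\kbiwkmaiqjxvum.sys.vir (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\A0001019.sys (Rootkit.Rustock) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP4\A0002743.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\tftp.msc (Trojan.Downloader) -> Quarantined and deleted successfully.
"""

ESET_SAMPLE = r"""
C:\Qoobox\Quarantine\C\svfp.exe.vir a variant of Win32/Rustock.NKU trojan (deleted - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\Program Files\Shared\lib.dll.vir a variant of Win32/BHO.NMM trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\afojogek.ini.vir Win32/Adware.Virtumonde.NEO application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP4\A0002745.dll a variant of Win32/Kryptik.AJK trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
"""

# MBAM:  <path> (<threat>) -> <action>.
MBAM_RE = re.compile(r"^(?P<path>[A-Za-z]:\\.+?) \((?P<threat>[^()]+)\) -> (?P<action>.+?)\.?$")
# ESET:  <path> [a variant of ]Win32/<name> <type> (<action>) <32-hex-digit hash> C
ESET_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?) (?P<threat>(?:a variant of )?Win32/\S+ \w+) "
    r"\((?P<action>[^()]+)\) (?P<hash>[0-9a-f]{32}) C$"
)


def classify_location(path):
    """Map a detected path to one of the three location classes above."""
    p = path.lower()
    if p.startswith(r"c:\qoobox\quarantine"):
        return "combofix_quarantine"
    if r"\system volume information\_restore" in p:
        return "restore_point"
    return "live"


def parse_log(text, source):
    """Return one dict per detection line; source is 'mbam' or 'eset'."""
    pattern = MBAM_RE if source == "mbam" else ESET_RE
    hits = []
    for line in text.splitlines():
        m = pattern.match(line.strip())
        if not m:  # summary lines, headers and blanks are skipped
            continue
        hits.append({
            "source": source,
            "path": m["path"],
            "threat": m["threat"],
            "action": m["action"],
            "location": classify_location(m["path"]),
        })
    return hits


def summarize(hits):
    """Count detections per location and pull out the ones on the live system."""
    by_location = Counter(h["location"] for h in hits)
    live = [h for h in hits if h["location"] == "live"]
    return {"total": len(hits), "by_location": dict(by_location), "live": live}


if __name__ == "__main__":
    for name, text in (("mbam", MBAM_SAMPLE), ("eset", ESET_SAMPLE)):
        report = summarize(parse_log(text, name))
        print(name, report["total"], report["by_location"])
        for h in report["live"]:
            print("  LIVE:", h["path"], "-", h["threat"])
```

Run over the two complete logs posted above, the same script reports 39 ComboFix-quarantine, 25 restore-point and 1 live detection for MBAM, and 15 quarantine, 5 restore-point and 0 live detections for ESET. The entries under C:\Qoobox and the restore points are the scanners re-detecting files ComboFix had already backed up, which is why a 65-file MBAM result is not as alarming as it looks; the single live hit is the one that warrants attention.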

#11 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • OFFLINE
  • Local time:09:03 AM

Posted 16 September 2009 - 08:00 PM

Looks good to me.. Let's do some cleanup...


Please download OTC and save it to Desktop.
  • Make sure you have internet connection..
  • Double-click OTC
  • Click the CleanUp! button.
  • Select Yes when the "Begin cleanup Process?" prompt appears.
  • If you are prompted to Reboot during the cleanup, select Yes


Please read these excellent articles written by my friends:
Preventing Malware and Safe Computing by Rorschach112
What makes your machine slow? by Artellos


Also, please read these excellent articles by miekiemoes :
Help! My computer is slow!
How to prevent Malware


Read this great info about safe internet surfing..

http://www.pcpitstop.com/spycheck/safesurfing.asp
http://bluefive.pair.com/practice_safe_surfing.htm




Please reply to this thread once more and tell us about the computer behaviour before we can close this thread :(



Have a safe and happy computing day!


Regards
fenzodahl512





