
Serious case of POLICE PRO


  • This topic is locked
8 replies to this topic

#1 elsinore79

elsinore79

  • Members
  • 5 posts
  • OFFLINE
  • Local time:03:55 AM

Posted 19 October 2009 - 01:09 PM

Attached File: Attach.txt (11.93KB, 5 downloads)
Attached File: root_repeal.txt (2.02KB, 5 downloads)

I have been at this for nearly 8 hours. Any help would be greatly appreciated. Thanks, Mark



DDS (Ver_09-10-13.01) - NTFSx86
Run by Mark Shaw uph at 13:38:59.14 on Mon 10/19/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.894.123 [GMT -4:00]


============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\bmwebcfg.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\WINDOWS\system32\FastNetSrv.exe
C:\Program Files\iolo\common\lib\ioloServiceManager.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\lxdxserv.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\lxdxcoms.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\UPHClean\uphclean.exe
C:\WINDOWS\svohost.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Sierra Wireless Inc\3G Watcher\WaHelper.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\Lexmark 3600-4600 Series\lxdxmon.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Documents and Settings\Mark\My Documents\RCA easyRip\EZDock.exe
C:\WINDOWS\system32\winupdate.exe
C:\Program Files\Lexmark 3600-4600 Series\lxdxMsdMon.exe
C:\Program Files\naeuvj\dumtsysguard.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Sierra Wireless Inc\3G Watcher\Watcher.exe
C:\WINDOWS\system32\lxcgcoms.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\Sierra Wireless Inc\3G Watcher\SwiApiMux.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Mark Shaw uph\Local Settings\Temporary Internet Files\Content.IE5\683E3BFV\mpam4_regedit_XP[1].exe
C:\DOCUME~1\MARKSH~1\LOCALS~1\Temp\winamp.exe
C:\DOCUME~1\MARKSH~1\LOCALS~1\Temp\spoolsv.exe
C:\DOCUME~1\MARKSH~1\LOCALS~1\Temp\avp.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Cobian Backup 9\cbService.exe
C:\Documents and Settings\Mark Shaw uph\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
mDefault_Search_URL = hxxp://www.google.com/ie
mSearch Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
mSearchAssistant = hxxp://www.google.com
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: c:\windows\system32\fngau.dll: {a2234b15-23f2-42ad-f4e4-00aac39c0004} - c:\windows\system32\fngau.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Yjafosi8kdf98winmdkmnkmfnwe] c:\docume~1\marksh~1\locals~1\temp\avp.exe
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [LXCGCATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\LXCGtime.dll,_RunDLLEntry@16
mRun: [lxcgmon.exe] "c:\program files\lexmark 2300 series\lxcgmon.exe"
mRun: [AT&T Communication Manager] "c:\program files\at&t\communication manager\ATTCM.exe" -a
mRun: [WatcherHelper] "c:\program files\sierra wireless inc\3g watcher\WaHelper.exe"
mRun: [TRUUpdater] "c:\program files\sierra wireless inc\webupdater\TRUUpdater.exe" /bkground
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"
mRun: [lxdxmon.exe] "c:\program files\lexmark 3600-4600 series\lxdxmon.exe"
mRun: [lxdxamon] "c:\program files\lexmark 3600-4600 series\lxdxamon.exe"
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [FaxCenterServer] "c:\program files\lexmark fax solutions\fm3032.exe" /s
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [ATICCC] "c:\program files\ati technologies\ati.ace\CLIStart.exe"
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [AirCardEnabler]
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [Easy Dock] c:\documents and settings\mark\my documents\rca easyrip\EZDock.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [calc] rundll32.exe c:\windows\system32\calc.dll,_IWMPEvents@0
mRun: [winupdate.exe] c:\windows\system32\winupdate.exe
mRun: [system tool] c:\program files\naeuvj\dumtsysguard.exe
mRun: [Krihek] rundll32.exe "c:\windows\asukunodijip.dll",Startup
mRun: [gitinohek] Rundll32.exe "c:\windows\system32\tefifohi.dll",a
mRun: [Cobian Backup 9 interface] "c:\program files\cobian backup 9\cbInterface.exe" -service
mRunOnce: [Malwarebytes' Anti-Malware] c:\downloads\malwarebytes' anti-malware\mbamgui.exe /install /silent
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\stk02n~1.lnk - c:\windows\stk02n\STK02NM.exe
uPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
uPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
uPolicies-explorer: NoFolderOptions = 1 (0x1)
uPolicies-system: DisableRegistryTools = 1 (0x1)
uPolicies-system: DisableTaskMgr = 1 (0x1)
mPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
LSP: bmnet.dll
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/4/9/e494c802-dd90-4c6b-a074-469358f075a6/OGAControl.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/C/0/C/C0CBBA88-A6F2-48D9-9B0E-1719D1177202/LegitCheckControl.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://photo1.walgreens.com/WalgreensActivia.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
Notify: AtiExtEvent - Ati2evxx.dll
AppInit_DLLs: c:\windows\system32\tefifohi.dll,kibalebe.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SSODL: nutadozah - {b640126e-0317-4e3a-91b5-aa4301d1b38e} - c:\windows\system32\yesakuno.dll
SSODL: legusotep - {953d9d3d-3795-4e5d-bb31-ba209bc95bf9} - c:\windows\system32\tefifohi.dll
STS: c:\windows\system32\fngau.dll: {a2234b15-23f2-42ad-f4e4-00aac39c0004} - c:\windows\system32\fngau.dll
STS: kupuhivus: {b640126e-0317-4e3a-91b5-aa4301d1b38e} - c:\windows\system32\yesakuno.dll
STS: mujuzedij: {953d9d3d-3795-4e5d-bb31-ba209bc95bf9} - c:\windows\system32\tefifohi.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\window~3\MpShHook.dll
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,
LSA: Notification Packages = scecli rsEN50.dll yuzeditu.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\marksh~1\applic~1\mozilla\firefox\profiles\4960wq0s.default\
FF - component: c:\program files\real\realplayer\browserrecord\components\nprpbrowserrecordplugin.dll
FF - plugin: c:\documents and settings\mark\application data\move networks\plugins\npqmp071505000010.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: XULRunner: {3104D554-1048-4591-BDFE-2C4450FC3514} - c:\documents and settings\mark\local settings\application data\{3104D554-1048-4591-BDFE-2C4450FC3514}
FF - HiddenExtension: XULRunner: {057B0F6A-1047-4365-AB6B-D26B4A5DDB2E} - c:\documents and settings\mark shaw uph\local settings\application data\{057B0F6A-1047-4365-AB6B-D26B4A5DDB2E}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R0 atiide;atiide;c:\windows\system32\drivers\atiide.sys [2008-3-23 3456]
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2009-10-18 206256]
R2 BtwSrv;BtwSrv;c:\windows\system32\svchost.exe -k netsvcs [2004-8-10 14336]
R2 CobianBackupAmanita;Cobian Backup 9 service;c:\program files\cobian backup 9\cbService.exe [2009-10-19 583168]
R2 fastnetsrv;fastnetsrv Service;c:\windows\system32\FastNetSrv.exe [2004-8-4 94208]
R2 ioloFileInfoList;iolo FileInfoList Service;c:\program files\iolo\common\lib\ioloServiceManager.exe [2009-7-31 609792]
R2 ioloSystemService;iolo System Service;c:\program files\iolo\common\lib\ioloServiceManager.exe [2009-7-31 609792]
R2 lxdx_device;lxdx_device;c:\windows\system32\lxdxcoms.exe -service --> c:\windows\system32\lxdxcoms.exe -service [?]
R2 lxdxCATSCustConnectService;lxdxCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxdxserv.exe [2009-3-8 98984]
R2 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2009-10-18 348752]
R2 WDefend;WDefend;c:\windows\svohost.exe [2009-10-18 283648]
R3 swivsp;AC8xx Virtual Serial Port;c:\windows\system32\drivers\swivspnt.sys [2007-3-26 20352]
R3 SWNC8U56;Sierra Wireless MUX NDIS Driver (UMTS56);c:\windows\system32\drivers\swnc8u56.sys [2007-6-27 168192]
R3 SWUMX56;Sierra Wireless USB MUX Driver (UMTS56);c:\windows\system32\drivers\swumx56.sys [2007-6-27 142976]
S3 ATTRcAppSvc;AT&T RcAppSvc;c:\program files\at&t\communication manager\RcAppSvc.exe [2007-9-18 109080]
S3 DCamUSBSTK02N;Standard Camera;c:\windows\system32\drivers\STK02NW2.sys [2009-5-20 101520]
S3 isapeep;isapeep;c:\windows\system32\isapeep.sys [2004-8-10 2304]

============== File Associations ===============

exefile=c:\windows\system32\pump.exe "%1" %*
JSEFile=NOTEPAD.EXE %1
VBEFile=NOTEPAD.EXE %1
VBSFile=NOTEPAD.EXE %1

=============== Created Last 30 ================

2009-10-19 13:26 <DIR> --d----- c:\program files\Cobian Backup 9
2009-10-19 11:31 146,432 a------- c:\windows\regedit.com
2009-10-19 10:40 <DIR> --d----- C:\_OTM
2009-10-19 10:06 <DIR> --d----- c:\docume~1\marksh~1\applic~1\Malwarebytes
2009-10-18 21:24 159,600 a------- c:\windows\system32\drivers\pctgntdi.sys
2009-10-18 21:23 206,256 a------- c:\windows\system32\drivers\PCTCore.sys
2009-10-18 21:23 86,888 a------- c:\windows\system32\drivers\PCTAppEvent.sys
2009-10-18 21:23 7,396 a------- c:\windows\system32\drivers\pctcore.cat
2009-10-18 21:23 <DIR> --d----- c:\program files\common files\PC Tools
2009-10-18 21:23 64,392 a------- c:\windows\system32\drivers\pctplsg.sys
2009-10-18 21:22 <DIR> --d----- c:\program files\Spyware Doctor
2009-10-18 21:22 <DIR> --d----- c:\docume~1\marksh~1\applic~1\PC Tools
2009-10-18 21:22 <DIR> --d----- c:\docume~1\alluse~1\applic~1\PC Tools
2009-10-18 12:23 0 a------- c:\windows\Vpipak.bin
2009-10-18 12:23 120 a------- c:\windows\Vjacaz.dat
2009-10-18 12:21 12,032 a------- c:\windows\system32\iehelper.dll
2009-10-18 12:20 0 a------- c:\windows\system32\AVR09.exe
2009-10-18 12:20 0 a------- c:\windows\system32\winhelper.dll
2009-10-18 12:19 <DIR> --d----- c:\docume~1\alluse~1\applic~1\16851526
2009-10-18 12:18 <DIR> --d----- c:\windows\system32\schtml
2009-10-18 12:15 283,648 a------- c:\windows\svohost.exe
2009-10-18 12:15 58 a------- c:\windows\wp4.dat
2009-10-18 12:15 3 a------- c:\windows\wp3.dat
2009-10-18 12:15 577,024 a------- c:\windows\system32\plugie.dll
2009-10-18 12:15 9 a------- c:\windows\system32\nuar.old
2009-10-18 12:14 36 a------- c:\windows\system32\skynet.dat
2009-10-18 12:14 505,856 a------- c:\windows\system32\pump.exe
2009-10-18 12:14 107 a------- c:\windows\system32\wwp.htm
2009-10-18 12:13 <DIR> --d----- c:\program files\naeuvj
2009-10-18 12:11 831 a------- c:\windows\system32\critical_warning.html
2009-10-18 12:09 24,576 a------- c:\windows\system32\winupdate.exe
2009-10-18 12:09 25,600 a--sh--- c:\windows\system32\calc.dll
2009-10-18 12:09 15,000 a------- c:\windows\system32\fngau.dll
2009-10-18 12:09 <DIR> --d----- c:\program files\Windows Police Pro
2009-10-18 12:09 9,216 a------- C:\svhkapw.exe
2009-10-18 12:09 251,904 a------- C:\tfdp.exe
2009-10-18 12:09 52,736 a------- C:\nmihj.exe
2009-10-18 12:09 49,152 a------- C:\bqefoh.exe
2009-10-18 12:09 24,576 a------- C:\jboy.exe
2009-10-18 12:07 284,672 a------- c:\windows\system32\~.exe
2009-10-02 20:52 195,440 -------- c:\windows\system32\MpSigStub.exe

==================== Find3M ====================

2009-09-11 10:18 136,192 a------- c:\windows\system32\msv1_0.dll
2009-09-11 10:18 136,192 -------- c:\windows\system32\dllcache\msv1_0.dll
2009-09-10 14:54 38,224 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 14:53 19,160 a------- c:\windows\system32\drivers\mbam.sys
2009-09-04 17:03 58,880 a------- c:\windows\system32\msasn1.dll
2009-09-04 17:03 58,880 -------- c:\windows\system32\dllcache\msasn1.dll
2009-08-28 10:29 93,096 a------- c:\windows\system32\IncContxMenu.dll
2009-08-28 10:29 2,116,008 a------- c:\windows\system32\Incinerator.dll
2009-08-28 06:35 173,056 -------- c:\windows\system32\dllcache\ie4uinit.exe
2009-08-26 15:42 30,208 a------- c:\windows\system32\iolobtdfg.exe
2009-08-26 15:42 12,288 a------- c:\windows\system32\smrgdf.exe
2009-08-26 04:00 247,326 a------- c:\windows\system32\strmdll.dll
2009-08-26 04:00 247,326 -------- c:\windows\system32\dllcache\strmdll.dll
2009-08-17 23:33 1,193,832 a------- c:\windows\system32\FM20.DLL
2009-08-06 19:24 327,896 a------- c:\windows\system32\dllcache\wucltui.dll
2009-08-06 19:24 209,632 a------- c:\windows\system32\dllcache\wuweb.dll
2009-08-06 19:24 35,552 a------- c:\windows\system32\dllcache\wups.dll
2009-08-06 19:24 53,472 a------- c:\windows\system32\dllcache\wuauclt.exe
2009-08-06 19:24 96,480 a------- c:\windows\system32\dllcache\cdm.dll
2009-08-06 19:23 575,704 a------- c:\windows\system32\dllcache\wuapi.dll
2009-08-06 19:23 1,929,952 a------- c:\windows\system32\dllcache\wuaueng.dll
2009-08-06 19:23 274,288 a------- c:\windows\system32\mucltui.dll
2009-08-06 19:23 215,920 a------- c:\windows\system32\muweb.dll
2009-08-05 05:01 204,800 a------- c:\windows\system32\mswebdvd.dll
2009-08-05 05:01 204,800 -------- c:\windows\system32\dllcache\mswebdvd.dll
2009-08-04 20:44 2,189,184 -------- c:\windows\system32\dllcache\ntoskrnl.exe
2009-08-04 11:13 2,145,280 a------- c:\windows\system32\ntoskrnl.exe
2009-08-04 11:13 2,145,280 -------- c:\windows\system32\dllcache\ntkrnlmp.exe
2009-08-04 10:20 2,023,936 a------- c:\windows\system32\ntkrnlpa.exe
2009-08-04 10:20 2,023,936 -------- c:\windows\system32\dllcache\ntkrpamp.exe
2009-08-04 10:20 2,066,048 -------- c:\windows\system32\dllcache\ntkrnlpa.exe
2009-07-31 20:38 74,703 a------- c:\windows\system32\mfc45.dll
2009-07-18 12:17 193,544 a--sh--- c:\windows\system32\kasuyuru.exe
2009-07-19 10:19 53,760 a--sh--- c:\windows\system32\kibalebe.dll
2009-07-19 10:19 53,760 a--sh--- c:\windows\system32\lelasuba.dll
2009-07-18 12:17 39,424 a--sh--- c:\windows\system32\mowoledo.dll
2009-07-19 10:18 39,424 a--sh--- c:\windows\system32\pubinibu.dll
2009-07-18 12:17 1,114,455 a--sh--- c:\windows\system32\pufegogu.exe
2009-07-18 12:17 1,084,962 a--sh--- c:\windows\system32\setegabo.exe
2009-07-19 10:18 90,112 a--sh--- c:\windows\system32\tefifohi.dll
2009-07-19 10:18 53,760 a--sh--- c:\windows\system32\winusime.dll
2009-07-18 12:17 24,576 a--sh--- c:\windows\system32\yokayinu.exe
2009-07-19 10:19 53,760 a--sh--- c:\windows\system32\yuzeditu.dll
2008-07-30 14:00 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008073020080731\index.dat

============= FINISH: 13:40:57.20 ==============

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/10/19 13:46
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xEC676000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF7B6E000 Size: 8192 File Visible: No Signed: -
Status: -

Name: mchInjDrv.sys
Image Path: C:\WINDOWS\system32\Drivers\mchInjDrv.sys
Address: 0xF7C8B000 Size: 2560 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xB5C31000 Size: 49152 File Visible: No Signed: -
Status: -

Name: uphcleanhlp.sys
Image Path: C:\WINDOWS\system32\Drivers\uphcleanhlp.sys
Address: 0xB70AF000 Size: 8960 File Visible: No Signed: -
Status: -

==EOF============
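A triage pass over the kind of DDS log posted above, as an added example that is not part of this thread or of the DDS tool: it walks the Running Processes, Pseudo HJT Report and File Associations sections and flags what a helper reads out of them (a binary running from Temp, a svchost lookalike, an autorun from Temp, policies that disable Task Manager, regedit or Folder Options, a populated AppInit_DLLs, an extra LSA notification package, and an exefile association that no longer points straight at "%1"). The sample input is a constructed excerpt of the log above; the clean-XP baselines (empty AppInit_DLLs, scecli as the only LSA package) are assumptions.

```python
import re
from typing import List, Optional, Tuple

# Constructed excerpt of the DDS log posted in #1, used as sample input for the triage pass.
SAMPLE_LOG = r"""
============== Running Processes ===============

C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\WINDOWS\svohost.exe
C:\DOCUME~1\MARKSH~1\LOCALS~1\Temp\spoolsv.exe
C:\DOCUME~1\MARKSH~1\LOCALS~1\Temp\avp.exe
C:\Program Files\Internet Explorer\iexplore.exe

============== Pseudo HJT Report ===============

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Yjafosi8kdf98winmdkmnkmfnwe] c:\docume~1\marksh~1\locals~1\temp\avp.exe
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
uPolicies-explorer: NoFolderOptions = 1 (0x1)
uPolicies-system: DisableRegistryTools = 1 (0x1)
uPolicies-system: DisableTaskMgr = 1 (0x1)
mPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
AppInit_DLLs: c:\windows\system32\tefifohi.dll,kibalebe.dll
LSA: Notification Packages = scecli rsEN50.dll yuzeditu.dll

============== File Associations ===============

exefile=c:\windows\system32\pump.exe "%1" %*
JSEFile=NOTEPAD.EXE %1
"""

# System binaries an impostor tends to imitate; matched by edit distance so svohost.exe trips on svchost.exe.
SYSTEM_BINARIES = ["svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe",
                   "spoolsv.exe", "explorer.exe", "services.exe"]
# Policies that lock the user out of the tools needed to inspect the machine
# (NoFolderOptions is what removes Tools > Folder Options from My Computer).
LOCKOUT_POLICIES = {"DisableTaskMgr", "DisableRegistryTools", "NoFolderOptions"}
# Assumption: a clean XP install has only scecli in LSA Notification Packages and an empty AppInit_DLLs.
LSA_BASELINE = {"scecli"}
TEMP_DIR = re.compile(r"\\(locals~1|local settings)\\temp\\", re.I)
CLEAN_EXEFILE = '"%1" %*'


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot one-character impostor names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike(name: str) -> Optional[str]:
    """Return the system binary this file name imitates (distance 1, not identical), else None."""
    name = name.lower()
    for real in SYSTEM_BINARIES:
        if name != real and edit_distance(name, real) == 1:
            return real
    return None


def triage(log: str) -> List[Tuple[str, str]]:
    """Walk the DDS sections and return (indicator, offending line) pairs in log order."""
    findings: List[Tuple[str, str]] = []
    section = ""
    for raw in log.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = re.fullmatch(r"=+\s*(.+?)\s*=+", line)
        if header:                      # "====== Section Name ======"
            section = header.group(1)
            continue
        if section == "Running Processes":
            parts = line.split("\\")[-1].split()
            exe = parts[0] if parts else ""
            real = lookalike(exe)
            if TEMP_DIR.search(line):
                findings.append(("process-from-temp", line))
            elif real:
                findings.append(("process-name-lookalike:" + real, line))
        elif section == "Pseudo HJT Report":
            run = re.match(r"[umd]Run(?:Once)?:\s*\[[^\]]*\]\s*(.*)", line)
            if run and TEMP_DIR.search(run.group(1)):
                findings.append(("autorun-from-temp", line))
                continue
            pol = re.match(r"[um]Policies-\w+:\s*(\w+)\s*=\s*(\d+)", line)
            if pol and pol.group(1) in LOCKOUT_POLICIES and pol.group(2) != "0":
                findings.append(("admin-tool-lockout", line))
                continue
            if line.startswith("AppInit_DLLs:") and line.split(":", 1)[1].strip():
                findings.append(("appinit-dll", line))
                continue
            lsa = re.match(r"LSA:\s*Notification Packages\s*=\s*(.*)", line)
            if lsa and any(p.lower() not in LSA_BASELINE for p in lsa.group(1).split()):
                findings.append(("lsa-notification-package", line))
        elif section == "File Associations":
            assoc = re.match(r"exefile=(.*)", line, re.I)
            if assoc and assoc.group(1).strip() != CLEAN_EXEFILE:
                findings.append(("exefile-hijack", line))
    return findings


if __name__ == "__main__":
    for kind, offending in triage(SAMPLE_LOG):
        print(f"{kind:36} {offending}")
```

Run against the full log above, the same rules also pick up the Temp\winamp.exe process and the mRun entries that load DLLs through rundll32, which are the items the OTM script in #7 goes on to remove.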


#2 thcbytes

thcbytes

  • Malware Response Team
  • 14,790 posts
  • OFFLINE
  • Gender:Male
  • Local time:02:55 AM

Posted 19 October 2009 - 02:27 PM

Hi and welcome to the HijackThis Logs and Virus/Trojan/Spyware/Malware Removal forum,

I am thcbytes and I am here to help you!

I ask that you refrain from running tools other than those I suggest to you while I am cleaning up your computer. The reason for this is so I know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.

Please perform all steps in the order received and do not proceed if you need clarification.

In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. By doing this and then choosing Immediate E-Mail notification and then clicking on Proceed you will be advised when we respond to your topic and facilitate the cleaning of your machine.

After 5 days if a topic is not replied to we assume it has been abandoned and it is closed.

I would also like to inform you that most of us here at Bleeping Computer offer our expert assistance out of the goodness of our hearts. Please be courteous and appreciative for the assistance provided!

==========

One or more of the identified infections is a Backdoor trojan/Rootkit.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. If after careful consideration you have decided to move forward with cleanup then please proceed as I have outlined below.

==========

Download and Run ComboFix (by sUBs)

You must rename it before saving it.

Please download ComboFix from one of these locations:

Link 1
Link 2

Save thcbytes.exe to your Desktop <-- Important!!!
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Please refer to this link for instructions.

  • Double click on thcbytes.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own.
This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


==========

Again I would like to remind you to make no further changes to your computer unless I direct you to do so. Your computer fix will be based on the current condition of your computer! Any changes might delay my ability to help you.

==========

With your next post please provide:

* Combofix.txt

Kind regards,
~t
Proud member - Unified Network of Instructors and Trained Eliminators

I do not accept personal donations for assistance provided. I would ask that you instead consider donating the greatest gift - Organ Donation. Your organs are of no use to you when you're gone. You will save a life that would otherwise be lost!

http://donatelife.net/register-now/

#3 elsinore79

elsinore79
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:03:55 AM

Posted 19 October 2009 - 02:41 PM

I cannot run that file after I download it. It says that it is corrupt.

#4 thcbytes

thcbytes

  • Malware Response Team
  • 14,790 posts
  • OFFLINE
  • Gender:Male
  • Local time:02:55 AM

Posted 19 October 2009 - 03:10 PM

Yikes. I was afraid that might be the case. This could mean very serious trouble I am sorry to report. :(

==========

Please do this....

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Please click this link-->Jotti

When the jotti page has finished loading, click the browse button and navigate to the files listed below in bold, then click Submit. You will only be able to have one file scanned at a time.

C:\Documents and Settings\Mark Shaw uph\Local Settings\Temp\winamp.exe
C:\Documents and Settings\Mark Shaw uph\Local Settings\Temp\spoolsv.exe
C:\Documents and Settings\Mark Shaw uph\Local Settings\Temp\avp.exe

Please post back the results of the scan in your next post.

If Jotti is busy, try the same at Virustotal

==========

Right click and delete your copy of Combofix....

Download and Run ComboFix (by sUBs) in Safe Mode

You must rename it before saving it.

Please download ComboFix from one of these locations:

Link 1
Link 2

Save thcbytes.exe to your Desktop <-- Important!!!

==========

Now reboot into Safe Mode.
  • This can be done tapping the F8 key as soon as you start your computer.
  • You will be brought to a menu where you can choose to boot into safe mode.
  • Make sure you choose the option with networking support.
  • Please see here for additional details.
==========
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Please refer to this link for instructions.

  • Double click on thcbytes.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own.
This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


==========

With your next post please provide:

* Upload results
* Combofix.txt

Kind regards,
~t

Edited by thcbytes, 19 October 2009 - 03:21 PM.

Proud member - Unified Network of Instructors and Trained Eliminators

I do not accept personal donations for assistance provided. I would ask that you instead consider donating the greatest gift - Organ Donation. Your organs are of no use to you when you're gone. You will save a life that would otherwise be lost!

http://donatelife.net/register-now/

#5 elsinore79

elsinore79
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:03:55 AM

Posted 19 October 2009 - 04:54 PM

When I open My Computer and click on Tools there is no option to change hidden folder settings. All it says is Map Network Drive, Disconnect Network Drive, and Synchronize. Am I looking in the wrong place?

#6 elsinore79

elsinore79
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:03:55 AM

Posted 19 October 2009 - 04:56 PM

Also forgot to mention that I cannot start the computer in safe mode. When I try to go into safe mode it just keeps reverting back to the screen that asks me how I want to start Windows.

#7 thcbytes

thcbytes

  • Malware Response Team
  • 14,790 posts
  • OFFLINE
  • Gender:Male
  • Local time:02:55 AM

Posted 19 October 2009 - 09:01 PM

Your computer is very seriously infected. I am not certain you can ever rely on it again from a security standpoint. You should be seriously considering backing up your data and formatting. Then reinstalling your OS.

==========

If you want to proceed then follow my instructions below.

==========

Alright. It is going to be very important for you to take your time and follow my instructions. Did you follow the link How to see hidden files in Windows?

Here is a pictorial...

To enable the viewing of Hidden files follow these steps:

1. Close all programs so that you are at your desktop.
2. Double-click on the My Computer icon.
3. Select the Tools menu and click Folder Options.
4. After the new window appears select the View tab.
5. Put a checkmark in the checkbox labeled Display the contents of system folders.
6. Under the Hidden files and folders section select the radio button labeled Show hidden files and folders.
7. Remove the checkmark from the checkbox labeled Hide file extensions for known file types.
8. Remove the checkmark from the checkbox labeled Hide protected operating system files.
9. Press the Apply button and then the OK button and shutdown My Computer.
10. Now your computer is configured to show all hidden files.

Please click this link-->Jotti

When the jotti page has finished loading, click the browse button and navigate to the files listed below in bold, then click Submit. You will only be able to have one file scanned at a time.

C:\Documents and Settings\Mark Shaw uph\Local Settings\Temp\winamp.exe
C:\Documents and Settings\Mark Shaw uph\Local Settings\Temp\spoolsv.exe
C:\Documents and Settings\Mark Shaw uph\Local Settings\Temp\avp.exe

Please post back the results of the scan in your next post.

If Jotti is busy, try the same at Virustotal

==========

Since Safe Mode is inaccessible please try this...........

We need to execute an OTM script

Backup Your Registry with ERUNT
  • Please use the following link and scroll down to ERUNT and download it.
    http://aumha.org/freeware/freeware.php
  • For version with the Installer:
    Use the setup program to install ERUNT on your computer
  • For the zipped version:
    Unzip all the files into a folder of your choice.
  • Click Erunt.exe to backup your registry to the folder of your choice.

Note: to restore your registry, go to the folder and start ERDNT.exe

**********
  • Please download OTM by OldTimer and save it to your desktop.
  • Double click the OTM icon on your desktop.
  • Paste the following code under the [image] area. Do not include the word "Code".
    :Processes
    explorer.exe
    
    :files
    C:\WINDOWS\svohost.exe
    C:\WINDOWS\system32\winupdate.exe
    C:\Program Files\naeuvj\dumtsysguard.exe
    c:\windows\system32\fngau.dll
    c:\docume~1\marksh~1\locals~1\temp\avp.exe
    c:\windows\asukunodijip.dll
    c:\windows\system32\tefifohi.dll
    c:\windows\system32\yesakuno.dll
    c:\windows\Vpipak.bin
    c:\windows\Vjacaz.dat
    c:\windows\system32\iehelper.dll
    c:\windows\system32\AVR09.exe
    c:\windows\system32\winhelper.dll
    c:\docume~1\alluse~1\applic~1\16851526
    c:\windows\system32\schtml
    c:\windows\svohost.exe
    c:\windows\wp4.dat
    c:\windows\wp3.dat
    c:\windows\system32\plugie.dll
    c:\windows\system32\nuar.old
    c:\windows\system32\skynet.dat
    c:\windows\system32\pump.exe
    c:\windows\system32\wwp.htm
    c:\program files\naeuvj
    c:\windows\system32\critical_warning.html
    c:\windows\system32\winupdate.exe
    c:\windows\system32\calc.dll
    c:\windows\system32\fngau.dll
    c:\program files\Windows Police Pro
    C:\svhkapw.exe
    C:\tfdp.exe
    C:\nmihj.exe
    C:\bqefoh.exe
    C:\jboy.exe
    c:\windows\system32\~.exe
    
    :Registry
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Yjafosi8kdf98winmdkmnkmfnwe"=-
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "winupdate.exe"=-
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "system tool"=-
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Krihek"=-
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "gitinohek"=-
    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "NoSetActiveDesktop"=-
    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "NoActiveDesktopChanges"=-
    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "NoFolderOptions"=-
    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
    "DisableRegistryTools"=-
    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
    "DisableTaskMgr"=-
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\ShellServiceObjectDelayLoad]
    "nutadozah"=-
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\ShellServiceObjectDelayLoad]
    "legusotep"=-
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\SharedTaskScheduler]
    "{a2234b15-23f2-42ad-f4e4-00aac39c0004}"=-
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\SharedTaskScheduler]
    "{b640126e-0317-4e3a-91b5-aa4301d1b38e}"=-
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\SharedTaskScheduler]
    "{953d9d3d-3795-4e5d-bb31-ba209bc95bf9}"=-
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    "Notification Packages"=hex(7):73,63,65,63,6c,69,00,00
     
    :commands
    [EmptyTemp]
    [Reboot]
  • Push the large [image] button.
  • OTM may ask to reboot the machine. Please do so if asked.
  • Copy/Paste the contents under the [image] line here in your next reply.
Please note:
If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTM\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.


==========

We need to repair Safe Mode
  • Please download Safe Boot Key Repair and save it to your desktop.
  • Run Safe Boot Key Repair by double clicking on it or right-click on it and click Open
  • Copy and paste the resultant log here in your next reply.
==========

We need to create an OTL Report
  • Please download OTL from one of the following mirrors:
  • Save it to your desktop.
  • Double click on the OTL icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Under "Extra Registry" please check "Use Safelist" and also check "LOP Check" and "Purity Check" as pictured. [image]
  • Push the [image] button.
  • Two reports will open, copy and paste them in a reply here:
    • OTListIt.txt <-- Will be opened
    • Extra.txt <-- Will be minimized
==========

With your next post please provide:

* Upload results
* OTM fix log
* Safe mode log
* OTL.txt
* OTL Extra.txt

Kind regards,
~t

Edited by thcbytes, 20 October 2009 - 07:22 AM.

Proud member - Unified Network of Instructors and Trained Eliminators

I do not accept personal donations for assistance provided. I would ask that you instead consider donating the greatest gift - Organ Donation. Your organs are of no use to you when you're gone. You will save a life that would otherwise be lost!

http://donatelife.net/register-now/
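Before running a fix script like the OTM one above, it helps to read it the way a responder does: which load points does it clear, and what does the odd-looking `hex(7)` line actually write? The following is an added example, not code from this thread and not part of OldTimer's OTM (a closed-source tool); it parses the script format shown above (the `:Processes`, `:files`, `:Registry` and `:commands` sections and the `.reg`-style `"name"=-` delete syntax are taken from the posted script, while the exact rules OTM applies to them are an assumption here), decodes the REG_MULTI_SZ bytes, and labels each registry key by the kind of persistence or lockout it represents. The sample script is a constructed, shortened copy of the one in the reply.

```python
"""Parse an OTM-style fix script and report what it would touch.

Added example for this thread, not OldTimer's OTM itself.  Section names
and the .reg-like registry syntax come from the posted script; how OTM
interprets them internally is an assumption.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: a shortened copy of the fix script in the reply above.
SAMPLE_SCRIPT = r"""
:Processes
explorer.exe

:files
C:\WINDOWS\svohost.exe
c:\windows\system32\fngau.dll
c:\program files\Windows Police Pro

:Registry
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yjafosi8kdf98winmdkmnkmfnwe"=-
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=-
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Notification Packages"=hex(7):73,63,65,63,6c,69,00,00

:commands
[EmptyTemp]
[Reboot]
"""

# Key-path suffixes touched by the script above, and what each load point is
# to a defender.  Matched case-insensitively against the end of the key path.
PERSISTENCE_HINTS = {
    r"\currentversion\run": "autostart (Run key)",
    r"\policies\explorer": "Explorer restriction policy",
    r"\policies\system": "system restriction policy (Task Manager / regedit lockout)",
    r"\shellserviceobjectdelayload": "Explorer-loaded COM object (SSODL autostart)",
    r"\explorer\sharedtaskscheduler": "Explorer-loaded COM object (SharedTaskScheduler autostart)",
    r"\control\lsa": "LSA load point (Notification Packages DLL list)",
}

VALUE_RE = re.compile(r'^"(?P<name>[^"]*)"=(?P<data>.*)$')


@dataclass
class FixPlan:
    processes: list = field(default_factory=list)
    files: list = field(default_factory=list)
    reg_deletes: list = field(default_factory=list)  # (key, value_name)
    reg_sets: list = field(default_factory=list)     # (key, value_name, data)
    commands: list = field(default_factory=list)


def decode_hex7(payload):
    """Decode a .reg 'hex(7)' (REG_MULTI_SZ) byte list into its strings.

    The bytes are NUL-separated strings ended by one extra NUL.  The posted
    value is one byte per character (REGEDIT4 style); a Unicode .reg export
    would be UTF-16LE, which this helper does not handle.
    """
    raw = bytes(int(tok, 16) for tok in payload.split(",") if tok.strip())
    return [part.decode("latin-1") for part in raw.split(b"\x00") if part]


def classify_key(key):
    """Name the kind of load point a registry key path refers to."""
    low = key.lower()
    for suffix, description in PERSISTENCE_HINTS.items():
        if low.endswith(suffix):
            return description
    return "other"


def parse_otm_script(text):
    """Split an OTM-style script into sections and registry operations."""
    plan = FixPlan()
    section = None
    current_key = None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith(":"):              # section header, e.g. ":files"
            section = line[1:].lower()
            current_key = None
            continue
        if section == "processes":
            plan.processes.append(line)
        elif section == "files":
            plan.files.append(line)
        elif section == "registry":
            if line.startswith("[") and line.endswith("]"):
                current_key = line[1:-1]      # key path for the values that follow
                continue
            match = VALUE_RE.match(line)
            if match is None or current_key is None:
                raise ValueError(f"unparsed registry line: {line!r}")
            name, data = match.group("name"), match.group("data")
            if data == "-":                    # .reg syntax: delete this value
                plan.reg_deletes.append((current_key, name))
            elif data.startswith("hex(7):"):   # REG_MULTI_SZ being (re)written
                plan.reg_sets.append((current_key, name, decode_hex7(data[7:])))
            else:
                plan.reg_sets.append((current_key, name, data))
        elif section == "commands":
            plan.commands.append(line.strip("[]"))
        else:
            raise ValueError(f"line outside any section: {line!r}")
    return plan


def summarize(plan):
    """Counts plus the kinds of load points the script cleans."""
    return {
        "processes": len(plan.processes),
        "files": len(plan.files),
        "registry_deletes": len(plan.reg_deletes),
        "registry_sets": len(plan.reg_sets),
        "commands": list(plan.commands),
        "load_points": sorted({classify_key(k) for k, _ in plan.reg_deletes}),
    }


if __name__ == "__main__":
    plan = parse_otm_script(SAMPLE_SCRIPT)
    print(summarize(plan))
    for key, name, data in plan.reg_sets:
        print(f"restore {key}\\{name} = {data}")
```

Run on the sample, the `hex(7)` line decodes to `["scecli"]`, the stock Windows entry for LSA `Notification Packages`; rewriting the value to exactly that list drops any extra DLL a rogue program had added so LSA would load it at boot, which is why that line is a restore rather than a delete. The `load_points` list makes the intent of the rest of the `:Registry` section visible at a glance: Run-key autostarts plus the Explorer and system policies (`NoFolderOptions`, `DisableTaskMgr`, `DisableRegistryTools`) that the infection used to keep the user out of the very tools the steps above need.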

#8 elsinore79 (Topic Starter, Members, 5 posts)

Posted 20 October 2009 - 06:58 PM

Decided to reformat. Thank you for your time. It is greatly appreciated. You can close this post.

#9 thcbytes (Malware Response Team, 14,790 posts)

Posted 20 October 2009 - 08:49 PM

Since this topic appears to be resolved, I will now close it.
If you need this topic re-opened please send me a PM.

Everyone else, please start a new topic.