infected by Security Central, Advanced Virus Remover, Police Pro, and AntivirusPro2010


30 replies to this topic

#1 jetro

Posted 20 October 2009 - 03:11 PM

I have at least four of these on my laptop. I have always had success removing them using Malwarebytes. However, this time when I try to open it or any other program such as Norton, it either won't run at all or shuts down immediately. I then get a message saying the exe file is infected and cannot run... I have tried renaming to no avail... it is as if the virus recognizes the program by function, not name.
I am also unable to open my Task Manager or Control Panel. Once my Control Panel did open but I couldn't open anything further from it.
I am able to use email and IE. I downloaded RootRepeal, but alas it will not run either.
The pop-ups have actually gotten better in the last couple of hours but some of my functionality is worse.
I was able to run DDS and that is below. I also have the Attach file from the DDS scan but I can't attach it here (web page error, perhaps due to the virus?). Should I copy and paste it?
Thanks in advance for any help you can give!

DDS (Ver_09-10-13.01) - NTFSx86
Run by TERMUSER at 13:09:28.12 on Tue 10/20/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.998.439 [GMT -5:00]


============== Running Processes ===============

C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\brss01a.exe
svchost.exe
C:\WINDOWS\system32\IPSSVC.EXE
C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Kaseya\Agent\AgentMon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\NavNT\rtvscan.exe
C:\Program Files\Novatel Wireless\Sprint\Sprint PCS Connection Manager\OSCMUtilityService.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\Program Files\Sprint\Sierra Wireless\Sprint PCS Connection Manager\SPCSUtilityService.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
C:\WINDOWS\System32\TPHDEXLG.exe
C:\Program Files\Lenovo\Rescue and Recovery\rrpservice.exe
C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe
c:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
C:\Program Files\Lenovo\Rescue and Recovery\ADM\IUService.exe
C:\WINDOWS\svohost.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
C:\Program Files\Windows Police Pro\Windows Police Pro.exe
c:\program files\lenovo\system update\suservice.exe
C:\Program Files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Documents and Settings\TERMUSER\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mDefault_Search_URL = hxxp://www.google.com/ie
mSearch Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
uInternet Settings,ProxyOverride = *.local
mSearchAssistant = hxxp://www.google.com
mWinlogon: Shell=Explorer.exe rundll32.exe cpcp.cpo bef0regiiav
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\windows\system32\sdra64.exe,
BHO: c:\windows\system32\os4jrzkv4.dll: {a2234b15-23f2-42ad-f4e4-00aac39c0004} - c:\windows\system32\os4jrzkv4.dll
BHO: Windows Live Toolbar Helper: {bdbd1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
BHO: 1 (0x1) - No File
TB: Windows Live Toolbar: {bdad1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [ISUSPM] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler
uRun: [mserv] c:\documents and settings\termuser\application data\seres.exe
uRun: [svchost] c:\documents and settings\termuser\application data\svcst.exe
uRun: [calc] rundll32.exe c:\windows\system32\config\system~1\ntuser.dll,_IWMPEvents@0
uRun: [Login Software 2009] c:\docume~1\termuser\locals~1\temp\jxvei.exe
uRun: [wow64main.exe] c:\docume~1\termuser\locals~1\temp\wow64main.exe
uRun: [Yjafosi8kdf98winmdkmnkmfnwe] c:\docume~1\termuser\locals~1\temp\svchost.exe
uRun: [Advanced Virus Remover] c:\program files\advancedvirusremover\PAVRM.exe
mRun: [PWRMGRTR] rundll32 c:\progra~1\thinkpad\utilit~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
mRun: [BLOG] rundll32 c:\progra~1\thinkpad\utilit~1\BatLogEx.DLL,StartBattLog
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [TPFNF7] c:\program files\lenovo\npdirect\TPFNF7SP.exe /r
mRun: [TPHOTKEY] c:\program files\lenovo\hotkey\TPOSDSVC.exe
mRun: [TpShocks] TpShocks.exe
mRun: [EZEJMNAP] c:\progra~1\thinkpad\utilit~1\EzEjMnAp.Exe
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [SoundMAX] c:\program files\analog devices\soundmax\Smax4.exe /tray
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [TVT Scheduler Proxy] c:\program files\common files\lenovo\scheduler\scheduler_proxy.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [AwaySch] c:\program files\lenovo\awaytask\AwaySch.EXE
mRun: [LPManager] c:\progra~1\thinkv~1\prdctr\LPMGR.exe
mRun: [AMSG] c:\program files\thinkvantage\amsg\Amsg.exe /startup
mRun: [DiskeeperSystray] "c:\program files\diskeeper corporation\diskeeper\DkIcon.exe"
mRun: [ACTray] c:\program files\thinkpad\connectutilities\ACTray.exe
mRun: [ACWLIcon] c:\program files\thinkpad\connectutilities\ACWLIcon.exe
mRun: [cssauth] "c:\program files\lenovo\client security solution\cssauth.exe" silent
mRun: [vptray] c:\progra~1\navnt\vptray.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [hpbdfawep] c:\program files\hp\dfawep\bin\hpbdfawep.exe 1
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [Kaseya Agent Service Helper] "c:\program files\kaseya\agent\KaUsrTsk.exe"
mRun: [<NO NAME>]
mRun: [RoxWatchTray] "c:\program files\common files\roxio shared\9.0\sharedcom\RoxWatchTray9.exe"
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [winupdate.exe] c:\windows\system32\winupdate.exe
mRun: [calc] rundll32.exe c:\windows\system32\calc.dll,_IWMPEvents@0
mRun: [Security Central] c:\program files\security central\Security Central.exe
mRun: [Qveyulamol] rundll32.exe "c:\windows\eledokawasaxov.dll",Startup
mRun: [lahorovaj] Rundll32.exe "c:\windows\system32\jazefara.dll",a
StartupFolder: c:\documents and settings\termuser\start menu\programs\startup\scandisk.dll
StartupFolder: c:\docume~1\termuser\startm~1\programs\startup\scandisk.lnk - c:\windows\system32\rundll32.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
uPolicies-explorer: NoFolderOptions = 1 (0x1)
uPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
uPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
uPolicies-explorer: ForceClassicControlPanel = 1 (0x1)
uPolicies-system: DisableRegistryTools = 1 (0x1)
uPolicies-system: DisableTaskMgr = 1 (0x1)
mPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
IE: &Windows Live Search - c:\program files\windows live toolbar\msntb.dll/search.htm
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - c:\program files\pokerstars\PokerStarsUpdate.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {0045D4BC-5189-4b67-969C-83BB1906C421} - {0FE81B52-73FA-425F-8F06-3F32451AC73F} - c:\program files\lenovo\client security solution\tvtpwm_ie_com.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
LSP: c:\windows\system32\winhelper.dll
DPF: Garmin Communicator Plug-In - hxxps://my.garmin.com/mygarmin/m/GarminAxControl.CAB
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} - hxxp://www.linkedin.com/cab/LinkedInContactFinderControl.cab
DPF: {6D2EF4B4-CB62-4C0B-85F3-B79C236D702C} - hxxps://register.facebook.com/controls/contactx.dll
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://beavex.webex.com/client/T26L/training/ieatgpc.cab
Notify: ACNotify - ACNotify.dll
Notify: igfxcui - igfxdev.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
Notify: psfus - c:\windows\system32\psqlpwd.dll
Notify: tpfnf2 - c:\program files\lenovo\hotkey\notifyf2.dll
Notify: tphotkey - c:\program files\lenovo\hotkey\tphklock.dll
AppInit_DLLs: ztwfri.dll tajatiwe.dll c:\windows\system32\jazefara.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SSODL: sejeyawiw - {873f33d4-8d77-47c4-a053-46d51a529f67} - c:\windows\system32\jazefara.dll
STS: c:\windows\system32\os4jrzkv4.dll: {a2234b15-23f2-42ad-f4e4-00aac39c0004} - c:\windows\system32\os4jrzkv4.dll
STS: ThreadingModel - No File
STS: mujuzedij: {873f33d4-8d77-47c4-a053-46d51a529f67} - c:\windows\system32\jazefara.dll
LSA: Notification Packages = scecli ACGina psqlpwd hehoniwu.dll hpiete.dll

============= SERVICES / DRIVERS ===============

R0 Shockprf;Shockprf;c:\windows\system32\drivers\ApsX86.sys [2007-10-16 103472]
R0 TPDIGIMN;TPDIGIMN;c:\windows\system32\drivers\ApsHM86.sys [2007-10-16 19504]
R1 ANC;ANC;c:\windows\system32\drivers\ANC.sys [2008-3-21 11520]
R1 IBMTPCHK;IBMTPCHK;c:\windows\system32\drivers\IBMBLDID.sys [2008-3-21 4224]
R1 TPPWRIF;TPPWRIF;c:\windows\system32\drivers\TPPWRIF.SYS [2008-3-21 4442]
R2 KaseyaAgent;Kaseya Agent;c:\program files\kaseya\agent\AgentMon.exe [2009-8-11 610304]
R2 smihlp;SMI Helper Driver (smihlp);c:\program files\common files\thinkvantage fingerprint software\drivers\smihlp.sys [2007-3-15 11152]
R2 TVT Backup Protection Service;TVT Backup Protection Service;c:\program files\lenovo\rescue and recovery\rrpservice.exe [2007-2-8 569344]
R2 WDefend;WDefend;c:\windows\svohost.exe [2009-10-20 287232]
R3 TVTI2C;Lenovo SM bus driver;c:\windows\system32\drivers\tvti2c.sys [2007-5-22 30336]
S2 Nero BackItUp Scheduler 4.0;Nero BackItUp Scheduler 4.0;c:\program files\common files\nero\nero backitup 4\nbservice.exe --> c:\program files\common files\nero\nero backitup 4\NBService.exe [?]
S3 NWUSBCDFIL;Novatel Wireless Installation CD;c:\windows\system32\drivers\NwUsbCdFil.sys [2007-9-6 13824]
S3 NWUSBPort2;Novatel Wireless USB Status2 Port Driver;c:\windows\system32\drivers\nwusbser2.sys [2007-10-12 99200]

============== File Associations ===============

exefile=c:\windows\system32\pump.exe "%1" %*

=============== Created Last 30 ================

2009-10-20 11:40 0 a------- c:\windows\system32\26500.exe
2009-10-20 11:20 0 a------- c:\windows\system32\6334.exe
2009-10-20 11:04 167,936 a------- c:\windows\system32\_scui.cpl
2009-10-20 11:04 <DIR> --d----- c:\program files\AntivirusPro_2010
2009-10-20 11:00 0 a------- c:\windows\system32\18467.exe
2009-10-20 10:46 <DIR> --d----- c:\windows\system32\schtml
2009-10-20 10:43 36 a------- c:\windows\system32\skynet.dat
2009-10-20 10:43 287,232 a------- c:\windows\svohost.exe
2009-10-20 10:43 58 a------- c:\windows\wp4.dat
2009-10-20 10:43 3 a------- c:\windows\wp3.dat
2009-10-20 10:43 565,248 a------- c:\windows\system32\plugie.dll
2009-10-20 10:43 511,488 a------- c:\windows\system32\pump.exe
2009-10-20 10:43 91 a------- c:\windows\system32\wwp.htm
2009-10-20 10:43 9 a------- c:\windows\system32\nuar.old
2009-10-20 10:36 <DIR> --d----- c:\program files\Windows Police Pro
2009-10-20 10:35 120 a------- c:\windows\Hzipoxozoq.dat
2009-10-20 10:35 0 a------- c:\windows\Hpozobifuy.bin
2009-10-20 10:34 <DIR> --d----- c:\program files\Security Central
2009-10-20 10:34 <DIR> --d----- c:\program files\AdvancedVirusRemover
2009-10-20 10:34 27,136 a------- c:\windows\system32\cpcp.cpo
2009-10-20 10:33 0 a------- c:\windows\system32\41.exe
2009-10-20 10:32 22,528 a------- c:\windows\system32\winhelper.dll
2009-10-20 10:30 27,136 a------- c:\windows\system32\winupdate.exe
2009-10-20 10:30 15,000 a------- c:\windows\system32\os4jrzkv4.dll
2009-10-20 10:29 <DIR> --dsh--- c:\windows\system32\lowsec
2009-10-20 10:29 50,688 a------- C:\buxuhto.exe
2009-10-20 10:29 27,136 a------- C:\dtacmawh.exe
2009-10-20 10:29 159,856 a------- c:\docume~1\termuser\applic~1\lizkavd.exe
2009-10-20 10:29 53,248 a------- C:\ldvx.exe
2009-10-20 10:29 113,664 a------- C:\qsdhs.exe
2009-10-20 10:29 45,056 a------- c:\docume~1\termuser\applic~1\svcst.exe
2009-10-20 10:29 45,056 a------- c:\docume~1\termuser\applic~1\seres.exe
2009-10-20 10:29 68,608 a------- c:\windows\system32\~.exe
2009-10-03 16:10 <DIR> --d----- c:\docume~1\termuser\applic~1\Office Genuine Advantage
2009-09-24 09:56 3,251 a------- c:\windows\system32\wbem\Outlook_01ca3d272223013e.mof
2009-09-22 22:10 3,251 a------- c:\windows\system32\wbem\Outlook_01ca3bfb6852b9c4.mof
2009-09-22 09:11 215,920 a------- c:\windows\system32\muweb.dll
2009-09-22 09:11 16,736 a------- c:\windows\system32\mucltui.dll.mui
2009-09-22 09:11 274,288 a------- c:\windows\system32\mucltui.dll

==================== Find3M ====================

2009-09-15 12:44 10,145 a------- c:\program files\common files\xezufafowi._sy
2009-09-15 12:44 19,756 a------- c:\program files\common files\sufuja.reg
2009-09-15 12:44 18,941 a------- c:\docume~1\termuser\applic~1\apiqicyro.dll
2009-09-15 12:44 16,057 a------- c:\windows\system32\iloluxo.sys
2009-09-15 12:44 12,499 a------- c:\windows\jabecig.dat
2009-09-15 12:44 11,264 a------- c:\program files\common files\asyhibekag.bin
2009-09-15 12:44 10,040 a------- c:\windows\system32\pyduvita.com
2009-09-14 16:15 19,626 a------- c:\docume~1\alluse~1\applic~1\pyty.dat
2009-09-14 16:15 19,325 a------- c:\program files\common files\cikyvenyc.vbs
2009-09-14 16:15 18,785 a------- c:\windows\system32\ipejijyn.exe
2009-09-14 16:15 17,964 a------- c:\windows\igynobaf.dat
2009-09-14 16:15 17,100 a------- c:\windows\system32\vawa.dat
2009-09-14 16:15 14,454 a------- c:\docume~1\alluse~1\applic~1\rofagahyfe.dat
2009-09-14 16:15 12,360 a------- c:\windows\ynuvaji.sys
2009-09-14 16:15 11,213 a------- c:\docume~1\alluse~1\applic~1\ucunexok.vbs
2009-09-14 16:15 18,958 a------- c:\program files\common files\upezup.dl
2009-09-11 09:18 136,192 a------- c:\windows\system32\msv1_0.dll
2009-09-11 09:18 136,192 -------- c:\windows\system32\dllcache\msv1_0.dll
2009-09-10 14:54 38,224 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 14:53 19,160 a------- c:\windows\system32\drivers\mbam.sys
2009-09-04 16:03 58,880 a------- c:\windows\system32\msasn1.dll
2009-09-04 16:03 58,880 -------- c:\windows\system32\dllcache\msasn1.dll
2009-08-28 05:35 173,056 a------- c:\windows\system32\dllcache\ie4uinit.exe
2009-08-26 03:00 247,326 a------- c:\windows\system32\strmdll.dll
2009-08-26 03:00 247,326 -------- c:\windows\system32\dllcache\strmdll.dll
2009-08-06 19:24 327,896 a------- c:\windows\system32\dllcache\wucltui.dll
2009-08-06 19:24 209,632 a------- c:\windows\system32\dllcache\wuweb.dll
2009-08-06 19:24 35,552 a------- c:\windows\system32\dllcache\wups.dll
2009-08-06 19:24 53,472 a------- c:\windows\system32\dllcache\wuauclt.exe
2009-08-06 19:24 96,480 a------- c:\windows\system32\dllcache\cdm.dll
2009-08-06 19:23 575,704 a------- c:\windows\system32\dllcache\wuapi.dll
2009-08-06 19:23 1,929,952 a------- c:\windows\system32\dllcache\wuaueng.dll
2009-08-05 04:01 204,800 a------- c:\windows\system32\mswebdvd.dll
2009-08-05 04:01 204,800 a------- c:\windows\system32\dllcache\mswebdvd.dll
2009-08-04 20:44 2,189,184 -------- c:\windows\system32\dllcache\ntoskrnl.exe
2009-08-04 19:52 1,193,832 a------- c:\windows\system32\FM20.DLL
2009-08-04 10:13 2,145,280 a------- c:\windows\system32\ntoskrnl.exe
2009-08-04 10:13 2,145,280 -------- c:\windows\system32\dllcache\ntkrnlmp.exe
2009-08-04 09:20 2,023,936 a------- c:\windows\system32\ntkrnlpa.exe
2009-08-04 09:20 2,023,936 -------- c:\windows\system32\dllcache\ntkrpamp.exe
2009-08-04 09:20 2,066,048 -------- c:\windows\system32\dllcache\ntkrnlpa.exe
2009-08-03 15:07 403,816 a------- c:\windows\system32\OGACheckControl.dll
2009-08-03 15:07 322,928 a------- c:\windows\system32\OGAAddin.dll
2009-08-03 15:07 230,768 a------- c:\windows\system32\OGAEXEC.exe
2009-07-08 22:44 256 -------- c:\documents and settings\termuser\pool.bin
2009-03-21 09:06 23,552 a--sh--- c:\documents and settings\termuser\ntuser.dll
2009-03-21 09:06 23,552 a--sh--- c:\windows\system32\calc.dll
2009-07-20 10:30 53,248 a--sh--- c:\windows\system32\hehoniwu.dll
2009-07-20 11:36 91,648 a--sh--- c:\windows\system32\jazefara.dll
2009-07-20 10:36 193,544 a--sh--- c:\windows\system32\kosugake.exe
2009-07-20 10:36 847,872 a--sh--- c:\windows\system32\kuwilofa.exe
2009-07-20 10:36 27,136 a--sh--- c:\windows\system32\migodada.exe
2009-07-20 10:36 722,944 a--sh--- c:\windows\system32\padanoku.exe
2009-07-20 10:30 53,248 a--sh--- c:\windows\system32\puhejifo.dll
2009-07-20 10:30 53,248 a--sh--- c:\windows\system32\tajatiwe.dll
2009-07-20 10:36 39,424 a--sh--- c:\windows\system32\yokavubo.dll
2009-07-20 11:36 39,424 a--sh--- c:\windows\system32\zogadeli.dll
2009-03-21 09:06 23,552 a--sh--- c:\windows\system32\config\systemprofile\ntuser.dll
2008-03-21 04:39 32,768 ac-sh--- c:\windows\system32\config\systemprofile\local settings\application data\microsoft\feeds cache\index.dat
2008-08-30 12:04 32,768 ac-sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008083020080831\index.dat
2009-03-21 09:06 23,552 a--sh--- c:\windows\system32\config\systemprofile\start menu\programs\startup\scandisk.dll
2009-07-08 22:34 16,384 a--sh--- c:\windows\temp\cookies\index.dat
2009-07-08 22:34 32,768 a--sh--- c:\windows\temp\history\history.ie5\index.dat
2009-07-08 22:34 32,768 a--sh--- c:\windows\temp\temporary internet files\content.ie5\index.dat

============= FINISH: 13:10:08.03 ===============
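The DDS report above explains the symptom in the first post: the .exe file association (exefile=...pump.exe) routes every program launch through the rogue, so renaming a tool cannot get around it, and Winlogon Shell/Userinit, AppInit_DLLs, the LSA Notification Packages and the DisableTaskMgr/DisableRegistryTools policies have all been altered as well. As an added example (not part of this thread, of DDS or of any tool named here), the Python below parses Pseudo HJT Report lines of that shape and flags those entries; the known-good Windows XP defaults and the allowlist of LSA packages are assumptions, and the sample lines are constructed from the report's format.

```python
"""Flag tampered autostart/hijack points in a DDS 'Pseudo HJT Report' (added example)."""
import re

# Assumed known-good Windows XP values for the keys the rogue in this thread changed.
DEFAULT_SHELL = "explorer.exe"
DEFAULT_USERINIT = r"c:\windows\system32\userinit.exe"
DEFAULT_EXEFILE = '"%1" %*'          # HKCR\exefile\shell\open\command default
# Policies a rogue sets so the user cannot kill or inspect it.
LOCKDOWN_POLICIES = {"DisableTaskMgr", "DisableRegistryTools", "NoFolderOptions"}
# Assumed allowlist of LSA Notification Packages legitimate on this ThinkPad build.
KNOWN_LSA_PACKAGES = {"scecli", "ACGina", "psqlpwd"}


def audit_dds(report: str) -> list:
    """Return (category, value) findings for every suspicious line in the report."""
    findings = []
    for raw in report.splitlines():
        line = raw.strip()
        m = re.match(r"mWinlogon:\s*Shell=(.*)", line, re.I)
        if m:
            # Anything appended after Explorer.exe is started at every logon.
            if m.group(1).strip().lower() != DEFAULT_SHELL:
                findings.append(("winlogon_shell", m.group(1).strip()))
            continue
        m = re.match(r"mWinlogon:\s*Userinit=(.*)", line, re.I)
        if m:
            parts = [p.strip() for p in m.group(1).split(",") if p.strip()]
            extra = [p for p in parts if p.lower() != DEFAULT_USERINIT]
            if extra:
                findings.append(("winlogon_userinit", ";".join(extra)))
            continue
        m = re.match(r"exefile=(.*)", line, re.I)
        if m:
            # A wrapper here runs before every .exe, whatever the file is called,
            # which is why renaming a tool does not help.
            if m.group(1).strip() != DEFAULT_EXEFILE:
                findings.append(("exefile_hijack", m.group(1).strip()))
            continue
        m = re.match(r"AppInit_DLLs:\s*(.*)", line, re.I)
        if m and m.group(1).strip():
            # Listed DLLs are loaded into every process that links user32.dll.
            findings.append(("appinit_dlls", m.group(1).strip()))
            continue
        m = re.match(r"[um]Policies-(?:system|explorer):\s*(\w+)\s*=\s*1\b", line)
        if m and m.group(1) in LOCKDOWN_POLICIES:
            findings.append(("lockdown_policy", m.group(1)))
            continue
        m = re.match(r"LSA:\s*Notification Packages\s*=\s*(.*)", line, re.I)
        if m:
            # Unknown packages here are handed every password change in cleartext.
            unknown = [p for p in m.group(1).split() if p not in KNOWN_LSA_PACKAGES]
            if unknown:
                findings.append(("lsa_notification", " ".join(unknown)))
    return findings


# Constructed sample in the shape of the report in this thread.
INFECTED_SAMPLE = r"""
mWinlogon: Shell=Explorer.exe rundll32.exe cpcp.cpo bef0regiiav
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\windows\system32\sdra64.exe,
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uPolicies-explorer: NoFolderOptions = 1 (0x1)
uPolicies-system: DisableRegistryTools = 1 (0x1)
uPolicies-system: DisableTaskMgr = 1 (0x1)
AppInit_DLLs: ztwfri.dll tajatiwe.dll c:\windows\system32\jazefara.dll
LSA: Notification Packages = scecli ACGina psqlpwd hehoniwu.dll hpiete.dll
exefile=c:\windows\system32\pump.exe "%1" %*
"""

# Constructed sample of what the same lines look like on a clean machine.
CLEAN_SAMPLE = r"""
mWinlogon: Shell=Explorer.exe
mWinlogon: Userinit=c:\windows\system32\userinit.exe,
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
LSA: Notification Packages = scecli
exefile="%1" %*
"""

if __name__ == "__main__":
    for category, value in audit_dds(INFECTED_SAMPLE):
        print(f"{category:20} {value}")
    print("clean sample findings:", audit_dds(CLEAN_SAMPLE))
```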


#2 JSntgRvr
Malware Response Team

Posted 20 October 2009 - 03:43 PM

Hi, jetro :(

Welcome.

That is quite a log.

Download SREng
  • Extract it to Desktop and double click SREngLdr.EXE to run it
  • Select System Repair from the left pane.
  • Click on File Association
  • Select all entries that have an Error status and click [Repair]
  • Refer to this image for an example:

  • Close SREng now.


    Please download Malwarebytes' Anti-Malware from Here.

    Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

=====================================================================

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**
  • If you are using Firefox, make sure that your download settings are as follows:
    • Tools->Options->Main tab
    • Set to "Always ask me where to Save the files".
  • During the download, rename Combofix to Combo-Fix as follows:


  • It is important you rename Combofix during the download, but not after.
  • Please do not rename Combofix to other names, but only to the one indicated.
  • Close any open browsers.
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

    -----------------------------------------------------------

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

      -----------------------------------------------------------

    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

    -----------------------------------------------------------

  • Double click on combo-Fix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the "C:\Combo-Fix.txt" .
**Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall**


Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security.

Please do not install any new programs or update anything unless told to do so while we are fixing your problem.

Edited by JSntgRvr, 20 October 2009 - 03:45 PM.

No request for help throughout private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!


#3 jetro

Posted 21 October 2009 - 09:43 AM

Well, crap. Thanks for the fast response, but when I got home last night I realized it would not allow me to open my air card software, so I could not log on.
I was able to download and extract SREng, but unfortunately when I try to run it, it does the same thing all of my programs seem to (except Outlook or IE). I get an hourglass and then nothing... any suggestions?

thanks

#4 JSntgRvr

Posted 21 October 2009 - 10:05 AM

Download the enclosed folder. [attachment=34138:UnHook.zip] Save and extract its contents to the desktop. Once extracted, right click on the Unhook.inf file and select Install. Once done, proceed with Combofix as instructed above.



#5 jetro

Posted 21 October 2009 - 11:45 AM

Ugh, I downloaded UnHook and did as you said. Again I got an hourglass and my screen flashed a couple of times. I assume it didn't install, but I tried the Combo-Fix anyway and again hourglass and nothing...
Thanks for all the help so far... am I done for?

#6 JSntgRvr

Posted 21 October 2009 - 07:43 PM

Hi, jetro :(

Download the enclosed folder. [attachment=34187:ExeRegFix.zip] Save and extract its contents to the desktop. Once extracted, open the file and click on the RunMe.bat file. Once done, re-try Combofix.

If that does not help, please save this file to your desktop. Double-click on it to run a scan. When it's finished, there will be a log called Win32kDiag.txt on your desktop. Please open it with Notepad and post the contents here. (Please allow the application to finish. You will know, as the last sentence in the report will be "Finished".)



#7 jetro

Posted 21 October 2009 - 11:07 PM

It worked!!
Here is the Combo-Fix log. Upon reboot, "Security Central" did show up!!

ComboFix 09-10-20.03 - TERMUSER 10/21/2009 22:39.1.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.998.492 [GMT -5:00]
Running from: c:\documents and settings\TERMUSER\Desktop\Combo-Fix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\TERMUSER\LOCALS~1\Temp\services.exe
c:\docume~1\TERMUSER\LOCALS~1\Temp\svchost.exe
c:\documents and settings\All Users\Application Data\32532419
c:\documents and settings\All Users\Application Data\32532419\32532419.bat
c:\documents and settings\All Users\Application Data\32532419\32532419.exe
c:\documents and settings\All Users\Application Data\ucunexok.vbs
c:\documents and settings\LocalService\ntuser.dll
c:\documents and settings\TERMUSER\Application Data\lizkavd.exe
c:\documents and settings\TERMUSER\Application Data\Microsoft\Internet Explorer\Quick Launch\Advanced Virus Remover.lnk
c:\documents and settings\TERMUSER\Application Data\Microsoft\Internet Explorer\Quick Launch\AntivirusPro_2010.lnk
c:\documents and settings\TERMUSER\Application Data\seres.exe
c:\documents and settings\TERMUSER\Application Data\svcst.exe
c:\documents and settings\TERMUSER\Cookies\cyseqiwas.sys
c:\documents and settings\TERMUSER\Cookies\icaviw.bin
c:\documents and settings\TERMUSER\Cookies\opaj.lib
c:\documents and settings\TERMUSER\Local Settings\Application Data\{607F2B09-A4EF-4730-9F0A-91809C0F07FF}
c:\documents and settings\TERMUSER\Local Settings\Application Data\{607F2B09-A4EF-4730-9F0A-91809C0F07FF}\chrome.manifest
c:\documents and settings\TERMUSER\Local Settings\Application Data\{607F2B09-A4EF-4730-9F0A-91809C0F07FF}\chrome\content\_cfg.js
c:\documents and settings\TERMUSER\Local Settings\Application Data\{607F2B09-A4EF-4730-9F0A-91809C0F07FF}\chrome\content\overlay.xul
c:\documents and settings\TERMUSER\Local Settings\Application Data\{607F2B09-A4EF-4730-9F0A-91809C0F07FF}\install.rdf
c:\documents and settings\TERMUSER\Local Settings\Temporary Internet Files\axisoke.bat
c:\documents and settings\TERMUSER\Local Settings\Temporary Internet Files\cacuhil.scr
c:\documents and settings\TERMUSER\Local Settings\Temporary Internet Files\gyvilegi.dl
c:\documents and settings\TERMUSER\Local Settings\Temporary Internet Files\qenasiqyf.pif
c:\documents and settings\TERMUSER\ntuser.dll
c:\documents and settings\TERMUSER\Start Menu\Advanced Virus Remover.lnk
c:\documents and settings\TERMUSER\Start Menu\Programs\AntivirusPro_2010
c:\documents and settings\TERMUSER\Start Menu\Programs\AntivirusPro_2010\AntivirusPro_2010.lnk
c:\documents and settings\TERMUSER\Start Menu\Programs\AntivirusPro_2010\Uninstall.lnk
c:\documents and settings\TERMUSER\Start Menu\Programs\Startup\scandisk.dll
c:\documents and settings\TERMUSER\Start Menu\Programs\Startup\scandisk.lnk
c:\documents and settings\TERMUSER\Start Menu\Programs\Windows Police Pro
c:\documents and settings\TERMUSER\Start Menu\Programs\Windows Police Pro\Windows Police Pro.lnk
c:\program files\AdvancedVirusRemover
c:\program files\AdvancedVirusRemover\PAVRM.exe
c:\program files\AntivirusPro_2010
c:\program files\AntivirusPro_2010\AntivirusPro_2010.exe
c:\program files\AntivirusPro_2010\AVEngn.dll
c:\program files\AntivirusPro_2010\data\daily.cvd
c:\program files\AntivirusPro_2010\htmlayout.dll
c:\program files\AntivirusPro_2010\Microsoft.VC80.CRT\Microsoft.VC80.CRT.manifest
c:\program files\AntivirusPro_2010\Microsoft.VC80.CRT\msvcm80.dll
c:\program files\AntivirusPro_2010\Microsoft.VC80.CRT\msvcp80.dll
c:\program files\AntivirusPro_2010\Microsoft.VC80.CRT\msvcr80.dll
c:\program files\AntivirusPro_2010\pthreadVC2.dll
c:\program files\AntivirusPro_2010\Uninstall.exe
c:\program files\AntivirusPro_2010\wscui.cpl
c:\program files\Common Files\cikyvenyc.vbs
c:\program files\Common Files\sufuja.reg
c:\program files\Windows Police Pro
c:\program files\Windows Police Pro\msvcm80.dll
c:\program files\Windows Police Pro\msvcp80.dll
c:\program files\Windows Police Pro\msvcr80.dll
c:\program files\Windows Police Pro\Windows Police Pro.exe
c:\recycler\S-1-5-21-3198309772-2633423412-502422962-500
c:\windows\AegisP.inf
c:\windows\eledokawasaxov.dll
c:\windows\Installer\15745af.msp
c:\windows\svohost.exe
c:\windows\system32\_scui.cpl
c:\windows\system32\~.exe
c:\windows\system32\18467.exe
c:\windows\system32\26500.exe
c:\windows\system32\41.exe
c:\windows\system32\6334.exe
c:\windows\system32\behubaza.dll
c:\windows\system32\bincd32.dat
c:\windows\system32\calc.dll
c:\windows\system32\config\systemprofile\ntuser.dll
c:\windows\system32\doluwuhi.dll
c:\windows\system32\jujujoju.dll
c:\windows\system32\lowsec
c:\windows\system32\lowsec\local.ds
c:\windows\system32\lowsec\user.ds
c:\windows\system32\nuar.old
c:\windows\system32\os4jrzkv4.dll
c:\windows\system32\pump.exe
c:\windows\system32\schtml
c:\windows\system32\schtml\dbsinit.exe
c:\windows\system32\schtml\images\i1.gif
c:\windows\system32\schtml\images\i2.gif
c:\windows\system32\schtml\images\i3.gif
c:\windows\system32\schtml\images\j1.gif
c:\windows\system32\schtml\images\j2.gif
c:\windows\system32\schtml\images\j3.gif
c:\windows\system32\schtml\images\jj1.gif
c:\windows\system32\schtml\images\jj2.gif
c:\windows\system32\schtml\images\jj3.gif
c:\windows\system32\schtml\images\l1.gif
c:\windows\system32\schtml\images\l2.gif
c:\windows\system32\schtml\images\l3.gif
c:\windows\system32\schtml\images\pix.gif
c:\windows\system32\schtml\images\t1.gif
c:\windows\system32\schtml\images\t2.gif
c:\windows\system32\schtml\images\up1.gif
c:\windows\system32\schtml\images\up2.gif
c:\windows\system32\schtml\images\w1.gif
c:\windows\system32\schtml\images\w11.gif
c:\windows\system32\schtml\images\w2.gif
c:\windows\system32\schtml\images\w3.gif
c:\windows\system32\schtml\images\w3.jpg
c:\windows\system32\schtml\images\word.doc
c:\windows\system32\schtml\images\wt1.gif
c:\windows\system32\schtml\images\wt2.gif
c:\windows\system32\schtml\images\wt3.gif
c:\windows\system32\schtml\wispex.html
c:\windows\system32\sijorera.dll
c:\windows\system32\skynet.dat
c:\windows\system32\winhelper.dll
c:\windows\system32\winupdate.exe
c:\windows\Tasks\tofpliqb.job

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_WDefend
-------\Service_WDefend


((((((((((((((((((((((((( Files Created from 2009-09-22 to 2009-10-22 )))))))))))))))))))))))))))))))
.

2009-10-20 15:43 . 2009-10-22 03:15 58 ----a-w- c:\windows\wp4.dat
2009-10-20 15:43 . 2009-10-22 03:15 1 ----a-w- c:\windows\wp3.dat
2009-10-20 15:43 . 2009-10-22 03:15 565248 ----a-w- c:\windows\system32\plugie.dll
2009-10-20 15:35 . 2009-10-21 18:33 120 ----a-w- c:\windows\Hzipoxozoq.dat
2009-10-20 15:35 . 2009-10-21 14:32 0 ----a-w- c:\windows\Hpozobifuy.bin
2009-10-20 15:34 . 2009-10-20 15:34 -------- d-----w- c:\program files\Security Central
2009-10-20 15:29 . 2009-10-20 15:29 50688 ----a-w- C:\buxuhto.exe
2009-10-20 15:29 . 2009-10-20 15:29 27136 ----a-w- C:\dtacmawh.exe
2009-10-20 15:29 . 2009-10-20 15:29 53248 ----a-w- C:\ldvx.exe
2009-10-20 15:29 . 2009-10-20 15:29 113664 ----a-w- C:\qsdhs.exe
2009-10-03 21:10 . 2009-10-03 21:10 -------- d-----w- c:\documents and settings\All Users\Application Data\Office Genuine Advantage
2009-10-03 21:10 . 2009-10-03 21:10 -------- d-----w- c:\documents and settings\TERMUSER\Application Data\Office Genuine Advantage
2009-09-22 14:11 . 2009-08-07 00:23 215920 ----a-w- c:\windows\system32\muweb.dll
2009-09-22 14:11 . 2009-08-07 00:23 274288 ----a-w- c:\windows\system32\mucltui.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-21 21:29 . 2009-01-09 15:41 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-14 03:04 . 2008-11-20 20:02 256 ----a-w- c:\windows\system32\pool.bin
2009-09-23 03:02 . 2008-04-25 11:48 -------- d-----w- c:\program files\Microsoft Works
2009-09-21 15:27 . 2009-09-21 15:27 -------- d-----w- c:\program files\Microsoft Silverlight
2009-09-15 17:44 . 2009-09-15 17:44 10145 ----a-w- c:\program files\Common Files\xezufafowi._sy
2009-09-15 17:44 . 2009-09-15 17:44 19948 ----a-w- c:\documents and settings\TERMUSER\Local Settings\Application Data\woko.com
2009-09-15 17:44 . 2009-09-15 17:44 18941 ----a-w- c:\documents and settings\TERMUSER\Application Data\apiqicyro.dll
2009-09-15 17:44 . 2009-09-15 17:44 17910 ----a-w- c:\documents and settings\TERMUSER\Local Settings\Application Data\buxizabybu.pif
2009-09-15 17:44 . 2009-09-15 17:44 16057 ----a-w- c:\windows\system32\iloluxo.sys
2009-09-15 17:44 . 2009-09-15 17:44 12499 ----a-w- c:\windows\jabecig.dat
2009-09-15 17:44 . 2009-09-15 17:44 11264 ----a-w- c:\program files\Common Files\asyhibekag.bin
2009-09-15 17:44 . 2009-09-15 17:44 10040 ----a-w- c:\windows\system32\pyduvita.com
2009-09-14 21:15 . 2009-09-14 21:15 19626 ----a-w- c:\documents and settings\All Users\Application Data\pyty.dat
2009-09-14 21:15 . 2009-09-14 21:15 18910 ----a-w- c:\documents and settings\TERMUSER\Local Settings\Application Data\foryc.bin
2009-09-14 21:15 . 2009-09-14 21:15 18785 ----a-w- c:\windows\system32\ipejijyn.exe
2009-09-14 21:15 . 2009-09-14 21:15 17964 ----a-w- c:\windows\igynobaf.dat
2009-09-14 21:15 . 2009-09-14 21:15 17100 ----a-w- c:\windows\system32\vawa.dat
2009-09-14 21:15 . 2009-09-14 21:15 14454 ----a-w- c:\documents and settings\All Users\Application Data\rofagahyfe.dat
2009-09-14 21:15 . 2009-09-14 21:15 12360 ----a-w- c:\windows\ynuvaji.sys
2009-09-14 21:15 . 2009-09-14 21:15 18958 ----a-w- c:\program files\Common Files\upezup.dl
2009-09-11 18:23 . 2009-08-09 14:58 -------- d-----w- c:\documents and settings\TERMUSER\Application Data\foobar2000
2009-09-11 14:38 . 2008-03-21 10:03 85072 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-11 14:18 . 2006-04-30 06:55 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-10 22:48 . 2009-09-10 22:48 -------- d-----w- c:\documents and settings\TERMUSER\Application Data\Blackberry Desktop
2009-09-10 22:47 . 2009-09-10 22:47 -------- d-----w- c:\documents and settings\TERMUSER\Application Data\Research In Motion
2009-09-10 22:44 . 2008-04-25 08:48 85072 ----a-w- c:\documents and settings\TERMUSER\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-10 22:37 . 2008-11-20 18:36 -------- d-----w- c:\program files\Common Files\Roxio Shared
2009-09-10 22:37 . 2009-09-10 22:36 -------- d-----w- c:\program files\Roxio
2009-09-10 22:36 . 2008-11-20 18:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Roxio
2009-09-10 22:36 . 2008-03-21 09:44 -------- d-----w- c:\program files\Common Files\Sonic Shared
2009-09-10 22:31 . 2008-11-20 18:29 -------- d-----w- c:\program files\Common Files\Research In Motion
2009-09-10 22:30 . 2009-09-10 22:30 -------- d-----w- c:\program files\Research In Motion
2009-09-10 19:54 . 2009-01-09 15:41 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 19:53 . 2009-01-09 15:41 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-04 21:03 . 2006-04-30 06:55 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-31 17:07 . 2009-08-28 20:20 -------- d-----w- c:\program files\DivX
2009-08-31 15:41 . 2009-08-29 05:10 -------- d-----w- c:\program files\Common Files\Nero
2009-08-31 15:40 . 2009-08-29 05:10 -------- d-----w- c:\documents and settings\All Users\Application Data\Nero
2009-08-31 14:47 . 2009-08-29 03:58 -------- d-----w- c:\documents and settings\TERMUSER\Application Data\DivX
2009-08-29 08:08 . 2006-04-30 06:56 916480 ----a-w- c:\windows\system32\wininet.dll
2009-08-29 05:16 . 2009-08-29 05:16 -------- d-----w- c:\documents and settings\TERMUSER\Application Data\Nero
2009-08-29 03:55 . 2009-08-29 03:55 -------- d-----w- c:\program files\Common Files\DivX Shared
2009-08-28 20:22 . 2009-08-28 20:22 -------- d-----w- c:\documents and settings\TERMUSER\Application Data\Pegasys Inc
2009-08-26 08:00 . 2006-04-30 06:56 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-23 19:01 . 2008-04-25 11:32 -------- d-----w- c:\documents and settings\TERMUSER\Application Data\U3
2009-08-07 00:24 . 2006-04-30 07:11 327896 ----a-w- c:\windows\system32\wucltui.dll
2009-08-07 00:24 . 2006-04-30 07:11 209632 ----a-w- c:\windows\system32\wuweb.dll
2009-08-07 00:24 . 2007-07-31 02:19 44768 ----a-w- c:\windows\system32\wups2.dll
2009-08-07 00:24 . 2006-04-30 07:11 35552 ----a-w- c:\windows\system32\wups.dll
2009-08-07 00:24 . 2006-04-30 07:11 53472 ----a-w- c:\windows\system32\wuauclt.exe
2009-08-07 00:24 . 2006-04-30 06:55 96480 ----a-w- c:\windows\system32\cdm.dll
2009-08-07 00:23 . 2006-04-30 07:11 575704 ----a-w- c:\windows\system32\wuapi.dll
2009-08-07 00:23 . 2006-04-30 07:11 1929952 ----a-w- c:\windows\system32\wuaueng.dll
2009-08-05 09:01 . 2006-04-30 06:55 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-05 00:52 . 2009-08-05 00:52 1193832 ----a-w- c:\windows\system32\FM20.DLL
2009-08-04 15:13 . 2006-04-30 06:55 2145280 ----a-w- c:\windows\system32\ntoskrnl.exe
2009-08-04 14:20 . 2004-08-03 22:59 2023936 ----a-w- c:\windows\system32\ntkrnlpa.exe
2009-08-03 20:07 . 2009-08-03 20:07 403816 ----a-w- c:\windows\system32\OGACheckControl.dll
2009-08-03 20:07 . 2009-08-03 20:07 322928 ----a-w- c:\windows\system32\OGAAddin.dll
2009-08-03 20:07 . 2009-08-03 20:07 230768 ----a-w- c:\windows\system32\OGAEXEC.exe
2009-07-21 14:32 . 2009-07-21 14:32 53248 --sha-w- c:\windows\system32\dutuhabe.dll
2009-07-20 15:36 . 2009-07-20 15:36 193544 --sha-w- c:\windows\system32\kosugake.exe
2009-07-20 15:36 . 2009-07-20 15:36 851968 --sha-w- c:\windows\system32\kuwilofa.exe
2009-07-21 14:31 . 2009-07-21 14:31 39424 --sha-w- c:\windows\system32\lewiyidi.dll
2009-07-20 15:36 . 2009-07-20 15:36 27136 --sha-w- c:\windows\system32\migodada.exe
2009-07-20 15:36 . 2009-07-20 15:36 786432 --sha-w- c:\windows\system32\padanoku.exe
2009-07-20 15:36 . 2009-07-20 15:36 39424 --sha-w- c:\windows\system32\yokavubo.dll
2009-07-20 16:36 . 2009-07-20 16:36 39424 --sha-w- c:\windows\system32\zogadeli.dll
2009-07-21 14:31 . 2009-07-21 14:31 1050658 --sha-w- c:\windows\system32\zukepive.exe
2009-03-21 14:06 . 2006-04-30 06:55 23552 --sha-w- c:\windows\system32\config\systemprofile\Start Menu\Programs\Startup\scandisk.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{068bcb64-31e1-4bf3-87fa-d8e03b8175ef}]
2009-07-21 14:32 53248 --sha-w- c:\windows\system32\dutuhabe.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-05-28 68856]
"ISUSPM"="c:\program files\Common Files\Installshield\UpdateService\ISUSPM.exe" [2006-09-11 218032]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PWRMGRTR"="c:\progra~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL" [2007-12-06 200704]
"BLOG"="c:\progra~1\ThinkPad\UTILIT~1\BatLogEx.DLL" [2007-12-06 208896]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2007-07-05 110592]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-07-05 512000]
"TPFNF7"="c:\program files\Lenovo\NPDIRECT\TPFNF7SP.exe" [2007-11-29 59168]
"TPHOTKEY"="c:\program files\Lenovo\HOTKEY\TPOSDSVC.exe" [2007-03-09 66176]
"EZEJMNAP"="c:\progra~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [2007-03-28 243248]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2007-04-09 1015808]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-09-07 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-09-07 162328]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-09-07 137752]
"TVT Scheduler Proxy"="c:\program files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe" [2008-03-04 487424]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-01-25 136600]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2006-02-02 122940]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-09-11 218032]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-09-11 86960]
"AwaySch"="c:\program files\Lenovo\AwayTask\AwaySch.EXE" [2006-11-07 91688]
"LPManager"="c:\progra~1\THINKV~1\PrdCtr\LPMGR.exe" [2007-04-26 120368]
"AMSG"="c:\program files\ThinkVantage\AMSG\Amsg.exe" [2007-02-01 419376]
"DiskeeperSystray"="c:\program files\Diskeeper Corporation\Diskeeper\DkIcon.exe" [2006-05-18 196696]
"ACTray"="c:\program files\ThinkPad\ConnectUtilities\ACTray.exe" [2007-07-05 413696]
"ACWLIcon"="c:\program files\ThinkPad\ConnectUtilities\ACWLIcon.exe" [2007-07-05 126976]
"cssauth"="c:\program files\Lenovo\Client Security Solution\cssauth.exe" [2007-08-03 2630968]
"vptray"="c:\progra~1\NavNT\vptray.exe" [2001-09-24 73728]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"hpbdfawep"="c:\program files\HP\Dfawep\bin\hpbdfawep.exe" [2006-07-12 626688]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
"Kaseya Agent Service Helper"="c:\program files\Kaseya\Agent\KaUsrTsk.exe" [2008-09-04 229376]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2008-03-06 236016]
"Security Central"="c:\program files\Security Central\Security Central.exe" [2009-10-20 1317376]
"TpShocks"="TpShocks.exe" - c:\windows\system32\TpShocks.exe [2007-11-22 181536]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2008-3-21 50688]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegedit"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
2007-03-15 05:17 89600 ----a-w- c:\windows\system32\psqlpwd.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]
2006-09-06 07:37 34344 ------w- c:\program files\Lenovo\HOTKEY\notifyf2.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
2006-12-14 02:06 28672 ------w- c:\program files\Lenovo\HOTKEY\tphklock.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ACNotify]
2007-07-05 21:52 32768 ------w- c:\program files\ThinkPad\ConnectUtilities\ACNotify.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli ACGina psqlpwd hpiete.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\BitTornado\\btdownloadgui.exe"=
"c:\\Program Files\\RealVNC\\VNC4\\winvnc4.exe"=
"c:\\WINDOWS\\system32\\ibmpmsvc.exe"=

R0 TPDIGIMN;TPDIGIMN;c:\windows\system32\drivers\ApsHM86.sys [10/16/2007 8:32 PM 19504]
R2 KaseyaAgent;Kaseya Agent;c:\program files\Kaseya\Agent\AgentMon.exe [8/11/2009 11:05 AM 610304]
R2 smihlp;SMI Helper Driver (smihlp);c:\program files\Common Files\ThinkVantage Fingerprint Software\Drivers\smihlp.sys [3/15/2007 12:10 AM 11152]
R2 TVT Backup Protection Service;TVT Backup Protection Service;c:\program files\Lenovo\Rescue and Recovery\rrpservice.exe [2/8/2007 3:11 PM 569344]
R3 TVTI2C;Lenovo SM bus driver;c:\windows\system32\drivers\tvti2c.sys [5/22/2007 5:59 PM 30336]
S3 NWUSBCDFIL;Novatel Wireless Installation CD;c:\windows\system32\drivers\NwUsbCdFil.sys [9/6/2007 3:30 PM 13824]
S3 NWUSBPort2;Novatel Wireless USB Status2 Port Driver;c:\windows\system32\drivers\nwusbser2.sys [10/12/2007 4:04 PM 99200]
.
Contents of the 'Scheduled Tasks' folder

2009-10-21 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-02-12 22:54]

2009-10-22 c:\windows\Tasks\PMTask.job
- c:\progra~1\ThinkPad\UTILIT~1\PWMIDTSK.EXE [2008-03-21 16:22]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
uInternet Settings,ProxyOverride = *.local
IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
TCP: {8CAF0D74-2144-4947-B3F5-302C1D3EF0B0} = 68.28.178.91 68.28.186.91
DPF: Garmin Communicator Plug-In - hxxps://my.garmin.com/mygarmin/m/GarminAxControl.CAB
DPF: {6D2EF4B4-CB62-4C0B-85F3-B79C236D702C} - hxxps://register.facebook.com/controls/contactx.dll
.
- - - - ORPHANS REMOVED - - - -

BHO-{A2234B15-23F2-42AD-F4E4-00AAC39C0004} - c:\windows\system32\os4jrzkv4.dll
HKLM-Run-Malwarebytes Anti-Malware (reboot) - c:\program files\Malwarebytes' Anti-Malware\mbam.exe
HKLM-Run-Qveyulamol - c:\windows\eledokawasaxov.dll
HKLM-Run-lahorovaj - c:\windows\system32\sijorera.dll
HKLM-Run-32532419 - c:\documents and settings\All Users\Application Data\32532419\32532419.exe
HKLM-Run-dubewirusa - behubaza.dll
SharedTaskScheduler-{A2234B15-23F2-42AD-F4E4-00AAC39C0004} - c:\windows\system32\os4jrzkv4.dll
SharedTaskScheduler-ThreadingModel - (no file)
SharedTaskScheduler-{1f99c538-33c1-4a25-a212-b35643a82cd9} - c:\windows\system32\sijorera.dll
SSODL-vofedesiy-{1f99c538-33c1-4a25-a212-b35643a82cd9} - c:\windows\system32\sijorera.dll
AddRemove-{92420e53-21aa-4e1d-98ff-b0d422c434da} - c:\program files\Common Files\Nero\Nero ProductInstaller 4\SetupX.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-21 22:56
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,53,e8,01,ee,42,1a,a3,4b,96,79,d4,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,53,e8,01,ee,42,1a,a3,4b,96,79,d4,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1616)
c:\program files\ThinkPad\ConnectUtilities\ACNotify.dll
c:\program files\ThinkPad\ConnectUtilities\AcSvcStub.dll
c:\program files\ThinkPad\ConnectUtilities\AcLocSettings.dll
c:\program files\ThinkPad\ConnectUtilities\ACHelper.dll
c:\windows\system32\psqlpwd.dll
c:\program files\ThinkVantage Fingerprint Software\homefus2.dll
c:\program files\ThinkVantage Fingerprint Software\infra.dll
c:\program files\ThinkVantage Fingerprint Software\homepass.dll
c:\program files\ThinkVantage Fingerprint Software\bio.dll
c:\program files\ThinkVantage Fingerprint Software\ps2css.dll
c:\program files\ThinkVantage Fingerprint Software\crypto.dll
c:\program files\ThinkVantage Fingerprint Software\remote.dll
c:\program files\Lenovo\HOTKEY\tphklock.dll
c:\program files\ThinkVantage Fingerprint Software\pscssint.dll
c:\windows\system32\NavLogon.dll

- - - - - - - > 'lsass.exe'(1672)
c:\program files\ThinkPad\ConnectUtilities\ACGina.dll
c:\program files\ThinkPad\ConnectUtilities\ACHelper.dll
c:\program files\ThinkPad\ConnectUtilities\AcSvcStub.dll
c:\program files\ThinkPad\ConnectUtilities\AcLocSettings.dll
c:\program files\ThinkPad\ConnectUtilities\ACON.dll
c:\windows\system32\WININET.dll
c:\program files\ThinkPad\ConnectUtilities\AcPrfMgr.dll
c:\program files\ThinkPad\ConnectUtilities\AcCryptHlpr.dll
c:\program files\ThinkPad\ConnectUtilities\ACTurinSupport.dll
c:\program files\ThinkPad\ConnectUtilities\AcSmBiosHelper.dll
c:\program files\ThinkPad\ConnectUtilities\AcAdaptersInfo.dll
c:\windows\system32\psqlpwd.dll
c:\program files\ThinkVantage Fingerprint Software\homefus2.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll
c:\program files\ThinkVantage Fingerprint Software\infra.dll
c:\windows\hpiete.dll

- - - - - - - > 'explorer.exe'(3700)
c:\windows\system32\WININET.dll
c:\program files\Lenovo\Client Security Solution\tvtpwm_windows_hook.dll
c:\program files\Lenovo\Client Security Solution\tvt_passwordmanager.dll
c:\program files\Lenovo\Client Security Solution\css_banner.dll
c:\program files\Lenovo\Client Security Solution\csswait.dll
c:\windows\system32\cssuserdatadispatcher.dll
c:\program files\Lenovo\Client Security Solution\css_dlgcustompolicy.dll
c:\windows\system32\tvttsp.dll
c:\windows\system32\tcsrpc.dll
c:\program files\Common Files\Lenovo\tvt_think_res.dll
c:\program files\Lenovo\Client Security Solution\css_think_res.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\IEFRAME.dll
c:\progra~1\COMMON~1\MICROS~1\WEBCOM~1\11\OWC11.DLL
c:\progra~1\COMMON~1\MICROS~1\WEBCOM~1\10\OWC10.DLL
c:\windows\system32\mshtml.dll
c:\windows\system32\msls31.dll
c:\windows\IME\SPGRMR.DLL
c:\program files\Common Files\Microsoft Shared\INK\SKCHUI.DLL
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\windows\hpiete.dll
c:\program files\Bonjour\mdnsNSP.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ibmpmsvc.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\windows\system32\brss01a.exe
c:\windows\system32\IPSSVC.EXE
c:\program files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\NavNT\defwatch.exe
c:\program files\Diskeeper Corporation\Diskeeper\DkService.exe
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\NavNT\rtvscan.exe
c:\program files\Novatel Wireless\Sprint\Sprint PCS Connection Manager\OSCMUtilityService.exe
c:\windows\system32\HPZipm12.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\windows\system32\MsgSys.EXE
c:\program files\Sprint\Sierra Wireless\Sprint PCS Connection Manager\SPCSUtilityService.exe
c:\program files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
c:\windows\System32\TPHDEXLG.exe
c:\program files\Lenovo\Client Security Solution\tvttcsd.exe
c:\program files\Lenovo\Rescue and Recovery\rrservice.exe
c:\program files\Common Files\Lenovo\Scheduler\tvtsched.exe
c:\program files\RealVNC\VNC4\WinVNC4.exe
c:\program files\ThinkPad\ConnectUtilities\AcSvc.exe
c:\program files\lenovo\system update\suservice.exe
c:\program files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
c:\combo-fix\CF13102.exe
c:\windows\system32\rundll32.exe
c:\program files\Lenovo\HOTKEY\TPONSCR.exe
c:\program files\Lenovo\Zoom\TpScrex.exe
c:\windows\system32\igfxsrvc.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\Rundll32.exe
c:\windows\system32\Rundll32.exe
c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
c:\program files\Lenovo\Client Security Solution\tvtpwm_tray.exe
c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\CPSHelpRunner.exe
c:\combo-fix\PEV.cfxxe
.
**************************************************************************
.
Completion time: 2009-10-22 23:01 - machine was rebooted
ComboFix-quarantined-files.txt 2009-10-22 04:01

Pre-Run: 72,058,273,792 bytes free
Post-Run: 77,763,428,352 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 4C1BDE05A3F0EEACDA5269E714BA02AF

#8 JSntgRvr

Malware Response Team

Posted 22 October 2009 - 12:21 AM

Hi, jetro :(

Congratulations.

Right click here --> [attachment=34205:CFScript.txt] and select Save as or Save link as to download this file to your desktop next to Combofix.

Posted Image

Once saved, referring to the picture above, drag CFScript.txt into ComboFix.exe, and post back the resulting report along with a fresh DDS log.

Edited by JSntgRvr, 22 October 2009 - 12:35 AM.

No request for help through private messaging will be attended to.

If I have helped you, consider making a donation to help me continue the fight against Malware!


#9 jetro


Posted 22 October 2009 - 10:56 AM

OK, here is the ComboFix log and the new DDS log:

ComboFix 09-10-20.03 - TERMUSER 10/22/2009 10:36.2.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.998.410 [GMT -5:00]
Running from: c:\documents and settings\TERMUSER\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\TERMUSER\Desktop\CFScript.txt

FILE ::
"C:\buxuhto.exe"
"c:\docume~1\termuser\locals~1\temp\jxvei.exe"
"c:\docume~1\termuser\locals~1\temp\svchost.exe"
"c:\docume~1\termuser\locals~1\temp\wow64main.exe"
"c:\docume~1\termuser\startm~1\programs\startup\scandisk.lnk"
"c:\documents and settings\All Users\Application Data\pyty.dat"
"c:\documents and settings\All Users\Application Data\rofagahyfe.dat"
"c:\documents and settings\TERMUSER\Application Data\apiqicyro.dll"
"c:\documents and settings\termuser\application data\seres.exe"
"c:\documents and settings\termuser\application data\svcst.exe"
"c:\documents and settings\TERMUSER\Local Settings\Application Data\buxizabybu.pif"
"c:\documents and settings\TERMUSER\Local Settings\Application Data\foryc.bin"
"c:\documents and settings\TERMUSER\Local Settings\Application Data\woko.com"
"C:\dtacmawh.exe"
"C:\ldvx.exe"
"c:\program files\Common Files\asyhibekag.bin"
"c:\program files\Common Files\upezup.dlc:\program files\Common Files\xezufafowi._sy"
"C:\qsdhs.exe"
"c:\windows\eledokawasaxov.dll"
"c:\windows\hpiete.dll"
"c:\windows\Hpozobifuy.bin"
"c:\windows\Hzipoxozoq.dat"
"c:\windows\igynobaf.dat"
"c:\windows\jabecig.dat"
"c:\windows\system32\calc.dll"
"c:\windows\system32\config\system~1\ntuser.dll"
"c:\windows\system32\config\systemprofile\Start Menu\Programs\Startup\scandisk.dll"
"c:\windows\system32\dutuhabe.dll"
"c:\windows\system32\iloluxo.sys"
"c:\windows\system32\ipejijyn.exe"
"c:\windows\system32\jazefara.dll"
"c:\windows\system32\kosugake.exe"
"c:\windows\system32\kuwilofa.exe"
"c:\windows\system32\lewiyidi.dll"
"c:\windows\system32\migodada.exe"
"c:\windows\system32\os4jrzkv4.dll"
"c:\windows\system32\padanoku.exe"
"c:\windows\system32\pyduvita.com"
"c:\windows\system32\sdra64.exe"
"c:\windows\system32\vawa.dat"
"c:\windows\system32\winhelper.dll"
"c:\windows\system32\winupdate.exe"
"c:\windows\system32\yokavubo.dll"
"c:\windows\system32\zogadeli.dll"
"c:\windows\system32\zukepive.exe"
"c:\windows\ynuvaji.sys"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\buxuhto.exe
c:\documents and settings\All Users\Application Data\85840934
c:\documents and settings\All Users\Application Data\85840934\85840934.exe
c:\documents and settings\All Users\Application Data\pyty.dat
c:\documents and settings\All Users\Application Data\rofagahyfe.dat
c:\documents and settings\TERMUSER\Application Data\apiqicyro.dll
c:\documents and settings\TERMUSER\Desktop\Security Tool.lnk
c:\documents and settings\TERMUSER\Local Settings\Application Data\buxizabybu.pif
c:\documents and settings\TERMUSER\Local Settings\Application Data\foryc.bin
c:\documents and settings\TERMUSER\Local Settings\Application Data\woko.com
c:\documents and settings\TERMUSER\Start Menu\Programs\Security Tool.lnk
C:\dtacmawh.exe
C:\explorer.exe
C:\ldvx.exe
c:\program files\Common Files\asyhibekag.bin
c:\program files\security central
c:\program files\security central\Security Central.exe
C:\qsdhs.exe
c:\windows\hpiete.dll
c:\windows\Hpozobifuy.bin
c:\windows\Hzipoxozoq.dat
c:\windows\igynobaf.dat
c:\windows\jabecig.dat
c:\windows\system32\config\systemprofile\Start Menu\Programs\Startup\scandisk.dll
c:\windows\system32\dutuhabe.dll
c:\windows\system32\iloluxo.sys
c:\windows\system32\ipejijyn.exe
c:\windows\system32\kosugake.exe
c:\windows\system32\kuwilofa.exe
c:\windows\system32\lewiyidi.dll
c:\windows\system32\migodada.exe
c:\windows\system32\nosadepu.exe
c:\windows\system32\padanoku.exe
c:\windows\system32\pyduvita.com
c:\windows\system32\vawa.dat
c:\windows\system32\yokavubo.dll
c:\windows\system32\zogadeli.dll
c:\windows\system32\zukepive.exe
c:\windows\ynuvaji.sys

.
((((((((((((((((((((((((( Files Created from 2009-09-22 to 2009-10-22 )))))))))))))))))))))))))))))))
.

2009-10-22 15:15 . 2009-10-22 15:34 -------- d-----w- C:\Combo-Fix
2009-10-20 15:43 . 2009-10-22 03:15 58 ----a-w- c:\windows\wp4.dat
2009-10-20 15:43 . 2009-10-22 03:15 1 ----a-w- c:\windows\wp3.dat
2009-10-20 15:43 . 2009-10-22 03:15 565248 ----a-w- c:\windows\system32\plugie.dll
2009-10-03 21:10 . 2009-10-03 21:10 -------- d-----w- c:\documents and settings\All Users\Application Data\Office Genuine Advantage
2009-10-03 21:10 . 2009-10-03 21:10 -------- d-----w- c:\documents and settings\TERMUSER\Application Data\Office Genuine Advantage

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-22 15:11 . 2009-01-09 15:41 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-14 03:04 . 2008-11-20 20:02 256 ----a-w- c:\windows\system32\pool.bin
2009-09-23 03:02 . 2008-04-25 11:48 -------- d-----w- c:\program files\Microsoft Works
2009-09-21 15:27 . 2009-09-21 15:27 -------- d-----w- c:\program files\Microsoft Silverlight
2009-09-15 17:44 . 2009-09-15 17:44 10145 ----a-w- c:\program files\Common Files\xezufafowi._sy
2009-09-14 21:15 . 2009-09-14 21:15 18958 ----a-w- c:\program files\Common Files\upezup.dl
2009-09-11 18:23 . 2009-08-09 14:58 -------- d-----w- c:\documents and settings\TERMUSER\Application Data\foobar2000
2009-09-11 14:38 . 2008-03-21 10:03 85072 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-11 14:18 . 2006-04-30 06:55 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-10 22:48 . 2009-09-10 22:48 -------- d-----w- c:\documents and settings\TERMUSER\Application Data\Blackberry Desktop
2009-09-10 22:47 . 2009-09-10 22:47 -------- d-----w- c:\documents and settings\TERMUSER\Application Data\Research In Motion
2009-09-10 22:44 . 2008-04-25 08:48 85072 ----a-w- c:\documents and settings\TERMUSER\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-10 22:37 . 2008-11-20 18:36 -------- d-----w- c:\program files\Common Files\Roxio Shared
2009-09-10 22:37 . 2009-09-10 22:36 -------- d-----w- c:\program files\Roxio
2009-09-10 22:36 . 2008-11-20 18:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Roxio
2009-09-10 22:36 . 2008-03-21 09:44 -------- d-----w- c:\program files\Common Files\Sonic Shared
2009-09-10 22:31 . 2008-11-20 18:29 -------- d-----w- c:\program files\Common Files\Research In Motion
2009-09-10 22:30 . 2009-09-10 22:30 -------- d-----w- c:\program files\Research In Motion
2009-09-10 19:54 . 2009-01-09 15:41 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 19:53 . 2009-01-09 15:41 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-04 21:03 . 2006-04-30 06:55 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-31 17:07 . 2009-08-28 20:20 -------- d-----w- c:\program files\DivX
2009-08-31 15:41 . 2009-08-29 05:10 -------- d-----w- c:\program files\Common Files\Nero
2009-08-31 15:40 . 2009-08-29 05:10 -------- d-----w- c:\documents and settings\All Users\Application Data\Nero
2009-08-31 14:47 . 2009-08-29 03:58 -------- d-----w- c:\documents and settings\TERMUSER\Application Data\DivX
2009-08-29 08:08 . 2006-04-30 06:56 916480 ------w- c:\windows\system32\wininet.dll
2009-08-29 05:16 . 2009-08-29 05:16 -------- d-----w- c:\documents and settings\TERMUSER\Application Data\Nero
2009-08-29 03:55 . 2009-08-29 03:55 -------- d-----w- c:\program files\Common Files\DivX Shared
2009-08-28 20:22 . 2009-08-28 20:22 -------- d-----w- c:\documents and settings\TERMUSER\Application Data\Pegasys Inc
2009-08-26 08:00 . 2006-04-30 06:56 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-23 19:01 . 2008-04-25 11:32 -------- d-----w- c:\documents and settings\TERMUSER\Application Data\U3
2009-08-07 00:24 . 2006-04-30 07:11 327896 ----a-w- c:\windows\system32\wucltui.dll
2009-08-07 00:24 . 2006-04-30 07:11 209632 ----a-w- c:\windows\system32\wuweb.dll
2009-08-07 00:24 . 2007-07-31 02:19 44768 ----a-w- c:\windows\system32\wups2.dll
2009-08-07 00:24 . 2006-04-30 07:11 35552 ----a-w- c:\windows\system32\wups.dll
2009-08-07 00:24 . 2006-04-30 07:11 53472 ------w- c:\windows\system32\wuauclt.exe
2009-08-07 00:24 . 2006-04-30 06:55 96480 ----a-w- c:\windows\system32\cdm.dll
2009-08-07 00:23 . 2006-04-30 07:11 575704 ----a-w- c:\windows\system32\wuapi.dll
2009-08-07 00:23 . 2009-09-22 14:11 215920 ----a-w- c:\windows\system32\muweb.dll
2009-08-07 00:23 . 2009-09-22 14:11 274288 ----a-w- c:\windows\system32\mucltui.dll
2009-08-07 00:23 . 2006-04-30 07:11 1929952 ----a-w- c:\windows\system32\wuaueng.dll
2009-08-05 09:01 . 2006-04-30 06:55 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-05 00:52 . 2009-08-05 00:52 1193832 ----a-w- c:\windows\system32\FM20.DLL
2009-08-04 15:13 . 2006-04-30 06:55 2145280 ------w- c:\windows\system32\ntoskrnl.exe
2009-08-04 14:20 . 2004-08-03 22:59 2023936 ------w- c:\windows\system32\ntkrnlpa.exe
2009-08-03 20:07 . 2009-08-03 20:07 403816 ----a-w- c:\windows\system32\OGACheckControl.dll
2009-08-03 20:07 . 2009-08-03 20:07 322928 ----a-w- c:\windows\system32\OGAAddin.dll
2009-08-03 20:07 . 2009-08-03 20:07 230768 ----a-w- c:\windows\system32\OGAEXEC.exe
2009-07-22 04:13 . 2009-07-22 04:13 39424 --sha-w- c:\windows\system32\jujutoji.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-10-22_03.56.14 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-10-22 15:43 . 2009-10-22 15:43 16384 c:\windows\Temp\Perflib_Perfdata_72c.dat
+ 2009-10-22 15:43 . 2009-10-22 15:43 16384 c:\windows\Temp\Perflib_Perfdata_48c.dat
+ 2009-10-22 14:50 . 2009-10-22 14:50 16384 c:\windows\Temp\Perflib_Perfdata_3ac.dat
+ 2006-04-30 06:55 . 2009-10-22 15:48 72306 c:\windows\system32\perfc009.dat
- 2006-04-30 06:55 . 2009-10-22 03:17 72306 c:\windows\system32\perfc009.dat
+ 2006-04-30 06:55 . 2009-10-22 15:48 444596 c:\windows\system32\perfh009.dat
- 2006-04-30 06:55 . 2009-10-22 03:17 444596 c:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-05-28 68856]
"ISUSPM"="c:\program files\Common Files\Installshield\UpdateService\ISUSPM.exe" [2006-09-11 218032]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PWRMGRTR"="c:\progra~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL" [2007-12-06 200704]
"BLOG"="c:\progra~1\ThinkPad\UTILIT~1\BatLogEx.DLL" [2007-12-06 208896]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2007-07-05 110592]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-07-05 512000]
"TPFNF7"="c:\program files\Lenovo\NPDIRECT\TPFNF7SP.exe" [2007-11-29 59168]
"TPHOTKEY"="c:\program files\Lenovo\HOTKEY\TPOSDSVC.exe" [2007-03-09 66176]
"EZEJMNAP"="c:\progra~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [2007-03-28 243248]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2007-04-09 1015808]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-09-07 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-09-07 162328]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-09-07 137752]
"TVT Scheduler Proxy"="c:\program files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe" [2008-03-04 487424]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-01-25 136600]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2006-02-02 122940]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-09-11 218032]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-09-11 86960]
"AwaySch"="c:\program files\Lenovo\AwayTask\AwaySch.EXE" [2006-11-07 91688]
"LPManager"="c:\progra~1\THINKV~1\PrdCtr\LPMGR.exe" [2007-04-26 120368]
"AMSG"="c:\program files\ThinkVantage\AMSG\Amsg.exe" [2007-02-01 419376]
"DiskeeperSystray"="c:\program files\Diskeeper Corporation\Diskeeper\DkIcon.exe" [2006-05-18 196696]
"ACTray"="c:\program files\ThinkPad\ConnectUtilities\ACTray.exe" [2007-07-05 413696]
"ACWLIcon"="c:\program files\ThinkPad\ConnectUtilities\ACWLIcon.exe" [2007-07-05 126976]
"cssauth"="c:\program files\Lenovo\Client Security Solution\cssauth.exe" [2007-08-03 2630968]
"vptray"="c:\progra~1\NavNT\vptray.exe" [2001-09-24 73728]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"hpbdfawep"="c:\program files\HP\Dfawep\bin\hpbdfawep.exe" [2006-07-12 626688]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
"Kaseya Agent Service Helper"="c:\program files\Kaseya\Agent\KaUsrTsk.exe" [2008-09-04 229376]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2008-03-06 236016]
"lahorovaj"="c:\windows\system32\viwafinu.dll" [BU]
"TpShocks"="TpShocks.exe" - c:\windows\system32\TpShocks.exe [2007-11-22 181536]
"dubewirusa"="behubaza.dll" [BU]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2008-3-21 50688]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegedit"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
2007-03-15 05:17 89600 ----a-w- c:\windows\system32\psqlpwd.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]
2006-09-06 07:37 34344 ------w- c:\program files\Lenovo\HOTKEY\notifyf2.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
2006-12-14 02:06 28672 ------w- c:\program files\Lenovo\HOTKEY\tphklock.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ACNotify]
2007-07-05 21:52 32768 ------w- c:\program files\ThinkPad\ConnectUtilities\ACNotify.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ %I

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\BitTornado\\btdownloadgui.exe"=
"c:\\Program Files\\RealVNC\\VNC4\\winvnc4.exe"=
"c:\\WINDOWS\\system32\\ibmpmsvc.exe"=
"c:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"=

R0 TPDIGIMN;TPDIGIMN;c:\windows\system32\drivers\ApsHM86.sys [10/16/2007 8:32 PM 19504]
R2 KaseyaAgent;Kaseya Agent;c:\program files\Kaseya\Agent\AgentMon.exe [8/11/2009 11:05 AM 610304]
R2 smihlp;SMI Helper Driver (smihlp);c:\program files\Common Files\ThinkVantage Fingerprint Software\Drivers\smihlp.sys [3/15/2007 12:10 AM 11152]
R2 TVT Backup Protection Service;TVT Backup Protection Service;c:\program files\Lenovo\Rescue and Recovery\rrpservice.exe [2/8/2007 3:11 PM 569344]
R3 KAPFA;KAPFA;c:\windows\system32\drivers\KaPFA.sys [8/11/2009 11:05 AM 20792]
R3 TVTI2C;Lenovo SM bus driver;c:\windows\system32\drivers\tvti2c.sys [5/22/2007 5:59 PM 30336]
S3 NWUSBCDFIL;Novatel Wireless Installation CD;c:\windows\system32\drivers\NwUsbCdFil.sys [9/6/2007 3:30 PM 13824]
S3 NWUSBPort2;Novatel Wireless USB Status2 Port Driver;c:\windows\system32\drivers\nwusbser2.sys [10/12/2007 4:04 PM 99200]
.
Contents of the 'Scheduled Tasks' folder

2009-10-21 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-02-12 22:54]

2009-10-22 c:\windows\Tasks\PMTask.job
- c:\progra~1\ThinkPad\UTILIT~1\PWMIDTSK.EXE [2008-03-21 16:22]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
uInternet Settings,ProxyOverride = *.local
IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
DPF: Garmin Communicator Plug-In - hxxps://my.garmin.com/mygarmin/m/GarminAxControl.CAB
DPF: {6D2EF4B4-CB62-4C0B-85F3-B79C236D702C} - hxxps://register.facebook.com/controls/contactx.dll
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-85840934 - c:\docume~1\ALLUSE~1\APPLIC~1\85840934\85840934.exe
SharedTaskScheduler-{8fb7dd32-7edc-4bde-9e1a-635222e44d7a} - c:\windows\system32\viwafinu.dll
SSODL-guzedowag-{8fb7dd32-7edc-4bde-9e1a-635222e44d7a} - c:\windows\system32\viwafinu.dll



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-22 10:48
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1328)
c:\program files\ThinkPad\ConnectUtilities\ACNotify.dll
c:\program files\ThinkPad\ConnectUtilities\AcSvcStub.dll
c:\program files\ThinkPad\ConnectUtilities\AcLocSettings.dll
c:\program files\ThinkPad\ConnectUtilities\ACHelper.dll
c:\windows\system32\psqlpwd.dll
c:\program files\ThinkVantage Fingerprint Software\homefus2.dll
c:\program files\ThinkVantage Fingerprint Software\infra.dll
c:\program files\ThinkVantage Fingerprint Software\homepass.dll
c:\program files\ThinkVantage Fingerprint Software\bio.dll
c:\program files\ThinkVantage Fingerprint Software\ps2css.dll
c:\program files\ThinkVantage Fingerprint Software\crypto.dll
c:\program files\ThinkVantage Fingerprint Software\remote.dll
c:\program files\Lenovo\HOTKEY\tphklock.dll
c:\program files\ThinkVantage Fingerprint Software\pscssint.dll
c:\windows\system32\NavLogon.dll

- - - - - - - > 'explorer.exe'(1308)
c:\windows\system32\WININET.dll
c:\program files\Lenovo\Client Security Solution\tvtpwm_windows_hook.dll
c:\program files\Lenovo\Client Security Solution\tvt_passwordmanager.dll
c:\program files\Lenovo\Client Security Solution\css_banner.dll
c:\program files\Lenovo\Client Security Solution\csswait.dll
c:\windows\system32\cssuserdatadispatcher.dll
c:\program files\Lenovo\Client Security Solution\css_dlgcustompolicy.dll
c:\windows\system32\tvttsp.dll
c:\windows\system32\tcsrpc.dll
c:\program files\Common Files\Lenovo\tvt_think_res.dll
c:\program files\Lenovo\Client Security Solution\css_think_res.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\IEFRAME.dll
c:\progra~1\COMMON~1\MICROS~1\WEBCOM~1\11\OWC11.DLL
c:\progra~1\COMMON~1\MICROS~1\WEBCOM~1\10\OWC10.DLL
c:\windows\system32\mshtml.dll
c:\windows\system32\msls31.dll
c:\windows\IME\SPGRMR.DLL
c:\program files\Common Files\Microsoft Shared\INK\SKCHUI.DLL
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ibmpmsvc.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\windows\system32\brss01a.exe
c:\windows\system32\IPSSVC.EXE
c:\program files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\NavNT\defwatch.exe
c:\program files\Diskeeper Corporation\Diskeeper\DkService.exe
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\NavNT\rtvscan.exe
c:\program files\Novatel Wireless\Sprint\Sprint PCS Connection Manager\OSCMUtilityService.exe
c:\windows\system32\HPZipm12.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\windows\system32\MsgSys.EXE
c:\program files\Sprint\Sierra Wireless\Sprint PCS Connection Manager\SPCSUtilityService.exe
c:\program files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
c:\windows\System32\TPHDEXLG.exe
c:\program files\Lenovo\Client Security Solution\tvttcsd.exe
c:\program files\Lenovo\Rescue and Recovery\rrservice.exe
c:\program files\Common Files\Lenovo\Scheduler\tvtsched.exe
c:\program files\RealVNC\VNC4\WinVNC4.exe
c:\program files\ThinkPad\ConnectUtilities\AcSvc.exe
c:\program files\lenovo\system update\suservice.exe
c:\program files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
c:\combo-fix14854c\CF18917.exe
c:\windows\system32\rundll32.exe
c:\program files\Lenovo\HOTKEY\TPONSCR.exe
c:\program files\Lenovo\Zoom\TpScrex.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\Intel\Wireless\Bin\Dot1XCfg.exe
c:\windows\system32\Rundll32.exe
c:\windows\system32\Rundll32.exe
c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
c:\program files\Lenovo\Client Security Solution\tvtpwm_tray.exe
c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\CPSHelpRunner.exe
c:\combo-fix14854c\PEV.cfxxe
.
**************************************************************************
.
Completion time: 2009-10-22 10:52 - machine was rebooted
ComboFix-quarantined-files.txt 2009-10-22 15:52
ComboFix2.txt 2009-10-22 04:01

Pre-Run: 77,739,872,256 bytes free
Post-Run: 77,663,404,032 bytes free

- - End Of File - - 5E4D524B04EC9EE4FE90BEF2760B9447


DDS (Ver_09-10-13.01) - NTFSx86
Run by TERMUSER at 10:53:48.92 on Thu 10/22/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.998.105 [GMT -5:00]


============== Running Processes ===============

C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\brss01a.exe
svchost.exe
C:\WINDOWS\system32\IPSSVC.EXE
C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Kaseya\Agent\AgentMon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\NavNT\rtvscan.exe
C:\Program Files\Novatel Wireless\Sprint\Sprint PCS Connection Manager\OSCMUtilityService.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\Program Files\Sprint\Sierra Wireless\Sprint PCS Connection Manager\SPCSUtilityService.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
C:\WINDOWS\System32\TPHDEXLG.exe
C:\Program Files\Lenovo\Rescue and Recovery\rrpservice.exe
C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe
c:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
c:\program files\lenovo\system update\suservice.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Lenovo\NPDIRECT\TPFNF7SP.exe
C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
C:\WINDOWS\system32\TpShocks.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe
C:\Program Files\Lenovo\Zoom\TpScrex.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Lenovo\AwayTask\AwaySch.EXE
C:\PROGRA~1\THINKV~1\PrdCtr\LPMGR.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
C:\Program Files\Lenovo\Client Security Solution\cssauth.exe
C:\PROGRA~1\NavNT\vptray.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\HP\Dfawep\bin\hpbdfawep.exe
C:\Program Files\Kaseya\Agent\KaUsrTsk.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Common Files\Installshield\UpdateService\ISUSPM.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
C:\Program Files\Lenovo\Client Security Solution\tvtpwm_tray.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\CPSHelpRunner.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\TERMUSER\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
uInternet Settings,ProxyOverride = *.local
BHO: Windows Live Toolbar Helper: {bdbd1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
BHO: 1 (0x1) - No File
TB: Windows Live Toolbar: {bdad1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [ISUSPM] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler
mRun: [PWRMGRTR] rundll32 c:\progra~1\thinkpad\utilit~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
mRun: [BLOG] rundll32 c:\progra~1\thinkpad\utilit~1\BatLogEx.DLL,StartBattLog
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [TPFNF7] c:\program files\lenovo\npdirect\TPFNF7SP.exe /r
mRun: [TPHOTKEY] c:\program files\lenovo\hotkey\TPOSDSVC.exe
mRun: [TpShocks] TpShocks.exe
mRun: [EZEJMNAP] c:\progra~1\thinkpad\utilit~1\EzEjMnAp.Exe
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [TVT Scheduler Proxy] c:\program files\common files\lenovo\scheduler\scheduler_proxy.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [AwaySch] c:\program files\lenovo\awaytask\AwaySch.EXE
mRun: [LPManager] c:\progra~1\thinkv~1\prdctr\LPMGR.exe
mRun: [AMSG] c:\program files\thinkvantage\amsg\Amsg.exe /startup
mRun: [DiskeeperSystray] "c:\program files\diskeeper corporation\diskeeper\DkIcon.exe"
mRun: [ACTray] c:\program files\thinkpad\connectutilities\ACTray.exe
mRun: [ACWLIcon] c:\program files\thinkpad\connectutilities\ACWLIcon.exe
mRun: [cssauth] "c:\program files\lenovo\client security solution\cssauth.exe" silent
mRun: [vptray] c:\progra~1\navnt\vptray.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [hpbdfawep] c:\program files\hp\dfawep\bin\hpbdfawep.exe 1
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [Kaseya Agent Service Helper] "c:\program files\kaseya\agent\KaUsrTsk.exe"
mRun: [RoxWatchTray] "c:\program files\common files\roxio shared\9.0\sharedcom\RoxWatchTray9.exe"
mRun: [lahorovaj] Rundll32.exe "c:\windows\system32\viwafinu.dll",a
mRun: [dubewirusa] Rundll32.exe "behubaza.dll",s
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
mPolicies-system: DisableRegedit = 0 (0x0)
IE: &Windows Live Search - c:\program files\windows live toolbar\msntb.dll/search.htm
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - c:\program files\pokerstars\PokerStarsUpdate.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {0045D4BC-5189-4b67-969C-83BB1906C421} - {0FE81B52-73FA-425F-8F06-3F32451AC73F} - c:\program files\lenovo\client security solution\tvtpwm_ie_com.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: Garmin Communicator Plug-In - hxxps://my.garmin.com/mygarmin/m/GarminAxControl.CAB
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} - hxxp://www.linkedin.com/cab/LinkedInContactFinderControl.cab
DPF: {6D2EF4B4-CB62-4C0B-85F3-B79C236D702C} - hxxps://register.facebook.com/controls/contactx.dll
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://beavex.webex.com/client/T26L/training/ieatgpc.cab
Notify: ACNotify - ACNotify.dll
Notify: igfxcui - igfxdev.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
Notify: psfus - c:\windows\system32\psqlpwd.dll
Notify: tpfnf2 - c:\program files\lenovo\hotkey\notifyf2.dll
Notify: tphotkey - c:\program files\lenovo\hotkey\tphklock.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
LSA: Notification Packages = scecli ACGina psqlpwd

============= SERVICES / DRIVERS ===============

R0 Shockprf;Shockprf;c:\windows\system32\drivers\ApsX86.sys [2007-10-16 103472]
R0 TPDIGIMN;TPDIGIMN;c:\windows\system32\drivers\ApsHM86.sys [2007-10-16 19504]
R1 ANC;ANC;c:\windows\system32\drivers\ANC.sys [2008-3-21 11520]
R1 IBMTPCHK;IBMTPCHK;c:\windows\system32\drivers\IBMBLDID.sys [2008-3-21 4224]
R1 TPPWRIF;TPPWRIF;c:\windows\system32\drivers\TPPWRIF.SYS [2008-3-21 4442]
R2 KaseyaAgent;Kaseya Agent;c:\program files\kaseya\agent\AgentMon.exe [2009-8-11 610304]
R2 smihlp;SMI Helper Driver (smihlp);c:\program files\common files\thinkvantage fingerprint software\drivers\smihlp.sys [2007-3-15 11152]
R2 TVT Backup Protection Service;TVT Backup Protection Service;c:\program files\lenovo\rescue and recovery\rrpservice.exe [2007-2-8 569344]
R3 KAPFA;KAPFA;c:\windows\system32\drivers\KaPFA.sys [2009-8-11 20792]
R3 TVTI2C;Lenovo SM bus driver;c:\windows\system32\drivers\tvti2c.sys [2007-5-22 30336]
S2 Nero BackItUp Scheduler 4.0;Nero BackItUp Scheduler 4.0;c:\program files\common files\nero\nero backitup 4\nbservice.exe --> c:\program files\common files\nero\nero backitup 4\NBService.exe [?]
S3 NWUSBCDFIL;Novatel Wireless Installation CD;c:\windows\system32\drivers\NwUsbCdFil.sys [2007-9-6 13824]
S3 NWUSBPort2;Novatel Wireless USB Status2 Port Driver;c:\windows\system32\drivers\nwusbser2.sys [2007-10-12 99200]

=============== Created Last 30 ================

2009-10-22 10:15 <DIR> --d----- C:\Combo-Fix
2009-10-21 22:37 <DIR> a-dshr-- C:\cmdcons
2009-10-21 22:33 236,544 a------- c:\windows\PEV.exe
2009-10-21 22:33 161,792 a------- c:\windows\SWREG.exe
2009-10-21 22:33 98,816 a------- c:\windows\sed.exe
2009-10-20 10:43 58 a------- c:\windows\wp4.dat
2009-10-20 10:43 1 a------- c:\windows\wp3.dat
2009-10-20 10:43 565,248 a------- c:\windows\system32\plugie.dll
2009-10-20 10:43 91 a------- c:\windows\system32\wwp.htm
2009-10-20 10:34 27,136 a------- c:\windows\system32\cpcp.cpo
2009-10-03 16:10 <DIR> --d----- c:\docume~1\termuser\applic~1\Office Genuine Advantage
2009-09-24 09:56 3,251 a------- c:\windows\system32\wbem\Outlook_01ca3d272223013e.mof
2009-09-22 22:10 3,251 a------- c:\windows\system32\wbem\Outlook_01ca3bfb6852b9c4.mof

==================== Find3M ====================

2009-09-15 12:44 10,145 a------- c:\program files\common files\xezufafowi._sy
2009-09-14 16:15 18,958 a------- c:\program files\common files\upezup.dl
2009-09-11 09:18 136,192 a------- c:\windows\system32\msv1_0.dll
2009-09-11 09:18 136,192 -------- c:\windows\system32\dllcache\msv1_0.dll
2009-09-10 14:54 38,224 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 14:53 19,160 a------- c:\windows\system32\drivers\mbam.sys
2009-09-04 16:03 58,880 a------- c:\windows\system32\msasn1.dll
2009-09-04 16:03 58,880 -------- c:\windows\system32\dllcache\msasn1.dll
2009-08-28 05:35 173,056 a------- c:\windows\system32\dllcache\ie4uinit.exe
2009-08-26 03:00 247,326 a------- c:\windows\system32\strmdll.dll
2009-08-26 03:00 247,326 -------- c:\windows\system32\dllcache\strmdll.dll
2009-08-06 19:24 327,896 a------- c:\windows\system32\dllcache\wucltui.dll
2009-08-06 19:24 209,632 a------- c:\windows\system32\dllcache\wuweb.dll
2009-08-06 19:24 35,552 a------- c:\windows\system32\dllcache\wups.dll
2009-08-06 19:24 53,472 a------- c:\windows\system32\dllcache\wuauclt.exe
2009-08-06 19:24 96,480 a------- c:\windows\system32\dllcache\cdm.dll
2009-08-06 19:23 575,704 a------- c:\windows\system32\dllcache\wuapi.dll
2009-08-06 19:23 1,929,952 a------- c:\windows\system32\dllcache\wuaueng.dll
2009-08-06 19:23 274,288 a------- c:\windows\system32\mucltui.dll
2009-08-06 19:23 215,920 a------- c:\windows\system32\muweb.dll
2009-08-05 04:01 204,800 a------- c:\windows\system32\mswebdvd.dll
2009-08-05 04:01 204,800 a------- c:\windows\system32\dllcache\mswebdvd.dll
2009-08-04 20:44 2,189,184 -------- c:\windows\system32\dllcache\ntoskrnl.exe
2009-08-04 19:52 1,193,832 a------- c:\windows\system32\FM20.DLL
2009-08-04 10:13 2,145,280 -------- c:\windows\system32\ntoskrnl.exe
2009-08-04 10:13 2,145,280 -------- c:\windows\system32\dllcache\ntkrnlmp.exe
2009-08-04 09:20 2,023,936 -------- c:\windows\system32\ntkrnlpa.exe
2009-08-04 09:20 2,023,936 -------- c:\windows\system32\dllcache\ntkrpamp.exe
2009-08-04 09:20 2,066,048 -------- c:\windows\system32\dllcache\ntkrnlpa.exe
2009-08-03 15:07 403,816 a------- c:\windows\system32\OGACheckControl.dll
2009-08-03 15:07 322,928 a------- c:\windows\system32\OGAAddin.dll
2009-08-03 15:07 230,768 a------- c:\windows\system32\OGAEXEC.exe
2009-07-08 22:44 256 -------- c:\documents and settings\termuser\pool.bin
2009-07-21 23:13 39,424 a--sh--- c:\windows\system32\jujutoji.dll
2008-03-21 04:39 32,768 ac-sh--- c:\windows\system32\config\systemprofile\local settings\application data\microsoft\feeds cache\index.dat
2008-08-30 12:04 32,768 ac-sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008083020080831\index.dat


Thanks!!

#10 JSntgRvr


    Master Surgeon General


  • Malware Response Team
  • 11,958 posts
  • Gender:Male
  • Location:Puerto Rico

Posted 22 October 2009 - 09:12 PM

  • Copy the entire contents of the Quote Box below to Notepad.
  • Name the file as CFScript.txt
  • Change the Save as Type to All Files
  • Save it on the desktop

File::
c:\windows\system32\plugie.dll
c:\windows\system32\jujutoji.dll
c:\windows\system32\behubaza.dll
c:\program files\common files\xezufafowi._sy
c:\program files\common files\upezup.dl


Posted Image

Once saved, referring to the picture above, drag CFScript.txt into ComboFix.exe, and post back the resulting report along with a fresh DDS log.

Please do an online scan with Kaspersky WebScanner

Kaspersky online scanner uses JAVA technology to perform the scan. If you do not have the latest JAVA version, follow the instructions below under Upgrading Java, to download and install the latest version.
  • Read through the requirements and privacy statement and click on Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure the following is checked.
    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
    • Mail databases
  • Click on My Computer under Scan.
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  • Please post this log in your next reply.
Attention! Kaspersky Online Scanner 7.0 may fail to start if another anti-virus program is already installed and running on your computer. Please deactivate the anti-virus software installed on your computer prior to starting Kaspersky Online Scanner 7.0.

Upgrading Java:
  • Download the latest version of Java SE Runtime Environment (JRE): JRE 6 Update 16.
  • Click the "Download" button to the right.
  • Select your Platform and check the box that says: "I agree to the Java SE Runtime Environment 6 License Agreement.".
  • Click on Continue.
  • Click on the link to download Windows Offline Installation (jre-6u16-windows-i586.exe) and save it to your desktop. Do NOT use the Sun Download Manager.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Make sure the C:\Program Files\JAVA folder is removed.
  • Then from your desktop double-click on the download to install the newest version. (Vista users, right click on the jre-6u16-windows-i586.exe and select "Run as an Administrator.")

No request for help through private messaging will be attended to.

If I have helped you, consider making a donation to help me continue the fight against Malware!
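The five files named in the CFScript above were picked out of the DDS and ComboFix autostart sections posted in this thread. As an added illustration (not code from any post here, and not a tool the helper uses), the Python script below applies three checks a responder tends to make by eye when reading "mRun:" lines from a DDS log or the "Reg Loading Points" block of a ComboFix log: a DLL referenced by bare file name rather than a full path, a ComboFix entry with no "[date size]" stamp where every located file gets one, and a value or file name that follows a strict consonant/vowel alternation. The sample lines are copied from the logs in this thread; the consonant/vowel pattern, the six-letter minimum and the idea that the missing stamp is suspicious are my own assumptions, not documented rules of either tool.

```python
import re

# Three checks that a responder reading a DDS "Pseudo HJT Report" or a
# ComboFix "Reg Loading Points" section tends to apply by eye. Thresholds and
# the consonant/vowel heuristic are assumptions, not documented rules.
GENERATED = "value name or file name looks machine-generated"
BARE_DLL = "DLL referenced without a directory (resolved via the search path)"
NO_STAMP = "ComboFix entry carries no [date size] file stamp"

VOWELS = set("aeiou")
DDS_RUN = re.compile(r"^[um]Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
CF_RUN = re.compile(r'^"(?P<name>[^"]+)"="(?P<cmd>[^"]*)"(?P<rest>.*)$')
FILE_STAMP = re.compile(r"\[\d{4}-\d{2}-\d{2} \d+\]")
RUNDLL = re.compile(r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+)"?', re.IGNORECASE)

# Constructed sample: these lines are copied from the DDS and ComboFix logs
# posted in this thread (clean entries and the rogue ones, in both formats).
SAMPLE_LINES = [
    r"mRun: [PWRMGRTR] rundll32 c:\progra~1\thinkpad\utilit~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor",
    r"mRun: [vptray] c:\progra~1\navnt\vptray.exe",
    r'mRun: [lahorovaj] Rundll32.exe "c:\windows\system32\viwafinu.dll",a',
    r'mRun: [dubewirusa] Rundll32.exe "behubaza.dll",s',
    r'"cssauth"="c:\program files\Lenovo\Client Security Solution\cssauth.exe" [2007-08-03 2630968]',
    r'"lahorovaj"="c:\windows\system32\viwafinu.dll" [BU]',
    r'"dubewirusa"="behubaza.dll" [BU]',
    r"uStart Page = hxxp://www.google.com",
]


def looks_generated(token: str) -> bool:
    """Heuristic (assumption): all lowercase, at least six letters, strictly
    alternating consonant/vowel, as in lahorovaj or behubaza. Product names
    on this machine (vptray, cssauth, TpShocks) do not fit the pattern."""
    if len(token) < 6 or not token.isalpha() or not token.islower():
        return False
    is_vowel = [ch in VOWELS for ch in token]
    return all(a != b for a, b in zip(is_vowel, is_vowel[1:]))


def triage_line(line: str):
    """Parse one Run-key line in either log format. Returns (name, reasons)
    or None when the line is not a Run entry."""
    match = DDS_RUN.match(line) or CF_RUN.match(line)
    if not match:
        return None
    name, cmd = match.group("name"), match.group("cmd")
    rest = match.groupdict().get("rest")  # only present for ComboFix lines
    reasons = []

    # The file actually loaded: the rundll32 argument if present, else the command.
    hit = RUNDLL.search(cmd)
    target = hit.group("dll").strip() if hit else cmd.strip()
    if target.lower().endswith(".dll") and "\\" not in target:
        reasons.append(BARE_DLL)

    # ComboFix prints "[YYYY-MM-DD size]" after every file it could locate.
    if rest is not None and not FILE_STAMP.search(rest):
        reasons.append(NO_STAMP)

    stem = target.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    if looks_generated(name) or looks_generated(stem):
        reasons.append(GENERATED)
    return name, reasons


def triage(lines):
    """Collect reasons per value name across both logs; clean entries are omitted."""
    flagged = {}
    for line in lines:
        parsed = triage_line(line)
        if parsed and parsed[1]:
            flagged.setdefault(parsed[0], set()).update(parsed[1])
    return {name: sorted(reasons) for name, reasons in flagged.items()}


if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_LINES).items():
        print(name)
        for reason in reasons:
            print("   -", reason)
```

Run against the sample, only lahorovaj and dubewirusa come back, each with the reasons that apply to it, while the Lenovo, Synaptics and Symantec entries stay silent. The checks are deliberately loose: a hit is a prompt to look at the file, not a verdict, which is also how the helper treats the logs before writing a CFScript.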


#11 jetro

jetro
  • Topic Starter

  • Members
  • 14 posts
  • Local time:03:03 AM

Posted 23 October 2009 - 03:09 AM

ok, here are the 3 logs:

ComboFix 09-10-21.02 - TERMUSER 10/22/2009 23:24.3.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.998.441 [GMT -5:00]
Running from: c:\documents and settings\TERMUSER\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\TERMUSER\Desktop\CFScript.txt

FILE ::
"c:\program files\common files\upezup.dl"
"c:\program files\common files\xezufafowi._sy"
"c:\windows\system32\behubaza.dll"
"c:\windows\system32\jujutoji.dll"
"c:\windows\system32\plugie.dll"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\common files\upezup.dl
c:\program files\common files\xezufafowi._sy
c:\windows\system32\jujutoji.dll
c:\windows\system32\plugie.dll

.
((((((((((((((((((((((((( Files Created from 2009-09-23 to 2009-10-23 )))))))))))))))))))))))))))))))
.

2009-10-22 17:35 . 2009-10-23 02:59 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-10-22 15:15 . 2009-10-22 15:34 -------- d-----w- C:\Combo-Fix
2009-10-20 15:43 . 2009-10-22 03:15 58 ----a-w- c:\windows\wp4.dat
2009-10-20 15:43 . 2009-10-22 03:15 1 ----a-w- c:\windows\wp3.dat
2009-10-03 21:10 . 2009-10-03 21:10 -------- d-----w- c:\documents and settings\All Users\Application Data\Office Genuine Advantage
2009-10-03 21:10 . 2009-10-03 21:10 -------- d-----w- c:\documents and settings\TERMUSER\Application Data\Office Genuine Advantage

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-22 15:11 . 2009-01-09 15:41 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-14 03:04 . 2008-11-20 20:02 256 ----a-w- c:\windows\system32\pool.bin
2009-09-23 03:02 . 2008-04-25 11:48 -------- d-----w- c:\program files\Microsoft Works
2009-09-21 15:27 . 2009-09-21 15:27 -------- d-----w- c:\program files\Microsoft Silverlight
2009-09-11 18:23 . 2009-08-09 14:58 -------- d-----w- c:\documents and settings\TERMUSER\Application Data\foobar2000
2009-09-11 14:38 . 2008-03-21 10:03 85072 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-11 14:18 . 2006-04-30 06:55 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-10 22:48 . 2009-09-10 22:48 -------- d-----w- c:\documents and settings\TERMUSER\Application Data\Blackberry Desktop
2009-09-10 22:47 . 2009-09-10 22:47 -------- d-----w- c:\documents and settings\TERMUSER\Application Data\Research In Motion
2009-09-10 22:44 . 2008-04-25 08:48 85072 ----a-w- c:\documents and settings\TERMUSER\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-10 22:37 . 2008-11-20 18:36 -------- d-----w- c:\program files\Common Files\Roxio Shared
2009-09-10 22:37 . 2009-09-10 22:36 -------- d-----w- c:\program files\Roxio
2009-09-10 22:36 . 2008-11-20 18:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Roxio
2009-09-10 22:36 . 2008-03-21 09:44 -------- d-----w- c:\program files\Common Files\Sonic Shared
2009-09-10 22:31 . 2008-11-20 18:29 -------- d-----w- c:\program files\Common Files\Research In Motion
2009-09-10 22:30 . 2009-09-10 22:30 -------- d-----w- c:\program files\Research In Motion
2009-09-10 19:54 . 2009-01-09 15:41 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 19:53 . 2009-01-09 15:41 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-04 21:03 . 2006-04-30 06:55 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-31 17:07 . 2009-08-28 20:20 -------- d-----w- c:\program files\DivX
2009-08-31 15:41 . 2009-08-29 05:10 -------- d-----w- c:\program files\Common Files\Nero
2009-08-31 15:40 . 2009-08-29 05:10 -------- d-----w- c:\documents and settings\All Users\Application Data\Nero
2009-08-31 14:47 . 2009-08-29 03:58 -------- d-----w- c:\documents and settings\TERMUSER\Application Data\DivX
2009-08-29 08:08 . 2006-04-30 06:56 916480 ------w- c:\windows\system32\wininet.dll
2009-08-29 05:16 . 2009-08-29 05:16 -------- d-----w- c:\documents and settings\TERMUSER\Application Data\Nero
2009-08-29 03:55 . 2009-08-29 03:55 -------- d-----w- c:\program files\Common Files\DivX Shared
2009-08-28 20:22 . 2009-08-28 20:22 -------- d-----w- c:\documents and settings\TERMUSER\Application Data\Pegasys Inc
2009-08-26 08:00 . 2006-04-30 06:56 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-07 00:24 . 2006-04-30 07:11 327896 ----a-w- c:\windows\system32\wucltui.dll
2009-08-07 00:24 . 2006-04-30 07:11 209632 ----a-w- c:\windows\system32\wuweb.dll
2009-08-07 00:24 . 2007-07-31 02:19 44768 ----a-w- c:\windows\system32\wups2.dll
2009-08-07 00:24 . 2006-04-30 07:11 35552 ----a-w- c:\windows\system32\wups.dll
2009-08-07 00:24 . 2006-04-30 07:11 53472 ------w- c:\windows\system32\wuauclt.exe
2009-08-07 00:24 . 2006-04-30 06:55 96480 ----a-w- c:\windows\system32\cdm.dll
2009-08-07 00:23 . 2006-04-30 07:11 575704 ----a-w- c:\windows\system32\wuapi.dll
2009-08-07 00:23 . 2009-09-22 14:11 215920 ----a-w- c:\windows\system32\muweb.dll
2009-08-07 00:23 . 2009-09-22 14:11 274288 ----a-w- c:\windows\system32\mucltui.dll
2009-08-07 00:23 . 2006-04-30 07:11 1929952 ----a-w- c:\windows\system32\wuaueng.dll
2009-08-05 09:01 . 2006-04-30 06:55 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-05 00:52 . 2009-08-05 00:52 1193832 ----a-w- c:\windows\system32\FM20.DLL
2009-08-04 15:13 . 2006-04-30 06:55 2145280 ------w- c:\windows\system32\ntoskrnl.exe
2009-08-04 14:20 . 2004-08-03 22:59 2023936 ------w- c:\windows\system32\ntkrnlpa.exe
2009-08-03 20:07 . 2009-08-03 20:07 403816 ----a-w- c:\windows\system32\OGACheckControl.dll
2009-08-03 20:07 . 2009-08-03 20:07 322928 ----a-w- c:\windows\system32\OGAAddin.dll
2009-08-03 20:07 . 2009-08-03 20:07 230768 ----a-w- c:\windows\system32\OGAEXEC.exe
.

((((((((((((((((((((((((((((( SnapShot@2009-10-22_03.56.14 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-10-23 04:32 . 2009-10-23 04:32 16384 c:\windows\Temp\Perflib_Perfdata_3f8.dat
+ 2009-10-23 04:32 . 2009-10-23 04:32 16384 c:\windows\Temp\Perflib_Perfdata_38c.dat
+ 2009-10-23 02:57 . 2009-10-23 02:57 16384 c:\windows\Temp\Perflib_Perfdata_1fc.dat
+ 2006-04-30 06:55 . 2009-10-23 03:01 72306 c:\windows\system32\perfc009.dat
- 2006-04-30 06:55 . 2009-10-22 03:17 72306 c:\windows\system32\perfc009.dat
+ 2008-04-30 15:34 . 2009-10-22 17:36 88589 c:\windows\system32\Macromed\Flash\uninstall_activeX.exe
+ 2006-04-30 06:55 . 2009-10-23 03:01 444596 c:\windows\system32\perfh009.dat
- 2006-04-30 06:55 . 2009-10-22 03:17 444596 c:\windows\system32\perfh009.dat
+ 2009-07-18 03:12 . 2009-07-18 03:12 257440 c:\windows\system32\Macromed\Flash\FlashUtil10c.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-05-28 68856]
"ISUSPM"="c:\program files\Common Files\Installshield\UpdateService\ISUSPM.exe" [2006-09-11 218032]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PWRMGRTR"="c:\progra~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL" [2007-12-06 200704]
"BLOG"="c:\progra~1\ThinkPad\UTILIT~1\BatLogEx.DLL" [2007-12-06 208896]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2007-07-05 110592]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-07-05 512000]
"TPFNF7"="c:\program files\Lenovo\NPDIRECT\TPFNF7SP.exe" [2007-11-29 59168]
"TPHOTKEY"="c:\program files\Lenovo\HOTKEY\TPOSDSVC.exe" [2007-03-09 66176]
"EZEJMNAP"="c:\progra~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [2007-03-28 243248]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2007-04-09 1015808]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-09-07 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-09-07 162328]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-09-07 137752]
"TVT Scheduler Proxy"="c:\program files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe" [2008-03-04 487424]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-01-25 136600]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2006-02-02 122940]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-09-11 218032]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-09-11 86960]
"AwaySch"="c:\program files\Lenovo\AwayTask\AwaySch.EXE" [2006-11-07 91688]
"LPManager"="c:\progra~1\THINKV~1\PrdCtr\LPMGR.exe" [2007-04-26 120368]
"AMSG"="c:\program files\ThinkVantage\AMSG\Amsg.exe" [2007-02-01 419376]
"DiskeeperSystray"="c:\program files\Diskeeper Corporation\Diskeeper\DkIcon.exe" [2006-05-18 196696]
"ACTray"="c:\program files\ThinkPad\ConnectUtilities\ACTray.exe" [2007-07-05 413696]
"ACWLIcon"="c:\program files\ThinkPad\ConnectUtilities\ACWLIcon.exe" [2007-07-05 126976]
"cssauth"="c:\program files\Lenovo\Client Security Solution\cssauth.exe" [2007-08-03 2630968]
"vptray"="c:\progra~1\NavNT\vptray.exe" [2001-09-24 73728]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"hpbdfawep"="c:\program files\HP\Dfawep\bin\hpbdfawep.exe" [2006-07-12 626688]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
"Kaseya Agent Service Helper"="c:\program files\Kaseya\Agent\KaUsrTsk.exe" [2008-09-04 229376]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2008-03-06 236016]
"lahorovaj"="c:\windows\system32\viwafinu.dll" [BU]
"TpShocks"="TpShocks.exe" - c:\windows\system32\TpShocks.exe [2007-11-22 181536]
"dubewirusa"="behubaza.dll" [BU]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2008-3-21 50688]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegedit"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
2007-03-15 05:17 89600 ----a-w- c:\windows\system32\psqlpwd.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]
2006-09-06 07:37 34344 ------w- c:\program files\Lenovo\HOTKEY\notifyf2.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
2006-12-14 02:06 28672 ------w- c:\program files\Lenovo\HOTKEY\tphklock.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ACNotify]
2007-07-05 21:52 32768 ------w- c:\program files\ThinkPad\ConnectUtilities\ACNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\BitTornado\\btdownloadgui.exe"=
"c:\\Program Files\\RealVNC\\VNC4\\winvnc4.exe"=
"c:\\WINDOWS\\system32\\ibmpmsvc.exe"=
"c:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"=

R0 TPDIGIMN;TPDIGIMN;c:\windows\system32\drivers\ApsHM86.sys [10/16/2007 8:32 PM 19504]
R2 KaseyaAgent;Kaseya Agent;c:\program files\Kaseya\Agent\AgentMon.exe [8/11/2009 11:05 AM 610304]
R2 smihlp;SMI Helper Driver (smihlp);c:\program files\Common Files\ThinkVantage Fingerprint Software\Drivers\smihlp.sys [3/15/2007 12:10 AM 11152]
R2 TVT Backup Protection Service;TVT Backup Protection Service;c:\program files\Lenovo\Rescue and Recovery\rrpservice.exe [2/8/2007 3:11 PM 569344]
R3 TVTI2C;Lenovo SM bus driver;c:\windows\system32\drivers\tvti2c.sys [5/22/2007 5:59 PM 30336]
S3 NWUSBCDFIL;Novatel Wireless Installation CD;c:\windows\system32\drivers\NwUsbCdFil.sys [9/6/2007 3:30 PM 13824]
S3 NWUSBPort2;Novatel Wireless USB Status2 Port Driver;c:\windows\system32\drivers\nwusbser2.sys [10/12/2007 4:04 PM 99200]
.
Contents of the 'Scheduled Tasks' folder

2009-10-23 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-02-12 22:54]

2009-10-23 c:\windows\Tasks\PMTask.job
- c:\progra~1\ThinkPad\UTILIT~1\PWMIDTSK.EXE [2008-03-21 16:22]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
TCP: {8CAF0D74-2144-4947-B3F5-302C1D3EF0B0} = 68.28.178.91 68.28.186.91
DPF: Garmin Communicator Plug-In - hxxps://my.garmin.com/mygarmin/m/GarminAxControl.CAB
DPF: {6D2EF4B4-CB62-4C0B-85F3-B79C236D702C} - hxxps://register.facebook.com/controls/contactx.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-22 23:33
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1616)
c:\program files\ThinkPad\ConnectUtilities\ACNotify.dll
c:\program files\ThinkPad\ConnectUtilities\AcSvcStub.dll
c:\program files\ThinkPad\ConnectUtilities\AcLocSettings.dll
c:\program files\ThinkPad\ConnectUtilities\ACHelper.dll
c:\windows\system32\psqlpwd.dll
c:\program files\ThinkVantage Fingerprint Software\homefus2.dll
c:\program files\ThinkVantage Fingerprint Software\infra.dll
c:\program files\ThinkVantage Fingerprint Software\homepass.dll
c:\program files\ThinkVantage Fingerprint Software\bio.dll
c:\program files\ThinkVantage Fingerprint Software\ps2css.dll
c:\program files\ThinkVantage Fingerprint Software\crypto.dll
c:\program files\ThinkVantage Fingerprint Software\remote.dll
c:\program files\Lenovo\HOTKEY\tphklock.dll
c:\program files\ThinkVantage Fingerprint Software\pscssint.dll
c:\windows\system32\NavLogon.dll

- - - - - - - > 'explorer.exe'(2012)
c:\windows\system32\WININET.dll
c:\program files\Lenovo\Client Security Solution\tvtpwm_windows_hook.dll
c:\program files\Lenovo\Client Security Solution\tvt_passwordmanager.dll
c:\program files\Lenovo\Client Security Solution\css_banner.dll
c:\program files\Lenovo\Client Security Solution\csswait.dll
c:\windows\system32\cssuserdatadispatcher.dll
c:\program files\Lenovo\Client Security Solution\css_dlgcustompolicy.dll
c:\windows\system32\tvttsp.dll
c:\windows\system32\tcsrpc.dll
c:\program files\Common Files\Lenovo\tvt_think_res.dll
c:\program files\Lenovo\Client Security Solution\css_think_res.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ibmpmsvc.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\windows\system32\brss01a.exe
c:\windows\system32\IPSSVC.EXE
c:\program files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\NavNT\defwatch.exe
c:\program files\Diskeeper Corporation\Diskeeper\DkService.exe
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\NavNT\rtvscan.exe
c:\program files\Novatel Wireless\Sprint\Sprint PCS Connection Manager\OSCMUtilityService.exe
c:\windows\system32\HPZipm12.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\windows\system32\MsgSys.EXE
c:\program files\Sprint\Sierra Wireless\Sprint PCS Connection Manager\SPCSUtilityService.exe
c:\program files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
c:\windows\System32\TPHDEXLG.exe
c:\program files\Lenovo\Client Security Solution\tvttcsd.exe
c:\program files\Lenovo\Rescue and Recovery\rrservice.exe
c:\program files\Common Files\Lenovo\Scheduler\tvtsched.exe
c:\program files\RealVNC\VNC4\WinVNC4.exe
c:\program files\ThinkPad\ConnectUtilities\AcSvc.exe
c:\program files\lenovo\system update\suservice.exe
c:\program files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
c:\combo-fix6758c\CF7167.exe
c:\windows\system32\rundll32.exe
c:\program files\Lenovo\HOTKEY\TPONSCR.exe
c:\program files\Lenovo\Zoom\TpScrex.exe
c:\windows\system32\igfxsrvc.exe
c:\windows\system32\Rundll32.exe
c:\windows\system32\Rundll32.exe
c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
c:\program files\Lenovo\Client Security Solution\tvtpwm_tray.exe
c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\CPSHelpRunner.exe
c:\\?\c:\windows\system32\WBEM\WMIADAP.EXE
c:\combo-fix6758c\PEV.cfxxe
.
**************************************************************************
.
Completion time: 2009-10-23 23:37 - machine was rebooted
ComboFix-quarantined-files.txt 2009-10-23 04:37
ComboFix2.txt 2009-10-22 15:52
ComboFix3.txt 2009-10-22 04:01

Pre-Run: 76,915,408,896 bytes free
Post-Run: 77,233,893,376 bytes free

- - End Of File - - FD2FD1F72E127DA8FB9DE0E5425363BF

DDS (Ver_09-10-13.01) - NTFSx86
Run by TERMUSER at 23:38:37.71 on Thu 10/22/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.998.253 [GMT -5:00]


============== Running Processes ===============

C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\brss01a.exe
svchost.exe
C:\WINDOWS\system32\IPSSVC.EXE
C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Kaseya\Agent\AgentMon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\NavNT\rtvscan.exe
C:\Program Files\Novatel Wireless\Sprint\Sprint PCS Connection Manager\OSCMUtilityService.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\Program Files\Sprint\Sierra Wireless\Sprint PCS Connection Manager\SPCSUtilityService.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
C:\WINDOWS\System32\TPHDEXLG.exe
C:\Program Files\Lenovo\Rescue and Recovery\rrpservice.exe
C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe
c:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
c:\program files\lenovo\system update\suservice.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Lenovo\NPDIRECT\TPFNF7SP.exe
C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
C:\WINDOWS\system32\TpShocks.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe
C:\Program Files\Lenovo\Zoom\TpScrex.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Lenovo\AwayTask\AwaySch.EXE
C:\PROGRA~1\THINKV~1\PrdCtr\LPMGR.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
C:\Program Files\Lenovo\Client Security Solution\cssauth.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\NavNT\vptray.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\HP\Dfawep\bin\hpbdfawep.exe
C:\Program Files\Kaseya\Agent\KaUsrTsk.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Common Files\Installshield\UpdateService\ISUSPM.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
C:\Program Files\Lenovo\Client Security Solution\tvtpwm_tray.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\CPSHelpRunner.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\TERMUSER\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
uInternet Settings,ProxyOverride = *.local
BHO: Windows Live Toolbar Helper: {bdbd1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
BHO: 1 (0x1) - No File
TB: Windows Live Toolbar: {bdad1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [ISUSPM] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [PWRMGRTR] rundll32 c:\progra~1\thinkpad\utilit~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
mRun: [BLOG] rundll32 c:\progra~1\thinkpad\utilit~1\BatLogEx.DLL,StartBattLog
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [TPFNF7] c:\program files\lenovo\npdirect\TPFNF7SP.exe /r
mRun: [TPHOTKEY] c:\program files\lenovo\hotkey\TPOSDSVC.exe
mRun: [TpShocks] TpShocks.exe
mRun: [EZEJMNAP] c:\progra~1\thinkpad\utilit~1\EzEjMnAp.Exe
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [TVT Scheduler Proxy] c:\program files\common files\lenovo\scheduler\scheduler_proxy.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [AwaySch] c:\program files\lenovo\awaytask\AwaySch.EXE
mRun: [LPManager] c:\progra~1\thinkv~1\prdctr\LPMGR.exe
mRun: [AMSG] c:\program files\thinkvantage\amsg\Amsg.exe /startup
mRun: [DiskeeperSystray] "c:\program files\diskeeper corporation\diskeeper\DkIcon.exe"
mRun: [ACTray] c:\program files\thinkpad\connectutilities\ACTray.exe
mRun: [ACWLIcon] c:\program files\thinkpad\connectutilities\ACWLIcon.exe
mRun: [cssauth] "c:\program files\lenovo\client security solution\cssauth.exe" silent
mRun: [vptray] c:\progra~1\navnt\vptray.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [hpbdfawep] c:\program files\hp\dfawep\bin\hpbdfawep.exe 1
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [Kaseya Agent Service Helper] "c:\program files\kaseya\agent\KaUsrTsk.exe"
mRun: [RoxWatchTray] "c:\program files\common files\roxio shared\9.0\sharedcom\RoxWatchTray9.exe"
mRun: [lahorovaj] Rundll32.exe "c:\windows\system32\viwafinu.dll",a
mRun: [dubewirusa] Rundll32.exe "behubaza.dll",s
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
mPolicies-system: DisableRegedit = 0 (0x0)
IE: &Windows Live Search - c:\program files\windows live toolbar\msntb.dll/search.htm
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - c:\program files\pokerstars\PokerStarsUpdate.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {0045D4BC-5189-4b67-969C-83BB1906C421} - {0FE81B52-73FA-425F-8F06-3F32451AC73F} - c:\program files\lenovo\client security solution\tvtpwm_ie_com.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: Garmin Communicator Plug-In - hxxps://my.garmin.com/mygarmin/m/GarminAxControl.CAB
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} - hxxp://www.linkedin.com/cab/LinkedInContactFinderControl.cab
DPF: {6D2EF4B4-CB62-4C0B-85F3-B79C236D702C} - hxxps://register.facebook.com/controls/contactx.dll
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://beavex.webex.com/client/T26L/training/ieatgpc.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: {8CAF0D74-2144-4947-B3F5-302C1D3EF0B0} = 68.28.178.91 68.28.186.91
Notify: ACNotify - ACNotify.dll
Notify: igfxcui - igfxdev.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
Notify: psfus - c:\windows\system32\psqlpwd.dll
Notify: tpfnf2 - c:\program files\lenovo\hotkey\notifyf2.dll
Notify: tphotkey - c:\program files\lenovo\hotkey\tphklock.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R0 Shockprf;Shockprf;c:\windows\system32\drivers\ApsX86.sys [2007-10-16 103472]
R0 TPDIGIMN;TPDIGIMN;c:\windows\system32\drivers\ApsHM86.sys [2007-10-16 19504]
R1 ANC;ANC;c:\windows\system32\drivers\ANC.sys [2008-3-21 11520]
R1 IBMTPCHK;IBMTPCHK;c:\windows\system32\drivers\IBMBLDID.sys [2008-3-21 4224]
R1 TPPWRIF;TPPWRIF;c:\windows\system32\drivers\TPPWRIF.SYS [2008-3-21 4442]
R2 KaseyaAgent;Kaseya Agent;c:\program files\kaseya\agent\AgentMon.exe [2009-8-11 610304]
R2 smihlp;SMI Helper Driver (smihlp);c:\program files\common files\thinkvantage fingerprint software\drivers\smihlp.sys [2007-3-15 11152]
R2 TVT Backup Protection Service;TVT Backup Protection Service;c:\program files\lenovo\rescue and recovery\rrpservice.exe [2007-2-8 569344]
R3 TVTI2C;Lenovo SM bus driver;c:\windows\system32\drivers\tvti2c.sys [2007-5-22 30336]
S2 Nero BackItUp Scheduler 4.0;Nero BackItUp Scheduler 4.0;c:\program files\common files\nero\nero backitup 4\nbservice.exe --> c:\program files\common files\nero\nero backitup 4\NBService.exe [?]
S3 NWUSBCDFIL;Novatel Wireless Installation CD;c:\windows\system32\drivers\NwUsbCdFil.sys [2007-9-6 13824]
S3 NWUSBPort2;Novatel Wireless USB Status2 Port Driver;c:\windows\system32\drivers\nwusbser2.sys [2007-10-12 99200]

=============== Created Last 30 ================

2009-10-22 10:15 <DIR> --d----- C:\Combo-Fix
2009-10-21 22:37 <DIR> a-dshr-- C:\cmdcons
2009-10-21 22:33 236,544 a------- c:\windows\PEV.exe
2009-10-21 22:33 161,792 a------- c:\windows\SWREG.exe
2009-10-21 22:33 98,816 a------- c:\windows\sed.exe
2009-10-20 10:43 58 a------- c:\windows\wp4.dat
2009-10-20 10:43 1 a------- c:\windows\wp3.dat
2009-10-20 10:43 91 a------- c:\windows\system32\wwp.htm
2009-10-20 10:34 27,136 a------- c:\windows\system32\cpcp.cpo
2009-10-03 16:10 <DIR> --d----- c:\docume~1\termuser\applic~1\Office Genuine Advantage
2009-09-24 09:56 3,251 a------- c:\windows\system32\wbem\Outlook_01ca3d272223013e.mof

==================== Find3M ====================

2009-09-11 09:18 136,192 a------- c:\windows\system32\msv1_0.dll
2009-09-11 09:18 136,192 -------- c:\windows\system32\dllcache\msv1_0.dll
2009-09-10 14:54 38,224 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 14:53 19,160 a------- c:\windows\system32\drivers\mbam.sys
2009-09-04 16:03 58,880 a------- c:\windows\system32\msasn1.dll
2009-09-04 16:03 58,880 -------- c:\windows\system32\dllcache\msasn1.dll
2009-08-28 05:35 173,056 a------- c:\windows\system32\dllcache\ie4uinit.exe
2009-08-26 03:00 247,326 a------- c:\windows\system32\strmdll.dll
2009-08-26 03:00 247,326 -------- c:\windows\system32\dllcache\strmdll.dll
2009-08-06 19:24 327,896 a------- c:\windows\system32\dllcache\wucltui.dll
2009-08-06 19:24 209,632 a------- c:\windows\system32\dllcache\wuweb.dll
2009-08-06 19:24 35,552 a------- c:\windows\system32\dllcache\wups.dll
2009-08-06 19:24 53,472 a------- c:\windows\system32\dllcache\wuauclt.exe
2009-08-06 19:24 96,480 a------- c:\windows\system32\dllcache\cdm.dll
2009-08-06 19:23 575,704 a------- c:\windows\system32\dllcache\wuapi.dll
2009-08-06 19:23 1,929,952 a------- c:\windows\system32\dllcache\wuaueng.dll
2009-08-06 19:23 274,288 a------- c:\windows\system32\mucltui.dll
2009-08-06 19:23 215,920 a------- c:\windows\system32\muweb.dll
2009-08-05 04:01 204,800 a------- c:\windows\system32\mswebdvd.dll
2009-08-05 04:01 204,800 a------- c:\windows\system32\dllcache\mswebdvd.dll
2009-08-04 20:44 2,189,184 -------- c:\windows\system32\dllcache\ntoskrnl.exe
2009-08-04 19:52 1,193,832 a------- c:\windows\system32\FM20.DLL
2009-08-04 10:13 2,145,280 -------- c:\windows\system32\ntoskrnl.exe
2009-08-04 10:13 2,145,280 -------- c:\windows\system32\dllcache\ntkrnlmp.exe
2009-08-04 09:20 2,023,936 -------- c:\windows\system32\ntkrnlpa.exe
2009-08-04 09:20 2,023,936 -------- c:\windows\system32\dllcache\ntkrpamp.exe
2009-08-04 09:20 2,066,048 -------- c:\windows\system32\dllcache\ntkrnlpa.exe
2009-08-03 15:07 403,816 a------- c:\windows\system32\OGACheckControl.dll
2009-08-03 15:07 322,928 a------- c:\windows\system32\OGAAddin.dll
2009-08-03 15:07 230,768 a------- c:\windows\system32\OGAEXEC.exe
2009-07-08 22:44 256 -------- c:\documents and settings\termuser\pool.bin
2008-03-21 04:39 32,768 ac-sh--- c:\windows\system32\config\systemprofile\local settings\application data\microsoft\feeds cache\index.dat
2008-08-30 12:04 32,768 ac-sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008083020080831\index.dat

============= FINISH: 23:38:53.78 ===============

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Friday, October 23, 2009
Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Friday, October 23, 2009 07:22:48
Records in database: 3047906
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
C:\
D:\

Scan statistics:
Objects scanned: 76336
Threats found: 25
Infected objects found: 85
Suspicious objects found: 0
Scan duration: 02:05:57


File name / Threat / Threats count
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\015C0000.VBN Infected: Trojan.Win32.Agent.bgbt 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\015C0002.VBN Infected: not-a-virus:AdWare.Win32.SuperJuan.fzm 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\077C0000.VBN Infected: Trojan.HTML.Fraud.b 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\08200000.VBN Infected: Backdoor.Win32.UltimateDefender.igv 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\09800000.VBN Infected: not-a-virus:FraudTool.Win32.SpywareProtect2009.ae 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0ACC0000.VBN Infected: Trojan-Downloader.Win32.Boltolog.bhh 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0AD40000.VBN Infected: Trojan-Downloader.Win32.Suurch.hx 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0CB80000.VBN Infected: Trojan-PSW.Win32.Delf.dnc 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0CD00000.VBN Infected: Trojan-PSW.Win32.Delf.dnc 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0CF40000.VBN Infected: Trojan.Win32.Agent2.cgbr 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0D040000.VBN Infected: Trojan-PSW.Win32.Delf.dnc 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0D200000.VBN Infected: Trojan.HTML.Fraud.b 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0D780000.VBN Infected: Trojan-Dropper.SWF.Agent.c 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0DB40000.VBN Infected: Trojan.HTML.Fraud.b 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0DBC0000.VBN Infected: Trojan.HTML.Fraud.b 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0E540000.VBN Infected: Trojan-PSW.Win32.Delf.dnc 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0E600000.VBN Infected: not-a-virus:AdWare.Win32.SuperJuan.fzm 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0E840000.VBN Infected: Trojan-PSW.Win32.Delf.dnc 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0E900000.VBN Infected: Trojan-PSW.Win32.Delf.dnc 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0E900001.VBN Infected: Trojan-PSW.Win32.Delf.dnc 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0E980000.VBN Infected: Trojan-PSW.Win32.Delf.dnc 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0EA40000.VBN Infected: Trojan-Downloader.Win32.FraudLoad.vnla 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0EE00000.VBN Infected: Trojan.Win32.Pincav.ffx 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0EF00000.VBN Infected: Backdoor.Win32.UltimateDefender.igv 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0F2C0000.VBN Infected: Trojan-PSW.Win32.Delf.dnc 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0F380000.VBN Infected: Trojan-Downloader.Win32.FraudLoad.vnla 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0F380001.VBN Infected: Trojan-Downloader.Win32.FraudLoad.vnla 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0F3C0000.VBN Infected: Trojan-Downloader.Win32.FraudLoad.vnla 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0F400000.VBN Infected: Trojan.HTML.Fraud.b 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0FA00000.VBN Infected: Trojan.Win32.Agent.bzkw 1
C:\ntldrs Infected: Trojan-Spy.Win32.Zbot.gen 1
C:\Program Files\RealVNC\VNC4\wm_hooks.dll Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 1
C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\32532419\32532419.exe.vir Infected: Packed.Win32.Krap.x 1
C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\85840934\85840934.exe.vir Infected: Trojan.Win32.FraudPack.xek 1
C:\Qoobox\Quarantine\C\Documents and Settings\LocalService\ntuser.dll.vir Infected: Packed.Win32.Krap.ah 1
C:\Qoobox\Quarantine\C\Documents and Settings\TERMUSER\Application Data\lizkavd.exe.vir Infected: Packed.Win32.Krap.ah 1
C:\Qoobox\Quarantine\C\Documents and Settings\TERMUSER\Application Data\seres.exe.vir Infected: Packed.Win32.Krap.ah 1
C:\Qoobox\Quarantine\C\Documents and Settings\TERMUSER\Application Data\svcst.exe.vir Infected: Packed.Win32.Krap.ah 1
C:\Qoobox\Quarantine\C\Documents and Settings\TERMUSER\ntuser.dll.vir Infected: Packed.Win32.Krap.ah 1
C:\Qoobox\Quarantine\C\Documents and Settings\TERMUSER\Start Menu\Programs\Startup\scandisk.dll.vir Infected: Packed.Win32.Krap.ah 1
C:\Qoobox\Quarantine\C\Program Files\AdvancedVirusRemover\PAVRM.exe.vir Infected: Trojan.Win32.FraudPack.xdj 1
C:\Qoobox\Quarantine\C\Program Files\AntivirusPro_2010\AntivirusPro_2010.exe.vir Infected: Packed.Win32.Krap.ah 1
C:\Qoobox\Quarantine\C\Program Files\AntivirusPro_2010\AVEngn.dll.vir Infected: Packed.Win32.Krap.ah 1
C:\Qoobox\Quarantine\C\Program Files\AntivirusPro_2010\htmlayout.dll.vir Infected: Packed.Win32.Krap.ah 1
C:\Qoobox\Quarantine\C\Program Files\AntivirusPro_2010\Uninstall.exe.vir Infected: Packed.Win32.Krap.ah 1
C:\Qoobox\Quarantine\C\Program Files\AntivirusPro_2010\wscui.cpl.vir Infected: Packed.Win32.Krap.ah 1
C:\Qoobox\Quarantine\C\Program Files\Security Central\Security Central.exe.vir Infected: Packed.Win32.Krap.ah 1
C:\Qoobox\Quarantine\C\Program Files\Windows Police Pro\Windows Police Pro.exe.vir Infected: Trojan.Win32.FraudPack.wtb 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\behubaza.dll.vir Infected: Packed.Win32.TDSS.aa 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\calc.dll.vir Infected: Packed.Win32.Krap.ah 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\config\systemprofile\ntuser.dll.vir Infected: Packed.Win32.Krap.ah 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\doluwuhi.dll.vir Infected: Packed.Win32.TDSS.aa 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\dutuhabe.dll.vir Infected: Packed.Win32.TDSS.aa 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\jujujoju.dll.vir Infected: Packed.Win32.TDSS.aa 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\jujutoji.dll.vir Infected: Packed.Win32.TDSS.aa 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\nosadepu.exe.vir Infected: Trojan.Win32.FraudPack.xek 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\os4jrzkv4.dll.vir Infected: Packed.Win32.Krap.ah 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\sijorera.dll.vir Infected: Packed.Win32.TDSS.aa 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\winhelper.dll.vir Infected: Trojan.Win32.BHO.abfo 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\winupdate.exe.vir Infected: Trojan.Win32.FraudPack.xcs 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\_scui.cpl.vir Infected: Packed.Win32.Krap.ah 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\~.exe.vir Infected: Packed.Win32.Krap.ah 1
C:\Qoobox\Quarantine\[4]-Submit_2009-10-22_10.36.03.zip Infected: Trojan.Win32.FraudPack.xcs 2
C:\Qoobox\Quarantine\[4]-Submit_2009-10-22_10.36.03.zip Infected: Packed.Win32.TDSS.aa 4
C:\Qoobox\Quarantine\[4]-Submit_2009-10-22_10.36.03.zip Infected: Trojan-Spy.Win32.Zbot.gen 1
C:\Qoobox\Quarantine\[4]-Submit_2009-10-22_10.36.03.zip Infected: Packed.Win32.Krap.ah 1
C:\Qoobox\Quarantine\[4]-Submit_2009-10-22_10.36.03.zip Infected: Trojan.Win32.Scar.zmi 1
C:\Qoobox\Quarantine\[4]-Submit_2009-10-22_10.36.03.zip Infected: Packed.Win32.Krap.x 2
C:\System Volume Information\_restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP1\A0000095.exe Infected: Trojan.Win32.FraudPack.xek 1
C:\System Volume Information\_restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP1\A0000101.exe Infected: Trojan.Win32.FraudPack.xcs 1
C:\System Volume Information\_restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP1\A0000103.exe Infected: Packed.Win32.TDSS.aa 1
C:\System Volume Information\_restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP1\A0000104.exe Infected: Packed.Win32.Krap.ah 1
C:\System Volume Information\_restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP1\A0000105.exe Infected: Trojan-Spy.Win32.Zbot.gen 1
C:\System Volume Information\_restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP1\A0000108.dll Infected: Packed.Win32.TDSS.aa 1
C:\System Volume Information\_restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP1\A0000113.dll Infected: Packed.Win32.TDSS.aa 1
C:\System Volume Information\_restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP1\A0000115.exe Infected: Trojan.Win32.FraudPack.xek 1
C:\System Volume Information\_restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP1\A0000118.dll Infected: Packed.Win32.TDSS.aa 1
C:\System Volume Information\_restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP1\A0000119.dll Infected: Packed.Win32.TDSS.aa 1
C:\System Volume Information\_restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP1\A0000456.dll Infected: Packed.Win32.TDSS.aa 1
C:\WINDOWS\system32\cpcp.cpo Infected: Backdoor.Win32.Bredavi.aok 1

Selected area has been scanned.

Thanks
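The report above mixes three very different kinds of hit: objects Norton and ComboFix have already quarantined, copies sitting in System Restore points, and files still live on the running system. The following triage script is an added example, not part of jetro's post or of any Kaspersky tool; it assumes the line format shown above (`<path> Infected: <threat> <count>`), the sample lines are excerpted from that report, and the quarantine/restore-point classification rules are heuristics chosen for this illustration.

```python
"""Triage a Kaspersky Online Scanner report: separate live detections from
objects that another tool has already quarantined or that only survive in a
System Restore point."""
import re
from collections import Counter

# Constructed sample: a subset of the report lines quoted in the post above.
SAMPLE_REPORT = r"""File name / Threat / Threats count
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\015C0000.VBN Infected: Trojan.Win32.Agent.bgbt 1
C:\ntldrs Infected: Trojan-Spy.Win32.Zbot.gen 1
C:\Program Files\RealVNC\VNC4\wm_hooks.dll Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\behubaza.dll.vir Infected: Packed.Win32.TDSS.aa 1
C:\Qoobox\Quarantine\[4]-Submit_2009-10-22_10.36.03.zip Infected: Packed.Win32.TDSS.aa 4
C:\System Volume Information\_restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP1\A0000105.exe Infected: Trojan-Spy.Win32.Zbot.gen 1
C:\WINDOWS\system32\cpcp.cpo Infected: Backdoor.Win32.Bredavi.aok 1

Selected area has been scanned.
"""

# Path may contain spaces; the threat name never does; the count is an integer.
LINE_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<threat>\S+) (?P<count>\d+)$")


def parse_report(text):
    """Return (path, threat, count) for every detection line, skipping headers/footers."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            findings.append((m.group("path"), m.group("threat"), int(m.group("count"))))
    return findings


def classify(path, threat):
    """Heuristic (assumption for this example): decide whether a hit still matters.
    Quarantine stores (Symantec's Quarantine folder, ComboFix's Qoobox) hold renamed,
    inert copies; restore points are only re-activated by System Restore; 'not-a-virus'
    hits are riskware (here a VNC hook DLL) that needs a human judgement call."""
    lower = path.lower()
    if "\\quarantine\\" in lower:
        return "quarantined"
    if "\\system volume information\\_restore" in lower:
        return "restore_point"
    if threat.startswith("not-a-virus:"):
        return "riskware"
    return "live"


def family(threat):
    """Kaspersky names follow Type.Platform.Family.Variant; return the family part."""
    parts = threat.split(":", 1)[-1].split(".")
    return parts[2] if len(parts) >= 3 else parts[-1]


def triage(text):
    """Group detections by class and count malware families among the live hits."""
    groups = {"live": [], "riskware": [], "quarantined": [], "restore_point": []}
    families = Counter()
    for path, threat, count in parse_report(text):
        kind = classify(path, threat)
        groups[kind].append(path)
        if kind == "live":
            families[family(threat)] += count
    return groups, families


if __name__ == "__main__":
    groups, families = triage(SAMPLE_REPORT)
    for kind, paths in groups.items():
        print(f"{kind}: {len(paths)}")
        for p in paths:
            print("   ", p)
    print("live families:", dict(families))
```

Run against the full report, the "live" bucket is what the helper reacts to in the next post: C:\ntldrs and C:\WINDOWS\system32\cpcp.cpo, which is why those two paths (and not the dozens of quarantined copies) go into the CFScript.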

#12 JSntgRvr

JSntgRvr
    Master Surgeon General
  • Malware Response Team
  • 11,958 posts
  • Gender:Male
  • Location:Puerto Rico

Posted 23 October 2009 - 06:40 PM

Hi, jetro :(

We still have something producing bad files. Please upload the following zipped file here:

C:\Qoobox\Quarantine\[4]-Submit_2009-10-22_10.36.03.zip

Please include a link to this topic in the message.

++++++++++++++++++++++++++++++++++++++++++

  • Copy the entire contents of the Quote Box below to Notepad.
  • Name the file as CFScript.txt
  • Change the Save as Type to All Files
  • and Save it on the desktop

File::
C:\WINDOWS\system32\cpcp.cpo

Suspect::
C:\ntldrs

[image: dragging CFScript.txt onto ComboFix.exe]

Once saved, referring to the picture above, drag CFScript.txt into ComboFix.exe, and post back the resulting report.

Additionally, ComboFix will generate another zipped file in C:\Qoobox\Quarantine\ called Submit [Date Time].zip that will correspond to this date.

Please also submit this file as you did above.

One of these files is the Windows XP Boot file. Do you have the XP installation CD to replace this file?

No request for help through private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!


#13 jetro

jetro
  • Topic Starter
  • Members
  • 14 posts

Posted 23 October 2009 - 09:46 PM

ok both files were submitted successfully!
No, unfortunately I don't have the disk!

#14 JSntgRvr

JSntgRvr
    Master Surgeon General
  • Malware Response Team
  • 11,958 posts
  • Gender:Male
  • Location:Puerto Rico

Posted 23 October 2009 - 10:42 PM

Hi, jetro :(

That is a real nasty. It is a backdoor Trojan.

These are the most dangerous, and most widespread, type of Trojan. Backdoor Trojans provide the author or ‘master’ of the Trojan with remote ‘administration’ of victim machines. Unlike legitimate remote administration utilities, they install, launch and run invisibly, without the consent or knowledge of the user. Once installed, backdoor Trojans can be instructed to send, receive, execute and delete files, harvest confidential data from the computer, log activity on the computer and more.

If this computer is ever used for on-line banking, I suggest you do the following IMMEDIATELY:
  • Call all of your banks, credit card companies, financial institutions and inform them that you may be a victim of identity theft and to put a watch on your accounts or change all your account numbers.
  • From a clean computer, change ALL your on-line passwords for email, for banks, financial accounts, PayPal, eBay, on-line companies, any on-line forums or groups you belong to.
Do NOT change passwords or do any transactions while using the infected computer because the attacker will get the new passwords and transaction information. Please refrain from using this computer for online-banking/financial purpose until we give it all clear.

Although I would never ask a member to reformat, you should be thinking of doing so, as it will be the only solution that would, without a doubt, remove all traces.

Going back to the fix, two files may need to be replaced, C:\ntldr and C:\ntdetect.com. These are the files XP uses to boot. Without these files XP won't boot. Chances are you may also need to create a new boot sector. For this, however, you will need to obtain an installation CD.

Let's take a deeper look:

Download GMER from Here. Note the file's name and save it to your root folder, such as C:\.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security program drivers will not conflict with this file.
  • Click on this link to see a list of programs that should be disabled.
  • Double-click on the downloaded file to start the program. (If running Vista, right click on it and select "Run as an Administrator")
  • Allow the driver to load if asked.
  • You may be prompted to scan immediately if it detects rootkit activity.
  • If you are prompted to scan your system click "No", save the log and post back the results.
  • If not prompted, click the "Rootkit/Malware" tab.
  • On the right-side, all items to be scanned should be checked by default except for "Show All". Leave that box unchecked.
  • Select all drives that are connected to your system to be scanned.
  • Click the Scan button to begin. (Please be patient as it can take some time to complete)
  • When the scan is finished, click Save to save the scan results to your Desktop.
  • Save the file as Results.log and copy/paste the contents in your next reply.
  • Exit the program and re-enable all active protection when done.
Please also download MBR.EXE by GMER. Save the file in your Root directory, C:\, then bring your computer to a Command prompt.

Go to Start -> Run, type CMD and click OK. At the prompt type the following and press Enter after each command:

cd C:\
MBR.EXE -t


The program will check the Master Boot Record and will produce a report. Post the contents of that report in your next reply.

Type Exit at the Command prompt and press Enter to return back to Windows.

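The MBR.EXE check requested above works by reading sector 0 twice, once through the ordinary user-mode device path and once at the lowest level of the disk stack, and comparing the two: a stealth MBR rootkit (Mebroot/Sinowal) hooks the disk driver and hands readers the original sector while the real one carries its loader, so the two views differ. The script below is an added example that is not part of this post or of GMER's tool; it assumes the standard MBR layout (440 bytes of boot code, 4-byte disk signature, 2 reserved bytes, four 16-byte partition entries, 0x55AA), and the boot-code bytes, disk signature and partition entry are constructed stand-ins, not the real Windows XP loader or jetro's disk.

```python
"""Parse a 512-byte MBR and emulate the user-vs-kernel comparison that stealth
MBR rootkit detectors perform. All sample data below is constructed."""
import hashlib
import struct

SECTOR = 512

# Constructed stand-ins (assumptions for this example, not real loader bytes).
CLEAN_BOOT_CODE = b"\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 16
INFECTED_BOOT_CODE = b"\xea\x00\x7c\x00\x00" + b"\x90" * 16   # far-jump into a hidden loader
DISK_SIG = 0x1234ABCD
PARTITIONS = [(0x80, 0x07, 63, 2048000)]   # (status, type NTFS, LBA start, sector count)


def build_mbr(boot_code, disk_sig, partitions):
    """Assemble a 512-byte MBR. CHS fields are obsolete and zeroed; LBA fields carry the geometry."""
    if len(boot_code) > 440 or len(partitions) > 4:
        raise ValueError("boot code must fit in 440 bytes and at most 4 partitions allowed")
    code = boot_code.ljust(440, b"\x00")
    table = b"".join(
        struct.pack("<B3sB3sII", status, b"\x00\x00\x00", ptype, b"\x00\x00\x00", lba, count)
        for status, ptype, lba, count in partitions
    ).ljust(64, b"\x00")
    return code + struct.pack("<I", disk_sig) + b"\x00\x00" + table + b"\x55\xaa"


def parse_mbr(sector):
    """Return signature validity, disk signature, boot-code hash and the used partition entries."""
    if len(sector) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        status, ptype, lba, count = struct.unpack_from("<B3xB3xII", sector, 446 + 16 * i)
        if ptype != 0:   # type 0 marks an unused slot
            partitions.append({"bootable": status == 0x80, "type": ptype,
                               "lba_start": lba, "sectors": count})
    return {
        "valid_signature": sector[510:512] == b"\x55\xaa",
        "disk_signature": struct.unpack_from("<I", sector, 440)[0],
        "boot_code_sha256": hashlib.sha256(sector[:440]).hexdigest(),
        "partitions": partitions,
    }


def compare_views(user_view, kernel_view):
    """The same sector read via the user-mode device path and via the lowest disk
    driver must be byte-identical; any difference means a layer in between is
    filtering reads. Returns a list of findings, empty when the views agree."""
    findings = []
    u, k = parse_mbr(user_view), parse_mbr(kernel_view)
    if user_view != kernel_view:
        findings.append("user and kernel MBR differ: read filtering (stealth rootkit) suspected")
    if not k["valid_signature"]:
        findings.append("kernel view lacks the 0x55AA boot signature")
    if u["boot_code_sha256"] != k["boot_code_sha256"]:
        findings.append("boot code differs between views")
    if u["partitions"] != k["partitions"]:
        findings.append("partition table differs between views")
    return findings


def report(user_view, kernel_view):
    """One-line verdict in the style of the tool's output."""
    findings = compare_views(user_view, kernel_view)
    return "user & kernel MBR OK" if not findings else "; ".join(findings)


if __name__ == "__main__":
    clean = build_mbr(CLEAN_BOOT_CODE, DISK_SIG, PARTITIONS)
    # A bootkit replaces the loader but keeps the partition table so the system still boots,
    # and a stealth hook serves the original sector to user-mode readers.
    infected = build_mbr(INFECTED_BOOT_CODE, DISK_SIG, PARTITIONS)
    print("healthy disk:  ", report(clean, clean))
    print("hooked disk:   ", report(clean, infected))
```

Note what the comparison does and does not prove: identical views (jetro's "user & kernel MBR OK" below) show that nothing is filtering the read, but a bootkit that does not bother to hide would pass this check too, which is why a baseline hash of the boot code, or a comparison against a known-good loader, is the complementary test.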


#15 jetro

jetro
  • Topic Starter
  • Members
  • 14 posts

Posted 24 October 2009 - 12:58 AM

Ok doing as you suggest concerning passwords, etc.
When I try to run GMER it runs for several minutes then the computer goes blue saying it is shutting down to protect the computer, serious error, etc.
It then restarts. Tried 2 times with this result.
Ran MBR and here are the results:
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll iaStor.sys
kernel: MBR read successfully
user & kernel MBR OK

Thanks!!



