Can Someone Please Help Me?


This topic is locked
18 replies to this topic

#1 chadt
  • Members
  • 28 posts

Posted 09 November 2009 - 02:45 AM

Our family computer has been running extremely slowly. It all began a few days ago, so I suspect this computer is infected. Can someone please take a look at my HijackThis log? Also, we have AVG for virus protection, but there is no firewall with it. Where can I get one from? Is AVG good virus protection?

Thank you in advance.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:41:57 PM, on 11/8/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16915)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\hphmon06.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\ALCWZRD.EXE
C:\WINDOWS\ALCMTR.EXE
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\AVG\AVG9\avgscanx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
F2 - REG:system.ini: Shell=Explorer.exe logon.exe
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\YTSingleInstance.dll
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HPHUPD06] c:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe
O4 - HKLM\..\Run: [HPHmon06] C:\WINDOWS\system32\hphmon06.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo1.walgreens.com/WalgreensActivia.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
O20 - AppInit_DLLs: vijobaje.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O21 - SSODL: SysNet - {6FCE8D4B-C782-447C-B77C-524FE679B558} - C:\Documents and Settings\All Users\Microsoft AData\sysnet.dll (file missing)
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

--
End of file - 8137 bytes

#2 chadt
  • Topic Starter
  • Members
  • 28 posts

Posted 12 November 2009 - 11:29 PM

Can someone please help me out? I'll post a new HijackThis log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:28:14 PM, on 11/12/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16915)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\AppRanger\SWSvc.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\hphmon06.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\ALCWZRD.EXE
C:\WINDOWS\ALCMTR.EXE
C:\Program Files\QuickTime\QTTask.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\Program Files\AppRanger\SWTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
F2 - REG:system.ini: Shell=Explorer.exe logon.exe
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: AppRanger IE Sandbox - {1ec7abb1-e555-404b-901c-6d24af4ce44d} - C:\Program Files\AppRanger\TSBoxIE.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\YTSingleInstance.dll
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HPHUPD06] c:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe
O4 - HKLM\..\Run: [HPHmon06] C:\WINDOWS\system32\hphmon06.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
O4 - HKLM\..\Run: [SWTray] C:\Program Files\AppRanger\SWTray.exe
O4 - HKLM\..\Run: [personalguard] C:\Program Files\Personal Guard 2009\personalguard.exe
O4 - HKLM\..\Run: [reluzovew] Rundll32.exe "c:\windows\system32\pusalazi.dll",a
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo1.walgreens.com/WalgreensActivia.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
O20 - AppInit_DLLs: wirubifa.dll c:\windows\system32\sohoyota.dll c:\windows\system32\pusalazi.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O21 - SSODL: SysNet - {6FCE8D4B-C782-447C-B77C-524FE679B558} - C:\Documents and Settings\All Users\Microsoft AData\sysnet.dll (file missing)
O21 - SSODL: fejegopeg - {13aa5007-50a7-4aaa-8141-939829fe74a7} - c:\windows\system32\pusalazi.dll
O22 - SharedTaskScheduler: mujuzedij - {13aa5007-50a7-4aaa-8141-939829fe74a7} - c:\windows\system32\pusalazi.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AppRanger Service (apprngr_svc) - AppRanger, Inc. - C:\Program Files\AppRanger\SWSvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

--
End of file - 8837 bytes

#3 Farbar
  • Security Developer
  • 21,714 posts
  • Location:The Netherlands

Posted 13 November 2009 - 07:37 PM

Hi chadt,

Welcome to the BC HijackThis forum. I am farbar. I am going to assist you with your problem.

Please refrain from making any changes to your system (scanning or running other tools, updating Windows, installing applications, removing files, etc.) from now on as it might interfere with our fixes. Please let me know in your next reply if you agree with this.

Your computer is infected. We will attend to your questions after cleaning the computer.

If you still need assistance, please go through Preparation Guide For Use Before Using HijackThis and other Malware Removal Tools, Instructions for receiving help in cleaning your computer, and copy and paste both DDS logs and the RootRepeal log.

#4 chadt
  • Topic Starter
  • Members
  • 28 posts

Posted 14 November 2009 - 05:30 AM

Hi Farbar,
Yes, I agree not to make any changes to my system. Thanks! Just let me know what I need to do to fix it. Thank you in advance.

#5 Farbar
  • Security Developer
  • 21,714 posts
  • Location:The Netherlands

Posted 14 November 2009 - 06:04 AM

Hi again chadt,

Please do all the steps fully.
  • Please open HijackThis and choose "Do a system scan only". Check the boxes next to ONLY the entries listed below (if present):

    O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
    O4 - HKLM\..\Run: [reluzovew] Rundll32.exe "c:\windows\system32\pusalazi.dll",a
    O20 - AppInit_DLLs: wirubifa.dll c:\windows\system32\sohoyota.dll c:\windows\system32\pusalazi.dll
    O21 - SSODL: fejegopeg - {13aa5007-50a7-4aaa-8141-939829fe74a7} - c:\windows\system32\pusalazi.dll
    O22 - SharedTaskScheduler: mujuzedij - {13aa5007-50a7-4aaa-8141-939829fe74a7} - c:\windows\system32\pusalazi.dll


    Now close all windows other than HijackThis, including browsers, so that nothing other than HijackThis is open, then click Fix Checked. A box will pop up asking you if you wish to fix the selected items. Please choose YES. Once it has fixed them, please exit/close HijackThis.

  • Reboot the computer.

  • Please perform the following scan:
    • Download DDS by sUBs from the following links. Save it to your desktop.
    • Double click on the DDS icon, allow it to run. When done it will open two logs:
      • DDS.txt
      • Attach.txt
    • Copy and paste the logs to your reply.
  • Download GMER Rootkit Scanner from here or here.
    • Extract the contents of the zipped file to desktop.
    • Temporarily disable any real-time active protection so your security program drivers will not conflict with gmer's driver.
    • Click on this link to see a list of programs that should be disabled.
    • Disconnect from the Internet and close all running programs.
    • Double click GMER.exe. If asked to allow the gmer.sys driver to load, please consent.
    • If it gives you a warning about rootkit activity and asks if you want to run a scan, click on NO.
    • In the right panel, you will see several boxes that have been checked. Make sure the following are unchecked:
      • Sections
      • IAT/EAT
      • Drives/Partition other than C:\ drive (C:\ drive should remain checked)
      • Show All (don't miss this one)
    • Then click the Scan button & wait for it to begin. (Please be patient as it can take some time to complete).
    • When the scan is finished, you will see the Scan button appear again. Click Save to save the scan results to your Desktop.
    • Save the file as gmer.log and copy/paste the contents in your next reply.

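As an added example (not code from this thread, from HijackThis or from DDS), here is a small Python triage script that applies the kind of checks the helper applied by eye to the O4/O20/O21/O22 entries in the fix list above, run over constructed sample lines in the HijackThis line format. The alternating consonant/vowel name heuristic is an assumption drawn from the DLL names in these logs, and SAMPLE_LOG, analyze and fix_list are names chosen here.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample in the HijackThis v2.0.2 line format used in this thread:
# benign entries placed beside the load points the helper singled out.
SAMPLE_LOG = r"""
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
O4 - HKLM\..\Run: [reluzovew] Rundll32.exe "c:\windows\system32\pusalazi.dll",a
O20 - AppInit_DLLs: wirubifa.dll c:\windows\system32\sohoyota.dll c:\windows\system32\pusalazi.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O21 - SSODL: SysNet - {6FCE8D4B-C782-447C-B77C-524FE679B558} - C:\Documents and Settings\All Users\Microsoft AData\sysnet.dll (file missing)
O21 - SSODL: fejegopeg - {13aa5007-50a7-4aaa-8141-939829fe74a7} - c:\windows\system32\pusalazi.dll
O22 - SharedTaskScheduler: mujuzedij - {13aa5007-50a7-4aaa-8141-939829fe74a7} - c:\windows\system32\pusalazi.dll
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
"""

ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<body>.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
DLL_RE = re.compile(r"([A-Za-z0-9_~-]+)\.dll\b", re.IGNORECASE)
VOWELS = set("aeiou")


def looks_generated(stem: str) -> bool:
    """Heuristic (an assumption drawn from this thread's logs, not a HijackThis
    rule): eight lowercase letters alternating consonant/vowel, the shape of
    every rogue DLL name here (pusalazi, sohoyota, wirubifa, vepekoda, ...)."""
    if len(stem) != 8 or not stem.isalpha() or not stem.islower():
        return False
    return all((ch in VOWELS) == (i % 2 == 1) for i, ch in enumerate(stem))


@dataclass
class Finding:
    line: str           # the HijackThis entry exactly as logged
    reasons: List[str]  # why a reviewer should look at it


def analyze(log_text: str) -> List[Finding]:
    """Walk a HijackThis log and return the entries worth a second look."""
    entries = [m for m in (ENTRY_RE.match(l.strip()) for l in log_text.splitlines()) if m]

    # Count how many load points register the same CLSID; one component sitting
    # under both SSODL (O21) and SharedTaskScheduler (O22) is the pattern here.
    clsid_uses: Dict[str, int] = {}
    for m in entries:
        for clsid in CLSID_RE.findall(m.group("body")):
            clsid_uses[clsid.lower()] = clsid_uses.get(clsid.lower(), 0) + 1

    findings: List[Finding] = []
    for m in entries:
        section, body = m.group("section"), m.group("body")
        reasons: List[str] = []

        # O20 AppInit_DLLs is loaded into every process that links user32.dll;
        # legitimate software almost never needs it, so any value gets reviewed.
        if section == "O20" and body.startswith("AppInit_DLLs:"):
            dlls = body.split(":", 1)[1].split()
            if dlls:
                reasons.append(f"AppInit_DLLs injects {len(dlls)} DLL(s) into every process")

        # O4 Run key that starts a DLL export through rundll32 instead of an EXE.
        if section == "O4" and re.search(r"\brundll32(?:\.exe)?\b", body, re.IGNORECASE):
            reasons.append("Run key launches a DLL through Rundll32")

        # Shell load point whose target file no longer exists.
        if section in ("O21", "O22") and body.endswith("(file missing)"):
            reasons.append("shell load point references a missing file")

        # Generated-looking DLL name anywhere in the entry.
        for stem in DLL_RE.findall(body):
            if looks_generated(stem.lower()):
                reasons.append(f"generated-looking DLL name {stem}.dll")
                break

        # Same CLSID registered under more than one shell load point.
        if section in ("O21", "O22"):
            for clsid in CLSID_RE.findall(body):
                if clsid_uses[clsid.lower()] > 1:
                    reasons.append(f"CLSID {clsid} registered under more than one load point")
                    break

        if reasons:
            findings.append(Finding(m.group(0), reasons))
    return findings


def fix_list(log_text: str) -> List[str]:
    """The flagged entries in log order, the form a helper pastes back as a fix list."""
    return [f.line for f in analyze(log_text)]


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding.line)
        for reason in finding.reasons:
            print("    ->", reason)
```

These checks only point a reviewer at entries; the Alcmtr entry in the fix list above was chosen on judgement rather than by any such rule, so the log still needs a human reading.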

#6 chadt
  • Topic Starter
  • Members
  • 28 posts

Posted 14 November 2009 - 07:52 AM

DDS (Ver_09-10-26.01) - NTFSx86
Run by HP_Administrator at 4:29:23.06 on Sat 11/14/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.511.61 [GMT -8:00]


============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\AppRanger\SWSvc.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\AppRanger\SWTray.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\hphmon06.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\ALCWZRD.EXE
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\HP_Administrator\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com
uSearch Page = hxxp://www.google.com
uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q404&bd=pavilion&pf=desktop
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q404&bd=pavilion&pf=desktop
uSearch Bar = hxxp://www.google.com/ie
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q404&bd=pavilion&pf=desktop
uInternet Settings,ProxyOverride = *.local
mSearchAssistant = hxxp://www.google.com
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn1\yt.dll
mWinlogon: Shell=Explorer.exe logon.exe
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn1\yt.dll
BHO: AppRanger IE Sandbox Class: {1ec7abb1-e555-404b-901c-6d24af4ce44d} - c:\program files\appranger\TSBoxIE.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn1\YTSingleInstance.dll
TB: HP view: {b2847e28-5d7d-4deb-8b67-05d28bcf79f5} - c:\program files\hp\digital imaging\bin\HPDTLK02.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn1\yt.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Messenger (Yahoo!)] "c:\program files\yahoo!\messenger\YahooMessenger.exe" -quiet
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [SunJavaUpdateSched] c:\program files\java\j2re1.4.2_03\bin\jusched.exe
mRun: [hpsysdrv] c:\windows\system\hpsysdrv.exe
mRun: [HPHUPD06] c:\program files\hp\{aac4fc36-8f89-4587-8dd3-ebc57c83374d}\hphupd06.exe
mRun: [HPHmon06] c:\windows\system32\hphmon06.exe
mRun: [KBD] c:\hp\kbd\KBD.EXE
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [PS2] c:\windows\system32\ps2.exe
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [AlcWzrd] ALCWZRD.EXE
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
mRun: [<NO NAME>]
mRun: [SWTray] c:\program files\appranger\SWTray.exe
mRun: [personalguard] c:\program files\personal guard 2009\personalguard.exe
mRun: [reluzovew] Rundll32.exe "c:\windows\system32\vepekoda.dll",a
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {08B0E5C0-4FCB-11CF-AAA5-00401C608501}
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\mi1933~1\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office12\REFIEBAR.DLL
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://photo1.walgreens.com/WalgreensActivia.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxsrvc.dll
AppInit_DLLs: c:\windows\system32\vepekoda.dll,figovafa.dll
SSODL: SysNet - {6FCE8D4B-C782-447C-B77C-524FE679B558} - c:\documents and settings\all users\microsoft adata\sysnet.dll
SSODL: betafures - {7264ba75-52de-49e9-ab20-11f0f9794e88} - c:\windows\system32\vepekoda.dll
STS: mujuzedij: {7264ba75-52de-49e9-ab20-11f0f9794e88} - c:\windows\system32\vepekoda.dll
LSA: Notification Packages = scecli safodaru.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\hp_adm~1\applic~1\mozilla\firefox\profiles\nrbitfyi.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - plugin: c:\documents and settings\hp_administrator\application data\move networks\plugins\npqmp071505000010.dll
FF - plugin: c:\documents and settings\hp_administrator\local settings\application data\yahoo!\browserplus\2.4.17\plugins\npybrowserplus_2.4.17.dll
FF - plugin: c:\program files\java\j2re1.4.2_03\bin\NPJava11.dll
FF - plugin: c:\program files\java\j2re1.4.2_03\bin\NPJava12.dll
FF - plugin: c:\program files\java\j2re1.4.2_03\bin\NPJava13.dll
FF - plugin: c:\program files\java\j2re1.4.2_03\bin\NPJava14.dll
FF - plugin: c:\program files\java\j2re1.4.2_03\bin\NPJava32.dll
FF - plugin: c:\program files\java\j2re1.4.2_03\bin\NPJPI142_03.dll
FF - plugin: c:\program files\java\j2re1.4.2_03\bin\NPOJI610.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R1 apprngr;AppRanger Scan Driver;c:\windows\system32\drivers\apprngr.sys [2009-10-7 207872]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-11-8 333192]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-11-8 360584]
R2 apprngr_svc;AppRanger Service;c:\program files\appranger\SWSvc.exe [2009-10-7 1044554]
R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2009-11-8 285392]
R2 YahooAUService;Yahoo! Updater;c:\program files\yahoo!\softwareupdate\YahooAUService.exe [2008-11-9 602392]

============== File Associations ===============

regfile="%1" %*

=============== Created Last 30 ================

2009-11-11 03:40:47 0 d-----w- c:\program files\Personal Guard 2009
2009-11-09 16:37:06 0 d-----w- c:\windows\logs
2009-11-09 16:37:06 0 d-----w- c:\docume~1\alluse~1\applic~1\AppRanger
2009-11-09 16:36:56 0 d-----w- c:\program files\AppRanger
2009-11-09 07:26:12 0 d-----w- C:\VundoFix Backups
2009-11-09 06:02:58 0 d--h--w- C:\$AVG
2009-11-09 06:02:41 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-11-09 06:02:41 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2009-11-09 06:02:35 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-11-09 06:02:24 0 d-----w- c:\windows\system32\drivers\Avg
2009-11-09 06:02:06 0 d-----w- c:\program files\AVG
2009-11-09 06:02:04 0 d-----w- c:\docume~1\alluse~1\applic~1\avg9
2009-11-09 05:38:04 0 d-----w- c:\windows\system32\appmgmt
2009-11-09 05:00:15 2713 --sh--w- c:\windows\system32\puwareda.dll
2009-11-09 04:53:16 114 ---ha-w- C:\aaw7boot.cmd
2009-11-09 03:59:05 38352 ----a-w- c:\windows\regred.exe
2009-11-09 03:59:04 51197 ----a-w- c:\windows\spoov.exe
2009-11-09 03:59:04 47872 ----a-w- c:\windows\certsystem.exe
2009-11-09 03:59:04 33149 ----a-w- c:\windows\usexplorer.exe
2009-11-09 02:08:53 0 dc-h--w- c:\docume~1\alluse~1\applic~1\~0
2009-11-09 01:50:44 0 d-----w- c:\program files\Trend Micro
2009-11-08 18:05:44 31616 -c--a-w- c:\windows\system32\dllcache\usbccgp.sys
2009-11-08 18:05:44 31616 ----a-w- c:\windows\system32\drivers\usbccgp.sys
2009-11-08 04:58:01 91648 --sh--w- c:\windows\system32\vigoyusu.dll
2009-11-08 04:57:56 39424 --sh--w- c:\windows\system32\gekohani.dll
2009-11-07 10:07:59 28320 ----a-w- c:\windows\securits.com
2009-11-07 10:07:59 18941 ----a-w- c:\windows\microsoftdef.dll
2009-11-07 10:07:48 0 d-----w- c:\documents and settings\all users\Microsoft AData
2009-10-22 20:55:06 0 d-----w- c:\windows\system32\XPSViewer
2009-10-22 20:53:58 117760 ------w- c:\windows\system32\prntvpt.dll
2009-10-22 20:53:57 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-10-22 20:53:57 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-10-22 20:53:57 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
2009-10-22 20:53:57 575488 ------w- c:\windows\system32\xpsshhdr.dll
2009-10-22 20:53:57 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll
2009-10-22 20:53:57 1676288 ------w- c:\windows\system32\xpssvcs.dll
2009-10-22 20:53:57 0 d-----w- C:\2c430fce765b31212abe928efc
2009-10-22 20:46:07 0 d-----w- c:\program files\MSXML 6.0

==================== Find3M ====================

2009-10-07 20:23:52 207872 ----a-w- c:\windows\system32\drivers\apprngr.sys
2009-09-11 14:33:52 133632 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-08 20:05:49 17571 ----a-w- c:\docume~1\alluse~1\applic~1\operybem.bin
2009-09-08 20:05:49 17105 ----a-w- c:\windows\paquc.sys
2009-09-08 20:05:49 16241 ----a-w- c:\windows\anuv.pif
2009-09-08 20:05:49 15743 ----a-w- c:\program files\common files\muku.bat
2009-09-08 20:05:49 10364 ----a-w- c:\program files\common files\kekexaj.dl
2009-09-08 20:05:49 10066 ----a-w- c:\windows\system32\apiwefer.reg
2009-09-08 20:05:48 14644 ----a-w- c:\docume~1\alluse~1\applic~1\lupo.bat
2009-09-08 20:05:48 13137 ----a-w- c:\docume~1\alluse~1\applic~1\ysaxiq.scr
2009-09-08 20:05:48 12125 ----a-w- c:\docume~1\hp_adm~1\applic~1\lekuryb.pif
2009-09-08 19:50:46 19831 ----a-w- c:\program files\common files\kecopiv._sy
2009-09-08 19:50:46 15208 ----a-w- c:\program files\common files\diqo.inf
2009-09-08 19:50:46 11145 ----a-w- c:\windows\system32\tysive.com
2009-09-08 19:50:46 10740 ----a-w- c:\program files\common files\ladibob.exe
2009-09-08 19:50:46 10279 ----a-w- c:\docume~1\hp_adm~1\applic~1\saha.exe
2009-09-08 19:50:45 18483 ----a-w- c:\program files\common files\fahiq.ban
2009-09-08 19:50:45 18403 ----a-w- c:\docume~1\hp_adm~1\applic~1\ynybal.reg
2009-09-08 19:50:45 18362 ----a-w- c:\windows\system32\atofotiqan.bin
2009-09-08 19:50:45 17006 ----a-w- c:\windows\onugipyk.scr
2009-09-08 19:50:45 15681 ----a-w- c:\windows\asoj.sys
2009-09-08 19:50:45 10196 ----a-w- c:\windows\yvaxylez.bat
2009-09-08 05:19:47 19521 ----a-w- c:\windows\miqa.exe
2009-09-08 05:19:47 16740 ----a-w- c:\program files\common files\gikyh.dat
2009-09-08 05:19:47 15952 ----a-w- c:\program files\common files\erinaca.dat
2009-09-08 05:19:47 15030 ----a-w- c:\docume~1\hp_adm~1\applic~1\dorunas.bin
2009-09-08 05:19:47 13879 ----a-w- c:\docume~1\alluse~1\applic~1\juda.dat
2009-09-08 05:19:47 13568 ----a-w- c:\docume~1\alluse~1\applic~1\ymifi.vbs
2009-09-08 05:19:47 13515 ----a-w- c:\windows\oweryqica.sys
2009-09-08 05:19:47 12447 ----a-w- c:\windows\wimyf.bin
2009-09-08 05:19:47 12278 ----a-w- c:\windows\odomehuvu.bin
2009-09-08 05:19:47 10715 ----a-w- c:\windows\liwyput.vbs
2009-09-08 05:19:47 10176 ----a-w- c:\program files\common files\ovonatyl.reg
2009-09-04 20:45:26 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 07:36:27 832512 ----a-w- c:\windows\system32\wininet.dll
2009-08-29 07:36:24 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-08-29 07:36:24 17408 ------w- c:\windows\system32\corpol.dll
2009-08-26 08:16:37 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-25 16:19:43 60416 ----a-w- c:\windows\ALCFDRTM.EXE
2009-08-18 06:33:52 1193832 ----a-w- c:\windows\system32\FM20.DLL
2009-08-10 20:04:17 51712 --sha-w- c:\windows\system32\bulikuyi.dll
2009-08-11 08:04:14 90624 --sha-w- c:\windows\system32\duwosepu.dll
2009-08-13 20:06:16 51712 --sha-w- c:\windows\system32\figovafa.dll
2009-08-09 16:58:10 51712 --sha-w- c:\windows\system32\fubatuzo.dll
2009-08-11 20:04:40 38400 --sha-w- c:\windows\system32\fupafeyo.dll
2009-08-11 08:04:14 38912 --sha-w- c:\windows\system32\giyafufu.dll
2009-08-13 20:05:41 38912 --sha-w- c:\windows\system32\howefapi.dll
2009-08-10 04:58:38 51712 --sha-w- c:\windows\system32\latadeti.dll
2009-08-13 20:06:16 51712 --sha-w- c:\windows\system32\leheliyo.dll
2009-08-08 04:57:48 39424 --sha-w- c:\windows\system32\miboduka.dll
2009-08-13 20:05:41 90112 --sha-w- c:\windows\system32\najebofi.dll
2009-08-12 08:04:56 61440 --sha-w- c:\windows\system32\noyuruwi.dll
2009-08-13 20:05:41 51712 --sha-w- c:\windows\system32\pogewaso.dll
2009-08-13 08:05:19 1 --sha-w- c:\windows\system32\povufuyu.dll
2009-08-12 08:04:56 38912 --sha-w- c:\windows\system32\pudidoye.dll
2009-08-12 20:05:06 89600 --sha-w- c:\windows\system32\pusalazi.dll
2009-08-08 04:57:48 91648 --sha-w- c:\windows\system32\ragumoze.dll
2009-08-13 20:06:16 51712 --sha-w- c:\windows\system32\safodaru.dll
2009-08-12 20:05:06 38912 --sha-w- c:\windows\system32\supugozi.dll
2009-08-14 08:06:06 89600 --sha-w- c:\windows\system32\vepekoda.dll
2009-08-10 04:58:38 38400 --sha-w- c:\windows\system32\wovayaje.dll
2009-08-08 16:57:39 61440 --sha-w- c:\windows\system32\wumiwuso.dll
2009-08-10 20:04:17 37888 --sha-w- c:\windows\system32\yetisono.dll
2009-08-14 08:06:06 38400 --sha-w- c:\windows\system32\yiyavewe.dll
2009-08-10 04:58:38 90112 --sha-w- c:\windows\system32\yosusadu.dll
2009-08-08 04:57:48 60928 --sha-w- c:\windows\system32\yuworowe.dll
2009-08-07 14:47:47 91648 --sha-w- c:\windows\system32\zikewapo.dll
2009-08-13 08:05:19 39424 --sha-w- c:\windows\system32\zugibiru.dll

============= FINISH: 4:30:03.43 ===============



UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-10-26.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume2
Install Date: 6/30/2009 7:19:14 PM
System Uptime: 11/14/2009 4:25:53 AM (0 hours ago)

Motherboard: ASUSTeK Computer INC. | | Puffer
Processor: Intel® Pentium® 4 CPU 3.00GHz | CPU 1 | 3001/200mhz
Processor: Intel® Pentium® 4 CPU 3.00GHz | CPU 1 | 3001/200mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 180 GiB total, 145.067 GiB free.
D: is FIXED (FAT32) - 6 GiB total, 0.561 GiB free.
E: is CDROM (CDFS)
F: is CDROM ()
G: is Removable
H: is Removable
I: is Removable
J: is Removable

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP42: 8/16/2009 8:16:41 PM - System Checkpoint
RP43: 8/17/2009 9:03:59 PM - System Checkpoint
RP44: 8/18/2009 11:54:50 PM - System Checkpoint
RP45: 8/20/2009 12:13:59 AM - System Checkpoint
RP46: 8/21/2009 12:14:16 AM - System Checkpoint
RP47: 8/22/2009 12:29:19 AM - System Checkpoint
RP48: 8/23/2009 12:39:59 AM - System Checkpoint
RP49: 8/24/2009 12:40:25 AM - System Checkpoint
RP50: 8/25/2009 10:44:11 AM - System Checkpoint
RP51: 8/26/2009 12:35:34 PM - System Checkpoint
RP52: 8/26/2009 9:49:49 PM - Software Distribution Service 3.0
RP53: 8/28/2009 1:19:10 AM - System Checkpoint
RP54: 8/29/2009 2:26:16 PM - System Checkpoint
RP55: 8/30/2009 7:27:48 AM - Software Distribution Service 3.0
RP56: 8/31/2009 7:43:36 AM - System Checkpoint
RP57: 9/1/2009 8:42:15 AM - System Checkpoint
RP58: 9/2/2009 11:08:17 AM - System Checkpoint
RP59: 9/3/2009 11:27:53 AM - System Checkpoint
RP60: 9/4/2009 12:13:30 PM - System Checkpoint
RP61: 9/6/2009 10:49:38 AM - System Checkpoint
RP62: 9/7/2009 2:15:33 PM - System Checkpoint
RP63: 9/8/2009 12:47:03 PM - Software Distribution Service 3.0
RP64: 9/8/2009 1:04:37 PM - Software Distribution Service 3.0
RP65: 9/9/2009 3:28:37 AM - Software Distribution Service 3.0
RP66: 9/10/2009 8:30:07 AM - System Checkpoint
RP67: 9/11/2009 2:40:29 PM - System Checkpoint
RP68: 9/12/2009 2:44:17 PM - System Checkpoint
RP69: 9/15/2009 9:30:34 AM - Software Distribution Service 3.0
RP70: 9/15/2009 10:10:09 PM - Software Distribution Service 3.0
RP71: 9/16/2009 3:27:53 PM - Software Distribution Service 3.0
RP72: 9/17/2009 4:23:12 PM - System Checkpoint
RP73: 9/18/2009 7:08:16 PM - System Checkpoint
RP74: 9/19/2009 8:30:45 PM - System Checkpoint
RP75: 9/21/2009 9:51:42 AM - System Checkpoint
RP76: 9/22/2009 3:00:42 AM - Software Distribution Service 3.0
RP77: 9/23/2009 10:45:08 AM - System Checkpoint
RP78: 9/24/2009 8:42:32 AM - Software Distribution Service 3.0
RP79: 9/25/2009 1:57:37 PM - System Checkpoint
RP80: 9/26/2009 2:16:22 PM - System Checkpoint
RP81: 9/27/2009 7:34:07 PM - System Checkpoint
RP82: 9/29/2009 8:47:35 AM - System Checkpoint
RP83: 9/30/2009 10:15:13 AM - System Checkpoint
RP84: 10/1/2009 11:03:58 AM - System Checkpoint
RP85: 10/2/2009 11:21:31 AM - System Checkpoint
RP86: 10/3/2009 10:31:31 PM - System Checkpoint
RP87: 10/4/2009 11:10:32 PM - System Checkpoint
RP88: 10/6/2009 10:23:02 AM - System Checkpoint
RP89: 10/7/2009 4:25:07 PM - System Checkpoint
RP90: 10/8/2009 4:39:09 PM - System Checkpoint
RP91: 10/10/2009 3:00:17 PM - System Checkpoint
RP92: 10/12/2009 8:41:31 AM - System Checkpoint
RP93: 10/14/2009 12:02:12 AM - System Checkpoint
RP94: 10/14/2009 3:00:53 AM - Software Distribution Service 3.0
RP95: 10/15/2009 3:00:44 AM - Software Distribution Service 3.0
RP96: 10/16/2009 3:25:32 AM - Software Distribution Service 3.0
RP97: 10/17/2009 4:07:59 AM - System Checkpoint
RP98: 10/18/2009 5:07:59 AM - System Checkpoint
RP99: 10/19/2009 7:14:55 AM - System Checkpoint
RP100: 10/20/2009 11:52:57 AM - System Checkpoint
RP101: 10/21/2009 12:14:15 PM - System Checkpoint
RP102: 10/22/2009 12:25:42 PM - System Checkpoint
RP103: 10/22/2009 1:46:31 PM - Installed Windows XP WIC.
RP104: 10/22/2009 1:54:07 PM - Installed Windows KB954550-v5.
RP105: 10/22/2009 1:54:20 PM - Printer Driver Microsoft XPS Document Writer Installed
RP106: 10/22/2009 1:54:31 PM - Printer Driver Microsoft XPS Document Writer Installed
RP107: 10/22/2009 11:00:27 PM - Software Distribution Service 3.0
RP108: 10/23/2009 11:33:11 PM - System Checkpoint
RP109: 10/25/2009 2:09:35 PM - System Checkpoint
RP110: 10/26/2009 9:15:01 PM - System Checkpoint
RP111: 10/28/2009 10:11:33 AM - System Checkpoint
RP112: 10/29/2009 6:16:11 PM - System Checkpoint
RP113: 10/30/2009 10:54:32 PM - System Checkpoint
RP114: 11/1/2009 2:12:58 PM - System Checkpoint
RP115: 11/2/2009 4:52:16 PM - System Checkpoint
RP116: 11/3/2009 5:05:02 PM - System Checkpoint
RP117: 11/4/2009 7:31:58 PM - System Checkpoint
RP118: 11/5/2009 4:06:29 AM - Software Distribution Service 3.0
RP119: 11/6/2009 1:34:50 PM - System Checkpoint
RP120: 11/7/2009 10:01:36 AM - Configured easy Internet sign-up
RP121: 11/8/2009 10:54:10 AM - System Checkpoint
RP122: 11/8/2009 9:37:54 PM - Removed Sonic RecordNow!
RP123: 11/8/2009 9:44:54 PM - Removed Norton Security Center
RP124: 11/8/2009 9:52:34 PM - Removed Norton WMI Update
RP125: 11/8/2009 10:01:04 PM - Removed Microsoft Visual C++ 2005 Redistributable
RP126: 11/8/2009 10:02:04 PM - Installed AVG Free 9.0
RP127: 11/9/2009 8:36:50 AM - Installed AppRanger
RP128: 11/10/2009 8:27:30 AM - Avg8 Update
RP129: 11/10/2009 8:29:00 AM - Avg8 Update
RP130: 11/11/2009 8:48:22 AM - System Checkpoint
RP131: 11/12/2009 1:34:36 PM - System Checkpoint
RP132: 11/13/2009 10:00:09 AM - Avg8 Update

==== Installed Programs ======================

Adobe Acrobat - Reader 6.0.2 Update
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 6.0.1
Agere Systems PCI Soft Modem
AiO_Scan
AiOSoftware
Apple Mobile Device Support
Apple Software Update
AppRanger
ATI Control Panel
ATI Display Driver
AVG Free 9.0
Bonjour
BufferChm
CameraDrivers
Copy
CreativeProjects
CreativeProjectsTemplates
CueTour
Dell Driver Download Manager
Destinations
Director
DocProc
DocumentViewer
EASEUS Photo Recovery 2.1.1
Fax
GemMaster Mystic
Help and Support Additions
High Definition Audio Driver Package - KB835221
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows XP (KB914440)
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
HP Deskjet Preloaded Printer Drivers
HP Diagnostic Assistant
HP Image Zone 4.2
HP Image Zone for Media Center PC
HP Image Zone Plus 4.2
HP Photo & Imaging 3.5 - HP Devices
HP PSC & OfficeJet 4.0
HP Software Update
HP Tunes
hpg2436
hpg3970
hpg4600
hpg5530
hpg8200
HPIZ402
HpSdpAppCoreApp
HPSystemDiagnostics
InstantShare
IntelliMover Data Transfer Demo
iTunes
Java 2 Runtime Environment, SE v1.4.2_03
KBD
Microsoft .NET Framework 1.0 Hotfix (KB930494)
Microsoft .NET Framework 1.0 Hotfix (KB953295)
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB953297)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office Excel MUI (English) 2007
Microsoft Office Home and Student 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Standard Edition 2003
Microsoft Office Word MUI (English) 2007
Microsoft Plus! Dancer LE
Microsoft Plus! Digital Media Edition Installer
Microsoft Plus! Photo Story 2 LE
Microsoft Silverlight
Microsoft Software Update for Web Folders (English) 12
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Works 7.0
Move Media Player
Mozilla Firefox (3.5.5)
MSXML 4.0 SP2 (KB954430)
MSXML 6 Service Pack 2 (KB954459)
muvee autoProducer 3.5 magicMoments - HPD
muvee autoProducer unPlugged - HPD
Otto
PC-Doctor for Windows
Personal Guard 2009
PhotoGallery
Photosmart 320,370,7400,8100,8400 Series
PrintScreen
PS2
PSPrinters06
Python 2.2 combined Win32 extensions
Python 2.2.1
QFolder
QuickProjects
QuickTime
Readme
RealPlayer
Scan
Security Update for 2007 Microsoft Office System (KB969559)
Security Update for 2007 Microsoft Office System (KB969679)
Security Update for CAPICOM (KB931906)
Security Update for Microsoft Office Excel 2007 (KB969682)
Security Update for Microsoft Office PowerPoint 2007 (KB957789)
Security Update for Microsoft Office system 2007 (972581)
Security Update for Microsoft Office system 2007 (KB969613)
Security Update for Microsoft Office system 2007 (KB974234)
Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
Security Update for Microsoft Office Word 2007 (KB969604)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB938127-v2)
Security Update for Windows Internet Explorer 7 (KB972260)
Security Update for Windows Internet Explorer 7 (KB974455)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB944338-v2)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958470)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969897)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB971032)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972260)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
SkinsHP1
SkinsHP2
Sonic Encoders
TrayApp
Unload
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 7 (KB976749)
Update for Windows XP (KB898461)
Update for Windows XP (KB925720)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB973815)
Updates from HP
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
Visual J# .NET Redistributable Package
WebFldrs XP
WebReg
Windows Imaging Component
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows XP Media Center Edition 2005 KB973768
WinRAR archiver
Yahoo! BrowserPlus
Yahoo! Install Manager
Yahoo! Messenger
Yahoo! Software Update
Yahoo! Toolbar

==== Event Viewer Messages From Past Week ========

11/9/2009 8:59:27 AM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000243' while processing the file 'morazolu.dll' on the volume 'HarddiskVolume2'. It has stopped monitoring the volume.
11/9/2009 10:15:40 AM, error: DCOM [10016] - The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID {0C0A3666-30C9-11D0-8F20-00805F2CD064} to the user YOUR-136F2019DC\Mariah SID (S-1-5-21-2761954292-112336790-31800702-1028). This security permission can be modified using the Component Services administrative tool.
11/8/2009 9:50:55 PM, error: PlugPlayManager [12] - The device 'Microsoft Kernel Acoustic Echo Canceller' (Root\LEGACY_AEC\0000) disappeared from the system without first being prepared for removal.
11/8/2009 8:06:29 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Beep
11/8/2009 6:16:00 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the IMAPI CD-Burning COM Service service to connect.
11/8/2009 6:16:00 PM, error: Service Control Manager [7000] - The IMAPI CD-Burning COM Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
11/8/2009 5:56:12 PM, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service wuauserv with arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}
11/7/2009 7:58:45 AM, error: Dhcp [1002] - The IP address lease 192.168.1.3 for the Network Card with network address 00112FA648ED has been denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).
11/12/2009 8:20:17 PM, error: DCOM [10000] - Unable to start a DCOM Server: {3C16E079-E4C7-493C-BE9F-E0F2BB0B7430}. The error: "%2" Happened while starting this command: "C:\Program Files\Yahoo!\Companion\Installs\cpn1\ytbb.exe" -Embedding
11/12/2009 8:07:51 AM, error: Disk [11] - The driver detected a controller error on \Device\Harddisk5\D.

==== End Of File ===========================

GMER 1.0.15.15220 - http://www.gmer.net
Rootkit scan 2009-11-14 04:48:52
Windows 5.1.2600 Service Pack 2
Running: gmer.exe; Driver: C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\kwxoyaoc.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\system32\Drivers\apprngr.sys (AppRanger Scan Driver/AppRanger Inc.) ZwClose [0xECE505F2]
SSDT \SystemRoot\system32\Drivers\apprngr.sys (AppRanger Scan Driver/AppRanger Inc.) ZwCreateFile [0xECE4D540]
SSDT \SystemRoot\system32\Drivers\apprngr.sys (AppRanger Scan Driver/AppRanger Inc.) ZwCreateKey [0xECE4D8D8]
SSDT \SystemRoot\system32\Drivers\apprngr.sys (AppRanger Scan Driver/AppRanger Inc.) ZwCreateProcessEx [0xECE4DB18]
SSDT \SystemRoot\system32\Drivers\apprngr.sys (AppRanger Scan Driver/AppRanger Inc.) ZwCreateSection [0xECE4DD5E]
SSDT \SystemRoot\system32\Drivers\apprngr.sys (AppRanger Scan Driver/AppRanger Inc.) ZwCreateThread [0xECE4DCF0]
SSDT \SystemRoot\system32\Drivers\apprngr.sys (AppRanger Scan Driver/AppRanger Inc.) ZwDeleteValueKey [0xECE4F27C]
SSDT \SystemRoot\system32\Drivers\apprngr.sys (AppRanger Scan Driver/AppRanger Inc.) ZwOpenFile [0xECE4D70E]
SSDT \SystemRoot\system32\Drivers\apprngr.sys (AppRanger Scan Driver/AppRanger Inc.) ZwQueryKey [0xECE4D9C4]
SSDT \SystemRoot\system32\Drivers\apprngr.sys (AppRanger Scan Driver/AppRanger Inc.) ZwQuerySystemInformation [0xECE4DF48]
SSDT \SystemRoot\system32\Drivers\apprngr.sys (AppRanger Scan Driver/AppRanger Inc.) ZwQueryValueKey [0xECE4F230]
SSDT \SystemRoot\system32\Drivers\apprngr.sys (AppRanger Scan Driver/AppRanger Inc.) ZwRestoreKey [0xECE4DA06]
SSDT \SystemRoot\system32\Drivers\apprngr.sys (AppRanger Scan Driver/AppRanger Inc.) ZwResumeThread [0xECE4DD22]
SSDT \SystemRoot\system32\Drivers\apprngr.sys (AppRanger Scan Driver/AppRanger Inc.) ZwSetInformationFile [0xECE4D73A]
SSDT \SystemRoot\system32\Drivers\apprngr.sys (AppRanger Scan Driver/AppRanger Inc.) ZwSetValueKey [0xECE4F1C8]

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----

#7 Farbar

Farbar

    Just Curious

  • Security Developer
  • 21,714 posts
  • Gender: Male
  • Location: The Netherlands

Posted 14 November 2009 - 09:41 AM

  • Disable AVG Resident Shield:
    • Double click AVG system tray icon to open AVG.
    • In Overview section double click Resident Shield.
    • Uncheck Resident Shield Active.
    • Press Save Changes.

      Note: It is important to activate the resident shield immediately after ComboFix produced its log.
  • Download ComboFix from one of these locations:

    Link 1
    Link 2
    Link 3

    * IMPORTANT !!! Save ComboFix.exe to your Desktop

    • Double click on ComboFix.exe & follow the prompts.
    • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


    Click on Yes, to continue scanning for malware.

    When finished, it shall produce a log for you. Please copy and paste the C:\ComboFix.txt in your next reply.


#8 chadt

chadt
  • Topic Starter
  • Members
  • 28 posts

Posted 14 November 2009 - 06:26 PM

ComboFix 09-11-15.01 - HP_Administrator 11/14/2009 14:53..2 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.511.133 [GMT -8:00]
Running from: c:\documents and settings\HP_Administrator\My Documents\Downloads\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\lupo.bat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\documents and settings\All Users\Application Data\ymifi.vbs
c:\documents and settings\All Users\Documents\ihyzo.bat
c:\documents and settings\All Users\Microsoft AData
c:\documents and settings\All Users\Microsoft AData\t.sid
c:\documents and settings\HP_Administrator\Application Data\ynybal.reg
c:\documents and settings\HP_Administrator\Application Data\yvodyna.inf
c:\documents and settings\HP_Administrator\Desktop\Personal Guard 2009.lnk
c:\documents and settings\HP_Administrator\Local Settings\Application Data\gacyq.inf
c:\documents and settings\HP_Administrator\Local Settings\Temporary Internet Files\hatobafuqy.ban
c:\documents and settings\HP_Administrator\Local Settings\Temporary Internet Files\isep.vbs
c:\documents and settings\HP_Administrator\Local Settings\Temporary Internet Files\kadirexif.scr
c:\documents and settings\HP_Administrator\Local Settings\Temporary Internet Files\nanibo.dl
c:\documents and settings\HP_Administrator\Local Settings\Temporary Internet Files\zazose.sys
c:\documents and settings\HP_Administrator\Start Menu\Programs\Personal Guard 2009
c:\documents and settings\HP_Administrator\Start Menu\Programs\Personal Guard 2009\Personal Guard 2009.lnk
c:\documents and settings\HP_Administrator\Start Menu\Programs\Personal Guard 2009\Uninstall.lnk
c:\program files\Common Files\diqo.inf
c:\program files\Common Files\muku.bat
c:\program files\Common Files\ovonatyl.reg
c:\program files\Personal Guard 2009
c:\program files\Personal Guard 2009\config.scf
c:\program files\Personal Guard 2009\mmbase.sdb
c:\program files\Personal Guard 2009\personalguard.exe
c:\program files\Personal Guard 2009\q.sdb
c:\program files\Personal Guard 2009\queue.sdb
c:\program files\Personal Guard 2009\uninstalls.exe
c:\program files\Personal Guard 2009\vvbase.sdb
c:\windows\certsystem.exe
c:\windows\liwyput.vbs
c:\windows\microsoftdef.dll
c:\windows\miqa.exe
c:\windows\onugipyk.scr
c:\windows\regred.exe
c:\windows\securits.com
c:\windows\spoov.exe
c:\windows\system32\apiwefer.reg
c:\windows\system32\asuwixotet.inf
c:\windows\system32\bigivete.dll.tmp
c:\windows\system32\bubodozu.dll.tmp
c:\windows\system32\bulikuyi.dll
c:\windows\system32\duwosepu.dll
c:\windows\system32\figovafa.dll
c:\windows\system32\fubatuzo.dll
c:\windows\system32\fupafeyo.dll
c:\windows\system32\gekohani.dll
c:\windows\system32\giyafufu.dll
c:\windows\system32\gohifodi.dll
c:\windows\system32\howefapi.dll
c:\windows\system32\latadeti.dll
c:\windows\system32\lawaragu.dll.tmp
c:\windows\system32\lupeyoyu.dll.tmp
c:\windows\system32\miboduka.dll
c:\windows\system32\mopiseje.dll.tmp
c:\windows\system32\najebofi.dll
c:\windows\system32\noyuruwi.dll
c:\windows\system32\povufuyu.dll
c:\windows\system32\ps2.bat
c:\windows\system32\pudidoye.dll
c:\windows\system32\pusalazi.dll
c:\windows\system32\puwareda.dll
c:\windows\system32\ragumoze.dll
c:\windows\system32\safodaru.dll
c:\windows\system32\supugozi.dll
c:\windows\system32\vigoyusu.dll
c:\windows\system32\wewafuse.dll.tmp
c:\windows\system32\wirubifa.dll.tmp
c:\windows\system32\wovayaje.dll
c:\windows\system32\wumiwuso.dll
c:\windows\system32\wurubawu.dll
c:\windows\system32\yetisono.dll
c:\windows\system32\yiyavewe.dll
c:\windows\system32\yosusadu.dll
c:\windows\system32\yuworowe.dll
c:\windows\system32\zekazide.dll.tmp
c:\windows\system32\zikewapo.dll
c:\windows\system32\zosemijo.dll.tmp
c:\windows\system32\zugibiru.dll
c:\windows\Tasks\ldfsvglx.job
c:\windows\usexplorer.exe
c:\windows\vuvug.inf
c:\windows\yvaxylez.bat
D:\Autorun.inf

----- BITS: Possible infected sites -----

hxxp://82.98.231.99
.
((((((((((((((((((((((((( Files Created from 2009-10-14 to 2009-11-14 )))))))))))))))))))))))))))))))
.

2009-11-13 18:00 . 2009-11-10 16:28 4026136 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgui.exe
2009-11-13 18:00 . 2009-11-10 16:28 2016536 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgtray.exe
2009-11-13 18:00 . 2009-11-10 16:28 1257240 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgfrw.exe
2009-11-13 18:00 . 2009-11-09 06:02 600344 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgnsx.exe
2009-11-13 18:00 . 2009-11-10 16:28 3963672 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgcorex.dll
2009-11-13 18:00 . 2009-11-09 06:02 496920 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgchjwx.dll
2009-11-10 16:29 . 2009-11-09 06:02 360584 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgtdix.sys
2009-11-10 16:27 . 2009-11-09 06:02 610072 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgiproxy.exe
2009-11-10 16:27 . 2009-11-09 06:02 1657112 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.dll
2009-11-09 16:37 . 2009-11-14 12:55 49236 ------w- c:\documents and settings\All Users\Application Data\AppRanger\system\WebDOMFilter.dll
2009-11-09 16:37 . 2009-11-09 16:37 446538 ------w- c:\documents and settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\nrbitfyi.default\extensions\{d0c29249-27c7-4192-aec8-6c84436aeb80}\components\TSBoxFF.dll
2009-11-09 16:37 . 2009-11-14 22:48 -------- d-----w- c:\documents and settings\All Users\Application Data\AppRanger
2009-11-09 16:37 . 2009-11-09 16:37 -------- d-----w- c:\windows\logs
2009-11-09 16:36 . 2009-11-14 22:48 -------- d-----w- c:\program files\AppRanger
2009-11-09 07:26 . 2009-11-09 07:26 -------- d-----w- C:\VundoFix Backups
2009-11-09 06:02 . 2009-11-09 06:02 -------- d-----w- C:\$AVG
2009-11-09 06:02 . 2009-11-10 16:28 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-11-09 06:02 . 2009-11-09 06:02 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2009-11-09 06:02 . 2009-11-09 06:02 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-11-09 06:02 . 2009-11-09 06:02 28424 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-11-09 06:02 . 2009-11-14 17:42 -------- d-----w- c:\windows\system32\drivers\Avg
2009-11-09 06:02 . 2009-11-09 06:02 -------- d-----w- c:\program files\AVG
2009-11-09 06:02 . 2009-11-14 12:35 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2009-11-09 04:53 . 2009-11-09 05:03 114 ---ha-w- C:\aaw7boot.cmd
2009-11-09 02:08 . 2009-10-03 08:15 2924848 -c----w- c:\documents and settings\All Users\Application Data\~0\Ad-AwareInstallation.exe
2009-11-09 02:08 . 2009-11-09 05:34 -------- dc-h--w- c:\documents and settings\All Users\Application Data\~0
2009-11-09 02:08 . 2009-11-09 05:34 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-11-09 01:50 . 2009-11-09 01:50 -------- d-----w- c:\program files\Trend Micro
2009-11-08 22:34 . 2009-11-08 22:34 -------- d-----w- c:\documents and settings\Mariah\Local Settings\Application Data\Yahoo
2009-11-08 22:34 . 2009-11-08 22:34 -------- d-----w- c:\documents and settings\Mariah\Application Data\Yahoo!
2009-11-08 18:05 . 2004-08-04 07:08 31616 -c--a-w- c:\windows\system32\dllcache\usbccgp.sys
2009-11-08 18:05 . 2004-08-04 07:08 31616 ----a-w- c:\windows\system32\drivers\usbccgp.sys
2009-11-08 05:00 . 2009-11-08 05:00 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\Yahoo!
2009-11-06 19:49 . 2009-11-06 19:49 126970 ----a-w- c:\documents and settings\HP_Administrator\Application Data\Move Networks\uninstall.exe
2009-11-06 19:49 . 2009-11-07 01:25 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\Move Networks
2009-11-04 05:31 . 2009-11-04 05:31 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Yahoo!
2009-10-25 18:26 . 2009-10-25 18:26 -------- d-----w- c:\documents and settings\yuo\Local Settings\Application Data\Mozilla
2009-10-22 21:00 . 2009-10-22 21:23 -------- d-----w- c:\documents and settings\HP_Administrator\Local Settings\Application Data\Deployment
2009-10-22 20:55 . 2009-10-22 20:55 -------- d-----w- c:\windows\system32\XPSViewer
2009-10-22 20:55 . 2009-10-22 20:55 -------- d-----w- c:\program files\MSBuild
2009-10-22 20:54 . 2009-10-22 20:54 -------- d-----w- c:\program files\Reference Assemblies
2009-10-22 20:53 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
2009-10-22 20:53 . 2009-10-22 20:54 -------- d-----w- C:\2c430fce765b31212abe928efc
2009-10-22 20:53 . 2008-07-06 12:06 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-10-22 20:53 . 2008-07-06 12:06 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
2009-10-22 20:53 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
2009-10-22 20:53 . 2008-07-06 12:06 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll
2009-10-22 20:53 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
2009-10-22 20:53 . 2008-07-06 10:50 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-10-22 20:46 . 2009-10-22 20:46 -------- d-----w- c:\program files\MSXML 6.0

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-09 05:54 . 2004-09-03 09:31 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-11-09 05:51 . 2004-09-03 09:31 -------- d-----w- c:\program files\Symantec
2009-11-09 05:51 . 2004-09-03 09:31 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2009-11-09 05:36 . 2009-09-08 20:53 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-09 05:35 . 2009-07-13 20:00 -------- d-----w- c:\program files\Google
2009-11-08 18:09 . 2009-07-01 02:20 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\Apple Computer
2009-11-07 17:03 . 2004-09-03 07:07 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-11-07 17:02 . 2004-09-03 07:42 -------- d-----w- c:\program files\Easy Internet signup
2009-11-06 19:49 . 2009-08-03 21:48 4187512 ----a-w- c:\documents and settings\HP_Administrator\Application Data\Move Networks\plugins\npqmp071505000010.dll
2009-10-22 21:00 . 2009-07-02 05:03 46200 ----a-w- c:\documents and settings\HP_Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-16 10:32 . 2009-07-09 23:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-10-16 01:42 . 2009-07-06 02:52 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\AdobeUM
2009-10-14 10:11 . 2004-09-03 07:14 -------- d-----w- c:\program files\Microsoft Works
2009-09-22 10:06 . 2009-09-22 10:06 -------- d-----w- c:\program files\Microsoft CAPICOM 2.1.0.2
2009-09-22 00:11 . 2009-09-22 00:11 -------- d-----w- c:\program files\Microsoft Silverlight
2009-09-11 14:33 . 2004-09-10 23:16 133632 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-08 20:05 . 2009-09-08 20:05 17571 ----a-w- c:\documents and settings\All Users\Application Data\operybem.bin
2009-09-08 20:05 . 2009-09-08 20:05 17105 ----a-w- c:\windows\paquc.sys
2009-09-08 20:05 . 2009-09-08 20:05 16241 ----a-w- c:\windows\anuv.pif
2009-09-08 20:05 . 2009-09-08 20:05 10364 ----a-w- c:\program files\Common Files\kekexaj.dl
2009-09-08 20:05 . 2009-09-08 20:05 13137 ----a-w- c:\documents and settings\All Users\Application Data\ysaxiq.scr
2009-09-08 20:05 . 2009-09-08 20:05 13137 ----a-w- c:\documents and settings\All Users\Application Data\ysaxiq.scr
2009-09-08 20:05 . 2009-09-08 20:05 12125 ----a-w- c:\documents and settings\HP_Administrator\Application Data\lekuryb.pif
2009-09-08 20:05 . 2009-09-08 20:05 12125 ----a-w- c:\documents and settings\HP_Administrator\Application Data\lekuryb.pif
2009-09-08 19:50 . 2009-09-08 19:50 19831 ----a-w- c:\program files\Common Files\kecopiv._sy
2009-09-08 19:50 . 2009-09-08 19:50 11145 ----a-w- c:\windows\system32\tysive.com
2009-09-08 19:50 . 2009-09-08 19:50 10279 ----a-w- c:\documents and settings\HP_Administrator\Application Data\saha.exe
2009-09-08 19:50 . 2009-09-08 19:50 10279 ----a-w- c:\documents and settings\HP_Administrator\Application Data\saha.exe
2009-09-08 19:50 . 2009-09-08 19:50 10740 ----a-w- c:\program files\Common Files\ladibob.exe
2009-09-08 19:50 . 2009-09-08 19:50 18483 ----a-w- c:\program files\Common Files\fahiq.ban
2009-09-08 19:50 . 2009-09-08 19:50 18362 ----a-w- c:\windows\system32\atofotiqan.bin
2009-09-08 19:50 . 2009-09-08 19:50 15681 ----a-w- c:\windows\asoj.sys
2009-09-08 05:19 . 2009-09-08 05:19 16740 ----a-w- c:\program files\Common Files\gikyh.dat
2009-09-08 05:19 . 2009-09-08 05:19 15952 ----a-w- c:\program files\Common Files\erinaca.dat
2009-09-08 05:19 . 2009-09-08 05:19 15030 ----a-w- c:\documents and settings\HP_Administrator\Application Data\dorunas.bin
2009-09-08 05:19 . 2009-09-08 05:19 14287 ----a-w- c:\documents and settings\HP_Administrator\Local Settings\Application Data\iquxupoq.exe
2009-09-08 05:19 . 2009-09-08 05:19 13879 ----a-w- c:\documents and settings\All Users\Application Data\juda.dat
2009-09-08 05:19 . 2009-09-08 05:19 13515 ----a-w- c:\windows\oweryqica.sys
2009-09-08 05:19 . 2009-09-08 05:19 12447 ----a-w- c:\windows\wimyf.bin
2009-09-08 05:19 . 2009-09-08 05:19 12278 ----a-w- c:\windows\odomehuvu.bin
2009-09-04 20:45 . 2004-09-10 23:15 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 07:36 . 2004-09-10 23:18 832512 ----a-w- c:\windows\system32\wininet.dll
2009-08-29 07:36 . 2004-09-10 23:15 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-08-29 07:36 . 2004-09-10 23:14 17408 ------w- c:\windows\system32\corpol.dll
2009-08-26 08:16 . 2004-09-10 23:17 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-25 16:19 . 2009-08-25 16:19 60416 ----a-w- c:\windows\ALCFDRTM.EXE
2009-08-18 06:33 . 2009-08-18 06:33 1193832 ----a-w- c:\windows\system32\FM20.DLL
2009-08-13 20:06 . 2009-08-13 20:06 51712 --sha-w- c:\windows\system32\leheliyo.dll
2009-08-13 20:05 . 2009-08-13 20:05 51712 --sha-w- c:\windows\system32\pogewaso.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{69092540-e9e7-4165-b6cf-c96a6ea72220}]
2009-08-13 20:06 51712 --sha-w- c:\windows\system32\leheliyo.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2009-05-27 4351216]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-08-04 1667584]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2004-08-10 59392]
"SunJavaUpdateSched"="c:\program files\Java\j2re1.4.2_03\bin\jusched.exe" [2004-09-03 32881]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]
"HPHUPD06"="c:\program files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe" [2004-06-08 49152]
"HPHmon06"="c:\windows\system32\hphmon06.exe" [2004-06-08 659456]
"KBD"="c:\hp\KBD\KBD.EXE" [2003-02-12 61440]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2004-09-03 180269]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2004-04-15 233472]
"PS2"="c:\windows\system32\ps2.exe" [2002-10-16 81920]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-08-27 339968]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-27 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2009-11-13 2020120]
"AGRSMMSG"="AGRSMMSG.exe" - c:\windows\AGRSMMSG.exe [2004-06-30 88363]
"SoundMan"="SOUNDMAN.EXE" - c:\windows\SOUNDMAN.EXE [2004-07-02 73728]
"AlcWzrd"="ALCWZRD.EXE" - c:\windows\ALCWZRD.EXE [2004-07-06 2550272]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2004-5-29 241664]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-11-09 06:02 12464 ----a-w- c:\windows\system32\avgrsstx.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Updates from HP\\309731\\Program\\Updates from HP.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\system32\\spoolsv.exe"=
"c:\\Program Files\\Common Files\\Microsoft Shared\\VS7DEBUG\\MDM.EXE"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgtray.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [11/8/2009 10:02 PM 333192]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [11/8/2009 10:02 PM 360584]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [11/8/2009 10:02 PM 285392]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - MBR
*Deregistered* - mbr
.
Contents of the 'Scheduled Tasks' folder

2009-11-11 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q404&bd=pavilion&pf=desktop
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q404&bd=pavilion&pf=desktop
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\nrbitfyi.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - plugin: c:\documents and settings\HP_Administrator\Application Data\Move Networks\plugins\npqmp071505000010.dll
FF - plugin: c:\documents and settings\HP_Administrator\Local Settings\Application Data\Yahoo!\BrowserPlus\2.4.17\Plugins\npybrowserplus_2.4.17.dll
FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJava11.dll
FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJava12.dll
FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJava13.dll
FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJava14.dll
FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJava32.dll
FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJPI142_03.dll
FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPOJI610.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-reluzovew - c:\windows\system32\gohifodi.dll
HKLM-Run-lemasifoso - safodaru.dll
SharedTaskScheduler-{0ba3b919-af55-46cd-a2dd-91320f9a109e} - c:\windows\system32\gohifodi.dll
SSODL-SysNet-{6FCE8D4B-C782-447C-B77C-524FE679B558} - c:\documents and settings\All Users\Microsoft AData\sysnet.dll
SSODL-zabuzomuv-{0ba3b919-af55-46cd-a2dd-91320f9a109e} - c:\windows\system32\gohifodi.dll



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-14 15:03
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(608)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(3104)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\windows\system32\msi.dll
c:\windows\system32\browselc.dll
c:\windows\system32\leheliyo.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\AVG\AVG9\avgchsvx.exe
c:\program files\AVG\AVG9\avgrsx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\Ati2evxx.exe
c:\program files\AVG\AVG9\avgnsx.exe
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\windows\system32\dllhost.exe
c:\windows\eHome\ehmsas.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Yahoo!\Messenger\ymsgr_tray.exe
.
**************************************************************************
.
Completion time: 2009-11-14 15:24 - machine was rebooted
ComboFix-quarantined-files.txt 2009-11-14 23:23

Pre-Run: 155,698,937,856 bytes free
Post-Run: 155,419,959,296 bytes free

- - End Of File - - 3C53C477A4D2FA2225D26D7B1ABF8B8D

#9 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,714 posts
  • Gender:Male
  • Location:The Netherlands

Posted 14 November 2009 - 07:05 PM

Well done. :(

ComboFix got a lot of them but it is not clean yet.

Please download Malwarebytes' Anti-Malware from one of these locations:
malwarebytes.org
majorgeeks.com
  • Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the MBAM log.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.


#10 chadt

chadt
  • Topic Starter

  • Members
  • 28 posts

Posted 14 November 2009 - 08:56 PM

When I get to this part

Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.

I get an "Unable to execute file" "CreateProcess Failed; Code 2. The system cannot find the file specified".

Am I doing something wrong?

#11 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,714 posts
  • Gender:Male
  • Location:The Netherlands

Posted 15 November 2009 - 06:08 AM

The malware is interfering. Let's run ComboFix once more.
  • Open notepad and copy/paste the text in the code box below into it:

    http://www.bleepingcomputer.com/forums/t/270182/can-someone-please-help-me/
    
    Collect::[4]
    c:\documents and settings\All Users\Application Data\operybem.bin
    c:\windows\paquc.sys
    c:\windows\anuv.pif
    c:\program files\Common Files\kekexaj.dl
    c:\documents and settings\All Users\Application Data\ysaxiq.scr
    c:\documents and settings\HP_Administrator\Application Data\lekuryb.pif
    c:\program files\Common Files\kecopiv._sy
    c:\windows\system32\tysive.com
    c:\documents and settings\HP_Administrator\Application Data\saha.exe
    c:\program files\Common Files\ladibob.exe
    c:\program files\Common Files\fahiq.ban
    c:\windows\system32\atofotiqan.bin
    c:\windows\asoj.sys
    c:\program files\Common Files\gikyh.dat
    c:\program files\Common Files\erinaca.dat
    c:\documents and settings\HP_Administrator\Application Data\dorunas.bin
    c:\documents and settings\HP_Administrator\Local Settings\Application Data\iquxupoq.exe
    c:\documents and settings\All Users\Application Data\juda.dat
    c:\windows\oweryqica.sys
    c:\windows\wimyf.bin
    c:\windows\odomehuvu.bin
    c:\windows\system32\leheliyo.dll
    c:\windows\system32\pogewaso.dll
    Registry::
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{69092540-e9e7-4165-b6cf-c96a6ea72220}]

    Save this as CFScript.txt


    Posted Image


    Referring to the picture above, drag CFScript.txt into ComboFix.exe

    When finished, it shall produce a log for you. Please copy and paste that log in your next reply.

    **Important Note**

    When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
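
The Collect:: list in the script above was assembled by hand from the ComboFix report: the entries are the files that appeared in bursts on 2009-09-08 with made-up names in loose locations, plus the hidden/system DLL registered as a Browser Helper Object. The Python below is an added example (not ComboFix's, Malwarebytes' or the poster's own code) that automates that first triage pass over "Files Created" / "Find3M" report lines. It parses the column layout exactly as it appears in the log, flags files by a few defender-side heuristics (executables dropped directly into c:\windows, Common Files or a profile's Application Data root; hidden+system code modules; truncated or odd extensions such as `.dl` or `._sy`; a new `.com` in system32; and any file created in the same minute as two or more already-flagged files), and renders the hits in the Collect:: layout used in the post. The sample lines are copied from the report; the meaning of the `s`/`h` letters in the attribute column and the burst thresholds are assumptions.

```python
"""Triage ComboFix 'Files Created' / 'Find3M' lines for loose, hidden or
burst-created executables.  Added example, not ComboFix's own code."""
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Constructed sample: lines copied from the report in the layout
#   created . modified size attrs path   (size is -------- for directories)
SAMPLE_LOG = r"""
2009-11-09 06:02 . 2009-11-09 06:02 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2009-11-09 06:02 . 2009-11-09 06:02 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-11-09 06:02 . 2009-11-09 06:02 28424 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-11-09 06:02 . 2009-11-09 06:02 -------- d-----w- c:\program files\AVG
2009-11-09 04:53 . 2009-11-09 05:03 114 ---ha-w- C:\aaw7boot.cmd
2009-11-06 19:49 . 2009-11-06 19:49 126970 ----a-w- c:\documents and settings\HP_Administrator\Application Data\Move Networks\uninstall.exe
2009-09-11 14:33 . 2004-09-10 23:16 133632 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-08 20:05 . 2009-09-08 20:05 17571 ----a-w- c:\documents and settings\All Users\Application Data\operybem.bin
2009-09-08 20:05 . 2009-09-08 20:05 17105 ----a-w- c:\windows\paquc.sys
2009-09-08 20:05 . 2009-09-08 20:05 10364 ----a-w- c:\program files\Common Files\kekexaj.dl
2009-09-08 20:05 . 2009-09-08 20:05 13137 ----a-w- c:\documents and settings\All Users\Application Data\ysaxiq.scr
2009-09-08 19:50 . 2009-09-08 19:50 19831 ----a-w- c:\program files\Common Files\kecopiv._sy
2009-09-08 19:50 . 2009-09-08 19:50 11145 ----a-w- c:\windows\system32\tysive.com
2009-09-08 19:50 . 2009-09-08 19:50 18483 ----a-w- c:\program files\Common Files\fahiq.ban
2009-09-08 19:50 . 2009-09-08 19:50 18362 ----a-w- c:\windows\system32\atofotiqan.bin
2009-08-13 20:06 . 2009-08-13 20:06 51712 --sha-w- c:\windows\system32\leheliyo.dll
"""

LINE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>-{8}|\d+) (?P<attrs>[-a-z]{8}) (?P<path>.+)$"
)

# Extensions Windows will run or load as code.
EXEC_EXTS = {".exe", ".dll", ".sys", ".com", ".pif", ".scr", ".cmd", ".bat"}
# Directories where a *loose* file (no vendor subfolder) is unusual.
LOOSE_DIRS = {"c:\\windows", "c:\\program files\\common files"}
LOOSE_TAILS = ("\\application data",)   # roaming and local profile roots


def parse_line(line):
    """Parse one report line into a dict, or None for headers/blank lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["is_dir"] = rec["attrs"][0] == "d"
    rec["size"] = None if rec["size"].startswith("-") else int(rec["size"])
    return rec


def reasons_for(rec):
    """Heuristic reasons a single file record deserves a closer look."""
    if rec["is_dir"]:
        return []
    p = PureWindowsPath(rec["path"].lower())
    parent, ext, attrs = str(p.parent), p.suffix, rec["attrs"]
    reasons = []
    # Assumption about the attribute column: 's' = system, 'h' = hidden.
    if "s" in attrs and "h" in attrs and ext in EXEC_EXTS:
        reasons.append("hidden+system code module")
    loose = parent in LOOSE_DIRS or parent.endswith(LOOSE_TAILS)
    if loose and ext in EXEC_EXTS:
        reasons.append(f"loose {ext} in {parent}")
    if loose and ext in {".bin", ".dat"}:
        reasons.append(f"opaque {ext} dropped in {parent}")
    # '.dl' or '._sy' look like truncated/obfuscated real extensions.
    if ext and ("_" in ext or any(k != ext and k.startswith(ext) for k in EXEC_EXTS)):
        reasons.append(f"odd extension {ext}")
    if ext == ".com" and parent.endswith("\\system32"):
        reasons.append("new .com file in system32")
    return reasons


def burst_groups(records, min_size=3, min_flagged=2):
    """Creation minutes in which >= min_size files appeared and >= min_flagged
    of them already trip a per-file rule: the rest of that minute is suspect too."""
    by_minute = defaultdict(list)
    for rec in records:
        if not rec["is_dir"]:
            by_minute[rec["created"]].append(rec)
    return {minute: group for minute, group in by_minute.items()
            if len(group) >= min_size
            and sum(1 for r in group if reasons_for(r)) >= min_flagged}


def triage(log_text):
    """Map each suspect path to the list of reasons it was flagged."""
    records = [r for r in map(parse_line, log_text.splitlines()) if r]
    bursts = burst_groups(records)
    findings = {}
    for rec in records:
        reasons = reasons_for(rec)
        if not rec["is_dir"] and rec["created"] in bursts:
            reasons.append(f"created in burst at {rec['created']} "
                           f"({len(bursts[rec['created']])} files)")
        if reasons:
            findings[rec["path"]] = reasons
    return findings


def collect_section(findings):
    """Render the suspect paths in the Collect:: layout used in the post."""
    return "Collect::\n" + "\n".join(sorted(findings)) + "\n"


if __name__ == "__main__":
    hits = triage(SAMPLE_LOG)
    for path, why in sorted(hits.items()):
        print(f"{path}\n    {'; '.join(why)}")
    print(collect_section(hits))
```

On the sample the AVG driver install, the Ad-Aware boot script at C:\ and the Windows update to msv1_0.dll are left alone, while all nine dropped files are returned, including fahiq.ban and atofotiqan.bin, which trip no per-file rule and are caught only because they share a creation minute with flagged files. Treat the output as a review queue rather than a verdict: a legitimately installed loose executable in c:\windows will also land in it, and a vendor-named subfolder is not on its own proof of legitimacy.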


#12 chadt

chadt
  • Topic Starter

  • Members
  • 28 posts

Posted 15 November 2009 - 01:52 PM

ComboFix 09-11-16.01 - HP_Administrator 11/15/2009 10:24..2 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.511.249 [GMT -8:00]
Running from: c:\documents and settings\HP_Administrator\My Documents\Downloads\ComboFix.exe
Command switches used :: c:\documents and settings\HP_Administrator\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

file zipped: c:\documents and settings\All Users\Application Data\juda.dat
file zipped: c:\documents and settings\All Users\Application Data\operybem.bin
file zipped: c:\documents and settings\All Users\Application Data\ysaxiq.scr
file zipped: c:\documents and settings\HP_Administrator\Application Data\dorunas.bin
file zipped: c:\documents and settings\HP_Administrator\Application Data\lekuryb.pif
file zipped: c:\documents and settings\HP_Administrator\Application Data\saha.exe
file zipped: c:\documents and settings\HP_Administrator\Local Settings\Application Data\iquxupoq.exe
file zipped: c:\program files\Common Files\erinaca.dat
file zipped: c:\program files\Common Files\fahiq.ban
file zipped: c:\program files\Common Files\gikyh.dat
file zipped: c:\program files\Common Files\kecopiv._sy
file zipped: c:\program files\Common Files\kekexaj.dl
file zipped: c:\program files\Common Files\ladibob.exe
file zipped: c:\windows\anuv.pif
file zipped: c:\windows\asoj.sys
file zipped: c:\windows\odomehuvu.bin
file zipped: c:\windows\oweryqica.sys
file zipped: c:\windows\paquc.sys
file zipped: c:\windows\system32\atofotiqan.bin
file zipped: c:\windows\system32\leheliyo.dll
file zipped: c:\windows\system32\pogewaso.dll
file zipped: c:\windows\system32\tysive.com
file zipped: c:\windows\wimyf.bin
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\juda.dat
c:\documents and settings\All Users\Application Data\operybem.bin
c:\documents and settings\All Users\Application Data\ysaxiq.scr
c:\documents and settings\HP_Administrator\Application Data\dorunas.bin
c:\documents and settings\HP_Administrator\Application Data\lekuryb.pif
c:\documents and settings\HP_Administrator\Application Data\saha.exe
c:\documents and settings\HP_Administrator\Local Settings\Application Data\iquxupoq.exe
c:\program files\Common Files\erinaca.dat
c:\program files\Common Files\fahiq.ban
c:\program files\Common Files\gikyh.dat
c:\program files\Common Files\kecopiv._sy
c:\program files\Common Files\kekexaj.dl
c:\program files\Common Files\ladibob.exe
c:\windows\anuv.pif
c:\windows\asoj.sys
c:\windows\odomehuvu.bin
c:\windows\oweryqica.sys
c:\windows\paquc.sys
c:\windows\system32\atofotiqan.bin
c:\windows\system32\dewuyode.dll
c:\windows\system32\leheliyo.dll
c:\windows\system32\mosisuze.dll
c:\windows\system32\pogewaso.dll
c:\windows\system32\tysive.com
c:\windows\wimyf.bin

.
((((((((((((((((((((((((( Files Created from 2009-10-15 to 2009-11-15 )))))))))))))))))))))))))))))))
.

2009-11-15 01:52 . 2009-11-15 01:52 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware99999999999999999999
2009-11-15 01:44 . 2009-09-10 22:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-15 01:44 . 2009-09-10 22:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-13 18:00 . 2009-11-10 16:28 4026136 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgui.exe
2009-11-13 18:00 . 2009-11-10 16:28 2016536 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgtray.exe
2009-11-13 18:00 . 2009-11-10 16:28 1257240 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgfrw.exe
2009-11-13 18:00 . 2009-11-09 06:02 600344 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgnsx.exe
2009-11-13 18:00 . 2009-11-10 16:28 3963672 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgcorex.dll
2009-11-13 18:00 . 2009-11-09 06:02 496920 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgchjwx.dll
2009-11-10 16:29 . 2009-11-09 06:02 360584 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgtdix.sys
2009-11-10 16:27 . 2009-11-09 06:02 610072 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgiproxy.exe
2009-11-10 16:27 . 2009-11-09 06:02 1657112 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.dll
2009-11-09 16:37 . 2009-11-14 12:55 49236 ------w- c:\documents and settings\All Users\Application Data\AppRanger\system\WebDOMFilter.dll
2009-11-09 16:37 . 2009-11-09 16:37 446538 ------w- c:\documents and settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\nrbitfyi.default\extensions\{d0c29249-27c7-4192-aec8-6c84436aeb80}\components\TSBoxFF.dll
2009-11-09 16:37 . 2009-11-14 22:48 -------- d-----w- c:\documents and settings\All Users\Application Data\AppRanger
2009-11-09 16:37 . 2009-11-09 16:37 -------- d-----w- c:\windows\logs
2009-11-09 16:36 . 2009-11-14 22:48 -------- d-----w- c:\program files\AppRanger
2009-11-09 07:26 . 2009-11-09 07:26 -------- d-----w- C:\VundoFix Backups
2009-11-09 06:02 . 2009-11-09 06:02 -------- d-----w- C:\$AVG
2009-11-09 06:02 . 2009-11-10 16:28 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-11-09 06:02 . 2009-11-09 06:02 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2009-11-09 06:02 . 2009-11-09 06:02 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-11-09 06:02 . 2009-11-09 06:02 28424 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-11-09 06:02 . 2009-11-15 17:11 -------- d-----w- c:\windows\system32\drivers\Avg
2009-11-09 06:02 . 2009-11-09 06:02 -------- d-----w- c:\program files\AVG
2009-11-09 06:02 . 2009-11-14 12:35 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2009-11-09 04:53 . 2009-11-09 05:03 114 ---ha-w- C:\aaw7boot.cmd
2009-11-09 02:08 . 2009-10-03 08:15 2924848 -c----w- c:\documents and settings\All Users\Application Data\~0\Ad-AwareInstallation.exe
2009-11-09 02:08 . 2009-11-09 05:34 -------- dc-h--w- c:\documents and settings\All Users\Application Data\~0
2009-11-09 02:08 . 2009-11-09 05:34 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-11-09 01:50 . 2009-11-09 01:50 -------- d-----w- c:\program files\Trend Micro
2009-11-08 22:34 . 2009-11-08 22:34 -------- d-----w- c:\documents and settings\Mariah\Local Settings\Application Data\Yahoo
2009-11-08 22:34 . 2009-11-08 22:34 -------- d-----w- c:\documents and settings\Mariah\Application Data\Yahoo!
2009-11-08 18:05 . 2004-08-04 07:08 31616 -c--a-w- c:\windows\system32\dllcache\usbccgp.sys
2009-11-08 18:05 . 2004-08-04 07:08 31616 ----a-w- c:\windows\system32\drivers\usbccgp.sys
2009-11-08 05:00 . 2009-11-08 05:00 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\Yahoo!
2009-11-06 19:49 . 2009-11-06 19:49 126970 ----a-w- c:\documents and settings\HP_Administrator\Application Data\Move Networks\uninstall.exe
2009-11-06 19:49 . 2009-11-07 01:25 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\Move Networks
2009-11-04 05:31 . 2009-11-04 05:31 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Yahoo!
2009-10-22 21:00 . 2009-10-22 21:23 -------- d-----w- c:\documents and settings\HP_Administrator\Local Settings\Application Data\Deployment
2009-10-22 20:55 . 2009-10-22 20:55 -------- d-----w- c:\windows\system32\XPSViewer
2009-10-22 20:55 . 2009-10-22 20:55 -------- d-----w- c:\program files\MSBuild
2009-10-22 20:54 . 2009-10-22 20:54 -------- d-----w- c:\program files\Reference Assemblies
2009-10-22 20:53 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
2009-10-22 20:53 . 2009-10-22 20:54 -------- d-----w- C:\2c430fce765b31212abe928efc
2009-10-22 20:53 . 2008-07-06 12:06 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-10-22 20:53 . 2008-07-06 12:06 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
2009-10-22 20:53 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
2009-10-22 20:53 . 2008-07-06 12:06 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll
2009-10-22 20:53 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
2009-10-22 20:53 . 2008-07-06 10:50 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-10-22 20:46 . 2009-10-22 20:46 -------- d-----w- c:\program files\MSXML 6.0

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-15 01:48 . 2009-09-08 20:53 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-09 05:54 . 2004-09-03 09:31 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-11-09 05:51 . 2004-09-03 09:31 -------- d-----w- c:\program files\Symantec
2009-11-09 05:51 . 2004-09-03 09:31 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2009-11-09 05:35 . 2009-07-13 20:00 -------- d-----w- c:\program files\Google
2009-11-08 18:09 . 2009-07-01 02:20 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\Apple Computer
2009-11-07 17:03 . 2004-09-03 07:07 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-11-07 17:02 . 2004-09-03 07:42 -------- d-----w- c:\program files\Easy Internet signup
2009-11-06 19:49 . 2009-08-03 21:48 4187512 ----a-w- c:\documents and settings\HP_Administrator\Application Data\Move Networks\plugins\npqmp071505000010.dll
2009-10-22 21:00 . 2009-07-02 05:03 46200 ----a-w- c:\documents and settings\HP_Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-16 10:32 . 2009-07-09 23:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-10-16 01:42 . 2009-07-06 02:52 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\AdobeUM
2009-10-14 10:11 . 2004-09-03 07:14 -------- d-----w- c:\program files\Microsoft Works
2009-09-22 10:06 . 2009-09-22 10:06 -------- d-----w- c:\program files\Microsoft CAPICOM 2.1.0.2
2009-09-22 00:11 . 2009-09-22 00:11 -------- d-----w- c:\program files\Microsoft Silverlight
2009-09-11 14:33 . 2004-09-10 23:16 133632 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 20:45 . 2004-09-10 23:15 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 07:36 . 2004-09-10 23:18 832512 ------w- c:\windows\system32\wininet.dll
2009-08-29 07:36 . 2004-09-10 23:15 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-08-29 07:36 . 2004-09-10 23:14 17408 ------w- c:\windows\system32\corpol.dll
2009-08-26 08:16 . 2004-09-10 23:17 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-25 16:19 . 2009-08-25 16:19 60416 ----a-w- c:\windows\ALCFDRTM.EXE
2009-08-18 06:33 . 2009-08-18 06:33 1193832 ----a-w- c:\windows\system32\FM20.DLL
.

((((((((((((((((((((((((((((( SnapShot@2009-11-14_23.03.59 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-07-01 10:00 . 2008-07-08 13:02 17272 c:\windows\system32\spmsg.dll
- 2009-07-01 10:00 . 2009-05-26 11:40 17272 c:\windows\system32\spmsg.dll
+ 2004-09-10 23:18 . 2009-08-14 12:19 1850112 c:\windows\system32\win32k.sys
+ 2004-09-10 23:18 . 2009-08-14 12:19 1850112 c:\windows\system32\dllcache\win32k.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2009-05-27 4351216]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-08-04 1667584]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2004-08-10 59392]
"SunJavaUpdateSched"="c:\program files\Java\j2re1.4.2_03\bin\jusched.exe" [2004-09-03 32881]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]
"HPHUPD06"="c:\program files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe" [2004-06-08 49152]
"HPHmon06"="c:\windows\system32\hphmon06.exe" [2004-06-08 659456]
"KBD"="c:\hp\KBD\KBD.EXE" [2003-02-12 61440]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2004-09-03 180269]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2004-04-15 233472]
"PS2"="c:\windows\system32\ps2.exe" [2002-10-16 81920]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-08-27 339968]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-27 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2009-11-13 2020120]
"reluzovew"="c:\windows\system32\mosisuze.dll" [BU]
"AGRSMMSG"="AGRSMMSG.exe" - c:\windows\AGRSMMSG.exe [2004-06-30 88363]
"SoundMan"="SOUNDMAN.EXE" - c:\windows\SOUNDMAN.EXE [2004-07-02 73728]
"AlcWzrd"="ALCWZRD.EXE" - c:\windows\ALCWZRD.EXE [2004-07-06 2550272]
"lemasifoso"="safodaru.dll" [BU]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2004-5-29 241664]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-11-09 06:02 12464 ----a-w- c:\windows\system32\avgrsstx.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Updates from HP\\309731\\Program\\Updates from HP.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\system32\\spoolsv.exe"=
"c:\\Program Files\\Common Files\\Microsoft Shared\\VS7DEBUG\\MDM.EXE"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgtray.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [11/8/2009 10:02 PM 333192]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [11/8/2009 10:02 PM 360584]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [11/8/2009 10:02 PM 285392]

--- Other Services/Drivers In Memory ---

*Deregistered* - mbr
.
Contents of the 'Scheduled Tasks' folder

2009-11-11 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q404&bd=pavilion&pf=desktop
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q404&bd=pavilion&pf=desktop
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\nrbitfyi.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll
FF - plugin: c:\documents and settings\HP_Administrator\Application Data\Move Networks\plugins\npqmp071505000010.dll
FF - plugin: c:\documents and settings\HP_Administrator\Local Settings\Application Data\Yahoo!\BrowserPlus\2.4.21\Plugins\npybrowserplus_2.4.21.dll
FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJava11.dll
FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJava12.dll
FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJava13.dll
FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJava14.dll
FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJava32.dll
FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJPI142_03.dll
FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPOJI610.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
.
- - - - ORPHANS REMOVED - - - -

SharedTaskScheduler-{f06e1f55-727a-4189-a8eb-ba6096015331} - c:\windows\system32\mosisuze.dll
SSODL-relerawib-{f06e1f55-727a-4189-a8eb-ba6096015331} - c:\windows\system32\mosisuze.dll



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-15 10:33
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(612)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(2828)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\windows\system32\msi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\AVG\AVG9\avgchsvx.exe
c:\program files\AVG\AVG9\avgrsx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\AVG\AVG9\avgnsx.exe
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\wscntfy.exe
c:\windows\eHome\ehmsas.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Yahoo!\Messenger\ymsgr_tray.exe
c:\windows\system32\msiexec.exe
c:\program files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
c:\windows\system32\MsiExec.exe
.
**************************************************************************
.
Completion time: 2009-11-15 10:51 - machine was rebooted
ComboFix-quarantined-files.txt 2009-11-15 18:51
ComboFix2.txt 2009-11-14 23:24

Pre-Run: 155,374,399,488 bytes free
Post-Run: 155,244,064,768 bytes free

- - End Of File - - CA1F38672E05D6E7BE226AB2A38977D5

#13 Farbar

  • Just Curious
  • Security Developer
  • 21,714 posts
  • Gender:Male
  • Location:The Netherlands

Posted 15 November 2009 - 02:02 PM

Do you have any idea why the following folder is made?:

c:\program files\Malwarebytes' Anti-Malware99999999999999999999

Go to start => Run, copy and paste the following and click OK:

"c:\program files"

The Program Files folder opens up; inside it, remove the folder named above.
Uninstall Malwarebytes and follow the instructions given previously to install and run it.

#14 chadt

  • Topic Starter
  • Members
  • 28 posts

Posted 15 November 2009 - 03:31 PM

Malwarebytes' Anti-Malware 1.41
Database version: 3176
Windows 5.1.2600 Service Pack 2

11/15/2009 12:31:23 PM
mbam-log-2009-11-15 (12-31-23).txt

Scan type: Quick Scan
Objects scanned: 122334
Time elapsed: 4 minute(s), 9 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\reluzovew (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lemasifoso (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#15 Farbar

  • Just Curious
  • Security Developer
  • 21,714 posts
  • Gender:Male
  • Location:The Netherlands

Posted 15 November 2009 - 04:35 PM

We are almost there. I would like to have a full system check now.

I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Check Posted Image
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the Posted Image button.
  • Push Posted Image
A log file will be saved here: C:\Program Files\ESET\ESET Online Scanner\log.txt