Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


NeXplore & Company will not go away

  • This topic is locked This topic is locked
5 replies to this topic

#1 Cybrjaz


  • Members
  • 11 posts
  • Local time:10:11 PM

Posted 05 February 2010 - 12:49 PM

Here' my DDS log file ...

DDS (Ver_09-12-01.01) - NTFSx86
Run by Rick at 12:34:23.65 on 02/05/2010
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1014.280 [GMT -5:00]

AV: Lavasoft Ad-Watch Live! Anti-Virus *On-access scanning disabled* (Updated) {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\Program Files\Common Files\Microsoft Shared\Ink\KeyboardSurrogate.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
C:\WINDOWS\System32\svchost.exe -k Akamai
C:\Program Files\EPSON Projector\EPSON USB Display V1.4\EMP_UDSA.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Compact Wireless-G USB Network Adapter with SpeedBooster\WLService.exe
C:\Program Files\Compact Wireless-G USB Network Adapter with SpeedBooster\WUSB54GSC.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\TabTip.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\TCServer.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Zune\ZuneLauncher.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe
C:\Program Files\Pure Networks\Network Magic\nmapp.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Documents and Settings\Rick\Desktop\MalWare Tools\dds.pif

============== Pseudo HJT Report ===============

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = iexplore
mSearchAssistant = hxxp://www.google.com/ie
mWinlogon: UIHost=c:\documents and settings\all users\application data\tuneup software\tuneup utilities\winstyler\tu_logonui.exe
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: PC Tools Browser Guard BHO: {2a0f3d1b-0909-4ff4-b272-609cce6054e7} - c:\program files\spyware doctor\bdt\PCTBrowserDefender.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: PC Tools Browser Guard: {472734ea-242a-422b-adf8-83d1e48cc825} - c:\program files\spyware doctor\bdt\PCTBrowserDefender.dll
TB: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [TabletWizard] c:\windows\help\SplshWrp.exe
mRun: [TabletTip] "c:\program files\common files\microsoft shared\ink\tabtip.exe" /resume
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [Snippet] "c:\program files\microsoft experience pack\snipping tool\SnippingTool.exe" /i
mRun: [vptray] c:\progra~1\symant~1\symant~1\vptray.exe
mRun: [type32] "c:\program files\microsoft intellitype pro\type32.exe"
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\point32.exe"
mRun: [Zune Launcher] "c:\program files\zune\ZuneLauncher.exe"
mRun: [UnlockerAssistant] "c:\program files\unlocker\UnlockerAssistant.exe"
mRun: [nmctxth] "c:\program files\common files\pure networks shared\platform\nmctxth.exe"
mRun: [nmapp] "c:\program files\pure networks\network magic\nmapp.exe" -autorun -nosplash
mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe
IE: {193B17B0-7C9F-4D5B-AEAB-8D3605EFC084} - c:\progra~1\copern~1\COPERN~1.EXE
IE: {688DC797-DC11-46A7-9F1B-445F4F58CE6E} - c:\progra~1\copern~1\COPERN~1.EXE
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {0BCBCDD8-E5D9-417D-A752-C2DA929A21BF} - {4D459C49-EA39-4C99-8BBD-75EFB7D6759D} - c:\progra~1\copern~1\COPERN~1.DLL
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
Trusted Zone: intuit.com\ttlc
DPF: {01113300-3E00-11D2-8470-0060089874ED} - hxxp://supportcenter.rr.com/sdccommon/download/tgctlcm.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/3/9/8/398422c0-8d3e-40e1-a617-af65a72a0465/LegitCheckControl.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} - hxxp://www.nvidia.com/content/DriverDownload/srl/
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1143335048562
DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} - hxxps://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8A0019EB-51FA-4AE5-A40B-C0496BBFC739} - hxxp://www.vzwpix.com/activex/VerizonWirelessUploadControl.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -
TCP: {92C0CA86-7491-45D5-9CBB-CA78D628CCFC} =,
TCP: {D467D6DC-BCA0-4273-BCEF-B57522201C32} =,,
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
Handler: copernicagent - {A979B6BD-E40B-4A07-ABDD-A62C64A4EBF6} - c:\progra~1\copern~1\COPERN~1.DLL
Handler: copernicagentcache - {AAC34CFD-274D-4A9D-B0DC-C74C05A67E1D} - c:\progra~1\copern~1\COPERN~1.DLL
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: pure-go - {4746C79A-2042-4332-8650-48966E44ABA8} - c:\program files\common files\pure networks shared\platform\puresp4.dll
Notify: igfxcui - igfxsrvc.dll
Notify: loginkey - c:\program files\common files\microsoft shared\ink\loginkey.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
Notify: TabBtnWL - TabBtnWL.dll
Notify: tpgwlnotify - tpgwlnot.dll
AppInit_DLLs: c:\windows\system32\pogobiwu.dll veyomogo.dll c:\windows\system32\sedatomo.dll c:\windows\system32\todolaze.dll c:\windows\system32\sinahuti.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SSODL: jibemubig - {1c828e9a-664f-42a0-9e2b-b8f69bd73b78} - No File
SSODL: buhamiwoy - {4a743cda-e4fe-49af-89a9-0850b5a0d4d3} - No File
SSODL: yuruwizis - {7a40485a-bd8e-448b-b178-853a69f5bfcd} - No File
SSODL: jogekanis - {505ca51e-67bb-404e-a9a7-bdd55dfc9586} - No File
STS: {1c828e9a-664f-42a0-9e2b-b8f69bd73b78} - No File
STS: {4a743cda-e4fe-49af-89a9-0850b5a0d4d3} - No File
STS: {7a40485a-bd8e-448b-b178-853a69f5bfcd} - No File
STS: {505ca51e-67bb-404e-a9a7-bdd55dfc9586} - No File
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
LSA: Notification Packages = scecli dpmsigfy.dll

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-1-30 64160]
R2 Akamai;Akamai NetSession Interface;c:\windows\system32\svchost.exe -k Akamai [2005-6-22 14336]
R2 EMP_UDSA;EMP_UDSA;c:\program files\epson projector\epson usb display v1.4\EMP_UDSA.exe [2010-1-20 98304]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-3-9 1028432]
R2 LxrSII1d;Secure II Driver;c:\windows\system32\drivers\LxrSII1d.sys [2007-3-21 72672]
R2 NAVAPEL;NAVAPEL;c:\program files\symantec_client_security\symantec antivirus\Navapel.sys [2003-5-2 30208]
R2 Norton AntiVirus Server;Symantec AntiVirus Client;c:\progra~1\symant~1\symant~1\Rtvscan.exe [2003-5-21 610304]
R2 WUSB54GSCSVC;WUSB54GSCSVC;c:\program files\compact wireless-g usb network adapter with speedbooster\WLService.exe [2009-12-8 53307]
R3 eppvad_simple;EPSON Projector UD Audio Device;c:\windows\system32\drivers\EMP_UDAU.sys [2010-1-20 17664]
R3 FinePnt;FinePoint Innovations HID Driver;c:\windows\system32\drivers\FpHidDrv.sys [2006-2-4 24736]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2010-2-3 38224]
R3 MSTabBtn;Quanta Computer Tablet PC Buttons HID Driver;c:\windows\system32\drivers\mstabbtn.sys [2006-2-4 10368]
R3 NAVAP;NAVAP;c:\progra~1\symant~1\symant~1\NAVAP.sys [2003-5-2 224256]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20100129.006\NAVENG.sys [2010-1-30 84912]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20100129.006\NAVEX15.sys [2010-1-30 1323568]
S2 SprintPort;SprintPort Serial Driver;\??\c:\program files\novatel wireless\sprintport\winport.sys --> c:\program files\novatel wireless\sprintport\WINPORT.SYS [?]
S3 el575nd5;3Com Megahertz 10/100 LAN CardBus PC Card Driver;c:\windows\system32\drivers\el575ND5.sys [2005-6-21 69692]
S3 Novatel;Novatel Wireless Network Adapter;c:\windows\system32\drivers\nwc201.sys [2006-5-25 40064]
S3 SocketQuadSerial;Novatel Wireless CDMA 1.9GHz Modem driver;c:\windows\system32\drivers\nvtlg2k.sys [2006-5-25 48556]
S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\microsoft sql server\100\shared\sqladhlp.exe [2008-7-10 47128]
S4 RsFx0102;RsFx0102 Driver;c:\windows\system32\drivers\RsFx0102.sys [2008-7-10 242712]
S4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\microsoft sql server\mssql10.sqlexpress\mssql\binn\SQLAGENT.EXE [2008-7-10 369688]

=============== Created Last 30 ================

2010-02-05 17:15:26 0 d-----w- c:\program files\TrendMicro
2010-02-04 02:53:42 0 d-----w- c:\docume~1\rick\applic~1\Malwarebytes
2010-02-04 02:53:22 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-04 02:53:19 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-02-04 02:53:17 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-02-04 02:53:16 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-02-03 14:16:39 0 d-----w- c:\program files\PDF995
2010-02-03 00:30:18 15688 ----a-w- c:\windows\system32\lsdelete.exe
2010-01-30 17:35:46 0 dc-h--w- c:\docume~1\alluse~1\applic~1\{BC9FCCF7-E686-494B-8C9B-55C9A39A7CA9}
2010-01-30 17:16:01 64160 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-01-30 17:05:06 0 dc-h--w- c:\docume~1\alluse~1\applic~1\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2010-01-27 22:40:23 0 d-----w- c:\docume~1\rick\applic~1\Intuit
2010-01-27 22:40:16 0 d-----w- c:\program files\common files\AnswerWorks 5.0
2010-01-27 22:34:16 0 d-----w- c:\docume~1\alluse~1\applic~1\Intuit
2010-01-27 22:01:44 0 d-----w- c:\program files\TurboTax
2010-01-24 20:31:21 0 d-----w- c:\program files\Spyware Doctor
2010-01-23 17:49:24 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-01-22 22:55:59 78464 -c--a-w- c:\windows\system32\dllcache\usbvideo.sys
2010-01-22 22:55:59 78464 ----a-w- c:\windows\system32\drivers\usbvideo.sys
2010-01-22 22:55:59 53760 -c--a-w- c:\windows\system32\dllcache\vfwwdm32.dll
2010-01-22 22:55:59 53760 ----a-w- c:\windows\system32\vfwwdm32.dll
2010-01-22 22:55:59 43008 -c--a-w- c:\windows\system32\dllcache\ksxbar.ax
2010-01-22 22:55:59 43008 ----a-w- c:\windows\system32\ksxbar.ax
2010-01-22 22:55:59 20992 -c--a-w- c:\windows\system32\dllcache\dshowext.ax
2010-01-22 22:55:59 20992 ----a-w- c:\windows\system32\dshowext.ax
2010-01-20 18:08:05 17664 ----a-w- c:\windows\system32\drivers\EMP_UDAU.sys
2010-01-20 18:08:03 0 d-----w- c:\program files\EPSON Projector
2010-01-16 12:49:18 0 d--h--w- c:\windows\$hf_mig$
2010-01-14 01:23:35 470528 -c----w- c:\windows\system32\dllcache\aclayers.dll
2010-01-13 18:35:58 0 d-----w- c:\program files\HRBlock2009
2010-01-09 13:45:23 19882 ----a-w- c:\windows\opomizufa.dll
2010-01-09 12:50:30 29922 ----a-w- c:\windows\apisuyan.dll

==================== Find3M ====================

2010-01-05 10:00:29 832512 ----a-w- c:\windows\system32\wininet.dll
2010-01-05 10:00:21 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-01-05 10:00:20 17408 ----a-w- c:\windows\system32\corpol.dll
2010-01-05 00:43:19 20363 ----a-w- c:\windows\aruzuzesesuzu.dll
2010-01-02 13:02:55 31422 ----a-w- c:\windows\ehanoduse.dll
2010-01-01 21:20:58 30665 ----a-w- c:\windows\ibaheseheguc.dll
2009-12-31 23:28:09 11527 ----a-w- c:\windows\okepucusezejoh.dll
2009-12-29 23:52:27 11465 ----a-w- c:\windows\iruhobiqobac.dll
2009-12-17 00:22:01 11405 ----a-w- c:\windows\orisawegu.dll
2009-12-13 16:33:36 11465 ----a-w- c:\windows\odareqono.dll
2009-12-13 15:51:02 11465 ----a-w- c:\windows\iqetuxun.dll
2009-12-12 17:53:30 11465 ----a-w- c:\windows\afijekum.dll
2009-12-09 02:55:19 17801 ----a-w- c:\windows\system32\drivers\AegisP.sys
2009-12-07 01:40:28 11465 ----a-w- c:\windows\atokumib.dll
2009-12-06 15:34:14 12201 ----a-w- c:\windows\ofesevihegozavo.dll
2009-12-02 04:21:17 12914 ----a-w- c:\windows\ucacohuvilit.dll
2009-12-02 00:09:29 12204 ----a-w- c:\windows\upacafofoceq.dll
2009-11-30 04:12:24 11527 ----a-w- c:\windows\iwobasus.dll
2009-11-30 02:10:09 11527 ----a-w- c:\windows\oxequfir.dll
2009-11-30 00:08:13 11465 ----a-w- c:\windows\aduritadumo.dll
2009-11-29 22:06:10 11465 ----a-w- c:\windows\ecusubukaqibiyov.dll
2009-11-29 20:04:13 11465 ----a-w- c:\windows\okenezud.dll
2009-11-29 18:02:12 11465 ----a-w- c:\windows\etifamanapoxu.dll
2009-11-28 15:18:04 11465 ----a-w- c:\windows\ufokajomowapupiy.dll
2009-11-28 01:53:34 12132 ----a-w- c:\windows\idulamufoyem.dll
2009-11-27 02:16:11 11527 ----a-w- c:\windows\ivuluxocac.dll
2009-11-25 15:43:38 11527 ----a-w- c:\windows\esacedofibu.dll
2009-11-25 07:22:18 12195 ----a-w- c:\windows\ihirimuqujuzes.dll
2009-11-25 05:18:08 11465 ----a-w- c:\windows\eyelolel.dll
2009-11-24 03:36:31 11241 ----a-w- c:\windows\odivinasowovone.dll
2009-11-24 00:42:23 11527 ----a-w- c:\windows\adebuxidetayol.dll
2009-11-23 22:42:46 11465 ----a-w- c:\windows\eliyeviw.dll
2009-11-23 01:43:36 11527 ----a-w- c:\windows\efabadebirita.dll
2009-11-22 06:36:51 12173 ----a-w- c:\windows\ekisawan.dll
2009-11-22 04:34:51 12207 ----a-w- c:\windows\uqoyuruwokuqisal.dll
2009-11-21 03:53:16 12869 ----a-w- c:\windows\igopikebeg.dll
2009-11-21 01:52:39 11465 ----a-w- c:\windows\uhabojebuqagetey.dll
2009-11-20 23:21:18 11405 ----a-w- c:\windows\akeboxagijo.dll
2009-11-18 00:53:14 11465 ----a-w- c:\windows\uvahevatepinuk.dll
2009-11-15 23:07:30 11465 ----a-w- c:\windows\osuxezoy.dll
2009-11-15 04:06:57 12217 ----a-w- c:\windows\ovucolay.dll
2009-11-15 02:04:57 12146 ----a-w- c:\windows\umaqazejowedi.dll
2009-11-15 00:02:59 11465 ----a-w- c:\windows\okunilecolayiza.dll
2009-11-14 03:19:21 12964 ----a-w- c:\windows\asacimaf.dll
2009-11-13 04:32:54 16385 ----a-w- c:\windows\egeyeguw.dll
2009-11-13 02:30:59 11527 ----a-w- c:\windows\umidolequfirawax.dll
2009-11-12 03:36:18 11465 ----a-w- c:\windows\ohiwosaf.dll
2009-11-08 16:18:58 13332 ----a-w- c:\windows\ogasivol.dll
2009-11-08 15:07:27 13187 ----a-w- c:\windows\uvusiziw.dll
2009-11-07 18:43:09 11527 ----a-w- c:\windows\igowatebicog.dll
2008-03-15 01:15:27 774144 ----a-w- c:\program files\RngInterstitial.dll
1601-01-01 00:03:28 51720 --sha-w- c:\windows\system32\fejekina.exe
2007-08-24 13:29:53 2828 --sha-w- c:\windows\system32\KGyGaAvL.sys
2009-10-19 18:07:36 245760 --sha-w- c:\windows\system32\config\systemprofile\ietldcache\index.dat

============= FINISH: 12:35:24.71 ===============

And now the MalWareBytes log file ... despite what it all says, I'm pretty sure nothing has changed and it's still there - thanks for the help ....

Malwarebytes' Anti-Malware 1.44
Database version: 3510
Windows 5.1.2600 Service Pack 2
Internet Explorer 7.0.5730.11

02/03/2010 10:34:03 PM
mbam-log-2010-02-03 (22-34-03).txt

Scan type: Quick Scan
Objects scanned: 142477
Time elapsed: 12 minute(s), 35 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 5
Registry Keys Infected: 6
Registry Values Infected: 5
Registry Data Items Infected: 7
Folders Infected: 1
Files Infected: 23

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
c:\WINDOWS\system32\bitaloyo.dll (Trojan.Vundo.H) -> Delete on reboot.
c:\WINDOWS\system32\jebuhike.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\sajeradi.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\veyomogo.dll (Trojan.Vundo.H) -> Delete on reboot.
c:\WINDOWS\system32\yemibumi.dll (Trojan.Vundo.H) -> Delete on reboot.

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{1b49b087-15c4-4905-b8d3-3505bbdb71c3} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{56213cb3-909e-4293-b94a-f587c0914a16} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yibulakaj (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{1b49b087-15c4-4905-b8d3-3505bbdb71c3} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\pomaremef (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{56213cb3-909e-4293-b94a-f587c0914a16} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\uid (Malware.Trace) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: sajeradi.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: c:\windows\system32\jebuhike.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: system32\jebuhike.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Spyware.Zbot) -> Data: c:\windows\system32\sdra64.exe -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Spyware.Zbot) -> Data: system32\sdra64.exe -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.Userinit) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,) Good: (Userinit.exe) -> Quarantined and deleted successfully.

Folders Infected:
C:\WINDOWS\system32\lowsec (Stolen.data) -> Delete on reboot.

Files Infected:
C:\WINDOWS\system32\bitaloyo.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\diwuzito.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\dowosiki.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\dubojoba.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\hoyolajo.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\jebuhike.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\jojekode.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\mafakomu.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\sajeradi.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\sebasale.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\sofofuhi.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\tinohofa.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\veyomogo.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\wolunebu.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wuholove.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\yemibumi.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\cpnprt2.cid (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\cpnprt2.cid (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lowsec\local.ds (Stolen.data) -> Delete on reboot.
C:\WINDOWS\system32\lowsec\user.ds (Stolen.data) -> Delete on reboot.
C:\WINDOWS\system32\lowsec\user.ds.lll (Stolen.data) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\sdra64.exe (Spyware.Zbot) -> Delete on reboot.
C:\WINDOWS\PictureViewerEXE.scr (Backdoor.Bot) -> Quarantined and deleted successfully.

oh yeah - and before you guys ask ... I cannot download latest version of HiJackThis ... I keep getting redirected to the default IE "this file doesn't exist" page ... it was all I could do to get the programs that I got in order to get the log files you guys need ... if I need ComboFix then I'm really screwed because I can't get that anywhere ... yet ... lOL

Let me know

Merged 3 posts. ~ OB

Edited by Orange Blossom, 05 February 2010 - 03:22 PM.

BC AdBot (Login to Remove)


#2 Cybrjaz

  • Topic Starter

  • Members
  • 11 posts
  • Local time:10:11 PM

Posted 11 February 2010 - 10:12 AM

Checking back in to see if I can get any help on this issue - please advise



While we understand your frustration at having to wait, please note that Bleeping Computer deals with several hundred requests for assistance such as yours on a daily basis. As a result, our backlog is quite large as are other comparable sites that help others with malware issues. Although our HJT Team members work on hundreds of requests each day, they are all volunteers who work logs when they can and are able to do so. No one is paid by Bleeping Computer for their assistance to our members.

Further, our malware removal staff is comprised of team members with various levels of skill and expertise to deal with thousands of malware variants, some more complex than others. Although we try to take DDS/HJT logs in order (starting with the oldest), it is often the skill level of the particular helper and sometimes the operating system that dictates which logs get selected first. Some infections are more complicated than others and require a higher skill level to remove. Without that skill level attempted removal could result in disastrous results. In other instances, the helper may not be familiar with the operating system that you are using, since they use another. In either case, neither of us want someone to assist you who is not familiar with your issue and attempt to fix it.

We ask that once you have posted your log and are waiting, please DO NOT "bump" your thread or make further replies until it has been responded to by a member of the HJT Team. The reason we ask this or do not respond to your requests is because that would remove you from the active queue that Techs and Staff have access to. The malware staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response, there will be 1 reply. A team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.

That is why I have made an edit to your last post, instead of a reply. Please do not multiple post here, as that only pushes you further down the queue and causes confusion to the staff.

Please be patient. It may take several days, up to more than a week, perhaps less, to get a response but your log will be reviewed and answered as soon as possible. I advise checking your topic once a day for responses as the e-mail notification system is unreliable.

Thank you for understanding.

Elise - forum moderator

Edited by elise025, 11 February 2010 - 12:51 PM.

#3 syler


  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK
  • Local time:03:11 AM

Posted 12 February 2010 - 03:27 PM


My name is Syler and I will be helping you to solve your Malware issues. If you have since resolved your issues I would appreciate if you
would let me no so I can close this topic, if you still need help please let me no what issues you are still having, in your next reply.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and
we are trying our best to keep up.

  • Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized)

  1. Please download GMER from one of the following locations, and save it to your desktop:
    • Main Mirror
      This version will download a randomly named file (Recommended)
    • Zip Mirror
      This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  2. Disconnect from the Internet and close all running programs, as this process may crash your computer.
  3. Temporarily disable any real-time active protection so your security program drivers will not conflict with gmer's driver.
  4. Double click on Gmer to run it.
  5. Allow the gmer.sys driver to load if asked.
  6. You may see a rootkit warning window, If you do, click No.
  7. Untick the following boxes on the right side of the Gmer screen.
    Show All
  8. Click on and wait for the scan to finish.
  9. If you see a rootkit warning window, click OK.
  10. Push and save the logfile to your desktop.
  11. Copy and Paste the contents of that file in your next post.

Then please post back here with the following:
  • log.txt
  • info.txt
  • Gmer log



#4 Cybrjaz

  • Topic Starter

  • Members
  • 11 posts
  • Local time:10:11 PM

Posted 16 February 2010 - 02:33 PM

I cannot download the RSIT file - do you have an alternate?

#5 syler


  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK
  • Local time:03:11 AM

Posted 16 February 2010 - 05:59 PM

Try this tool instead.
  1. Please download OTL from one of the following mirrors:
  2. Save it to your desktop.
  3. Double click on the icon on your desktop.
  4. Click the "Scan All Users" checkbox.
    Under the Custom Scans/Fixes box at the bottom, paste in the following bold text.
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles

  5. Push the button.
  6. Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized


#6 syler


  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK
  • Local time:03:11 AM

Posted 22 February 2010 - 11:32 AM

Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please request this by sending me a PM
with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.


0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users