
TR/Monder.czox Trojan and probably more.


  • This topic is locked
16 replies to this topic

#1 01Blade10

  • Members
  • 10 posts

Posted 27 February 2010 - 02:35 PM

Every time a new application runs, Avira warns me that that virus is trying to gain access; it will not go away until I hit Ignore, then the window opens. I also have a virus where, when I go to a site, sometimes a new window with an ad in it will pop up. When I tried to run the GMER program, it was going fine... then my screen went black, and the computer restarted. So I don't really have the GMER log.


DDS (Ver_09-12-01.01) - NTFSx86
Run by Theoxus at 13:39:03.75 on Sat 02/27/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1486 [GMT -5:00]

AV: AntiVir Desktop *On-access scanning disabled* (Outdated) {AD166499-45F9-482A-A743-FDD3350758C7}

============== Running Processes ===============

E:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
E:\WINDOWS\System32\svchost.exe -k netsvcs
E:\Program Files\WTouch\WTouchService.exe
E:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
E:\WINDOWS\system32\spoolsv.exe
E:\Program Files\Avira\AntiVir Desktop\sched.exe
svchost.exe
E:\Program Files\Avira\AntiVir Desktop\avguard.exe
E:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
E:\Program Files\Bonjour\mDNSResponder.exe
E:\WINDOWS\System32\svchost.exe -k HTTPFilter
E:\Program Files\Java\jre6\bin\jqs.exe
E:\Program Files\Java\jre6\bin\jusched.exe
E:\Nexon\Mabinogi\npkcmsvc.exe
E:\WINDOWS\system32\nvsvc32.exe
E:\Program Files\Avira\AntiVir Desktop\avgnt.exe
E:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
E:\WINDOWS\system32\svchost.exe -k imgsvc
E:\WINDOWS\system32\Pen_Tablet.exe
E:\WINDOWS\system32\Pen_Tablet.exe
E:\Program Files\iPod\bin\iPodService.exe
E:\WINDOWS\system32\rundll32.exe
E:\Program Files\Mozilla Firefox\firefox.exe
E:\WINDOWS\system32\taskmgr.exe
E:\Program Files\Unlocker\Unlocker.exe
E:\WINDOWS\system32\ctfmon.exe
E:\WINDOWS\explorer.exe
E:\Program Files\TortoiseSVN\bin\TSVNCache.exe
E:\Documents and Settings\Theoxus\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearchMigratedDefaultURL = hxxp://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
uInternet Connection Wizard,ShellNext = https://login.live.com/ppsecure/sha1auth.srf?lc=1033
uInternet Settings,ProxyOverride = *.local
mURLSearchHooks: H - No File
mWinlogon: SfcDisable=-99 (0xffffff9d)
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - e:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {51930d42-c560-4620-9b0a-09e17a557c27} - mulifadu.dll
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - e:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - e:\program files\java\jre6\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - e:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - e:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - e:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: StylerToolBar: {d2f8f919-690b-4ea2-9fa7-a203d1e04f75} - e:\program files\styler\tb\StylerTB.dll
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
TB: {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - No File
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
TB: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
uRun: [LClock] e:\program files\lclock\LClock.exe
uRun: [ctfmon.exe] e:\windows\system32\ctfmon.exe
uRun: [Steam] "e:\program files\steam\steam.exe" -silent
uRun: [WMPNSCFG] e:\program files\windows media player\WMPNSCFG.exe
uRun: [Google Update] "e:\documents and settings\theoxus\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [Pando Media Booster] e:\program files\pando networks\media booster\PMB.exe
mRun: [PWRISOVM.EXE] e:\program files\poweriso\PWRISOVM.EXE
mRun: [SunJavaUpdateSched] "e:\program files\java\jre6\bin\jusched.exe"
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [AppleSyncNotifier] e:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [Adobe Reader Speed Launcher] "e:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [avgnt] "e:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [NvCplDaemon] RUNDLL32.EXE e:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE e:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [Livestream Procaster] "e:\program files\livestream procaster\Procaster.exe" -autorun
mRun: [kutotusifi] Rundll32.exe "e:\windows\temp\tmp11.dll",s
mRun: [QuickTime Task] "e:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "e:\program files\itunes\iTunesHelper.exe"
mRun: [fiwudokef] Rundll32.exe "e:\windows\system32\yopopanu.dll",a
dRun: [LClock] e:\program files\lclock\LClock.exe
dRunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N
dRunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32
StartupFolder: e:\docume~1\theoxus\startm~1\programs\startup\openof~1.lnk - e:\program files\openoffice.org 3\program\quickstart.exe
StartupFolder: e:\docume~1\alluse~1\startm~1\programs\startup\flashp~1.lnk - e:\program files\smartdisk\flashpath\sdstat.exe
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/C/0/C/C0CBBA88-A6F2-48D9-9B0E-1719D1177202/LegitCheckControl.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - e:\progra~1\common~1\skype\SKYPE4~1.DLL
AppInit_DLLs: harupeza.dll e:\windows\system32\hulawira.dll lotoyeyo.dll pozihibi.dll e:\windows\system32\yopopanu.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - e:\windows\system32\wpdshserviceobj.dll
SSODL: nejozeyur - {f216ff80-85c0-4232-94bf-3396ba443b51} - e:\windows\system32\hulawira.dll
SSODL: hamurosed - {b76606ca-188f-42d5-81bb-044cc103d798} - e:\windows\system32\yopopanu.dll
STS: mujuzedij: {f216ff80-85c0-4232-94bf-3396ba443b51} - e:\windows\system32\hulawira.dll
STS: tokatiluy: {b76606ca-188f-42d5-81bb-044cc103d798} - e:\windows\system32\yopopanu.dll
LSA: Notification Packages = scecli zeyoheko.dll lotoyeyo.dll e:\windows\temp\tmp11.dll layezefu.dll e:\windows\temp\tmp6E.dll
mASetup: {D58F39FF-953E-4F45-898F-59F243B9A523} - RUNDLL32 advpack.dll,LaunchINFSection Sidebar.inf,Register

================= FIREFOX ===================

FF - ProfilePath - e:\docume~1\theoxus\applic~1\mozilla\firefox\profiles\ma48oc8e.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.live.com/results.aspx?FORM=IEFM1&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://reeno166.deviantart.com/
FF - plugin: e:\documents and settings\all users\application data\nexonus\ngm\npNxGameUS.dll
FF - plugin: e:\documents and settings\theoxus\local settings\application data\google\update\1.2.183.17\npGoogleOneClick8.dll
FF - plugin: e:\program files\mozilla firefox\plugins\npPandoWebInst.dll
FF - plugin: e:\program files\tabletplugins\npwacom.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - e:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - e:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - e:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
============= SERVICES / DRIVERS ===============

R1 avgio;avgio;e:\program files\avira\antivir desktop\avgio.sys [2009-5-11 11608]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;e:\program files\avira\antivir desktop\sched.exe [2009-5-11 108289]
R2 AntiVirService;Avira AntiVir Guard;e:\program files\avira\antivir desktop\avguard.exe [2009-5-11 185089]
R2 avgntflt;avgntflt;e:\windows\system32\drivers\avgntflt.sys [2009-5-11 56816]
R2 FlashNT;FlashNT;e:\windows\system32\drivers\FLASHNT.SYS [2009-8-8 72784]
R2 Sdselect;Sdselect;e:\windows\system32\drivers\sdselect.sys [2009-8-8 73296]
R2 TabletServicePen;TabletServicePen;e:\windows\system32\Pen_Tablet.exe [2010-1-31 4497704]
R2 WTouchService;WTouch Service;e:\program files\wtouch\WTouchService.exe [2010-1-31 113448]
R3 ngrpci;NETGEAR FA310TX Fast Ethernet Adapter Driver;e:\windows\system32\drivers\Ngrpci.sys [2009-4-11 32840]
R3 wacmoumonitor;Wacom Mode Helper;e:\windows\system32\drivers\wacmoumonitor.sys [2010-1-31 15144]
S3 ALSysIO;ALSysIO;\??\e:\docume~1\theoxus\locals~1\temp\alsysio.sys --> e:\docume~1\theoxus\locals~1\temp\ALSysIO.sys [?]
S3 FirebirdServerMAGIXInstance;Firebird Server - MAGIX Instance;e:\program files\magix\common\database\bin\fbserver.exe [2009-1-26 1527900]
S3 libusb0;LibUsb-Win32 - Kernel Driver 03/20/2007, 0.1.12.1;e:\windows\system32\drivers\libusb0.sys [2009-4-11 28672]
S3 PsSdk41;PsSdk41;e:\windows\system32\drivers\pssdk41.sys [2009-3-12 36928]
S3 smrtdrv;SMART Technologies Inc. Mirror Driver;e:\windows\system32\drivers\smrtdrv.sys [2004-4-22 2432]

=============== Created Last 30 ================

2010-02-24 21:15:31 0 d-----w- E:\Soldat
2010-02-24 21:15:31 0 d-----w- e:\docume~1\theoxus\applic~1\Soldat
2010-02-23 21:17:27 0 d-----w- e:\docume~1\alluse~1\applic~1\WOP
2010-02-23 21:17:24 1974616 ----a-w- e:\windows\system32\D3DCompiler_42.dll
2010-02-23 21:17:23 5501792 ----a-w- e:\windows\system32\d3dcsx_42.dll
2010-02-23 21:17:04 0 d-----w- e:\windows\Logs
2010-02-23 21:00:29 0 d-----w- e:\program files\iPod
2010-02-23 21:00:23 0 d-----w- e:\program files\iTunes
2010-02-23 21:00:23 0 d-----w- e:\docume~1\alluse~1\applic~1\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2010-02-22 21:29:49 1 --sh--w- e:\windows\system32\gezibaju.dll
2010-02-22 21:07:14 1 --sh--w- e:\windows\system32\zafufovi.dll
2010-02-18 02:54:55 118784 ----a-w- e:\windows\system32\MSSTDFMT.DLL
2010-02-18 02:54:55 1071088 ----a-w- e:\windows\system32\MSCOMCTL.OCX
2010-02-18 02:54:54 0 d-----w- e:\program files\SpywareBlaster
2010-02-18 01:31:44 0 d--h--w- e:\windows\system32\GroupPolicy
2010-02-17 03:42:06 0 d-----w- e:\docume~1\theoxus\applic~1\X-Chat 2
2010-02-17 03:41:32 0 d-----w- e:\program files\X-Chat 2
2010-02-16 22:34:35 798773 ----a-w- e:\windows\system32\MFCO42D.DLL
2010-02-16 02:28:42 0 d-----w- e:\program files\XBox 360 Controller for Windows Software
2010-01-31 22:35:57 0 d-----w- e:\docume~1\theoxus\applic~1\WTablet
2010-01-31 22:35:49 0 d-----w- e:\docume~1\theoxus\applic~1\WTouch
2010-01-31 22:35:47 245032 ----a-w- e:\windows\system32\Touch_Tablet.dll
2010-01-31 22:35:47 0 d-----w- e:\program files\WTouch
2010-01-31 22:35:40 0 d-----w- e:\program files\TabletPlugins
2010-01-31 22:35:39 6393640 ----a-w- e:\windows\system32\PenTablet.cpl
2010-01-31 22:35:39 1595175 ----a-w- e:\windows\system32\PenTablet.znc
2010-01-31 22:31:55 13736 ----a-w- e:\windows\system32\drivers\wacomvhid.sys
2010-01-31 22:31:55 11312 ----a-w- e:\windows\system32\drivers\wacommousefilter.sys
2010-01-31 22:31:40 15144 ----a-w- e:\windows\system32\drivers\wacmoumonitor.sys
2010-01-31 22:31:40 0 d-----w- e:\windows\system32\WTablet
2010-01-31 22:31:37 416040 ----a-w- e:\windows\system32\Pen_Tablet.dll
2010-01-31 22:31:37 284160 ----a-w- e:\windows\system32\Wintab32.dll
2010-01-31 22:31:36 4497704 ----a-w- e:\windows\system32\Pen_Tablet.exe
2010-01-31 22:31:33 0 d-----w- e:\program files\Tablet
2010-01-31 22:11:48 0 d-----w- e:\windows\Downloaded Installations
2010-01-31 22:10:44 0 d-----w- e:\program files\Livestream Procaster

==================== Find3M ====================

2010-02-19 04:16:26 6192548 ----a-w- e:\program files\Livestream Procaster.rar
2010-01-18 06:30:46 499712 ----a-w- e:\windows\system32\msvcp71.dll
2009-12-21 13:19:18 173056 ------w- e:\windows\system32\dllcache\ie4uinit.exe
2009-01-26 22:56:34 75 -csh--r- e:\windows\ICMET20.BIN
1601-01-01 00:03:52 55296 --sha-w- e:\windows\system32\gijiyeli.dll
1601-01-01 00:03:52 55296 --sha-w- e:\windows\system32\layezefu.dll
1601-01-01 00:03:28 41984 --sha-w- e:\windows\system32\lehebofi.dll
1601-01-01 00:03:28 1 --sha-w- e:\windows\system32\mekijoru.dll
1601-01-01 00:03:28 70144 --sha-w- e:\windows\system32\nojutoko.dll
1601-01-01 00:03:28 1 --sha-w- e:\windows\system32\vizalodu.dll
1601-01-01 00:03:52 55296 --sha-w- e:\windows\system32\zujawaro.dll
2008-12-04 01:11:02 32768 -csha-w- e:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008120320081204\index.dat

============= FINISH: 13:40:09.51 ===============


#2 Blind Faith

  • Malware Response Team
  • 4,101 posts

Posted 02 March 2010 - 03:06 PM

Hello and welcome to Bleeping Computer!

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

We also need a new log from the GMER anti-rootkit scanner. Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice

Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log





Elle


If I haven't replied in 48 hours, please feel free to send me a PM.




#3 01Blade10

  • Topic Starter
  • Members
  • 10 posts

Posted 02 March 2010 - 09:18 PM

Same situation as above: for every application I run, Avira asks me if it is okay to let yopopanu.dll go. If I hit Deny, it keeps coming back; if I hit Ignore, the window opens up. Whenever I browse the web, there is sometimes an ad that will pop up in a new window.

AND AGAIN, GMER CRASHED.




DDS (Ver_09-12-01.01) - NTFSx86
Run by Theoxus at 19:30:34.12 on Tue 03/02/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1487 [GMT -5:00]

AV: AntiVir Desktop *On-access scanning disabled* (Outdated) {AD166499-45F9-482A-A743-FDD3350758C7}

============== Running Processes ===============

E:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
E:\WINDOWS\System32\svchost.exe -k netsvcs
E:\Program Files\WTouch\WTouchService.exe
E:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
E:\WINDOWS\system32\spoolsv.exe
E:\Program Files\Avira\AntiVir Desktop\sched.exe
svchost.exe
E:\Program Files\WTouch\WTouchUser.exe
E:\WINDOWS\Explorer.EXE
E:\Program Files\TortoiseSVN\bin\TSVNCache.exe
E:\Program Files\Avira\AntiVir Desktop\avguard.exe
E:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
E:\Program Files\Bonjour\mDNSResponder.exe
E:\WINDOWS\System32\svchost.exe -k HTTPFilter
E:\Program Files\Java\jre6\bin\jqs.exe
E:\Nexon\Mabinogi\npkcmsvc.exe
E:\WINDOWS\system32\nvsvc32.exe
E:\Program Files\PowerISO\PWRISOVM.EXE
E:\Program Files\Java\jre6\bin\jusched.exe
E:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
E:\WINDOWS\SOUNDMAN.EXE
E:\WINDOWS\system32\svchost.exe -k imgsvc
E:\WINDOWS\system32\Pen_Tablet.exe
E:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
E:\Program Files\Avira\AntiVir Desktop\avgnt.exe
E:\WINDOWS\system32\WTablet\Pen_TabletUser.exe
E:\WINDOWS\system32\Pen_Tablet.exe
E:\WINDOWS\system32\RUNDLL32.EXE
E:\Program Files\Livestream Procaster\Procaster.exe
E:\Program Files\iTunes\iTunesHelper.exe
E:\Program Files\LClock\LClock.exe
E:\WINDOWS\system32\ctfmon.exe
E:\Program Files\Pando Networks\Media Booster\PMB.exe
E:\Program Files\SmartDisk\FlashPath\sdstat.exe
E:\Program Files\OpenOffice.org 3\program\soffice.exe
E:\Program Files\OpenOffice.org 3\program\soffice.bin
E:\Program Files\iPod\bin\iPodService.exe
E:\Program Files\Mozilla Firefox\firefox.exe
E:\Documents and Settings\Theoxus\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearchMigratedDefaultURL = hxxp://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
uInternet Connection Wizard,ShellNext = https://login.live.com/ppsecure/sha1auth.srf?lc=1033
uInternet Settings,ProxyOverride = *.local
mURLSearchHooks: H - No File
mWinlogon: SfcDisable=-99 (0xffffff9d)
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - e:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {51930d42-c560-4620-9b0a-09e17a557c27} - mulifadu.dll
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - e:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - e:\program files\java\jre6\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - e:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - e:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - e:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: StylerToolBar: {d2f8f919-690b-4ea2-9fa7-a203d1e04f75} - e:\program files\styler\tb\StylerTB.dll
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
TB: {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - No File
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
TB: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
uRun: [LClock] e:\program files\lclock\LClock.exe
uRun: [ctfmon.exe] e:\windows\system32\ctfmon.exe
uRun: [Steam] "e:\program files\steam\steam.exe" -silent
uRun: [WMPNSCFG] e:\program files\windows media player\WMPNSCFG.exe
uRun: [Google Update] "e:\documents and settings\theoxus\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [Pando Media Booster] e:\program files\pando networks\media booster\PMB.exe
uRunOnce: [FlashPlayerUpdate] e:\windows\system32\macromed\flash\FlashUtil10d.exe
mRun: [PWRISOVM.EXE] e:\program files\poweriso\PWRISOVM.EXE
mRun: [SunJavaUpdateSched] "e:\program files\java\jre6\bin\jusched.exe"
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [AppleSyncNotifier] e:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [Adobe Reader Speed Launcher] "e:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [avgnt] "e:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [NvCplDaemon] RUNDLL32.EXE e:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE e:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [Livestream Procaster] "e:\program files\livestream procaster\Procaster.exe" -autorun
mRun: [kutotusifi] Rundll32.exe "e:\windows\temp\tmp11.dll",s
mRun: [QuickTime Task] "e:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "e:\program files\itunes\iTunesHelper.exe"
mRun: [fiwudokef] Rundll32.exe "e:\windows\system32\yopopanu.dll",a
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
dRun: [LClock] e:\program files\lclock\LClock.exe
dRunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N
dRunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32
StartupFolder: e:\docume~1\theoxus\startm~1\programs\startup\openof~1.lnk - e:\program files\openoffice.org 3\program\quickstart.exe
StartupFolder: e:\docume~1\alluse~1\startm~1\programs\startup\flashp~1.lnk - e:\program files\smartdisk\flashpath\sdstat.exe
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/C/0/C/C0CBBA88-A6F2-48D9-9B0E-1719D1177202/LegitCheckControl.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - e:\progra~1\common~1\skype\SKYPE4~1.DLL
AppInit_DLLs: harupeza.dll e:\windows\system32\hulawira.dll lotoyeyo.dll pozihibi.dll e:\windows\system32\yopopanu.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - e:\windows\system32\wpdshserviceobj.dll
SSODL: nejozeyur - {f216ff80-85c0-4232-94bf-3396ba443b51} - e:\windows\system32\hulawira.dll
SSODL: hamurosed - {b76606ca-188f-42d5-81bb-044cc103d798} - e:\windows\system32\yopopanu.dll
STS: mujuzedij: {f216ff80-85c0-4232-94bf-3396ba443b51} - e:\windows\system32\hulawira.dll
STS: tokatiluy: {b76606ca-188f-42d5-81bb-044cc103d798} - e:\windows\system32\yopopanu.dll
LSA: Notification Packages = scecli zeyoheko.dll lotoyeyo.dll e:\windows\temp\tmp11.dll layezefu.dll e:\windows\temp\tmp6E.dll
mASetup: {D58F39FF-953E-4F45-898F-59F243B9A523} - RUNDLL32 advpack.dll,LaunchINFSection Sidebar.inf,Register

================= FIREFOX ===================

FF - ProfilePath - e:\docume~1\theoxus\applic~1\mozilla\firefox\profiles\ma48oc8e.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.live.com/results.aspx?FORM=IEFM1&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://reeno166.deviantart.com/
FF - plugin: e:\documents and settings\all users\application data\nexonus\ngm\npNxGameUS.dll
FF - plugin: e:\documents and settings\theoxus\local settings\application data\google\update\1.2.183.17\npGoogleOneClick8.dll
FF - plugin: e:\program files\mozilla firefox\plugins\npPandoWebInst.dll
FF - plugin: e:\program files\tabletplugins\npwacom.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - e:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - e:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - e:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
============= SERVICES / DRIVERS ===============

R1 avgio;avgio;e:\program files\avira\antivir desktop\avgio.sys [2009-5-11 11608]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;e:\program files\avira\antivir desktop\sched.exe [2009-5-11 108289]
R2 AntiVirService;Avira AntiVir Guard;e:\program files\avira\antivir desktop\avguard.exe [2009-5-11 185089]
R2 avgntflt;avgntflt;e:\windows\system32\drivers\avgntflt.sys [2009-5-11 56816]
R2 FlashNT;FlashNT;e:\windows\system32\drivers\FLASHNT.SYS [2009-8-8 72784]
R2 Sdselect;Sdselect;e:\windows\system32\drivers\sdselect.sys [2009-8-8 73296]
R2 TabletServicePen;TabletServicePen;e:\windows\system32\Pen_Tablet.exe [2010-1-31 4497704]
R2 WTouchService;WTouch Service;e:\program files\wtouch\WTouchService.exe [2010-1-31 113448]
R3 ngrpci;NETGEAR FA310TX Fast Ethernet Adapter Driver;e:\windows\system32\drivers\Ngrpci.sys [2009-4-11 32840]
S3 ALSysIO;ALSysIO;\??\e:\docume~1\theoxus\locals~1\temp\alsysio.sys --> e:\docume~1\theoxus\locals~1\temp\ALSysIO.sys [?]
S3 FirebirdServerMAGIXInstance;Firebird Server - MAGIX Instance;e:\program files\magix\common\database\bin\fbserver.exe [2009-1-26 1527900]
S3 libusb0;LibUsb-Win32 - Kernel Driver 03/20/2007, 0.1.12.1;e:\windows\system32\drivers\libusb0.sys [2009-4-11 28672]
S3 PsSdk41;PsSdk41;e:\windows\system32\drivers\pssdk41.sys [2009-3-12 36928]
S3 smrtdrv;SMART Technologies Inc. Mirror Driver;e:\windows\system32\drivers\smrtdrv.sys [2004-4-22 2432]
S3 wacmoumonitor;Wacom Mode Helper;e:\windows\system32\drivers\wacmoumonitor.sys [2010-1-31 15144]

=============== Created Last 30 ================

2010-02-24 21:15:31 0 d-----w- E:\Soldat
2010-02-24 21:15:31 0 d-----w- e:\docume~1\theoxus\applic~1\Soldat
2010-02-23 21:17:27 0 d-----w- e:\docume~1\alluse~1\applic~1\WOP
2010-02-23 21:17:24 1974616 ----a-w- e:\windows\system32\D3DCompiler_42.dll
2010-02-23 21:17:23 5501792 ----a-w- e:\windows\system32\d3dcsx_42.dll
2010-02-23 21:17:04 0 d-----w- e:\windows\Logs
2010-02-23 21:00:29 0 d-----w- e:\program files\iPod
2010-02-23 21:00:23 0 d-----w- e:\program files\iTunes
2010-02-23 21:00:23 0 d-----w- e:\docume~1\alluse~1\applic~1\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2010-02-22 21:29:49 1 --sh--w- e:\windows\system32\gezibaju.dll
2010-02-22 21:07:14 1 --sh--w- e:\windows\system32\zafufovi.dll
2010-02-18 02:54:55 118784 ----a-w- e:\windows\system32\MSSTDFMT.DLL
2010-02-18 02:54:55 1071088 ----a-w- e:\windows\system32\MSCOMCTL.OCX
2010-02-18 02:54:54 0 d-----w- e:\program files\SpywareBlaster
2010-02-18 01:31:44 0 d--h--w- e:\windows\system32\GroupPolicy
2010-02-17 03:42:06 0 d-----w- e:\docume~1\theoxus\applic~1\X-Chat 2
2010-02-17 03:41:32 0 d-----w- e:\program files\X-Chat 2
2010-02-16 22:34:35 798773 ----a-w- e:\windows\system32\MFCO42D.DLL
2010-02-16 02:28:42 0 d-----w- e:\program files\XBox 360 Controller for Windows Software

==================== Find3M ====================

2010-02-19 04:16:26 6192548 ----a-w- e:\program files\Livestream Procaster.rar
2010-01-18 06:30:46 499712 ----a-w- e:\windows\system32\msvcp71.dll
2009-12-21 13:19:18 173056 ------w- e:\windows\system32\dllcache\ie4uinit.exe
2009-01-26 22:56:34 75 -csh--r- e:\windows\ICMET20.BIN
1601-01-01 00:03:52 55296 --sha-w- e:\windows\system32\gijiyeli.dll
1601-01-01 00:03:52 55296 --sha-w- e:\windows\system32\layezefu.dll
1601-01-01 00:03:28 41984 --sha-w- e:\windows\system32\lehebofi.dll
1601-01-01 00:03:28 1 --sha-w- e:\windows\system32\mekijoru.dll
1601-01-01 00:03:28 70656 --sha-w- e:\windows\system32\tamuyiko.dll
1601-01-01 00:03:28 1 --sha-w- e:\windows\system32\vizalodu.dll
1601-01-01 00:03:52 55296 --sha-w- e:\windows\system32\zujawaro.dll
2008-12-04 01:11:02 32768 -csha-w- e:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008120320081204\index.dat

============= FINISH: 19:31:04.15 ===============
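The two DDS logs above expose the same load points. As an added example (this is not code from the thread, from DDS or from BleepingComputer), here is a Python triage script that walks a DDS log and flags the entries a malware responder checks first: AppInit_DLLs, LSA notification packages, SSODL/STS/BHO hooks, Rundll32 autoruns, and files with zeroed timestamps or system+hidden attributes. The sample lines are copied from the logs above; the 8-letter lowercase module heuristic and the "scecli only" LSA allowlist are assumptions of this example.

```python
import re
from dataclasses import dataclass
from typing import List

# Heuristic used by this example (an assumption, not a DDS rule): every
# suspicious module in the logs above is an 8-letter, all-lowercase DLL name
# (hulawira, yopopanu, mulifadu ...). Legitimate names can match too
# (browseui.dll), so treat hits as triage leads, not verdicts.
RANDOM_DLL = re.compile(r"(?:^|[\\ ])([a-z]{8})\.dll\b")

# DDS file-listing line: "YYYY-MM-DD HH:MM:SS size attrs path"
FILE_LINE = re.compile(
    r"^(\d{4})-\d{2}-\d{2} \d{2}:\d{2}:\d{2} +(\d+) ([-a-z]{8}) (.+)$")

# The only LSA notification package a stock Windows XP install registers
# (assumption of this example).
KNOWN_LSA = {"scecli"}

# Constructed sample: a handful of lines copied from the DDS logs above.
SAMPLE = r"""
mRun: [NvCplDaemon] RUNDLL32.EXE e:\windows\system32\NvCpl.dll,NvStartup
mRun: [kutotusifi] Rundll32.exe "e:\windows\temp\tmp11.dll",s
mRun: [fiwudokef] Rundll32.exe "e:\windows\system32\yopopanu.dll",a
BHO: {51930d42-c560-4620-9b0a-09e17a557c27} - mulifadu.dll
AppInit_DLLs: harupeza.dll e:\windows\system32\hulawira.dll lotoyeyo.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - e:\windows\system32\wpdshserviceobj.dll
SSODL: nejozeyur - {f216ff80-85c0-4232-94bf-3396ba443b51} - e:\windows\system32\hulawira.dll
LSA: Notification Packages = scecli zeyoheko.dll e:\windows\temp\tmp11.dll
2010-02-23 21:17:24 1974616 ----a-w- e:\windows\system32\D3DCompiler_42.dll
2010-02-22 21:29:49 1 --sh--w- e:\windows\system32\gezibaju.dll
1601-01-01 00:03:52 55296 --sha-w- e:\windows\system32\gijiyeli.dll
2008-12-04 01:11:02 32768 -csha-w- e:\windows\system32\config\systemprofile\index.dat
"""


@dataclass
class Finding:
    reason: str
    item: str


def triage_dds(text: str) -> List[Finding]:
    """Return one Finding per suspicious load point or file in a DDS log."""
    findings: List[Finding] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("AppInit_DLLs:"):
            # Anything listed here is loaded into every process that links user32.dll.
            for mod in line.split(":", 1)[1].split():
                findings.append(Finding("AppInit_DLLs entry", mod))
        elif line.startswith("LSA: Notification Packages"):
            # Packages listed here run inside lsass and see password changes.
            for mod in line.split("=", 1)[1].split():
                if mod.lower() not in KNOWN_LSA:
                    findings.append(Finding("unexpected LSA notification package", mod))
        elif line.startswith(("SSODL:", "STS:", "BHO:")):
            # Shell and browser hooks loaded by explorer.exe / iexplore.exe.
            if RANDOM_DLL.search(line):
                findings.append(Finding("shell/browser hook with random-looking module", line))
        elif line.startswith(("mRun", "uRun", "dRun")) and "rundll32" in line.lower():
            # Rundll32 autoruns that point at temp or random-named DLLs.
            if RANDOM_DLL.search(line) or "\\temp\\" in line.lower():
                findings.append(Finding("Rundll32 autorun of temp/random-named DLL", line))
        else:
            m = FILE_LINE.match(line)
            if not m:
                continue
            year, attrs, path = m.group(1), m.group(3), m.group(4)
            if year == "1601":
                # 1601-01-01 is a zero FILETIME: the timestamp was wiped.
                findings.append(Finding("zeroed (1601) timestamp", path))
            elif "s" in attrs and "h" in attrs and path.lower().endswith(".dll"):
                findings.append(Finding("system+hidden DLL", path))
    return findings


if __name__ == "__main__":
    for f in triage_dds(SAMPLE):
        print(f"[{f.reason}] {f.item}")
```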



#4 thewall

  • Malware Response Team
  • 6,425 posts

Posted 04 March 2010 - 02:53 PM

Hello 01Blade10, welcome to the BC HijackThis Log and Analysis forum. I will be assisting you in cleaning up your system.


I ask that you refrain from running tools other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.



In the upper right hand corner of the topic you will see a button called Options. If you click on this, in the drop-down menu you can choose Track this topic. By doing this and then choosing Immediate E-Mail notification and then clicking on Proceed, you will be advised when we respond to your topic, which will facilitate the cleaning of your machine.


Please keep in mind that we have a large backlog of users just like yourself waiting to be helped so try to be as timely as possible in your replies. Since we do this on a part-time voluntary basis we are limited on how many logs we can respond to and keep open due to time restraints. If you have to be away or can't answer for some other reason just let me know. Thank you for your understanding.



After 5 days if a topic is not replied to we assume it has been abandoned and it is closed.



Please download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Instruction can be found HERE
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.




Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Note: Please post the log in the reply window and do not make it an attachment. Do this with all subsequent replies unless I ask otherwise.

Thanks,



thewall





If I have helped you then please consider donating so I can continue the fight against malware.
All donations go directly to the helper.

Due to the large amount of backlogs we have I cannot respond to PMs for help unless I am already working with you

#5 01Blade10

01Blade10
  • Topic Starter

  • Members
  • 10 posts
  • Local time:02:46 PM

Posted 04 March 2010 - 03:31 PM

Here you go. Kind of seems like I got more viruses.

ComboFix 10-03-04.01 - Theoxus 03/04/2010 15:18:21.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1364 [GMT -5:00]
Running from: e:\documents and settings\Theoxus\Desktop\ComboFix.exe
AV: AntiVir Desktop *On-access scanning disabled* (Outdated) {AD166499-45F9-482A-A743-FDD3350758C7}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

e:\$recycle.bin\S-1-5-21-3761304829-1015992143-3558892887-1001
e:\$recycle.bin\S-1-5-21-3761304829-1015992143-3558892887-1003
e:\documents and settings\Default User\Application Data\Desktopicon
e:\documents and settings\Default User\Application Data\Desktopicon\eBayShortcuts.exe
e:\documents and settings\Theoxus\Application Data\Desktopicon
e:\documents and settings\Theoxus\Application Data\Desktopicon\eBayShortcuts.exe
E:\Documents
e:\windows\RegGenieOnUninstall.exe
e:\windows\system32\bobajitu.dll
e:\windows\system32\config\systemprofile\Application Data\Desktopicon
e:\windows\system32\config\systemprofile\Application Data\Desktopicon\eBayShortcuts.exe
e:\windows\system32\gezibaju.dll
e:\windows\system32\layezefu.dll
e:\windows\system32\lehebofi.dll
e:\windows\system32\mekijoru.dll
e:\windows\system32\tuyalaze.dll
e:\windows\system32\vizalodu.dll
e:\windows\system32\zafufovi.dll
e:\windows\Tasks\rndgagun.job
e:\windows\TEMP\tmp6E.dll

.
((((((((((((((((((((((((( Files Created from 2010-02-04 to 2010-03-04 )))))))))))))))))))))))))))))))
.

2010-03-04 20:23 . 2010-03-04 20:23 -------- d-----w- e:\windows\system32\xircom
2010-03-04 20:23 . 2010-03-04 20:23 -------- d-----w- e:\windows\system32\wbem\snmp
2010-03-04 20:23 . 2010-03-04 20:23 -------- d-----w- e:\program files\microsoft frontpage
2010-02-24 21:26 . 2010-02-24 21:37 114688 ----a-w- e:\documents and settings\Theoxus\Application Data\Soldat\Battleye\BEClient.dll
2010-02-24 21:26 . 2009-03-29 00:52 94208 ----a-w- e:\documents and settings\Theoxus\Application Data\Soldat\Battleye\BEServer.dll
2010-02-24 21:15 . 2010-02-24 21:16 -------- d-----w- E:\Soldat
2010-02-24 21:15 . 2010-02-24 21:15 -------- d-----w- e:\documents and settings\Theoxus\Application Data\Soldat
2010-02-23 21:18 . 2010-02-23 21:18 -------- d-----w- e:\documents and settings\Theoxus\Local Settings\Application Data\Wings of Prey
2010-02-23 21:17 . 2010-02-23 21:17 -------- d-----w- e:\documents and settings\Theoxus\Local Settings\Application Data\WOP
2010-02-23 21:17 . 2010-02-23 21:17 -------- d-----w- e:\documents and settings\All Users\Application Data\WOP
2010-02-23 21:17 . 2009-09-04 22:29 1974616 ----a-w- e:\windows\system32\D3DCompiler_42.dll
2010-02-23 21:17 . 2009-09-04 22:29 5501792 ----a-w- e:\windows\system32\d3dcsx_42.dll
2010-02-23 21:17 . 2010-02-23 21:17 -------- d-----w- e:\windows\Logs
2010-02-23 21:00 . 2010-02-23 21:00 -------- d-----w- e:\program files\iPod
2010-02-23 21:00 . 2010-02-23 21:01 -------- d-----w- e:\program files\iTunes
2010-02-23 21:00 . 2010-02-23 21:01 -------- d-----w- e:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2010-02-23 20:47 . 2010-02-23 20:47 72488 ----a-w- e:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.3.15\SetupAdmin.exe
2010-02-18 02:54 . 2005-08-26 00:18 118784 ----a-w- e:\windows\system32\MSSTDFMT.DLL
2010-02-18 02:54 . 2010-02-18 03:00 -------- d-----w- e:\program files\SpywareBlaster
2010-02-18 01:31 . 2010-02-18 01:31 -------- d--h--w- e:\windows\system32\GroupPolicy
2010-02-17 20:40 . 2010-02-17 20:40 45056 ----a-r- e:\documents and settings\Theoxus\Application Data\Microsoft\Installer\{B5EDB5CB-3F59-46DC-A14B-A12274127FB1}\MapleStory.exe1_FC1F22196DEC4370AC4298298F2A87C3.exe
2010-02-17 20:40 . 2010-02-17 20:40 45056 ----a-r- e:\documents and settings\Theoxus\Application Data\Microsoft\Installer\{B5EDB5CB-3F59-46DC-A14B-A12274127FB1}\MapleStory.exe_FC1F22196DEC4370AC4298298F2A87C3.exe
2010-02-17 20:40 . 2010-02-17 20:40 10134 ----a-r- e:\documents and settings\Theoxus\Application Data\Microsoft\Installer\{B5EDB5CB-3F59-46DC-A14B-A12274127FB1}\ARPPRODUCTICON.exe
2010-02-17 03:42 . 2010-02-24 23:54 -------- d-----w- e:\documents and settings\Theoxus\Application Data\X-Chat 2
2010-02-17 03:41 . 2010-02-17 03:41 -------- d-----w- e:\program files\X-Chat 2
2010-02-16 22:34 . 1998-06-17 05:00 798773 ----a-w- e:\windows\system32\MFCO42D.DLL
2010-02-16 02:28 . 2010-02-16 02:28 -------- d-----w- e:\program files\XBox 360 Controller for Windows Software
2010-02-11 00:42 . 2010-02-27 19:02 -------- d-----w- e:\documents and settings\NetworkService\Application Data\WTablet
2010-02-10 21:56 . 2010-02-27 15:00 -------- d-----w- e:\documents and settings\Theoxus\Local Settings\Application Data\Temp
2010-02-10 21:55 . 2010-02-10 21:56 -------- d-----w- e:\documents and settings\Theoxus\Local Settings\Application Data\Google
2010-02-10 20:33 . 2010-02-10 20:33 1924744 ----a-w- e:\documents and settings\Theoxus\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\fpupdatepl\fpupdatepl.exe
2010-02-09 21:02 . 2010-02-09 21:02 -------- d-sh--w- e:\documents and settings\LocalService\IETldCache

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-04 20:27 . 2008-12-04 01:20 -------- d-----w- e:\program files\Steam
2010-03-04 20:24 . 2010-01-31 22:35 -------- d-----w- e:\documents and settings\Theoxus\Application Data\WTablet
2010-02-27 14:40 . 2009-03-26 20:22 -------- d---a-w- e:\documents and settings\All Users\Application Data\TEMP
2010-02-24 21:00 . 2009-01-03 01:13 -------- d-----w- e:\documents and settings\Theoxus\Application Data\Apple Computer
2010-02-23 21:00 . 2009-01-03 01:11 -------- d-----w- e:\program files\Common Files\Apple
2010-02-23 20:58 . 2009-06-08 23:59 -------- d-----w- e:\program files\QuickTime
2010-02-23 20:11 . 2008-12-04 22:14 -------- d-----w- e:\program files\SpeedFan
2010-02-19 04:16 . 2010-02-19 04:16 6192548 ----a-w- e:\program files\Livestream Procaster.rar
2010-02-19 03:35 . 2009-12-11 23:32 79488 ----a-w- e:\documents and settings\Theoxus\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2010-02-17 19:37 . 2009-04-28 18:58 -------- d-----w- e:\documents and settings\All Users\Application Data\PMB Files
2010-02-17 17:14 . 2008-12-04 01:50 36008 ----a-w- e:\documents and settings\Theoxus\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-02-16 22:52 . 2008-12-04 01:47 -------- d--h--w- e:\program files\InstallShield Installation Information
2010-01-31 22:35 . 2010-01-31 22:35 -------- d-----w- e:\documents and settings\Theoxus\Application Data\WTouch
2010-01-31 22:35 . 2010-01-31 22:35 -------- d-----w- e:\program files\WTouch
2010-01-31 22:35 . 2010-01-31 22:35 -------- d-----w- e:\program files\TabletPlugins
2010-01-31 22:35 . 2010-01-31 22:31 -------- d-----w- e:\program files\Tablet
2010-01-31 22:25 . 2009-02-25 01:24 -------- d-----w- e:\program files\Common Files\Macromedia
2010-01-31 22:24 . 2009-02-25 01:23 -------- d-----w- e:\program files\Macromedia
2010-01-31 22:18 . 2010-01-31 22:18 45056 ----a-r- e:\documents and settings\Theoxus\Application Data\Microsoft\Installer\{885A63EA-382B-4DD4-A755-14809B8557D6}\ARPPRODUCTICON.exe
2010-01-31 22:10 . 2010-01-31 22:10 -------- d-----w- e:\program files\Livestream Procaster
2010-01-23 04:18 . 2010-01-23 04:18 -------- d-----w- e:\documents and settings\Theoxus\Application Data\TortoiseSVN
2010-01-23 04:08 . 2010-01-23 04:08 -------- d-----w- e:\documents and settings\Theoxus\Application Data\Subversion
2010-01-23 03:56 . 2010-01-23 03:56 -------- d-----w- e:\program files\TortoiseSVN
2010-01-23 03:56 . 2010-01-23 03:56 -------- d-----w- e:\program files\Common Files\TortoiseOverlays
2010-01-23 03:33 . 2008-12-17 03:16 -------- d-----w- e:\program files\Common Files\Blizzard Entertainment
2010-01-23 02:30 . 2008-12-10 02:36 -------- d-----w- e:\program files\Windows Live
2010-01-23 00:34 . 2009-01-26 20:34 -------- d-----w- e:\program files\Microsoft Silverlight
2010-01-22 04:11 . 2009-01-26 22:39 -------- d-----w- e:\program files\MAGIX
2010-01-22 04:09 . 2009-04-28 19:18 393216 ----a-w- e:\documents and settings\All Users\Application Data\NexonUS\NGM\NGMResource.dll
2010-01-22 04:03 . 2008-12-04 01:12 -------- d-----w- e:\documents and settings\Theoxus\Application Data\uTorrent
2010-01-18 06:30 . 2010-01-18 06:30 499712 ----a-w- e:\windows\system32\msvcp71.dll
2009-12-21 19:14 . 2008-04-27 08:05 916480 ----a-w- e:\windows\system32\wininet.dll
2009-12-11 23:28 . 2009-05-11 22:52 56816 ----a-w- e:\windows\system32\drivers\avgntflt.sys
2009-01-26 22:56 . 2009-01-26 22:56 75 -csh--r- e:\windows\ICMET20.BIN
1601-01-01 00:03 . 1601-01-01 00:03 71168 --sha-w- e:\windows\system32\bapuzotu.dll
1601-01-01 00:03 . 1601-01-01 00:03 55296 --sha-w- e:\windows\system32\gijiyeli.dll
1601-01-01 00:03 . 1601-01-01 00:03 55296 --sha-w- e:\windows\system32\zujawaro.dll
.

------- Sigcheck -------

[-] 2008-04-27 07:20 . C51B4A5C05A5475708E3C81C7765B71D . 27136 . . [11.0.5721.5145] . . e:\windows\system32\mspmsnsv.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{51930d42-c560-4620-9b0a-09e17a557c27}]
1601-01-01 00:03 55296 --sha-w- e:\windows\system32\gijiyeli.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\1TortoiseNormal]
@="{C5994560-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994560-53D9-4125-87C9-F193FC689CB2}]
2010-01-19 00:12 86280 ----a-w- e:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\2TortoiseModified]
@="{C5994561-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994561-53D9-4125-87C9-F193FC689CB2}]
2010-01-19 00:12 86280 ----a-w- e:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\3TortoiseConflict]
@="{C5994562-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994562-53D9-4125-87C9-F193FC689CB2}]
2010-01-19 00:12 86280 ----a-w- e:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\4TortoiseLocked]
@="{C5994563-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994563-53D9-4125-87C9-F193FC689CB2}]
2010-01-19 00:12 86280 ----a-w- e:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\5TortoiseReadOnly]
@="{C5994564-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994564-53D9-4125-87C9-F193FC689CB2}]
2010-01-19 00:12 86280 ----a-w- e:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\6TortoiseDeleted]
@="{C5994565-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994565-53D9-4125-87C9-F193FC689CB2}]
2010-01-19 00:12 86280 ----a-w- e:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\7TortoiseAdded]
@="{C5994566-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994566-53D9-4125-87C9-F193FC689CB2}]
2010-01-19 00:12 86280 ----a-w- e:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\8TortoiseIgnored]
@="{C5994567-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994567-53D9-4125-87C9-F193FC689CB2}]
2010-01-19 00:12 86280 ----a-w- e:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\9TortoiseUnversioned]
@="{C5994568-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994568-53D9-4125-87C9-F193FC689CB2}]
2010-01-19 00:12 86280 ----a-w- e:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LClock"="e:\program files\LClock\LClock.exe" [2004-09-19 65536]
"Steam"="e:\program files\steam\steam.exe" [2010-02-22 1217872]
"WMPNSCFG"="e:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]
"Google Update"="e:\documents and settings\Theoxus\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-02-10 135664]
"Pando Media Booster"="e:\program files\Pando Networks\Media Booster\PMB.exe" [2010-02-17 2937528]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PWRISOVM.EXE"="e:\program files\PowerISO\PWRISOVM.EXE" [2008-01-20 217088]
"SunJavaUpdateSched"="e:\program files\Java\jre6\bin\jusched.exe" [2009-01-19 136600]
"SoundMan"="SOUNDMAN.EXE" [2007-04-16 577536]
"AppleSyncNotifier"="e:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-08-13 177440]
"Adobe Reader Speed Launcher"="e:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"avgnt"="e:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"NvCplDaemon"="e:\windows\system32\NvCpl.dll" [2009-01-15 13680640]
"nwiz"="nwiz.exe" [2009-01-15 1657376]
"NvMediaCenter"="e:\windows\system32\NvMcTray.dll" [2009-01-15 86016]
"Livestream Procaster"="e:\program files\Livestream Procaster\Procaster.exe" [2009-12-17 6477088]
"QuickTime Task"="e:\program files\QuickTime\QTTask.exe" [2009-11-11 417792]
"iTunesHelper"="e:\program files\iTunes\iTunesHelper.exe" [2010-02-15 141608]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"LClock"="e:\program files\LClock\LClock.exe" [2004-09-19 65536]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"ShowDeskFix"="shell32" [X]
"nltide_3"="advpack.dll" [2009-03-08 128512]

e:\documents and settings\Theoxus\Start Menu\Programs\Startup\
OpenOffice.org 3.0.lnk - e:\program files\OpenOffice.org 3\program\quickstart.exe [2008-9-12 384000]

e:\documents and settings\All Users\Start Menu\Programs\Startup\
FlashPath Monitor.lnk - e:\program files\SmartDisk\FlashPath\sdstat.exe [2009-8-8 184320]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"e:\\Program Files\\UrbanTerror\\ioUrbanTerror.exe"=
"e:\\Program Files\\Steam\\Steam.exe"=
"e:\\Program Files\\Steam\\steamapps\\shicat\\garrysmod\\hl2.exe"=
"e:\\Program Files\\Steam\\steamapps\\shicat\\counter-strike source\\hl2.exe"=
"e:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"e:\\Program Files\\Flagship Studios\\Hellgate London\\Launcher.exe"=
"e:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"e:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"e:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"e:\\Program Files\\Skype\\Phone\\Skype.exe"=
"e:\\WINDOWS\\system32\\Pen_Tablet.exe"=
"e:\\Program Files\\X-Chat 2\\xchat.exe"=
"e:\\Program Files\\Steam\\steamapps\\01blade10\\counter-strike source\\hl2.exe"=
"e:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
"e:\\Program Files\\Steam\\steamapps\\01blade10\\team fortress 2\\hl2.exe"=
"e:\\Program Files\\Steam\\steamapps\\01blade10\\garrysmod\\hl2.exe"=
"e:\\Program Files\\Steam\\steamapps\\common\\wings of prey demo\\launcher.exe"=
"e:\\Program Files\\iTunes\\iTunes.exe"=
"e:\\Program Files\\Steam\\steamapps\\common\\wings of prey demo\\acess.exe"=
"e:\\Soldat\\Soldat.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"57700:TCP"= 57700:TCP:Pando Media Booster
"57700:UDP"= 57700:UDP:Pando Media Booster
"56759:TCP"= 56759:TCP:Pando Media Booster
"56759:UDP"= 56759:UDP:Pando Media Booster

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;e:\program files\Avira\AntiVir Desktop\sched.exe [5/11/2009 5:52 PM 108289]
R2 FlashNT;FlashNT;e:\windows\system32\drivers\FLASHNT.SYS [8/8/2009 1:42 PM 72784]
R2 Sdselect;Sdselect;e:\windows\system32\drivers\sdselect.sys [8/8/2009 1:42 PM 73296]
R2 TabletServicePen;TabletServicePen;e:\windows\system32\Pen_Tablet.exe [1/31/2010 5:31 PM 4497704]
R2 WTouchService;WTouch Service;e:\program files\WTouch\WTouchService.exe [1/31/2010 5:35 PM 113448]
R3 ngrpci;NETGEAR FA310TX Fast Ethernet Adapter Driver;e:\windows\system32\drivers\Ngrpci.sys [4/11/2009 12:16 PM 32840]
S3 ALSysIO;ALSysIO;\??\e:\docume~1\Theoxus\LOCALS~1\Temp\ALSysIO.sys --> e:\docume~1\Theoxus\LOCALS~1\Temp\ALSysIO.sys [?]
S3 FirebirdServerMAGIXInstance;Firebird Server - MAGIX Instance;e:\program files\MAGIX\Common\Database\bin\fbserver.exe [1/26/2009 5:44 PM 1527900]
S3 libusb0;LibUsb-Win32 - Kernel Driver 03/20/2007, 0.1.12.1;e:\windows\system32\drivers\libusb0.sys [4/11/2009 9:44 PM 28672]
S3 PsSdk41;PsSdk41;e:\windows\system32\drivers\pssdk41.sys [3/12/2009 8:51 PM 36928]
S3 smrtdrv;SMART Technologies Inc. Mirror Driver;e:\windows\system32\drivers\smrtdrv.sys [4/22/2004 10:38 AM 2432]
S3 wacmoumonitor;Wacom Mode Helper;e:\windows\system32\drivers\wacmoumonitor.sys [1/31/2010 5:31 PM 15144]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{D58F39FF-953E-4F45-898F-59F243B9A523}]
2009-03-08 08:32 128512 ----a-w- e:\windows\system32\advpack.dll
.
Contents of the 'Scheduled Tasks' folder

2010-02-15 e:\windows\Tasks\AppleSoftwareUpdate.job
- e:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2010-02-22 e:\windows\Tasks\Backup.job
- e:\windows\system32\ntbackup.exe [2008-04-14 04:42]

2010-02-27 e:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1229272821-1326574676-1417001333-1004Core.job
- e:\documents and settings\Theoxus\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-02-10 21:55]

2010-02-27 e:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1229272821-1326574676-1417001333-1004UA.job
- e:\documents and settings\Theoxus\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-02-10 21:55]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
uInternet Connection Wizard,ShellNext = https://login.live.com/ppsecure/sha1auth.srf?lc=1033
uInternet Settings,ProxyOverride = *.local
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
FF - ProfilePath - e:\documents and settings\Theoxus\Application Data\Mozilla\Firefox\Profiles\ma48oc8e.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.live.com/results.aspx?FORM=IEFM1&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://reeno166.deviantart.com/
FF - plugin: e:\documents and settings\All Users\Application Data\NexonUS\NGM\npNxGameUS.dll
FF - plugin: e:\documents and settings\Theoxus\Local Settings\Application Data\Google\Update\1.2.183.17\npGoogleOneClick8.dll
FF - plugin: e:\program files\Mozilla Firefox\plugins\npPandoWebInst.dll
FF - plugin: e:\program files\TabletPlugins\npwacom.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - e:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.
- - - - ORPHANS REMOVED - - - -

Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
HKLM-Run-kutotusifi - layezefu.dll
HKLM-Run-fiwudokef - e:\windows\system32\tuyalaze.dll
SharedTaskScheduler-{f216ff80-85c0-4232-94bf-3396ba443b51} - e:\windows\system32\hulawira.dll
SharedTaskScheduler-{9707d396-28a8-424d-b02d-751a0b685381} - e:\windows\system32\tuyalaze.dll
SSODL-nejozeyur-{f216ff80-85c0-4232-94bf-3396ba443b51} - e:\windows\system32\hulawira.dll
SSODL-jekozazit-{9707d396-28a8-424d-b02d-751a0b685381} - e:\windows\system32\tuyalaze.dll
Notify-AtiExtEvent - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-04 15:24
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,9e,07,79,a2,13,26,c4,4a,a5,a1,dd,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,9e,07,79,a2,13,26,c4,4a,a5,a1,dd,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{81ACBB45-06B6-AC1D-98EF-D6ECE7754907}\InProcServer32*]
"jabjhlfinlaeedbeehda"=hex:6a,61,66,61,64,6f,61,6f,6e,6d,68,6f,69,6e,69,68,61,
64,6e,66,00,fa
"iabjnjpdmjongamdek"=hex:69,61,6f,61,67,62,70,6f,62,6f,65,64,6f,6c,61,6d,70,6d,
00,00
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2352)
e:\windows\system32\WININET.dll
e:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
e:\program files\TortoiseSVN\bin\TortoiseStub.dll
e:\program files\TortoiseSVN\bin\TortoiseSVN.dll
e:\program files\TortoiseSVN\bin\intl3_tsvn.dll
e:\program files\iTunes\iTunesMiniPlayer.dll
e:\program files\iTunes\iTunesMiniPlayer.Resources\en.lproj\iTunesMiniPlayerLocalized.dll
e:\program files\iTunes\iTunesMiniPlayer.Resources\iTunesMiniPlayer.dll
e:\program files\Stardock\Object Desktop\IconPackager\shellext.dll
e:\windows\system32\ieframe.dll
e:\program files\LClock\LC.dll
e:\windows\system32\webcheck.dll
e:\windows\system32\wpdshserviceobj.dll
e:\windows\system32\portabledevicetypes.dll
e:\windows\system32\portabledeviceapi.dll
e:\program files\Styler\TB\StylerTB.dll
e:\windows\system32\gijiyeli.dll
e:\program files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll
e:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
.
------------------------ Other Running Processes ------------------------
.
e:\program files\WTouch\WTouchUser.exe
e:\windows\system32\WgaTray.exe
e:\program files\Avira\AntiVir Desktop\avguard.exe
e:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
e:\program files\Bonjour\mDNSResponder.exe
e:\program files\Java\jre6\bin\jqs.exe
e:\nexon\Mabinogi\npkcmsvc.exe
e:\windows\system32\nvsvc32.exe
e:\windows\system32\locator.exe
e:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
e:\program files\Windows Media Player\WMPNetwk.exe
e:\windows\system32\WTablet\Pen_TabletUser.exe
e:\program files\TortoiseSVN\bin\TSVNCache.exe
e:\windows\SOUNDMAN.EXE
e:\windows\system32\RUNDLL32.EXE
e:\program files\OpenOffice.org 3\program\soffice.exe
e:\program files\OpenOffice.org 3\program\soffice.bin
e:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2010-03-04 15:32:32 - machine was rebooted
ComboFix-quarantined-files.txt 2010-03-04 20:32

Pre-Run: 296,988,966,912 bytes free
Post-Run: 319,998,500,864 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
;
;Warning: Boot.ini is used on Windows XP and earlier operating systems.
;Warning: Use BCDEDIT.exe to modify Windows Vista boot options.
;
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
e:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /NOEXECUTE=OPTIN /FASTDETECT /NOEXECUTE=ALWAYSOFF

- - End Of File - - C8A85BBEEE7DD5BD07296D49E3B80E2E
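
The log above shows the pattern the helper goes on to target: three eight-letter DLLs directly in system32 carrying system+hidden attributes and a 1601-01-01 timestamp (the zero value of a Windows FILETIME), one of them registered as a Browser Helper Object and loaded into explorer.exe. As an added example (editor's code, not ComboFix's and not from the thread), the Python below parses a constructed excerpt of that log, scores each file entry against those indicators, cross-references the BHO load point and the explorer.exe module list, and renders Collect::/Registry:: sections in the CFScript syntax the helper uses later in the thread. The reading of the attribute columns and the random-name pattern are assumptions taken from the samples, not documented ComboFix behaviour.

```python
"""Triage a ComboFix log for Vundo-style dropped DLLs.

Added example for this thread: editor's code, not ComboFix's and not the
helper's. Heuristics and the attribute-column reading are assumptions taken
from the posted log; SAMPLE_LOG is a constructed excerpt of it.
"""
import re

# "Files Created" / "Find3M" line: mtime . ctime size attrs path
#   2010-02-23 21:17 . 2009-09-04 22:29 1974616 ----a-w- e:\windows\system32\D3DCompiler_42.dll
# attrs read as d(ir) c(ompressed) s(ystem) h(idden) a(rchive) ... (assumed from samples)
LISTING_RE = re.compile(
    r"^(?P<mtime>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<ctime>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>\S+) (?P<attrs>[-a-z]{8}) (?P<path>.+)$"
)
# File line printed under a "Reg Loading Points" key: date time size attrs path
LOADPOINT_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} \S+ [-a-z]{8} (?P<path>.+)$")
BHO_KEY_RE = re.compile(r"^\[(?P<key>HKEY_.*Browser Helper Objects\\\{[0-9a-fA-F-]+\})\]$")
ZERO_FILETIME = "1601-01-01"  # Windows FILETIME epoch: this date is the zero value
# Eight random lowercase letters directly under system32 (gijiyeli.dll ...)
RANDOM_SYS32_DLL = re.compile(r"^[a-z]:\\windows\\system32\\[a-z]{8}\.dll$")

# Constructed excerpt of the log posted above.
SAMPLE_LOG = r"""
2010-02-23 21:17 . 2009-09-04 22:29 1974616 ----a-w- e:\windows\system32\D3DCompiler_42.dll
2010-02-18 01:31 . 2010-02-18 01:31 -------- d--h--w- e:\windows\system32\GroupPolicy
2010-02-09 21:02 . 2010-02-09 21:02 -------- d-sh--w- e:\documents and settings\LocalService\IETldCache
2009-12-21 19:14 . 2008-04-27 08:05 916480 ----a-w- e:\windows\system32\wininet.dll
2009-01-26 22:56 . 2009-01-26 22:56 75 -csh--r- e:\windows\ICMET20.BIN
1601-01-01 00:03 . 1601-01-01 00:03 71168 --sha-w- e:\windows\system32\bapuzotu.dll
1601-01-01 00:03 . 1601-01-01 00:03 55296 --sha-w- e:\windows\system32\gijiyeli.dll
1601-01-01 00:03 . 1601-01-01 00:03 55296 --sha-w- e:\windows\system32\zujawaro.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{51930d42-c560-4620-9b0a-09e17a557c27}]
1601-01-01 00:03 55296 --sha-w- e:\windows\system32\gijiyeli.dll
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'explorer.exe'(2352)
e:\windows\system32\WININET.dll
e:\windows\system32\gijiyeli.dll
"""


def parse_listing(lines):
    """File-listing entries of the log as dicts (mtime, ctime, size, attrs, path)."""
    return [m.groupdict() for m in map(LISTING_RE.match, map(str.strip, lines)) if m]


def indicators(entry):
    """Reasons an entry looks like a dropped component; empty list if none."""
    reasons, attrs = [], entry["attrs"]
    if ZERO_FILETIME in (entry["mtime"][:10], entry["ctime"][:10]):
        reasons.append("zero FILETIME (1601-01-01)")
    if not attrs.startswith("d") and "s" in attrs and "h" in attrs:
        reasons.append("system+hidden attributes on a loose file")
    if RANDOM_SYS32_DLL.match(entry["path"].lower()):
        reasons.append("eight-letter random name in system32")
    return reasons


def loaded_paths(lines):
    """Lower-cased module paths under 'DLLs Loaded Under Running Processes'."""
    loaded, in_section = set(), False
    for s in map(str.strip, lines):
        if "DLLs Loaded Under Running Processes" in s:
            in_section = True
        elif in_section and s.lower().endswith(".dll"):
            loaded.add(s.lower())
    return loaded


def bho_load_points(lines):
    """Lower-cased DLL path -> Browser Helper Object key it is registered under."""
    points, key = {}, None
    for s in map(str.strip, lines):
        k = BHO_KEY_RE.match(s)
        if k:
            key = k.group("key")
            continue
        m = LOADPOINT_RE.match(s)
        if key and m:
            points[m.group("path").lower()] = key
        key = None  # a key header only describes the line right after it
    return points


def triage(lines, min_reasons=2):
    """Map path -> reasons for entries with at least min_reasons indicators."""
    lines = list(lines)
    loaded, points = loaded_paths(lines), bho_load_points(lines)
    flagged = {}
    for entry in parse_listing(lines):
        reasons = indicators(entry)
        if len(reasons) < min_reasons:
            continue
        low = entry["path"].lower()
        if low in points:
            reasons.append("registered as a Browser Helper Object")
        if low in loaded:
            reasons.append("loaded in a running process")
        flagged[entry["path"]] = reasons
    return flagged


def cfscript(found, load_points):
    """Collect:: and Registry:: sections in the CFScript syntax used in this thread."""
    out = ["Collect::"] + sorted(found)
    keys = sorted({load_points[p.lower()] for p in found if p.lower() in load_points})
    if keys:
        out += ["Registry::"] + ["[-%s]" % k for k in keys]
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    log = SAMPLE_LOG.splitlines()
    hits = triage(log)
    for path, why in sorted(hits.items()):
        print(path, "->", "; ".join(why))
    print(cfscript(hits, bho_load_points(log)))
```

Requiring two independent indicators keeps ICMET20.BIN (system+hidden but normally timestamped and not in system32) out of the Collect:: list while catching all three 1601-dated DLLs; the BHO key comes out as a `[-...]` deletion line exactly as the helper writes it. Feed it a full ComboFix.txt and review the reasons before acting on anything it lists.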


#6 thewall

thewall

  • Malware Response Team
  • 6,425 posts
  • Gender:Male
  • Location:Florida
  • Local time:02:46 PM

Posted 04 March 2010 - 04:44 PM

You do have some infections but we should be able to clean them all up.


Special ComboFix script made for this computer only

1. Close any open browsers.

2. Close/disable all antivirus and anti-malware programs, including TeaTimer if you have it, so they do not interfere with the running of ComboFix. Instructions for doing so are located here

3. Open notepad and copy/paste the text in the quotebox below into it:

QUOTE
Collect::
e:\windows\system32\bapuzotu.dll
e:\windows\system32\gijiyeli.dll
e:\windows\system32\zujawaro.dll
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{51930d42-c560-4620-9b0a-09e17a557c27}]
Regnull::
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{81ACBB45-06B6-AC1D-98EF-D6ECE7754907}\InProcServer32*]


Save this as CFScript.txt, in the same location as ComboFix.exe

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.





#7 01Blade10

01Blade10
  • Topic Starter

  • Members
  • 10 posts
  • Local time:02:46 PM

Posted 04 March 2010 - 06:29 PM

I won't be able to access the computer until either Saturday or Monday, so, it'll have to wait.

#8 thewall

thewall

  • Malware Response Team
  • 6,425 posts
  • Gender:Male
  • Location:Florida
  • Local time:02:46 PM

Posted 04 March 2010 - 07:31 PM

OK, just post it when you can.

#9 01Blade10

01Blade10
  • Topic Starter

  • Members
  • 10 posts
  • Local time:02:46 PM

Posted 08 March 2010 - 05:05 PM

There you go.

ComboFix 10-03-08.01 - Theoxus 03/08/2010 16:51:08.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1472 [GMT -5:00]
Running from: e:\documents and settings\Theoxus\Desktop\ComboFix.exe
Command switches used :: e:\documents and settings\Theoxus\Desktop\CFScript.txt.txt
AV: AntiVir Desktop *On-access scanning disabled* (Outdated) {AD166499-45F9-482A-A743-FDD3350758C7}

file zipped: e:\windows\system32\bapuzotu.dll
file zipped: e:\windows\system32\gijiyeli.dll
file zipped: e:\windows\system32\zujawaro.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

e:\windows\system32\bapuzotu.dll
e:\windows\system32\gijiyeli.dll
e:\windows\system32\zujawaro.dll

.
((((((((((((((((((((((((( Files Created from 2010-02-08 to 2010-03-08 )))))))))))))))))))))))))))))))
.

2010-03-04 20:23 . 2010-03-04 20:23 -------- d-----w- e:\windows\system32\xircom
2010-03-04 20:23 . 2010-03-04 20:23 -------- d-----w- e:\windows\system32\wbem\snmp
2010-03-04 20:23 . 2010-03-04 20:23 -------- d-----w- e:\program files\microsoft frontpage
2010-02-24 21:26 . 2010-02-24 21:37 114688 ----a-w- e:\documents and settings\Theoxus\Application Data\Soldat\Battleye\BEClient.dll
2010-02-24 21:26 . 2009-03-29 00:52 94208 ----a-w- e:\documents and settings\Theoxus\Application Data\Soldat\Battleye\BEServer.dll
2010-02-24 21:15 . 2010-02-24 21:16 -------- d-----w- E:\Soldat
2010-02-24 21:15 . 2010-02-24 21:15 -------- d-----w- e:\documents and settings\Theoxus\Application Data\Soldat
2010-02-23 21:18 . 2010-02-23 21:18 -------- d-----w- e:\documents and settings\Theoxus\Local Settings\Application Data\Wings of Prey
2010-02-23 21:17 . 2010-02-23 21:17 -------- d-----w- e:\documents and settings\Theoxus\Local Settings\Application Data\WOP
2010-02-23 21:17 . 2010-02-23 21:17 -------- d-----w- e:\documents and settings\All Users\Application Data\WOP
2010-02-23 21:17 . 2009-09-04 22:29 1974616 ----a-w- e:\windows\system32\D3DCompiler_42.dll
2010-02-23 21:17 . 2009-09-04 22:29 5501792 ----a-w- e:\windows\system32\d3dcsx_42.dll
2010-02-23 21:17 . 2010-02-23 21:17 -------- d-----w- e:\windows\Logs
2010-02-23 21:00 . 2010-02-23 21:00 -------- d-----w- e:\program files\iPod
2010-02-23 21:00 . 2010-02-23 21:01 -------- d-----w- e:\program files\iTunes
2010-02-23 21:00 . 2010-02-23 21:01 -------- d-----w- e:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2010-02-23 20:47 . 2010-02-23 20:47 72488 ----a-w- e:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.3.15\SetupAdmin.exe
2010-02-18 02:54 . 2005-08-26 00:18 118784 ----a-w- e:\windows\system32\MSSTDFMT.DLL
2010-02-18 02:54 . 2010-02-18 03:00 -------- d-----w- e:\program files\SpywareBlaster
2010-02-18 01:31 . 2010-02-18 01:31 -------- d--h--w- e:\windows\system32\GroupPolicy
2010-02-17 20:40 . 2010-02-17 20:40 45056 ----a-r- e:\documents and settings\Theoxus\Application Data\Microsoft\Installer\{B5EDB5CB-3F59-46DC-A14B-A12274127FB1}\MapleStory.exe1_FC1F22196DEC4370AC4298298F2A87C3.exe
2010-02-17 20:40 . 2010-02-17 20:40 45056 ----a-r- e:\documents and settings\Theoxus\Application Data\Microsoft\Installer\{B5EDB5CB-3F59-46DC-A14B-A12274127FB1}\MapleStory.exe_FC1F22196DEC4370AC4298298F2A87C3.exe
2010-02-17 20:40 . 2010-02-17 20:40 10134 ----a-r- e:\documents and settings\Theoxus\Application Data\Microsoft\Installer\{B5EDB5CB-3F59-46DC-A14B-A12274127FB1}\ARPPRODUCTICON.exe
2010-02-17 03:42 . 2010-02-24 23:54 -------- d-----w- e:\documents and settings\Theoxus\Application Data\X-Chat 2
2010-02-17 03:41 . 2010-02-17 03:41 -------- d-----w- e:\program files\X-Chat 2
2010-02-16 22:34 . 1998-06-17 05:00 798773 ----a-w- e:\windows\system32\MFCO42D.DLL
2010-02-16 02:28 . 2010-02-16 02:28 -------- d-----w- e:\program files\XBox 360 Controller for Windows Software
2010-02-11 00:42 . 2010-02-27 19:02 -------- d-----w- e:\documents and settings\NetworkService\Application Data\WTablet
2010-02-10 21:56 . 2010-02-27 15:00 -------- d-----w- e:\documents and settings\Theoxus\Local Settings\Application Data\Temp
2010-02-10 21:55 . 2010-02-10 21:56 -------- d-----w- e:\documents and settings\Theoxus\Local Settings\Application Data\Google
2010-02-10 20:33 . 2010-02-10 20:33 1924744 ----a-w- e:\documents and settings\Theoxus\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\fpupdatepl\fpupdatepl.exe
2010-02-09 21:02 . 2010-02-09 21:02 -------- d-sh--w- e:\documents and settings\LocalService\IETldCache

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-08 22:04 . 2008-12-04 01:20 -------- d-----w- e:\program files\Steam
2010-03-08 22:02 . 2010-01-31 22:35 -------- d-----w- e:\documents and settings\Theoxus\Application Data\WTablet
2010-02-27 14:40 . 2009-03-26 20:22 -------- d---a-w- e:\documents and settings\All Users\Application Data\TEMP
2010-02-24 21:00 . 2009-01-03 01:13 -------- d-----w- e:\documents and settings\Theoxus\Application Data\Apple Computer
2010-02-23 21:00 . 2009-01-03 01:11 -------- d-----w- e:\program files\Common Files\Apple
2010-02-23 20:58 . 2009-06-08 23:59 -------- d-----w- e:\program files\QuickTime
2010-02-23 20:11 . 2008-12-04 22:14 -------- d-----w- e:\program files\SpeedFan
2010-02-19 04:16 . 2010-02-19 04:16 6192548 ----a-w- e:\program files\Livestream Procaster.rar
2010-02-19 03:35 . 2009-12-11 23:32 79488 ----a-w- e:\documents and settings\Theoxus\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2010-02-17 19:37 . 2009-04-28 18:58 -------- d-----w- e:\documents and settings\All Users\Application Data\PMB Files
2010-02-17 17:14 . 2008-12-04 01:50 36008 ----a-w- e:\documents and settings\Theoxus\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-02-16 22:52 . 2008-12-04 01:47 -------- d--h--w- e:\program files\InstallShield Installation Information
2010-01-31 22:35 . 2010-01-31 22:35 -------- d-----w- e:\documents and settings\Theoxus\Application Data\WTouch
2010-01-31 22:35 . 2010-01-31 22:35 -------- d-----w- e:\program files\WTouch
2010-01-31 22:35 . 2010-01-31 22:35 -------- d-----w- e:\program files\TabletPlugins
2010-01-31 22:35 . 2010-01-31 22:31 -------- d-----w- e:\program files\Tablet
2010-01-31 22:25 . 2009-02-25 01:24 -------- d-----w- e:\program files\Common Files\Macromedia
2010-01-31 22:24 . 2009-02-25 01:23 -------- d-----w- e:\program files\Macromedia
2010-01-31 22:18 . 2010-01-31 22:18 45056 ----a-r- e:\documents and settings\Theoxus\Application Data\Microsoft\Installer\{885A63EA-382B-4DD4-A755-14809B8557D6}\ARPPRODUCTICON.exe
2010-01-31 22:10 . 2010-01-31 22:10 -------- d-----w- e:\program files\Livestream Procaster
2010-01-23 04:18 . 2010-01-23 04:18 -------- d-----w- e:\documents and settings\Theoxus\Application Data\TortoiseSVN
2010-01-23 04:08 . 2010-01-23 04:08 -------- d-----w- e:\documents and settings\Theoxus\Application Data\Subversion
2010-01-23 03:56 . 2010-01-23 03:56 -------- d-----w- e:\program files\TortoiseSVN
2010-01-23 03:56 . 2010-01-23 03:56 -------- d-----w- e:\program files\Common Files\TortoiseOverlays
2010-01-23 03:33 . 2008-12-17 03:16 -------- d-----w- e:\program files\Common Files\Blizzard Entertainment
2010-01-23 02:30 . 2008-12-10 02:36 -------- d-----w- e:\program files\Windows Live
2010-01-23 00:34 . 2009-01-26 20:34 -------- d-----w- e:\program files\Microsoft Silverlight
2010-01-22 04:11 . 2009-01-26 22:39 -------- d-----w- e:\program files\MAGIX
2010-01-22 04:09 . 2009-04-28 19:18 393216 ----a-w- e:\documents and settings\All Users\Application Data\NexonUS\NGM\NGMResource.dll
2010-01-22 04:03 . 2008-12-04 01:12 -------- d-----w- e:\documents and settings\Theoxus\Application Data\uTorrent
2010-01-18 06:30 . 2010-01-18 06:30 499712 ----a-w- e:\windows\system32\msvcp71.dll
2009-12-21 19:14 . 2008-04-27 08:05 916480 ------w- e:\windows\system32\wininet.dll
2009-12-11 23:28 . 2009-05-11 22:52 56816 ----a-w- e:\windows\system32\drivers\avgntflt.sys
2009-01-26 22:56 . 2009-01-26 22:56 75 -csh--r- e:\windows\ICMET20.BIN
.

------- Sigcheck -------

[-] 2008-04-27 07:20 . C51B4A5C05A5475708E3C81C7765B71D . 27136 . . [11.0.5721.5145] . . e:\windows\system32\mspmsnsv.dll
.
((((((((((((((((((((((((((((( SnapShot@2010-03-04_20.28.03 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-03-08 21:04 . 2010-03-08 21:04 16384 e:\windows\Temp\Perflib_Perfdata_684.dat
+ 2010-03-08 22:02 . 2010-03-08 22:02 16384 e:\windows\Temp\Perflib_Perfdata_4e4.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\1TortoiseNormal]
@="{C5994560-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994560-53D9-4125-87C9-F193FC689CB2}]
2010-01-19 00:12 86280 ----a-w- e:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\2TortoiseModified]
@="{C5994561-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994561-53D9-4125-87C9-F193FC689CB2}]
2010-01-19 00:12 86280 ----a-w- e:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\3TortoiseConflict]
@="{C5994562-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994562-53D9-4125-87C9-F193FC689CB2}]
2010-01-19 00:12 86280 ----a-w- e:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\4TortoiseLocked]
@="{C5994563-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994563-53D9-4125-87C9-F193FC689CB2}]
2010-01-19 00:12 86280 ----a-w- e:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\5TortoiseReadOnly]
@="{C5994564-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994564-53D9-4125-87C9-F193FC689CB2}]
2010-01-19 00:12 86280 ----a-w- e:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\6TortoiseDeleted]
@="{C5994565-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994565-53D9-4125-87C9-F193FC689CB2}]
2010-01-19 00:12 86280 ----a-w- e:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\7TortoiseAdded]
@="{C5994566-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994566-53D9-4125-87C9-F193FC689CB2}]
2010-01-19 00:12 86280 ----a-w- e:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\8TortoiseIgnored]
@="{C5994567-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994567-53D9-4125-87C9-F193FC689CB2}]
2010-01-19 00:12 86280 ----a-w- e:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\9TortoiseUnversioned]
@="{C5994568-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994568-53D9-4125-87C9-F193FC689CB2}]
2010-01-19 00:12 86280 ----a-w- e:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LClock"="e:\program files\LClock\LClock.exe" [2004-09-19 65536]
"Steam"="e:\program files\steam\steam.exe" [2010-02-22 1217872]
"WMPNSCFG"="e:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]
"Google Update"="e:\documents and settings\Theoxus\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-02-10 135664]
"Pando Media Booster"="e:\program files\Pando Networks\Media Booster\PMB.exe" [2010-02-17 2937528]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PWRISOVM.EXE"="e:\program files\PowerISO\PWRISOVM.EXE" [2008-01-20 217088]
"SunJavaUpdateSched"="e:\program files\Java\jre6\bin\jusched.exe" [2009-01-19 136600]
"SoundMan"="SOUNDMAN.EXE" [2007-04-16 577536]
"AppleSyncNotifier"="e:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-08-13 177440]
"Adobe Reader Speed Launcher"="e:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"avgnt"="e:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"NvCplDaemon"="e:\windows\system32\NvCpl.dll" [2009-01-15 13680640]
"nwiz"="nwiz.exe" [2009-01-15 1657376]
"NvMediaCenter"="e:\windows\system32\NvMcTray.dll" [2009-01-15 86016]
"Livestream Procaster"="e:\program files\Livestream Procaster\Procaster.exe" [2009-12-17 6477088]
"QuickTime Task"="e:\program files\QuickTime\QTTask.exe" [2009-11-11 417792]
"iTunesHelper"="e:\program files\iTunes\iTunesHelper.exe" [2010-02-15 141608]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"LClock"="e:\program files\LClock\LClock.exe" [2004-09-19 65536]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"ShowDeskFix"="shell32" [X]
"nltide_3"="advpack.dll" [2009-03-08 128512]

e:\documents and settings\Theoxus\Start Menu\Programs\Startup\
OpenOffice.org 3.0.lnk - e:\program files\OpenOffice.org 3\program\quickstart.exe [2008-9-12 384000]

e:\documents and settings\All Users\Start Menu\Programs\Startup\
FlashPath Monitor.lnk - e:\program files\SmartDisk\FlashPath\sdstat.exe [2009-8-8 184320]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"e:\\Program Files\\UrbanTerror\\ioUrbanTerror.exe"=
"e:\\Program Files\\Steam\\Steam.exe"=
"e:\\Program Files\\Steam\\steamapps\\shicat\\garrysmod\\hl2.exe"=
"e:\\Program Files\\Steam\\steamapps\\shicat\\counter-strike source\\hl2.exe"=
"e:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"e:\\Program Files\\Flagship Studios\\Hellgate London\\Launcher.exe"=
"e:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"e:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"e:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"e:\\Program Files\\Skype\\Phone\\Skype.exe"=
"e:\\WINDOWS\\system32\\Pen_Tablet.exe"=
"e:\\Program Files\\X-Chat 2\\xchat.exe"=
"e:\\Program Files\\Steam\\steamapps\\01blade10\\counter-strike source\\hl2.exe"=
"e:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
"e:\\Program Files\\Steam\\steamapps\\01blade10\\team fortress 2\\hl2.exe"=
"e:\\Program Files\\Steam\\steamapps\\01blade10\\garrysmod\\hl2.exe"=
"e:\\Program Files\\Steam\\steamapps\\common\\wings of prey demo\\launcher.exe"=
"e:\\Program Files\\iTunes\\iTunes.exe"=
"e:\\Program Files\\Steam\\steamapps\\common\\wings of prey demo\\acess.exe"=
"e:\\Soldat\\Soldat.exe"=
"e:\\Program Files\\TortoiseSVN\\bin\\TSVNCache.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"57700:TCP"= 57700:TCP:Pando Media Booster
"57700:UDP"= 57700:UDP:Pando Media Booster
"56759:TCP"= 56759:TCP:Pando Media Booster
"56759:UDP"= 56759:UDP:Pando Media Booster

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;e:\program files\Avira\AntiVir Desktop\sched.exe [5/11/2009 5:52 PM 108289]
R2 FlashNT;FlashNT;e:\windows\system32\drivers\FLASHNT.SYS [8/8/2009 1:42 PM 72784]
R2 Sdselect;Sdselect;e:\windows\system32\drivers\sdselect.sys [8/8/2009 1:42 PM 73296]
R2 TabletServicePen;TabletServicePen;e:\windows\system32\Pen_Tablet.exe [1/31/2010 5:31 PM 4497704]
R2 WTouchService;WTouch Service;e:\program files\WTouch\WTouchService.exe [1/31/2010 5:35 PM 113448]
R3 ngrpci;NETGEAR FA310TX Fast Ethernet Adapter Driver;e:\windows\system32\drivers\Ngrpci.sys [4/11/2009 12:16 PM 32840]
S3 ALSysIO;ALSysIO;\??\e:\docume~1\Theoxus\LOCALS~1\Temp\ALSysIO.sys --> e:\docume~1\Theoxus\LOCALS~1\Temp\ALSysIO.sys [?]
S3 FirebirdServerMAGIXInstance;Firebird Server - MAGIX Instance;e:\program files\MAGIX\Common\Database\bin\fbserver.exe [1/26/2009 5:44 PM 1527900]
S3 libusb0;LibUsb-Win32 - Kernel Driver 03/20/2007, 0.1.12.1;e:\windows\system32\drivers\libusb0.sys [4/11/2009 9:44 PM 28672]
S3 PsSdk41;PsSdk41;e:\windows\system32\drivers\pssdk41.sys [3/12/2009 8:51 PM 36928]
S3 smrtdrv;SMART Technologies Inc. Mirror Driver;e:\windows\system32\drivers\smrtdrv.sys [4/22/2004 10:38 AM 2432]
S3 wacmoumonitor;Wacom Mode Helper;e:\windows\system32\drivers\wacmoumonitor.sys [1/31/2010 5:31 PM 15144]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{D58F39FF-953E-4F45-898F-59F243B9A523}]
2009-03-08 08:32 128512 ----a-w- e:\windows\system32\advpack.dll
.
Contents of the 'Scheduled Tasks' folder

2010-02-15 e:\windows\Tasks\AppleSoftwareUpdate.job
- e:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2010-02-22 e:\windows\Tasks\Backup.job
- e:\windows\system32\ntbackup.exe [2008-04-14 04:42]

2010-02-27 e:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1229272821-1326574676-1417001333-1004Core.job
- e:\documents and settings\Theoxus\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-02-10 21:55]

2010-03-08 e:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1229272821-1326574676-1417001333-1004UA.job
- e:\documents and settings\Theoxus\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-02-10 21:55]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
uInternet Connection Wizard,ShellNext = https://login.live.com/ppsecure/sha1auth.srf?lc=1033
uInternet Settings,ProxyOverride = *.local
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
FF - ProfilePath - e:\documents and settings\Theoxus\Application Data\Mozilla\Firefox\Profiles\ma48oc8e.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.live.com/results.aspx?FORM=IEFM1&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://reeno166.deviantart.com/
FF - plugin: e:\documents and settings\All Users\Application Data\NexonUS\NGM\npNxGameUS.dll
FF - plugin: e:\documents and settings\Theoxus\Local Settings\Application Data\Google\Update\1.2.183.17\npGoogleOneClick8.dll
FF - plugin: e:\program files\Mozilla Firefox\plugins\npPandoWebInst.dll
FF - plugin: e:\program files\TabletPlugins\npwacom.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - e:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-08 17:02
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,9e,07,79,a2,13,26,c4,4a,a5,a1,dd,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,9e,07,79,a2,13,26,c4,4a,a5,a1,dd,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3796)
e:\windows\system32\WININET.dll
e:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
e:\program files\TortoiseSVN\bin\TortoiseStub.dll
e:\program files\TortoiseSVN\bin\TortoiseSVN.dll
e:\program files\TortoiseSVN\bin\intl3_tsvn.dll
e:\program files\iTunes\iTunesMiniPlayer.dll
e:\program files\iTunes\iTunesMiniPlayer.Resources\en.lproj\iTunesMiniPlayerLocalized.dll
e:\program files\iTunes\iTunesMiniPlayer.Resources\iTunesMiniPlayer.dll
e:\program files\Stardock\Object Desktop\IconPackager\shellext.dll
e:\windows\system32\ieframe.dll
e:\program files\LClock\LC.dll
e:\windows\system32\webcheck.dll
e:\windows\system32\wpdshserviceobj.dll
e:\windows\system32\portabledevicetypes.dll
e:\windows\system32\portabledeviceapi.dll
.
------------------------ Other Running Processes ------------------------
.
e:\program files\Avira\AntiVir Desktop\avguard.exe
e:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
e:\program files\Bonjour\mDNSResponder.exe
e:\program files\Java\jre6\bin\jqs.exe
e:\nexon\Mabinogi\npkcmsvc.exe
e:\windows\system32\nvsvc32.exe
e:\windows\system32\locator.exe
e:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
e:\windows\system32\WgaTray.exe
e:\program files\WTouch\WTouchUser.exe
e:\windows\system32\WTablet\Pen_TabletUser.exe
e:\program files\Windows Media Player\WMPNetwk.exe
e:\windows\system32\wscntfy.exe
e:\program files\TortoiseSVN\bin\TSVNCache.exe
e:\windows\SOUNDMAN.EXE
e:\windows\system32\RUNDLL32.EXE
e:\program files\OpenOffice.org 3\program\soffice.exe
e:\program files\OpenOffice.org 3\program\soffice.bin
e:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2010-03-08 17:06:56 - machine was rebooted
ComboFix-quarantined-files.txt 2010-03-08 22:06

Pre-Run: 319,955,750,912 bytes free
Post-Run: 319,908,601,856 bytes free

- - End Of File - - 3BB33E77440A6C443F5EEA740BF32995


#10 thewall

thewall

  • Malware Response Team
  • 6,425 posts
  • Gender:Male
  • Location:Florida

Posted 08 March 2010 - 05:32 PM

Making progress.


Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.





Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older Java components and update.
  • Download the latest version of Java Runtime Environment (JRE) 18 and save it to your desktop.
  • Scroll down to where it says JDK 6 Update 18 (JDK or JRE)
  • Click the Download JRE button to the right
  • Select the Windows platform from the dropdown menu.
  • Read the License Agreement and then check the box that says: "I agree to the Java SE Runtime Environment 6u18 with JavaFX 1 License Agreement". Click on Continue. The page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add or Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE or Java™ 6) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u18-windows-i586-p.exe to install the newest version.
  • After the install is complete, go into the Control Panel (using Classic View) and double-click the Java Icon. (looks like a coffee cup)
    • On the General tab, under Temporary Internet Files, click the Settings button.
    • Next, click on the Delete Files button
    • There are two options in the window to clear the cache - Leave BOTH Checked
        Applications and Applets
        Trace and Log Files
    • Click OK on Delete Temporary Files Window
      Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
    • Click OK to leave the Temporary Files Window
    • Click OK to leave the Java Control Panel.




If I have helped you then please consider donating so I can continue the fight against malware
All donations go directly to the helper

Due to the large amount of backlogs we have I cannot respond to PMs for help unless I am already working with you

#11 01Blade10

01Blade10
  • Topic Starter
  • Members
  • 10 posts

Posted 09 March 2010 - 02:54 PM

Blah blah.

Malwarebytes' Anti-Malware 1.44
Database version: 3510
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

3/9/2010 3:04:17 PM
mbam-log-2010-03-09 (15-04-17).txt

Scan type: Quick Scan
Objects scanned: 102520
Time elapsed: 4 minute(s), 4 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
E:\WINDOWS\system32\yopopanu.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.

Edited by 01Blade10, 09 March 2010 - 03:01 PM.


#12 thewall

thewall

  • Malware Response Team
  • 6,425 posts
  • Gender:Male
  • Location:Florida

Posted 09 March 2010 - 03:56 PM

Just the one thing so it looks pretty good. How is it running?

#13 01Blade10

01Blade10
  • Topic Starter
  • Members
  • 10 posts

Posted 09 March 2010 - 05:44 PM

Everything seems in order, thanks a bunch!

#14 thewall

thewall

  • Malware Response Team
  • 6,425 posts
  • Gender:Male
  • Location:Florida

Posted 09 March 2010 - 06:42 PM

You're welcome!

It's important that we uninstall ComboFix and I have a few suggestions which may help you in the future.


Uninstall Combofix
  • Press the Windows Key + R on your keyboard.
  • Now copy & paste the green bolded text in the run-box and click OK.

    ComboFix /Uninstall

    <Notice the space between the "x" and "/".>

  • The following will implement some very important cleanup procedures as well as reset System Restore points.




You can also go ahead and delete GMER and DDS if they are still on your Desktop.



Below are some steps to follow in order to dramatically lower the chances of reinfection.
You may have already implemented some of the steps below; however, you should follow any steps that you have not already implemented.
  1. Make sure you install all the security updates for Windows, Internet Explorer & Microsoft Office
    Whenever a security problem in its software is found, Microsoft will usually create a patch for it so that, after the patch is installed, attackers can't use the vulnerability to install malicious software on your PC. Keeping up with these patches will help to prevent malicious software being installed on your PC.
    Go here to check for & install updates to Microsoft applications
    Note: The update process uses ActiveX, so you will need to use Internet Explorer for it, and allow the ActiveX control that it wants to install.
  2. Keep your non-Microsoft applications updated as well
    Microsoft isn't the only company whose products can contain security vulnerabilities. To check for other vulnerable programs running on your PC that are in need of an update, you can use the Secunia Software Inspector - I suggest that you run it at least once a month.
  3. Make Internet Explorer more secure
    Click Start > Run
    Type Inetcpl.cpl & click OK
    Click on the Security tab
    Click Reset all zones to default level
    Make sure the Internet Zone is selected & Click Custom level
    In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls") to "Prompt", and ("Initialize and Script ActiveX controls not marked as safe") to "Disable".
    Next Click OK, then Apply button and then OK to exit the Internet Properties page.
  4. Install SpywareBlaster & make sure to update it regularly
    SpywareBlaster sets killbits in the registry to prevent known malicious activex controls from installing themselves on your computer.
    If you don't know what ActiveX controls are, see here
    You can download SpywareBlaster from here
  5. Finally, this is very important. It is absolutely essential to keep all of your security programs up to date




If you have any other questions or issues feel free to ask as I will be checking back on this topic.



Other than that if there is nothing else I can do for you then I wish you good luck in the future and thank you for using our forum.


thewall
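As an added example (not code from the thread or from thewall), the PowerShell script below audits the three Internet-zone ActiveX settings that step 3 of the post above changes through Inetcpl.cpl and, with -Apply, sets them to the recommended values. It assumes the per-user zone settings live under HKCU\...\Internet Settings\Zones\3, that value names 1001, 1004 and 1201 are the three ActiveX policies named in the post, and that data 0 / 1 / 3 mean Enable / Prompt / Disable; a setting that is already stricter than the recommendation is left alone.

```powershell
# Added example, not code from the thread: audit the Internet-zone ActiveX
# settings that step 3 changes through Inetcpl.cpl, and optionally apply them.
# Assumptions: per-user zone settings live under the key below, value names
# 1001/1004/1201 are the three ActiveX policies named in the thread, and the
# data 0 / 1 / 3 mean Enable / Prompt / Disable.
param([switch]$Apply)

# Zone 3 is Internet Explorer's "Internet" zone.
$ZoneKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'

# Registry value name -> policy label and the data the thread recommends.
$Wanted = [ordered]@{
    '1001' = @{ Name = 'Download signed ActiveX controls';                          Data = 1 }  # Prompt
    '1004' = @{ Name = 'Download unsigned ActiveX controls';                        Data = 1 }  # Prompt
    '1201' = @{ Name = 'Initialize and script ActiveX controls not marked as safe'; Data = 3 }  # Disable
}
$Label = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

if (-not (Test-Path $ZoneKey)) {
    Write-Warning "Zone key not found: $ZoneKey (Internet Explorer has not written per-user zone settings)"
    exit 1
}

$current  = Get-ItemProperty -Path $ZoneKey
$needsFix = 0
foreach ($valueName in $Wanted.Keys) {
    $want = $Wanted[$valueName]
    $prop = $current.PSObject.Properties[$valueName]
    $have = if ($null -ne $prop) { [int]$prop.Value } else { $null }
    $haveLabel = if ($null -eq $have) { 'unset' }
                 elseif ($Label.ContainsKey($have)) { $Label[$have] }
                 else { "data=$have" }

    # Strictness rises with the data value (0 Enable < 1 Prompt < 3 Disable), so a
    # setting that is already stricter than the recommendation is not loosened.
    $ok = ($null -ne $have) -and ($have -ge $want.Data)
    $status = if ($ok) { 'OK ' } else { 'FIX' }
    Write-Host ("{0} {1} [{2}]: current={3}, recommended={4}" -f $status, $want.Name, $valueName, $haveLabel, $Label[$want.Data])

    if (-not $ok) {
        $needsFix++
        if ($Apply) {
            # Set-ItemProperty creates the value when it is missing; DWORD is what Inetcpl.cpl writes.
            Set-ItemProperty -Path $ZoneKey -Name $valueName -Value $want.Data -Type DWord
            Write-Host ("    -> set to {0}" -f $Label[$want.Data])
        }
    }
}

if ($needsFix -eq 0) {
    Write-Host 'All three ActiveX settings already meet the recommendation.'
} elseif (-not $Apply) {
    Write-Host ("{0} setting(s) differ; re-run with -Apply to change them." -f $needsFix)
}
```

Run it as the user whose Internet Explorer profile is being checked; without -Apply it only reports, which is the safer first step on a machine that is still being cleaned.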

#15 01Blade10

01Blade10
  • Topic Starter
  • Members
  • 10 posts

Posted 10 March 2010 - 01:42 PM

I use Mozilla Firefox, how do I make that more secure?