
HJT log file: Multiple Infections: Win32/Virumonde, Win32., Trojan Horse


  • This topic is locked
21 replies to this topic

#1 Jval

Jval

  • Members
  • 11 posts

Posted 25 March 2010 - 05:35 PM

I have recently contracted several infections and tried to fix them myself with free antivirus software. Nothing has worked to date. The infections include: atapi.sys system file is infected, Trojan horse Generic 17.KRB, Trojan horse Downloader.Zlob.ARKY, Win32.Virtumonde C, Win32/Heur, Trojan horse Generic 13.CNLB, Trojan Horse Cryptic.BJ.

These are the ones currently listed in my virus vault. There were many other DLL programs that appeared as infections. Attached is the latest HijackThis log. I have no idea what pathway to take now to try to fix this. Thank you in advance for any help.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:26:11 PM, on 3/25/2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\CyberDefender\Registry Cleaner\CDregclean.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\WINDOWS\system32\bgsvcgen.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Cisco Systems\Clean Access Agent\CCAAgent.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Documents and Settings\Jeanne\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Comcast
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {766e8e25-56cb-441c-bb04-85d749f72f3e} - fusizota.dll (file missing)
O2 - BHO: C:\WINDOWS\system32\immuqohnt.dll - {A3BA40A2-74F1-52BD-F434-00B15A2C8953} - C:\WINDOWS\system32\immuqohnt.dll (file missing)
O4 - HKLM\..\Run: [lufukoruli] Rundll32.exe "niwebazi.dll",s
O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
O4 - HKLM\..\Run: [rakivuzuj] Rundll32.exe "c:\windows\system32\nipuwoku.dll",a
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [TOY5KNQ8OC] C:\DOCUME~1\Jeanne\LOCALS~1\Temp\Gd0.exe
O4 - HKCU\..\Run: [eventtriggersxp.exe] C:\DOCUME~1\Jeanne\LOCALS~1\Temp\eventtriggersxp.exe
O4 - HKCU\..\Run: [Remote System Protection] rundll32.exe C:\WINDOWS\system32\immuqohnt.dll, HUI_proc
O4 - HKCU\..\Run: [Dr. Guard] "C:\Program Files\Dr. Guard\drguard.exe" -noscan
O4 - HKCU\..\Run: [CyberDefender Registry Cleaner] C:\Program Files\CyberDefender\Registry Cleaner\CDregclean.exe
O4 - HKUS\S-1-5-18\..\Run: [Remote System Protection] rundll32.exe C:\WINDOWS\system32\immuqohnt.dll, HUI_proc (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Remote System Protection] rundll32.exe C:\WINDOWS\system32\immuqohnt.dll, HUI_proc (User 'Default user')
O4 - Global Startup: Clean Access Agent.lnk = C:\Program Files\Cisco Systems\Clean Access Agent\CCAAgentLauncher.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: HP Smart Select - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{6088B828-1643-4F99-915C-31DCDF89FF42}: NameServer = 217.23.14.75,4.2.2.1,150.108.4.11 150.108.2.11 150.108.153.11
O17 - HKLM\System\CCS\Services\Tcpip\..\{EF6129F4-DDCA-41CC-B236-B8AE406EB03C}: NameServer = 217.23.14.75,4.2.2.1
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: c:\windows\system32\fuweyofa.dll huzisopo.dll c:\windows\system32\sufetida.dll c:\windows\system32\fapavifa.dll c:\windows\system32\nipuwoku.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O21 - SSODL: fefozujus - {9f28404e-9655-4495-9fb7-5024dece8516} - c:\windows\system32\fuweyofa.dll (file missing)
O21 - SSODL: bazelaweh - {0698da3f-85a0-417b-a00c-9d526e99b5c1} - c:\windows\system32\sufetida.dll (file missing)
O21 - SSODL: mediwonon - {b9b56619-b761-4560-89f1-08ce0c07df71} - c:\windows\system32\fapavifa.dll (file missing)
O21 - SSODL: panodadaf - {24480308-62d9-410a-952d-5253e932c40d} - c:\windows\system32\nipuwoku.dll
O22 - SharedTaskScheduler: hs3t873tisghs837tgysu7 - {A3BA40A2-74F1-52BD-F434-00B15A2C8953} - C:\WINDOWS\system32\immuqohnt.dll (file missing)
O22 - SharedTaskScheduler: mujuzedij - {9f28404e-9655-4495-9fb7-5024dece8516} - c:\windows\system32\fuweyofa.dll (file missing)
O22 - SharedTaskScheduler: tokatiluy - {0698da3f-85a0-417b-a00c-9d526e99b5c1} - c:\windows\system32\sufetida.dll (file missing)
O22 - SharedTaskScheduler: mujuzedij - {b9b56619-b761-4560-89f1-08ce0c07df71} - c:\windows\system32\fapavifa.dll (file missing)
O22 - SharedTaskScheduler: tokatiluy - {24480308-62d9-410a-952d-5253e932c40d} - c:\windows\system32\nipuwoku.dll
O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
O23 - Service: B's Recorder GOLD Library General Service (bgsvcgen) - B.H.A Corporation - C:\WINDOWS\system32\bgsvcgen.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Labs Licensing Service - Creative Labs - C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Unknown owner - C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe (file missing)
O23 - Service: dlbt_device - Dell - C:\WINDOWS\system32\dlbtcoms.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: IS Service (ISSVC) - Unknown owner - C:\Program Files\Symantec Client Security\Symantec Client Firewall\ISSVC.exe (file missing)
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SAVRoam (SavRoam) - Unknown owner - C:\Program Files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe (file missing)
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: SupportSoft Sprocket Service (ddoctorv2) (sprtsvc_ddoctorv2) - SupportSoft, Inc. - C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
O23 - Service: Symantec AntiVirus - Unknown owner - C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe (file missing)
O23 - Service: Symantec SecurePort (SymSecurePort) - Unknown owner - C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe (file missing)
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: Intel® PROSet/Wireless SSO Service (WLANKEEPER) - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 10390 bytes
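The log above is the kind of HijackThis output that gets triaged by eye; the persistence sections it lists (O4 Run keys, O20 AppInit_DLLs, O21 SSODL, O22 SharedTaskScheduler, O17 nameservers) can be checked mechanically before anyone touches the machine. The Python script below is an added example, not part of the original thread and not a BleepingComputer or HijackThis tool. It parses an excerpt of the log posted above, flags autoruns that start from a Temp directory or go through rundll32, every DLL listed in AppInit_DLLs, shell startup objects, BHOs with a missing file, and any O17 resolver not on an allowlist, then cross-references DLL basenames across sections so a module wired into several persistence mechanisms at once stands out. The allowlist of expected resolvers, the severity labels and the rule thresholds are assumptions made for the example.

```python
"""Triage a HijackThis log: flag the persistence entries worth a second look."""
import re
from collections import defaultdict

# Sample input: an excerpt of the HijackThis log posted above in this thread.
HJT_LOG = r"""
O2 - BHO: (no name) - {766e8e25-56cb-441c-bb04-85d749f72f3e} - fusizota.dll (file missing)
O2 - BHO: C:\WINDOWS\system32\immuqohnt.dll - {A3BA40A2-74F1-52BD-F434-00B15A2C8953} - C:\WINDOWS\system32\immuqohnt.dll (file missing)
O4 - HKLM\..\Run: [lufukoruli] Rundll32.exe "niwebazi.dll",s
O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
O4 - HKLM\..\Run: [rakivuzuj] Rundll32.exe "c:\windows\system32\nipuwoku.dll",a
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [TOY5KNQ8OC] C:\DOCUME~1\Jeanne\LOCALS~1\Temp\Gd0.exe
O4 - HKCU\..\Run: [eventtriggersxp.exe] C:\DOCUME~1\Jeanne\LOCALS~1\Temp\eventtriggersxp.exe
O4 - HKCU\..\Run: [Remote System Protection] rundll32.exe C:\WINDOWS\system32\immuqohnt.dll, HUI_proc
O17 - HKLM\System\CCS\Services\Tcpip\..\{6088B828-1643-4F99-915C-31DCDF89FF42}: NameServer = 217.23.14.75,4.2.2.1,150.108.4.11 150.108.2.11 150.108.153.11
O20 - AppInit_DLLs: c:\windows\system32\fuweyofa.dll huzisopo.dll c:\windows\system32\sufetida.dll c:\windows\system32\fapavifa.dll c:\windows\system32\nipuwoku.dll
O21 - SSODL: panodadaf - {24480308-62d9-410a-952d-5253e932c40d} - c:\windows\system32\nipuwoku.dll
O22 - SharedTaskScheduler: tokatiluy - {24480308-62d9-410a-952d-5253e932c40d} - c:\windows\system32\nipuwoku.dll
O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
"""

# Resolvers we expect on this machine. This allowlist is an assumption made for the
# example (the public 4.2.2.1 and the 150.108.x.x resolvers already in the log); in
# practice confirm it with the ISP or network owner. Anything else gets reported.
EXPECTED_DNS = {"4.2.2.1", "150.108.4.11", "150.108.2.11", "150.108.153.11"}

ENTRY_RE = re.compile(r"^([ORF]\d+) - (.*)$")
DLL_RE = re.compile(r"[\w~$.-]+\.dll", re.IGNORECASE)   # matches DLL basenames only
TEMP_RE = re.compile(r"\\temp\\", re.IGNORECASE)
IP_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def parse_hjt(text):
    """Yield (section, body) for every 'Oxx - ...' entry; other lines are skipped."""
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            yield m.group(1), m.group(2)


def referenced_modules(text):
    """Map each DLL basename (lower-cased) to the set of sections that reference it."""
    modules = defaultdict(set)
    for section, body in parse_hjt(text):
        for dll in DLL_RE.findall(body):
            modules[dll.lower()].add(section)
    return modules


def triage(text):
    """Return (severity, section, reason, entry) findings for suspicious entries."""
    findings = []
    section = body = ""

    def add(sev, why):
        findings.append((sev, section, why, body))

    for section, body in parse_hjt(text):
        low = body.lower()
        if section == "O4":
            if TEMP_RE.search(body):
                add("HIGH", "autorun starts a file from a Temp directory")
            elif "rundll32" in low:
                add("MEDIUM", "autorun loads a DLL through rundll32; verify the DLL")
        elif section == "O2" and ("(no name)" in low or "(file missing)" in low):
            add("MEDIUM", "BHO with no name or a missing file")
        elif section == "O17":
            for ip in IP_RE.findall(body):
                if ip not in EXPECTED_DNS:
                    add("HIGH", f"unexpected DNS resolver {ip}")
        elif section == "O20" and low.startswith("appinit_dlls:"):
            for dll in DLL_RE.findall(body):
                add("HIGH", f"AppInit_DLLs loads {dll} into every process that uses user32.dll")
        elif section in ("O21", "O22"):
            add("MEDIUM", "shell startup object; verify the CLSID against known-good entries")

    # A DLL wired into several persistence mechanisms at once is the strongest signal.
    for dll, sections in sorted(referenced_modules(text).items()):
        if len(sections) >= 3:
            findings.append(("HIGH", "XREF",
                             f"{dll} is referenced by {len(sections)} sections: "
                             + ", ".join(sorted(sections)), dll))
    return findings


if __name__ == "__main__":
    for sev, section, why, entry in triage(HJT_LOG):
        print(f"[{sev:6}] {section:4} {why}\n         {entry}")
```

Run against the excerpt, the script reports the two Temp-directory autoruns, the three rundll32 autoruns, all five AppInit_DLLs modules, the resolver 217.23.14.75 as not on the allowlist, and nipuwoku.dll as referenced from O4, O20, O21 and O22; the AVG and Skype entries produce no findings. The rules are deliberately coarse (they trade false positives for coverage), so each finding is a prompt to verify, not a verdict.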



#2 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,505 posts
  • Gender:Male
  • Location:Greenup, Ill USA

Posted 25 March 2010 - 07:03 PM

Hello Jval,
  • Welcome to Bleeping Computer.
  • My name is fireman4it and I will be helping you with your Malware problem.

    Please take note of some guidelines for this fix:
  • Refrain from making any changes to your computer, including installing/uninstalling programs, deleting files, modifying the registry, and running scanners or tools.
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing.
  • Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean".
  • Finally, please reply using the button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply, unless they do not fit into the post.


1.
Please download DeFogger to your desktop.

Double click DeFogger to run the tool.
  • The application window will appear
  • Click the Disable button to disable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger will now ask to reboot the machine - click OK
IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_disable which will appear on your desktop.

Do not re-enable these drivers until otherwise instructed.

2.
Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (e.g. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.


  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.

3.
Download and Run RKill
    Please download RKill by Grinler from one of the 4 links below and save it to your desktop.

    Link 1
    Link 2
    Link 3
    Link 4

  • Before we begin, you should disable any anti-malware software you have installed so it does not interfere with RKill running, as some anti-malware software detects RKill as malicious. Please refer to this page if you are not sure how.
  • Double-click on Rkill on your desktop to run it. (If you are using Windows Vista, please right-click on it and select Run As Administrator)
  • A black screen will appear and then disappear. Please do not worry, that is normal. This means that the tool has been successfully executed.
  • If nothing happens or if the tool does not run, please let me know in your next reply.

4.
Install Recovery Console and Run ComboFix

This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.

Download Combofix from any of the links below, and save it to your desktop.

Link 1
Link 2
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Close any open windows, including this one.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • If you did not have it installed, you will see the prompt below. Choose YES.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Note: The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.
  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
Leave your computer alone while ComboFix is running.
ComboFix will restart your computer if malware is found; allow it to do so.


Note: Please do NOT mouse-click ComboFix's window while it's running, because it may cause it to stall.


Things to include in your next reply:
Gmer log
Rkill log
Combofix.log
A new HiJackThis log
How is your machine running now?


" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-



If I have helped you, consider making a donation to help me continue the fight against Malware! Just click btn_donate_LG.gif


#3 Jval

Jval
  • Topic Starter

  • Members
  • 11 posts

Posted 25 March 2010 - 08:13 PM

DeFogger would not reboot my system. The program just started over once it was finished, asking to "disable" or "re-enable". This is the log:

defogger_disable by jpshortstuff (23.02.10.1)
Log created at 21:11 on 25/03/2010 (Jeanne)

Checking for autostart values...
HKCU\~\Run values retrieved.
HKLM\~\Run values retrieved.

Checking for services/drivers...


-=E.O.F=-

#4 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,505 posts
  • Gender:Male
  • Location:Greenup, Ill USA

Posted 25 March 2010 - 08:40 PM

Hello,

QUOTE
DeFogger would not reboot my system. The program just started over once it was finished, asking to "disable" or "re-enable". This is the log:

defogger_disable by jpshortstuff (23.02.10.1)
Log created at 21:11 on 25/03/2010 (Jeanne)

Checking for autostart values...
HKCU\~\Run values retrieved.
HKLM\~\Run values retrieved.

Checking for services/drivers...


You want to disable.



" Extinguishing Malware from the world"



#5 Jval

Jval
  • Topic Starter

  • Members
  • 11 posts

Posted 26 March 2010 - 11:47 AM

GMER log:
GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-03-26 10:57:02
Windows 4.0.950
Running: GMER.exe; Driver: C:\DOCUME~1\Jeanne\LOCALS~1\Temp\kfloapog.sys


---- System - GMER 1.0.15 ----

SSDT 8618B170 ZwConnectPort
SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwCreateKey [0xF764D87E]
SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwSetValueKey [0xF764DBFE]

---- Kernel code sections - GMER 1.0.15 ----

.rsrc C:\WINDOWS\system32\drivers\atapi.sys entry point in ".rsrc" section [0xF749C394]

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe[184] kernel32.dll!GetFileAttributesW 7C80B75C 5 Bytes JMP 10001C38 C:\WINDOWS\system32\huzisopo.dll
.text C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe[184] kernel32.dll!FindFirstFileExW 7C80EA8D 5 Bytes JMP 10001B62 C:\WINDOWS\system32\huzisopo.dll
.text C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe[184] kernel32.dll!FindNextFileW 7C80EF4A 7 Bytes JMP 10001BC8 C:\WINDOWS\system32\huzisopo.dll
.text C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe[184] kernel32.dll!CreateFileW 7C810770 5 Bytes JMP 10001BDF C:\WINDOWS\system32\huzisopo.dll
.text C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe[184] kernel32.dll!DeleteFileW 7C831F7B 5 Bytes JMP 10001CC5 C:\WINDOWS\system32\huzisopo.dll
.text C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe[184] kernel32.dll!MoveFileExW 7C8356A3 5 Bytes JMP 10001D96 C:\WINDOWS\system32\huzisopo.dll
.text C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe[184] kernel32.dll!Module32FirstW 7C864397 5 Bytes JMP 10001C6F C:\WINDOWS\system32\huzisopo.dll
.text C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe[184] kernel32.dll!Module32NextW 7C864534 5 Bytes JMP 10001CAE C:\WINDOWS\system32\huzisopo.dll
.text C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe[184] PSAPI.DLL!EnumProcessModules 76BF1F1C 5 Bytes JMP 10001CFC C:\WINDOWS\system32\huzisopo.dll
.text C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe[256] kernel32.dll!GetFileAttributesW 7C80B75C 5 Bytes JMP 10001C38 C:\WINDOWS\system32\huzisopo.dll
.text C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe[256] kernel32.dll!FindFirstFileExW 7C80EA8D 5 Bytes JMP 10001B62 C:\WINDOWS\system32\huzisopo.dll
.text C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe[256] kernel32.dll!FindNextFileW 7C80EF4A 7 Bytes JMP 10001BC8 C:\WINDOWS\system32\huzisopo.dll
.text C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe[256] kernel32.dll!CreateFileW 7C810770 5 Bytes JMP 10001BDF C:\WINDOWS\system32\huzisopo.dll
.text C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe[256] kernel32.dll!DeleteFileW 7C831F7B 5 Bytes JMP 10001CC5 C:\WINDOWS\system32\huzisopo.dll
.text C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe[256] kernel32.dll!MoveFileExW 7C8356A3 5 Bytes JMP 10001D96 C:\WINDOWS\system32\huzisopo.dll
.text C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe[256] kernel32.dll!Module32FirstW 7C864397 5 Bytes JMP 10001C6F C:\WINDOWS\system32\huzisopo.dll
.text C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe[256] kernel32.dll!Module32NextW 7C864534 5 Bytes JMP 10001CAE C:\WINDOWS\system32\huzisopo.dll
.text C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe[256] PSAPI.DLL!EnumProcessModules 76BF1F1C 5 Bytes JMP 10001CFC C:\WINDOWS\system32\huzisopo.dll
.text C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe[324] kernel32.dll!GetFileAttributesW 7C80B75C 5 Bytes JMP 10001C38 C:\WINDOWS\system32\huzisopo.dll
.text C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe[324] kernel32.dll!FindFirstFileExW 7C80EA8D 5 Bytes JMP 10001B62 C:\WINDOWS\system32\huzisopo.dll
.text C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe[324] kernel32.dll!FindNextFileW 7C80EF4A 7 Bytes JMP 10001BC8 C:\WINDOWS\system32\huzisopo.dll
.text C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe[324] kernel32.dll!CreateFileW 7C810770 5 Bytes JMP 10001BDF C:\WINDOWS\system32\huzisopo.dll
.text C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe[324] kernel32.dll!DeleteFileW 7C831F7B 5 Bytes JMP 10001CC5 C:\WINDOWS\system32\huzisopo.dll
.text C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe[324] kernel32.dll!MoveFileExW 7C8356A3 5 Bytes JMP 10001D96 C:\WINDOWS\system32\huzisopo.dll
.text C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe[324] kernel32.dll!Module32FirstW 7C864397 5 Bytes JMP 10001C6F C:\WINDOWS\system32\huzisopo.dll
.text C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe[324] kernel32.dll!Module32NextW 7C864534 5 Bytes JMP 10001CAE C:\WINDOWS\system32\huzisopo.dll
.text C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe[324] PSAPI.DLL!EnumProcessModules 76BF1F1C 5 Bytes JMP 10001CFC C:\WINDOWS\system32\huzisopo.dll
.text C:\WINDOWS\system32\spoolsv.exe[648] kernel32.dll!GetFileAttributesW 7C80B75C 5 Bytes JMP 10001C38 C:\WINDOWS\system32\huzisopo.dll
.text C:\WINDOWS\system32\spoolsv.exe[648] kernel32.dll!FindFirstFileExW 7C80EA8D 5 Bytes JMP 10001B62 C:\WINDOWS\system32\huzisopo.dll
.text C:\WINDOWS\system32\spoolsv.exe[648] kernel32.dll!FindNextFileW 7C80EF4A 7 Bytes JMP 10001BC8 C:\WINDOWS\system32\huzisopo.dll
.text C:\WINDOWS\system32\spoolsv.exe[648] kernel32.dll!CreateFileW 7C810770 5 Bytes JMP 10001BDF C:\WINDOWS\system32\huzisopo.dll
.text C:\WINDOWS\system32\spoolsv.exe[648] kernel32.dll!DeleteFileW 7C831F7B 5 Bytes JMP 10001CC5 C:\WINDOWS\system32\huzisopo.dll
.text C:\WINDOWS\system32\spoolsv.exe[648] kernel32.dll!MoveFileExW 7C8356A3 5 Bytes JMP 10001D96 C:\WINDOWS\system32\huzisopo.dll
.text C:\WINDOWS\system32\spoolsv.exe[648] kernel32.dll!Module32FirstW 7C864397 5 Bytes JMP 10001C6F C:\WINDOWS\system32\huzisopo.dll
.text C:\WINDOWS\system32\spoolsv.exe[648] kernel32.dll!Module32NextW 7C864534 5 Bytes JMP 10001CAE C:\WINDOWS\system32\huzisopo.dll
.text C:\WINDOWS\system32\spoolsv.exe[648] PSAPI.DLL!EnumProcessModules 76BF1F1C 5 Bytes JMP 10001CFC C:\WINDOWS\system32\huzisopo.dll
.text C:\Program Files\Bonjour\mDNSResponder.exe[820] kernel32.dll!GetFileAttributesW 7C80B75C 5 Bytes JMP 10001C38 C:\WINDOWS\system32\huzisopo.dll
.text C:\Program Files\Bonjour\mDNSResponder.exe[820] kernel32.dll!FindFirstFileExW 7C80EA8D 5 Bytes JMP 10001B62 C:\WINDOWS\system32\huzisopo.dll
.text C:\Program Files\Bonjour\mDNSResponder.exe[820] kernel32.dll!FindNextFileW 7C80EF4A 7 Bytes JMP 10001BC8 C:\WINDOWS\system32\huzisopo.dll
.text C:\Program Files\Bonjour\mDNSResponder.exe[820] kernel32.dll!CreateFileW 7C810770 5 Bytes JMP 10001BDF C:\WINDOWS\system32\huzisopo.dll
.text C:\Program Files\Bonjour\mDNSResponder.exe[820] kernel32.dll!DeleteFileW 7C831F7B 5 Bytes JMP 10001CC5 C:\WINDOWS\system32\huzisopo.dll
.text C:\Program Files\Bonjour\mDNSResponder.exe[820] kernel32.dll!MoveFileExW 7C8356A3 5 Bytes JMP 10001D96 C:\WINDOWS\system32\huzisopo.dll
.text C:\Program Files\Bonjour\mDNSResponder.exe[820] kernel32.dll!Module32FirstW 7C864397 5 Bytes JMP 10001C6F C:\WINDOWS\system32\huzisopo.dll
.text C:\Program Files\Bonjour\mDNSResponder.exe[820] kernel32.dll!Module32NextW 7C864534 5 Bytes JMP 10001CAE C:\WINDOWS\system32\huzisopo.dll
.text C:\Program Files\Bonjour\mDNSResponder.exe[820] PSAPI.DLL!EnumProcessModules 76BF1F1C 5 Bytes JMP 10001CFC C:\WINDOWS\system32\huzisopo.dll
.text C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe[912] kernel32.dll!GetFileAttributesW 7C80B75C 5 Bytes JMP 10001C38 C:\WINDOWS\system32\huzisopo.dll
.text C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe[912] kernel32.dll!FindFirstFileExW 7C80EA8D 5 Bytes JMP 10001B62 C:\WINDOWS\system32\huzisopo.dll
.text C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe[912] kernel32.dll!FindNextFileW 7C80EF4A 7 Bytes JMP 10001BC8 C:\WINDOWS\system32\huzisopo.dll
.text C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe[912] kernel32.dll!CreateFileW 7C810770 5 Bytes JMP 10001BDF C:\WINDOWS\system32\huzisopo.dll
.text C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe[912] kernel32.dll!DeleteFileW 7C831F7B 5 Bytes JMP 10001CC5 C:\WINDOWS\system32\huzisopo.dll
.text C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe[912] kernel32.dll!MoveFileExW 7C8356A3 5 Bytes JMP 10001D96 C:\WINDOWS\system32\huzisopo.dll
.text C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe[912] kernel32.dll!Module32FirstW 7C864397 5 Bytes JMP 10001C6F C:\WINDOWS\system32\huzisopo.dll
.text C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe[912] kernel32.dll!Module32NextW 7C864534 5 Bytes JMP 10001CAE C:\WINDOWS\system32\huzisopo.dll
.text C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe[912] PSAPI.DLL!EnumProcessModules 76BF1F1C 5 Bytes JMP 10001CFC C:\WINDOWS\system32\huzisopo.dll
.text C:\WINDOWS\System32\svchost.exe[1264] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00BB000A
.text C:\WINDOWS\System32\svchost.exe[1264] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00BC000A
.text C:\WINDOWS\System32\svchost.exe[1264] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00BA000C
.text C:\Program Files\Intel\Wireless\Bin\EvtEng.exe[1336] kernel32.dll!GetFileAttributesW 7C80B75C 5 Bytes JMP 10001C38 C:\WINDOWS\system32\huzisopo.dll
.text C:\Program Files\Intel\Wireless\Bin\EvtEng.exe[1336] kernel32.dll!FindFirstFileExW 7C80EA8D 5 Bytes JMP 10001B62 C:\WINDOWS\system32\huzisopo.dll
.text C:\Program Files\Intel\Wireless\Bin\EvtEng.exe[1336] kernel32.dll!FindNextFileW 7C80EF4A 7 Bytes JMP 10001BC8 C:\WINDOWS\system32\huzisopo.dll
.text C:\Program Files\Intel\Wireless\Bin\EvtEng.exe[1336] kernel32.dll!CreateFileW 7C810770 5 Bytes JMP 10001BDF C:\WINDOWS\system32\huzisopo.dll
.text C:\Program Files\Intel\Wireless\Bin\EvtEng.exe[1336] kernel32.dll!DeleteFileW 7C831F7B 5 Bytes JMP 10001CC5 C:\WINDOWS\system32\huzisopo.dll
.text C:\Program Files\Intel\Wireless\Bin\EvtEng.exe[1336] kernel32.dll!MoveFileExW 7C8356A3 5 Bytes JMP 10001D96 C:\WINDOWS\system32\huzisopo.dll
.text C:\Program Files\Intel\Wireless\Bin\EvtEng.exe[1336] kernel32.dll!Module32FirstW 7C864397 5 Bytes JMP 10001C6F C:\WINDOWS\system32\huzisopo.dll
.text C:\Program Files\Intel\Wireless\Bin\EvtEng.exe[1336] kernel32.dll!Module32NextW 7C864534 5 Bytes JMP 10001CAE C:\WINDOWS\system32\huzisopo.dll
.text C:\Program Files\Intel\Wireless\Bin\EvtEng.exe[1336] PSAPI.DLL!EnumProcessModules 76BF1F1C 5 Bytes JMP 10001CFC C:\WINDOWS\system32\huzisopo.dll
.text C:\Program Files\AVG\AVG9\avgchsvx.exe[1348] kernel32.dll!GetFileAttributesW 7C80B75C 5 Bytes JMP 10001C38 C:\WINDOWS\system32\huzisopo.dll
.text C:\Program Files\AVG\AVG9\avgchsvx.exe[1348] kernel32.dll!FindFirstFileExW 7C80EA8D 5 Bytes JMP 10001B62 C:\WINDOWS\system32\huzisopo.dll
.text C:\Program Files\AVG\AVG9\avgchsvx.exe[1348] kernel32.dll!FindNextFileW 7C80EF4A 7 Bytes JMP 10001BC8 C:\WINDOWS\system32\huzisopo.dll
.text C:\Program Files\AVG\AVG9\avgchsvx.exe[1348] kernel32.dll!CreateFileW 7C810770 5 Bytes JMP 10001BDF C:\WINDOWS\system32\huzisopo.dll
.text C:\Program Files\AVG\AVG9\avgchsvx.exe[1348] kernel32.dll!DeleteFileW 7C831F7B 5 Bytes JMP 10001CC5 C:\WINDOWS\system32\huzisopo.dll
.text C:\Program Files\AVG\AVG9\avgchsvx.exe[1348] kernel32.dll!MoveFileExW 7C8356A3 5 Bytes JMP 10001D96 C:\WINDOWS\system32\huzisopo.dll
.text C:\Program Files\AVG\AVG9\avgchsvx.exe[1348] kernel32.dll!Module32FirstW 7C864397 5 Bytes JMP 10001C6F C:\WINDOWS\system32\huzisopo.dll
.text C:\Program Files\AVG\AVG9\avgchsvx.exe[1348] kernel32.dll!Module32NextW 7C864534 5 Bytes JMP 10001CAE C:\WINDOWS\system32\huzisopo.dll
.text C:\Program Files\AVG\AVG9\avgchsvx.exe[1348] PSAPI.DLL!EnumProcessModules 76BF1F1C 5 Bytes JMP 10001CFC C:\WINDOWS\system32\huzisopo.dll
.text C:\Program Files\AVG\AVG9\avgrsx.exe[1356] kernel32.dll!GetFileAttributesW 7C80B75C 5 Bytes JMP 10001C38 C:\WINDOWS\system32\huzisopo.dll
.text C:\Program Files\AVG\AVG9\avgrsx.exe[1356] kernel32.dll!FindFirstFileExW 7C80EA8D 5 Bytes JMP 10001B62 C:\WINDOWS\system32\huzisopo.dll
.text C:\Program Files\AVG\AVG9\avgrsx.exe[1356] kernel32.dll!FindNextFileW 7C80EF4A 7 Bytes JMP 10001BC8 C:\WINDOWS\system32\huzisopo.dll
.text C:\Program Files\AVG\AVG9\avgrsx.exe[1356] kernel32.dll!CreateFileW 7C810770 5 Bytes JMP 10001BDF C:\WINDOWS\system32\huzisopo.dll
.text C:\Program Files\AVG\AVG9\avgrsx.exe[1356] kernel32.dll!DeleteFileW 7C831F7B 5 Bytes JMP 10001CC5 C:\WINDOWS\system32\huzisopo.dll
.text C:\Program Files\AVG\AVG9\avgrsx.exe[1356] kernel32.dll!MoveFileExW 7C8356A3 5 Bytes JMP 10001D96 C:\WINDOWS\system32\huzisopo.dll
.text C:\Program Files\AVG\AVG9\avgrsx.exe[1356] kernel32.dll!Module32FirstW 7C864397 5 Bytes JMP 10001C6F C:\WINDOWS\system32\huzisopo.dll
.text C:\Program Files\AVG\AVG9\avgrsx.exe[1356] kernel32.dll!Module32NextW 7C864534 5 Bytes JMP 10001CAE C:\WINDOWS\system32\huzisopo.dll
.text C:\Program Files\AVG\AVG9\avgrsx.exe[1356] PSAPI.DLL!EnumProcessModules 76BF1F1C 5 Bytes JMP 10001CFC C:\WINDOWS\system32\huzisopo.dll
.text C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe[1504] kernel32.dll!GetFileAttributesW 7C80B75C 5 Bytes JMP 10001C38 C:\WINDOWS\system32\huzisopo.dll
.text C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe[1504] kernel32.dll!FindFirstFileExW 7C80EA8D 5 Bytes JMP 10001B62 C:\WINDOWS\system32\huzisopo.dll
.text C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe[1504] kernel32.dll!FindNextFileW 7C80EF4A 7 Bytes JMP 10001BC8 C:\WINDOWS\system32\huzisopo.dll
.text C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe[1504] kernel32.dll!CreateFileW 7C810770 5 Bytes JMP 10001BDF C:\WINDOWS\system32\huzisopo.dll
.text C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe[1504] kernel32.dll!DeleteFileW 7C831F7B 5 Bytes JMP 10001CC5 C:\WINDOWS\system32\huzisopo.dll
.text C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe[1504] kernel32.dll!MoveFileExW 7C8356A3 5 Bytes JMP 10001D96 C:\WINDOWS\system32\huzisopo.dll
.text C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe[1504] kernel32.dll!Module32FirstW 7C864397 5 Bytes JMP 10001C6F C:\WINDOWS\system32\huzisopo.dll
.text C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe[1504] kernel32.dll!Module32NextW 7C864534 5 Bytes JMP 10001CAE C:\WINDOWS\system32\huzisopo.dll
.text C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe[1504] PSAPI.DLL!EnumProcessModules 76BF1F1C 5 Bytes JMP 10001CFC C:\WINDOWS\system32\huzisopo.dll
.text C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe[1736] kernel32.dll!GetFileAttributesW 7C80B75C 5 Bytes JMP 10001C38 C:\WINDOWS\system32\huzisopo.dll
.text C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe[1736] kernel32.dll!FindFirstFileExW 7C80EA8D 5 Bytes JMP 10001B62 C:\WINDOWS\system32\huzisopo.dll
.text C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe[1736] kernel32.dll!FindNextFileW 7C80EF4A 7 Bytes JMP 10001BC8 C:\WINDOWS\system32\huzisopo.dll
.text C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe[1736] kernel32.dll!CreateFileW 7C810770 5 Bytes JMP 10001BDF C:\WINDOWS\system32\huzisopo.dll
.text C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe[1736] kernel32.dll!DeleteFileW 7C831F7B 5 Bytes JMP 10001CC5 C:\WINDOWS\system32\huzisopo.dll
.text C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe[1736] kernel32.dll!MoveFileExW 7C8356A3 5 Bytes JMP 10001D96 C:\WINDOWS\system32\huzisopo.dll
.text C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe[1736] kernel32.dll!Module32FirstW 7C864397 5 Bytes JMP 10001C6F C:\WINDOWS\system32\huzisopo.dll
.text C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe[1736] kernel32.dll!Module32NextW 7C864534 5 Bytes JMP 10001CAE C:\WINDOWS\system32\huzisopo.dll
.text C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe[1736] PSAPI.DLL!EnumProcessModules 76BF1F1C 5 Bytes JMP 10001CFC C:\WINDOWS\system32\huzisopo.dll
.text C:\Program Files\AVG\AVG9\avgnsx.exe[1864] kernel32.dll!GetFileAttributesW 7C80B75C 5 Bytes JMP 10001C38 C:\WINDOWS\system32\huzisopo.dll
.text C:\Program Files\AVG\AVG9\avgnsx.exe[1864] kernel32.dll!FindFirstFileExW 7C80EA8D 5 Bytes JMP 10001B62 C:\WINDOWS\system32\huzisopo.dll
.text C:\Program Files\AVG\AVG9\avgnsx.exe[1864] kernel32.dll!FindNextFileW 7C80EF4A 7 Bytes JMP 10001BC8 C:\WINDOWS\system32\huzisopo.dll
.text C:\Program Files\AVG\AVG9\avgnsx.exe[1864] kernel32.dll!CreateFileW 7C810770 5 Bytes JMP 10001BDF C:\WINDOWS\system32\huzisopo.dll
.text C:\Program Files\AVG\AVG9\avgnsx.exe[1864] kernel32.dll!DeleteFileW 7C831F7B 5 Bytes JMP 10001CC5 C:\WINDOWS\system32\huzisopo.dll
.text C:\Program Files\AVG\AVG9\avgnsx.exe[1864] kernel32.dll!MoveFileExW 7C8356A3 5 Bytes JMP 10001D96 C:\WINDOWS\system32\huzisopo.dll
.text C:\Program Files\AVG\AVG9\avgnsx.exe[1864] kernel32.dll!Module32FirstW 7C864397 5 Bytes JMP 10001C6F C:\WINDOWS\system32\huzisopo.dll
.text C:\Program Files\AVG\AVG9\avgnsx.exe[1864] kernel32.dll!Module32NextW 7C864534 5 Bytes JMP 10001CAE C:\WINDOWS\system32\huzisopo.dll
.text C:\Program Files\AVG\AVG9\avgnsx.exe[1864] PSAPI.DLL!EnumProcessModules 76BF1F1C 5 Bytes JMP 10001CFC C:\WINDOWS\system32\huzisopo.dll
.text C:\Program Files\AVG\AVG9\avgwdsvc.exe[1880] kernel32.dll!GetFileAttributesW 7C80B75C 5 Bytes JMP 10001C38 C:\WINDOWS\system32\huzisopo.dll
.text C:\Program Files\AVG\AVG9\avgwdsvc.exe[1880] kernel32.dll!FindFirstFileExW 7C80EA8D 5 Bytes JMP 10001B62 C:\WINDOWS\system32\huzisopo.dll
.text C:\Program Files\AVG\AVG9\avgwdsvc.exe[1880] kernel32.dll!FindNextFileW 7C80EF4A 7 Bytes JMP 10001BC8 C:\WINDOWS\system32\huzisopo.dll
.text C:\Program Files\AVG\AVG9\avgwdsvc.exe[1880] kernel32.dll!CreateFileW 7C810770 5 Bytes JMP 10001BDF C:\WINDOWS\system32\huzisopo.dll
.text C:\Program Files\AVG\AVG9\avgwdsvc.exe[1880] kernel32.dll!DeleteFileW 7C831F7B 5 Bytes JMP 10001CC5 C:\WINDOWS\system32\huzisopo.dll
.text C:\Program Files\AVG\AVG9\avgwdsvc.exe[1880] kernel32.dll!MoveFileExW 7C8356A3 5 Bytes JMP 10001D96 C:\WINDOWS\system32\huzisopo.dll
.text C:\Program Files\AVG\AVG9\avgwdsvc.exe[1880] kernel32.dll!Module32FirstW 7C864397 5 Bytes JMP 10001C6F C:\WINDOWS\system32\huzisopo.dll
.text C:\Program Files\AVG\AVG9\avgwdsvc.exe[1880] kernel32.dll!Module32NextW 7C864534 5 Bytes JMP 10001CAE C:\WINDOWS\system32\huzisopo.dll
.text C:\Program Files\AVG\AVG9\avgwdsvc.exe[1880] PSAPI.DLL!EnumProcessModules 76BF1F1C 5 Bytes JMP 10001CFC C:\WINDOWS\system32\huzisopo.dll
.text C:\WINDOWS\system32\bgsvcgen.exe[1936] kernel32.dll!GetFileAttributesW 7C80B75C 5 Bytes JMP 10001C38 C:\WINDOWS\system32\huzisopo.dll
.text C:\WINDOWS\system32\bgsvcgen.exe[1936] kernel32.dll!FindFirstFileExW 7C80EA8D 5 Bytes JMP 10001B62 C:\WINDOWS\system32\huzisopo.dll
.text C:\WINDOWS\system32\bgsvcgen.exe[1936] kernel32.dll!FindNextFileW 7C80EF4A 7 Bytes JMP 10001BC8 C:\WINDOWS\system32\huzisopo.dll
.text C:\WINDOWS\system32\bgsvcgen.exe[1936] kernel32.dll!CreateFileW 7C810770 5 Bytes JMP 10001BDF C:\WINDOWS\system32\huzisopo.dll
.text C:\WINDOWS\system32\bgsvcgen.exe[1936] kernel32.dll!DeleteFileW 7C831F7B 5 Bytes JMP 10001CC5 C:\WINDOWS\system32\huzisopo.dll
.text C:\WINDOWS\system32\bgsvcgen.exe[1936] kernel32.dll!MoveFileExW 7C8356A3 5 Bytes JMP 10001D96 C:\WINDOWS\system32\huzisopo.dll
.text C:\WINDOWS\system32\bgsvcgen.exe[1936] kernel32.dll!Module32FirstW 7C864397 5 Bytes JMP 10001C6F C:\WINDOWS\system32\huzisopo.dll
.text C:\WINDOWS\system32\bgsvcgen.exe[1936] kernel32.dll!Module32NextW 7C864534 5 Bytes JMP 10001CAE C:\WINDOWS\system32\huzisopo.dll
.text C:\WINDOWS\system32\bgsvcgen.exe[1936] PSAPI.DLL!EnumProcessModules 76BF1F1C 5 Bytes JMP 10001CFC C:\WINDOWS\system32\huzisopo.dll
.text C:\WINDOWS\Explorer.EXE[1992] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00F3000A
.text C:\WINDOWS\Explorer.EXE[1992] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00F4000A
.text C:\WINDOWS\Explorer.EXE[1992] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 001B000A
.text C:\WINDOWS\Explorer.EXE[1992] PSAPI.DLL!EnumProcessModules 76BF1F1C 5 Bytes JMP 10001CFC C:\WINDOWS\system32\huzisopo.dll
.text C:\PROGRA~1\AVG\AVG9\avgtray.exe[2184] kernel32.dll!GetFileAttributesW 7C80B75C 5 Bytes JMP 10001C38 C:\WINDOWS\system32\huzisopo.dll
.text C:\PROGRA~1\AVG\AVG9\avgtray.exe[2184] kernel32.dll!FindFirstFileExW 7C80EA8D 5 Bytes JMP 10001B62 C:\WINDOWS\system32\huzisopo.dll
.text C:\PROGRA~1\AVG\AVG9\avgtray.exe[2184] kernel32.dll!FindNextFileW 7C80EF4A 7 Bytes JMP 10001BC8 C:\WINDOWS\system32\huzisopo.dll
.text C:\PROGRA~1\AVG\AVG9\avgtray.exe[2184] kernel32.dll!CreateFileW 7C810770 5 Bytes JMP 10001BDF C:\WINDOWS\system32\huzisopo.dll
.text C:\PROGRA~1\AVG\AVG9\avgtray.exe[2184] kernel32.dll!DeleteFileW 7C831F7B 5 Bytes JMP 10001CC5 C:\WINDOWS\system32\huzisopo.dll
.text C:\PROGRA~1\AVG\AVG9\avgtray.exe[2184] kernel32.dll!MoveFileExW 7C8356A3 5 Bytes JMP 10001D96 C:\WINDOWS\system32\huzisopo.dll
.text C:\PROGRA~1\AVG\AVG9\avgtray.exe[2184] kernel32.dll!Module32FirstW 7C864397 5 Bytes JMP 10001C6F C:\WINDOWS\system32\huzisopo.dll
.text C:\PROGRA~1\AVG\AVG9\avgtray.exe[2184] kernel32.dll!Module32NextW 7C864534 5 Bytes JMP 10001CAE C:\WINDOWS\system32\huzisopo.dll
.text C:\PROGRA~1\AVG\AVG9\avgtray.exe[2184] PSAPI.DLL!EnumProcessModules 76BF1F1C 5 Bytes JMP 10001CFC C:\WINDOWS\system32\huzisopo.dll
.text C:\Program Files\Common Files\LightScribe\LSSrvc.exe[2236] kernel32.dll!GetFileAttributesW 7C80B75C 5 Bytes JMP 10001C38 C:\WINDOWS\system32\huzisopo.dll
.text C:\Program Files\Common Files\LightScribe\LSSrvc.exe[2236] kernel32.dll!FindFirstFileExW 7C80EA8D 5 Bytes JMP 10001B62 C:\WINDOWS\system32\huzisopo.dll
.text C:\Program Files\Common Files\LightScribe\LSSrvc.exe[2236] kernel32.dll!FindNextFileW 7C80EF4A 7 Bytes JMP 10001BC8 C:\WINDOWS\system32\huzisopo.dll
.text C:\Program Files\Common Files\LightScribe\LSSrvc.exe[2236] kernel32.dll!CreateFileW 7C810770 5 Bytes JMP 10001BDF C:\WINDOWS\system32\huzisopo.dll
.text C:\Program Files\Common Files\LightScribe\LSSrvc.exe[2236] kernel32.dll!DeleteFileW 7C831F7B 5 Bytes JMP 10001CC5 C:\WINDOWS\system32\huzisopo.dll
.text C:\Program Files\Common Files\LightScribe\LSSrvc.exe[2236] kernel32.dll!MoveFileExW 7C8356A3 5 Bytes JMP 10001D96 C:\WINDOWS\system32\huzisopo.dll
.text C:\Program Files\Common Files\LightScribe\LSSrvc.exe[2236] kernel32.dll!Module32FirstW 7C864397 5 Bytes JMP 10001C6F C:\WINDOWS\system32\huzisopo.dll
.text C:\Program Files\Common Files\LightScribe\LSSrvc.exe[2236] kernel32.dll!Module32NextW 7C864534 5 Bytes JMP 10001CAE C:\WINDOWS\system32\huzisopo.dll
.text C:\Program Files\Common Files\LightScribe\LSSrvc.exe[2236] PSAPI.DLL!EnumProcessModules 76BF1F1C 5 Bytes JMP 10001CFC C:\WINDOWS\system32\huzisopo.dll
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[2408] kernel32.dll!GetFileAttributesW 7C80B75C 5 Bytes JMP 10001C38 C:\WINDOWS\system32\huzisopo.dll
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[2408] kernel32.dll!FindFirstFileExW 7C80EA8D 5 Bytes JMP 10001B62 C:\WINDOWS\system32\huzisopo.dll
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[2408] kernel32.dll!FindNextFileW 7C80EF4A 7 Bytes JMP 10001BC8 C:\WINDOWS\system32\huzisopo.dll
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[2408] kernel32.dll!CreateFileW 7C810770 5 Bytes JMP 10001BDF C:\WINDOWS\system32\huzisopo.dll
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[2408] kernel32.dll!DeleteFileW 7C831F7B 5 Bytes JMP 10001CC5 C:\WINDOWS\system32\huzisopo.dll
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[2408] kernel32.dll!MoveFileExW 7C8356A3 5 Bytes JMP 10001D96 C:\WINDOWS\system32\huzisopo.dll
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[2408] kernel32.dll!Module32FirstW 7C864397 5 Bytes JMP 10001C6F C:\WINDOWS\system32\huzisopo.dll
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[2408] kernel32.dll!Module32NextW 7C864534 5 Bytes JMP 10001CAE C:\WINDOWS\system32\huzisopo.dll
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[2408] PSAPI.DLL!EnumProcessModules 76BF1F1C 5 Bytes JMP 10001CFC C:\WINDOWS\system32\huzisopo.dll
.text C:\Program Files\Cisco Systems\Clean Access Agent\CCAAgent.exe[2656] kernel32.dll!GetFileAttributesW 7C80B75C 5 Bytes JMP 10001C38 C:\WINDOWS\system32\huzisopo.dll
.text C:\Program Files\Cisco Systems\Clean Access Agent\CCAAgent.exe[2656] kernel32.dll!FindFirstFileExW 7C80EA8D 5 Bytes JMP 10001B62 C:\WINDOWS\system32\huzisopo.dll
.text C:\Program Files\Cisco Systems\Clean Access Agent\CCAAgent.exe[2656] kernel32.dll!FindNextFileW 7C80EF4A 7 Bytes JMP 10001BC8 C:\WINDOWS\system32\huzisopo.dll
.text C:\Program Files\Cisco Systems\Clean Access Agent\CCAAgent.exe[2656] kernel32.dll!CreateFileW 7C810770 5 Bytes JMP 10001BDF C:\WINDOWS\system32\huzisopo.dll
.text C:\Program Files\Cisco Systems\Clean Access Agent\CCAAgent.exe[2656] kernel32.dll!DeleteFileW 7C831F7B 5 Bytes JMP 10001CC5 C:\WINDOWS\system32\huzisopo.dll
.text C:\Program Files\Cisco Systems\Clean Access Agent\CCAAgent.exe[2656] kernel32.dll!MoveFileExW 7C8356A3 5 Bytes JMP 10001D96 C:\WINDOWS\system32\huzisopo.dll
.text C:\Program Files\Cisco Systems\Clean Access Agent\CCAAgent.exe[2656] kernel32.dll!Module32FirstW 7C864397 5 Bytes JMP 10001C6F C:\WINDOWS\system32\huzisopo.dll
.text C:\Program Files\Cisco Systems\Clean Access Agent\CCAAgent.exe[2656] kernel32.dll!Module32NextW 7C864534 5 Bytes JMP 10001CAE C:\WINDOWS\system32\huzisopo.dll
.text C:\Program Files\Cisco Systems\Clean Access Agent\CCAAgent.exe[2656] PSAPI.DLL!EnumProcessModules 76BF1F1C 5 Bytes JMP 10001CFC C:\WINDOWS\system32\huzisopo.dll
.text C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe[2716] kernel32.dll!GetFileAttributesW 7C80B75C 5 Bytes JMP 10001C38 C:\WINDOWS\system32\huzisopo.dll
.text C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe[2716] kernel32.dll!FindFirstFileExW 7C80EA8D 5 Bytes JMP 10001B62 C:\WINDOWS\system32\huzisopo.dll
.text C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe[2716] kernel32.dll!FindNextFileW 7C80EF4A 7 Bytes JMP 10001BC8 C:\WINDOWS\system32\huzisopo.dll
.text C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe[2716] kernel32.dll!CreateFileW 7C810770 5 Bytes JMP 10001BDF C:\WINDOWS\system32\huzisopo.dll
.text C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe[2716] kernel32.dll!DeleteFileW 7C831F7B 5 Bytes JMP 10001CC5 C:\WINDOWS\system32\huzisopo.dll
.text C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe[2716] kernel32.dll!MoveFileExW 7C8356A3 5 Bytes JMP 10001D96 C:\WINDOWS\system32\huzisopo.dll
.text C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe[2716] kernel32.dll!Module32FirstW 7C864397 5 Bytes JMP 10001C6F C:\WINDOWS\system32\huzisopo.dll
.text C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe[2716] kernel32.dll!Module32NextW 7C864534 5 Bytes JMP 10001CAE C:\WINDOWS\system32\huzisopo.dll
.text C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe[2716] PSAPI.DLL!EnumProcessModules 76BF1F1C 5 Bytes JMP 10001CFC C:\WINDOWS\system32\huzisopo.dll
.text C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe[2956] kernel32.dll!GetFileAttributesW 7C80B75C 5 Bytes JMP 10001C38 C:\WINDOWS\system32\huzisopo.dll
.text C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe[2956] kernel32.dll!FindFirstFileExW 7C80EA8D 5 Bytes JMP 10001B62 C:\WINDOWS\system32\huzisopo.dll
.text C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe[2956] kernel32.dll!FindNextFileW 7C80EF4A 7 Bytes JMP 10001BC8 C:\WINDOWS\system32\huzisopo.dll
.text C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe[2956] kernel32.dll!CreateFileW 7C810770 5 Bytes JMP 10001BDF C:\WINDOWS\system32\huzisopo.dll
.text C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe[2956] kernel32.dll!DeleteFileW 7C831F7B 5 Bytes JMP 10001CC5 C:\WINDOWS\system32\huzisopo.dll
.text C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe[2956] kernel32.dll!MoveFileExW 7C8356A3 5 Bytes JMP 10001D96 C:\WINDOWS\system32\huzisopo.dll
.text C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe[2956] kernel32.dll!Module32FirstW 7C864397 5 Bytes JMP 10001C6F C:\WINDOWS\system32\huzisopo.dll
.text C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe[2956] kernel32.dll!Module32NextW 7C864534 5 Bytes JMP 10001CAE C:\WINDOWS\system32\huzisopo.dll
.text C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe[2956] PSAPI.DLL!EnumProcessModules 76BF1F1C 5 Bytes JMP 10001CFC C:\WINDOWS\system32\huzisopo.dll
.text C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe[3068] kernel32.dll!GetFileAttributesW 7C80B75C 5 Bytes JMP 10001C38 C:\WINDOWS\system32\huzisopo.dll
.text C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe[3068] kernel32.dll!FindFirstFileExW 7C80EA8D 5 Bytes JMP 10001B62 C:\WINDOWS\system32\huzisopo.dll
.text C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe[3068] kernel32.dll!FindNextFileW 7C80EF4A 7 Bytes JMP 10001BC8 C:\WINDOWS\system32\huzisopo.dll
.text C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe[3068] kernel32.dll!CreateFileW 7C810770 5 Bytes JMP 10001BDF C:\WINDOWS\system32\huzisopo.dll
.text C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe[3068] kernel32.dll!DeleteFileW 7C831F7B 5 Bytes JMP 10001CC5 C:\WINDOWS\system32\huzisopo.dll
.text C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe[3068] kernel32.dll!MoveFileExW 7C8356A3 5 Bytes JMP 10001D96 C:\WINDOWS\system32\huzisopo.dll
.text C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe[3068] kernel32.dll!Module32FirstW 7C864397 5 Bytes JMP 10001C6F C:\WINDOWS\system32\huzisopo.dll
.text C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe[3068] kernel32.dll!Module32NextW 7C864534 5 Bytes JMP 10001CAE C:\WINDOWS\system32\huzisopo.dll
.text C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe[3068] PSAPI.DLL!EnumProcessModules 76BF1F1C 5 Bytes JMP 10001CFC C:\WINDOWS\system32\huzisopo.dll
.text C:\WINDOWS\system32\wdfmgr.exe[3184] kernel32.dll!GetFileAttributesW 7C80B75C 5 Bytes JMP 10001C38 C:\WINDOWS\system32\huzisopo.dll
.text C:\WINDOWS\system32\wdfmgr.exe[3184] kernel32.dll!FindFirstFileExW 7C80EA8D 5 Bytes JMP 10001B62 C:\WINDOWS\system32\huzisopo.dll
.text C:\WINDOWS\system32\wdfmgr.exe[3184] kernel32.dll!FindNextFileW 7C80EF4A 7 Bytes JMP 10001BC8 C:\WINDOWS\system32\huzisopo.dll
.text C:\WINDOWS\system32\wdfmgr.exe[3184] kernel32.dll!CreateFileW 7C810770 5 Bytes JMP 10001BDF C:\WINDOWS\system32\huzisopo.dll
.text C:\WINDOWS\system32\wdfmgr.exe[3184] kernel32.dll!DeleteFileW 7C831F7B 5 Bytes JMP 10001CC5 C:\WINDOWS\system32\huzisopo.dll
.text C:\WINDOWS\system32\wdfmgr.exe[3184] kernel32.dll!MoveFileExW 7C8356A3 5 Bytes JMP 10001D96 C:\WINDOWS\system32\huzisopo.dll
.text C:\WINDOWS\system32\wdfmgr.exe[3184] kernel32.dll!Module32FirstW 7C864397 5 Bytes JMP 10001C6F C:\WINDOWS\system32\huzisopo.dll
.text C:\WINDOWS\system32\wdfmgr.exe[3184] kernel32.dll!Module32NextW 7C864534 5 Bytes JMP 10001CAE C:\WINDOWS\system32\huzisopo.dll
.text C:\WINDOWS\system32\wdfmgr.exe[3184] PSAPI.DLL!EnumProcessModules 76BF1F1C 5 Bytes JMP 10001CFC C:\WINDOWS\system32\huzisopo.dll
.text C:\Program Files\Viewpoint\Common\ViewpointService.exe[3344] kernel32.dll!GetFileAttributesW 7C80B75C 5 Bytes JMP 10001C38 C:\WINDOWS\system32\huzisopo.dll
.text C:\Program Files\Viewpoint\Common\ViewpointService.exe[3344] kernel32.dll!FindFirstFileExW 7C80EA8D 5 Bytes JMP 10001B62 C:\WINDOWS\system32\huzisopo.dll
.text C:\Program Files\Viewpoint\Common\ViewpointService.exe[3344] kernel32.dll!FindNextFileW 7C80EF4A 7 Bytes JMP 10001BC8 C:\WINDOWS\system32\huzisopo.dll
.text C:\Program Files\Viewpoint\Common\ViewpointService.exe[3344] kernel32.dll!CreateFileW 7C810770 5 Bytes JMP 10001BDF C:\WINDOWS\system32\huzisopo.dll
.text C:\Program Files\Viewpoint\Common\ViewpointService.exe[3344] kernel32.dll!DeleteFileW 7C831F7B 5 Bytes JMP 10001CC5 C:\WINDOWS\system32\huzisopo.dll
.text C:\Program Files\Viewpoint\Common\ViewpointService.exe[3344] kernel32.dll!MoveFileExW 7C8356A3 5 Bytes JMP 10001D96 C:\WINDOWS\system32\huzisopo.dll
.text C:\Program Files\Viewpoint\Common\ViewpointService.exe[3344] kernel32.dll!Module32FirstW 7C864397 5 Bytes JMP 10001C6F C:\WINDOWS\system32\huzisopo.dll
.text C:\Program Files\Viewpoint\Common\ViewpointService.exe[3344] kernel32.dll!Module32NextW 7C864534 5 Bytes JMP 10001CAE C:\WINDOWS\system32\huzisopo.dll
.text C:\Program Files\Viewpoint\Common\ViewpointService.exe[3344] PSAPI.DLL!EnumProcessModules 76BF1F1C 5 Bytes JMP 10001CFC C:\WINDOWS\system32\huzisopo.dll
.text C:\Documents and Settings\Jeanne\Desktop\GMER.exe[3552] kernel32.dll!GetFileAttributesW 7C80B75C 5 Bytes JMP 10001C38 C:\WINDOWS\system32\huzisopo.dll
.text C:\Documents and Settings\Jeanne\Desktop\GMER.exe[3552] kernel32.dll!FindFirstFileExW 7C80EA8D 5 Bytes JMP 10001B62 C:\WINDOWS\system32\huzisopo.dll
.text C:\Documents and Settings\Jeanne\Desktop\GMER.exe[3552] kernel32.dll!FindNextFileW 7C80EF4A 7 Bytes JMP 10001BC8 C:\WINDOWS\system32\huzisopo.dll
.text C:\Documents and Settings\Jeanne\Desktop\GMER.exe[3552] kernel32.dll!CreateFileW 7C810770 5 Bytes JMP 10001BDF C:\WINDOWS\system32\huzisopo.dll
.text C:\Documents and Settings\Jeanne\Desktop\GMER.exe[3552] kernel32.dll!DeleteFileW 7C831F7B 5 Bytes JMP 10001CC5 C:\WINDOWS\system32\huzisopo.dll
.text C:\Documents and Settings\Jeanne\Desktop\GMER.exe[3552] kernel32.dll!MoveFileExW 7C8356A3 5 Bytes JMP 10001D96 C:\WINDOWS\system32\huzisopo.dll
.text C:\Documents and Settings\Jeanne\Desktop\GMER.exe[3552] kernel32.dll!Module32FirstW 7C864397 5 Bytes JMP 10001C6F C:\WINDOWS\system32\huzisopo.dll
.text C:\Documents and Settings\Jeanne\Desktop\GMER.exe[3552] kernel32.dll!Module32NextW 7C864534 5 Bytes JMP 10001CAE C:\WINDOWS\system32\huzisopo.dll
.text C:\Documents and Settings\Jeanne\Desktop\GMER.exe[3552] PSAPI.DLL!EnumProcessModules 76BF1F1C 5 Bytes JMP 10001CFC C:\WINDOWS\system32\huzisopo.dll

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs InCDrec.SYS (InCD File System Recognizer/Nero AG)
AttachedDevice \FileSystem\Ntfs \Ntfs SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Ip Lbd.sys (Boot Driver/Lavasoft AB)
AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp Lbd.sys (Boot Driver/Lavasoft AB)
AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp Lbd.sys (Boot Driver/Lavasoft AB)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp Lbd.sys (Boot Driver/Lavasoft AB)

Device ACPI.sys (ACPI Driver for NT/Microsoft Corporation)
Device mrxsmb.sys (Windows NT SMB Minirdr/Microsoft Corporation)
Device 9E857C8A
Device InCDfs.SYS (InCD File System Driver/Nero AG)
Device \FileSystem\Cdfs \Cdfs DLAIFS_M.SYS (Drive Letter Access Component/Sonic Solutions)
Device -> \Driver\atapi \Device\Harddisk0\DR0 86EB6CA1

---- Processes - GMER 1.0.15 ----

Process System Idle (*** hidden *** ) 0
Process System (*** hidden *** ) 4
Library C:\WINDOWS\system32\huzisopo.dll (*** hidden *** ) @ C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe [184] 0x10000000
Library C:\WINDOWS\system32\huzisopo.dll (*** hidden *** ) @ C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe [256] 0x10000000
Library C:\WINDOWS\system32\huzisopo.dll (*** hidden *** ) @ C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe [324] 0x10000000
Library C:\WINDOWS\system32\huzisopo.dll (*** hidden *** ) @ C:\WINDOWS\system32\spoolsv.exe [648] 0x10000000
Library C:\WINDOWS\system32\huzisopo.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [792] 0x10000000
Library C:\WINDOWS\system32\huzisopo.dll (*** hidden *** ) @ C:\Program Files\Bonjour\mDNSResponder.exe [820] 0x10000000
Library C:\WINDOWS\system32\huzisopo.dll (*** hidden *** ) @ C:\WINDOWS\system32\winlogon.exe [888] 0x10000000
Library C:\WINDOWS\system32\huzisopo.dll (*** hidden *** ) @ C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe [912] 0x10000000
Library C:\WINDOWS\system32\huzisopo.dll (*** hidden *** ) @ C:\WINDOWS\system32\services.exe [936] 0x10000000
Library C:\WINDOWS\system32\huzisopo.dll (*** hidden *** ) @ C:\WINDOWS\system32\lsass.exe [948] 0x10000000
Library C:\WINDOWS\system32\huzisopo.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1136] 0x10000000
Library C:\WINDOWS\system32\huzisopo.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1220] 0x10000000
Library C:\WINDOWS\System32\huzisopo.dll (*** hidden *** ) @ C:\WINDOWS\System32\svchost.exe [1264] 0x10000000
Library C:\WINDOWS\system32\huzisopo.dll (*** hidden *** ) @ C:\Program Files\Intel\Wireless\Bin\EvtEng.exe [1336] 0x10000000
Library C:\WINDOWS\system32\huzisopo.dll (*** hidden *** ) @ C:\Program Files\AVG\AVG9\avgchsvx.exe [1348] 0x10000000
Library C:\WINDOWS\system32\huzisopo.dll (*** hidden *** ) @ C:\Program Files\AVG\AVG9\avgrsx.exe [1356] 0x10000000
Library C:\WINDOWS\system32\huzisopo.dll (*** hidden *** ) @ C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe [1504] 0x10000000
Library C:\WINDOWS\system32\huzisopo.dll (*** hidden *** ) @ C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe [1736] 0x10000000
Library C:\WINDOWS\system32\huzisopo.dll (*** hidden *** ) @ C:\Program Files\AVG\AVG9\avgnsx.exe [1864] 0x10000000
Library C:\WINDOWS\system32\huzisopo.dll (*** hidden *** ) @ C:\Program Files\AVG\AVG9\avgwdsvc.exe [1880] 0x10000000
Library C:\WINDOWS\system32\huzisopo.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1892] 0x10000000
Library C:\WINDOWS\system32\huzisopo.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1920] 0x10000000
Library C:\WINDOWS\system32\huzisopo.dll (*** hidden *** ) @ C:\WINDOWS\system32\bgsvcgen.exe [1936] 0x10000000
Library C:\WINDOWS\system32\huzisopo.dll (*** hidden *** ) @ C:\WINDOWS\Explorer.EXE [1992] 0x10000000
Library C:\WINDOWS\system32\huzisopo.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [2052] 0x10000000
Library C:\WINDOWS\system32\huzisopo.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [2116] 0x10000000
Library C:\WINDOWS\system32\huzisopo.dll (*** hidden *** ) @ C:\PROGRA~1\AVG\AVG9\avgtray.exe [2184] 0x10000000
Library C:\WINDOWS\system32\huzisopo.dll (*** hidden *** ) @ C:\Program Files\Common Files\LightScribe\LSSrvc.exe [2236] 0x10000000
Library C:\WINDOWS\system32\huzisopo.dll (*** hidden *** ) @ C:\WINDOWS\system32\wbem\wmiprvse.exe [2408] 0x10000000
Library C:\WINDOWS\System32\huzisopo.dll (*** hidden *** ) @ C:\WINDOWS\System32\svchost.exe [2520] 0x10000000
Library C:\WINDOWS\System32\huzisopo.dll (*** hidden *** ) @ C:\WINDOWS\System32\svchost.exe [2632] 0x10000000
Library C:\WINDOWS\system32\huzisopo.dll (*** hidden *** ) @ C:\Program Files\Cisco Systems\Clean Access Agent\CCAAgent.exe [2656] 0x10000000
Library C:\WINDOWS\system32\huzisopo.dll (*** hidden *** ) @ C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe [2716] 0x10000000
Library C:\WINDOWS\system32\huzisopo.dll (*** hidden *** ) @ C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe [2956] 0x10000000
Library C:\WINDOWS\system32\huzisopo.dll (*** hidden *** ) @ C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe [3068] 0x10000000
Library C:\WINDOWS\system32\huzisopo.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [3108] 0x10000000
Library C:\WINDOWS\system32\huzisopo.dll (*** hidden *** ) @ C:\WINDOWS\system32\wdfmgr.exe [3184] 0x10000000
Library C:\WINDOWS\system32\huzisopo.dll (*** hidden *** ) @ C:\Program Files\Viewpoint\Common\ViewpointService.exe [3344] 0x10000000
Library C:\WINDOWS\system32\huzisopo.dll (*** hidden *** ) @ C:\Documents and Settings\Jeanne\Desktop\GMER.exe [3552] 0x10000000

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\ControlSet001\Services\_VOIDd.sys@start 1
Reg HKLM\SYSTEM\ControlSet001\Services\_VOIDd.sys@type 1
Reg HKLM\SYSTEM\ControlSet001\Services\_VOIDd.sys@group file system
Reg HKLM\SYSTEM\ControlSet001\Services\_VOIDd.sys@imagepath \systemroot\system32\drivers\_VOIDcbfkqpdjdj.sys
Reg HKLM\SYSTEM\ControlSet001\Services\_VOIDd.sys\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\_VOIDd.sys\modules@_VOIDc \\?\globalroot\systemroot\system32\_VOIDlstwxnjhyf.dll
Reg HKLM\SYSTEM\ControlSet001\Services\_VOIDd.sys\modules@_VOIDd \\?\globalroot\systemroot\system32\drivers\_VOIDcbfkqpdjdj.sys
Reg HKLM\SYSTEM\ControlSet001\Services\_VOIDd.sys\modules@_VOIDsrcr \\?\globalroot\systemroot\system32\_VOIDbmnfdjtuin.dat
Reg HKLM\SYSTEM\ControlSet001\Services\_VOIDd.sys\modules@_voidserf \\?\globalroot\systemroot\system32\_VOIDlglbkxyuff.dll
Reg HKLM\SYSTEM\ControlSet001\Services\_VOIDd.sys\modules@_voidbbr \\?\globalroot\systemroot\system32\_VOIDdwnkhogqyw.dll
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion@DevicePath %SystemDrive%;%SystemRoot%\inf;c:\drivers;c:\drivers\mouse;c:\drivers\mouse\onboard;c:\drivers\mouse\onboard\BP;c:\drivers\mouse\onboard\DK;c:\drivers\mouse\onboard\FI;c:\drivers\mouse\onboard\FR;c:\drivers\mouse\onboard\GR;c:\drivers\mouse\onboard\IT;c:\drivers\mouse\onboard\JP;c:\drivers\mouse\onboard\KR;c:\drivers\mouse\onboard\LS;c:\drivers\mouse\onboard\NL;c:\drivers\mouse\onboard\NO;c:\drivers\mouse\onboard\SC;c:\drivers\mouse\onboard\SE;c:\drivers\mouse\onboard\TC;c:\drivers\mouse\onboard\TH;c:\drivers\mouse\onboard\US;c:\drivers\network;c:\drivers\network\addon;c:\drivers\network\onboard;c:\drivers\video;c:\drivers\video\onboard;c:\drivers\system;c:\drivers\system\onboard;c:\drivers\system\onboard\SP;c:\drivers\pcmcia;c:\drivers\pcmcia\onboard;c:\drivers\pcmcia\onboard\MMC;c:\drivers\pcmcia\onboard\MS;c:\drivers\pcmcia\onboard\XD;c:\drivers\modem;c:\drivers\modem\onboard;c:\drivers\audio;c:\drivers\audio\onboard
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion@MediaPathUnexpanded %SystemRoot%\Media
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion@SM_GamesName Games
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion@SM_ConfigureProgramsName Set Program Access and Defaults
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion@ProgramFilesDir C:\Program Files
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion@CommonFilesDir C:\Program Files\Common Files
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion@ProductId 76477-OEM-0011903-00102
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion@WallPaperDir %SystemRoot%\Web\Wallpaper
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion@MediaPath C:\WINDOWS\Media
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion@ProgramFilesPath %ProgramFiles%
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion@SM_AccessoriesName Accessories
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion@PF_AccessoriesName Accessories
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion@OemReset_Silent 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Controls Folder\Display\shellex\PropertySheetHandlers\LDVP Shell Extensions
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Controls Folder\Display\shellex\PropertySheetHandlers\LDVP Shell Extensions@ {BDA77241-42F6-11d0-85E2-00AA001FE28C}
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Special Paths\Cookies@Directory %USERPROFILE%\Cookies
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Special Paths\Cookies@CachePrefix Cookie:
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup@DriverCachePath %SystemRoot%\Driver Cache
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup@BootDir C:\
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup@Installation Sources C:?
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup@SourcePath C:\
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup@ServicePackSourcePath C:\
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup@CDInstall 0
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup@LogLevel 0
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup@ServicePackCachePath c:\windows\ServicePackFiles\ServicePackCache
Reg HKLM\SOFTWARE\Classes\Applications\wordpad.exe\shell\open\command@ "%ProgramFiles%\Windows NT\Accessories\WORDPAD.EXE" "%1"
Reg HKLM\SOFTWARE\Classes\CLSID\{c405d63e-b58e-4471-8138-05094f87e2f8}\InprocServer32@ c:\windows\system32\mebokewe.dll
Reg HKLM\SOFTWARE\Classes\rtffile\shell\open\command@ "C:\Program Files\Windows NT\Accessories\WORDPAD.EXE" "%1"
Reg HKLM\SOFTWARE\Classes\rtffile\shell\print\command@ "C:\Program Files\Windows NT\Accessories\WORDPAD.EXE" /p "%1"
Reg HKLM\SOFTWARE\Classes\rtffile\shell\printto\command@ "C:\Program Files\Windows NT\Accessories\WORDPAD.EXE" /pt "%1" "%2" "%3" "%4"
Reg HKLM\SOFTWARE\Classes\Wordpad.Document.1\shell\open\command@ "%ProgramFiles%\Windows NT\Accessories\WORDPAD.EXE" "%1"
Reg HKLM\SOFTWARE\Classes\Wordpad.Document.1\shell\print\command@ "%ProgramFiles%\Windows NT\Accessories\WORDPAD.EXE" /p "%1"
Reg HKLM\SOFTWARE\Classes\Wordpad.Document.1\shell\printto\command@ "%ProgramFiles%\Windows NT\Accessories\WORDPAD.EXE" /pt "%1" "%2" "%3" "%4"
Reg HKLM\SOFTWARE\Classes\wrifile\shell\open\command@ "C:\Program Files\Windows NT\Accessories\WORDPAD.EXE" "%1"
Reg HKLM\SOFTWARE\Classes\wrifile\shell\print\command@ "C:\Program Files\Windows NT\Accessories\WORDPAD.EXE" /p "%1"
Reg HKLM\SOFTWARE\Classes\wrifile\shell\printto\command@ "C:\Program Files\Windows NT\Accessories\WORDPAD.EXE" /pt "%1" "%2" "%3" "%4"
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer@NoDriveTypeAutoRun 255
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer@_NoDriveTypeAutoRun 157
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer@NoFolderOptions 1

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\huzisopo.dll 66560 bytes
File C:\WINDOWS\system32\niwebazi.dll 66560 bytes
File C:\WINDOWS\system32\pivimuyo 6456 bytes
File C:\WINDOWS\system32\fusizota.dll 66560 bytes
File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----

***Rkill would not run a full scan. This was the log produced:

This log file is located at C:\rkill.log.
Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.
Ran as Jeanne on 03/26/2010 at 11:02:49.


Processes terminated by Rkill or while it was running:


C:\Documents and Settings\Jeanne\Desktop\rkill.pif


Rkill completed on 03/26/2010 at 11:02:55.


Here is the ComboFix log:
ComboFix 10-03-25.04 - Jeanne 03/26/2010 11:15:37.1.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1014.481 [GMT -4:00]
Running from: c:\documents and settings\Jeanne\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: Symantec Client Firewall *disabled* {5CB76A43-5FAD-476B-B9FF-26FA61F13187}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\_VOIDmainqt.dll
c:\documents and settings\All Users\Application Data\fiosejgfse.dll
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\documents and settings\All Users\Favorites\_favdata.dat
c:\documents and settings\All Users\Start Menu\Programs\CyberDefender
c:\documents and settings\All Users\Start Menu\Programs\CyberDefender\Registry Cleaner\CyberDefender Registry Cleaner.lnk
c:\documents and settings\All Users\Start Menu\Programs\CyberDefender\Registry Cleaner\Uninstall CyberDefender Registry Cleaner.lnk
c:\documents and settings\Jeanne\Application Data\CyberDefender
c:\documents and settings\Jeanne\Application Data\CyberDefender\Registry Cleaner\lastresults.cdr
c:\documents and settings\Jeanne\Local Settings\Application Data\Windows Server
c:\documents and settings\Jeanne\Local Settings\Application Data\Windows Server\flags.ini
c:\documents and settings\Jeanne\Local Settings\Application Data\Windows Server\uses32.dat
c:\program files\CyberDefender
c:\program files\CyberDefender\Registry Cleaner\BeforeUninstall.exe
c:\program files\CyberDefender\Registry Cleaner\cdinstx.ini
c:\program files\CyberDefender\Registry Cleaner\CDRC.dll
c:\program files\CyberDefender\Registry Cleaner\CDregclean.exe
c:\program files\CyberDefender\Registry Cleaner\cdswx.exe
c:\program files\CyberDefender\Registry Cleaner\cduninstx.exe
c:\program files\CyberDefender\Registry Cleaner\KillCDRCProcesses.exe
c:\program files\CyberDefender\Registry Cleaner\startcdrc.exe
c:\program files\CyberDefender\Registry Cleaner\unins000.dat
c:\program files\CyberDefender\Registry Cleaner\unins000.exe
c:\program files\CyberDefender\Registry Cleaner\unins000.msg
c:\windows\_VOIDhtssibcorq
c:\windows\_VOIDhtssibcorq\_VOIDd.sys
c:\windows\system32\bewihafe.exe
c:\windows\system32\huzisopo.dll
c:\windows\system32\Iasex.dll
c:\windows\system32\isamgr.sys
c:\windows\system32\mebokewe.dll
c:\windows\system32\niwebazi.dll
c:\windows\system32\remofeko.dll
c:\windows\system32\Settings
c:\windows\system32\Settings\Settings.ini
c:\windows\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job
c:\windows\Tasks\{66BA574B-1E11-49b8-909C-8CC9E0E8E015}.job

----- BITS: Possible infected sites -----

hxxp://85.12.18.120
Infected copy of c:\windows\system32\DRIVERS\atapi.sys was found and disinfected
Restored copy from - Kitty ate it :p
.
((((((((((((((((((((((((( Files Created from 2010-02-26 to 2010-03-26 )))))))))))))))))))))))))))))))
.

2010-03-26 04:45 . 2010-03-26 04:45 552 ----a-w- c:\windows\system32\d3d8caps.dat
2010-03-24 17:06 . 2010-03-24 17:06 -------- d-----w- c:\program files\Symantec
2010-03-22 04:34 . 2010-03-22 04:34 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-03-22 02:14 . 2010-03-22 02:14 -------- d-s---w- c:\documents and settings\NetworkService\UserData
2010-03-22 01:21 . 2010-03-22 01:21 95744 --sh--w- c:\windows\system32\hilijizi.dll
2010-03-22 00:47 . 2010-03-22 00:47 -------- d-s---w- c:\documents and settings\Jeanne\UserData
2010-03-20 02:44 . 2010-03-20 02:44 -------- d-----w- C:\$AVG
2010-03-20 02:44 . 2010-03-22 04:34 242696 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-03-20 02:44 . 2010-03-22 04:34 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-03-20 02:44 . 2010-03-22 04:34 29512 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2010-03-20 02:43 . 2010-03-26 00:49 -------- d-----w- c:\windows\system32\drivers\Avg
2010-03-20 02:43 . 2010-03-20 02:43 -------- d-----w- c:\program files\AVG
2010-03-20 02:43 . 2010-03-20 02:43 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2010-03-17 00:20 . 2010-03-16 23:21 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-03-16 23:22 . 2010-02-04 15:53 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-03-16 23:21 . 2010-03-16 23:21 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-03-16 23:20 . 2010-03-16 23:20 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}
2010-03-16 23:18 . 2010-03-16 23:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-03-16 03:12 . 2004-08-04 03:00 8192 ----a-w- c:\windows\system32\drivers\changer.sys
2010-03-16 03:12 . 2004-08-04 03:00 8192 ----a-w- c:\windows\system32\dllcache\changer.sys
2010-03-10 19:29 . 2009-10-23 14:27 3555328 ------w- c:\windows\system32\dllcache\moviemk.exe
2010-03-10 06:22 . 2010-03-10 06:22 -------- d-----w- c:\documents and settings\All Users\Application Data\RegCure
2010-03-10 06:22 . 2010-03-10 06:28 -------- d-----w- c:\program files\RegCure
2010-03-10 06:16 . 2010-03-10 06:16 3154 ----a-w- C:\registory key.reg

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-26 16:33 . 2009-07-24 02:49 -------- d-----w- c:\documents and settings\Jeanne\Application Data\Skype
2010-03-26 13:43 . 2009-07-24 02:12 -------- d-----w- c:\documents and settings\Jeanne\Application Data\skypePM
2010-03-25 06:30 . 2004-08-04 03:59 95360 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-03-25 02:42 . 2004-08-10 17:51 33280 ----a-w- c:\windows\system32\rundll32.exe
2010-03-22 04:35 . 2010-03-22 04:35 360584 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgtdix.sys
2010-03-22 04:35 . 2010-03-22 04:35 333192 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgldx86.sys
2010-03-22 04:35 . 2010-03-22 04:35 28424 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgmfx86.sys
2010-03-20 02:43 . 2010-03-22 04:32 1007896 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.exe
2010-03-20 02:43 . 2010-03-22 04:32 800536 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avginet.dll
2010-03-20 02:43 . 2010-03-22 04:32 613656 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgiproxy.exe
2010-03-20 02:43 . 2010-03-22 04:32 1658136 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.dll
2010-03-16 23:39 . 2007-06-07 21:28 -------- d-----w- c:\documents and settings\Jeanne\Application Data\Move Networks
2010-03-16 23:20 . 2006-06-23 22:45 -------- d-----w- c:\program files\Lavasoft
2010-03-16 05:06 . 2006-06-21 04:20 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-03-12 15:54 . 2009-12-29 22:02 -------- d-----w- c:\documents and settings\Jeanne\Application Data\HPAppData
2010-03-09 22:07 . 2007-04-23 18:16 -------- d-----w- c:\program files\FinePixViewer
2010-02-04 15:53 . 2010-03-16 23:20 2954656 -c--a-w- c:\documents and settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}\Ad-AwareInstaller.exe
2010-01-07 20:45 . 2010-01-07 20:45 86016 -c--a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe
2009-12-31 16:14 . 2004-08-10 17:51 352640 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-29 01:48 . 2009-12-29 01:24 186581 -c--a-w- c:\windows\hpwins23.dat
2004-10-01 19:00 . 2006-06-21 04:49 40960 -c--a-w- c:\program files\Uninstall_CDS.exe
1601-01-01 00:03 . 1601-01-01 00:03 42496 --sha-w- c:\windows\system32\berateno.dll
1601-01-01 00:03 . 1601-01-01 00:03 95744 --sha-w- c:\windows\system32\desoyahi.dll
1601-01-01 00:03 . 1601-01-01 00:03 66560 --sha-w- c:\windows\system32\fusizota.dll
1601-01-01 00:03 . 1601-01-01 00:03 48640 --sha-w- c:\windows\system32\gudasene.dll
1601-01-01 00:03 . 1601-01-01 00:03 42496 --sha-w- c:\windows\system32\hohebalo.dll
1601-01-01 00:03 . 1601-01-01 00:03 69632 --sha-w- c:\windows\system32\lafekopa.dll
1601-01-01 00:03 . 1601-01-01 00:03 42496 --sha-w- c:\windows\system32\loganoye.dll
1601-01-01 00:03 . 1601-01-01 00:03 95744 --sha-w- c:\windows\system32\nipuwoku.dll
1601-01-01 00:03 . 1601-01-01 00:03 66560 --sha-w- c:\windows\system32\nubamiko.dll
1601-01-01 00:03 . 1601-01-01 00:03 95232 --sha-w- c:\windows\system32\pajurami.dll
1601-01-01 00:03 . 1601-01-01 00:03 42496 --sha-w- c:\windows\system32\sebodawe.dll
1601-01-01 00:03 . 1601-01-01 00:03 42496 --sha-w- c:\windows\system32\wadavuro.dll
1601-01-01 00:03 . 1601-01-01 00:03 42496 --sha-w- c:\windows\system32\yasazaki.dll
1601-01-01 00:03 . 1601-01-01 00:03 48640 --sha-w- c:\windows\system32\zuhuvapo.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{766e8e25-56cb-441c-bb04-85d749f72f3e}]
1601-01-01 00:03 66560 --sha-w- c:\windows\system32\fusizota.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="c:\program files\AIM6\aim6.exe" [2008-10-31 50480]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2009-10-09 25623336]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"rakivuzuj"="c:\windows\system32\desoyahi.dll" [1601-01-01 95744]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Clean Access Agent.lnk - c:\program files\Cisco Systems\Clean Access Agent\CCAAgentLauncher.exe [2007-12-7 28672]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\SharedTaskScheduler]
"{1115fa80-d478-4a71-b529-26d22bd1b615}"= "c:\windows\system32\desoyahi.dll" [1601-01-01 95744]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"rovewojaf"= {1115fa80-d478-4a71-b529-26d22bd1b615} - c:\windows\system32\desoyahi.dll [1601-01-01 95744]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-03-22 04:34 12464 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0SsiEfr.exe\0lsdelete

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup
backupExtension=Common Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Exif Launcher 2.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Exif Launcher 2.lnk
backup=c:\windows\pss\Exif Launcher 2.lnkCommon Startup
backupExtension=Common Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup
backupExtension=Common Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Jeanne^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
path=c:\documents and settings\Jeanne\Start Menu\Programs\Startup\LimeWire On Startup.lnk
backup=c:\windows\pss\LimeWire On Startup.lnkStartup
backupExtension=Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2009-09-04 17:08 935288 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-10-03 09:08 35696 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
2005-04-08 19:52 48752 ----a-w- c:\program files\Common Files\Symantec Shared\ccApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Creative Live! Cam Manager]
2007-06-07 18:01 155648 ------w- c:\program files\Creative\Creative Live! Cam\Live! Cam Manager\CTLCMgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2004-08-04 10:00 15360 -c----w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTSVolFE.exe]
2005-02-23 20:57 57344 ------w- c:\program files\Creative\Mixer\CTSVolFE.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ddoctorv2]
2008-04-24 17:25 202560 ----a-w- c:\program files\Comcast\Desktop Doctor\bin\sprtcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell Photo AIO Printer 922]
2004-11-10 19:36 290816 ----a-w- c:\program files\Dell Photo AIO Printer 922\dlbtbmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
2007-03-15 15:09 460784 ----a-w- c:\program files\DellSupport\DSAgnt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellTransferAgent]
2007-11-13 21:46 135168 ----a-w- c:\documents and settings\All Users\Application Data\Dell\TransferAgent\TransferAgent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DLA]
2005-09-08 10:20 122940 ----a-w- c:\windows\system32\DLA\DLACTRLW.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DLBTCATS]
2004-11-09 21:41 69632 ----a-w- c:\windows\system32\spool\drivers\w32x86\3\dlbttime.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ECenter]
2006-02-22 17:00 49152 ----a-w- c:\dell\E-Center\GTB.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FlashPlayerUpdate]
2009-07-18 03:12 257440 ----a-r- c:\windows\system32\Macromed\Flash\FlashUtil10c.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2007-05-08 21:24 54840 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]
2005-12-13 07:41 77824 ----a-w- c:\windows\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
2005-12-13 07:45 118784 ----a-w- c:\windows\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]
2005-12-13 07:44 98304 ----a-w- c:\windows\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelWireless]
2005-12-28 16:56 602182 ----a-w- c:\program files\Intel\Wireless\Bin\iFrmewrk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelZeroConfig]
2005-12-28 16:55 667718 ----a-w- c:\program files\Intel\Wireless\Bin\ZCfgSvc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
2004-07-27 21:50 221184 ----a-w- c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
2004-07-27 21:50 81920 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2009-11-12 21:33 141600 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ModemOnHold]
2003-09-10 07:24 20480 ------w- c:\program files\NetWaiting\netwaiting.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2004-10-13 16:24 1694208 ----a-w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 15:50 155648 ----a-w- c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-11-11 04:08 417792 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
2006-06-13 05:23 26112 ----a-w- c:\program files\Real\RealPlayer\realplay.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\REGSHAVE]
2002-02-05 02:32 53248 ------w- c:\program files\REGSHAVE\REGSHAVE.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
2003-12-08 21:35 32768 ----a-w- c:\program files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
2006-01-09 09:33 417792 ----a-w- c:\windows\stsystra.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2005-04-13 07:48 36975 ----a-w- c:\program files\Java\jre1.5.0_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
2006-03-08 02:48 761947 ----a-w- c:\program files\Synaptics\SynTP\SynTPEnh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\V0400Mon.exe]
2007-06-04 01:01 32768 ----a-r- c:\windows\V0400Mon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\SightSpeed\\SightSpeed.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\WINDOWS\\explorer.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [3/16/2010 7:22 PM 64288]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [3/19/2010 10:44 PM 216200]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [3/19/2010 10:44 PM 242696]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [3/22/2010 12:34 AM 308064]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2/4/2010 11:52 AM 1229232]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [5/8/2007 12:19 AM 24652]
S3 kfloapog;kfloapog;\??\c:\docume~1\Jeanne\LOCALS~1\Temp\kfloapog.sys --> c:\docume~1\Jeanne\LOCALS~1\Temp\kfloapog.sys [?]
S3 SavRoam;SAVRoam;"c:\program files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe" --> c:\program files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe [?]
S3 VF0400Afx;VF0400 Audio FX;c:\windows\system32\drivers\V0400Afx.sys [7/23/2009 9:52 PM 142656]
S3 VF0400Vfx;VF0400 Video FX;c:\windows\system32\drivers\V0400Vfx.sys [7/23/2009 9:52 PM 7424]
S3 VF0400Vid;Live! Cam Notebook Pro (VF0400);c:\windows\system32\drivers\V0400Vid.sys [7/23/2009 9:52 PM 166720]
S3 Wdm1;USB Bridge Cable Driver;c:\windows\system32\drivers\usbbc.sys [3/18/2005 11:02 AM 15576]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ HPSLPSVC
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2010-03-16 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-04 23:21]

2009-12-31 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
mStart Page = hxxp://www.comcast.net/
mWindow Title = Windows Internet Explorer provided by Comcast
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
TCP: {6088B828-1643-4F99-915C-31DCDF89FF42} = 217.23.14.75,4.2.2.1,150.108.4.11 150.108.2.11 150.108.153.11
TCP: {EF6129F4-DDCA-41CC-B236-B8AE406EB03C} = 217.23.14.75,4.2.2.1
FF - ProfilePath - c:\documents and settings\Jeanne\Application Data\Mozilla\Firefox\Profiles\ynivm718.default\
FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll
FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
FF - component: c:\program files\Mozilla Firefox\extensions\browserhighlighter@ebay.com\components\Shim.dll
FF - plugin: c:\documents and settings\Jeanne\Application Data\Move Networks\plugins\npqmp071505000011.dll
FF - plugin: c:\documents and settings\Jeanne\Application Data\Move Networks\plugins\npqmp071701000002.dll
FF - plugin: c:\program files\Java\jre1.5.0_03\bin\NPJPI150_03.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\activexFF15.js - pref("capability.policy.default.ClassID.CID4E7FF8BB-0A5A-4AA3-B764-B39BA9A13E38", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activexFF15.js - pref("capability.policy.default.ClassID.CIDB24F189F-FB14-4EFD-8B9D-217EC6C84EA1", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activexFF15.js - pref("capability.policy.default.ClassID.CID86ED3659-02F6-465D-8F19-A9334614CCC3", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activexFF15.js - pref("capability.policy.default.ClassID.CID5D7F48C0-CB49-4ea6-97D4-04F4EACC2F3B", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activexFF15.js - pref("capability.policy.default.ClassID.CID4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activexFF15.js - pref("capability.policy.default.ClassID.CIDA43C6FC7-09F6-4E04-B8E3-683F3BDFEF7C", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activexFF15.js - pref("capability.policy.default.ClassID.CID4C8D6404-A9F6-4236-8488-6C5732CB3BFA", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js:pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-PowerBar - (no file)
HKCU-Run-Remote System Protection - c:\windows\system32\immuqohnt.dll
HKCU-Run-Dr. Guard - c:\program files\Dr. Guard\drguard.exe
HKCU-Run-CyberDefender Registry Cleaner - c:\program files\CyberDefender\Registry Cleaner\CDregclean.exe
HKLM-Run-lufukoruli - niwebazi.dll
HKLM-Run-CyberDefender Registry Cleaner - (no file)
HKU-Default-Run-Remote System Protection - c:\windows\system32\immuqohnt.dll
SharedTaskScheduler-{9f28404e-9655-4495-9fb7-5024dece8516} - c:\windows\system32\fuweyofa.dll
SharedTaskScheduler-{0698da3f-85a0-417b-a00c-9d526e99b5c1} - c:\windows\system32\sufetida.dll
SharedTaskScheduler-{b9b56619-b761-4560-89f1-08ce0c07df71} - c:\windows\system32\fapavifa.dll
SharedTaskScheduler-{c405d63e-b58e-4471-8138-05094f87e2f8} - c:\windows\system32\mebokewe.dll
SSODL-fefozujus-{9f28404e-9655-4495-9fb7-5024dece8516} - c:\windows\system32\fuweyofa.dll
SSODL-bazelaweh-{0698da3f-85a0-417b-a00c-9d526e99b5c1} - c:\windows\system32\sufetida.dll
SSODL-mediwonon-{b9b56619-b761-4560-89f1-08ce0c07df71} - c:\windows\system32\fapavifa.dll
SSODL-muyakadah-{c405d63e-b58e-4471-8138-05094f87e2f8} - c:\windows\system32\mebokewe.dll
MSConfigStartUp-DMXLauncher - c:\program files\Dell\Media Experience\DMXLauncher.exe
MSConfigStartUp-MSKDetectorExe - c:\program files\McAfee\SpamKiller\MSKDetct.exe
MSConfigStartUp-PCMService - c:\program files\Dell\Media Experience\PCMService.exe
MSConfigStartUp-vptray - c:\progra~1\SYMANT~1\SYMANT~2\VPTray.exe
AddRemove-WebCyberCoach_wtrb - c:\program files\WebCyberCoach\b_Dell\WCC_Wipe.exe WebCyberCoach ext\wtrb



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-26 12:30
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
PowerBar = ?W?????????????????????????????????????????????????????????????|p??|????m??|?`?w????????XW????@?8?@?????XW??c"?s???s??????@?????N'?sDU2?L|?s????????????u??s????????c"?s???s??????@?8?@?N'?s?U2??$@?8?@?8?@??????????U2??A2????s?@2??T2??@2??A2?0i?s????????PU2????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Intel\Wireless\Folders\ *4*]
"Path"="c:\\WINDOWS\\system32\\config\\systemprofile\\Application Data\\Intel\\Wireless\\"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(896)
c:\windows\system32\WRLogonNTF.dll

- - - - - - - > 'explorer.exe'(932)
c:\windows\system32\fusizota.dll
c:\windows\system32\desoyahi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Intel\Wireless\Bin\WLKeeper.exe
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\program files\Common Files\Symantec Shared\SNDSrvc.exe
c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\program files\AVG\AVG9\avgchsvx.exe
c:\program files\AVG\AVG9\avgrsx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\windows\system32\bgsvcgen.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\AVG\AVG9\avgnsx.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\Comcast\Desktop Doctor\bin\sprtsvc.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\wbem\unsecapp.exe
c:\program files\Viewpoint\Viewpoint Manager\ViewMgr.exe
c:\program files\Lavasoft\Ad-Aware\AAWTray.exe
c:\program files\Cisco Systems\Clean Access Agent\CCAAgent.exe
c:\program files\Skype\Plugin Manager\skypePM.exe
.
**************************************************************************
.
Completion time: 2010-03-26 12:39:36 - machine was rebooted
ComboFix-quarantined-files.txt 2010-03-26 16:39

Pre-Run: 18,078,765,056 bytes free
Post-Run: 19,149,373,440 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - BEA34619A93572AEBEC8827220E5CA63


and a new HJT log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:43:10 PM, on 3/26/2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\WINDOWS\system32\bgsvcgen.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Cisco Systems\Clean Access Agent\CCAAgent.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Jeanne\Desktop\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {766e8e25-56cb-441c-bb04-85d749f72f3e} - fusizota.dll (file missing)
O4 - HKLM\..\Run: [rakivuzuj] Rundll32.exe "c:\windows\system32\desoyahi.dll",a
O4 - HKLM\..\Run: [lufukoruli] Rundll32.exe "niwebazi.dll",s
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Global Startup: Clean Access Agent.lnk = C:\Program Files\Cisco Systems\Clean Access Agent\CCAAgentLauncher.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: HP Smart Select - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{6088B828-1643-4F99-915C-31DCDF89FF42}: NameServer = 217.23.14.75,4.2.2.1,150.108.4.11 150.108.2.11 150.108.153.11
O17 - HKLM\System\CCS\Services\Tcpip\..\{EF6129F4-DDCA-41CC-B236-B8AE406EB03C}: NameServer = 217.23.14.75,4.2.2.1
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: c:\windows\system32\desoyahi.dll,huzisopo.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O21 - SSODL: rovewojaf - {1115fa80-d478-4a71-b529-26d22bd1b615} - c:\windows\system32\desoyahi.dll
O22 - SharedTaskScheduler: jugezatag - {1115fa80-d478-4a71-b529-26d22bd1b615} - c:\windows\system32\desoyahi.dll
O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
O23 - Service: B's Recorder GOLD Library General Service (bgsvcgen) - B.H.A Corporation - C:\WINDOWS\system32\bgsvcgen.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Labs Licensing Service - Creative Labs - C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Unknown owner - C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe (file missing)
O23 - Service: dlbt_device - Dell - C:\WINDOWS\system32\dlbtcoms.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: IS Service (ISSVC) - Unknown owner - C:\Program Files\Symantec Client Security\Symantec Client Firewall\ISSVC.exe (file missing)
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SAVRoam (SavRoam) - Unknown owner - C:\Program Files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe (file missing)
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: SupportSoft Sprocket Service (ddoctorv2) (sprtsvc_ddoctorv2) - SupportSoft, Inc. - C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
O23 - Service: Symantec AntiVirus - Unknown owner - C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe (file missing)
O23 - Service: Symantec SecurePort (SymSecurePort) - Unknown owner - C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe (file missing)
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: Intel® PROSet/Wireless SSO Service (WLANKEEPER) - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 8796 bytes

I couldn't find where Symantec is running on my computer and I am unable to uninstall it; it will not let me. My computer is still detecting programs. What should I do to get the rkill to run properly? Thank you again.

#6 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,505 posts
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:02:47 AM

Posted 26 March 2010 - 11:51 PM

Hello,

Don't worry about Rkill. We will proceed with taking care of some of the leftovers.

We need to run a CFScript.

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the codebox below into it:

CODE
Killall::

File::
c:\windows\system32\berateno.dll
c:\windows\system32\desoyahi.dll
c:\windows\system32\fusizota.dll
c:\windows\system32\gudasene.dll
c:\windows\system32\hohebalo.dll
c:\windows\system32\lafekopa.dll
c:\windows\system32\loganoye.dll
c:\windows\system32\nipuwoku.dll
c:\windows\system32\nubamiko.dll
c:\windows\system32\pajurami.dll
c:\windows\system32\sebodawe.dll
c:\windows\system32\wadavuro.dll
c:\windows\system32\yasazaki.dll
c:\windows\system32\zuhuvapo.dll
c:\windows\system32\hilijizi.dll
c:\windows\system32\desoyahi.dll
c:\docume~1\Jeanne\LOCALS~1\Temp\kfloapog.sys
c:\windows\system32\niwebazi.dll

Folder::
c:\program files\RegCure
c:\documents and settings\All Users\Application Data\RegCure

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{766e8e25-56cb-441c-bb04-85d749f72f3e}]
[-HKEY_CLASSES_ROOT\CLSID\{766e8e25-56cb-441c-bb04-85d749f72f3e}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"rakivuzuj"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"lufukoruli"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"rovewojaf"=-
[-HKEY_CLASSES_ROOT\CLSID\{1115fa80-d478-4a71-b529-26d22bd1b615}]
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=-
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=-
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=-
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"=-

Driver::
kfloapog


Save this as CFScript.txt, in the same location as ComboFix.exe




Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

2.
Please download Malwarebytes Anti-Malware (v1.43) and save it to your desktop.
alternate download link 1
alternate download link 2
If you have a previous version of MBAM, remove it via Add/Remove Programs and download a fresh copy.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself.
  • Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install. Alternatively, you can update through MBAM's interface from a clean computer, copy the definitions (rules.ref) located in C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware from that system to a usb stick or CD and then copy it to the infected machine.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless of whether you are prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you after scanning with MBAM. Please temporarily disable such programs or permit them to allow the changes.

Things to include in your next reply:
Combofix.txt
MBAM log
A new HiJackThis log
How is your machine running now?

"Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


If I have helped you, consider making a donation to help me continue the fight against Malware!
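As an added example (not part of this thread, and not ComboFix's or HijackThis's own code): a Python cross-check that parses a CFScript like the one above and the HijackThis entries it was written for, and reports any flagged module, CLSID or registry value the script does not address. The inputs are copied from the logs in this thread (the File:: and Registry:: sections abridged); the section names and the `[-KEY]` / `"name"=-` syntax are the CFScript conventions shown in the post.

```python
"""Cross-check a ComboFix CFScript against the HijackThis entries it targets.

For every flagged HJT line, confirm that each module it loads is in File::,
that any CLSID it carries is deleted in Registry::, and that the Run / SSODL
value name is removed. Anything left over is reported for the analyst.
"""
import re
from collections import defaultdict

MODULE_RE = re.compile(r'[\w~-]+\.(?:dll|sys|exe)\b', re.IGNORECASE)
CLSID_RE = re.compile(r'\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}', re.IGNORECASE)
HJT_RE = re.compile(r'^(O2|O4|O20|O21|O22) - (.*)$')

# Constructed sample: the flagged lines from the HJT log posted in this thread.
HJT_FLAGGED = r"""
O2 - BHO: (no name) - {766e8e25-56cb-441c-bb04-85d749f72f3e} - fusizota.dll (file missing)
O4 - HKLM\..\Run: [rakivuzuj] Rundll32.exe "c:\windows\system32\desoyahi.dll",a
O4 - HKLM\..\Run: [lufukoruli] Rundll32.exe "niwebazi.dll",s
O20 - AppInit_DLLs: c:\windows\system32\desoyahi.dll,huzisopo.dll
O21 - SSODL: rovewojaf - {1115fa80-d478-4a71-b529-26d22bd1b615} - c:\windows\system32\desoyahi.dll
O22 - SharedTaskScheduler: jugezatag - {1115fa80-d478-4a71-b529-26d22bd1b615} - c:\windows\system32\desoyahi.dll
"""

# Constructed sample: the CFScript from the post above, abridged to the relevant entries.
CFSCRIPT = r"""
Killall::

File::
c:\windows\system32\desoyahi.dll
c:\windows\system32\fusizota.dll
c:\windows\system32\niwebazi.dll
c:\docume~1\Jeanne\LOCALS~1\Temp\kfloapog.sys

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{766e8e25-56cb-441c-bb04-85d749f72f3e}]
[-HKEY_CLASSES_ROOT\CLSID\{766e8e25-56cb-441c-bb04-85d749f72f3e}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"rakivuzuj"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"lufukoruli"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"rovewojaf"=-
[-HKEY_CLASSES_ROOT\CLSID\{1115fa80-d478-4a71-b529-26d22bd1b615}]

Driver::
kfloapog
"""


def parse_cfscript(text):
    """Split a CFScript into its 'Name::' sections; returns {section: [entry, ...]}."""
    sections, current = defaultdict(list), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        head = re.fullmatch(r'(\w+)::', line)
        if head:
            current = head.group(1)
        elif current is not None:
            sections[current].append(line)
    return dict(sections)


def registry_deletions(entries):
    """Return (deleted_clsids, deleted_value_names) from a Registry:: section.

    '[-KEY]' deletes a whole key (we record any CLSID in its path);
    '"name"=-' deletes one value under the preceding '[KEY]' header.
    Value names are collected without their key, which is enough for this check.
    """
    clsids, names = set(), set()
    for entry in entries:
        if entry.startswith('[-'):
            clsids.update(c.lower() for c in CLSID_RE.findall(entry))
        else:
            value = re.fullmatch(r'"([^"]+)"=-', entry)
            if value:
                names.add(value.group(1).lower())
    return clsids, names


def check_coverage(hjt_text, cfscript_text):
    """Return [(hjt_line, problem), ...] for flagged entries the script leaves unaddressed."""
    script = parse_cfscript(cfscript_text)
    files = {p.rsplit('\\', 1)[-1].lower() for p in script.get('File', [])}
    clsids, names = registry_deletions(script.get('Registry', []))
    findings = []
    for raw in hjt_text.splitlines():
        line = raw.strip()
        m = HJT_RE.match(line)
        if not m:
            continue
        code, body = m.groups()
        # rundll32.exe is only the loader in O4 entries; the payload is the DLL it is given
        modules = {x.lower() for x in MODULE_RE.findall(body)} - {'rundll32.exe'}
        missing = sorted(modules - files)
        if missing:
            findings.append((line, 'not in File::: ' + ', '.join(missing)))
        clsid = CLSID_RE.search(body)
        if clsid and clsid.group(0).lower() not in clsids:
            findings.append((line, 'CLSID key not deleted: ' + clsid.group(0)))
        if code == 'O4':            # Run value name is shown in [brackets]
            value = re.search(r'\[([^\]]+)\]', body)
        elif code == 'O21':         # SSODL value name precedes the CLSID
            value = re.match(r'SSODL: (\S+) -', body)
        else:                       # O22 values are keyed by CLSID, already checked
            value = None
        if value and value.group(1).lower() not in names:
            findings.append((line, 'registry value not removed: ' + value.group(1)))
    return findings


if __name__ == '__main__':
    for entry, problem in check_coverage(HJT_FLAGGED, CFSCRIPT):
        print(f'{problem}\n    {entry}')
```

Run as a script it prints each uncovered entry; on this thread's inputs that is the second AppInit_DLLs module, which the File:: list does not name.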


#7 Jval

Jval
  • Topic Starter

  • Members
  • 11 posts
  • Local time:03:47 AM

Posted 27 March 2010 - 10:40 AM

ComboFix log:

ComboFix 10-03-25.04 - Jeanne 03/27/2010 10:13:16.2.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1014.479 [GMT -4:00]
Running from: c:\documents and settings\Jeanne\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Jeanne\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: Symantec Client Firewall *disabled* {5CB76A43-5FAD-476B-B9FF-26FA61F13187}

FILE ::
"c:\docume~1\Jeanne\LOCALS~1\Temp\kfloapog.sys"
"c:\windows\system32\berateno.dll"
"c:\windows\system32\desoyahi.dll"
"c:\windows\system32\fusizota.dll"
"c:\windows\system32\gudasene.dll"
"c:\windows\system32\hilijizi.dll"
"c:\windows\system32\hohebalo.dll"
"c:\windows\system32\lafekopa.dll"
"c:\windows\system32\loganoye.dll"
"c:\windows\system32\nipuwoku.dll"
"c:\windows\system32\niwebazi.dll"
"c:\windows\system32\nubamiko.dll"
"c:\windows\system32\pajurami.dll"
"c:\windows\system32\sebodawe.dll"
"c:\windows\system32\wadavuro.dll"
"c:\windows\system32\yasazaki.dll"
"c:\windows\system32\zuhuvapo.dll"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\RegCure
c:\documents and settings\All Users\Application Data\RegCure\multipledetection.dat
c:\documents and settings\All Users\Application Data\RegCure\whitelist.dat
c:\program files\RegCure
c:\program files\RegCure\0_days.htm
c:\program files\RegCure\1_days.htm
c:\program files\RegCure\15_days.htm
c:\program files\RegCure\2_days.htm
c:\program files\RegCure\30_days.htm
c:\program files\RegCure\5_days.htm
c:\program files\RegCure\Animated-Bar.gif
c:\program files\RegCure\AutoUpdate.dll
c:\program files\RegCure\Backup\RegCureBak_March_10_10_01_28_48.reg
c:\program files\RegCure\blue_duo.jpg
c:\program files\RegCure\buttonfill.jpg
c:\program files\RegCure\buttonfill_expire.jpg
c:\program files\RegCure\buttonfill_mo.jpg
c:\program files\RegCure\buttonfill_mo_expire.jpg
c:\program files\RegCure\BuyNags.htm
c:\program files\RegCure\center_gradient.jpg
c:\program files\RegCure\container_content_bkimg.gif
c:\program files\RegCure\container_content_leftimg.gif
c:\program files\RegCure\container_content_rightimg.gif
c:\program files\RegCure\contentwrapper.gif
c:\program files\RegCure\email.htm
c:\program files\RegCure\expire.css
c:\program files\RegCure\footerbar.gif
c:\program files\RegCure\green_duo.jpg
c:\program files\RegCure\info_bubble.jpg
c:\program files\RegCure\left_gradient.jpg
c:\program files\RegCure\logo.jpg
c:\program files\RegCure\Logs\RegCure-10-03-10-01-28-48.zip
c:\program files\RegCure\Logs\SystemInfo.zip
c:\program files\RegCure\LogSettings.xml
c:\program files\RegCure\main.css
c:\program files\RegCure\main_nag.css
c:\program files\RegCure\main_showstats.css
c:\program files\RegCure\package_titlebar_bkimg.jpg
c:\program files\RegCure\process-animation.gif
c:\program files\RegCure\RegCure.exe
c:\program files\RegCure\regcure.gif
c:\program files\RegCure\right_gradient.jpg
c:\program files\RegCure\settings.xml
c:\program files\RegCure\showstats.htm
c:\program files\RegCure\small_vbxregcure.jpg
c:\program files\RegCure\special_offer.jpg
c:\program files\RegCure\special_offer_nag.jpg
c:\program files\RegCure\subtitlebar.gif
c:\program files\RegCure\tile_titlebar.jpg
c:\program files\RegCure\titlebar_left.jpg
c:\program files\RegCure\titlebar_right.jpg
c:\program files\RegCure\tp.css
c:\program files\RegCure\TrialPay.htm
c:\program files\RegCure\underline.gif
c:\program files\RegCure\uninst.exe
c:\program files\RegCure\zlibwapi.dll
c:\windows\system32\berateno.dll
c:\windows\system32\desoyahi.dll
c:\windows\system32\fusizota.dll
c:\windows\system32\gitoreda.dll
c:\windows\system32\gudasene.dll
c:\windows\system32\hilijizi.dll
c:\windows\system32\hohebalo.dll
c:\windows\system32\lafekopa.dll
c:\windows\system32\loganoye.dll
c:\windows\system32\nipuwoku.dll
c:\windows\system32\nubamiko.dll
c:\windows\system32\pajurami.dll
c:\windows\system32\sebodawe.dll
c:\windows\system32\wadavuro.dll
c:\windows\system32\yasazaki.dll
c:\windows\system32\zuhuvapo.dll

.
((((((((((((((((((((((((( Files Created from 2010-02-27 to 2010-03-27 )))))))))))))))))))))))))))))))
.

2010-03-26 04:45 . 2010-03-26 04:45 552 ----a-w- c:\windows\system32\d3d8caps.dat
2010-03-24 17:06 . 2010-03-24 17:06 -------- d-----w- c:\program files\Symantec
2010-03-22 04:34 . 2010-03-22 04:34 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-03-22 02:14 . 2010-03-22 02:14 -------- d-s---w- c:\documents and settings\NetworkService\UserData
2010-03-22 00:47 . 2010-03-22 00:47 -------- d-s---w- c:\documents and settings\Jeanne\UserData
2010-03-20 02:44 . 2010-03-20 02:44 -------- d-----w- C:\$AVG
2010-03-20 02:44 . 2010-03-22 04:34 242696 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-03-20 02:44 . 2010-03-22 04:34 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-03-20 02:44 . 2010-03-22 04:34 29512 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2010-03-20 02:43 . 2010-03-27 13:50 -------- d-----w- c:\windows\system32\drivers\Avg
2010-03-20 02:43 . 2010-03-20 02:43 -------- d-----w- c:\program files\AVG
2010-03-20 02:43 . 2010-03-20 02:43 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2010-03-17 00:20 . 2010-03-16 23:21 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-03-16 23:22 . 2010-02-04 15:53 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-03-16 23:21 . 2010-03-16 23:21 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-03-16 23:20 . 2010-03-16 23:20 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}
2010-03-16 23:18 . 2010-03-16 23:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-03-16 03:12 . 2004-08-04 03:00 8192 ----a-w- c:\windows\system32\drivers\changer.sys
2010-03-16 03:12 . 2004-08-04 03:00 8192 ----a-w- c:\windows\system32\dllcache\changer.sys
2010-03-10 19:29 . 2009-10-23 14:27 3555328 ------w- c:\windows\system32\dllcache\moviemk.exe
2010-03-10 06:16 . 2010-03-10 06:16 3154 ----a-w- C:\registory key.reg

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-27 14:26 . 2009-07-24 02:49 -------- d-----w- c:\documents and settings\Jeanne\Application Data\Skype
2010-03-27 14:25 . 2009-07-24 02:12 -------- d-----w- c:\documents and settings\Jeanne\Application Data\skypePM
2010-03-27 00:54 . 2006-08-05 04:01 30296 -c--a-w- c:\documents and settings\Jeanne\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-03-25 06:30 . 2004-08-04 03:59 95360 ------w- c:\windows\system32\drivers\atapi.sys
2010-03-25 02:42 . 2004-08-10 17:51 33280 ----a-w- c:\windows\system32\rundll32.exe
2010-03-22 04:35 . 2010-03-22 04:35 360584 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgtdix.sys
2010-03-22 04:35 . 2010-03-22 04:35 333192 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgldx86.sys
2010-03-22 04:35 . 2010-03-22 04:35 28424 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgmfx86.sys
2010-03-20 02:43 . 2010-03-22 04:32 1007896 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.exe
2010-03-20 02:43 . 2010-03-22 04:32 800536 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avginet.dll
2010-03-20 02:43 . 2010-03-22 04:32 613656 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgiproxy.exe
2010-03-20 02:43 . 2010-03-22 04:32 1658136 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.dll
2010-03-16 23:39 . 2007-06-07 21:28 -------- d-----w- c:\documents and settings\Jeanne\Application Data\Move Networks
2010-03-16 23:20 . 2006-06-23 22:45 -------- d-----w- c:\program files\Lavasoft
2010-03-16 05:06 . 2006-06-21 04:20 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-03-12 15:54 . 2009-12-29 22:02 -------- d-----w- c:\documents and settings\Jeanne\Application Data\HPAppData
2010-03-09 22:07 . 2007-04-23 18:16 -------- d-----w- c:\program files\FinePixViewer
2010-02-04 15:53 . 2010-03-16 23:20 2954656 -c--a-w- c:\documents and settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}\Ad-AwareInstaller.exe
2010-01-07 20:45 . 2010-01-07 20:45 86016 -c--a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe
2009-12-31 16:14 . 2004-08-10 17:51 352640 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-29 01:48 . 2009-12-29 01:24 186581 -c--a-w- c:\windows\hpwins23.dat
2004-10-01 19:00 . 2006-06-21 04:49 40960 -c--a-w- c:\program files\Uninstall_CDS.exe
1601-01-01 00:03 . 1601-01-01 00:03 42496 --sha-w- c:\windows\system32\surefuta.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="c:\program files\AIM6\aim6.exe" [2008-10-31 50480]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2009-10-09 25623336]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Clean Access Agent.lnk - c:\program files\Cisco Systems\Clean Access Agent\CCAAgentLauncher.exe [2007-12-7 28672]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-03-22 04:34 12464 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0SsiEfr.exe\0lsdelete

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup
backupExtension=Common Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Exif Launcher 2.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Exif Launcher 2.lnk
backup=c:\windows\pss\Exif Launcher 2.lnkCommon Startup
backupExtension=Common Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup
backupExtension=Common Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Jeanne^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
path=c:\documents and settings\Jeanne\Start Menu\Programs\Startup\LimeWire On Startup.lnk
backup=c:\windows\pss\LimeWire On Startup.lnkStartup
backupExtension=Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2009-09-04 17:08 935288 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-10-03 09:08 35696 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
2005-04-08 19:52 48752 ----a-w- c:\program files\Common Files\Symantec Shared\ccApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Creative Live! Cam Manager]
2007-06-07 18:01 155648 ------w- c:\program files\Creative\Creative Live! Cam\Live! Cam Manager\CTLCMgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2004-08-04 10:00 15360 -c----w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTSVolFE.exe]
2005-02-23 20:57 57344 ------w- c:\program files\Creative\Mixer\CTSVolFE.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ddoctorv2]
2008-04-24 17:25 202560 ----a-w- c:\program files\Comcast\Desktop Doctor\bin\sprtcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell Photo AIO Printer 922]
2004-11-10 19:36 290816 ----a-w- c:\program files\Dell Photo AIO Printer 922\dlbtbmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
2007-03-15 15:09 460784 ----a-w- c:\program files\DellSupport\DSAgnt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellTransferAgent]
2007-11-13 21:46 135168 ----a-w- c:\documents and settings\All Users\Application Data\Dell\TransferAgent\TransferAgent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DLA]
2005-09-08 10:20 122940 ----a-w- c:\windows\system32\DLA\DLACTRLW.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DLBTCATS]
2004-11-09 21:41 69632 ----a-w- c:\windows\system32\spool\drivers\w32x86\3\dlbttime.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ECenter]
2006-02-22 17:00 49152 ----a-w- c:\dell\E-Center\GTB.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FlashPlayerUpdate]
2009-07-18 03:12 257440 ----a-r- c:\windows\system32\Macromed\Flash\FlashUtil10c.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2007-05-08 21:24 54840 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]
2005-12-13 07:41 77824 ----a-w- c:\windows\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
2005-12-13 07:45 118784 ----a-w- c:\windows\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]
2005-12-13 07:44 98304 ----a-w- c:\windows\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelWireless]
2005-12-28 16:56 602182 ----a-w- c:\program files\Intel\Wireless\Bin\iFrmewrk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelZeroConfig]
2005-12-28 16:55 667718 ----a-w- c:\program files\Intel\Wireless\Bin\ZCfgSvc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
2004-07-27 21:50 221184 ----a-w- c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
2004-07-27 21:50 81920 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2009-11-12 21:33 141600 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ModemOnHold]
2003-09-10 07:24 20480 ------w- c:\program files\NetWaiting\netwaiting.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2004-10-13 16:24 1694208 ----a-w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 15:50 155648 ----a-w- c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-11-11 04:08 417792 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
2006-06-13 05:23 26112 ----a-w- c:\program files\Real\RealPlayer\realplay.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\REGSHAVE]
2002-02-05 02:32 53248 ------w- c:\program files\REGSHAVE\REGSHAVE.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
2003-12-08 21:35 32768 ----a-w- c:\program files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
2006-01-09 09:33 417792 ----a-w- c:\windows\stsystra.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2005-04-13 07:48 36975 ----a-w- c:\program files\Java\jre1.5.0_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
2006-03-08 02:48 761947 ----a-w- c:\program files\Synaptics\SynTP\SynTPEnh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\V0400Mon.exe]
2007-06-04 01:01 32768 ----a-r- c:\windows\V0400Mon.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\SightSpeed\\SightSpeed.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [3/16/2010 7:22 PM 64288]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [3/19/2010 10:44 PM 216200]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [3/19/2010 10:44 PM 242696]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [3/22/2010 12:34 AM 308064]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2/4/2010 11:52 AM 1229232]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [5/8/2007 12:19 AM 24652]
S3 kfloapog;kfloapog;\??\c:\docume~1\Jeanne\LOCALS~1\Temp\kfloapog.sys --> c:\docume~1\Jeanne\LOCALS~1\Temp\kfloapog.sys [?]
S3 SavRoam;SAVRoam;"c:\program files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe" --> c:\program files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe [?]
S3 VF0400Afx;VF0400 Audio FX;c:\windows\system32\drivers\V0400Afx.sys [7/23/2009 9:52 PM 142656]
S3 VF0400Vfx;VF0400 Video FX;c:\windows\system32\drivers\V0400Vfx.sys [7/23/2009 9:52 PM 7424]
S3 VF0400Vid;Live! Cam Notebook Pro (VF0400);c:\windows\system32\drivers\V0400Vid.sys [7/23/2009 9:52 PM 166720]
S3 Wdm1;USB Bridge Cable Driver;c:\windows\system32\drivers\usbbc.sys [3/18/2005 11:02 AM 15576]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ HPSLPSVC
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2010-03-16 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-04 23:21]

2009-12-31 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
mStart Page = hxxp://www.comcast.net/
mWindow Title = Windows Internet Explorer provided by Comcast
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
TCP: {6088B828-1643-4F99-915C-31DCDF89FF42} = 217.23.14.75,4.2.2.1,150.108.4.11 150.108.2.11 150.108.153.11
TCP: {EF6129F4-DDCA-41CC-B236-B8AE406EB03C} = 217.23.14.75,4.2.2.1
FF - ProfilePath - c:\documents and settings\Jeanne\Application Data\Mozilla\Firefox\Profiles\ynivm718.default\
FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll
FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
FF - component: c:\program files\Mozilla Firefox\extensions\browserhighlighter@ebay.com\components\Shim.dll
FF - plugin: c:\documents and settings\Jeanne\Application Data\Move Networks\plugins\npqmp071505000011.dll
FF - plugin: c:\documents and settings\Jeanne\Application Data\Move Networks\plugins\npqmp071701000002.dll
FF - plugin: c:\program files\Java\jre1.5.0_03\bin\NPJPI150_03.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\activexFF15.js - pref("capability.policy.default.ClassID.CID4E7FF8BB-0A5A-4AA3-B764-B39BA9A13E38", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activexFF15.js - pref("capability.policy.default.ClassID.CIDB24F189F-FB14-4EFD-8B9D-217EC6C84EA1", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activexFF15.js - pref("capability.policy.default.ClassID.CID86ED3659-02F6-465D-8F19-A9334614CCC3", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activexFF15.js - pref("capability.policy.default.ClassID.CID5D7F48C0-CB49-4ea6-97D4-04F4EACC2F3B", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activexFF15.js - pref("capability.policy.default.ClassID.CID4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activexFF15.js - pref("capability.policy.default.ClassID.CIDA43C6FC7-09F6-4E04-B8E3-683F3BDFEF7C", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activexFF15.js - pref("capability.policy.default.ClassID.CID4C8D6404-A9F6-4236-8488-6C5732CB3BFA", "AllAccess");c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js:pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.
- - - - ORPHANS REMOVED - - - -

SharedTaskScheduler-{948a0915-e92a-4f74-b924-ddb784ada97c} - c:\windows\system32\gitoreda.dll
SSODL-derusumur-{948a0915-e92a-4f74-b924-ddb784ada97c} - c:\windows\system32\gitoreda.dll
AddRemove-RegCure - c:\program files\RegCure\uninst.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-27 10:22
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Intel\Wireless\Folders\ *4*]
"Path"="c:\\WINDOWS\\system32\\config\\systemprofile\\Application Data\\Intel\\Wireless\\"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(888)
c:\windows\system32\WRLogonNTF.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Intel\Wireless\Bin\WLKeeper.exe
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\program files\Common Files\Symantec Shared\SNDSrvc.exe
c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\program files\AVG\AVG9\avgchsvx.exe
c:\program files\AVG\AVG9\avgrsx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\windows\system32\bgsvcgen.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\Comcast\Desktop Doctor\bin\sprtsvc.exe
c:\program files\AVG\AVG9\avgnsx.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\wbem\unsecapp.exe
c:\program files\Cisco Systems\Clean Access Agent\CCAAgent.exe
c:\program files\Viewpoint\Viewpoint Manager\ViewMgr.exe
c:\program files\Lavasoft\Ad-Aware\AAWTray.exe
.
**************************************************************************
.
Completion time: 2010-03-27 10:32:22 - machine was rebooted
ComboFix-quarantined-files.txt 2010-03-27 14:32
ComboFix2.txt 2010-03-26 16:39

Pre-Run: 19,115,126,784 bytes free
Post-Run: 19,045,937,152 bytes free

- - End Of File - - 031F108A8B163F021DA1C245B3A04349


mbam log:

Malwarebytes' Anti-Malware 1.44
Database version: 3921
Windows 5.1.2600 Service Pack 2
Internet Explorer 6.0.2900.2180

3/27/2010 11:27:59 AM
mbam-log-2010-03-27 (11-27-59).txt

Scan type: Quick Scan
Objects scanned: 138020
Time elapsed: 5 minute(s), 20 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Paladin Antivirus (Rogue.PaladinAntivirus) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{6088b828-1643-4f99-915c-31dcdf89ff42}\NameServer (Trojan.DNSChanger) -> Data: 217.23.14.75,4.2.2.1,150.108.4.11 150.108.2.11 150.108.153.11 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{ef6129f4-ddca-41cc-b236-b8ae406eb03c}\NameServer (Trojan.DNSChanger) -> Data: 217.23.14.75,4.2.2.1 -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\surefuta.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\Documents and Settings\Jeanne\Application Data\Microsoft\Internet Explorer\Quick Launch\Dr. Guard.lnk (Rogue.DrGuard) -> Quarantined and deleted successfully.

and the new HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:39:36 AM, on 3/27/2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\WINDOWS\system32\bgsvcgen.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Cisco Systems\Clean Access Agent\CCAAgent.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Jeanne\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Global Startup: Clean Access Agent.lnk = C:\Program Files\Cisco Systems\Clean Access Agent\CCAAgentLauncher.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: HP Smart Select - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
O23 - Service: B's Recorder GOLD Library General Service (bgsvcgen) - B.H.A Corporation - C:\WINDOWS\system32\bgsvcgen.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Labs Licensing Service - Creative Labs - C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Unknown owner - C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe (file missing)
O23 - Service: dlbt_device - Dell - C:\WINDOWS\system32\dlbtcoms.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: IS Service (ISSVC) - Unknown owner - C:\Program Files\Symantec Client Security\Symantec Client Firewall\ISSVC.exe (file missing)
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SAVRoam (SavRoam) - Unknown owner - C:\Program Files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe (file missing)
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: SupportSoft Sprocket Service (ddoctorv2) (sprtsvc_ddoctorv2) - SupportSoft, Inc. - C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
O23 - Service: Symantec AntiVirus - Unknown owner - C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe (file missing)
O23 - Service: Symantec SecurePort (SymSecurePort) - Unknown owner - C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe (file missing)
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: Intel® PROSet/Wireless SSO Service (WLANKEEPER) - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 7751 bytes



#8 fireman4it

    Bleepin' Fireman

  • Malware Response Team
  • 13,505 posts
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:02:47 AM

Posted 27 March 2010 - 05:51 PM

Hello,

How is your machine running? Any redirects or signs of malware?

1.
I do not recommend that you have more than one anti-virus product installed and running on your computer at a time. The reason for this is that if both products have their automatic (Real-Time) protection switched on, then those products which do not encrypt the virus strings within them can cause other anti-virus products to raise "false alarms". It can also lead to a clash as both products fight for access to files which are opened; again, this is the resident/automatic protection. In general terms, the two programs may conflict and cause:
1) False Alarms: When the anti-virus software tells you that your PC has a virus when it actually doesn't.
2) System Performance Problems: Your system may lock up due to both products attempting to access the same file at the same time.
Therefore please go to Add/Remove Programs in the Control Panel and remove either AVG or Norton.

Uninstall AVG 32 bit


You should be able to remove AVG Anti-Virus via Start > Control Panel > Add or Remove Programs.
If you need instructions on how to do so, please consult: How To Remove An Installed Program From Your Computer

The following instructions can be used to uninstall the program if the uninstall via Add/remove does not work:
  • Download the latest installation file of AVG from their website.
  • After downloading, run the file and choose the Uninstall Product option in the Select Setup Type dialogue.
  • Finish the uninstallation process and restart your computer.

If this fails as well, you can try to use AVGremover:
  • Download avgremover.exe and save it to your Desktop
  • Run the file avgremover.exe
  • Confirm that you want to uninstall.
  • Wait until the program confirms the removal.
  • Restart your computer.
AVG should now be removed from your PC.


Original instructions here:
http://www.avg.com/faq.num-1119#faq_1119

Uninstall Norton


The following removal utility can be used to uninstall the program if the uninstall via Add/remove does not work:
  • Download the Norton Removal Tool to your desktop.
  • On the Windows desktop, double-click the Norton Removal Tool icon.
  • Follow the on-screen instructions.
    Note: Your computer may be restarted more than once, and you may be asked to repeat some steps after the computer restarts.
Norton should now be removed from your PC.


For illustrated instructions please refer to here:
http://service1.symantec.com/Support/tsgeninfo.nsf/docid/2005033108162039

2.
Clean your Cache and Cookies in IE:
  • Close all instances of Outlook Express and Internet Explorer
  • Go to Control Panel > Internet Options > General tab
  • Click the "Delete Cookies" button
  • Next to it, Click the "Delete Files" button
  • When prompted, place a check in: "Delete all offline content", click OK
* Clean your Cache and Cookies in Firefox (In case you also have Firefox installed):
  • Go to Tools > Options.
  • Click Privacy in the menu on the left side of the Options window.
  • Click the Clear button located to the right of each option (History, Cookies, Cache).
  • Click OK to close the Options window
    Alternatively, you can clear all information stored while browsing by clicking Clear All.
    A confirmation dialog box will be shown before clearing the information.
* Clean other Temporary files + Recycle bin
  • Go to start > run and type: cleanmgr and click ok.
  • Let it scan your system for files to remove.
  • Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
  • Press OK to remove them.

3.
Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2
  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    CODE
    :filefind
    kfloapog.sys

  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-



If I have helped you, consider making a donation to help me continue the fight against Malware!
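The two things the helper is checking in the logs above, whether the driver a stray service entry points at (kfloapog.sys, listed with "[?]" in the ComboFix services section) actually exists on disk, and which DNS servers each interface has been given (the NameServer values MBAM later quarantined as Trojan.DNSChanger), can be applied mechanically to a ComboFix log. The script below is an added illustration and is not part of this thread, ComboFix or SystemLook; its input is a handful of lines copied from the log posted above, and the set of "expected" resolvers is an assumption a responder would replace with the addresses their own network hands out.

```python
"""Triage of a few ComboFix log lines (added example, not ComboFix's own code).

Two checks a responder applies when reading a log like the one in this thread:
  1. services/drivers whose binary ComboFix could not find, or that load from
     a user's Temp directory (the kfloapog.sys case the SystemLook step checks);
  2. per-interface DNS servers that are not the resolvers this network should
     be using (the NameServer values MBAM flagged as Trojan.DNSChanger).
"""
import re
from dataclasses import dataclass

# Constructed sample: lines copied from the ComboFix log posted in this thread.
SAMPLE_LOG = r"""
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [3/16/2010 7:22 PM 64288]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [3/22/2010 12:34 AM 308064]
S3 kfloapog;kfloapog;\??\c:\docume~1\Jeanne\LOCALS~1\Temp\kfloapog.sys --> c:\docume~1\Jeanne\LOCALS~1\Temp\kfloapog.sys [?]
S3 SavRoam;SAVRoam;"c:\program files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe" --> c:\program files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe [?]
TCP: {6088B828-1643-4F99-915C-31DCDF89FF42} = 217.23.14.75,4.2.2.1,150.108.4.11 150.108.2.11 150.108.153.11
TCP: {EF6129F4-DDCA-41CC-B236-B8AE406EB03C} = 217.23.14.75,4.2.2.1
"""

# Assumption: the resolvers this network is expected to hand out. Anything
# else configured on an interface is reported for a human to look at.
EXPECTED_DNS = {"150.108.4.11", "150.108.2.11", "150.108.153.11"}

# "<start type> <name>;<display name>;<image path> [<timestamp> <size>]"
SERVICE_RE = re.compile(
    r"^(?P<start>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<rest>.+)\s+\[(?P<meta>[^\]]*)\]$")
# "TCP: {<interface GUID>} = <server>[,| ]<server>..."
DNS_RE = re.compile(r"^TCP:\s+\{(?P<guid>[0-9A-Fa-f-]+)\}\s+=\s+(?P<servers>.+)$")


@dataclass
class Service:
    start: str        # R = running, S = stopped; digit = Windows start type
    name: str
    display: str
    image: str        # path ComboFix resolved for the service binary
    file_found: bool  # False when ComboFix printed "[?]" instead of timestamp/size


def parse_services(log: str) -> list:
    """Pull R*/S* service lines out of a ComboFix log."""
    services = []
    for line in log.splitlines():
        m = SERVICE_RE.match(line.strip())
        if not m:
            continue
        # "ImagePath --> resolved path": keep the resolved form, drop quotes.
        image = m.group("rest").split("-->")[-1].strip().strip('"')
        # Assumption: "[?]" in place of "<timestamp> <size>" means the file was
        # not found (HijackThis lists SavRoam as "file missing" in this thread).
        services.append(Service(m.group("start"), m.group("name"),
                                m.group("display"), image, m.group("meta") != "?"))
    return services


def flag_services(services: list) -> dict:
    """Map service name -> reasons a responder should look closer."""
    findings = {}
    for s in services:
        reasons = []
        if not s.file_found:
            reasons.append("binary not found on disk")
        if "\\temp\\" in s.image.lower():
            reasons.append("binary under a Temp directory")
        if reasons:
            findings[s.name] = reasons
    return findings


def parse_dns(log: str) -> dict:
    """Map interface GUID -> configured DNS servers (comma or space separated)."""
    interfaces = {}
    for line in log.splitlines():
        m = DNS_RE.match(line.strip())
        if m:
            interfaces[m.group("guid").upper()] = re.split(r"[,\s]+", m.group("servers").strip())
    return interfaces


def flag_dns(interfaces: dict, expected=EXPECTED_DNS) -> dict:
    """Map interface GUID -> servers that are not in the expected set."""
    return {guid: [ip for ip in servers if ip not in expected]
            for guid, servers in interfaces.items()
            if any(ip not in expected for ip in servers)}


def triage(log: str) -> dict:
    return {"services": flag_services(parse_services(log)),
            "dns": flag_dns(parse_dns(log))}


if __name__ == "__main__":
    for section, hits in triage(SAMPLE_LOG).items():
        print(section)
        for key, detail in hits.items():
            print(f"  {key}: {detail}")
```

On the sample, kfloapog is reported twice (missing file and Temp-directory path), SavRoam once (the leftover Symantec entry HijackThis also lists as "file missing"), and both interfaces are reported for the two resolvers outside the expected set. The script only parses text a user has already posted; confirming a missing driver or replacing DNS settings is still done on the machine, with the tools the helper asks for.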


#9 Jval

  • Topic Starter
  • Members
  • 11 posts
  • Local time:03:47 AM

Posted 27 March 2010 - 06:45 PM

Hello,

When attempting to uninstall Norton, the uninstall tool would not work, prompting me to go to add/drop programs and remove the Symantec Client Security first before the program could begin. When I attempt to remove the program, it gets to the end of removal and the load bar goes backwards, finally closing out of itself. Then a window is prompted saying "a fatal error occurred during installation." This program has given me problems in the past and some files are missing. I attempted to repair it, but it says it cannot locate the install file. Is there another way around this so I can delete everything from Norton off of my computer?

I followed the rest of the steps and this was the SystemLook log produced:

SystemLook v1.0 by jpshortstuff (11.01.10)
Log created at 19:37 on 27/03/2010 by Jeanne (Administrator - Elevation successful)

========== filefind ==========

Searching for "kfloapog.sys"
No files found.

-=End Of File=-

#10 Jval

  • Topic Starter
  • Members
  • 11 posts
  • Local time:03:47 AM

Posted 27 March 2010 - 06:49 PM

Also, my computer seems to be improved by running faster than usual and staying connected to the internet.

#11 fireman4it

    Bleepin' Fireman

  • Malware Response Team
  • 13,505 posts
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:02:47 AM

Posted 27 March 2010 - 06:52 PM

Hello,

How is your machine running other than the Norton Removal problem? Any redirects or signs of Malware?


#12 Jval

  • Topic Starter
  • Members
  • 11 posts
  • Local time:03:47 AM

Posted 27 March 2010 - 09:34 PM

Other than the Norton issue, it seems to be running well. The only difference I can note is that there seems to be a lot of processes still running on my computer when I look in Task Manager. There are many svchost.exe running... should I be concerned about that, or the amount of unusual memory usage being consumed? Thank you again for all your help.

#13 fireman4it

    Bleepin' Fireman

  • Malware Response Team
  • 13,505 posts
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:02:47 AM

Posted 27 March 2010 - 10:08 PM

Hello Jval,


QUOTE
Other than the Norton issue, it seems to be running well. The only difference I can note is that there seems to be a lot of processes still running on my computer when I look in task manager. There are many svchost.exe running...should I be concerned about that? or the amount of unusual memory usage being consumed? Thank you again for all your help.


I have 8 svchost.exe's running on my machine, so I wouldn't worry unless your machine is running very slow.

Let's have one more run of MBAM and a new DDS log.


1.
Please update and run a Full Scan of MalwareBytes-AntiMalware.

2.
Please post a new DDS log and any remaining problems or concerns.


#14 Jval

  • Topic Starter
  • Members
  • 11 posts
  • Local time:03:47 AM

Posted 27 March 2010 - 11:19 PM

Here is the new Malwarebytes log:

Malwarebytes' Anti-Malware 1.44
Database version: 3921
Windows 5.1.2600 Service Pack 2
Internet Explorer 6.0.2900.2180

3/28/2010 12:16:34 AM
mbam-log-2010-03-28 (00-16-18).txt

Scan type: Full Scan (C:\|)
Objects scanned: 204134
Time elapsed: 42 minute(s), 2 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 24

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Jeanne\Application Data\Move Networks\MoveMediaPlayer_07103010.exe (Backdoor.Bot) -> No action taken.
C:\Qoobox\Quarantine\C\WINDOWS\system32\huzisopo.dll.vir (Malware.Packer) -> No action taken.
C:\Qoobox\Quarantine\C\WINDOWS\system32\gitoreda.dll.vir (Malware.Packer) -> No action taken.
C:\Qoobox\Quarantine\C\WINDOWS\system32\Iasex.dll.vir (Backdoor.Bot) -> No action taken.
C:\Qoobox\Quarantine\C\WINDOWS\system32\isamgr.sys.vir (Rootkit.Agent) -> No action taken.
C:\Qoobox\Quarantine\C\WINDOWS\system32\mebokewe.dll.vir (Malware.Packer) -> No action taken.
C:\Qoobox\Quarantine\C\WINDOWS\system32\niwebazi.dll.vir (Malware.Packer) -> No action taken.
C:\Qoobox\Quarantine\C\WINDOWS\system32\remofeko.dll.vir (Malware.Packer) -> No action taken.
C:\Qoobox\Quarantine\C\WINDOWS\_VOIDhtssibcorq\_VOIDd.sys.vir (Rootkit.TDSS) -> No action taken.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\A0000102.dll (Malware.Packer) -> No action taken.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\A0000103.dll (Malware.Packer) -> No action taken.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\A0000104.dll (Malware.Packer) -> No action taken.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\A0000105.dll (Malware.Packer) -> No action taken.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\A0000106.dll (Malware.Packer) -> No action taken.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\A0000107.dll (Malware.Packer) -> No action taken.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\A0000108.dll (Malware.Packer) -> No action taken.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\A0000110.dll (Malware.Packer) -> No action taken.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\A0000111.dll (Malware.Packer) -> No action taken.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\A0000112.dll (Malware.Packer) -> No action taken.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\A0000113.dll (Malware.Packer) -> No action taken.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\A0000114.dll (Malware.Packer) -> No action taken.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\A0000115.dll (Malware.Packer) -> No action taken.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\A0000116.dll (Malware.Packer) -> No action taken.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\A0000117.dll (Malware.Packer) -> No action taken.


Should I delete all of these items? Also, by DDS log...you mean follow up with another HJT log?
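The Malwarebytes log above has a regular line shape ("<path> (<detection name>) -> <action>.") and the items fall into three different places: a live file under the user's profile, files ComboFix already moved into its C:\Qoobox quarantine (renamed with a .vir extension), and copies inside System Restore points. The following is an added example, not code from this thread, from Malwarebytes or from BleepingComputer: a small Python parser that reads an MBAM 1.x text log, groups the detections by location and lists those still marked "No action taken". The sample log is constructed to mirror the format on the page; its paths and GUID are made up.

```python
"""Summarise a Malwarebytes' Anti-Malware 1.x text log by detection location.

Added example for this thread; it is not code from the thread, from
Malwarebytes or from BleepingComputer. It assumes the log layout shown
in the thread: a header, summary counters, then "<Category> Infected:"
sections whose lines read "<path> (<detection name>) -> <action>."
"""
import re
from collections import Counter

# Constructed sample in the MBAM 1.44 format; the paths and GUID are made up.
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.44
Database version: 3921

Scan type: Full Scan (C:\|)
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\User\Application Data\Example\player.exe (Backdoor.Bot) -> No action taken.
C:\Qoobox\Quarantine\C\WINDOWS\system32\example1.dll.vir (Malware.Packer) -> No action taken.
C:\Qoobox\Quarantine\C\WINDOWS\_VOIDexample\_VOIDd.sys.vir (Rootkit.TDSS) -> No action taken.
C:\System Volume Information\_restore{00000000-0000-0000-0000-000000000000}\RP1\A0000001.dll (Malware.Packer) -> Quarantined and deleted successfully.
"""

# "Files Infected:" style section headers (the summary counters have a number after the colon)
SECTION_RE = re.compile(r"^([A-Za-z ]+ Infected):$")
# one detection line: path, detection name in parentheses, action after "->"
DETECTION_RE = re.compile(r"^(?P<path>.+?) \((?P<name>[^()]+)\) -> (?P<action>.+?)\.?$")


def parse_mbam_log(text):
    """Return one dict per detection: section, path, name, action."""
    items = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        if section is None or line.startswith("("):
            # header / summary counters, or "(No malicious items detected)"
            continue
        m = DETECTION_RE.match(line)
        if m:
            items.append({"section": section, **m.groupdict()})
    return items


def classify_location(path):
    """Where the detected file sits; this decides how much it still matters."""
    p = path.lower()
    if "\\qoobox\\quarantine\\" in p:
        return "combofix-quarantine"   # already neutralised by ComboFix, renamed *.vir
    if "\\system volume information\\_restore" in p:
        return "restore-point"         # dormant copy inside a System Restore point
    return "live"                      # active location: the one to look at first


def summarise(text):
    """Counts by location and detection name, plus the paths needing attention."""
    items = parse_mbam_log(text)
    return {
        "total": len(items),
        "by_location": Counter(classify_location(i["path"]) for i in items),
        "by_name": Counter(i["name"] for i in items),
        "pending": [i["path"] for i in items if i["action"].startswith("No action")],
        "live": [i["path"] for i in items if classify_location(i["path"]) == "live"],
    }


if __name__ == "__main__":
    s = summarise(SAMPLE_LOG)
    print(f"{s['total']} detections, {len(s['pending'])} still pending action")
    for loc, n in s["by_location"].most_common():
        print(f"  {loc}: {n}")
    for path in s["live"]:
        print("  LIVE:", path)
```

Run it against a saved mbam-log-*.txt by passing the file contents to summarise(); the "live" list is the part worth reading first, since quarantine and restore-point copies are inert until something restores them.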

#15 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,505 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:02:47 AM

Posted 28 March 2010 - 02:29 AM

Hello Jval,

QUOTE
Should I delete all of these items? Also, by DDS log...you mean follow up with another HJT log?


Yes, delete those.

Download DDS and save it to your desktop from here or here or here.
Disable any script blocker, and then double click dds.scr to run the tool.

* When done, DDS will open two (2) logs:

1. DDS.txt
2. Attach.txt

Save both reports to your desktop and post the contents of the DDS.txt log. Save the other report in case I need to look at it later.

Things to include in your next reply:
DDS.txt
Attach.txt
How is your machine running now?
