Redirect virus


  • This topic is locked
18 replies to this topic

#1 rons9x7

  • Members
  • 11 posts

Posted 11 April 2010 - 03:40 PM

I am having the redirect issue as described in vivid detail so many times before....

Any help would be appreciated.

I have run the following to no avail:
All programs were updated with the latest files as of 4/11/2010
MalwareBytes - Full Scan : states the computer is clean(report included)
CA - AntiVirus - Full Scan : states the computer is clean
rKill - Nothing found
ComboFix - Full Scan : report included ( required an uninstall of CA Antivirus...:|)

MalwareBytes Log************************************************************************

Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org

Database version: 3975

Windows 5.1.2600 Service Pack 2
Internet Explorer 7.0.5730.13

4/10/2010 3:09:22 PM
mbam-log-2010-04-10 (15-09-22).txt

Scan type: Full scan (C:\|)
Objects scanned: 195156
Time elapsed: 1 hour(s), 44 minute(s), 42 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

MalwareBytes Log************************************************************************


rKill Log********************************************************************************

This log file is located at C:\rkill.log.
Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.
Ran as Ron on 04/11/2010 at 12:11:56.


Processes terminated by Rkill or while it was running:




Rkill completed on 04/11/2010 at 12:12:10.


rKill Log********************************************************************************

ComboFix Log***************************************************************************

ComboFix 10-04-10.02 - Ron 04/11/2010 12:55:23.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2047.1667 [GMT -7:00]
Running from: c:\downloads\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2010-03-11 to 2010-04-11 )))))))))))))))))))))))))))))))
.

2010-04-08 22:54 . 2010-04-08 22:54 186368 --sha-w- c:\documents and settings\Ron\Local Settings\Application Data\2695612429.dll
2010-04-08 13:10 . 2010-04-08 13:10 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-04-05 18:28 . 2010-04-05 18:28 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-04-05 18:28 . 2010-04-05 18:28 152576 ----a-w- c:\documents and settings\Ron\Application Data\Sun\Java\jre1.6.0_16\lzma.dll
2010-03-25 20:39 . 2008-08-26 16:26 18816 ----a-w- c:\windows\system32\drivers\pccsmcfd.sys
2010-03-25 20:39 . 2010-03-25 20:39 -------- d-----w- c:\program files\PC Connectivity Solution
2010-03-25 20:33 . 2010-03-25 20:23 34642680 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{D8DDC00B-2881-407D-AAC2-44AEE70AF0B7}\NokiaSoftwareUpdaterSetup_2.4.6EN.exe
2010-03-25 20:31 . 2010-03-27 23:11 -------- d-----w- c:\windows\SxsCaPendDel
2010-03-25 20:27 . 2010-03-25 20:27 3351812 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{D8DDC00B-2881-407D-AAC2-44AEE70AF0B7}\Installer\CommonCustomActions\msxml6Exec.exe
2010-03-25 20:27 . 2010-03-25 20:27 36864 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{D8DDC00B-2881-407D-AAC2-44AEE70AF0B7}\Installer\CommonCustomActions\Sleep.exe
2010-03-25 20:27 . 2010-03-25 20:27 3203453 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{D8DDC00B-2881-407D-AAC2-44AEE70AF0B7}\Installer\CommonCustomActions\vcredistExec.exe
2010-03-14 18:35 . 2010-03-14 18:35 -------- d-----w- c:\program files\dcmsvc
2010-03-14 18:34 . 2010-03-14 18:34 -------- d-----w- c:\documents and settings\Ron\Application Data\com.warnerbros.DigitalCopyManager.449F66ACC381FDC604DC2AA255FEECEEBBBEE1E5.1
2010-03-14 18:34 . 2010-03-14 18:32 38784 ----a-w- c:\documents and settings\Ron\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2010-03-14 18:34 . 2010-03-14 18:34 -------- d-----w- c:\program files\Warner Bros. Digital Copy Manager
2010-03-14 18:34 . 2010-03-14 18:32 38784 ----a-w- c:\documents and settings\Default User\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2010-03-14 18:34 . 2010-03-14 18:34 -------- d-----w- c:\program files\Common Files\Adobe AIR

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-11 19:46 . 2006-09-26 20:19 -------- d-----w- c:\program files\CA
2010-04-11 19:44 . 2007-09-15 18:27 12 ----a-w- c:\windows\bthservsdp.dat
2010-04-09 17:35 . 2008-11-22 17:25 -------- d-----w- c:\documents and settings\Ron\Application Data\Apple Computer
2010-04-08 21:38 . 2009-01-31 02:12 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-04-07 17:12 . 2008-11-22 18:00 1261576 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2010-04-07 17:11 . 2005-10-25 18:17 -------- d-----w- c:\program files\Trillian
2010-04-05 18:28 . 2006-05-19 22:58 -------- d-----w- c:\program files\Java
2010-04-04 02:01 . 2009-10-01 19:00 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-04 02:01 . 2009-10-01 19:01 5918776 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-03-30 07:46 . 2009-10-01 19:00 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-30 07:45 . 2009-10-01 19:00 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-26 21:49 . 2010-03-26 21:49 0 ---ha-w- c:\windows\system32\drivers\Msft_User_PCCSWpdDriver_01_07_00.Wdf
2010-03-26 21:49 . 2010-03-26 21:49 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_user_01_07_00.Wdf
2010-03-25 20:39 . 2008-10-15 16:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Installations
2010-03-25 20:39 . 2006-08-31 16:12 -------- d-----w- c:\program files\DIFX
2010-03-25 20:34 . 2006-08-31 16:02 -------- d-----w- c:\program files\Nokia
2010-03-25 20:33 . 2006-08-31 16:11 -------- d-----w- c:\program files\Common Files\Nokia
2010-03-25 20:18 . 2008-11-22 05:07 -------- d-----w- c:\documents and settings\Ron\Application Data\Nokia
2010-03-12 17:36 . 2010-02-12 07:36 -------- d-----w- c:\program files\Safari
2010-03-12 17:32 . 2010-03-12 17:32 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\Safari 5.31.22.7\SetupAdmin.exe
2010-03-12 00:25 . 2009-07-20 16:33 -------- d-----w- c:\program files\Stellar Phoenix Outlook PST Repair
2010-03-11 21:59 . 2010-03-11 21:52 -------- d-----w- c:\program files\Recover Data for OST to PST
2010-03-11 21:53 . 2010-03-11 16:43 -------- d-----w- c:\program files\Recover Data for OST to PST (Trial Version)
2010-03-11 03:37 . 2010-03-10 21:27 4 ----a-w- c:\windows\vx86036.dat
2010-03-11 03:17 . 2010-03-11 03:17 -------- d-----w- c:\documents and settings\Ron\Application Data\Kernel Ost to Pst (Evaluation Version)
2010-03-11 00:08 . 2010-03-10 21:27 -------- d-----w- c:\program files\Stellar Phoenix Windows Data Recovery
2010-03-10 21:41 . 2010-03-10 21:41 -------- d-----w- c:\program files\OfficeRecovery
2010-02-19 17:35 . 2010-02-19 17:35 -------- d-----w- c:\program files\Xvid
2010-02-19 17:31 . 2008-04-09 02:12 -------- d-----w- c:\program files\TurboTax
2010-02-15 19:54 . 2010-02-15 19:54 6 ----a-w- c:\windows\Fonts\wfonts.key
2010-02-12 07:34 . 2010-02-12 07:34 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\Safari 5.31.21.10\SetupAdmin.exe
.

((((((((((((((((((((((((((((( SnapShot@2010-04-09_17.37.18 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-04-11 19:45 . 2010-04-11 19:45 16384 c:\windows\Temp\Perflib_Perfdata_180.dat
+ 2004-08-04 12:00 . 2010-04-11 19:49 91578 c:\windows\system32\perfc009.dat
- 2004-08-04 12:00 . 2010-04-09 15:25 91578 c:\windows\system32\perfc009.dat
+ 2004-08-04 12:00 . 2010-04-11 19:49 494886 c:\windows\system32\perfh009.dat
- 2004-08-04 12:00 . 2010-04-09 15:25 494886 c:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 110592]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2007-03-17 1392640]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 31016]
"V0230Mon.exe"="c:\windows\V0230Mon.exe" [2006-09-07 32768]
"dcmsvc"="c:\program files\dcmsvc\dcmsvc.exe" [2009-04-07 30440]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2010-04-05 149280]

c:\documents and settings\Ron\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 98632]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2008-05-27 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-682003330-1060284298-839522115-1314\Scripts\Logoff\0\0]
"Script"=\\share\log$\out.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-682003330-1060284298-839522115-1314\Scripts\Logon\0\0]
"Script"=\\share\log$\in.cmd

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hpoddt01.exe.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\hpoddt01.exe.lnk
backup=c:\windows\pss\hpoddt01.exe.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^officejet 6100.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\officejet 6100.lnk
backup=c:\windows\pss\officejet 6100.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
backup=c:\windows\pss\Windows Search.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-11-11 07:08 417792 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Logitech\\Logitech Harmony Remote Software 7\\HarmonyRemote.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R2 LogWatch;Event Log Watch;c:\program files\CA\SharedComponents\CA_LIC\LogWatNT.exe [2/23/2005 3:56 PM 53248]
R3 V0230Vfx;V0230Vfx;c:\windows\system32\drivers\V0230Vfx.sys [7/21/2009 10:05 AM 6272]
R3 V0230VID;Live! Cam Video IM Pro;c:\windows\system32\drivers\V0230VID.sys [7/21/2009 10:05 AM 500608]
S3 Net6IM;Net6;c:\windows\system32\DRIVERS\net6im51.sys --> c:\windows\system32\DRIVERS\net6im51.sys [?]
S4 BMFTP-RELEASE;BlackMoon FTP Service; [x]
S4 CA_LIC_CLNT;CA License Client;c:\program files\CA\SharedComponents\CA_LIC\lic98rmt.exe [3/23/2005 2:17 PM 126976]
S4 MSSQL$SCHEMALOGIC;MSSQL$SCHEMALOGIC;c:\progra~1\MI6841~1\MSSQL$~1\binn\sqlservr.exe -sSCHEMALOGIC --> c:\progra~1\MI6841~1\MSSQL$~1\binn\sqlservr.exe -sSCHEMALOGIC [?]
S4 sdAuxService;Spyware Doctor Auxiliary Service;c:\program files\Spyware Doctor\svcntaux.exe --> c:\program files\Spyware Doctor\svcntaux.exe [?]
S4 SQLAgent$SCHEMALOGIC;SQLAgent$SCHEMALOGIC;c:\progra~1\MI6841~1\MSSQL$~1\binn\sqlagent.exe -i SCHEMALOGIC --> c:\progra~1\MI6841~1\MSSQL$~1\binn\sqlagent.exe -i SCHEMALOGIC [?]
.
Contents of the 'Scheduled Tasks' folder

2010-04-09 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 20:34]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Trusted Zone: intuit.com\ttlc
DPF: CabCCT - hxxps://www.bizatlarge.net/CCT/codebase/ActCtrl_Apptix.cab
FF - ProfilePath - c:\documents and settings\Ron\Application Data\Mozilla\Firefox\Profiles\iqu9cwts.default\
FF - prefs.js: browser.startup.homepage -
FF - plugin: c:\progra~1\Yahoo!\Common\npyaxmpb.dll
FF - plugin: c:\program files\Sony\Reader\Data\bin\npebldetectmoz.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-11 13:03
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe catchme.sys CLASSPNP.SYS disk.sys >>UNKNOWN [0x8A3F1AC8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf765bfc3
\Driver\ACPI -> ACPI.sys @ 0xf75aecb8
\Driver\atapi -> atapi.sys @ 0xf74827b4
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x8059e1a2
ParseProcedure -> ntoskrnl.exe @ 0x8057c745
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x8059e1a2
ParseProcedure -> ntoskrnl.exe @ 0x8057c745
NDIS: Broadcom 570x Gigabit Integrated Controller -> SendCompleteHandler -> NDIS.sys @ 0xf787fba0
PacketIndicateHandler -> NDIS.sys @ 0xf786ea0b
SendHandler -> NDIS.sys @ 0xf7882b31
user & kernel MBR OK

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(872)
c:\windows\system32\Ati2evxx.dll
c:\windows\System32\BCMLogon.dll

- - - - - - - > 'explorer.exe'(1540)
c:\windows\system32\hnetcfg.dll
c:\program files\Windows Desktop Search\deskbar.dll
c:\program files\Windows Desktop Search\en-us\dbres.dll.mui
c:\program files\Windows Desktop Search\dbres.dll
c:\program files\Windows Desktop Search\wordwheel.dll
c:\program files\Windows Desktop Search\en-us\msnlExtRes.dll.mui
c:\program files\Windows Desktop Search\msnlExtRes.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-04-11 13:07:26
ComboFix-quarantined-files.txt 2010-04-11 20:07
ComboFix2.txt 2010-04-09 17:40

Pre-Run: 13,340,540,928 bytes free
Post-Run: 13,471,875,072 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 1A0BCF4205D0AF747DA9BEFAB0CE0340

ComboFix Log***************************************************************************
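Worked example, added to this thread and not part of rons9x7's post or of ComboFix itself: a small Python triage script that reads ComboFix-style log lines like the ones above and returns the entries a malware-response helper would look at first. The line layouts (the eight-character attribute string in the "Files Created" section, and the two ways registry values are printed under "Reg Loading Points") are taken from the log as posted; the flagging rules are this example's own assumptions: a hidden+system executable with an all-digit name under a user profile, a Security Center override value set to 1, and EnableFirewall cleared. A flag means "inspect this", not a verdict that the file is malicious.

```python
"""Triage helper for ComboFix-style log excerpts (added example).

Parses two kinds of lines that appear in the log above:
  * "Files Created" / "Find3M" entries:
      <created> . <modified> <size> <attrs> <path>
  * registry dumps under "Reg Loading Points":
      [KEY] followed by "Name"=dword:XXXXXXXX  or  "Name"= N (0xN)
and returns the entries a helper would want to look at first.  The rules
are this example's assumptions, not ComboFix's own logic.
"""
import re
from dataclasses import dataclass

FILE_LINE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>\d+|-{8}) (?P<attrs>[-dshraw]{8}) (?P<path>\S.*)$"
)
KEY_LINE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_LINE = re.compile(
    r'^"(?P<name>[^"]+)"=\s*'
    r"(?:dword:(?P<hex>[0-9a-fA-F]{8})|(?P<dec>\d+)\s*\(0x[0-9a-fA-F]+\))"
)


@dataclass
class Finding:
    line: str    # the log line as written
    reason: str  # why it was flagged


def _numeric_executable(path: str) -> bool:
    """True for names like 2695612429.dll: all-digit stem, executable extension."""
    name = path.rsplit("\\", 1)[-1]
    stem, _, ext = name.rpartition(".")
    return stem.isdigit() and ext.lower() in {"dll", "exe", "sys"}


def triage(log_text: str) -> list:
    """Return Findings for the lines in log_text that match the triage rules."""
    findings = []
    current_key = ""  # most recent [KEY] header seen, lower-cased
    for raw in log_text.splitlines():
        line = raw.strip()
        m = FILE_LINE.match(line)
        if m:
            attrs, path = m["attrs"], m["path"]
            low = path.lower()
            # Assumption: a hidden+system executable with an all-digit name in a
            # user's Application Data tree is unusual for legitimate software.
            in_profile = "\\documents and settings\\" in low and "\\application data\\" in low
            if "h" in attrs and "s" in attrs and in_profile and _numeric_executable(path):
                findings.append(Finding(line, "hidden+system executable with numeric name under a user profile"))
            continue
        m = KEY_LINE.match(line)
        if m:
            current_key = m["key"].lower()
            continue
        m = VALUE_LINE.match(line)
        if not m:
            continue
        value = int(m["hex"], 16) if m["hex"] is not None else int(m["dec"])
        name = m["name"]
        if current_key.endswith("security center") and name in ("AntiVirusOverride", "FirewallOverride") and value == 1:
            findings.append(Finding(line, f"Security Center {name} is set: missing-AV/firewall alerts are suppressed"))
        elif "firewallpolicy" in current_key and name == "EnableFirewall" and value == 0:
            profile = current_key.rsplit("\\", 1)[-1]
            findings.append(Finding(line, f"Windows Firewall disabled for profile '{profile}'"))
    return findings


# Sample input: lines copied from the ComboFix log posted above, trimmed to the
# parts the parser cares about.  Benign entries are kept so the rules have
# something to ignore.
SAMPLE_LOG = r"""
2010-04-08 22:54 . 2010-04-08 22:54 186368 --sha-w- c:\documents and settings\Ron\Local Settings\Application Data\2695612429.dll
2010-04-05 18:28 . 2010-04-05 18:28 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-03-14 18:35 . 2010-03-14 18:35 -------- d-----w- c:\program files\dcmsvc
2010-03-26 21:49 . 2010-03-26 21:49 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_user_01_07_00.Wdf

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2010-04-05 149280]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.reason}\n    {f.line}")
```

Run it directly to print the findings for the embedded sample, or pass the full log text to `triage()` to scan a whole report. The script deliberately does not treat `2695612429.dll` as known malware; the rule only says that a hidden, system-attributed DLL with a numeric name that appeared in `Local Settings\Application Data` a few days before the thread was opened is the first thing to submit for analysis, and that the Security Center overrides and the disabled firewall explain why the scanners in the first post saw a "clean" machine without raising alarms about its defences.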



#2 Blade81

  • Malware Response Team
  • 6,465 posts
  • Location: Finland

Posted 14 April 2010 - 03:01 PM

Hi,

ComboFix should be run only if a trained helper advises you to do so.

Download DDS and save it to your desktop from here or here or here.
Disable any script blocker, and then double click dds.scr to run the tool.
  • When done, DDS will open two (2) logs:
    1. DDS.txt
    2. Attach.txt
  • Save both reports to your desktop. Post them back to your topic.
  • --
  • Download GMER here by clicking the "download exe" button and then saving it to your desktop:
    • Double-click the .exe that you downloaded.
    • Click the Rootkit tab, unselect "Files" and then click Scan.
    • Don't check the "Show All" box while scanning is in progress!
    • When scanning is ready, click Copy.
    • This copies the log to the clipboard.
    • Post the log (if the log is long, archive it into a zip file and attach it instead of posting) in your reply.

    Edited by Blade81, 14 April 2010 - 03:01 PM.


    Provided malware removal related instructions are meant to be used in the correspondent user's case only. If you have similar symptoms create own topic instead of following instructions given to some other, please.


    #3 rons9x7

    • Topic Starter
    • Members
    • 11 posts

    Posted 14 April 2010 - 03:53 PM

    Thanks for your help, Blade81.
    Here are the text dumps from the DDS utility.



    ATTACH.TXT*********************************************************************


    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT

    DDS (Ver_10-03-17.01)

    Microsoft Windows XP Professional
    Boot Device: \Device\HarddiskVolume1
    Install Date: 10/11/2005 10:36:11 PM
    System Uptime: 4/12/2010 8:44:43 AM (3 hours ago)

    Motherboard: Dell Inc. | | 0X1193
    Processor: Intel® Pentium® 4 CPU 3.40GHz | Microprocessor | 3391/200mhz
    Processor: Intel® Pentium® 4 CPU 3.40GHz | Microprocessor | 3391/200mhz

    ==== Disk Partitions =========================

    C: is FIXED (NTFS) - 56 GiB total, 12.545 GiB free.
    D: is CDROM ()
    F: is Removable
    G: is Removable
    H: is Removable

    ==== Disabled Device Manager Items =============

    Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
    Description: VMware Virtual Ethernet Adapter for VMnet1
    Device ID: ROOT\VMWARE\0000
    Manufacturer: VMware, Inc.
    Name: VMware Virtual Ethernet Adapter for VMnet1
    PNP Device ID: ROOT\VMWARE\0000
    Service: VMnetAdapter

    Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
    Description: VMware Virtual Ethernet Adapter for VMnet8
    Device ID: ROOT\VMWARE\0001
    Manufacturer: VMware, Inc.
    Name: VMware Virtual Ethernet Adapter for VMnet8
    PNP Device ID: ROOT\VMWARE\0001
    Service: VMnetAdapter

    Class GUID: {EEC5AD98-8080-425F-922A-DABF3DE3F69A}
    Description: Nokia E61
    Device ID: ROOT\WPD\0000
    Manufacturer: Nokia
    Name: Nokia E61
    PNP Device ID: ROOT\WPD\0000
    Service: WUDFRd

    ==== System Restore Points ===================

    RP1: 4/9/2010 10:20:38 AM - System Checkpoint
    RP2: 4/11/2010 11:03:36 AM - System Checkpoint
    RP3: 4/11/2010 12:36:50 PM - Removed Bonjour

    ==== Installed Programs ======================


    Adobe AIR
    Adobe Digital Editions
    Adobe Flash Player 10 ActiveX
    Adobe Flash Player 10 Plugin
    Adobe Reader 7.0.8
    AnswerWorks 4.0 Runtime - English
    AnswerWorks 5.0 English Runtime
    Apple Application Support
    Apple Mobile Device Support
    Apple Software Update
    ATI - Software Uninstall Utility
    ATI Control Panel
    ATI Display Driver
    BLOCKBUSTER Movielink
    Broadcom Gigabit Integrated Controller
    C-Major Audio
    Conexant D480 MDC V.92 Modem
    Creative Live! Cam Video IM Pro Driver (1.02.02.1018)
    Crystal Reports XI
    dcmsvc 1.0
    Dell Printer Software Uninstall
    Dell ResourceCD
    Dell Wireless WLAN Card
    Digital Camera Driver
    EditPlus 2
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Windows Media Format 11 SDK (KB929399)
    Hotfix for Windows Media Player 11 (KB939683)
    Hotfix for Windows XP (KB914440)
    Hotfix for Windows XP (KB915800-v4)
    Hotfix for Windows XP (KB915865)
    Hotfix for Windows XP (KB926239)
    Hotfix for Windows XP (KB952287)
    Hotfix for Windows XP (KB954550-v5)
    hp officejet 6100 series
    HP Photo and Imaging 2.0 - All-in-One
    HP Photo and Imaging 2.0 - All-in-One Drivers
    HP Photo and Imaging 2.0 - hp officejet 6100 series
    iTunes
    Java™ 6 Update 16
    Logitech Harmony Remote Software 7
    Malwarebytes' Anti-Malware
    Microsoft .NET Framework 2.0 Service Pack 2
    Microsoft .NET Framework 3.0 Service Pack 2
    Microsoft .NET Framework 3.5 SP1
    Microsoft Compression Client Pack 1.0 for Windows XP
    Microsoft Internationalized Domain Names Mitigation APIs
    Microsoft National Language Support Downlevel APIs
    Microsoft Office Access MUI (English) 2007
    Microsoft Office Access Setup Metadata MUI (English) 2007
    Microsoft Office Enterprise 2007
    Microsoft Office Excel MUI (English) 2007
    Microsoft Office Groove MUI (English) 2007
    Microsoft Office Groove Setup Metadata MUI (English) 2007
    Microsoft Office InfoPath MUI (English) 2007
    Microsoft Office Live Meeting 2005
    Microsoft Office OneNote MUI (English) 2007
    Microsoft Office Outlook Connector
    Microsoft Office Outlook MUI (English) 2007
    Microsoft Office PowerPoint MUI (English) 2007
    Microsoft Office Project Professional 2003
    Microsoft Office Proof (English) 2007
    Microsoft Office Proof (French) 2007
    Microsoft Office Proof (Spanish) 2007
    Microsoft Office Proofing (English) 2007
    Microsoft Office Publisher MUI (English) 2007
    Microsoft Office Shared MUI (English) 2007
    Microsoft Office Shared Setup Metadata MUI (English) 2007
    Microsoft Office Visio Professional 2003
    Microsoft Office Word MUI (English) 2007
    Microsoft Save as PDF or XPS Add-in for 2007 Microsoft Office programs
    Microsoft Software Update for Web Folders (English) 12
    Microsoft SQL Server 2000
    Microsoft SQL Server 2000 (SCHEMALOGIC)
    Microsoft SQL Server 2000 Driver for JDBC Service Pack 2
    Microsoft User-Mode Driver Framework Feature Pack 1.7
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
    Mozilla Firefox (3.6)
    MSVC80_x86
    MSXML 4.0 SP2 (KB936181)
    MSXML 6.0 Parser (KB933579)
    Nero 6 Ultra Edition
    Nokia Configuration Tool 2.1
    Nokia Connectivity Cable Driver
    Nokia PC Suite
    Nokia Software Updater
    PC Connectivity Solution
    Pdf995
    PRS-500 USB driver
    QuickTime
    Reader Library by Sony
    Recover Data for OST to PST
    Remote Control USB Driver
    Safari
    Security Update for Windows Internet Explorer 7 (KB969897)
    Security Update for Windows Media Player (KB911564)
    Security Update for Windows Media Player 11 (KB936782)
    Security Update for Windows Media Player 11 (KB954154)
    Security Update for Windows Media Player 6.4 (KB925398)
    Security Update for Windows XP (KB908519)
    Security Update for Windows XP (KB911562)
    Security Update for Windows XP (KB911927)
    Security Update for Windows XP (KB913580)
    Security Update for Windows XP (KB914388)
    Security Update for Windows XP (KB914389)
    Security Update for Windows XP (KB917344)
    Security Update for Windows XP (KB917953)
    Security Update for Windows XP (KB918118)
    Security Update for Windows XP (KB918439)
    Security Update for Windows XP (KB919007)
    Security Update for Windows XP (KB920213)
    Security Update for Windows XP (KB920670)
    Security Update for Windows XP (KB920683)
    Security Update for Windows XP (KB920685)
    Security Update for Windows XP (KB921503)
    Security Update for Windows XP (KB922819)
    Security Update for Windows XP (KB923191)
    Security Update for Windows XP (KB923414)
    Security Update for Windows XP (KB923980)
    Security Update for Windows XP (KB924270)
    Security Update for Windows XP (KB924496)
    Security Update for Windows XP (KB924667)
    Security Update for Windows XP (KB925902)
    Security Update for Windows XP (KB926255)
    Security Update for Windows XP (KB926436)
    Security Update for Windows XP (KB927779)
    Security Update for Windows XP (KB927802)
    Security Update for Windows XP (KB928255)
    Security Update for Windows XP (KB928843)
    Security Update for Windows XP (KB929123)
    Security Update for Windows XP (KB930178)
    Security Update for Windows XP (KB931261)
    Security Update for Windows XP (KB931784)
    Security Update for Windows XP (KB932168)
    Security Update for Windows XP (KB935839)
    Security Update for Windows XP (KB935840)
    Security Update for Windows XP (KB936021)
    Security Update for Windows XP (KB937143)
    Security Update for Windows XP (KB938127)
    Security Update for Windows XP (KB938464)
    Security Update for Windows XP (KB938829)
    Security Update for Windows XP (KB941569)
    Security Update for Windows XP (KB944338-v2)
    Security Update for Windows XP (KB946648)
    Security Update for Windows XP (KB950749)
    Security Update for Windows XP (KB950762)
    Security Update for Windows XP (KB950974)
    Security Update for Windows XP (KB951066)
    Security Update for Windows XP (KB951376-v2)
    Security Update for Windows XP (KB951698)
    Security Update for Windows XP (KB951748)
    Security Update for Windows XP (KB952954)
    Security Update for Windows XP (KB954211)
    Security Update for Windows XP (KB956390)
    Security Update for Windows XP (KB956391)
    Security Update for Windows XP (KB956803)
    Security Update for Windows XP (KB956841)
    Security Update for Windows XP (KB957095)
    Security Update for Windows XP (KB958644)
    SnagIt 6
    System Commander
    Time Zone Data Update Tool for Microsoft Office Outlook
    Trillian
    TurboTax 2008
    TurboTax 2008 WinPerFedFormset
    TurboTax 2008 WinPerProgramHelp
    TurboTax 2008 WinPerReleaseEngine
    TurboTax 2008 WinPerTaxSupport
    TurboTax 2008 WinPerUserEducation
    TurboTax 2008 wrapper
    TurboTax 2009
    TurboTax 2009 WinPerFedFormset
    TurboTax 2009 WinPerReleaseEngine
    TurboTax 2009 WinPerTaxSupport
    TurboTax 2009 wrapper
    TurboTax Premier 2007
    Update for Windows XP (KB900485)
    Update for Windows XP (KB904942)
    Update for Windows XP (KB908531)
    Update for Windows XP (KB910437)
    Update for Windows XP (KB911280)
    Update for Windows XP (KB916595)
    Update for Windows XP (KB920872)
    Update for Windows XP (KB922582)
    Update for Windows XP (KB927891)
    Update for Windows XP (KB930916)
    Update for Windows XP (KB931836)
    Update for Windows XP (KB936357)
    Update for Windows XP (KB938828)
    Update for Windows XP (KB951072-v2)
    VMware Workstation
    VoiceOver Kit
    Warner Bros. Digital Copy Manager
    WebEx
    WebFldrs XP
    Windows Driver Package - Nokia Modem (02/23/2009 7.01.0.2)
    Windows Driver Package - Nokia Modem (02/24/2009 4.0)
    Windows Driver Package - Nokia Modem (05/22/2008 3.8)
    Windows Driver Package - Nokia Modem (05/22/2008 7.00.0.1)
    Windows Driver Package - Nokia pccsmcfd (08/22/2008 7.0.0.0)
    Windows Driver Package - Sony Corporation (PRSUSB) USB (08/08/2006 1.0.03.08080)
    Windows Genuine Advantage v1.3.0254.0
    Windows Genuine Advantage Validation Tool (KB892130)
    Windows Imaging Component
    Windows Internet Explorer 7
    Windows Media Format 11 runtime
    Windows Media Player 11
    Windows Search 4.0
    Windows XP Hotfix - KB884020
    WinRAR archiver
    WinZip
    Xvid 1.2.2 final uninstall
    Yahoo! Messenger

    ==== Event Viewer Messages From Past Week ========

    4/9/2010 11:24:02 AM, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service MDM with arguments "" in order to run the server: {943B6A75-BB5E-41A7-A6D3-A1A5E892B33B}
    4/9/2010 10:24:05 AM, error: Service Control Manager [7034] - The Dell Wireless WLAN Tray Service service terminated unexpectedly. It has done this 1 time(s).
    4/9/2010 10:00:20 AM, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service MDM with arguments "" in order to run the server: {0C0A3666-30C9-11D0-8F20-00805F2CD064}
    4/8/2010 8:02:51 AM, error: Service Control Manager [7023] - The Computer Browser service terminated with the following error: This operation returned because the timeout period expired.
    4/8/2010 3:52:50 PM, error: Service Control Manager [7034] - The Intuit Update Service service terminated unexpectedly. It has done this 1 time(s).
    4/8/2010 11:18:41 AM, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service WSearch with arguments "" in order to run the server: {7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}
    4/8/2010 1:57:30 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: IntelIde
    4/8/2010 1:57:17 PM, error: Ftdisk [49] - Configuring the Page file for crash dump failed. Make sure there is a page file on the boot partition and that is large enough to contain all physical memory.
    4/8/2010 1:57:17 PM, error: Ftdisk [45] - The system could not sucessfully load the crash dump driver.
    4/12/2010 9:06:26 AM, error: Service Control Manager [7034] - The Network Location Awareness (NLA) service terminated unexpectedly. It has done this 2 time(s).
    4/12/2010 9:06:26 AM, error: Service Control Manager [7034] - The COM+ Event System service terminated unexpectedly. It has done this 2 time(s).
    4/12/2010 9:06:26 AM, error: Service Control Manager [7031] - The Help and Support service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 100 milliseconds: Restart the service.
    4/12/2010 9:06:26 AM, error: Service Control Manager [7031] - The Background Intelligent Transfer Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
    4/12/2010 8:13:15 AM, error: WPDMTPDriver [15300] - MTP WPD Driver has failed to start. Error 0x80070057.
    4/12/2010 10:30:39 AM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the stisvc service.
    4/11/2010 12:27:14 PM, error: Service Control Manager [7034] - The Terminal Services service terminated unexpectedly. It has done this 1 time(s).
    4/11/2010 12:27:14 PM, error: Service Control Manager [7031] - The DCOM Server Process Launcher service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Reboot the machine.
    4/11/2010 12:25:14 PM, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service CaCCProvSP with arguments "" in order to run the server: {AACF4A1C-BC69-4359-9518-DF3F77E462BF}
    4/11/2010 12:24:30 PM, error: Service Control Manager [7001] - The VET Message Service service depends on the CAISafe service which failed to start because of the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
    4/11/2010 12:24:30 PM, error: BTHUSB [17] - The local Bluetooth radio has failed in an undetermined manner and will be unloaded.
    4/11/2010 12:18:05 PM, error: Service Control Manager [7032] - The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Windows Management Instrumentation service, but this action failed with the following error: An instance of the service is already running.
    4/11/2010 12:16:48 PM, error: Service Control Manager [7034] - The CaCCProvSP service terminated unexpectedly. It has done this 2 time(s).
    4/11/2010 12:16:23 PM, error: Service Control Manager [7034] - The HIPS Event Manager service terminated unexpectedly. It has done this 1 time(s).
    4/11/2010 12:16:10 PM, error: Service Control Manager [7034] - The Bonjour Service service terminated unexpectedly. It has done this 1 time(s).
    4/11/2010 12:15:59 PM, error: Service Control Manager [7031] - The CAISafe service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
    4/11/2010 12:15:54 PM, error: Service Control Manager [7034] - The Java Quick Starter service terminated unexpectedly. It has done this 1 time(s).
    4/11/2010 12:03:54 PM, error: Service Control Manager [7034] - The Application Layer Gateway Service service terminated unexpectedly. It has done this 1 time(s).
    4/11/2010 12:00:56 PM, error: Service Control Manager [7034] - The CaCCProvSP service terminated unexpectedly. It has done this 1 time(s).

    ==== End Of File ===========================

    ATTACH.TXT

    DDS.TXT*************************************************************************


    DDS (Ver_10-03-17.01) - NTFSx86
    Run by Ron at 11:33:10.10 on Mon 04/12/2010
    Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_16
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2047.1450 [GMT -7:00]


    ============== Running Processes ===============

    C:\WINDOWS\system32\svchost -k DcomLaunch
    C:\WINDOWS\system32\svchost -k rpcss
    C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
    C:\WINDOWS\system32\svchost.exe -k NetworkService
    C:\WINDOWS\System32\bcmwltry.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\svchost.exe -k bthsvcs
    C:\WINDOWS\system32\crypserv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\WINDOWS\system32\WLTRAY.exe
    C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
    C:\WINDOWS\V0230Mon.exe
    C:\Program Files\dcmsvc\dcmsvc.exe
    C:\WINDOWS\system32\taskmgr.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\system32\svchost.exe -k LocalService
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\WINDOWS\system32\svchost.exe -k netsvcs
    C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
    C:\WINDOWS\system32\wbem\wmiprvse.exe
    C:\Program Files\Java\jre6\bin\jqsnotify.exe
    C:\Documents and Settings\Ron\My Documents\Downloads\dds.scr

    ============== Pseudo HJT Report ===============

    uStart Page = about:blank
    BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
    BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL
    BHO: {af7ab554-dcee-4f4c-a4ba-3e800d238101} - janilaje.dll
    BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    uRun: [Messenger (Yahoo!)] "c:\progra~1\yahoo!\messen~1\YAHOOM~1.EXE" -quiet
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
    mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
    mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
    mRun: [V0230Mon.exe] c:\windows\V0230Mon.exe
    mRun: [dcmsvc] c:\program files\dcmsvc\dcmsvc.exe
    mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
    mRun: [wegayihon] Rundll32.exe "c:\windows\system32\tipigola.dll",a
    mRun: [podevofefa] Rundll32.exe "sevikuji.dll",s
    StartupFolder: c:\docume~1\ron\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
    Trusted Zone: intuit.com\ttlc
    DPF: CabCCT - hxxps://www.bizatlarge.net/CCT/codebase/ActCtrl_Apptix.cab
    DPF: {00000075-9980-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/voxacm.CAB
    DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx1.hotmail.com/mail/w3/resources/MSNPUpld.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\micros~2\office12\GR99D3~1.DLL
    Notify: AtiExtEvent - Ati2evxx.dll
    AppInit_DLLs: c:\windows\system32\tipigola.dll,lewowesa.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    SSODL: zefeforof - {33c7be52-5df3-4176-a1f0-ef347e389dc6} - c:\windows\system32\tipigola.dll
    STS: mujuzedij: {33c7be52-5df3-4176-a1f0-ef347e389dc6} - c:\windows\system32\tipigola.dll
    SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL
    SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
    LSA: Notification Packages = scecli lewowesa.dll
    IFEO: MpCmdRun.exe - c:\windows\system32\svchost.exe
    IFEO: MSASCui.exe - c:\windows\system32\svchost.exe
    IFEO: MsMpEng.exe - c:\windows\system32\svchost.exe
    IFEO: msseces.exe - c:\windows\system32\svchost.exe

    ================= FIREFOX ===================

    FF - ProfilePath - c:\docume~1\ron\applic~1\mozilla\firefox\profiles\iqu9cwts.default\
    FF - prefs.js: browser.startup.homepage -
    FF - plugin: c:\progra~1\yahoo!\common\npyaxmpb.dll
    FF - plugin: c:\program files\sony\reader\data\bin\npebldetectmoz.dll
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}

    ---- FIREFOX POLICIES ----
    c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
    c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
    c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
    c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
    c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
    c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
    c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
    c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

    ============= SERVICES / DRIVERS ===============

    R2 LogWatch;Event Log Watch;c:\program files\ca\sharedcomponents\ca_lic\LogWatNT.exe [2005-2-23 53248]
    R3 V0230Vfx;V0230Vfx;c:\windows\system32\drivers\V0230Vfx.sys [2009-7-21 6272]
    R3 V0230VID;Live! Cam Video IM Pro;c:\windows\system32\drivers\V0230VID.sys [2009-7-21 500608]
    S1 IKFileFlt;File Filter Driver;c:\windows\system32\drivers\ikfileflt.sys --> c:\windows\system32\drivers\ikfileflt.sys [?]
    S1 IKFileSec;File Security Driver;c:\windows\system32\drivers\ikfilesec.sys --> c:\windows\system32\drivers\ikfilesec.sys [?]
    S1 IkSysFlt;System Filter Driver;c:\windows\system32\drivers\iksysflt.sys --> c:\windows\system32\drivers\iksysflt.sys [?]
    S1 IKSysSec;System Security Driver;c:\windows\system32\drivers\iksyssec.sys --> c:\windows\system32\drivers\iksyssec.sys [?]
    S3 Net6IM;Net6;c:\windows\system32\drivers\net6im51.sys --> c:\windows\system32\drivers\net6im51.sys [?]
    S4 BMFTP-RELEASE;BlackMoon FTP Service; [x]
    S4 CA_LIC_CLNT;CA License Client;c:\program files\ca\sharedcomponents\ca_lic\lic98rmt.exe [2005-3-23 126976]
    S4 MSSQL$SCHEMALOGIC;MSSQL$SCHEMALOGIC;c:\progra~1\mi6841~1\mssql$~1\binn\sqlservr.exe -sschemalogic --> c:\progra~1\mi6841~1\mssql$~1\binn\sqlservr.exe -sSCHEMALOGIC [?]
    S4 sdAuxService;Spyware Doctor Auxiliary Service;c:\program files\spyware doctor\svcntaux.exe --> c:\program files\spyware doctor\svcntaux.exe [?]
    S4 sdCoreService;Spyware Doctor Service;c:\program files\spyware doctor\swdsvc.exe --> c:\program files\spyware doctor\swdsvc.exe [?]
    S4 SQLAgent$SCHEMALOGIC;SQLAgent$SCHEMALOGIC;c:\progra~1\mi6841~1\mssql$~1\binn\sqlagent.exe -i schemalogic --> c:\progra~1\mi6841~1\mssql$~1\binn\sqlagent.exe -i SCHEMALOGIC [?]

    =============== Created Last 30 ================

    2010-04-12 17:19:48 94720 --sh--w- c:\windows\system32\tipigola.dll
    2010-04-12 17:19:48 65024 --sh--w- c:\windows\system32\dujujewo.dll
    2010-04-12 17:19:48 64512 --sh--w- c:\windows\system32\deyagehu.dll
    2010-04-12 15:36:57 94720 ---ha-w- c:\windows\system32\BIT9F.tmp
    2010-04-11 22:47:42 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdMtpDr_01_00_00.Wdf
    2010-04-11 19:52:53 0 d-sha-r- C:\cmdcons
    2010-04-09 17:20:41 77312 ----a-w- c:\windows\MBR.exe
    2010-04-09 17:20:41 261632 ----a-w- c:\windows\PEV.exe
    2010-04-09 17:20:41 161792 ----a-w- c:\windows\SWREG.exe
    2010-04-09 17:20:40 98816 ----a-w- c:\windows\sed.exe
    2010-04-05 18:28:59 73728 ----a-w- c:\windows\system32\javacpl.cpl
    2010-04-05 18:28:59 411368 ----a-w- c:\windows\system32\deploytk.dll
    2010-03-26 21:49:45 0 ---ha-w- c:\windows\system32\drivers\Msft_User_PCCSWpdDriver_01_07_00.Wdf
    2010-03-26 21:49:38 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_user_01_07_00.Wdf
    2010-03-25 20:39:55 18816 ----a-w- c:\windows\system32\drivers\pccsmcfd.sys
    2010-03-25 20:39:46 0 d-----w- c:\program files\PC Connectivity Solution
    2010-03-25 20:31:45 0 d-----w- c:\windows\SxsCaPendDel
    2010-03-14 18:35:21 0 d-----w- c:\program files\dcmsvc
    2010-03-14 18:34:46 0 d-----w- c:\docume~1\ron\applic~1\com.warnerbros.DigitalCopyManager.449F66ACC381FDC604DC2AA255FEECEEBBBEE1E5.1
    2010-03-14 18:34:34 0 d-----w- c:\program files\Warner Bros. Digital Copy Manager

    ==================== Find3M ====================

    2010-03-30 07:46:30 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-03-30 07:45:52 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-01-12 17:21:19 65024 --sha-w- c:\windows\system32\janilaje.dll
    2010-01-12 02:16:08 94208 --sha-w- c:\windows\system32\maligoha.dll
    2010-01-12 02:16:08 41472 --sha-w- c:\windows\system32\merenugu.dll
    2010-01-12 17:21:19 65024 --sha-w- c:\windows\system32\sevikuji.dll

    ============= FINISH: 11:34:41.85 ===============

    DDS.TXT************************************************************************



    #4 rons9x7


    Posted 14 April 2010 - 04:24 PM

    Here is the GMER log...

    GMER 1.0.15.15281 - http://www.gmer.net
    Rootkit scan 2010-04-14 14:10:29
    Windows 5.1.2600 Service Pack 2
    Running: t81r0x0d.exe; Driver: C:\DOCUME~1\Ron\LOCALS~1\Temp\kwriiuow.sys


    ---- Kernel code sections - GMER 1.0.15 ----

    .rsrc C:\WINDOWS\System32\DRIVERS\RDPCDD.sys entry point in ".rsrc" section [0xF79D3C14]

    ---- User code sections - GMER 1.0.15 ----

    .text C:\WINDOWS\V0230Mon.exe[232] kernel32.dll!GetFileAttributesW 7C80B74C 3 Bytes JMP 010C1BEC C:\WINDOWS\system32\lewowesa.dll
    .text C:\WINDOWS\V0230Mon.exe[232] kernel32.dll!GetFileAttributesW + 4 7C80B750 1 Byte [84]
    .text C:\WINDOWS\V0230Mon.exe[232] kernel32.dll!FindFirstFileExW 7C80EA7D 3 Bytes JMP 010C1B16 C:\WINDOWS\system32\lewowesa.dll
    .text C:\WINDOWS\V0230Mon.exe[232] kernel32.dll!FindFirstFileExW + 4 7C80EA81 1 Byte [84]
    .text C:\WINDOWS\V0230Mon.exe[232] kernel32.dll!FindNextFileW 7C80EF3A 7 Bytes JMP 010C1B7C C:\WINDOWS\system32\lewowesa.dll
    .text C:\WINDOWS\V0230Mon.exe[232] kernel32.dll!CreateFileW 7C810760 3 Bytes JMP 010C1B93 C:\WINDOWS\system32\lewowesa.dll
    .text C:\WINDOWS\V0230Mon.exe[232] kernel32.dll!CreateFileW + 4 7C810764 1 Byte [84]
    .text C:\WINDOWS\V0230Mon.exe[232] kernel32.dll!DeleteFileW 7C831F31 5 Bytes JMP 010C1C79 C:\WINDOWS\system32\lewowesa.dll
    .text C:\WINDOWS\V0230Mon.exe[232] kernel32.dll!MoveFileExW 7C83565B 5 Bytes JMP 010C1D4A C:\WINDOWS\system32\lewowesa.dll
    .text C:\WINDOWS\V0230Mon.exe[232] kernel32.dll!Module32FirstW 7C864177 5 Bytes JMP 010C1C23 C:\WINDOWS\system32\lewowesa.dll
    .text C:\WINDOWS\V0230Mon.exe[232] kernel32.dll!Module32NextW 7C864314 5 Bytes JMP 010C1C62 C:\WINDOWS\system32\lewowesa.dll
    .text C:\WINDOWS\V0230Mon.exe[232] PSAPI.DLL!EnumProcessModules 76BF1F1C 5 Bytes JMP 010C1CB0 C:\WINDOWS\system32\lewowesa.dll
    .text C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE[336] kernel32.dll!GetFileAttributesW 7C80B74C 5 Bytes JMP 10001BEC C:\WINDOWS\system32\sevikuji.dll
    .text C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE[336] kernel32.dll!FindFirstFileExW 7C80EA7D 5 Bytes JMP 10001B16 C:\WINDOWS\system32\sevikuji.dll
    .text C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE[336] kernel32.dll!FindNextFileW 7C80EF3A 7 Bytes JMP 10001B7C C:\WINDOWS\system32\sevikuji.dll
    .text C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE[336] kernel32.dll!CreateFileW 7C810760 5 Bytes JMP 10001B93 C:\WINDOWS\system32\sevikuji.dll
    .text C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE[336] kernel32.dll!DeleteFileW 7C831F31 5 Bytes JMP 10001C79 C:\WINDOWS\system32\sevikuji.dll
    .text C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE[336] kernel32.dll!MoveFileExW 7C83565B 5 Bytes JMP 10001D4A C:\WINDOWS\system32\sevikuji.dll
    .text C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE[336] kernel32.dll!Module32FirstW 7C864177 5 Bytes JMP 10001C23 C:\WINDOWS\system32\sevikuji.dll
    .text C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE[336] kernel32.dll!Module32NextW 7C864314 5 Bytes JMP 10001C62 C:\WINDOWS\system32\sevikuji.dll
    .text C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE[336] PSAPI.DLL!EnumProcessModules 76BF1F1C 5 Bytes JMP 10001CB0 C:\WINDOWS\system32\sevikuji.dll
    .text C:\WINDOWS\system32\ctfmon.exe[344] kernel32.dll!GetFileAttributesW 7C80B74C 5 Bytes JMP 00D91BEC C:\WINDOWS\system32\sevikuji.dll
    .text C:\WINDOWS\system32\ctfmon.exe[344] kernel32.dll!FindFirstFileExW 7C80EA7D 5 Bytes JMP 00D91B16 C:\WINDOWS\system32\sevikuji.dll
    .text C:\WINDOWS\system32\ctfmon.exe[344] kernel32.dll!FindNextFileW 7C80EF3A 7 Bytes JMP 00D91B7C C:\WINDOWS\system32\sevikuji.dll
    .text C:\WINDOWS\system32\ctfmon.exe[344] kernel32.dll!CreateFileW 7C810760 5 Bytes JMP 00D91B93 C:\WINDOWS\system32\sevikuji.dll
    .text C:\WINDOWS\system32\ctfmon.exe[344] kernel32.dll!DeleteFileW 7C831F31 5 Bytes JMP 00D91C79 C:\WINDOWS\system32\sevikuji.dll
    .text C:\WINDOWS\system32\ctfmon.exe[344] kernel32.dll!MoveFileExW 7C83565B 5 Bytes JMP 00D91D4A C:\WINDOWS\system32\sevikuji.dll
    .text C:\WINDOWS\system32\ctfmon.exe[344] kernel32.dll!Module32FirstW 7C864177 5 Bytes JMP 00D91C23 C:\WINDOWS\system32\sevikuji.dll
    .text C:\WINDOWS\system32\ctfmon.exe[344] kernel32.dll!Module32NextW 7C864314 5 Bytes JMP 00D91C62 C:\WINDOWS\system32\sevikuji.dll
    .text C:\WINDOWS\system32\ctfmon.exe[344] PSAPI.DLL!EnumProcessModules 76BF1F1C 5 Bytes JMP 00D91CB0 C:\WINDOWS\system32\sevikuji.dll
    .text C:\WINDOWS\System32\WLTRYSVC.EXE[372] kernel32.dll!GetFileAttributesW 7C80B74C 5 Bytes JMP 008F1BEC C:\WINDOWS\System32\lewowesa.dll
    .text C:\WINDOWS\System32\WLTRYSVC.EXE[372] kernel32.dll!FindFirstFileExW 7C80EA7D 5 Bytes JMP 008F1B16 C:\WINDOWS\System32\lewowesa.dll
    .text C:\WINDOWS\System32\WLTRYSVC.EXE[372] kernel32.dll!FindNextFileW 7C80EF3A 7 Bytes JMP 008F1B7C C:\WINDOWS\System32\lewowesa.dll
    .text C:\WINDOWS\System32\WLTRYSVC.EXE[372] kernel32.dll!CreateFileW 7C810760 5 Bytes JMP 008F1B93 C:\WINDOWS\System32\lewowesa.dll
    .text C:\WINDOWS\System32\WLTRYSVC.EXE[372] kernel32.dll!DeleteFileW 7C831F31 5 Bytes JMP 008F1C79 C:\WINDOWS\System32\lewowesa.dll
    .text C:\WINDOWS\System32\WLTRYSVC.EXE[372] kernel32.dll!MoveFileExW 7C83565B 5 Bytes JMP 008F1D4A C:\WINDOWS\System32\lewowesa.dll
    .text C:\WINDOWS\System32\WLTRYSVC.EXE[372] kernel32.dll!Module32FirstW 7C864177 5 Bytes JMP 008F1C23 C:\WINDOWS\System32\lewowesa.dll
    .text C:\WINDOWS\System32\WLTRYSVC.EXE[372] kernel32.dll!Module32NextW 7C864314 5 Bytes JMP 008F1C62 C:\WINDOWS\System32\lewowesa.dll
    .text C:\WINDOWS\System32\WLTRYSVC.EXE[372] PSAPI.DLL!EnumProcessModules 76BF1F1C 5 Bytes JMP 008F1CB0 C:\WINDOWS\System32\lewowesa.dll
    .text C:\WINDOWS\Explorer.EXE[460] ntdll.dll!NtProtectVirtualMemory 7C90DEB6 5 Bytes JMP 03ED000A
    .text C:\WINDOWS\Explorer.EXE[460] ntdll.dll!NtWriteVirtualMemory 7C90EA32 5 Bytes JMP 04B0000A
    .text C:\WINDOWS\Explorer.EXE[460] ntdll.dll!KiUserExceptionDispatcher 7C90EAEC 5 Bytes JMP 03EC000A
    .text C:\Program Files\Java\jre6\bin\jqs.exe[856] kernel32.dll!GetFileAttributesW 7C80B74C 5 Bytes JMP 00691BEC C:\WINDOWS\system32\lewowesa.dll
    .text C:\Program Files\Java\jre6\bin\jqs.exe[856] kernel32.dll!FindFirstFileExW 7C80EA7D 5 Bytes JMP 00691B16 C:\WINDOWS\system32\lewowesa.dll
    .text C:\Program Files\Java\jre6\bin\jqs.exe[856] kernel32.dll!FindNextFileW 7C80EF3A 7 Bytes JMP 00691B7C C:\WINDOWS\system32\lewowesa.dll
    .text C:\Program Files\Java\jre6\bin\jqs.exe[856] kernel32.dll!CreateFileW 7C810760 5 Bytes JMP 00691B93 C:\WINDOWS\system32\lewowesa.dll
    .text C:\Program Files\Java\jre6\bin\jqs.exe[856] kernel32.dll!DeleteFileW 7C831F31 5 Bytes JMP 00691C79 C:\WINDOWS\system32\lewowesa.dll
    .text C:\Program Files\Java\jre6\bin\jqs.exe[856] kernel32.dll!MoveFileExW 7C83565B 5 Bytes JMP 00691D4A C:\WINDOWS\system32\lewowesa.dll
    .text C:\Program Files\Java\jre6\bin\jqs.exe[856] kernel32.dll!Module32FirstW 7C864177 5 Bytes JMP 00691C23 C:\WINDOWS\system32\lewowesa.dll
    .text C:\Program Files\Java\jre6\bin\jqs.exe[856] kernel32.dll!Module32NextW 7C864314 5 Bytes JMP 00691C62 C:\WINDOWS\system32\lewowesa.dll
    .text C:\Program Files\Java\jre6\bin\jqs.exe[856] PSAPI.DLL!EnumProcessModules 76BF1F1C 5 Bytes JMP 00691CB0 C:\WINDOWS\system32\lewowesa.dll
    .text C:\Documents and Settings\Ron\My Documents\Downloads\t81r0x0d.exe[1212] kernel32.dll!GetFileAttributesW 7C80B74C 5 Bytes JMP 10001BEC C:\WINDOWS\system32\lewowesa.dll
    .text C:\Documents and Settings\Ron\My Documents\Downloads\t81r0x0d.exe[1212] kernel32.dll!FindFirstFileExW 7C80EA7D 5 Bytes JMP 10001B16 C:\WINDOWS\system32\lewowesa.dll
    .text C:\Documents and Settings\Ron\My Documents\Downloads\t81r0x0d.exe[1212] kernel32.dll!FindNextFileW 7C80EF3A 7 Bytes JMP 10001B7C C:\WINDOWS\system32\lewowesa.dll
    .text C:\Documents and Settings\Ron\My Documents\Downloads\t81r0x0d.exe[1212] kernel32.dll!CreateFileW 7C810760 5 Bytes JMP 10001B93 C:\WINDOWS\system32\lewowesa.dll
    .text C:\Documents and Settings\Ron\My Documents\Downloads\t81r0x0d.exe[1212] kernel32.dll!DeleteFileW 7C831F31 5 Bytes JMP 10001C79 C:\WINDOWS\system32\lewowesa.dll
    .text C:\Documents and Settings\Ron\My Documents\Downloads\t81r0x0d.exe[1212] kernel32.dll!MoveFileExW 7C83565B 5 Bytes JMP 10001D4A C:\WINDOWS\system32\lewowesa.dll
    .text C:\Documents and Settings\Ron\My Documents\Downloads\t81r0x0d.exe[1212] kernel32.dll!Module32FirstW 7C864177 5 Bytes JMP 10001C23 C:\WINDOWS\system32\lewowesa.dll
    .text C:\Documents and Settings\Ron\My Documents\Downloads\t81r0x0d.exe[1212] kernel32.dll!Module32NextW 7C864314 5 Bytes JMP 10001C62 C:\WINDOWS\system32\lewowesa.dll
    .text C:\Documents and Settings\Ron\My Documents\Downloads\t81r0x0d.exe[1212] PSAPI.DLL!EnumProcessModules 76BF1F1C 5 Bytes JMP 10001CB0 C:\WINDOWS\system32\lewowesa.dll
    .text C:\WINDOWS\System32\svchost.exe[1340] ntdll.dll!NtProtectVirtualMemory 7C90DEB6 5 Bytes JMP 009A000A
    .text C:\WINDOWS\System32\svchost.exe[1340] ntdll.dll!NtWriteVirtualMemory 7C90EA32 5 Bytes JMP 009B000A
    .text C:\WINDOWS\System32\svchost.exe[1340] ntdll.dll!KiUserExceptionDispatcher 7C90EAEC 5 Bytes JMP 0099000C
    .text C:\WINDOWS\System32\svchost.exe[1340] USER32.dll!GetCursorPos 7E41BD76 5 Bytes JMP 0115000A
    .text C:\WINDOWS\System32\svchost.exe[1340] ole32.dll!CoCreateInstance 774FFAC3 5 Bytes JMP 0109000A
    .text C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe[1456] kernel32.dll!GetFileAttributesW 7C80B74C 5 Bytes JMP 009F1BEC C:\WINDOWS\system32\lewowesa.dll
    .text C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe[1456] kernel32.dll!FindFirstFileExW 7C80EA7D 5 Bytes JMP 009F1B16 C:\WINDOWS\system32\lewowesa.dll
    .text C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe[1456] kernel32.dll!FindNextFileW 7C80EF3A 7 Bytes JMP 009F1B7C C:\WINDOWS\system32\lewowesa.dll
    .text C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe[1456] kernel32.dll!CreateFileW 7C810760 5 Bytes JMP 009F1B93 C:\WINDOWS\system32\lewowesa.dll
    .text C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe[1456] kernel32.dll!DeleteFileW 7C831F31 5 Bytes JMP 009F1C79 C:\WINDOWS\system32\lewowesa.dll
    .text C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe[1456] kernel32.dll!MoveFileExW 7C83565B 5 Bytes JMP 009F1D4A C:\WINDOWS\system32\lewowesa.dll
    .text C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe[1456] kernel32.dll!Module32FirstW 7C864177 5 Bytes JMP 009F1C23 C:\WINDOWS\system32\lewowesa.dll
    .text C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe[1456] kernel32.dll!Module32NextW 7C864314 5 Bytes JMP 009F1C62 C:\WINDOWS\system32\lewowesa.dll
    .text C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe[1456] PSAPI.DLL!EnumProcessModules 76BF1F1C 5 Bytes JMP 009F1CB0 C:\WINDOWS\system32\lewowesa.dll
    .text C:\WINDOWS\system32\WLTRAY.exe[1980] kernel32.dll!GetFileAttributesW 7C80B74C 5 Bytes JMP 01261BEC C:\WINDOWS\system32\sevikuji.dll
    .text C:\WINDOWS\system32\WLTRAY.exe[1980] kernel32.dll!FindFirstFileExW 7C80EA7D 5 Bytes JMP 01261B16 C:\WINDOWS\system32\sevikuji.dll
    .text C:\WINDOWS\system32\WLTRAY.exe[1980] kernel32.dll!FindNextFileW 7C80EF3A 7 Bytes JMP 01261B7C C:\WINDOWS\system32\sevikuji.dll
    .text C:\WINDOWS\system32\WLTRAY.exe[1980] kernel32.dll!CreateFileW 7C810760 5 Bytes JMP 01261B93 C:\WINDOWS\system32\sevikuji.dll
    .text C:\WINDOWS\system32\WLTRAY.exe[1980] kernel32.dll!DeleteFileW 7C831F31 5 Bytes JMP 01261C79 C:\WINDOWS\system32\sevikuji.dll
    .text C:\WINDOWS\system32\WLTRAY.exe[1980] kernel32.dll!MoveFileExW 7C83565B 5 Bytes JMP 01261D4A C:\WINDOWS\system32\sevikuji.dll
    .text C:\WINDOWS\system32\WLTRAY.exe[1980] kernel32.dll!Module32FirstW 7C864177 5 Bytes JMP 01261C23 C:\WINDOWS\system32\sevikuji.dll
    .text C:\WINDOWS\system32\WLTRAY.exe[1980] kernel32.dll!Module32NextW 7C864314 5 Bytes JMP 01261C62 C:\WINDOWS\system32\sevikuji.dll
    .text C:\WINDOWS\system32\WLTRAY.exe[1980] PSAPI.DLL!EnumProcessModules 76BF1F1C 5 Bytes JMP 01261CB0 C:\WINDOWS\system32\sevikuji.dll
    .text C:\WINDOWS\system32\NOTEPAD.EXE[2280] kernel32.dll!GetFileAttributesW 7C80B74C 5 Bytes JMP 10001BEC C:\WINDOWS\system32\janilaje.dll
    .text C:\WINDOWS\system32\NOTEPAD.EXE[2280] kernel32.dll!FindFirstFileExW 7C80EA7D 5 Bytes JMP 10001B16 C:\WINDOWS\system32\janilaje.dll
    .text C:\WINDOWS\system32\NOTEPAD.EXE[2280] kernel32.dll!FindNextFileW 7C80EF3A 7 Bytes JMP 10001B7C C:\WINDOWS\system32\janilaje.dll
    .text C:\WINDOWS\system32\NOTEPAD.EXE[2280] kernel32.dll!CreateFileW 7C810760 5 Bytes JMP 10001B93 C:\WINDOWS\system32\janilaje.dll
    .text C:\WINDOWS\system32\NOTEPAD.EXE[2280] kernel32.dll!DeleteFileW 7C831F31 5 Bytes JMP 10001C79 C:\WINDOWS\system32\janilaje.dll
    .text C:\WINDOWS\system32\NOTEPAD.EXE[2280] kernel32.dll!MoveFileExW 7C83565B 5 Bytes JMP 10001D4A C:\WINDOWS\system32\janilaje.dll
    .text C:\WINDOWS\system32\NOTEPAD.EXE[2280] kernel32.dll!Module32FirstW 7C864177 5 Bytes JMP 10001C23 C:\WINDOWS\system32\janilaje.dll
    .text C:\WINDOWS\system32\NOTEPAD.EXE[2280] kernel32.dll!Module32NextW 7C864314 5 Bytes JMP 10001C62 C:\WINDOWS\system32\janilaje.dll
    .text C:\WINDOWS\system32\NOTEPAD.EXE[2280] PSAPI.DLL!EnumProcessModules 76BF1F1C 5 Bytes JMP 10001CB0 C:\WINDOWS\system32\janilaje.dll
    .text C:\WINDOWS\system32\SNDVOL32.EXE[2720] kernel32.dll!GetFileAttributesW 7C80B74C 5 Bytes JMP 00D61BEC C:\WINDOWS\system32\lewowesa.dll
    .text C:\WINDOWS\system32\SNDVOL32.EXE[2720] kernel32.dll!FindFirstFileExW 7C80EA7D 5 Bytes JMP 00D61B16 C:\WINDOWS\system32\lewowesa.dll
    .text C:\WINDOWS\system32\SNDVOL32.EXE[2720] kernel32.dll!FindNextFileW 7C80EF3A 7 Bytes JMP 00D61B7C C:\WINDOWS\system32\lewowesa.dll
    .text C:\WINDOWS\system32\SNDVOL32.EXE[2720] kernel32.dll!CreateFileW 7C810760 5 Bytes JMP 00D61B93 C:\WINDOWS\system32\lewowesa.dll
    .text C:\WINDOWS\system32\SNDVOL32.EXE[2720] kernel32.dll!DeleteFileW 7C831F31 5 Bytes JMP 00D61C79 C:\WINDOWS\system32\lewowesa.dll
    .text C:\WINDOWS\system32\SNDVOL32.EXE[2720] kernel32.dll!MoveFileExW 7C83565B 5 Bytes JMP 00D61D4A C:\WINDOWS\system32\lewowesa.dll
    .text C:\WINDOWS\system32\SNDVOL32.EXE[2720] kernel32.dll!Module32FirstW 7C864177 5 Bytes JMP 00D61C23 C:\WINDOWS\system32\lewowesa.dll
    .text C:\WINDOWS\system32\SNDVOL32.EXE[2720] kernel32.dll!Module32NextW 7C864314 5 Bytes JMP 00D61C62 C:\WINDOWS\system32\lewowesa.dll
    .text C:\WINDOWS\system32\SNDVOL32.EXE[2720] PSAPI.DLL!EnumProcessModules 76BF1F1C 5 Bytes JMP 00D61CB0 C:\WINDOWS\system32\lewowesa.dll
    .text C:\Program Files\Java\jre6\bin\jucheck.exe[3720] kernel32.dll!GetFileAttributesW 7C80B74C 5 Bytes JMP 10001BEC C:\WINDOWS\system32\sevikuji.dll
    .text C:\Program Files\Java\jre6\bin\jucheck.exe[3720] kernel32.dll!FindFirstFileExW 7C80EA7D 5 Bytes JMP 10001B16 C:\WINDOWS\system32\sevikuji.dll
    .text C:\Program Files\Java\jre6\bin\jucheck.exe[3720] kernel32.dll!FindNextFileW 7C80EF3A 7 Bytes JMP 10001B7C C:\WINDOWS\system32\sevikuji.dll
    .text C:\Program Files\Java\jre6\bin\jucheck.exe[3720] kernel32.dll!CreateFileW 7C810760 5 Bytes JMP 10001B93 C:\WINDOWS\system32\sevikuji.dll
    .text C:\Program Files\Java\jre6\bin\jucheck.exe[3720] kernel32.dll!DeleteFileW 7C831F31 5 Bytes JMP 10001C79 C:\WINDOWS\system32\sevikuji.dll
    .text C:\Program Files\Java\jre6\bin\jucheck.exe[3720] kernel32.dll!MoveFileExW 7C83565B 5 Bytes JMP 10001D4A C:\WINDOWS\system32\sevikuji.dll
    .text C:\Program Files\Java\jre6\bin\jucheck.exe[3720] kernel32.dll!Module32FirstW 7C864177 5 Bytes JMP 10001C23 C:\WINDOWS\system32\sevikuji.dll
    .text C:\Program Files\Java\jre6\bin\jucheck.exe[3720] kernel32.dll!Module32NextW 7C864314 5 Bytes JMP 10001C62 C:\WINDOWS\system32\sevikuji.dll
    .text C:\Program Files\Java\jre6\bin\jucheck.exe[3720] PSAPI.DLL!EnumProcessModules 76BF1F1C 5 Bytes JMP 10001CB0 C:\WINDOWS\system32\sevikuji.dll
    .text C:\Program Files\Mozilla Firefox\firefox.exe[3844] ntdll.dll!NtProtectVirtualMemory 7C90DEB6 5 Bytes JMP 018A000A
    .text C:\Program Files\Mozilla Firefox\firefox.exe[3844] ntdll.dll!NtWriteVirtualMemory 7C90EA32 5 Bytes JMP 018B000A
    .text C:\Program Files\Mozilla Firefox\firefox.exe[3844] ntdll.dll!KiUserExceptionDispatcher 7C90EAEC 5 Bytes JMP 0189000A

    ---- User IAT/EAT - GMER 1.0.15 ----

    IAT C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE[336] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryExW] [6113A40D] C:\PROGRA~1\Yahoo!\MESSEN~1\yui.dll
    IAT C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE[336] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryA] [6113A33F] C:\PROGRA~1\Yahoo!\MESSEN~1\yui.dll
    IAT C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE[336] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!GetProcAddress] [61139C3F] C:\PROGRA~1\Yahoo!\MESSEN~1\yui.dll
    IAT C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE[336] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryW] [6113A37F] C:\PROGRA~1\Yahoo!\MESSEN~1\yui.dll
    IAT C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE[336] @ C:\WINDOWS\system32\USER32.dll [GDI32.dll!GetStockObject] [6113909F] C:\PROGRA~1\Yahoo!\MESSEN~1\yui.dll
    IAT C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE[336] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [6113A40D] C:\PROGRA~1\Yahoo!\MESSEN~1\yui.dll
    IAT C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE[336] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryA] [6113A33F] C:\PROGRA~1\Yahoo!\MESSEN~1\yui.dll
    IAT C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE[336] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [61139C3F] C:\PROGRA~1\Yahoo!\MESSEN~1\yui.dll
    IAT C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE[336] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryW] [6113A37F] C:\PROGRA~1\Yahoo!\MESSEN~1\yui.dll
    IAT C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE[336] @ C:\WINDOWS\system32\SHLWAPI.dll [GDI32.dll!GetStockObject] [6113909F] C:\PROGRA~1\Yahoo!\MESSEN~1\yui.dll
    IAT C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE[336] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryExA] [6113A3BF] C:\PROGRA~1\Yahoo!\MESSEN~1\yui.dll
    IAT C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE[336] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryExW] [6113A40D] C:\PROGRA~1\Yahoo!\MESSEN~1\yui.dll
    IAT C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE[336] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryW] [6113A37F] C:\PROGRA~1\Yahoo!\MESSEN~1\yui.dll
    IAT C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE[336] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryA] [6113A33F] C:\PROGRA~1\Yahoo!\MESSEN~1\yui.dll
    IAT C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE[336] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] [61139C3F] C:\PROGRA~1\Yahoo!\MESSEN~1\yui.dll
    IAT C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE[336] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!DefWindowProcA] [61139856] C:\PROGRA~1\Yahoo!\MESSEN~1\yui.dll
    IAT C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE[336] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!DefWindowProcW] [61139856] C:\PROGRA~1\Yahoo!\MESSEN~1\yui.dll
    IAT C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE[336] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!GetSysColor] [61138FE2] C:\PROGRA~1\Yahoo!\MESSEN~1\yui.dll
    IAT C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE[336] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!TrackPopupMenu] [61138F66] C:\PROGRA~1\Yahoo!\MESSEN~1\yui.dll
    IAT C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE[336] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!TrackPopupMenuEx] [61138FA4] C:\PROGRA~1\Yahoo!\MESSEN~1\yui.dll
    IAT C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE[336] @ C:\WINDOWS\system32\SHELL32.dll [GDI32.dll!GetStockObject] [6113909F] C:\PROGRA~1\Yahoo!\MESSEN~1\yui.dll
    IAT C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE[336] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryA] [6113A33F] C:\PROGRA~1\Yahoo!\MESSEN~1\yui.dll
    IAT C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE[336] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryW] [6113A37F] C:\PROGRA~1\Yahoo!\MESSEN~1\yui.dll
    IAT C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE[336] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!GetProcAddress] [61139C3F] C:\PROGRA~1\Yahoo!\MESSEN~1\yui.dll
    IAT C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE[336] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryExW] [6113A40D] C:\PROGRA~1\Yahoo!\MESSEN~1\yui.dll
    IAT C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE[336] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryExA] [6113A3BF] C:\PROGRA~1\Yahoo!\MESSEN~1\yui.dll
    IAT C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE[336] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!AnimateWindow] [611390DD] C:\PROGRA~1\Yahoo!\MESSEN~1\yui.dll
    IAT C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE[336] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!TrackPopupMenuEx] [61138FA4] C:\PROGRA~1\Yahoo!\MESSEN~1\yui.dll
    IAT C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE[336] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!DefWindowProcA] [61139856] C:\PROGRA~1\Yahoo!\MESSEN~1\yui.dll
    IAT C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE[336] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!GetSysColor] [61138FE2] C:\PROGRA~1\Yahoo!\MESSEN~1\yui.dll
    IAT C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE[336] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!DefWindowProcW] [61139856] C:\PROGRA~1\Yahoo!\MESSEN~1\yui.dll
    IAT C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE[336] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!GetSysColorBrush] [611390A5] C:\PROGRA~1\Yahoo!\MESSEN~1\yui.dll
    IAT C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE[336] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!TrackPopupMenu] [61138F66] C:\PROGRA~1\Yahoo!\MESSEN~1\yui.dll
    IAT C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE[336] @ C:\WINDOWS\system32\PSAPI.DLL [KERNEL32.dll!LoadLibraryA] [6113A33F] C:\PROGRA~1\Yahoo!\MESSEN~1\yui.dll
    IAT C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE[336] @ C:\WINDOWS\system32\PSAPI.DLL [KERNEL32.dll!GetProcAddress] [61139C3F] C:\PROGRA~1\Yahoo!\MESSEN~1\yui.dll
    ---- Processes - GMER 1.0.15 ----

    Library C:\WINDOWS\system32\lewowesa.dll (*** hidden *** ) @ C:\WINDOWS\V0230Mon.exe [232] 0x010C0000
    Library C:\WINDOWS\system32\sevikuji.dll (*** hidden *** ) @ C:\WINDOWS\V0230Mon.exe [232] 0x01220000
    Library C:\WINDOWS\system32\sevikuji.dll (*** hidden *** ) @ C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE [336] 0x10000000
    Library C:\WINDOWS\system32\lewowesa.dll (*** hidden *** ) @ C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE [336] 0x01960000
    Library C:\WINDOWS\system32\janilaje.dll (*** hidden *** ) @ C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE [336] 0x01230000
    Library C:\WINDOWS\system32\sevikuji.dll (*** hidden *** ) @ C:\WINDOWS\system32\ctfmon.exe [344] 0x00D90000
    Library C:\WINDOWS\system32\lewowesa.dll (*** hidden *** ) @ C:\WINDOWS\system32\ctfmon.exe [344] 0x00E20000
    Library C:\WINDOWS\system32\janilaje.dll (*** hidden *** ) @ C:\WINDOWS\system32\ctfmon.exe [344] 0x01200000
    Library C:\WINDOWS\System32\lewowesa.dll (*** hidden *** ) @ C:\WINDOWS\System32\WLTRYSVC.EXE [372] 0x008F0000
    Library C:\WINDOWS\system32\sevikuji.dll (*** hidden *** ) @ C:\WINDOWS\Explorer.EXE [460] 0x033E0000
    Library C:\WINDOWS\system32\lewowesa.dll (*** hidden *** ) @ C:\WINDOWS\Explorer.EXE [460] 0x03CD0000
    Library C:\WINDOWS\system32\janilaje.dll (*** hidden *** ) @ C:\WINDOWS\Explorer.EXE [460] 0x04730000
    Library C:\WINDOWS\system32\lewowesa.dll (*** hidden *** ) @ C:\Program Files\Java\jre6\bin\jqs.exe [856] 0x00690000
    Library C:\WINDOWS\system32\lewowesa.dll (*** hidden *** ) @ C:\WINDOWS\system32\winlogon.exe [932] 0x004B0000
    Library C:\WINDOWS\system32\lewowesa.dll (*** hidden *** ) @ C:\WINDOWS\system32\services.exe [984] 0x00600000
    Library C:\WINDOWS\system32\lewowesa.dll (*** hidden *** ) @ C:\WINDOWS\system32\lsass.exe [996] 0x10000000
    Library C:\WINDOWS\system32\lewowesa.dll (*** hidden *** ) @ C:\Documents and Settings\Ron\My Documents\Downloads\t81r0x0d.exe [1212] 0x10000000
    Library C:\WINDOWS\system32\sevikuji.dll (*** hidden *** ) @ C:\Documents and Settings\Ron\My Documents\Downloads\t81r0x0d.exe [1212] 0x01110000
    Library C:\WINDOWS\system32\janilaje.dll (*** hidden *** ) @ C:\Documents and Settings\Ron\My Documents\Downloads\t81r0x0d.exe [1212] 0x01380000
    Library C:\WINDOWS\system32\lewowesa.dll (*** hidden *** ) @ C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe [1456] 0x009F0000
    Library C:\WINDOWS\system32\sevikuji.dll (*** hidden *** ) @ C:\WINDOWS\system32\WLTRAY.exe [1980] 0x01260000
    Library C:\WINDOWS\system32\lewowesa.dll (*** hidden *** ) @ C:\WINDOWS\system32\WLTRAY.exe [1980] 0x013D0000
    Library C:\WINDOWS\system32\janilaje.dll (*** hidden *** ) @ C:\WINDOWS\system32\NOTEPAD.EXE [2280] 0x10000000
    Library C:\WINDOWS\system32\lewowesa.dll (*** hidden *** ) @ C:\WINDOWS\system32\NOTEPAD.EXE [2280] 0x00D90000
    Library C:\WINDOWS\system32\sevikuji.dll (*** hidden *** ) @ C:\WINDOWS\system32\NOTEPAD.EXE [2280] 0x00E20000
    Library C:\WINDOWS\system32\lewowesa.dll (*** hidden *** ) @ C:\WINDOWS\system32\SNDVOL32.EXE [2720] 0x00D60000
    Library C:\WINDOWS\system32\sevikuji.dll (*** hidden *** ) @ C:\WINDOWS\system32\SNDVOL32.EXE [2720] 0x00DF0000
    Library C:\WINDOWS\system32\sevikuji.dll (*** hidden *** ) @ C:\Program Files\Java\jre6\bin\jucheck.exe [3720] 0x10000000
    Library C:\WINDOWS\system32\lewowesa.dll (*** hidden *** ) @ C:\Program Files\Java\jre6\bin\jucheck.exe [3720] 0x00DD0000
    Library C:\WINDOWS\system32\sevikuji.dll (*** hidden *** ) @ C:\Program Files\Mozilla Firefox\firefox.exe [3844] 0x017E0000
    Library C:\WINDOWS\system32\lewowesa.dll (*** hidden *** ) @ C:\Program Files\Mozilla Firefox\firefox.exe [3844] 0x01950000
    Library C:\WINDOWS\system32\janilaje.dll (*** hidden *** ) @ C:\Program Files\Mozilla Firefox\firefox.exe [3844] 0x01B70000

    ---- Registry - GMER 1.0.15 ----

    Reg HKLM\SYSTEM\ControlSet001\Services\BTHPORT\Parameters\Keys\000b0d605681 (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet001\Services\BTHPORT\Parameters\Keys\000b0d605681@0012d173a800 0x00 0x57 0xE4 0x26 ...
    Reg HKLM\SYSTEM\ControlSet001\Services\BTHPORT\Parameters\Keys\000b0d605681@001e750e3993 0xDA 0x26 0x98 0x24 ...
    Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\000b0d605681
    Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\000b0d605681@0012d173a800 0xA1 0x06 0xFB 0x8D ...
    Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\000b0d605681@001e750e3993 0x7B 0x9F 0x14 0x2B ...
    Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\000b0d605681@0025e5fe418a 0x81 0x8F 0xDD 0x05 ...
    Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\000b0d605681 (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\000b0d605681@0012d173a800 0xA1 0x06 0xFB 0x8D ...
    Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\000b0d605681@001e750e3993 0x7B 0x9F 0x14 0x2B ...
    Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\000b0d605681@0025e5fe418a 0x81 0x8F 0xDD 0x05 ...
    Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run@wegayihon Rundll32.exe "c:\windows\system32\tipigola.dll",a
    Reg HKCU\Software\Microsoft\Windows\ShellNoRoam\Bags\67\Shell@Vid {0057D0E0-3573-11CF-AE69-08002B2E1262}
    Reg HKCU\Software\Microsoft\Windows\ShellNoRoam\Bags\67\Shell@WinPos1280x1024(1).left 228
    Reg HKCU\Software\Microsoft\Windows\ShellNoRoam\Bags\67\Shell@WinPos1280x1024(1).top 110
    Reg HKCU\Software\Microsoft\Windows\ShellNoRoam\Bags\67\Shell@WinPos1280x1024(1).right 1028
    Reg HKCU\Software\Microsoft\Windows\ShellNoRoam\Bags\67\Shell@WinPos1280x1024(1).bottom 764

    ---- Files - GMER 1.0.15 ----

    File C:\WINDOWS\System32\DRIVERS\RDPCDD.sys suspicious modification

    ---- EOF - GMER 1.0.15 ----
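Triage of a GMER report like the one above, as an added example that is not part of this thread or of GMER itself: a parser for the four line types the log shows (inline .text hooks, hidden libraries, Run-key values, flagged files) that groups hooks by the module the JMP lands in and flags modules that both hook file- or module-enumeration APIs and are loaded hidden, which is the footprint a user-mode rootkit leaves in a report of this kind. The sample log is constructed in the format of the thread's lines; the function names and the suspicion rules are the example's own, not GMER's.

```python
"""Triage of a GMER 1.0.15 user-mode report (added example, constructed data)."""
import re
from collections import defaultdict

# Constructed sample in the line format GMER prints: a few representative
# lines per section, not the thread's complete log.
SAMPLE_LOG = r"""
---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\NOTEPAD.EXE[2280] kernel32.dll!FindFirstFileExW 7C80EA7D 5 Bytes JMP 10001B16 C:\WINDOWS\system32\janilaje.dll
.text C:\WINDOWS\system32\NOTEPAD.EXE[2280] kernel32.dll!FindNextFileW 7C80EF3A 7 Bytes JMP 10001B7C C:\WINDOWS\system32\janilaje.dll
.text C:\WINDOWS\system32\NOTEPAD.EXE[2280] PSAPI.DLL!EnumProcessModules 76BF1F1C 5 Bytes JMP 10001CB0 C:\WINDOWS\system32\janilaje.dll
.text C:\WINDOWS\Explorer.EXE[460] kernel32.dll!FindFirstFileExW 7C80EA7D 5 Bytes JMP 033E1B16 C:\WINDOWS\system32\sevikuji.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[3844] ntdll.dll!NtProtectVirtualMemory 7C90DEB6 5 Bytes JMP 018A000A

---- Processes - GMER 1.0.15 ----

Library C:\WINDOWS\system32\janilaje.dll (*** hidden *** ) @ C:\WINDOWS\system32\NOTEPAD.EXE [2280] 0x10000000
Library C:\WINDOWS\system32\sevikuji.dll (*** hidden *** ) @ C:\WINDOWS\Explorer.EXE [460] 0x033E0000

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run@wegayihon Rundll32.exe "c:\windows\system32\tipigola.dll",a
Reg HKCU\Software\Microsoft\Windows\ShellNoRoam\Bags\67\Shell@WinPos1280x1024(1).left 228

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\System32\DRIVERS\RDPCDD.sys suspicious modification
"""

# One pattern per line type; a hook line ends without a module path when
# GMER cannot attribute the JMP target to a loaded DLL.
HOOK_RE = re.compile(
    r"^\.text (?P<proc>.+?)\[(?P<pid>\d+)\] (?P<mod>[^!\s]+)!(?P<func>\S+) "
    r"(?P<addr>[0-9A-F]+) (?P<n>\d+) Bytes JMP (?P<target>[0-9A-F]+)(?: (?P<dll>.+))?$")
HIDDEN_RE = re.compile(
    r"^Library (?P<dll>.+?) \(\*\*\* hidden \*\*\* \) @ (?P<proc>.+?) \[(?P<pid>\d+)\] 0x[0-9A-F]+$")
RUN_RE = re.compile(r"^Reg (?P<key>\S+\\Run)@(?P<name>\S+) (?P<data>.+)$")
FILE_RE = re.compile(r"^File (?P<path>.+?) suspicious modification$")

# APIs whose hooking lets a module hide files or its own presence in a process.
FILE_HIDING_APIS = {"GetFileAttributesW", "FindFirstFileExW", "FindNextFileW",
                    "CreateFileW", "DeleteFileW", "MoveFileExW"}
MODULE_HIDING_APIS = {"Module32FirstW", "Module32NextW", "EnumProcessModules"}


def parse_gmer(text):
    """Split a report into hooks, hidden libraries, Run-key values and flagged
    files; lines matching none of the patterns are ignored."""
    report = {"hooks": [], "hidden": [], "autoruns": [], "files": []}
    for raw in text.splitlines():
        line = raw.strip()
        if m := HOOK_RE.match(line):
            h = m.groupdict()
            h["pid"] = int(h["pid"])
            h["dll"] = h["dll"].lower() if h["dll"] else None
            report["hooks"].append(h)
        elif m := HIDDEN_RE.match(line):
            report["hidden"].append({"dll": m["dll"].lower(), "proc": m["proc"], "pid": int(m["pid"])})
        elif m := RUN_RE.match(line):
            report["autoruns"].append({"key": m["key"], "name": m["name"], "data": m["data"]})
        elif m := FILE_RE.match(line):
            report["files"].append(m["path"])
    return report


def hooks_by_module(report):
    """Group hooks by the module the JMP lands in; unattributed hooks go under None."""
    groups = defaultdict(lambda: {"apis": set(), "processes": set()})
    for h in report["hooks"]:
        groups[h["dll"]]["apis"].add(h["func"])
        groups[h["dll"]]["processes"].add(h["proc"])
    return {k: {"apis": sorted(v["apis"]), "processes": sorted(v["processes"])}
            for k, v in groups.items()}


def triage(text):
    """Findings a responder wants first: modules that hook file/module-enumeration
    APIs and are also loaded hidden, hooks with no module to attribute them to
    (these need a separate explanation), rundll32 autoruns loading a DLL from
    system32, and files GMER flagged as modified."""
    report = parse_gmer(text)
    hidden = {h["dll"] for h in report["hidden"]}
    rootkit = [dll for dll, g in hooks_by_module(report).items()
               if dll in hidden and set(g["apis"]) & (FILE_HIDING_APIS | MODULE_HIDING_APIS)]
    unattributed = [f'{h["proc"]}[{h["pid"]}] {h["mod"]}!{h["func"]}'
                    for h in report["hooks"] if h["dll"] is None]
    autoruns = [a for a in report["autoruns"]
                if "rundll32" in a["data"].lower() and "\\system32\\" in a["data"].lower()]
    return {"rootkit_modules": sorted(rootkit), "unattributed_hooks": unattributed,
            "suspicious_autoruns": autoruns, "modified_files": report["files"]}


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_LOG), indent=2))
```

Run on the full log from the thread, the same grouping shows every hooking module patching the same nine file- and module-enumeration exports in every process it is loaded into, which is what distinguishes it from the three unattributed ntdll hooks in firefox.exe that carry no module path and have to be explained separately before being treated as malicious.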


    #5 rons9x7

    rons9x7
    • Topic Starter

    • Members
    • 11 posts
    • Local time:02:23 AM

    Posted 14 April 2010 - 04:26 PM

    here is the gmer log file.

    Attached Files



    #6 Blade81

    Blade81

      Bleepin' Rocker


    • Malware Response Team
    • 6,465 posts
    • Gender:Male
    • Location:Finland
    • Local time:12:23 PM

    Posted 15 April 2010 - 10:45 AM

    Hi,

    Delete your old copy of ComboFix and then download a fresh one to your desktop from one of these links:
    Link 1
    Link 2

    Disable protection software, run ComboFix and post back its log & fresh dds log.

    Microsoft Windows Insider MVP 2016-2017

    Microsoft MVP Consumer Security 2008-2015
    UNITE member since 2006

    Provided malware removal related instructions are meant to be used in the corresponding user's case only. If you have similar symptoms, create your own topic instead of following instructions given to someone else, please.


    #7 rons9x7

    rons9x7
    • Topic Starter

    • Members
    • 11 posts
    • Local time:02:23 AM

    Posted 15 April 2010 - 03:39 PM

    here is my combofix log

    Attached Files



    #8 rons9x7

    rons9x7
    • Topic Starter

    • Members
    • 11 posts
    • Local time:02:23 AM

    Posted 15 April 2010 - 03:44 PM

    DDS Logs...

    Attached Files



    #9 Blade81

    Blade81

      Bleepin' Rocker


    • Malware Response Team
    • 6,465 posts
    • Gender:Male
    • Location:Finland
    • Local time:12:23 PM

    Posted 15 April 2010 - 03:47 PM

    Please post fresh dds log too.

    EDIT: Seems that you posted while I was replying.


    Open notepad and copy/paste the text in the quotebox below into it:

    CODE
    TDL::
    C:\WINDOWS\System32\DRIVERS\RDPCDD.sys



    Save this as
    CFScript

    A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.



    Close all browser windows, disable protection and, referring to the picture above, drag CFScript into ComboFix.exe
    Then post the resultant log & fresh dds log.

    Edited by Blade81, 15 April 2010 - 03:49 PM.



    #10 rons9x7

    rons9x7
    • Topic Starter

    • Members
    • 11 posts
    • Local time:02:23 AM

    Posted 15 April 2010 - 05:50 PM

    ComboFix & DDS logs post TDL...

    Attached Files



    #11 Blade81

    Blade81

      Bleepin' Rocker


    • Malware Response Team
    • 6,465 posts
    • Gender:Male
    • Location:Finland
    • Local time:12:23 PM

    Posted 16 April 2010 - 12:32 AM

    Hi again,

    Upload these files to http://www.virustotal.com and post back the results:
    c:\windows\system32\drivers\ATAPI.SYS
    c:\windows\system32\drivers\NDIS.SYS
    c:\program files\dcmsvc\dcmsvc.exe

    Seems that the dds log wasn't a fresh one. Please run DDS again to get a new log.



    #12 rons9x7

    rons9x7
    • Topic Starter

    • Members
    • 11 posts
    • Local time:02:23 AM

    Posted 16 April 2010 - 03:07 AM

    ATAPI.SYS came up with Winroot rootkit virus on Esafe only.
    All other files were clean

    Attached Files

    • Attached File  DDS.txt   15.01KB   7 downloads


    #13 Blade81

    Blade81

      Bleepin' Rocker


    • Malware Response Team
    • 6,465 posts
    • Gender:Male
    • Location:Finland
    • Local time:12:23 PM

    Posted 16 April 2010 - 08:53 AM

    Hi again,

    We can ignore that Esafe finding.

    Uninstall old Adobe Reader versions and get the latest one (9.3 + update 9.3.2) here or get Foxit Reader here. Make sure you don't install the toolbar if you choose Foxit Reader! You may also check the free readers introduced here.

    Check here to see if your Flash is up-to-date (do it separately with each of your browsers). If not, uninstall vulnerable versions by following the instructions here. A fresh version can be obtained here.

    Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update to the latest version...

    Updating Java:
    • Download the latest version of Java Runtime Environment (JRE) 6 Update 20.
    • Click the Download button to the right.
    • Select Windows on the platform combobox and check the box that says: Accept License Agreement. Click continue.
    • The page will refresh.
    • Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
    • Close any programs you may have running - especially your web browser.
    • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
    • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
    • Click the Remove or Change/Remove button.
    • Repeat as many times as necessary to remove each Java version.
    • Reboot your computer once all Java components are removed.
    • Then from your desktop double-click on jre-6u20-windows-i586-p.exe to install the newest version. Uncheck Carbonite online backup trial if it's offered there.



    Download ATF (Atribune Temp File) Cleaner© by Atribune to your desktop.

    Double-click ATF Cleaner.exe to open it

    Under Main choose:
    Windows Temp
    Current User Temp
    All Users Temp
    Cookies
    Temporary Internet Files
    Prefetch
    Java Cache

    *The other boxes are optional*
    Then click the Empty Selected button.

    If you use Firefox:
    Click Firefox at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

    If you use Opera:
    Click Opera at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

    Click Exit on the Main menu to close the program.


    Please run an online scan with Kaspersky Online Scanner as instructed in the screenshot here.

    Post back its report & a fresh dds.txt log. Are there still symptoms left?




    #14 rons9x7

    rons9x7
    • Topic Starter

    • Members
    • 11 posts
    • Local time:02:23 AM

    Posted 20 April 2010 - 11:01 AM

    There are no symptoms but I did have some file corruption and had to run chkdsk.
    Here are my log files, looks like I still have a few...

    Attached Files



    #15 Blade81

    Blade81

      Bleepin' Rocker


    • Malware Response Team
    • 6,465 posts
    • Gender:Male
    • Location:Finland
    • Local time:12:23 PM

    Posted 20 April 2010 - 12:00 PM

    Hi,

    Those in system restore will be cleaned in the final stage.

    Show hidden files
    -----------------
    * Click Start.
    * Open My Computer.
    * Select the Tools menu and click Folder Options.
    * Select the View Tab.
    * Under the Hidden files and folders heading select Show hidden files and folders.
    * Uncheck the Hide protected operating system files (recommended) option.
    * Click Yes to confirm.
    * Click OK.

    Delete C:\Documents and Settings\Ron\Application Data\Sun\Java\Deployment\cache\6.0\4\25677bc4-5084c49e file if found.

    If you access email messages in those post archives that Kaspersky detected, delete suspicious looking ones.

    How's the system running now?
