All Web Browsers and Programs Crash



THREE
2009-05-06, 01:55
This problem has been going on for a week or so now and I'm pretty sure it's some kind of virus or malware. All programs (most notably any/all web browsers) will run for about 2-4 minutes and then suddenly crash/close. I have run Spybot (which now will crash before it can complete the scan too) and removed all infected files. So I am looking for any type of help. Here is the HijackThis log. BTW I have Windows XP Home Edition and the laptop is a Dell Inspiron 8600 (about 5 years old).

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:07:53 AM, on 5/1/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal


Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\White Dawg\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe
C:\Program Files\Apoint\Apntex.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe


R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://gmail.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O1 - Hosts: 82.98.231.89 url.adtrgt.com
O1 - Hosts: 82.98.231.89 googleads2.gdoubleclick.net
O2 - BHO: (no name) - {9f94314d-8a4f-45e9-afae-9244d93feb43} - C:\WINDOWS\system32\howibovu.dll
O2 - BHO: C:\WINDOWS\system32\jh9fgo4ksdgf.dll - {D7BF4552-94F1-42BD-F434-3604812C856D} - C:\WINDOWS\system32\jh9fgo4ksdgf.dll
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [MaxMenuMgr] "C:\Program Files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe"
O4 - HKLM\..\Run: [autochk] rundll32.exe C:\WINDOWS\system32\autochk.dll,_IWMPEvents@16
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [WinProx32_1] C:\Documents and Settings\LocalService\Application Data\psvrr.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [vepebizabo] Rundll32.exe "C:\WINDOWS\system32\laroheya.dll",s
O4 - HKLM\..\Run: [bc996a0a] rundll32.exe "C:\WINDOWS\system32\herutoho.dll",b
O4 - HKLM\..\Run: [CPMbfaa5996] Rundll32.exe "c:\windows\system32\juwefisi.dll",a
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [autochk] rundll32.exe C:\DOCUME~1\NETWOR~1\protect.dll,_IWMPEvents@16
O4 - HKCU\..\Run: [WinProx32_1] C:\Documents and Settings\LocalService\Application Data\psvrr.exe
O4 - HKCU\..\Run: [Diagnostic Manager] C:\DOCUME~1\WHITED~1\LOCALS~1\Temp\560441088.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\White Dawg\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKUS\S-1-5-19\..\Run: [vepebizabo] Rundll32.exe "C:\WINDOWS\system32\laroheya.dll",s (User '?')
O4 - HKUS\S-1-5-20\..\Run: [vepebizabo] Rundll32.exe "C:\WINDOWS\system32\laroheya.dll",s (User '?')
O4 - HKUS\S-1-5-21-484763869-507921405-1343024091-1004\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')
O4 - HKUS\S-1-5-21-484763869-507921405-1343024091-1004\..\Run: [Aim6] (User '?')
O4 - HKUS\S-1-5-21-484763869-507921405-1343024091-1004\..\Run: [Diagnostic Manager] C:\DOCUME~1\WHITED~1\LOCALS~1\Temp\560441088.exe (User '?')
O4 - HKUS\S-1-5-21-484763869-507921405-1343024091-1004\..\Run: [Google Update] "C:\Documents and Settings\White Dawg\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c (User '?')
O4 - HKUS\S-1-5-18\..\Run: [autochk] rundll32.exe C:\WINDOWS\system32\config\SYSTEM~1\protect.dll,_IWMPEvents@16 (User '?')
O4 - HKUS\.DEFAULT\..\Run: [autochk] rundll32.exe C:\WINDOWS\system32\config\SYSTEM~1\protect.dll,_IWMPEvents@16 (User 'Default user')
O4 - S-1-5-21-484763869-507921405-1343024091-1004 Startup: ChkDisk.dll (User '?')
O4 - S-1-5-21-484763869-507921405-1343024091-1004 Startup: ChkDisk.lnk = ? (User '?')
O4 - S-1-5-18 Startup: ChkDisk.dll (User '?')
O4 - S-1-5-18 Startup: ChkDisk.lnk = ? (User '?')
O4 - .DEFAULT Startup: ChkDisk.dll (User 'Default user')
O4 - .DEFAULT Startup: ChkDisk.lnk = ? (User 'Default user')
O4 - Startup: ChkDisk.dll
O4 - Startup: ChkDisk.lnk = ?
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O10 - Unknown file in Winsock LSP: imdds.dll
O10 - Unknown file in Winsock LSP: imdds.dll
O10 - Unknown file in Winsock LSP: imdds.dll
O10 - Unknown file in Winsock LSP: imdds.dll
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/FacebookPhotoUploader3.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O20 - AppInit_DLLs: C:\WINDOWS\system32\fiwevoga.dll dlbrbh.dll vsowxz.dll kvgplw.dll c:\windows\system32\gaperume.dll c:\windows\system32\zojatuba.dll c:\windows\system32\yepogofa.dll xozbpx.dll c:\windows\system32\ C:\WINDOWS\system32\hikenile.dll c:\windows\system32\juwefisi.dll
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\juwefisi.dll
O22 - SharedTaskScheduler: sfdawtawgreage4tregrgae34 - {D7BF4552-94F1-42BD-F434-3604812C856D} - C:\WINDOWS\system32\jh9fgo4ksdgf.dll
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\juwefisi.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Seagate Service (FreeAgentGoNext Service) - Seagate Technology LLC - C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

Shaba
2009-05-06, 17:31
Hi THREE

We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:
This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Ensure you have disabled all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
If you need help to disable your protection programs see here. (http://www.bleepingcomputer.com/forums/topic114351.html)

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply along with a fresh HijackThis log.

THREE
2009-05-07, 03:17
ComboFix 09-05-06.02 - White Dawg 05/06/2009 19:59.1 - NTFSx86
Running from: c:\documents and settings\White Dawg\My Documents\Downloads\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
/wow section - STAGE 1
'PV' is not recognized as an internal or external command


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\WHITED~1\LOCALS~1\Temp\575689904.exe
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\documents and settings\LocalService\Application Data\psvr32.exe
c:\documents and settings\LocalService\Application Data\psvrr.exe
c:\documents and settings\LocalService\Local Settings\Application Data\minisvr4.exe
c:\documents and settings\LocalService\Local Settings\Application Data\zchMiB.exe
c:\documents and settings\LocalService\protect.dll
c:\documents and settings\NetworkService\Local Settings\Application Data\minisvr4.exe
c:\documents and settings\NetworkService\Local Settings\Application Data\part.exe
c:\documents and settings\NetworkService\protect.dll
c:\documents and settings\White Dawg\Application Data\Google\T-Scan
c:\documents and settings\White Dawg\Application Data\Google\T-Scan\n.gif
c:\documents and settings\White Dawg\Application Data\Google\T-Scan\t.gif
c:\documents and settings\White Dawg\Application Data\Google\T-Scan\y.gif
c:\documents and settings\White Dawg\Local Settings\Temp\575689904.exe
c:\documents and settings\White Dawg\protect.dll
c:\documents and settings\White Dawg\Start Menu\Programs\Startup\ChkDisk.dll
c:\documents and settings\White Dawg\Start Menu\Programs\Startup\ChkDisk.lnk
c:\windows\system32\998.exe
c:\windows\system32\ak1.exe
c:\windows\system32\autochk.dll
c:\windows\system32\awetaziz.ini
c:\windows\system32\baliteta.dll
c:\windows\system32\barijatu.dll
c:\windows\system32\bezayedo.dll
c:\windows\system32\bipehozo.dll
c:\windows\system32\biwifasi.dll
c:\windows\system32\bofayoti.dll
c:\windows\system32\bozujeyi.dll
c:\windows\system32\cgobgw.dll
c:\windows\system32\chert5-998.exe
c:\windows\system32\config\systemprofile\protect.dll
c:\windows\system32\denufudu.exe
c:\windows\system32\diperede.dll
c:\windows\system32\divimuvo.dll
c:\windows\system32\diyobela.dll
c:\windows\system32\dkqayf.dll
c:\windows\system32\drivers\seneka.sys
c:\windows\system32\drivers\senekagnbvfklp.sys
c:\windows\system32\drivers\senekankfxjlki.sys
c:\windows\system32\drivers\senekaxkdhtvri.sys
c:\windows\system32\dsddlf.dll
c:\windows\system32\eyaqim.dll
c:\windows\system32\fawuruvo.dll
c:\windows\system32\fekiae.dll
c:\windows\system32\fesumuye.dll
c:\windows\system32\fofajivo.dll
c:\windows\system32\fvgnuw.dll
c:\windows\system32\gdxxfi.dll
c:\windows\system32\geheyani.dll
c:\windows\system32\genetoda.dll
c:\windows\system32\giwovumo.dll
c:\windows\system32\gizokoro.dll
c:\windows\system32\gizoroda.dll
c:\windows\system32\gofipina.dll
c:\windows\system32\grpgdz.dll
c:\windows\system32\gtsblb.dll
c:\windows\system32\guyubaha.exe
c:\windows\system32\hdzspl.dll
c:\windows\system32\herutoho.dll
c:\windows\system32\hgcmqs.dll
c:\windows\system32\hinirole.dll
c:\windows\system32\hobolaku.dll
c:\windows\system32\humoyofa.dll
c:\windows\system32\hupojoyu.dll
c:\windows\system32\hurasivi.dll
c:\windows\system32\huverego.dll
c:\windows\system32\ichbea.dll
c:\windows\system32\itihazon.ini
c:\windows\system32\itmtrn.dll
c:\windows\system32\iwajonod.ini
c:\windows\system32\jafijohe.dll
c:\windows\system32\jesuvaya.dll
c:\windows\system32\jewipaje.dll
c:\windows\system32\jh9fgo4ksdgf.dll
c:\windows\system32\jimaneno.dll
c:\windows\system32\jituwuwa.dll
c:\windows\system32\jorujedi.dll
c:\windows\system32\juhiruma.dll
c:\windows\system32\junetike.dll
c:\windows\system32\juwefisi.dll
c:\windows\system32\jyytvp.dll
c:\windows\system32\kihinuga.dll
c:\windows\system32\kinewego.dll
c:\windows\system32\kozafuli.dll
c:\windows\system32\kusitozo.dll
c:\windows\system32\kxocet.dll
c:\windows\system32\lazimiki.dll
c:\windows\system32\lesufuya.dll
c:\windows\system32\liseruka.dll
c:\windows\system32\log.exe
c:\windows\system32\lugesate.dll
c:\windows\system32\luravufa.dll
c:\windows\system32\lxkwhc.dll
c:\windows\system32\mibevilo.dll
c:\windows\system32\mirajehi.dll
c:\windows\system32\misahavu.dll
c:\windows\system32\nafugizu.exe
c:\windows\system32\najejifo.dll
c:\windows\system32\nalayafi.dll
c:\windows\system32\nbhwjf.dll
c:\windows\system32\nDler2.exe
c:\windows\system32\nefavega.dll
c:\windows\system32\noyahopi.exe
c:\windows\system32\nozahiti.dll
c:\windows\system32\nshnrr.dll
c:\windows\system32\nunoruzo.dll
c:\windows\system32\nutuhunu.dll
c:\windows\system32\nypbwu.dll
c:\windows\system32\ogurafuy.ini
c:\windows\system32\ohotureh.ini
c:\windows\system32\orasrv.dll
c:\windows\system32\p2hhr.bat
c:\windows\system32\pekuveme.dll
c:\windows\system32\pic.jpg
c:\windows\system32\pidagimu.exe
c:\windows\system32\pilipeho.dll
c:\windows\system32\poviwumi.exe
c:\windows\system32\qohmog.dll
c:\windows\system32\rahurite.dll
c:\windows\system32\ramuzovi.dll
c:\windows\system32\razadupe.dll
c:\windows\system32\refemope.dll
c:\windows\system32\remebeyi.dll
c:\windows\system32\remowoka.dll
c:\windows\system32\rilalelu.dll
c:\windows\system32\rivesogo.dll
c:\windows\system32\ruzoew.dll
c:\windows\system32\sakalimo.dll
c:\windows\system32\sanidayi.dll
c:\windows\system32\sedehobi.dll
c:\windows\system32\senekalog.dat
c:\windows\system32\senekaqjwbmqrd.dll
c:\windows\system32\senekarprrwbym.dll
c:\windows\system32\senekaxdpkpykd.dll
c:\windows\system32\sf87wuijndoio43j.dll
c:\windows\system32\sfjrhe.dll
c:\windows\system32\siyadoro.dll
c:\windows\system32\sizugomu.dll
c:\windows\system32\sudijaji.dll
c:\windows\system32\tarekalu.dll
c:\windows\system32\tb.dr
c:\windows\system32\tesawuzo.dll
c:\windows\system32\test.ttt
c:\windows\system32\tidadegi.dll
c:\windows\system32\tipigawi.dll
c:\windows\system32\togemobo.dll
c:\windows\system32\toluboli.dll
c:\windows\system32\tujumape.dll
c:\windows\system32\tuviloko.dll
c:\windows\system32\udwzjx.dll
c:\windows\system32\uedgrz.dll
c:\windows\system32\uiagrq.dll
c:\windows\system32\ulakerat.ini
c:\windows\system32\vabazaja.dll
c:\windows\system32\valavuja.dll
c:\windows\system32\veregofu.dll
c:\windows\system32\vhkppl.dll
c:\windows\system32\vihegawu.dll
c:\windows\system32\vikezisi.dll
c:\windows\system32\viniyibo.dll
c:\windows\system32\voginuhu.dll
c:\windows\system32\vqwjqn.dll
c:\windows\system32\vuzofafu.dll
c:\windows\system32\wahewuvu.dll
c:\windows\system32\wijuhalu.dll
c:\windows\system32\win32hlp.cnf
c:\windows\system32\Winset20.exe
c:\windows\system32\wopowupa.dll
c:\windows\system32\wurajobi.dll
c:\windows\system32\wuwogola.dll
c:\windows\system32\wzvrnj.dll
c:\windows\system32\xozbpx.dll
c:\windows\system32\yadihoni.dll
c:\windows\system32\yatewefa.dll
c:\windows\system32\yejedufi.dll
c:\windows\system32\ykvmgm.dll
c:\windows\system32\yufarugo.dll
c:\windows\system32\yupujufo.dll
c:\windows\system32\zadowebi.dll
c:\windows\system32\zezesuhe.dll
c:\windows\system32\zgbhea.dll
c:\windows\system32\zizatewa.dll
c:\windows\system32\zjqlni.dll
C:\xcrashdump.dat

----- BITS: Possible infected sites -----

hxxp://82.98.235.205
Infected copy of c:\windows\system32\sfcfiles.dll was found and disinfected
Restored copy from - c:\windows\system32\dllcache\sfcfiles.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_SFC
-------\Legacy_TDSSSERV.SYS
-------\Service_seneka
-------\Service_sfc


((((((((((((((((((((((((( Files Created from 2009-04-07 to 2009-05-07 )))))))))))))))))))))))))))))))
.

2009-05-07 00:09 . 2009-05-07 00:09 -------- d-----w c:\windows\LastGood
2009-05-01 09:55 . 2009-05-01 09:55 -------- d-----w c:\program files\Trend Micro
2009-04-21 10:34 . 2009-04-21 10:34 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-04-21 10:34 . 2009-04-21 10:34 -------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-04-16 01:12 . 2008-08-20 17:58 9072 ------w c:\windows\system32\drivers\cdr4_xp.sys
2009-04-16 01:12 . 2008-08-20 17:58 44944 ------w c:\windows\system32\drivers\PxHelp20.sys
2009-04-16 01:12 . 2008-08-20 17:58 9200 ------w c:\windows\system32\drivers\cdralw2k.sys
2009-04-16 01:12 . 2008-08-20 17:58 129520 ------w c:\windows\system32\pxafs.dll
2009-04-16 01:12 . 2009-04-16 01:14 -------- d-----w c:\documents and settings\White Dawg\Application Data\Winamp
2009-04-16 01:12 . 2009-04-16 01:14 -------- d-----w c:\program files\Winamp
2009-04-15 00:17 . 2009-04-15 00:17 -------- d-----w c:\windows\system32\Adobe
2009-04-14 00:05 . 2009-04-14 00:05 74240 ----a-w c:\windows\system32\zlib.dll
2009-04-08 10:04 . 2009-04-08 10:04 838644 ----a-w c:\windows\system32\winsetuprup.exe
2009-04-08 01:47 . 2009-04-08 01:47 83456 ----a-w c:\windows\system32\krbclick1.exe
2009-04-07 21:56 . 2009-04-08 10:19 155 ----a-w c:\windows\system32\SelfDel.bat
2009-04-07 21:56 . 2009-04-08 10:19 84045 ----a-w c:\windows\system32\ftp_non_crp.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-13 22:41 . 2009-01-13 22:41 64000 --sha-w c:\windows\system32\gipofosi.exe
2009-04-13 10:40 . 2009-01-13 10:40 63488 --sha-w c:\windows\system32\nufifini.exe
2009-04-12 16:39 . 2009-01-12 16:39 64000 --sha-w c:\windows\system32\yimazitu.exe
2009-04-11 15:45 . 2009-01-11 15:45 110080 --sha-w c:\windows\system32\rewikupe.dll.vir
2009-04-11 15:45 . 2009-01-11 15:45 62464 --sha-w c:\windows\system32\zanowapu.exe
2009-04-10 20:46 . 2009-01-10 20:46 63488 --sha-w c:\windows\system32\tepufepu.exe
2009-04-09 23:05 . 2009-01-09 23:05 61952 --sha-w c:\windows\system32\kojofaba.exe
2009-04-09 23:05 . 2009-01-09 23:05 107008 --sha-w c:\windows\system32\pufuyada.dll.vir
2009-04-06 23:04 . 2009-01-06 23:03 61440 --sha-w c:\windows\system32\gipidiwu.exe
2009-04-05 20:01 . 2009-04-05 20:13 10027 ----a-w c:\documents and settings\NetworkService\Local Settings\Application Data\~tempinfo.dat
2009-04-05 20:01 . 2009-04-05 20:13 10027 ----a-w c:\documents and settings\LocalService\Local Settings\Application Data\~tempinfo.dat
2009-04-05 16:33 . 2009-01-05 16:33 61440 --sha-w c:\windows\system32\zehekilo.exe
2009-04-03 10:41 . 2009-01-03 10:41 103936 --sha-w c:\windows\system32\tipajile.dll.vir
2009-04-03 10:41 . 2009-01-03 10:41 61440 --sha-w c:\windows\system32\yamadeko.exe
2009-04-02 22:41 . 2009-01-02 22:41 61440 --sha-w c:\windows\system32\zumidiba.exe
2009-04-01 10:40 . 2009-01-01 10:40 61440 --sha-w c:\windows\system32\sirifiwi.exe
2009-03-31 22:40 . 1601-01-01 00:12 61440 --sha-w c:\windows\system32\hiyoluge.exe
2009-03-30 23:43 . 1601-01-01 00:12 61440 --sha-w c:\windows\system32\ledanozo.exe
2009-03-27 00:08 . 1601-01-01 00:12 61440 --sha-w c:\windows\system32\najejifo.exe
2009-03-24 00:04 . 2009-03-24 00:03 -------- d-----w c:\program files\iTunes
2009-03-24 00:03 . 2009-03-24 00:03 -------- d-----w c:\program files\iPod
2009-03-24 00:03 . 2007-11-24 15:15 -------- d-----w c:\program files\Common Files\Apple
2009-03-24 00:01 . 2009-03-24 00:01 -------- d-----w c:\program files\Bonjour
2009-03-24 00:00 . 2009-03-23 23:59 -------- d-----w c:\program files\QuickTime
2009-03-21 13:36 . 2009-03-21 13:36 33792 ----a-w c:\windows\system32\leeppcsetup.exe
2009-03-21 13:12 . 2009-03-21 13:12 35840 ----a-w c:\windows\system32\gldx.exe
2009-03-19 10:33 . 1601-01-01 00:12 108032 --sha-w c:\windows\system32\yepogofa.dll.vir
2009-03-19 09:47 . 2009-03-19 09:47 40448 ----a-w c:\windows\system32\KuzSmall.exe
2009-03-19 03:20 . 2009-03-19 03:20 42496 ----a-w c:\windows\system32\kuzSniper.exe
2009-03-17 22:34 . 1601-01-01 00:12 107008 --sha-w c:\windows\system32\zojatuba.dll.vir
2009-03-13 10:16 . 2009-03-13 10:16 75264 ----a-w c:\windows\system32\MPh.exe
2009-03-12 21:48 . 2009-03-11 10:06 36864 ----a-w c:\windows\system32\nDler.exe
2009-03-12 21:35 . 2009-03-09 22:43 10240 ----a-w c:\windows\instsp1.exe
2009-03-12 21:35 . 1601-01-01 00:12 100864 --sha-w c:\windows\system32\makezimu.dll
2009-03-11 22:42 . 1601-01-01 00:12 107520 --sha-w c:\windows\system32\nobajanu.dll.vir
2009-03-11 10:26 . 2009-03-11 10:26 0 ----a-w c:\windows\TEMPsBanned.dat
2009-03-11 10:26 . 2009-03-11 10:26 295687 ----a-w c:\windows\TEMPmSrv.exe
2009-03-10 22:42 . 1601-01-01 00:12 102400 --sha-w c:\windows\system32\viwafinu.dll
2009-03-10 00:20 . 2009-04-25 14:49 144322 ----a-w c:\windows\pchealth\helpctr\Config\Cache\Personal_32_1033.dat
2009-03-09 22:42 . 1601-01-01 00:12 105984 --sha-w c:\windows\system32\gaperume.dll.vir
2009-03-06 10:55 . 2009-03-05 23:15 44032 ----a-w c:\windows\system32\kmsvc32.dll
2009-03-06 10:55 . 2009-03-06 10:55 54784 ----a-w c:\windows\system32\Dr.exe
2009-03-06 03:59 . 2009-03-23 23:57 1900544 ----a-w c:\windows\system32\usbaaplrc.dll
2009-03-06 03:59 . 2007-11-24 15:16 36864 ----a-w c:\windows\system32\drivers\usbaapl.sys
2009-03-05 23:34 . 2009-03-05 23:34 11264 ----a-w c:\windows\system32\imdds.dll
2009-02-12 00:34 . 2009-02-12 00:19 46080 ------w c:\windows\system32\clickfile.exe
2007-11-15 22:47 . 2007-11-15 22:46 12132024 ----a-w c:\program files\Install_AIM.exe
2007-11-15 22:43 . 2007-11-15 22:43 50982768 ----a-w c:\program files\R115321.EXE
2009-01-27 22:33 . 2009-01-27 22:33 67584 --sha-w c:\windows\system32\hikenile.dll.tmp
2009-01-27 22:33 . 2009-01-27 22:33 67584 --sha-w c:\windows\system32\howibovu.dll.tmp
2009-01-08 22:59 . 2009-01-08 22:59 70144 --sha-w c:\windows\system32\kopurege.dll.vir
2009-01-27 22:33 . 2009-01-27 22:33 67584 --sha-w c:\windows\system32\laroheya.dll.tmp
1601-01-01 00:12 . 1601-01-01 00:12 61440 --sha-w c:\windows\system32\zelayira.exe
.

------- Sigcheck -------

[-] 2008-04-14 00:12 26112 A93AEE1928A9D7CE3E16D24EC7380F89 c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\userinit.exe
[-] 2009-01-14 11:31 111616 BE9F5DA369DDDC22224C053BBB27C64E c:\windows\system32\userinit.exe
[-] 2009-01-14 11:31 111616 BE9F5DA369DDDC22224C053BBB27C64E c:\windows\system32\dllcache\userinit.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"Google Update"="c:\documents and settings\White Dawg\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-04-28 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-10-30 335872]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2004-02-02 155648]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2005-12-19 1347584]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-11 39792]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-03-06 177472]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 144784]
"MaxMenuMgr"="c:\program files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe" [2008-10-28 181544]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-03-13 342312]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2009-03-09 37888]
"BCMSMMSG"="BCMSMMSG.exe" - c:\windows\BCMSMMSG.exe [2003-08-29 122880]
"ATIModeChange"="Ati2mdxx.exe" - c:\windows\system32\Ati2mdxx.exe [2001-09-04 28672]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Bonjour Service"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

R0 iatxphq;iatxphq;c:\windows\system32\drivers\txlr.sys [x]
S2 FreeAgentGoNext Service;Seagate Service;c:\program files\Seagate\SeagateManager\Sync\FreeAgentService.exe [2008-10-28 156968]
S2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652]


--- Other Services/Drivers In Memory ---

*Deregistered* - AFD
*Deregistered* - ALG
*Deregistered* - Apple Mobile Device
*Deregistered* - Arp1394
*Deregistered* - Ati HotKey Poller
*Deregistered* - AudioSrv
*Deregistered* - audstub
*Deregistered* - Beep
*Deregistered* - BITS
*Deregistered* - Bonjour Service
*Deregistered* - Browser
*Deregistered* - CCALib8
*Deregistered* - Compbatt
*Deregistered* - CryptSvc
*Deregistered* - Dhcp
*Deregistered* - Dnscache
*Deregistered* - ERSvc
*Deregistered* - EventSystem
*Deregistered* - Fastfat
*Deregistered* - FastUserSwitchingCompatibility
*Deregistered* - Fips
*Deregistered* - FltMgr
*Deregistered* - FreeAgentGoNext Service
*Deregistered* - Ftdisk
*Deregistered* - Gpc
*Deregistered* - helpsvc
*Deregistered* - HTTP
*Deregistered* - IntelIde
*Deregistered* - IpNat
*Deregistered* - IPSec
*Deregistered* - KSecDD
*Deregistered* - lanmanserver
*Deregistered* - lanmanworkstation
*Deregistered* - LmHosts
*Deregistered* - mnmdd
*Deregistered* - MountMgr
*Deregistered* - MRxDAV
*Deregistered* - MRxSmb
*Deregistered* - Msfs
*Deregistered* - mssmbios
*Deregistered* - Mup
*Deregistered* - NDIS
*Deregistered* - NdisTapi
*Deregistered* - Ndisuio
*Deregistered* - NdisWan
*Deregistered* - NDProxy
*Deregistered* - NetBIOS
*Deregistered* - NetBT
*Deregistered* - Netman
*Deregistered* - Nla
*Deregistered* - Npfs
*Deregistered* - Ntfs
*Deregistered* - Null
*Deregistered* - OMCI
*Deregistered* - PartMgr
*Deregistered* - PolicyAgent
*Deregistered* - PptpMiniport
*Deregistered* - ProtectedStorage
*Deregistered* - PSched
*Deregistered* - RasAcd
*Deregistered* - Rasl2tp
*Deregistered* - RasPppoe
*Deregistered* - Raspti
*Deregistered* - Rdbss
*Deregistered* - RDPCDD
*Deregistered* - RimVSerPort
*Deregistered* - ROOTMODEM
*Deregistered* - Roxio Upnp Server 9
*Deregistered* - RoxLiveShare9
*Deregistered* - RoxWatch9
*Deregistered* - RpcSs
*Deregistered* - SamSs
*Deregistered* - Schedule
*Deregistered* - seclogon
*Deregistered* - SENS
*Deregistered* - SharedAccess
*Deregistered* - ShellHWDetection
*Deregistered* - Spooler
*Deregistered* - sr
*Deregistered* - srservice
*Deregistered* - Srv
*Deregistered* - SSDPSRV
*Deregistered* - stisvc
*Deregistered* - swenum
*Deregistered* - Tcpip
*Deregistered* - TermDD
*Deregistered* - TermService
*Deregistered* - Themes
*Deregistered* - TrkWks
*Deregistered* - Update
*Deregistered* - VgaSave
*Deregistered* - Viewpoint Manager Service
*Deregistered* - VolSnap
*Deregistered* - W32Time
*Deregistered* - Wanarp
*Deregistered* - WebClient
*Deregistered* - winmgmt
*Deregistered* - wltrysvc
*Deregistered* - WS2IFSL
*Deregistered* - wuauserv
*Deregistered* - WZCSVC

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
AppMgmt
AudioSrv
Browser
CryptSvc
DMServer
DHCP
ERSvc
FastUserSwitchingCompatibility
HidServ
LanmanServer
LanmanWorkstation
Messenger
Nla
NWCWorkstation
Schedule
Seclogon
SRService
Themes
TrkWks
W32Time
Wmi
WmdmPmSp
winmgmt
wscsvc
xmlprov
BITS
wuauserv
ShellHWDetection
helpsvc
.
Contents of the 'Scheduled Tasks' folder

2009-04-04 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 17:34]

2009-05-04 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-484763869-507921405-1343024091-1004.job
- c:\documents and settings\White Dawg\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-04-28 10:13]
.
- - - - ORPHANS REMOVED - - - -

BHO-{9f94314d-8a4f-45e9-afae-9244d93feb43} - c:\windows\system32\wijuhalu.dll
Toolbar-SITEguard - (no file)
HKCU-Run-Aim6 - (no file)
HKU-Default-Run-autochk - c:\windows\system32\config\SYSTEM~1\protect.dll
HKU-Default-Run-InetChk - c:\windows\TEMP\ms1239155248.exe
HKU-Default-Run-WinProx32_1 - c:\documents and settings\LocalService\Application Data\psvrr.exe
HKU-Default-Run-Windows Resurections - c:\windows\TEMP\z2m04kf16.exe
HKU-Default-Run-Diagnostic Manager - c:\windows\TEMP\3212838144.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://gmail.com/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
LSP: imdds.dll
FF - ProfilePath - c:\documents and settings\White Dawg\Application Data\Mozilla\Firefox\Profiles\58q15rd9.default\
FF - prefs.js: browser.startup.homepage - hxxp://gmail.com/
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=UTF-8&fr=chrff-brandt_off&type=000107X001US&p=
FF - plugin: c:\documents and settings\White Dawg\Local Settings\Application Data\Google\Update\1.2.141.5\npGoogleOneClick7.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-06 20:07
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\WLTRYSVC.EXE
c:\windows\system32\BCMWLTRY.EXE
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\program files\Apoint\ApntEx.exe
c:\program files\Java\jre1.6.0_05\bin\jucheck.exe
.
**************************************************************************
.
Completion time: 2009-05-07 20:14 - machine was rebooted
ComboFix-quarantined-files.txt 2009-05-07 00:14

Pre-Run: 27,261,890,560 bytes free
Post-Run: 27,781,730,304 bytes free

506 --- E O F --- 2008-12-25 14:54



HJT

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:16:19 PM, on 5/6/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\White Dawg\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\Apoint\Apntex.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Java\jre1.6.0_05\bin\jucheck.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\White Dawg\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\White Dawg\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\White Dawg\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://gmail.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [MaxMenuMgr] "C:\Program Files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\White Dawg\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKUS\S-1-5-19\..\Run: [vepebizabo] Rundll32.exe "C:\WINDOWS\system32\nunoruzo.dll",s (User '?')
O4 - HKUS\S-1-5-20\..\Run: [vepebizabo] Rundll32.exe "C:\WINDOWS\system32\nunoruzo.dll",s (User '?')
O4 - HKUS\S-1-5-21-484763869-507921405-1343024091-1004\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O10 - Unknown file in Winsock LSP: imdds.dll
O10 - Unknown file in Winsock LSP: imdds.dll
O10 - Unknown file in Winsock LSP: imdds.dll
O10 - Unknown file in Winsock LSP: imdds.dll
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/FacebookPhotoUploader3.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Seagate Service (FreeAgentGoNext Service) - Seagate Technology LLC - C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 7465 bytes
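
A reviewer working through a HijackThis log like the one above usually pulls out the same few line types first: O4 autostart entries that launch a DLL through rundll32, autostarts pointing into a TEMP directory, Run entries sitting under the LocalService/NetworkService hives, and O10 lines that HijackThis itself labels "Unknown file in Winsock LSP". The script below is an added example for this thread, not code from the post or from HijackThis: it parses O4/O10 lines and collects the file names worth hashing or uploading. The sample input is a subset of lines copied from the log above; the reason codes, the service-SID heuristic and the function names are this example's own assumptions, and a flag means "review by hand", not "confirmed malicious".

```python
"""Triage helper for HijackThis-style log lines (added example, not HJT code)."""
import re

# Sample input: O4/O10 lines copied from the log posted in this thread,
# embedded as a constructed string so the script runs offline.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [vepebizabo] Rundll32.exe "C:\WINDOWS\system32\nunoruzo.dll",s (User '?')
O4 - HKUS\S-1-5-20\..\Run: [vepebizabo] Rundll32.exe "C:\WINDOWS\system32\nunoruzo.dll",s (User '?')
O4 - HKUS\S-1-5-21-484763869-507921405-1343024091-1004\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')
O10 - Unknown file in Winsock LSP: imdds.dll
O10 - Unknown file in Winsock LSP: imdds.dll
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
""".strip()

# O4 - <hive>[\SID]\..\Run: [name] <command> [(User 'x')]
O4_RE = re.compile(
    r"^O4 - (?P<hive>HK\w+(?:\\S-[\d-]+)?)\\\.\.\\(?P<key>Run\w*): "
    r"\[(?P<name>[^\]]*)\] (?P<cmd>.*?)(?: \(User '(?P<user>[^']*)'\))?$"
)
O10_RE = re.compile(r"^O10 - Unknown file in Winsock LSP: (?P<file>\S+)$")
# rundll32 "<dll>",export  -- the DLL may be quoted and may carry an export name
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+?\.dll)"?', re.IGNORECASE)
# Heuristic (assumption of this example): Run entries under the LocalService /
# NetworkService hives carry little beyond ctfmon.exe on XP, so anything else
# there is worth a look.
SERVICE_SIDS = {"S-1-5-19", "S-1-5-20"}


def first_path(cmd):
    """Best-effort executable/DLL path from a command line (heuristic)."""
    m = re.match(r'"([^"]+)"', cmd)
    if m:
        return m.group(1)
    m = re.match(r"(.+?\.(?:exe|dll|cpl|scr))(?:\s|$)", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split()[0]


def parse_o4(line):
    """Split an O4 line into hive, SID (if any), entry name and command."""
    m = O4_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["sid"] = d["hive"].split("\\", 1)[1] if "\\" in d["hive"] else None
    return d


def triage(log_text):
    """Return findings as (reason, artifact, raw_line) tuples."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        o4 = parse_o4(line)
        if o4:
            cmd = o4["cmd"]
            rd = RUNDLL_RE.search(cmd)
            target = rd.group("dll") if rd else first_path(cmd)
            if rd:
                findings.append(("RUNDLL_DLL", target, line))
            if re.search(r"\\temp\\", cmd, re.IGNORECASE):
                findings.append(("TEMP_PATH", target, line))
            if o4["sid"] in SERVICE_SIDS and "ctfmon" not in cmd.lower():
                findings.append(("SERVICE_HIVE", target, line))
            continue
        lsp = O10_RE.match(line)
        if lsp:
            findings.append(("UNKNOWN_LSP", lsp.group("file"), line))
    return findings


def summarize(findings):
    """Count findings per reason code."""
    counts = {}
    for reason, _, _ in findings:
        counts[reason] = counts.get(reason, 0) + 1
    return counts


def artifacts_to_check(findings):
    """Deduplicated list of files to hash or upload for a second opinion."""
    return sorted({artifact for _, artifact, _ in findings}, key=str.lower)


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for reason, artifact, line in found:
        print(f"{reason:13} {artifact}\n    {line}")
    print("summary:", summarize(found))
    print("files to check:", artifacts_to_check(found))
```

On the sample lines this yields two rundll32 findings (the same DLL under both service hives, so one file to check) and the repeated LSP entry collapsed to one file name; the O4 `ctfmon.exe` entries and the O23 service line produce nothing. The list from `artifacts_to_check` is the set of files a helper would ask to have hashed and uploaded, which is exactly the follow-up step the next post asks for.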

Shaba
2009-05-07, 07:15
Please click this link-->Jotti (http://virusscan.jotti.org/)

Copy/paste the first file on the list into the white "Upload a file" box and click Submit/Send (depending on which one you are using, Jotti or VirusTotal).

c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\userinit.exe
c:\windows\system32\userinit.exe
c:\windows\system32\dllcache\userinit.exe


Repeat steps for all files on the list.

Please post back the results of the scan in your next post.

If Jotti is busy, try the same at Virustotal: http://www.virustotal.com/
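
Before uploading the three copies of userinit.exe one by one, it is worth hashing them locally: copies with the same digest are the same file and need only one upload, and the digest can be searched on the scanner directly. The script below is an added example for this step, not code from the thread or from Jotti/VirusTotal. It hashes each path and groups the paths by SHA-256, which shows at a glance whether the installed file in system32 matches the Windows File Protection copy in dllcache. The SoftwareDistribution\Download copy comes from a Windows Update package and can legitimately be a different version from the installed one, so treat a system32/dllcache mismatch, not a Download mismatch, as the thing to examine (version info and signer). The three paths are the ones named above; because they will not exist on most machines, `demo()` builds constructed stand-in files so the script runs anywhere.

```python
"""Group copies of one file by digest before uploading (added example)."""
import hashlib
import os
import tempfile
from collections import defaultdict

# The three paths named in the post above (hashed only if present here).
USERINIT_COPIES = [
    r"c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\userinit.exe",
    r"c:\windows\system32\userinit.exe",
    r"c:\windows\system32\dllcache\userinit.exe",
]


def digests(path, chunk=1 << 20):
    """SHA-256 and MD5 of a file, read in chunks (MD5 is what 2009-era
    scanners keyed their reports on; SHA-256 is what you should keep)."""
    sha, md5 = hashlib.sha256(), hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            sha.update(block)
            md5.update(block)
    return sha.hexdigest(), md5.hexdigest()


def group_by_digest(paths):
    """Map SHA-256 -> list of paths with identical content; missing files are skipped."""
    groups = defaultdict(list)
    for p in paths:
        if os.path.isfile(p):
            groups[digests(p)[0]].append(p)
    return dict(groups)


def uploads_needed(groups):
    """One representative path per distinct digest."""
    return [paths[0] for paths in groups.values()]


def demo():
    """Constructed stand-in for the three copies: system32 and dllcache identical,
    the SoftwareDistribution copy different. Returns digest -> base names."""
    samples = [
        ("SoftwareDistribution_userinit.exe", b"MZ constructed sample A"),
        ("system32_userinit.exe", b"MZ constructed sample B"),
        ("dllcache_userinit.exe", b"MZ constructed sample B"),
    ]
    with tempfile.TemporaryDirectory() as d:
        paths = []
        for name, content in samples:
            p = os.path.join(d, name)
            with open(p, "wb") as f:
                f.write(content)
            paths.append(p)
        groups = group_by_digest(paths)
        return {dg: [os.path.basename(p) for p in ps] for dg, ps in groups.items()}


if __name__ == "__main__":
    present = [p for p in USERINIT_COPIES if os.path.isfile(p)]
    groups = group_by_digest(present) if present else demo()
    for digest, paths in groups.items():
        print(digest, "->", ", ".join(paths))
    print("distinct uploads needed:", len(uploads_needed(groups)))
```

Run on the real paths, two groups would mean two uploads instead of three; if system32 and dllcache land in different groups, that pair is the one to look at before anything else.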

Shaba
2009-05-12, 07:10
Due to the lack of feedback, this topic is closed.

If it has been four days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than four days since your last response and you need the thread re-opened, please send a private message (pm). A valid, working link to the closed topic is required. Please do not add any logs that might have been requested in the closed topic, you would be starting fresh.

Everyone else please begin a New Topic.