Definitely have malware :(

CamaroJeff
2009-09-28, 18:42
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:39:19 AM, on 9/28/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16876)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\lxczcoms.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\notepad.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.98rock.com/cc-common/babes/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O1 - Hosts: 216.19.0.250 idenupdate.motorola.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: dsWebAllowBHO Class - {2F85D76C-0569-466F-A488-493E6BD0E955} - C:\Program Files\Windows Desktop Search\dsWebAllow.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Browser Helper Object - {AFD4AD01-58C1-47DB-A404-FBE00A6C5486} - C:\Program Files\Shared\lib.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [Ksebuhey] rundll32.exe "C:\WINDOWS\urufixej.dll",e
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Startup: ikowin32.exe
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files\ieSpell\Merriam Webster.HTM
O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\ieSpell\wikipedia.HTM
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540000} - http://66.154.44.68/cam/Install.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,90/mcinsctl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by14fd.bay14.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {8E28B3A9-FE83-45D1-B657-D5426B81A121} (CustomerCtrl Class) - https://cs7b.instantservice.com/jars/customerxsigned42.cab
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsole/Bundler/CAB/RealArcadeRdxIE.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,23/mcgdmgr.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab
O16 - DPF: {D9EA64B2-B966-E177-332C-78B69886526D} - http://download.newaol.com/bkpromo/download/PerformerSetup.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O18 - Filter hijack: text/html - {d9d9d031-9536-47bb-8aa2-d3a1501a502d} - C:\WINDOWS\system32\dsound3dd.dll
O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: lxcz_device - - C:\WINDOWS\system32\lxczcoms.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
O23 - Service: TVersityMediaServer - Unknown owner - C:\Program Files\TVersity\Media Server\MediaServer.exe
O23 - Service: Automatic Updates (wuauserv) - Unknown owner - C:\WINDOWS\

--
End of file - 7849 bytes

Blade81
2009-10-02, 17:24
Hi,

Download DDS and save it to your desktop from here (http://www.techsupportforum.com/sectools/sUBs/dds) or here (http://download.bleepingcomputer.com/sUBs/dds.scr) or here (http://www.forospyware.com/sUBs/dds).
Disable any script blocker, and then double-click dds.scr to run the tool.
When done, DDS will open two (2) logs:
DDS.txt
Attach.txt

Save both reports to your desktop. Post them back to your topic.


Download GMER (http://www.gmer.net) by clicking the download exe button and then saving it to your desktop:
-Double-click the .exe that you downloaded.
-Click the Rootkit tab and then Scan.
-Don't check the Show All box while the scan is in progress!
-When scanning is ready, click Copy. This copies the log to the clipboard.
-Post the log in your reply.

CamaroJeff
2009-10-03, 03:47
Okay, DDS came up with these.

DDS.txt


DDS (Ver_09-09-29.01) - NTFSx86
Run by Spiderman at 20:43:32.89 on Fri 10/02/2009
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.201 [GMT -4:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\system32\lxczcoms.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RunDLL32.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\notepad.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\SYSTEM32\notepad.exe
C:\Documents and Settings\Spiderman\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.98rock.com/cc-common/babes/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = 127.0.0.1
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: dsWebAllowBHO Class: {2f85d76c-0569-466f-a488-493e6bd0e955} - c:\program files\windows desktop search\dsWebAllow.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: Browser Helper Object: {afd4ad01-58c1-47db-a404-fbe00a6c5486} - c:\program files\shared\lib.dll
TB: {4E7BD74F-2B8D-469E-D0FC-E57AF4D5FA7D} - No File
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
TB: {8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - No File
EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
mRun: [FaxCenterServer] "c:\program files\lexmark fax solutions\fm3032.exe" /s
mRun: [Ksebuhey] rundll32.exe "c:\windows\urufixej.dll",e
dRunOnce: [RunNarrator] Narrator.exe
StartupFolder: c:\documents and settings\spiderman\start menu\programs\startup\ikowin32.exe
IE: &ieSpell Options - c:\program files\iespell\iespell.dll/SPELLOPTION.HTM
IE: &Search
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: Check &Spelling - c:\program files\iespell\iespell.dll/SPELLCHECK.HTM
IE: Lookup on Merriam Webster - file://c:\program files\iespell\Merriam Webster.HTM
IE: Lookup on Wikipedia - file://c:\program files\iespell\wikipedia.HTM
IE: {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - res://c:\program files\iespell\iespell.dll/SPELLCHECK.HTM
IE: {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - res://c:\program files\iespell\iespell.dll/SPELLOPTION.HTM
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - c:\windows\system32\msjava.dll
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/templates/ieawsdc.cab
DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} - hxxp://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} - hxxp://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
DPF: {205FF73B-CA67-11D5-99DD-444553540000} - hxxp://66.154.44.68/cam/Install.cab
DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} - hxxp://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
DPF: {33564D57-9980-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/wmv9dmo.cab
DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - hxxp://lads.myspace.com/upload/MySpaceUploader1006.cab
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,90/mcinsctl.cab
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://by14fd.bay14.hotmail.msn.com/resources/MsnPUpld.cab
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://download.divx.com/player/DivXBrowserPlugin.cab
DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} - hxxp://chat.yahoo.com/cab/yacsui.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {8E28B3A9-FE83-45D1-B657-D5426B81A121} - hxxps://cs7b.instantservice.com/jars/customerxsigned42.cab
DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} - hxxp://games-dl.real.com/gameconsole/Bundler/CAB/RealArcadeRdxIE.cab
DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - hxxp://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,23/mcgdmgr.cab
DPF: {CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab
DPF: {D9EA64B2-B966-E177-332C-78B69886526D} - hxxp://download.newaol.com/bkpromo/download/PerformerSetup.cab
DPF: {DE22A7AB-A739-4C58-AD52-21F9CD6306B7} - hxxp://download.microsoft.com/download/7/E/6/7E6A8567-DFE4-4624-87C3-163549BE2704/clearadj.cab
DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} - hxxp://fdl.msn.com/zone/datafiles/heartbeat.cab
Filter: text/html - {d9d9d031-9536-47bb-8aa2-d3a1501a502d} - c:\windows\system32\dsound3dd.dll
Notify: igfxcui - igfxsrvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
SEH: {4A54500A-65FE-4F4A-B860-20EAE2F577F9} - No File
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll
LSA: Notification Packages = scecli carcpc.dll

============= SERVICES / DRIVERS ===============

R2 lxcz_device;lxcz_device;c:\windows\system32\lxczcoms.exe -service --> c:\windows\system32\lxczcoms.exe -service [?]
S3 brfilt;Brother MFC Filter Driver;c:\windows\system32\drivers\BrFilt.sys [2006-8-13 2944]
S3 brparimg;Brother Multi Function Parallel Image driver;c:\windows\system32\drivers\BrParImg.sys [2006-8-13 3168]
S3 BrParWdm;Brother WDM Parallel Driver;c:\windows\system32\drivers\BrParwdm.sys [2006-8-13 39552]
S3 BrSerWDM;Brother Serial driver;c:\windows\system32\drivers\BrSerWdm.sys [2006-8-13 60416]
S3 DMSKSSRh;DMSKSSRh;\??\c:\docume~1\spider~1\locals~1\temp\dmskssrh.sys --> c:\docume~1\spider~1\locals~1\temp\DMSKSSRh.sys [?]
S3 SaiNtSub;SaiNtSub;c:\windows\system32\drivers\SaiNtSub.sys [2005-2-4 19200]
S3 samhid;samhid;c:\windows\system32\drivers\samhid.sys --> c:\windows\system32\drivers\samhid.sys [?]

=============== Created Last 30 ================

2009-10-02 20:39 14,514 a------- c:\windows\itecigitulob.dll
2009-10-02 17:41 13,067 a------- c:\windows\ifidevac.dll
2009-10-02 07:21 12,291 a------- c:\windows\anelizodowurafox.dll
2009-10-01 21:19 11,460 a------- c:\windows\eleharuculihi.dll
2009-10-01 17:28 11,650 a------- c:\windows\okehazuyosegefim.dll
2009-09-30 23:20 12,390 a------- c:\windows\urucozis.dll
2009-09-30 20:02 15,257 a------- c:\windows\ukoyuzubizeb.dll
2009-09-30 18:03 11,576 a------- c:\windows\imujoxuc.dll
2009-09-30 07:18 11,520 a------- c:\windows\ufiyosegef.dll
2009-09-29 21:32 11,581 a------- c:\windows\imunesey.dll
2009-09-29 19:30 11,638 a------- c:\windows\egayiyoh.dll
2009-09-29 17:32 11,520 a------- c:\windows\isitibuxer.dll
2009-09-29 07:02 13,701 a------- c:\windows\ajibatidedug.dll
2009-09-28 22:40 11,404 a------- c:\windows\okecuvuhoxuquxoj.dll
2009-09-28 15:27 11,638 a------- c:\windows\upotepin.dll
2009-09-28 13:25 11,520 a------- c:\windows\oxumopuduy.dll
2009-09-28 11:23 11,576 a------- c:\windows\iyatahixowetohe.dll
2009-09-27 21:45 11,706 a------- c:\windows\awaworucato.dll
2009-09-27 15:54 11,520 a------- c:\windows\ajayelovawubixax.dll
2009-09-27 09:26 11,644 a------- c:\windows\inutezezuquj.dll
2009-09-26 19:29 11,638 a------- c:\windows\ibimapiqiyonox.dll
2009-09-26 17:27 11,638 a------- c:\windows\ogipucovotuket.dll
2009-09-26 15:28 11,638 a------- c:\windows\asicolal.dll
2009-09-25 13:09 11,520 a------- c:\windows\oraluwen.dll
2009-09-25 07:19 13,740 a------- c:\windows\ugifiwuz.dll
2009-09-24 20:53 11,576 a------- c:\windows\ayimapiq.dll
2009-09-24 18:52 11,644 a------- c:\windows\opohugil.dll
2009-09-24 12:37 11,520 a------- c:\windows\eheriwesozo.dll
2009-09-24 10:35 13,675 a------- c:\windows\abozemiz.dll
2009-09-24 08:33 12,904 a------- c:\windows\ufihilofej.dll
2009-09-24 06:31 11,448 a------- c:\windows\odajezoweqoh.dll
2009-09-24 04:29 11,706 a------- c:\windows\oqegovagifobaw.dll
2009-09-24 02:27 11,448 a------- c:\windows\osutiles.dll
2009-09-24 00:25 11,162 a------- c:\windows\ifereweha.dll
2009-09-23 22:23 12,108 a------- c:\windows\ebocoroj.dll
2009-09-23 20:21 11,386 a------- c:\windows\orehifuc.dll
2009-09-23 18:19 11,588 a------- c:\windows\elujewuj.dll
2009-09-23 16:17 11,330 a------- c:\windows\amikulej.dll
2009-09-23 14:15 11,392 a------- c:\windows\ofuvozeraz.dll
2009-09-23 12:13 11,392 a------- c:\windows\edojolij.dll
2009-09-23 10:11 11,448 a------- c:\windows\udociluvunebur.dll
2009-09-23 08:09 11,330 a------- c:\windows\amezawuf.dll
2009-09-23 06:07 12,029 a------- c:\windows\ofofafawi.dll
2009-09-23 04:05 12,056 a------- c:\windows\edilaref.dll
2009-09-23 02:03 11,330 a------- c:\windows\uwodewiy.dll
2009-09-23 00:01 12,825 a------- c:\windows\ebimizih.dll
2009-09-22 21:59 11,650 a------- c:\windows\evayasomizih.dll
2009-09-22 19:57 11,588 a------- c:\windows\omelolac.dll
2009-09-22 17:55 11,386 a------- c:\windows\unuhovehula.dll
2009-09-22 15:53 11,386 a------- c:\windows\ubejefiq.dll
2009-09-22 13:51 11,386 a------- c:\windows\utogofor.dll
2009-09-22 11:49 11,386 a------- c:\windows\efemirux.dll
2009-09-22 09:47 11,448 a------- c:\windows\aduyamuk.dll
2009-09-22 07:45 11,448 a------- c:\windows\uhodesuvaruk.dll
2009-09-22 05:43 11,448 a------- c:\windows\uwapalir.dll
2009-09-22 03:41 12,895 a------- c:\windows\opunevif.dll
2009-09-22 01:39 12,116 a------- c:\windows\ofoqusiwoj.dll
2009-09-21 23:37 12,851 a------- c:\windows\ejodafaw.dll
2009-09-21 21:35 11,386 a------- c:\windows\irakarat.dll
2009-09-21 19:33 11,386 a------- c:\windows\amukupugebudax.dll
2009-09-21 17:32 87,168 a------- c:\windows\system32\drivers\3e3b0e9.sys
2009-09-21 17:31 11,448 a------- c:\windows\ixuqeduk.dll
2009-09-21 10:52 11,386 a------- c:\windows\imawiloji.dll
2009-09-21 08:50 12,047 a------- c:\windows\idogezorijegozu.dll
2009-09-21 06:48 11,650 a------- c:\windows\axinirumecahalev.dll
2009-09-21 04:46 11,448 a------- c:\windows\ojuqafar.dll
2009-09-21 02:44 11,448 a------- c:\windows\uvikuwafonut.dll
2009-09-21 00:42 12,329 a------- c:\windows\ukayewecig.dll
2009-09-20 22:40 13,645 a------- c:\windows\ojipevubeqovuzi.dll
2009-09-20 20:38 11,386 a------- c:\windows\enuxusum.dll
2009-09-20 18:36 11,330 a------- c:\windows\arihexop.dll
2009-09-20 16:34 12,198 a------- c:\windows\oheqazejo.dll
2009-09-20 14:32 11,448 a------- c:\windows\ukifefeqacolal.dll
2009-09-20 12:30 11,392 a------- c:\windows\ubelerih.dll
2009-09-20 10:28 11,448 a------- c:\windows\ejidiwoxewofes.dll
2009-09-20 08:26 11,706 a------- c:\windows\atomanap.dll
2009-09-20 06:24 12,112 a------- c:\windows\ikenalepetiyo.dll
2009-09-20 04:22 12,065 a------- c:\windows\uxosuloromazizu.dll
2009-09-20 02:20 12,001 a------- c:\windows\ejeruzifuloru.dll
2009-09-20 00:18 14,565 a------- c:\windows\atezosowuwu.dll
2009-09-19 22:16 12,293 a------- c:\windows\iwisefubemob.dll
2009-09-19 20:14 11,392 a------- c:\windows\arubawutilesol.dll
2009-09-19 18:12 11,448 a------- c:\windows\uhinufeworitulus.dll
2009-09-19 16:10 11,706 a------- c:\windows\uxeturet.dll
2009-09-19 14:08 11,588 a------- c:\windows\aweqasoqege.dll
2009-09-19 12:06 11,386 a------- c:\windows\okucuzuhifuci.dll
2009-09-19 10:04 11,386 a------- c:\windows\ifocoxicakihev.dll
2009-09-19 08:02 12,757 a------- c:\windows\owebalikoqatu.dll
2009-09-19 06:00 13,906 a------- c:\windows\ixikerevafidel.dll
2009-09-19 03:58 11,448 a------- c:\windows\eqavafidelujolij.dll
2009-09-19 01:56 11,386 a------- c:\windows\awequmofut.dll
2009-09-18 23:54 11,386 a------- c:\windows\ifiyuruwokuqisal.dll
2009-09-18 21:52 11,386 a------- c:\windows\uyezizaz.dll
2009-09-18 19:50 11,386 a------- c:\windows\ewovuzitoha.dll
2009-09-18 17:48 11,386 a------- c:\windows\orejulowu.dll
2009-09-18 15:49 11,588 a------- c:\windows\olenelanavecazu.dll
2009-09-18 01:52 12,368 a------- c:\windows\ofeholuh.dll
2009-09-17 23:50 11,386 a------- c:\windows\idujizuqu.dll
2009-09-17 21:48 11,588 a------- c:\windows\oteqesuhelehizu.dll
2009-09-17 19:46 11,448 a------- c:\windows\usotolix.dll
2009-09-17 17:44 11,448 a------- c:\windows\uhoyiger.dll
2009-09-17 15:42 11,448 a------- c:\windows\epulifipuluk.dll
2009-09-17 13:40 11,386 a------- c:\windows\uhikorilowadil.dll
2009-09-17 11:38 11,644 a------- c:\windows\ukonirumecah.dll
2009-09-17 09:36 11,588 a------- c:\windows\eleqafarip.dll
2009-09-17 07:34 11,386 a------- c:\windows\obawulevefi.dll
2009-09-17 05:32 13,586 a------- c:\windows\iqokilomi.dll
2009-09-17 03:30 11,706 a------- c:\windows\icopevubeqo.dll
2009-09-17 01:28 11,706 a------- c:\windows\udexusumo.dll
2009-09-16 23:26 11,448 a------- c:\windows\acerimuquj.dll
2009-09-16 21:24 13,060 a------- c:\windows\ecefotoc.dll
2009-09-16 19:22 11,330 a------- c:\windows\exelowunikazubi.dll
2009-09-16 17:20 11,588 a------- c:\windows\anurituci.dll
2009-09-16 15:18 11,386 a------- c:\windows\ekoboneravasam.dll
2009-09-16 13:16 11,386 a------- c:\windows\ucagosixaxeteted.dll
2009-09-16 11:14 11,706 a------- c:\windows\uxatigokidonot.dll
2009-09-16 09:12 11,448 a------- c:\windows\alewanulamolimar.dll
2009-09-16 07:10 11,280 a------- c:\windows\ajocetuw.dll
2009-09-16 05:08 11,330 a------- c:\windows\onehebaf.dll
2009-09-16 03:08 13,003 a------- c:\windows\odehusucam.dll
2009-09-16 00:30 11,392 a------- c:\windows\ufirubohojafabi.dll
2009-09-15 22:28 11,392 a------- c:\windows\ewizotuqo.dll
2009-09-15 20:26 11,392 a------- c:\windows\uvamibah.dll
2009-09-15 18:24 11,386 a------- c:\windows\ehigozux.dll
2009-09-15 16:22 11,588 a------- c:\windows\oliyonidopumam.dll
2009-09-15 14:20 11,386 a------- c:\windows\uribiyov.dll
2009-09-15 12:21 11,386 a------- c:\windows\ucijumuqobo.dll
2009-09-15 10:02 11,386 a------- c:\windows\eyudobuvo.dll
2009-09-15 08:00 11,386 a------- c:\windows\awiritadumo.dll
2009-09-15 05:58 11,448 a------- c:\windows\adafegizutaz.dll
2009-09-15 03:56 11,532 a------- c:\windows\ucelesolas.dll
2009-09-15 01:54 11,386 a------- c:\windows\ibuwunoz.dll
2009-09-14 23:52 12,277 a------- c:\windows\ajakigat.dll
2009-09-14 21:50 11,588 a------- c:\windows\ixiyetasoyu.dll
2009-09-14 19:48 11,386 a------- c:\windows\enebebaguwimu.dll
2009-09-14 17:46 11,392 a------- c:\windows\amifepohebafi.dll
2009-09-14 15:44 11,448 a------- c:\windows\ucezitoha.dll
2009-09-14 13:42 11,706 a------- c:\windows\abahakucadic.dll
2009-09-14 11:40 11,644 a------- c:\windows\ukicagayusaqitih.dll
2009-09-14 09:38 11,588 a------- c:\windows\ucoyenev.dll
2009-09-14 07:36 13,751 a------- c:\windows\obiwiyel.dll
2009-09-14 05:34 11,330 a------- c:\windows\ucikiwikisoxe.dll
2009-09-14 03:32 13,111 a------- c:\windows\usoniwulaqo.dll
2009-09-14 01:30 11,392 a------- c:\windows\agaqatuza.dll
2009-09-13 23:28 11,650 a------- c:\windows\uxucubalepi.dll
2009-09-13 21:26 11,448 a------- c:\windows\ijuxorigeg.dll
2009-09-13 19:38 11,386 a------- c:\windows\adexipab.dll
2009-09-13 17:36 11,330 a------- c:\windows\utodiqatarive.dll
2009-09-13 15:34 11,386 a------- c:\windows\eqamoyes.dll
2009-09-13 13:32 11,386 a------- c:\windows\uyazoquqisefac.dll
2009-09-13 11:29 11,448 a------- c:\windows\olumodet.dll
2009-09-13 09:27 11,448 a------- c:\windows\omiyeviw.dll
2009-09-13 08:18 12,762 a------- c:\windows\acavakadevi.dll
2009-09-13 06:20 12,791 a------- c:\windows\uvajivanoq.dll
2009-09-13 04:00 13,866 a------- c:\windows\apegupiditemekok.dll
2009-09-13 02:02 11,391 a------- c:\windows\urewixanimi.dll
2009-09-12 23:42 11,448 a------- c:\windows\eduhovoj.dll
2009-09-12 21:40 12,001 a------- c:\windows\eyogudorayeher.dll
2009-09-12 19:38 11,330 a------- c:\windows\olemopajeboy.dll
2009-09-12 17:36 11,391 a------- c:\windows\unuwevev.dll
2009-09-12 15:35 11,386 a------- c:\windows\ekesuyeg.dll
2009-09-12 15:11 <DIR> --d----- c:\windows\system32\wbem\Repository

==================== Find3M ====================

2009-09-01 11:21 11,588 a------- c:\windows\urocawaj.dll
2009-09-01 09:19 12,091 a------- c:\windows\ipopuficuzuhi.dll
2009-09-01 07:17 13,025 a------- c:\windows\ebajurij.dll
2009-09-01 05:15 11,392 a------- c:\windows\oferesox.dll
2009-09-01 03:13 11,448 a------- c:\windows\exovevukov.dll
2009-09-01 01:11 11,392 a------- c:\windows\exapejid.dll
2009-08-31 23:09 13,676 a------- c:\windows\uracusezejoher.dll
2009-08-31 21:07 12,274 a------- c:\windows\ofazowem.dll
2009-08-31 19:05 11,330 a------- c:\windows\eximifora.dll
2009-08-31 17:03 11,330 a------- c:\windows\ewolorom.dll
2009-08-31 15:01 11,386 a------- c:\windows\ovadurayapeva.dll
2009-08-31 12:59 11,392 a------- c:\windows\uwemavab.dll
2009-08-31 10:57 11,386 a------- c:\windows\upuyosamavab.dll
2009-08-31 08:55 12,329 a------- c:\windows\oyolaloc.dll
2009-08-31 06:53 14,738 a------- c:\windows\iwewogij.dll
2009-08-31 04:51 11,330 a------- c:\windows\irenufuq.dll
2009-08-31 02:49 11,386 a------- c:\windows\ifogafek.dll
2009-08-31 00:47 11,448 a------- c:\windows\ibotuwef.dll
2009-08-30 22:45 11,392 a------- c:\windows\awayofik.dll
2009-08-30 20:43 11,335 a------- c:\windows\iqejinur.dll
2009-08-30 18:41 11,330 a------- c:\windows\ugiholur.dll
2009-08-30 16:39 11,330 a------- c:\windows\oxenozum.dll
2009-08-30 14:37 11,391 a------- c:\windows\ejotilarej.dll
2009-08-30 12:35 11,330 a------- c:\windows\usoxivaz.dll
2009-08-30 10:33 11,588 a------- c:\windows\alotakob.dll
2009-08-28 19:27 11,448 a------- c:\windows\acaderotegixiv.dll
2009-08-28 17:25 11,386 a------- c:\windows\avukejubetovapuz.dll
2009-08-28 15:23 11,386 a------- c:\windows\iqafovah.dll
2009-08-28 13:21 11,588 a------- c:\windows\oviloqetuguzele.dll
2009-08-28 11:19 11,386 a------- c:\windows\ejerivehamiro.dll
2009-08-28 09:17 11,588 a------- c:\windows\ogakupujaxakuqe.dll
2009-08-28 07:15 11,392 a------- c:\windows\aqugojudoyatupek.dll
2009-08-28 05:13 11,448 a------- c:\windows\ixitikapawogep.dll
2009-08-28 03:11 11,448 a------- c:\windows\aborerew.dll
2009-08-28 01:09 12,168 a------- c:\windows\avezaxifivufep.dll
2009-08-27 23:07 11,330 a------- c:\windows\ewihedil.dll
2009-08-27 21:05 11,330 a------- c:\windows\avanepoza.dll
2009-08-27 19:03 11,330 a------- c:\windows\itedowubucu.dll
2009-07-26 12:58 182,656 a------- c:\windows\system32\dllcache\ndis.sys
2009-07-19 09:33 3,597,824 a------- c:\windows\system32\dllcache\mshtml.dll
2009-07-19 09:32 6,067,200 -------- c:\windows\system32\dllcache\ieframe.dll
2009-07-17 15:01 58,880 a------- c:\windows\system32\atl.dll
2009-07-17 15:01 58,880 a------- c:\windows\system32\atl(3)(3).dll
2009-07-17 15:01 58,880 -------- c:\windows\system32\dllcache\atl.dll
2009-07-13 23:43 10,841,088 a------- c:\windows\system32\dllcache\wmp.dll
2009-07-13 23:43 286,208 a------- c:\windows\system32\wmpdxm.dll
2009-07-13 23:43 286,208 -------- c:\windows\system32\dllcache\wmpdxm.dll
2009-07-10 09:27 1,315,328 -------- c:\windows\system32\dllcache\msoe.dll
2007-03-29 09:13 87,608 a------- c:\docume~1\spider~1\applic~1\ezpinst.exe
2007-03-29 09:13 47,360 a------- c:\docume~1\spider~1\applic~1\pcouffin.sys
2006-11-25 03:57 482 a------- c:\program files\Del.js
2005-08-21 12:42 905 ac------ c:\program files\uninstal.log
2004-07-09 19:24 784 a------- c:\docume~1\spider~1\applic~1\mpauth.dat
2006-01-11 02:41 56 ---shr-- c:\windows\system32\6BBF71BA10.sys
2006-09-23 20:47 10,856 a--sh--- c:\windows\system32\KGyGaAvL.sys
2009-02-09 23:52 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009020920090210\index.dat

============= FINISH: 20:44:57.71 ===============
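
Reading the "Created Last 30" section of a DDS log like the one above by hand is tedious, so here is a small Python triage helper (an added example, not a tool from this thread or from the DDS author) that parses DDS file-listing lines and flags the pattern visible in the log: small DLLs with long, random, all-letter names dropped straight into c:\windows at roughly two-hour intervals, while leaving normal system32 entries alone. The size limit, the name-length rule and the interval window are my own heuristics, and the sample input is a handful of lines copied from the log plus two benign entries for contrast.

```python
import re
from datetime import datetime

# DDS "Created Last 30" / "Find3M" line layout: date time size attrs path
DDS_LINE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2})\s+"
    r"(?P<size>[\d,]+|<DIR>)\s+(?P<attrs>\S+)\s+(?P<path>.+?)\s*$"
)

# Sample lines taken from the DDS log posted above, plus a driver and a
# system32 file that a sane heuristic must NOT flag.
SAMPLE_LOG = """\
2009-10-02 20:39 14,514 a------- c:\\windows\\itecigitulob.dll
2009-10-02 17:41 13,067 a------- c:\\windows\\ifidevac.dll
2009-09-23 22:23 12,108 a------- c:\\windows\\ebocoroj.dll
2009-09-23 20:21 11,386 a------- c:\\windows\\orehifuc.dll
2009-09-23 18:19 11,588 a------- c:\\windows\\elujewuj.dll
2009-09-23 16:17 11,330 a------- c:\\windows\\amikulej.dll
2009-09-21 17:32 87,168 a------- c:\\windows\\system32\\drivers\\3e3b0e9.sys
2009-09-12 15:11 <DIR> --d----- c:\\windows\\system32\\wbem\\Repository
2009-07-17 15:01 58,880 a------- c:\\windows\\system32\\atl.dll
"""

# Heuristic (my own): a DLL directly under %windir% whose stem is eight or
# more lowercase letters, i.e. the randomly generated names seen in the log.
RANDOM_DLL = re.compile(r"^c:\\windows\\[a-z]{8,}\.dll$")


def parse_dds_entries(text):
    """Parse DDS file-listing lines into dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = DDS_LINE.match(line.strip())
        if not m:
            continue
        size = None if m["size"] == "<DIR>" else int(m["size"].replace(",", ""))
        entries.append({
            "when": datetime.strptime(f"{m['date']} {m['time']}", "%Y-%m-%d %H:%M"),
            "size": size,
            "attrs": m["attrs"],
            "path": m["path"].lower(),
        })
    return entries


def suspicious_windir_dlls(entries, max_size=20_000):
    """Small DLLs dropped directly into %windir% with a long random-looking name."""
    return sorted(
        e["path"] for e in entries
        if e["size"] is not None and e["size"] <= max_size and RANDOM_DLL.match(e["path"])
    )


def creation_intervals_minutes(entries):
    """Minutes between consecutive creations of the flagged DLLs, oldest first."""
    hits = sorted(e["when"] for e in entries if RANDOM_DLL.match(e["path"]))
    return [int((b - a).total_seconds() // 60) for a, b in zip(hits, hits[1:])]


def triage(text, low=90, high=200):
    """Summarise the drop pattern: flagged paths, gaps, and how many gaps look periodic."""
    entries = parse_dds_entries(text)
    gaps = creation_intervals_minutes(entries)
    return {
        "flagged": suspicious_windir_dlls(entries),
        "gaps_minutes": gaps,
        # Gaps inside the window are the "one new DLL every couple of hours" signature
        "periodic_pairs": sum(1 for g in gaps if low <= g <= high),
    }


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for path in result["flagged"]:
        print("suspicious:", path)
    print("gaps (min):", result["gaps_minutes"])
    print("periodic pairs:", result["periodic_pairs"])
```

Feeding the full "Created Last 30" and "Find3M" sections through `triage()` shows how many consecutive drops sit in the two-hour window, which is the quickest way to tell a periodic dropper from a one-off file.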

CamaroJeff
2009-10-03, 03:50
Working on zipping attach.txt, it says to zip the file and attach. Might take me a few to do that...

CamaroJeff
2009-10-03, 04:00
Okay, I can unzip files, but I'm not sure how to go about zipping and attaching. It says in the text file:

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

I'm not sure where to go from here.



GMER came up with this as an option before any scan was possible:

WARNING !!!
GMER has found system modification, which might have been caused by ROOTKIT activity. Do you want to fully scan your system ?

GMER showed up as jpi5ewj4.exe upon saving and as running through task manager. Not sure where to go from there either.

I do appreciate your help very much and patience is definitely a virtue of mine at the moment. I just want to get this thing running like normal again :sad:

Blade81
2009-10-03, 13:14
Hi,

It's ok to paste attach.txt contents into your post without zipping :)

In GMER's case, let it finish its scan and then:
-When scanning is ready, click Copy button (in GMER). This copies log to clipboard.
-Post log in your reply.

CamaroJeff
2009-10-03, 15:40
Alright, here's what attach.txt came up with. Going to scan with GMER and post results momentarily.




UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-09-29.01)

Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume2
Install Date: 7/9/2004 6:12:37 PM
System Uptime: 9/29/2009 6:39:44 AM (86 hours ago)

Motherboard: Dell Computer Corp. | | 0C2425
Processor: Intel(R) Celeron(R) CPU 2.50GHz | Microprocessor | 2491/400mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 71 GiB total, 4.52 GiB free.
D: is CDROM ()
E: is CDROM ()
F: is CDROM ()

==== Disabled Device Manager Items =============

Class GUID: {4D36E96E-E325-11CE-BFC1-08002BE10318}
Description: Plug and Play Monitor
Device ID: DISPLAY\DELD002\4&328453E3&0&80861100&00&02
Manufacturer: (Standard monitor types)
Name: Plug and Play Monitor
PNP Device ID: DISPLAY\DELD002\4&328453E3&0&80861100&00&02
Service:

Class GUID: {4D36E96D-E325-11CE-BFC1-08002BE10318}
Description: Intel(R) 537EP V9x DFV PCI Modem
Device ID: PCI\VEN_8086&DEV_1080&SUBSYS_10001028&REV_04\4&3B1CAF2B&0&30F0
Manufacturer: Intel Corporation
Name: Intel(R) 537EP V9x DFV PCI Modem
PNP Device ID: PCI\VEN_8086&DEV_1080&SUBSYS_10001028&REV_04\4&3B1CAF2B&0&30F0
Service: Modem

Class GUID: {4D36E980-E325-11CE-BFC1-08002BE10318}
Description: Floppy disk drive
Device ID: FDC\GENERIC_FLOPPY_DRIVE\5&C4AE404&0&0
Manufacturer: (Standard floppy disk drives)
Name: Floppy disk drive
PNP Device ID: FDC\GENERIC_FLOPPY_DRIVE\5&C4AE404&0&0
Service: flpydisk

Class GUID: {8ECC055D-047F-11D1-A537-0000F8753ED1}
Description: ATI WDM TV Tuner (Microsoft)
Device ID: ROOT\LEGACY_ATITUNEP\0000
Manufacturer:
Name: ATI WDM TV Tuner (Microsoft)
PNP Device ID: ROOT\LEGACY_ATITUNEP\0000
Service: ATITUNEP

Class GUID: {8ECC055D-047F-11D1-A537-0000F8753ED1}
Description: ATI WDM TV Audio Crossbar (Microsoft)
Device ID: ROOT\LEGACY_ATIXSAUDIO\0000
Manufacturer:
Name: ATI WDM TV Audio Crossbar (Microsoft)
PNP Device ID: ROOT\LEGACY_ATIXSAUDIO\0000
Service: ATIXSAudio

Class GUID: {8ECC055D-047F-11D1-A537-0000F8753ED1}
Description: ATI WDM Specialized MVD Codec (Microsoft)
Device ID: ROOT\LEGACY_MVDCODEC\0000
Manufacturer:
Name: ATI WDM Specialized MVD Codec (Microsoft)
PNP Device ID: ROOT\LEGACY_MVDCODEC\0000
Service: MVDCODEC

Class GUID: {8ECC055D-047F-11D1-A537-0000F8753ED1}
Description: ATI WDM Specialized PCD Codec (Microsoft)
Device ID: ROOT\LEGACY_PCDCODEC\0000
Manufacturer:
Name: ATI WDM Specialized PCD Codec (Microsoft)
PNP Device ID: ROOT\LEGACY_PCDCODEC\0000
Service: PCDCODEC

==== System Restore Points ===================

RP536: 9/11/2009 6:08:04 PM - Restore Operation
RP537: 9/12/2009 3:07:10 PM - Restore Operation
RP538: 9/13/2009 3:49:33 PM - System Checkpoint
RP539: 9/14/2009 4:58:05 PM - System Checkpoint
RP540: 9/15/2009 5:29:48 PM - System Checkpoint
RP541: 9/16/2009 6:30:49 PM - System Checkpoint
RP542: 9/17/2009 7:03:11 PM - System Checkpoint
RP543: 9/18/2009 7:29:50 PM - System Checkpoint
RP544: 9/19/2009 8:57:54 PM - System Checkpoint
RP545: 9/20/2009 9:29:33 PM - System Checkpoint
RP546: 9/21/2009 9:36:49 PM - System Checkpoint
RP547: 9/22/2009 11:56:59 PM - System Checkpoint
RP548: 9/24/2009 12:34:10 AM - System Checkpoint
RP549: 9/25/2009 1:02:38 AM - System Checkpoint
RP550: 9/26/2009 2:02:31 AM - System Checkpoint
RP551: 9/27/2009 3:02:46 AM - System Checkpoint
RP552: 9/28/2009 4:02:32 AM - System Checkpoint
RP553: 9/29/2009 7:45:36 AM - System Checkpoint
RP554: 9/30/2009 8:44:28 AM - System Checkpoint
RP555: 10/1/2009 9:44:27 AM - System Checkpoint
RP556: 10/2/2009 10:44:17 AM - System Checkpoint

==== Installed Programs ======================


µTorrent
ABBYY FineReader 6.0 Sprint
AC3Filter (remove only)
Adobe Acrobat 5.0
Adobe Flash Player 10 ActiveX
Adobe Reader 7.0
AOL Instant Messenger
AutoUpdate
Banctec Service Agreement
Battlefield 2(TM)
Bejeweled 2 Deluxe 1.0
Big Fish Games Client
Bookworm Deluxe 1.03
Broadcom Management Programs
Business Card Generator Fonts
Business Card Shop
Chutes and Ladders
Critical Update for Windows Media Player 11 (KB959772)
dBpoweramp DSP Effects
Deer Avenger
Dell Driver Reset Tool
Dell Networking Guide
Dell Solution Center
DivX Codec
DVDSentry
Dyno2000 Version 3.10
ffdshow [rev 1324] [2007-07-01]
Google Video Player
GTAIII
HarryThompson.com - Webjal Patcher
Help and Support Customization
HighMAT Extension to Microsoft Windows XP CD Writing Wizard
HijackThis 2.0.2
Hot Rod Garage to Glory
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB954708)
ieSpell
Intel(R) 537EP V9x DFV PCI Modem
Intel(R) Extreme Graphics Driver
Internet Explorer Default Page
IrfanView (remove only)
Java 2 Runtime Environment, SE v1.4.2
Kaspersky Online Scanner
Learn2 Player (Uninstall Only)
Lexmark 1200 Series
Lexmark 640 Series
Lexmark Fax Solutions
Macromedia Flash Player
Macromedia Shockwave Player
MathPlayer
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Age of Empires Gold
Microsoft Application Error Reporting
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Data Access Components KB870669
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office PowerPoint Viewer 2003
Microsoft Silverlight
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
MicroStaff WINASPI
Mobsters Superbot
Modem Event Monitor
MS Access 97 SP2
MSXML 4.0 SP2 (KB925672)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 Parser and SDK
MyJAL MediaPAL
Mystery Case Files: Madame Fate ™
Need For Speed Hot Pursuit 2
Network Play System (Patching)
NVIDIA Drivers
ObjectDock
PeerGuardian 2.0
PowerDVD
QuickTime
R/C Pilot Simulator
RealFlight G3 R/C Simulator
RealFlight Simulator
RealPlayer
Saitek Configuration Software
Saitek NT Controller Drivers
Samsung CamCorder Driver
Samsung Video Codec 1.1 Uninstall
Security Update for CAPICOM (KB931906)
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Internet Explorer 7 (KB972260)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Shockwave
Sonic DLA
Sonic RecordNow!
Sonic Update Manager
Spybot - Search & Destroy
Spybot - Search & Destroy 1.5.2.20
SpywareBlaster v3.5.1
TVersity Codec Pack 1.1
TVersity Media Server 0.9.11.4 beta
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB968389)
Viewpoint Manager (Remove Only)
Viewpoint Media Player
Visual FoxPro ODBC Driver
WavePad Uninstall
WebFldrs XP
Webjal install by HarryThompson.com
Windows Desktop Search
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 7
Windows Live Sign-in Assistant
Windows Live Sync
Windows Live Upload Tool
Windows Media Format 11 runtime
Windows Media Player 11
Windows XP Service Pack 3
WinRAR archiver
ZoneAlarm Spy Blocker

==== Event Viewer Messages From Past Week ========

9/29/2009 6:59:20 AM, error: Service Control Manager [7034] - The TVersityMediaServer service terminated unexpectedly. It has done this 1 time(s).
9/29/2009 6:40:53 AM, error: Service Control Manager [7000] - The Background Intelligent Transfer Service service failed to start due to the following error: The system cannot find the file specified.
9/27/2009 9:15:15 AM, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 30 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)
9/27/2009 9:00:15 AM, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 15 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)
9/26/2009 8:21:16 PM, error: Dhcp [1002] - The IP address lease 192.168.1.100 for the Network Card with network address 000D56EFBA03 has been denied by the DHCP server 0.0.0.0 (The DHCP Server sent a DHCPNACK message).
9/25/2009 7:27:07 AM, error: Service Control Manager [7000] - The Automatic Updates service failed to start due to the following error: The system cannot find the file specified.
9/25/2009 7:27:07 AM, error: DCOM [10005] - DCOM got error "%2" attempting to start the service wuauserv with arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}

==== End Of File ===========================

CamaroJeff
2009-10-03, 20:01
Wow, that took a lot longer than I thought. Here are the results...

GMER 1.0.15.15087 - http://www.gmer.net
Rootkit scan 2009-10-03 12:54:54
Windows 5.1.2600 Service Pack 3
Running: jpi5ewj4.exe; Driver: C:\DOCUME~1\SPIDER~1\LOCALS~1\Temp\fgldqpow.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\drivers\3e3b0e9.sys ZwCreateEvent [0xBAD2F595]
SSDT \SystemRoot\System32\drivers\3e3b0e9.sys ZwCreateKey [0xBAD2D585]
SSDT sptd.sys ZwEnumerateKey [0xF8772FB2]
SSDT sptd.sys ZwEnumerateValueKey [0xF8773340]
SSDT \SystemRoot\System32\drivers\3e3b0e9.sys ZwOpenKey [0xBAD2D645]
SSDT sptd.sys ZwQueryKey [0xF8773418]
SSDT sptd.sys ZwQueryValueKey [0xF8773298]

Code 8334C500 pIofCallDriver

---- Kernel code sections - GMER 1.0.15 ----

? C:\WINDOWS\system32\drivers\sptd.sys The process cannot access the file because it is being used by another process.
.text USBPORT.SYS!DllUnload F7E228AC 5 Bytes JMP 831C41C8
? System32\Drivers\aef8tb7n.SYS The system cannot find the path specified. !
? C:\WINDOWS\System32\drivers\3e3b0e9.sys The system cannot find the file specified.

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Internet Explorer\iexplore.exe[2860] kernel32.dll!ExitProcess 7C81CB12 5 Bytes JMP 04131088 C:\WINDOWS\system32\dsound3dd.dll
? C:\WINDOWS\System32\svchost.exe[4024] image checksum mismatch; number of sections mismatch; time/date stamp mismatch;
? C:\WINDOWS\System32\svchost.exe[4032] image checksum mismatch; number of sections mismatch; time/date stamp mismatch;

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \WINDOWS\System32\Drivers\SCSIPORT.SYS[ntoskrnl.exe!IoConnectInterrupt] [F878406C] sptd.sys
IAT pci.sys[ntoskrnl.exe!IoDetachDevice] [F8784018] sptd.sys
IAT pci.sys[ntoskrnl.exe!IoAttachDeviceToDeviceStack] [F87A69AE] sptd.sys
IAT atapi.sys[ntoskrnl.exe!IoConnectInterrupt] [F878406C] sptd.sys
IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [F876DAD4] sptd.sys
IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [F876DC1A] sptd.sys
IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [F876DB9C] sptd.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [F876E748] sptd.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [F876E61E] sptd.sys
IAT \SystemRoot\System32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [F878329A] sptd.sys

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\WINDOWS\System32\svchost.exe[4024] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!RegQueryValueExW] CB8401C7
IAT C:\WINDOWS\System32\svchost.exe[4024] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!SetSecurityDescriptorDacl] 9BE90043
IAT C:\WINDOWS\System32\svchost.exe[4024] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!SetEntriesInAclW] 560001D4
IAT C:\WINDOWS\System32\svchost.exe[4024] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!SetSecurityDescriptorGroup] 06C7F18B
IAT C:\WINDOWS\System32\svchost.exe[4024] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!SetSecurityDescriptorOwner] [0043CB84] C:\WINDOWS\System32\svchost.exe (Generic Host Process for Win32 Services/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[4024] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!InitializeSecurityDescriptor] 01D48DE8
IAT C:\WINDOWS\System32\svchost.exe[4024] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!GetTokenInformation] 2444F600
IAT C:\WINDOWS\System32\svchost.exe[4024] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!OpenProcessToken] 07740108
IAT C:\WINDOWS\System32\svchost.exe[4024] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!OpenThreadToken] D55CE856
IAT C:\WINDOWS\System32\svchost.exe[4024] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!SetServiceStatus] 8B590001
IAT C:\WINDOWS\System32\svchost.exe[4024] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!RegisterServiceCtrlHandlerW] 04C25EC6
IAT C:\WINDOWS\System32\svchost.exe[4024] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!RegCloseKey] 8B55C300
IAT C:\WINDOWS\System32\svchost.exe[4024] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!RegOpenKeyExW] 1475FFEC
IAT C:\WINDOWS\System32\svchost.exe[4024] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!StartServiceCtrlDispatcherW] FF1075FF
IAT C:\WINDOWS\System32\svchost.exe[4024] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!WideCharToMultiByte] 10C48308
IAT C:\WINDOWS\System32\svchost.exe[4024] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!lstrlenW] 8B55C35D
IAT C:\WINDOWS\System32\svchost.exe[4024] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!LocalFree] 1475FFEC
IAT C:\WINDOWS\System32\svchost.exe[4024] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!GetCurrentProcess] FF1075FF
IAT C:\WINDOWS\System32\svchost.exe[4024] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!GetCurrentThread] 75FF0C75
IAT C:\WINDOWS\System32\svchost.exe[4024] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!GetProcAddress] DA58E808
IAT C:\WINDOWS\System32\svchost.exe[4024] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!LoadLibraryExW] 458B0001
IAT C:\WINDOWS\System32\svchost.exe[4024] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!LCMapStringW] 2300E800
IAT C:\WINDOWS\System32\svchost.exe[4024] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!FreeLibrary] F18B0002
IAT C:\WINDOWS\System32\svchost.exe[4024] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!lstrcpyW] E8F07589
IAT C:\WINDOWS\System32\svchost.exe[4024] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!ExpandEnvironmentStringsW] 0001D35B
IAT C:\WINDOWS\System32\svchost.exe[4024] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!lstrcmpiW] 00FC6583
IAT C:\WINDOWS\System32\svchost.exe[4024] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!ExitProcess] 8D0875FF
IAT C:\WINDOWS\System32\svchost.exe[4024] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!GetCommandLineW] 06C70C4E
IAT C:\WINDOWS\System32\svchost.exe[4024] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!InitializeCriticalSection] [0043CB90] C:\WINDOWS\System32\svchost.exe (Generic Host Process for Win32 Services/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[4024] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!GetProcessHeap] 001C95E8
IAT C:\WINDOWS\System32\svchost.exe[4024] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!SetErrorMode] E8C68B00
IAT C:\WINDOWS\System32\svchost.exe[4024] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!SetUnhandledExceptionFilter] 000223B2
IAT C:\WINDOWS\System32\svchost.exe[4024] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!RegisterWaitForSingleObject] 560004C2
IAT C:\WINDOWS\System32\svchost.exe[4024] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!InterlockedCompareExchange] 006AF18B
IAT C:\WINDOWS\System32\svchost.exe[4024] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!LoadLibraryA] 4E8D016A
IAT C:\WINDOWS\System32\svchost.exe[4024] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!QueryPerformanceCounter] 9006C70C
IAT C:\WINDOWS\System32\svchost.exe[4024] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!GetTickCount] E80043CB
IAT C:\WINDOWS\System32\svchost.exe[4024] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!GetCurrentThreadId] 000021DF
IAT C:\WINDOWS\System32\svchost.exe[4024] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!GetCurrentProcessId] E95ECE8B
IAT C:\WINDOWS\System32\svchost.exe[4024] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!GetSystemTimeAsFileTime] 0001D3EE
IAT C:\WINDOWS\System32\svchost.exe[4024] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!TerminateProcess] E8F18B56
IAT C:\WINDOWS\System32\svchost.exe[4024] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!UnhandledExceptionFilter] FFFFFFDB
IAT C:\WINDOWS\System32\svchost.exe[4024] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!LocalAlloc] 082444F6
IAT C:\WINDOWS\System32\svchost.exe[4024] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!lstrcmpW] 56077401
IAT C:\WINDOWS\System32\svchost.exe[4024] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!DelayLoadFailureHook] 01D4B5E8
IAT C:\WINDOWS\System32\svchost.exe[4024] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!NtQuerySecurityObject] 0004C25E
IAT C:\WINDOWS\System32\svchost.exe[4024] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlFreeHeap] CB9C01C7
IAT C:\WINDOWS\System32\svchost.exe[4024] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!NtOpenKey] BCE90043
IAT C:\WINDOWS\System32\svchost.exe[4024] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!wcscat] 56FFFFFF
IAT C:\WINDOWS\System32\svchost.exe[4024] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!wcscpy] 06C7F18B
IAT C:\WINDOWS\System32\svchost.exe[4024] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlAllocateHeap] [0043CB9C] C:\WINDOWS\System32\svchost.exe (Generic Host Process for Win32 Services/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[4024] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlCompareUnicodeString] FFFFAEE8
IAT C:\WINDOWS\System32\svchost.exe[4024] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlInitUnicodeString] 2444F6FF
IAT C:\WINDOWS\System32\svchost.exe[4024] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlInitializeSid] 07740108
IAT C:\WINDOWS\System32\svchost.exe[4024] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlLengthRequiredSid] D488E856
IAT C:\WINDOWS\System32\svchost.exe[4024] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlSubAuthoritySid] 8B590001
IAT C:\WINDOWS\System32\svchost.exe[4024] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!NtClose] 04C25EC6
IAT C:\WINDOWS\System32\svchost.exe[4024] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlSubAuthorityCountSid] B8046A00
IAT C:\WINDOWS\System32\svchost.exe[4024] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlGetDaclSecurityDescriptor] [00436E6D] C:\WINDOWS\System32\svchost.exe (Generic Host Process for Win32 Services/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[4024] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlQueryInformationAcl] 022265E8
IAT C:\WINDOWS\System32\svchost.exe[4024] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlGetAce] 89F18B00
IAT C:\WINDOWS\System32\svchost.exe[4024] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlImageNtHeader] 7D8BF075
IAT C:\WINDOWS\System32\svchost.exe[4024] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!wcslen] 33E85708
IAT C:\WINDOWS\System32\svchost.exe[4024] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlUnhandledExceptionFilter] 830001D3
IAT C:\WINDOWS\System32\svchost.exe[4024] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlCopySid] 8300FC65
IAT C:\WINDOWS\System32\svchost.exe[4024] @ C:\WINDOWS\System32\svchost.exe [RPCRT4.dll!RpcServerUnregisterIfEx] 06C70C4E
IAT C:\WINDOWS\System32\svchost.exe[4024] @ C:\WINDOWS\System32\svchost.exe [RPCRT4.dll!RpcMgmtWaitServerListen] [0043CB90] C:\WINDOWS\System32\svchost.exe (Generic Host Process for Win32 Services/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[4024] @ C:\WINDOWS\System32\svchost.exe [RPCRT4.dll!RpcMgmtSetServerStackSize] 001BF5E8
IAT C:\WINDOWS\System32\svchost.exe[4024] @ C:\WINDOWS\System32\svchost.exe [RPCRT4.dll!RpcServerUnregisterIf] E8C68B00
IAT C:\WINDOWS\System32\svchost.exe[4024] @ C:\WINDOWS\System32\svchost.exe [RPCRT4.dll!RpcServerListen] 00022312
IAT C:\WINDOWS\System32\svchost.exe[4024] @ C:\WINDOWS\System32\svchost.exe [RPCRT4.dll!RpcServerUseProtseqEpW] 830004C2
IAT C:\WINDOWS\System32\svchost.exe[4024] @ C:\WINDOWS\System32\svchost.exe [RPCRT4.dll!RpcServerRegisterIf] 60830020
IAT C:\WINDOWS\System32\svchost.exe[4024] @ C:\WINDOWS\System32\svchost.exe [RPCRT4.dll!I_RpcMapWin32Status] 0A8B0004
IAT C:\WINDOWS\System32\svchost.exe[4024] @ C:\WINDOWS\System32\svchost.exe [RPCRT4.dll!RpcMgmtStopServerListening] 04728B56
IAT C:\WINDOWS\System32\svchost.exe[4032] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!RegQueryValueExW] CB8401C7
IAT C:\WINDOWS\System32\svchost.exe[4032] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!SetSecurityDescriptorDacl] 9BE90043
IAT C:\WINDOWS\System32\svchost.exe[4032] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!SetEntriesInAclW] 560001D4
IAT C:\WINDOWS\System32\svchost.exe[4032] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!SetSecurityDescriptorGroup] 06C7F18B
IAT C:\WINDOWS\System32\svchost.exe[4032] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!SetSecurityDescriptorOwner] [0043CB84] C:\WINDOWS\System32\svchost.exe (Generic Host Process for Win32 Services/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[4032] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!InitializeSecurityDescriptor] 01D48DE8
IAT C:\WINDOWS\System32\svchost.exe[4032] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!GetTokenInformation] 2444F600
IAT C:\WINDOWS\System32\svchost.exe[4032] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!OpenProcessToken] 07740108
IAT C:\WINDOWS\System32\svchost.exe[4032] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!OpenThreadToken] D55CE856
IAT C:\WINDOWS\System32\svchost.exe[4032] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!SetServiceStatus] 8B590001
IAT C:\WINDOWS\System32\svchost.exe[4032] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!RegisterServiceCtrlHandlerW] 04C25EC6
IAT C:\WINDOWS\System32\svchost.exe[4032] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!RegCloseKey] 8B55C300
IAT C:\WINDOWS\System32\svchost.exe[4032] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!RegOpenKeyExW] 1475FFEC
IAT C:\WINDOWS\System32\svchost.exe[4032] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!StartServiceCtrlDispatcherW] FF1075FF
IAT C:\WINDOWS\System32\svchost.exe[4032] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!WideCharToMultiByte] 10C48308
IAT C:\WINDOWS\System32\svchost.exe[4032] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!lstrlenW] 8B55C35D
IAT C:\WINDOWS\System32\svchost.exe[4032] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!LocalFree] 1475FFEC
IAT C:\WINDOWS\System32\svchost.exe[4032] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!GetCurrentProcess] FF1075FF
IAT C:\WINDOWS\System32\svchost.exe[4032] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!GetCurrentThread] 75FF0C75
IAT C:\WINDOWS\System32\svchost.exe[4032] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!GetProcAddress] DA58E808
IAT C:\WINDOWS\System32\svchost.exe[4032] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!LoadLibraryExW] 458B0001
IAT C:\WINDOWS\System32\svchost.exe[4032] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!LCMapStringW] 2300E800
IAT C:\WINDOWS\System32\svchost.exe[4032] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!FreeLibrary] F18B0002
IAT C:\WINDOWS\System32\svchost.exe[4032] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!lstrcpyW] E8F07589
IAT C:\WINDOWS\System32\svchost.exe[4032] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!ExpandEnvironmentStringsW] 0001D35B
IAT C:\WINDOWS\System32\svchost.exe[4032] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!lstrcmpiW] 00FC6583
IAT C:\WINDOWS\System32\svchost.exe[4032] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!ExitProcess] 8D0875FF
IAT C:\WINDOWS\System32\svchost.exe[4032] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!GetCommandLineW] 06C70C4E
IAT C:\WINDOWS\System32\svchost.exe[4032] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!InitializeCriticalSection] [0043CB90] C:\WINDOWS\System32\svchost.exe (Generic Host Process for Win32 Services/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[4032] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!GetProcessHeap] 001C95E8
IAT C:\WINDOWS\System32\svchost.exe[4032] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!SetErrorMode] E8C68B00
IAT C:\WINDOWS\System32\svchost.exe[4032] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!SetUnhandledExceptionFilter] 000223B2
IAT C:\WINDOWS\System32\svchost.exe[4032] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!RegisterWaitForSingleObject] 560004C2
IAT C:\WINDOWS\System32\svchost.exe[4032] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!InterlockedCompareExchange] 006AF18B
IAT C:\WINDOWS\System32\svchost.exe[4032] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!LoadLibraryA] 4E8D016A
IAT C:\WINDOWS\System32\svchost.exe[4032] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!QueryPerformanceCounter] 9006C70C
IAT C:\WINDOWS\System32\svchost.exe[4032] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!GetTickCount] E80043CB
IAT C:\WINDOWS\System32\svchost.exe[4032] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!GetCurrentThreadId] 000021DF
IAT C:\WINDOWS\System32\svchost.exe[4032] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!GetCurrentProcessId] E95ECE8B
IAT C:\WINDOWS\System32\svchost.exe[4032] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!GetSystemTimeAsFileTime] 0001D3EE
IAT C:\WINDOWS\System32\svchost.exe[4032] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!TerminateProcess] E8F18B56
IAT C:\WINDOWS\System32\svchost.exe[4032] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!UnhandledExceptionFilter] FFFFFFDB
IAT C:\WINDOWS\System32\svchost.exe[4032] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!LocalAlloc] 082444F6
IAT C:\WINDOWS\System32\svchost.exe[4032] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!lstrcmpW] 56077401
IAT C:\WINDOWS\System32\svchost.exe[4032] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!DelayLoadFailureHook] 01D4B5E8
IAT C:\WINDOWS\System32\svchost.exe[4032] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!NtQuerySecurityObject] 0004C25E
IAT C:\WINDOWS\System32\svchost.exe[4032] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlFreeHeap] CB9C01C7
IAT C:\WINDOWS\System32\svchost.exe[4032] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!NtOpenKey] BCE90043
IAT C:\WINDOWS\System32\svchost.exe[4032] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!wcscat] 56FFFFFF
IAT C:\WINDOWS\System32\svchost.exe[4032] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!wcscpy] 06C7F18B
IAT C:\WINDOWS\System32\svchost.exe[4032] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlAllocateHeap] [0043CB9C] C:\WINDOWS\System32\svchost.exe (Generic Host Process for Win32 Services/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[4032] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlCompareUnicodeString] FFFFAEE8
IAT C:\WINDOWS\System32\svchost.exe[4032] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlInitUnicodeString] 2444F6FF
IAT C:\WINDOWS\System32\svchost.exe[4032] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlInitializeSid] 07740108
IAT C:\WINDOWS\System32\svchost.exe[4032] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlLengthRequiredSid] D488E856
IAT C:\WINDOWS\System32\svchost.exe[4032] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlSubAuthoritySid] 8B590001
IAT C:\WINDOWS\System32\svchost.exe[4032] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!NtClose] 04C25EC6
IAT C:\WINDOWS\System32\svchost.exe[4032] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlSubAuthorityCountSid] B8046A00
IAT C:\WINDOWS\System32\svchost.exe[4032] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlGetDaclSecurityDescriptor] [00436E6D] C:\WINDOWS\System32\svchost.exe (Generic Host Process for Win32 Services/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[4032] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlQueryInformationAcl] 022265E8
IAT C:\WINDOWS\System32\svchost.exe[4032] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlGetAce] 89F18B00
IAT C:\WINDOWS\System32\svchost.exe[4032] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlImageNtHeader] 7D8BF075
IAT C:\WINDOWS\System32\svchost.exe[4032] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!wcslen] 33E85708
IAT C:\WINDOWS\System32\svchost.exe[4032] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlUnhandledExceptionFilter] 830001D3
IAT C:\WINDOWS\System32\svchost.exe[4032] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlCopySid] 8300FC65
IAT C:\WINDOWS\System32\svchost.exe[4032] @ C:\WINDOWS\System32\svchost.exe [RPCRT4.dll!RpcServerUnregisterIfEx] 06C70C4E
IAT C:\WINDOWS\System32\svchost.exe[4032] @ C:\WINDOWS\System32\svchost.exe [RPCRT4.dll!RpcMgmtWaitServerListen] [0043CB90] C:\WINDOWS\System32\svchost.exe (Generic Host Process for Win32 Services/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[4032] @ C:\WINDOWS\System32\svchost.exe [RPCRT4.dll!RpcMgmtSetServerStackSize] 001BF5E8
IAT C:\WINDOWS\System32\svchost.exe[4032] @ C:\WINDOWS\System32\svchost.exe [RPCRT4.dll!RpcServerUnregisterIf] E8C68B00
IAT C:\WINDOWS\System32\svchost.exe[4032] @ C:\WINDOWS\System32\svchost.exe [RPCRT4.dll!RpcServerListen] 00022312
IAT C:\WINDOWS\System32\svchost.exe[4032] @ C:\WINDOWS\System32\svchost.exe [RPCRT4.dll!RpcServerUseProtseqEpW] 830004C2
IAT C:\WINDOWS\System32\svchost.exe[4032] @ C:\WINDOWS\System32\svchost.exe [RPCRT4.dll!RpcServerRegisterIf] 60830020
IAT C:\WINDOWS\System32\svchost.exe[4032] @ C:\WINDOWS\System32\svchost.exe [RPCRT4.dll!I_RpcMapWin32Status] 0A8B0004
IAT C:\WINDOWS\System32\svchost.exe[4032] @ C:\WINDOWS\System32\svchost.exe [RPCRT4.dll!RpcMgmtStopServerListening] 04728B56


...text is too long, continued in next post...

CamaroJeff
2009-10-03, 20:02
---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 3e3b0e9.sys
Device \FileSystem\Ntfs \Ntfs 8336A1E8
Device \Driver\NDIS \Device\Ndis [83273984] NDIS.sys[.reloc]
Device \Driver\Tcpip \Device\Ip 3e3b0e9.sys
Device \Driver\usbuhci \Device\USBPDO-0 8310F1E8
Device \Driver\PCI_NTPNP1052 \Device\00000044 sptd.sys
Device \Driver\usbuhci \Device\USBPDO-1 8310F1E8
Device \Driver\usbuhci \Device\USBPDO-2 8310F1E8
Device \Driver\usbehci \Device\USBPDO-3 831B51E8
Device \Driver\Tcpip \Device\Tcp 3e3b0e9.sys
Device \Driver\Ftdisk \Device\HarddiskVolume1 833D81E8
Device \Driver\Ftdisk \Device\HarddiskVolume2 833D81E8
Device \Driver\NetBT \Device\NetBT_Tcpip_{DC6DEC2A-4BED-4762-8851-E561345257A5} 82EEA1E8
Device \Driver\Cdrom \Device\CdRom0 830C11E8
Device \Driver\Cdrom \Device\CdRom1 830C11E8
Device \Driver\Cdrom \Device\CdRom2 830C11E8
Device \Driver\NetBT \Device\NetBt_Wins_Export 82EEA1E8
Device \Driver\NetBT \Device\NetbiosSmb 82EEA1E8
Device \Driver\Tcpip \Device\Udp 3e3b0e9.sys
Device \Driver\Tcpip \Device\RawIp 3e3b0e9.sys
Device \Driver\usbuhci \Device\USBFDO-0 8310F1E8
Device \Driver\usbuhci \Device\USBFDO-1 8310F1E8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 831E9790
Device \Driver\Tcpip \Device\IPMULTICAST 3e3b0e9.sys
Device \Driver\usbuhci \Device\USBFDO-2 8310F1E8
Device \FileSystem\MRxSmb \Device\LanmanRedirector 831E9790
Device \Driver\usbehci \Device\USBFDO-3 831B51E8
Device \Driver\Ftdisk \Device\FtControl 833D81E8
Device \Driver\aef8tb7n \Device\Scsi\aef8tb7n1 83051540
Device \Driver\aef8tb7n \Device\Scsi\aef8tb7n1Port2Path0Target0Lun0 83051540
Device \FileSystem\Fastfat \Fat 82CD5368
Device \FileSystem\Fastfat \Fat B5F75297
Device \FileSystem\Fs_Rec \FileSystem\UdfsCdRomRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\FatCdRomRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\CdfsRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\FatDiskRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\UdfsDiskRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Cdfs \Cdfs 831931E8
Device \FileSystem\Cdfs \Cdfs tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)

---- Services - GMER 1.0.15 ----

Service C:\WINDOWS\System32\drivers\3e3b0e9.sys (*** hidden *** ) [SYSTEM] 3e3b0e9 <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\3e3b0e9@ImagePath \SystemRoot\System32\drivers\3e3b0e9.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\3e3b0e9@Type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\3e3b0e9@Start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\3e3b0e9@ErrorControl 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\3e3b0e9@kadfmmqr 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\3e3b0e9@F96ZK6nPB YmF0dXJhbWViZWwuY29t
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 515188436
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 -8797297
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x3C 0xE9 0xF5 0x3B ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 C:\Program Files\Alcohol Soft\Alcohol 120\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew 0xE6 0x01 0x5F 0x93 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew 0x7A 0x9F 0x6C 0x5F ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x3C 0xE9 0xF5 0x3B ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 C:\Program Files\Alcohol Soft\Alcohol 120\
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew 0xE6 0x01 0x5F 0x93 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew 0x7A 0x9F 0x6C 0x5F ...
Reg HKLM\SYSTEM\ControlSet004\Services\3e3b0e9@ImagePath \SystemRoot\System32\drivers\3e3b0e9.sys
Reg HKLM\SYSTEM\ControlSet004\Services\3e3b0e9@Type 1
Reg HKLM\SYSTEM\ControlSet004\Services\3e3b0e9@Start 1
Reg HKLM\SYSTEM\ControlSet004\Services\3e3b0e9@ErrorControl 1
Reg HKLM\SYSTEM\ControlSet004\Services\3e3b0e9@kadfmmqr 1
Reg HKLM\SYSTEM\ControlSet004\Services\3e3b0e9@F96ZK6nPB YmF0dXJhbWViZWwuY29t
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x3C 0xE9 0xF5 0x3B ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 C:\Program Files\Alcohol Soft\Alcohol 120\
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew 0xE6 0x01 0x5F 0x93 ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew 0x7A 0x9F 0x6C 0x5F ...

---- Files - GMER 1.0.15 ----

File C:\Documents and Settings\Spiderman\Local Settings\Temporary Internet Files\Content.IE5\1DPZU1I1\errorPageStrings[1] 850 bytes
File C:\Documents and Settings\Spiderman\My Documents\bobos stuff\INSANE CLOWN POSSE-47 ALBUMS\Insane Clown Posse - The Wraith (Remix Albums) [2006] - Rap [www.torrentazos.com]\Insane Clown Posse - The Wraith (Remix Albums) [2006] - Rap [www.torrentazos.com]\CD1\108-IN~1.MP3 6286753 bytes
File C:\I386\ndis.sys (size mismatch) 168192/182656 bytes executable
File C:\WINDOWS\$NtServicePackUninstall$\ndis.sys (size mismatch) 182912/182656 bytes executable
File C:\WINDOWS\SYSTEM32\DLLCACHE\ndis.sys (size mismatch) 212224/182656 bytes executable
File C:\WINDOWS\SYSTEM32\DRIVERS\ndis.sys (size mismatch) 212224/182656 bytes executable

---- EOF - GMER 1.0.15 ----

Blade81
2009-10-04, 11:24
IMPORTANT: I notice there are signs of one or more P2P (peer-to-peer) file sharing programs on your computer.

µTorrent


I'd like you to read this thread (http://forums.spybot.info/showthread.php?t=282).

Please go to Control Panel > Add/Remove Programs and uninstall the programs listed above (in red).


After that:

Please visit this webpage for download links, and instructions for running ComboFix tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:


Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix; see this link (http://www.bleepingcomputer.com/forums/topic114351.html).
Remember to re-enable them afterwards.


Click Yes to allow ComboFix to continue scanning for malware.


When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt
New dds.txt log.

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.

CamaroJeff
2009-10-04, 17:29
I know, uTorrent can be a nasty program :red: I have deleted that program several times as it may have caused problems in the past. Needless to say, I haven't used that program in a couple of years. I have removed the program again.

ComboFix has been run and here's its report. A new DDS log will be posted shortly.


ComboFix 09-10-03.01 - Spiderman 10/04/2009 9:27.2.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.159 [GMT -4:00]
Running from: c:\documents and settings\Spiderman\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Spiderman\Application Data\wiaserva.log
c:\documents and settings\Spiderman\Start Menu\Programs\Startup\ikowin32.exe
c:\program files\Common\_helper.dll
c:\program files\Common\helper.dll
c:\program files\Common\helper.sig
c:\program files\Shared\lib.dll
c:\program files\Shared\lib.sig
c:\temp\abW9
c:\temp\abW9\tPho.log
c:\windows\abahakucadic.dll
c:\windows\aborerew.dll
c:\windows\abozemiz.dll
c:\windows\acaderotegixiv.dll
c:\windows\acavakadevi.dll
c:\windows\acerimuquj.dll
c:\windows\adafegizutaz.dll
c:\windows\adexipab.dll
c:\windows\adowegumesawe.dll
c:\windows\aduyamuk.dll
c:\windows\agaqatuza.dll
c:\windows\ajakigat.dll
c:\windows\ajayelovawubixax.dll
c:\windows\ajibatidedug.dll
c:\windows\ajocetuw.dll
c:\windows\alewanulamolimar.dll
c:\windows\alotakob.dll
c:\windows\amezawuf.dll
c:\windows\amifepohebafi.dll
c:\windows\amikulej.dll
c:\windows\amukupugebudax.dll
c:\windows\anelizodowurafox.dll
c:\windows\anurituci.dll
c:\windows\apegupiditemekok.dll
c:\windows\aqugojudoyatupek.dll
c:\windows\arihexop.dll
c:\windows\arubawutilesol.dll
c:\windows\asicolal.dll
c:\windows\atezosowuwu.dll
c:\windows\atomanap.dll
c:\windows\avanepoza.dll
c:\windows\avezaxifivufep.dll
c:\windows\avukejubetovapuz.dll
c:\windows\awaworucato.dll
c:\windows\awayofik.dll
c:\windows\aweqasoqege.dll
c:\windows\awequmofut.dll
c:\windows\awiritadumo.dll
c:\windows\axinirumecahalev.dll
c:\windows\ayimapiq.dll
c:\windows\download
c:\windows\ebajurij.dll
c:\windows\ebimizih.dll
c:\windows\ebocoroj.dll
c:\windows\ecefotoc.dll
c:\windows\edilaref.dll
c:\windows\edojolij.dll
c:\windows\eduhovoj.dll
c:\windows\efemirux.dll
c:\windows\egayiyoh.dll
c:\windows\eheriwesozo.dll
c:\windows\ehigozux.dll
c:\windows\ejerivehamiro.dll
c:\windows\ejeruzifuloru.dll
c:\windows\ejidiwoxewofes.dll
c:\windows\ejodafaw.dll
c:\windows\ejotilarej.dll
c:\windows\ekesuyeg.dll
c:\windows\ekoboneravasam.dll
c:\windows\eleharuculihi.dll
c:\windows\eleqafarip.dll
c:\windows\elujewuj.dll
c:\windows\enebebaguwimu.dll
c:\windows\enuxusum.dll
c:\windows\epulifipuluk.dll
c:\windows\eqamoyes.dll
c:\windows\eqavafidelujolij.dll
c:\windows\evayasomizih.dll
c:\windows\ewedigojeruqa.dll
c:\windows\ewihedil.dll
c:\windows\ewizotuqo.dll
c:\windows\ewolorom.dll
c:\windows\ewovuzitoha.dll
c:\windows\exapejid.dll
c:\windows\exelowunikazubi.dll
c:\windows\eximifora.dll
c:\windows\exovevukov.dll
c:\windows\eyogudorayeher.dll
c:\windows\eyudobuvo.dll
c:\windows\gcdx.dll
c:\windows\ibimapiqiyonox.dll
c:\windows\ibotuwef.dll
c:\windows\ibuwunoz.dll
c:\windows\icopevubeqo.dll
c:\windows\idogezorijegozu.dll
c:\windows\idujizuqu.dll
c:\windows\ifereweha.dll
c:\windows\ifidevac.dll
c:\windows\ifiyuruwokuqisal.dll
c:\windows\ifocoxicakihev.dll
c:\windows\ifogafek.dll
c:\windows\ijuxorigeg.dll
c:\windows\ikenalepetiyo.dll
c:\windows\imawiloji.dll
c:\windows\imujoxuc.dll
c:\windows\imunesey.dll
c:\windows\Installer\11195550.msp
c:\windows\Installer\3970c5.msp
c:\windows\Installer\73330d.msp
c:\windows\Installer\9dbd7d7.msp
c:\windows\Installer\f876ad4.msi
c:\windows\Installer\f876adc.msi
c:\windows\Installer\f876ae4.msi
c:\windows\Installer\f876af1.msi
c:\windows\Installer\f876af9.msi
c:\windows\Installer\f876b01.msi
c:\windows\inutezezuquj.dll
c:\windows\ipopuficuzuhi.dll
c:\windows\iqafovah.dll
c:\windows\iqejinur.dll
c:\windows\iqokilomi.dll
c:\windows\irakarat.dll
c:\windows\irenufuq.dll
c:\windows\isitibuxer.dll
c:\windows\itecigitulob.dll
c:\windows\itedowubucu.dll
c:\windows\iwewogij.dll
c:\windows\iwisefubemob.dll
c:\windows\ixikerevafidel.dll
c:\windows\ixitikapawogep.dll
c:\windows\ixiyetasoyu.dll
c:\windows\ixuqeduk.dll
c:\windows\iyatahixowetohe.dll
c:\windows\msstd.dll
c:\windows\msto.dll
c:\windows\obawulevefi.dll
c:\windows\obe.dll
c:\windows\obiwiyel.dll
c:\windows\odajezoweqoh.dll
c:\windows\odehusucam.dll
c:\windows\ofazowem.dll
c:\windows\ofeholuh.dll
c:\windows\oferesox.dll
c:\windows\ofofafawi.dll
c:\windows\ofoqusiwoj.dll
c:\windows\ofuvozeraz.dll
c:\windows\ogakupujaxakuqe.dll
c:\windows\ogipucovotuket.dll
c:\windows\oheqazejo.dll
c:\windows\ojipevubeqovuzi.dll
c:\windows\ojuqafar.dll
c:\windows\okecuvuhoxuquxoj.dll
c:\windows\okehazuyosegefim.dll
c:\windows\okucuzuhifuci.dll
c:\windows\olemopajeboy.dll
c:\windows\olenelanavecazu.dll
c:\windows\oliyonidopumam.dll
c:\windows\olumodet.dll
c:\windows\omelolac.dll
c:\windows\omiyeviw.dll
c:\windows\onehebaf.dll
c:\windows\opohugil.dll
c:\windows\opunevif.dll
c:\windows\oqegovagifobaw.dll
c:\windows\oraluwen.dll
c:\windows\orehifuc.dll
c:\windows\orejulowu.dll
c:\windows\osutiles.dll
c:\windows\oteqesuhelehizu.dll
c:\windows\ovadurayapeva.dll
c:\windows\oviloqetuguzele.dll
c:\windows\owebalikoqatu.dll
c:\windows\oxenozum.dll
c:\windows\oxumopuduy.dll
c:\windows\oyolaloc.dll
c:\windows\system32\aston.mt
c:\windows\system32\comrepl.exe
c:\windows\system32\drivers\3e3b0e9.sys
c:\windows\system32\mcrh.tmp
c:\windows\ubejefiq.dll
c:\windows\ubelerih.dll
c:\windows\ucagosixaxeteted.dll
c:\windows\ucelesolas.dll
c:\windows\ucezitoha.dll
c:\windows\ucijumuqobo.dll
c:\windows\ucikiwikisoxe.dll
c:\windows\ucoyenev.dll
c:\windows\udexusumo.dll
c:\windows\udociluvunebur.dll
c:\windows\ufihilofej.dll
c:\windows\ufirubohojafabi.dll
c:\windows\ufiyosegef.dll
c:\windows\ugifiwuz.dll
c:\windows\ugiholur.dll
c:\windows\uhikorilowadil.dll
c:\windows\uhinufeworitulus.dll
c:\windows\uhodesuvaruk.dll
c:\windows\uhoyiger.dll
c:\windows\ukayewecig.dll
c:\windows\ukicagayusaqitih.dll
c:\windows\ukifefeqacolal.dll
c:\windows\ukonirumecah.dll
c:\windows\ukoyuzubizeb.dll
c:\windows\unuhovehula.dll
c:\windows\unuwevev.dll
c:\windows\upotepin.dll
c:\windows\upuyosamavab.dll
c:\windows\uracusezejoher.dll
c:\windows\urewixanimi.dll
c:\windows\uribiyov.dll
c:\windows\urocawaj.dll
c:\windows\urucozis.dll
c:\windows\urufixej.dll
c:\windows\usoniwulaqo.dll
c:\windows\usotolix.dll
c:\windows\usoxivaz.dll
c:\windows\utodiqatarive.dll
c:\windows\utogofor.dll
c:\windows\uvajivanoq.dll
c:\windows\uvamibah.dll
c:\windows\uvikuwafonut.dll
c:\windows\uwapalir.dll
c:\windows\uwemavab.dll
c:\windows\uwodewiy.dll
c:\windows\uxatigokidonot.dll
c:\windows\uxeturet.dll
c:\windows\uxosuloromazizu.dll
c:\windows\uxucubalepi.dll
c:\windows\uyazoquqisefac.dll
c:\windows\uyezizaz.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_3e3b0e9


((((((((((((((((((((((((( Files Created from 2009-09-04 to 2009-10-04 )))))))))))))))))))))))))))))))
.

2009-10-04 14:11 . 2009-10-04 14:11 11554 ----a-w- c:\windows\egoxowalif.dll
2009-09-12 19:11 . 2009-09-12 19:11 -------- d-----w- c:\windows\system32\wbem\Repository
2009-09-04 17:15 . 2009-09-12 19:11 -------- d-----w- c:\documents and settings\Bobo\Local Settings\Application Data\{7774A5C0-4F5A-4A25-A039-29FB6B2E855C}

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-04 13:44 . 2009-06-23 12:15 -------- d-----w- c:\program files\Shared
2009-10-04 13:44 . 2009-03-31 21:56 -------- d-----w- c:\program files\Common
2009-10-04 13:21 . 2002-08-29 10:00 182656 ----a-w- c:\windows\system32\drivers\ndis.sys
2009-10-04 12:15 . 2009-08-28 01:45 120 ----a-w- c:\windows\Ulujoqafarip.dat
2009-09-30 00:02 . 2005-12-30 00:37 -------- d-----w- c:\program files\Common Files\KnifeEdge
2009-09-14 21:38 . 2005-07-13 03:08 -------- d-----w- c:\program files\Program Files
2009-09-12 19:10 . 2009-03-15 00:26 -------- d-----w- c:\program files\Microsoft Silverlight
2009-09-03 03:58 . 2004-07-09 22:13 118440 ----a-w- c:\documents and settings\Spiderman\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-25 21:35 . 2009-08-25 16:29 -------- d-----w- c:\documents and settings\All Users\Application Data\10983904
2009-08-06 21:57 . 2009-08-06 21:57 -------- d-----w- c:\program files\MSBuild
2009-08-06 21:56 . 2009-08-06 21:56 -------- d-----w- c:\program files\Reference Assemblies
2009-07-17 19:01 . 2002-08-29 10:00 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-17 19:01 . 2002-08-29 10:00 58880 ----a-w- c:\windows\system32\atl(3)(3).dll
2009-07-14 03:43 . 2004-08-11 05:45 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2006-11-25 07:57 . 2006-11-25 07:57 482 ----a-w- c:\program files\Del.js
2005-08-21 16:42 . 2005-06-27 23:17 905 -c--a-w- c:\program files\uninstal.log
2006-01-11 06:41 . 2004-08-29 00:07 56 --sh--r- c:\windows\SYSTEM32\6BBF71BA10.sys
2006-09-24 00:47 . 2004-08-29 00:07 10856 --sha-w- c:\windows\SYSTEM32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-05-12 6729728]
"FaxCenterServer"="c:\program files\Lexmark Fax Solutions\fm3032.exe" [2007-02-08 295856]
"NvMediaCenter"="NvMCTray.dll" - c:\windows\SYSTEM32\nvmctray.dll [2005-05-12 86016]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" - c:\windows\SYSTEM32\narrator.exe [2008-04-14 53760]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2006-03-13 233472]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli carcpc.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk.disabled]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk.disabled
backup=c:\windows\pss\Adobe Reader Speed Launch.lnk.disabledCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Exif Launcher.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Exif Launcher.lnk
backup=c:\windows\pss\Exif Launcher.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^PowerReg Scheduler.exe]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\PowerReg Scheduler.exe
backup=c:\windows\pss\PowerReg Scheduler.exeCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Spiderman^Start Menu^Programs^Startup^clippy.exe]
path=c:\documents and settings\Spiderman\Start Menu\Programs\Startup\clippy.exe
backup=c:\windows\pss\clippy.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Spiderman^Start Menu^Programs^Startup^Magnifier.lnk]
path=c:\documents and settings\Spiderman\Start Menu\Programs\Startup\Magnifier.lnk
backup=c:\windows\pss\Magnifier.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Spiderman^Start Menu^Programs^Startup^Stardock ObjectDock.lnk]
path=c:\documents and settings\Spiderman\Start Menu\Programs\Startup\Stardock ObjectDock.lnk
backup=c:\windows\pss\Stardock ObjectDock.lnkStartup

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Insider"=c:\program files\Insider\Insider.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"runner1"=c:\windows\mrofinu572.exe 61A847B5BBF728173599284503996897C881250221C8670836AC4FA7C8833201749139
"QuickTime Task"="c:\program files\QuickTime\bak\qttask.exe" -atboottime
"nwiz"=nwiz.exe /install

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\SYSTEM32\\lxczcoms.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Summitsoft\\Business Card Shop\\FRegister.exe"=
"c:\\Program Files\\Summitsoft\\Business Card Shop\\BCGUpdate.exe"=
"c:\\Program Files\\Summitsoft\\Business Card Shop\\Summitsoft Products.exe"=
"c:\\Program Files\\Summitsoft\\Business Card Shop\\BCGFonts.exe"=
"c:\\Program Files\\Summitsoft\\Business Card Shop\\Splash_LDS.exe"=
"c:\\Program Files\\Summitsoft\\Business Card Shop\\Splash Series 1_Oct132008.exe"=

S3 brfilt;Brother MFC Filter Driver;c:\windows\SYSTEM32\DRIVERS\BrFilt.sys [8/13/2006 9:48 AM 2944]
S3 brparimg;Brother Multi Function Parallel Image driver;c:\windows\SYSTEM32\DRIVERS\BrParImg.sys [8/13/2006 9:48 AM 3168]
S3 BrParWdm;Brother WDM Parallel Driver;c:\windows\SYSTEM32\DRIVERS\BrParwdm.sys [8/13/2006 9:48 AM 39552]
S3 BrSerWDM;Brother Serial driver;c:\windows\SYSTEM32\DRIVERS\BrSerWdm.sys [8/13/2006 9:48 AM 60416]
S3 DMSKSSRh;DMSKSSRh;\??\c:\docume~1\SPIDER~1\LOCALS~1\Temp\DMSKSSRh.sys --> c:\docume~1\SPIDER~1\LOCALS~1\Temp\DMSKSSRh.sys [?]
S3 SaiNtSub;SaiNtSub;c:\windows\SYSTEM32\DRIVERS\SaiNtSub.sys [2/4/2005 10:28 PM 19200]
S3 samhid;samhid;c:\windows\system32\drivers\samhid.sys --> c:\windows\system32\drivers\samhid.sys [?]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.98rock.com/cc-common/babes/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = 127.0.0.1
IE: &ieSpell Options - c:\program files\ieSpell\iespell.dll/SPELLOPTION.HTM
IE: &Search
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: Check &Spelling - c:\program files\ieSpell\iespell.dll/SPELLCHECK.HTM
IE: Lookup on Merriam Webster - file://c:\program files\ieSpell\Merriam Webster.HTM
IE: Lookup on Wikipedia - file://c:\program files\ieSpell\wikipedia.HTM
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} - hxxp://games-dl.real.com/gameconsole/Bundler/CAB/RealArcadeRdxIE.cab
DPF: {D9EA64B2-B966-E177-332C-78B69886526D} - hxxp://download.newaol.com/bkpromo/download/PerformerSetup.cab
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - (no file)
HKLM-Run-Ksebuhey - c:\windows\urufixej.dll
AddRemove-Viewpoint Manager - c:\program files\Viewpoint\Viewpoint Manager\ViewMgrInstaller.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-04 10:10
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1665667976-894762885-3311537992-1007\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(552)
c:\windows\system32\NTMARTA.DLL

- - - - - - - > 'lsass.exe'(608)
c:\windows\carcpc.dll
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(3540)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\windows\carcpc.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\SYSTEM32\LEXBCES.EXE
c:\windows\SYSTEM32\LEXPPS.EXE
c:\windows\SYSTEM32\lxczcoms.exe
c:\windows\SYSTEM32\nvsvc32.exe
c:\program files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
c:\program files\TVersity\Media Server\MediaServer.exe
c:\windows\SYSTEM32\wscntfy.exe
c:\windows\SYSTEM32\rundll32.exe
.
**************************************************************************
.
Completion time: 2009-10-04 10:17 - machine was rebooted
ComboFix-quarantined-files.txt 2009-10-04 14:17
ComboFix2.txt 2007-11-30 03:16

Pre-Run: 4,740,100,096 bytes free
Post-Run: 4,988,645,376 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

Current=1 Default=1 Failed=0 LastKnownGood=4 Sets=1,2,3,4
406 --- E O F --- 2009-08-27 21:59

CamaroJeff
2009-10-04, 17:33
Here's the DDS log.


DDS (Ver_09-09-29.01) - NTFSx86
Run by Spiderman at 10:30:41.29 on Sun 10/04/2009
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.244 [GMT -4:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
svchost.exe
C:\WINDOWS\system32\lxczcoms.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Documents and Settings\Spiderman\Desktop\dds.pif

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.98rock.com/cc-common/babes/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = 127.0.0.1
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: dsWebAllowBHO Class: {2f85d76c-0569-466f-a488-493e6bd0e955} - c:\program files\windows desktop search\dsWebAllow.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
TB: {4E7BD74F-2B8D-469E-D0FC-E57AF4D5FA7D} - No File
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
mRun: [FaxCenterServer] "c:\program files\lexmark fax solutions\fm3032.exe" /s
dRunOnce: [RunNarrator] Narrator.exe
IE: &ieSpell Options - c:\program files\iespell\iespell.dll/SPELLOPTION.HTM
IE: &Search
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: Check &Spelling - c:\program files\iespell\iespell.dll/SPELLCHECK.HTM
IE: Lookup on Merriam Webster - file://c:\program files\iespell\Merriam Webster.HTM
IE: Lookup on Wikipedia - file://c:\program files\iespell\wikipedia.HTM
IE: {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - res://c:\program files\iespell\iespell.dll/SPELLCHECK.HTM
IE: {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - res://c:\program files\iespell\iespell.dll/SPELLOPTION.HTM
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - c:\windows\system32\msjava.dll
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/templates/ieawsdc.cab
DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} - hxxp://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} - hxxp://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
DPF: {205FF73B-CA67-11D5-99DD-444553540000} - hxxp://66.154.44.68/cam/Install.cab
DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} - hxxp://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
DPF: {33564D57-9980-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/wmv9dmo.cab
DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - hxxp://lads.myspace.com/upload/MySpaceUploader1006.cab
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,90/mcinsctl.cab
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://by14fd.bay14.hotmail.msn.com/resources/MsnPUpld.cab
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://download.divx.com/player/DivXBrowserPlugin.cab
DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} - hxxp://chat.yahoo.com/cab/yacsui.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {8E28B3A9-FE83-45D1-B657-D5426B81A121} - hxxps://cs7b.instantservice.com/jars/customerxsigned42.cab
DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} - hxxp://games-dl.real.com/gameconsole/Bundler/CAB/RealArcadeRdxIE.cab
DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - hxxp://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,23/mcgdmgr.cab
DPF: {CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab
DPF: {D9EA64B2-B966-E177-332C-78B69886526D} - hxxp://download.newaol.com/bkpromo/download/PerformerSetup.cab
DPF: {DE22A7AB-A739-4C58-AD52-21F9CD6306B7} - hxxp://download.microsoft.com/download/7/E/6/7E6A8567-DFE4-4624-87C3-163549BE2704/clearadj.cab
DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} - hxxp://fdl.msn.com/zone/datafiles/heartbeat.cab
Notify: igfxcui - igfxsrvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll
LSA: Notification Packages = scecli carcpc.dll

============= SERVICES / DRIVERS ===============

R2 lxcz_device;lxcz_device;c:\windows\system32\lxczcoms.exe -service --> c:\windows\system32\lxczcoms.exe -service [?]
S3 brfilt;Brother MFC Filter Driver;c:\windows\system32\drivers\BrFilt.sys [2006-8-13 2944]
S3 brparimg;Brother Multi Function Parallel Image driver;c:\windows\system32\drivers\BrParImg.sys [2006-8-13 3168]
S3 BrParWdm;Brother WDM Parallel Driver;c:\windows\system32\drivers\BrParwdm.sys [2006-8-13 39552]
S3 BrSerWDM;Brother Serial driver;c:\windows\system32\drivers\BrSerWdm.sys [2006-8-13 60416]
S3 DMSKSSRh;DMSKSSRh;\??\c:\docume~1\spider~1\locals~1\temp\dmskssrh.sys --> c:\docume~1\spider~1\locals~1\temp\DMSKSSRh.sys [?]
S3 SaiNtSub;SaiNtSub;c:\windows\system32\drivers\SaiNtSub.sys [2005-2-4 19200]
S3 samhid;samhid;c:\windows\system32\drivers\samhid.sys --> c:\windows\system32\drivers\samhid.sys [?]
UnknownUnknown 3e3b0e9;3e3b0e9; [x]

=============== Created Last 30 ================

2009-10-04 10:16 11,520 a------- c:\windows\ifocolaloc.dll
2009-10-04 10:11 11,554 a------- c:\windows\egoxowalif.dll
2009-10-04 09:23 <DIR> a-dshr-- C:\cmdcons
2009-10-04 09:20 229,888 a------- c:\windows\PEV.exe
2009-10-04 09:20 161,792 a------- c:\windows\SWREG.exe
2009-10-04 09:20 98,816 a------- c:\windows\sed.exe
2009-09-12 15:11 <DIR> --d----- c:\windows\system32\wbem\Repository

==================== Find3M ====================

2009-10-04 09:21 182,656 a------- c:\windows\system32\dllcache\ndis.sys
2009-10-04 09:21 182,656 -------- c:\windows\system32\drivers\ndis.sys
2009-07-19 09:33 3,597,824 a------- c:\windows\system32\dllcache\mshtml.dll
2009-07-19 09:32 6,067,200 -------- c:\windows\system32\dllcache\ieframe.dll
2009-07-17 15:01 58,880 a------- c:\windows\system32\atl.dll
2009-07-17 15:01 58,880 a------- c:\windows\system32\atl(3)(3).dll
2009-07-17 15:01 58,880 -------- c:\windows\system32\dllcache\atl.dll
2009-07-13 23:43 10,841,088 a------- c:\windows\system32\dllcache\wmp.dll
2009-07-13 23:43 286,208 a------- c:\windows\system32\wmpdxm.dll
2009-07-13 23:43 286,208 -------- c:\windows\system32\dllcache\wmpdxm.dll
2009-07-10 09:27 1,315,328 -------- c:\windows\system32\dllcache\msoe.dll
2007-03-29 09:13 87,608 a------- c:\docume~1\spider~1\applic~1\ezpinst.exe
2007-03-29 09:13 47,360 a------- c:\docume~1\spider~1\applic~1\pcouffin.sys
2006-11-25 03:57 482 a------- c:\program files\Del.js
2005-08-21 12:42 905 ac------ c:\program files\uninstal.log
2004-07-09 19:24 784 a------- c:\docume~1\spider~1\applic~1\mpauth.dat
2006-01-11 02:41 56 ---shr-- c:\windows\system32\6BBF71BA10.sys
2006-09-23 20:47 10,856 a--sh--- c:\windows\system32\KGyGaAvL.sys
2009-02-09 23:52 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009020920090210\index.dat

============= FINISH: 10:31:40.98 ===============

CamaroJeff
2009-10-04, 17:34
also, if needed, the attach.txt log that accompanies. computer is running faster already too.



UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-09-29.01)

Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume2
Install Date: 7/9/2004 6:12:37 PM
System Uptime: 10/4/2009 9:53:49 AM (1 hours ago)

Motherboard: Dell Computer Corp. | | 0C2425
Processor: Intel(R) Celeron(R) CPU 2.50GHz | Microprocessor | 2491/400mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 71 GiB total, 4.678 GiB free.
D: is CDROM ()
E: is CDROM ()
F: is CDROM ()

==== Disabled Device Manager Items =============

Class GUID: {4D36E96E-E325-11CE-BFC1-08002BE10318}
Description: Plug and Play Monitor
Device ID: DISPLAY\DELD002\4&328453E3&0&80861100&00&02
Manufacturer: (Standard monitor types)
Name: Plug and Play Monitor
PNP Device ID: DISPLAY\DELD002\4&328453E3&0&80861100&00&02
Service:

Class GUID: {4D36E96D-E325-11CE-BFC1-08002BE10318}
Description: Intel(R) 537EP V9x DFV PCI Modem
Device ID: PCI\VEN_8086&DEV_1080&SUBSYS_10001028&REV_04\4&3B1CAF2B&0&30F0
Manufacturer: Intel Corporation
Name: Intel(R) 537EP V9x DFV PCI Modem
PNP Device ID: PCI\VEN_8086&DEV_1080&SUBSYS_10001028&REV_04\4&3B1CAF2B&0&30F0
Service: Modem

Class GUID: {4D36E980-E325-11CE-BFC1-08002BE10318}
Description: Floppy disk drive
Device ID: FDC\GENERIC_FLOPPY_DRIVE\5&C4AE404&0&0
Manufacturer: (Standard floppy disk drives)
Name: Floppy disk drive
PNP Device ID: FDC\GENERIC_FLOPPY_DRIVE\5&C4AE404&0&0
Service: flpydisk

Class GUID: {8ECC055D-047F-11D1-A537-0000F8753ED1}
Description: ATI WDM TV Tuner (Microsoft)
Device ID: ROOT\LEGACY_ATITUNEP\0000
Manufacturer:
Name: ATI WDM TV Tuner (Microsoft)
PNP Device ID: ROOT\LEGACY_ATITUNEP\0000
Service: ATITUNEP

Class GUID: {8ECC055D-047F-11D1-A537-0000F8753ED1}
Description: ATI WDM TV Audio Crossbar (Microsoft)
Device ID: ROOT\LEGACY_ATIXSAUDIO\0000
Manufacturer:
Name: ATI WDM TV Audio Crossbar (Microsoft)
PNP Device ID: ROOT\LEGACY_ATIXSAUDIO\0000
Service: ATIXSAudio

Class GUID: {8ECC055D-047F-11D1-A537-0000F8753ED1}
Description: ATI WDM Specialized MVD Codec (Microsoft)
Device ID: ROOT\LEGACY_MVDCODEC\0000
Manufacturer:
Name: ATI WDM Specialized MVD Codec (Microsoft)
PNP Device ID: ROOT\LEGACY_MVDCODEC\0000
Service: MVDCODEC

Class GUID: {8ECC055D-047F-11D1-A537-0000F8753ED1}
Description: ATI WDM Specialized PCD Codec (Microsoft)
Device ID: ROOT\LEGACY_PCDCODEC\0000
Manufacturer:
Name: ATI WDM Specialized PCD Codec (Microsoft)
PNP Device ID: ROOT\LEGACY_PCDCODEC\0000
Service: PCDCODEC

==== System Restore Points ===================

RP536: 9/11/2009 6:08:04 PM - Restore Operation
RP537: 9/12/2009 3:07:10 PM - Restore Operation
RP538: 9/13/2009 3:49:33 PM - System Checkpoint
RP539: 9/14/2009 4:58:05 PM - System Checkpoint
RP540: 9/15/2009 5:29:48 PM - System Checkpoint
RP541: 9/16/2009 6:30:49 PM - System Checkpoint
RP542: 9/17/2009 7:03:11 PM - System Checkpoint
RP543: 9/18/2009 7:29:50 PM - System Checkpoint
RP544: 9/19/2009 8:57:54 PM - System Checkpoint
RP545: 9/20/2009 9:29:33 PM - System Checkpoint
RP546: 9/21/2009 9:36:49 PM - System Checkpoint
RP547: 9/22/2009 11:56:59 PM - System Checkpoint
RP548: 9/24/2009 12:34:10 AM - System Checkpoint
RP549: 9/25/2009 1:02:38 AM - System Checkpoint
RP550: 9/26/2009 2:02:31 AM - System Checkpoint
RP551: 9/27/2009 3:02:46 AM - System Checkpoint
RP552: 9/28/2009 4:02:32 AM - System Checkpoint
RP553: 9/29/2009 7:45:36 AM - System Checkpoint
RP554: 9/30/2009 8:44:28 AM - System Checkpoint
RP555: 10/1/2009 9:44:27 AM - System Checkpoint
RP556: 10/2/2009 10:44:17 AM - System Checkpoint
RP557: 10/3/2009 11:21:28 AM - System Checkpoint

==== Installed Programs ======================


ABBYY FineReader 6.0 Sprint
AC3Filter (remove only)
Adobe Acrobat 5.0
Adobe Flash Player 10 ActiveX
Adobe Reader 7.0
AOL Instant Messenger
AutoUpdate
Banctec Service Agreement
Battlefield 2(TM)
Bejeweled 2 Deluxe 1.0
Big Fish Games Client
Bookworm Deluxe 1.03
Broadcom Management Programs
Business Card Generator Fonts
Business Card Shop
Chutes and Ladders
Critical Update for Windows Media Player 11 (KB959772)
dBpoweramp DSP Effects
Deer Avenger
Dell Driver Reset Tool
Dell Networking Guide
Dell Solution Center
DivX Codec
DVDSentry
Dyno2000 Version 3.10
ffdshow [rev 1324] [2007-07-01]
Google Video Player
GTAIII
HarryThompson.com - Webjal Patcher
Help and Support Customization
HighMAT Extension to Microsoft Windows XP CD Writing Wizard
HijackThis 2.0.2
Hot Rod Garage to Glory
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB954708)
ieSpell
Intel(R) 537EP V9x DFV PCI Modem
Intel(R) Extreme Graphics Driver
Internet Explorer Default Page
IrfanView (remove only)
Java 2 Runtime Environment, SE v1.4.2
Kaspersky Online Scanner
Learn2 Player (Uninstall Only)
Lexmark 1200 Series
Lexmark 640 Series
Lexmark Fax Solutions
Macromedia Flash Player
Macromedia Shockwave Player
MathPlayer
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Age of Empires Gold
Microsoft Application Error Reporting
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Data Access Components KB870669
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office PowerPoint Viewer 2003
Microsoft Silverlight
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
MicroStaff WINASPI
Mobsters Superbot
Modem Event Monitor
MS Access 97 SP2
MSXML 4.0 SP2 (KB925672)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 Parser and SDK
MyJAL MediaPAL
Mystery Case Files: Madame Fate ™
Need For Speed Hot Pursuit 2
Network Play System (Patching)
NVIDIA Drivers
ObjectDock
PeerGuardian 2.0
PowerDVD
QuickTime
R/C Pilot Simulator
RealFlight G3 R/C Simulator
RealFlight Simulator
RealPlayer
Saitek Configuration Software
Saitek NT Controller Drivers
Samsung CamCorder Driver
Samsung Video Codec 1.1 Uninstall
Security Update for CAPICOM (KB931906)
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Internet Explorer 7 (KB972260)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Shockwave
Sonic DLA
Sonic RecordNow!
Sonic Update Manager
Spybot - Search & Destroy
Spybot - Search & Destroy 1.5.2.20
SpywareBlaster v3.5.1
TVersity Codec Pack 1.1
TVersity Media Server 0.9.11.4 beta
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB968389)
Viewpoint Media Player
Visual FoxPro ODBC Driver
WavePad Uninstall
WebFldrs XP
Webjal install by HarryThompson.com
Windows Desktop Search
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 7
Windows Live Sign-in Assistant
Windows Live Sync
Windows Live Upload Tool
Windows Media Format 11 runtime
Windows Media Player 11
Windows XP Service Pack 3
WinRAR archiver
ZoneAlarm Spy Blocker

==== Event Viewer Messages From Past Week ========

9/29/2009 8:00:52 PM, error: DCOM [10005] - DCOM got error "%2" attempting to start the service wuauserv with arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}
9/29/2009 6:59:20 AM, error: Service Control Manager [7034] - The TVersityMediaServer service terminated unexpectedly. It has done this 1 time(s).
9/29/2009 6:40:53 AM, error: Service Control Manager [7000] - The Background Intelligent Transfer Service service failed to start due to the following error: The system cannot find the file specified.
9/29/2009 6:40:53 AM, error: Service Control Manager [7000] - The Automatic Updates service failed to start due to the following error: The system cannot find the file specified.
9/27/2009 9:15:15 AM, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 30 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)
9/27/2009 9:00:15 AM, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 15 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)
10/4/2009 9:26:46 AM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the PEVSystemStart service to connect.

==== End Of File ===========================

Blade81
2009-10-04, 18:56
Hi,


Open notepad and copy/paste the text in the quotebox below into it:



http://forums.spybot.info/showthread.php?p=339991#post339991
Driver::
3e3b0e9
Collect::
c:\windows\carcpc.dll
File::
c:\windows\ifocolaloc.dll
c:\windows\egoxowalif.dll
c:\windows\Ulujoqafarip.dat
c:\program files\Del.js
DDS::
TB: {4E7BD74F-2B8D-469E-D0FC-E57AF4D5FA7D} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File
DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} - hxxp://games-dl.real.com/gameconsole/Bundler/CAB/RealArcadeRdxIE.cab
Registry::
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Notification Packages"=hex(7):73,63,65,63,6c,69,00,00
[-HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^PowerReg Scheduler.exe]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"runner1"=-
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000000



Save this as CFScript

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Close all browser windows and, referring to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log.


Uninstall old Adobe Reader versions and get the latest one (9.1 + updates 9.1.2 and 9.1.3 for it) here (http://www.adobe.com/support/downloads/product.jsp?product=10&platform=Windows) or get Foxit Reader here (http://www.foxitsoftware.com/pdf/reader_2/down_reader.htm). Make sure you don't install the toolbar if you choose Foxit Reader! You may also check the free readers introduced here (http://pdfreaders.org/).

Do you really need Adobe Acrobat 5.0? If not, I strongly recommend uninstalling it since it's badly outdated.

Uninstall your current shockwave player and get the fresh one here (http://get.adobe.com/shockwave/) if needed.

Check here (http://www.adobe.com/software/flash/about/) to see if your Flash is up-to-date (do it separately with each of your browsers). If not, uninstall vulnerable versions by following the instructions here (http://kb2.adobe.com/cps/141/tn_14157.html). A fresh version can be obtained here (http://get.adobe.com/flashplayer/).


Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older Java components and update to the latest version...

Updating Java:

Download the latest version of Java Runtime Environment (JRE) 6 Update 16 (http://java.sun.com/javase/downloads/index.jsp).
Click the Download button to the right.
Select Windows in the platform combobox and check the box that says: Accept License Agreement. Click Continue.

The page will refresh.
Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
Close any programs you may have running - especially your web browser.
Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
Check any item with Java Runtime Environment (JRE or J2SE) in the name.
Click the Remove or Change/Remove button.
Repeat as many times as necessary to remove each Java version.
Reboot your computer once all Java components are removed.
Then from your desktop double-click on jre-6u16-windows-i586-p.exe to install the newest version. Uncheck Carbonite online backup trial if it's offered there.


Download ATF (Atribune Temp File) Cleaner© by Atribune (http://www.atribune.org/ccount/click.php?id=1) to your desktop.

Double-click ATF Cleaner.exe to open it

Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache
*The other boxes are optional*
Then click the Empty Selected button.

If you use Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

If you use Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Click Exit on the Main menu to close the program.


Please run an online scan with Kaspersky Online Scanner (http://www.kaspersky.com/virusscanner) as instructed in the screenshot here (http://i275.photobucket.com/albums/jj285/Bleeping/KAS/KAS9.gif).


Post back its report, a fresh dds.txt log and above mentioned ComboFix resultant log.

CamaroJeff
2009-10-04, 20:04
here's the fresh combofix log after pasting the text file. will be doing the following steps shortly.


ComboFix 09-10-03.01 - Spiderman 10/04/2009 12:31.3.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.240 [GMT -4:00]
Running from: c:\documents and settings\Spiderman\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Spiderman\Desktop\CFScript.txt

FILE ::
"c:\program files\Del.js"
"c:\windows\egoxowalif.dll"
"c:\windows\ifocolaloc.dll"
"c:\windows\Ulujoqafarip.dat"

file zipped: c:\windows\carcpc.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Common
c:\program files\Common\_helper.sig
c:\program files\Del.js
c:\program files\Shared
c:\windows\carcpc.dll
c:\windows\egoxowalif.dll
c:\windows\ifocolaloc.dll
c:\windows\okaleriweso.dll
c:\windows\system32\dsound3dd.dll
c:\windows\Ulujoqafarip.dat

.
((((((((((((((((((((((((( Files Created from 2009-09-04 to 2009-10-04 )))))))))))))))))))))))))))))))
.

2009-09-12 19:11 . 2009-09-12 19:11 -------- d-----w- c:\windows\system32\wbem\Repository
2009-09-04 17:15 . 2009-09-12 19:11 -------- d-----w- c:\documents and settings\Bobo\Local Settings\Application Data\{7774A5C0-4F5A-4A25-A039-29FB6B2E855C}

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-04 13:21 . 2002-08-29 10:00 182656 ------w- c:\windows\system32\drivers\ndis.sys
2009-09-30 00:02 . 2005-12-30 00:37 -------- d-----w- c:\program files\Common Files\KnifeEdge
2009-09-14 21:38 . 2005-07-13 03:08 -------- d-----w- c:\program files\Program Files
2009-09-12 19:10 . 2009-03-15 00:26 -------- d-----w- c:\program files\Microsoft Silverlight
2009-09-03 03:58 . 2004-07-09 22:13 118440 ----a-w- c:\documents and settings\Spiderman\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-25 21:35 . 2009-08-25 16:29 -------- d-----w- c:\documents and settings\All Users\Application Data\10983904
2009-08-06 21:57 . 2009-08-06 21:57 -------- d-----w- c:\program files\MSBuild
2009-08-06 21:56 . 2009-08-06 21:56 -------- d-----w- c:\program files\Reference Assemblies
2009-07-17 19:01 . 2002-08-29 10:00 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-17 19:01 . 2002-08-29 10:00 58880 ----a-w- c:\windows\system32\atl(3)(3).dll
2009-07-14 03:43 . 2004-08-11 05:45 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2005-08-21 16:42 . 2005-06-27 23:17 905 -c--a-w- c:\program files\uninstal.log
2006-01-11 06:41 . 2004-08-29 00:07 56 --sh--r- c:\windows\SYSTEM32\6BBF71BA10.sys
2006-09-24 00:47 . 2004-08-29 00:07 10856 --sha-w- c:\windows\SYSTEM32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((( SnapShot@2009-10-04_14.11.07 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-10-04 16:44 . 2009-10-04 16:44 40960 c:\windows\temp\rtdrvmon.exe
- 2009-10-04 13:54 . 2009-10-04 13:54 40960 c:\windows\temp\rtdrvmon.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-05-12 6729728]
"FaxCenterServer"="c:\program files\Lexmark Fax Solutions\fm3032.exe" [2007-02-08 295856]
"NvMediaCenter"="NvMCTray.dll" - c:\windows\SYSTEM32\nvmctray.dll [2005-05-12 86016]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" - c:\windows\SYSTEM32\narrator.exe [2008-04-14 53760]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2006-03-13 233472]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk.disabled]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk.disabled
backup=c:\windows\pss\Adobe Reader Speed Launch.lnk.disabledCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Exif Launcher.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Exif Launcher.lnk
backup=c:\windows\pss\Exif Launcher.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Spiderman^Start Menu^Programs^Startup^clippy.exe]
path=c:\documents and settings\Spiderman\Start Menu\Programs\Startup\clippy.exe
backup=c:\windows\pss\clippy.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Spiderman^Start Menu^Programs^Startup^Magnifier.lnk]
path=c:\documents and settings\Spiderman\Start Menu\Programs\Startup\Magnifier.lnk
backup=c:\windows\pss\Magnifier.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Spiderman^Start Menu^Programs^Startup^Stardock ObjectDock.lnk]
path=c:\documents and settings\Spiderman\Start Menu\Programs\Startup\Stardock ObjectDock.lnk
backup=c:\windows\pss\Stardock ObjectDock.lnkStartup

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Insider"=c:\program files\Insider\Insider.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="c:\program files\QuickTime\bak\qttask.exe" -atboottime
"nwiz"=nwiz.exe /install

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\SYSTEM32\\lxczcoms.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Summitsoft\\Business Card Shop\\FRegister.exe"=
"c:\\Program Files\\Summitsoft\\Business Card Shop\\BCGUpdate.exe"=
"c:\\Program Files\\Summitsoft\\Business Card Shop\\Summitsoft Products.exe"=
"c:\\Program Files\\Summitsoft\\Business Card Shop\\BCGFonts.exe"=
"c:\\Program Files\\Summitsoft\\Business Card Shop\\Splash_LDS.exe"=
"c:\\Program Files\\Summitsoft\\Business Card Shop\\Splash Series 1_Oct132008.exe"=

S3 brfilt;Brother MFC Filter Driver;c:\windows\SYSTEM32\DRIVERS\BrFilt.sys [8/13/2006 9:48 AM 2944]
S3 brparimg;Brother Multi Function Parallel Image driver;c:\windows\SYSTEM32\DRIVERS\BrParImg.sys [8/13/2006 9:48 AM 3168]
S3 BrParWdm;Brother WDM Parallel Driver;c:\windows\SYSTEM32\DRIVERS\BrParwdm.sys [8/13/2006 9:48 AM 39552]
S3 BrSerWDM;Brother Serial driver;c:\windows\SYSTEM32\DRIVERS\BrSerWdm.sys [8/13/2006 9:48 AM 60416]
S3 DMSKSSRh;DMSKSSRh;\??\c:\docume~1\SPIDER~1\LOCALS~1\Temp\DMSKSSRh.sys --> c:\docume~1\SPIDER~1\LOCALS~1\Temp\DMSKSSRh.sys [?]
S3 SaiNtSub;SaiNtSub;c:\windows\SYSTEM32\DRIVERS\SaiNtSub.sys [2/4/2005 10:28 PM 19200]
S3 samhid;samhid;c:\windows\system32\drivers\samhid.sys --> c:\windows\system32\drivers\samhid.sys [?]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.98rock.com/cc-common/babes/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = 127.0.0.1
IE: &ieSpell Options - c:\program files\ieSpell\iespell.dll/SPELLOPTION.HTM
IE: &Search
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: Check &Spelling - c:\program files\ieSpell\iespell.dll/SPELLCHECK.HTM
IE: Lookup on Merriam Webster - file://c:\program files\ieSpell\Merriam Webster.HTM
IE: Lookup on Wikipedia - file://c:\program files\ieSpell\wikipedia.HTM
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {D9EA64B2-B966-E177-332C-78B69886526D} - hxxp://download.newaol.com/bkpromo/download/PerformerSetup.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-04 12:45
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1665667976-894762885-3311537992-1007\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(4052)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\SYSTEM32\LEXBCES.EXE
c:\windows\SYSTEM32\LEXPPS.EXE
c:\windows\SYSTEM32\lxczcoms.exe
c:\windows\SYSTEM32\nvsvc32.exe
c:\program files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
c:\program files\TVersity\Media Server\MediaServer.exe
c:\windows\SYSTEM32\wscntfy.exe
c:\windows\SYSTEM32\rundll32.exe
.
**************************************************************************
.
Completion time: 2009-10-04 12:54 - machine was rebooted
ComboFix-quarantined-files.txt 2009-10-04 16:54
ComboFix2.txt 2009-10-04 14:17
ComboFix3.txt 2007-11-30 03:16

Pre-Run: 4,962,119,680 bytes free
Post-Run: 4,930,002,944 bytes free

Current=1 Default=1 Failed=0 LastKnownGood=4 Sets=1,2,3,4
166 --- E O F --- 2009-08-27 21:59

Blade81
2009-10-04, 20:37
will be doing the following steps shortly.
Ok. Please see also if you can find a zip file with name beginning as [4]-Submit. Upload it here (http://www.bleepingcomputer.com/submit-malware.php?channel=4). Kindly include a link to this topic in the message.

CamaroJeff
2009-10-04, 21:13
i ran a search for said file ([4]-Submit) through win rar and came up with zero results. are there any other methods to find this file if it's present?

currently i'm attempting to update java. i get to the step of clicking "the link to download Windows Offline Installation with or without Multi-language and save to your desktop" and i do not find the link to update offline. should i continue with the installation that the site suggests? all other steps have been completed successfully.

i cannot express how much i appreciate your help in this matter. the computer is running much better already but i know there are more steps to follow. i'm patiently awaiting further instructions to ensure things go as they should :)

Blade81
2009-10-04, 22:21
Sorry, I should have been more specific. See if you can find a .zip file beginning with that name in the c:\qoobox\quarantine folder.

CamaroJeff
2009-10-06, 00:38
i found and submitted the [4]-Submit zip file, it was right where you said it was.

i'm still not sure what to do with the offline installation for java though, i still don't find a link for it. should i continue with the method the site gives me? i have not done the ATF cleaner or the Kaspersky scan yet because of the java update issue. should i continue on with the rest of the steps without updating java?

CamaroJeff
2009-10-06, 14:24
alright, i figured the java update out once i found the correct link
i will be finishing up the rest after i get home from work today.

Blade81
2009-10-06, 14:26
Thanks for the submit. Shall wait for your reply :)

CamaroJeff
2009-10-07, 00:56
okay, i downloaded atf cleaner and successfully cleaned up the mentioned files. i get to the kaspersky online scan and i get this message:

Launch of the Java application is interrupted! Please establish an uninterrupted Internet connection for work with this program.

Not sure where to go from there. A Java icon did pop up in the tray on the right-hand side, giving me options to change settings, but I'm not about to play around with something I'm unfamiliar with :(

Blade81
2009-10-07, 08:05
Please try this alternative scanner instead:

Download the latest version of Kaspersky Virus Removal Tool (http://devbuilds.kaspersky-labs.com/devbuilds/AVPTool/) (alternate location: ftp://downloads2.kaspersky-labs.com/devbuilds/AVPTool)

* Close all other applications and double-click and run the installer.
* When AVPTool starts, select all the scannable items except for CD-ROM drives and click the Scan button.
* If malware is detected, don't remove anything.
* After the scan finishes, don't neutralize anything.
* In the Scan window click the Reports button and select Save to file.
* Name the report AVPT.txt, and save it to the Desktop.
* Close AVPTool.
* You will be prompted if you want to uninstall the program; click Yes.
* You will then be prompted that to complete the uninstallation, the computer must be restarted. Select Yes to restart the system.
* Copy and paste the first part of the report (Detected) that you saved in your next reply. Do not include the longer list marked Events.

CamaroJeff
2009-10-08, 14:21
Wow, that scan took all night. Here's the report; doesn't look good...



Scan
----
Scanned: 490273
Detected: 22
Untreated: 22
Start time: 10/7/2009 5:54:13 PM
Duration: 13:17:29
Finish time: 10/8/2009 7:11:42 AM


Detected
--------
Status Object
------ ------
detected: Trojan program Trojan-Downloader.Win32.Mufanom.ddy File: C:\qoobox\Quarantine\[4]-Submit_2009-10-04_12.31.24.zip/carcpc.dll
detected: Trojan program Backdoor.Win32.Bredolab.bp File: C:\qoobox\Quarantine\C\Documents and Settings\Spiderman\Start Menu\Programs\Startup\ikowin32.exe.vir
detected: Trojan program Trojan.Win32.ExeDot.mq File: C:\qoobox\Quarantine\C\Program Files\Common\helper.dll.vir
detected: Trojan program Trojan.Win32.ExeDot.mq File: C:\qoobox\Quarantine\C\Program Files\Common\_helper.dll.vir
detected: virus Worm.Win32.Pinit.aj File: C:\qoobox\Quarantine\C\WINDOWS\SYSTEM32\aston.mt.vir
detected: Trojan program Backdoor.Win32.NewRest.hx File: C:\qoobox\Quarantine\C\WINDOWS\SYSTEM32\DRIVERS\3e3b0e9.sys.vir
detected: virus Virus.Win32.Protector.b File: C:\qoobox\Quarantine\C\WINDOWS\SYSTEM32\DRIVERS\ndis.sys.vir
detected: Trojan program Backdoor.Win32.NewRest.hx File: C:\qoobox\Quarantine\C\WINDOWS\SYSTEM32\DRIVERS\_3e3b0e9_.sys.zip/3e3b0e9.sys
detected: Trojan program Backdoor.Win32.NewRest.hx File: C:\qoobox\Quarantine\C\WINDOWS\SYSTEM32\DRIVERS\_3e3b0e9_.sys.zip/3e3b0e9.sys.1
detected: Trojan program Trojan-Downloader.Win32.Mufanom.ddy File: C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP536\A0085554.dll
detected: Trojan program Trojan-Downloader.Win32.Mufanom.dfd File: C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP537\A0085560.dll
detected: virus Virus.Win32.Protector.b File: C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP557\A0088370.sys
detected: virus Virus.Win32.Protector.b File: C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP557\A0088371.sys
detected: Trojan program Backdoor.Win32.Bredolab.bp File: C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP557\A0088372.exe
detected: Trojan program Trojan.Win32.ExeDot.mq File: C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP557\A0088373.dll
detected: Trojan program Trojan.Win32.ExeDot.mq File: C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP557\A0088374.dll
detected: Trojan program Backdoor.Win32.NewRest.hx File: C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP557\A0088592.sys
detected: pornware not-a-virus:Porn-Downloader.Win32.StripSaver.a File: C:\WINDOWS\Downloaded Program Files\StripSaver_116.EXE//WISE0001.BIN
detected: Trojan program Trojan.Win32.Patched.dr File: C:\WINDOWS\SYSTEM32\dhero
detected: Trojan program Trojan-Spy.Win32.Agent.azgv File: C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\6JYLAZOX\podli[1].exe//#
detected: Trojan program Trojan-Downloader.Win32.FraudLoad.feh File: C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\O9YJK1IJ\b[1].exe
detected: Trojan program Trojan-Spy.Win32.Zbot.gen File: C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\O9YJK1IJ\Z[1].exe

Blade81
2009-10-08, 16:51
Hi,

Open notepad and copy/paste the text in the quotebox below into it:



File::
C:\WINDOWS\Downloaded Program Files\StripSaver_116.EXE
C:\WINDOWS\SYSTEM32\dhero
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\6JYLAZOX\podli[1].exe
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\O9YJK1IJ\b[1].exe
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\O9YJK1IJ\Z[1].exe



Save this as
CFScript

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Close all browser windows and, referring to the picture above, drag CFScript into ComboFix.exe.
Then post the resultant log & a fresh dds.txt log. How's the system running?
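
The selection Blade81 makes above is mechanical enough to script: of the 22 AVPTool detections, only the five that are neither in ComboFix's own c:\qoobox quarantine nor in System Restore's System Volume Information go into the File:: block, and archive-member suffixes such as //WISE0001.BIN and //# are stripped so that the on-disk container is what gets listed. The Python below is an added example for this page, not a tool from Kaspersky, sUBs (ComboFix) or the forum helper. The sample report is a constructed subset of the lines posted above (plus one placeholder line after the Events header to show that parsing stops there); the "detected: <kind> <name> File: <path>" line shape is read off those lines, and the rule that quarantine and restore-point copies are left out is an assumption inferred from which entries Blade81 chose.

```python
"""Turn the 'Detected' section of a Kaspersky AVPTool report into a
ComboFix CFScript 'File::' block.

Added example for this thread; not code from Kaspersky, ComboFix or
the helper.  Review the resulting list by hand before using it."""
import re

# Constructed sample: a subset of the Detected lines posted in the
# thread, followed by an Events header and one placeholder line that
# must NOT be picked up.  AVPTool marks archive members with '/' (zip
# entry) or '//' (embedded object); the text before the first '/' is
# the file that actually exists on disk.
SAMPLE_REPORT = r"""
Detected
--------
Status Object
------ ------
detected: Trojan program Trojan-Downloader.Win32.Mufanom.ddy File: C:\qoobox\Quarantine\[4]-Submit_2009-10-04_12.31.24.zip/carcpc.dll
detected: Trojan program Backdoor.Win32.Bredolab.bp File: C:\qoobox\Quarantine\C\Documents and Settings\Spiderman\Start Menu\Programs\Startup\ikowin32.exe.vir
detected: Trojan program Trojan-Downloader.Win32.Mufanom.ddy File: C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP536\A0085554.dll
detected: pornware not-a-virus:Porn-Downloader.Win32.StripSaver.a File: C:\WINDOWS\Downloaded Program Files\StripSaver_116.EXE//WISE0001.BIN
detected: Trojan program Trojan.Win32.Patched.dr File: C:\WINDOWS\SYSTEM32\dhero
detected: Trojan program Trojan-Spy.Win32.Agent.azgv File: C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\6JYLAZOX\podli[1].exe//#
detected: Trojan program Trojan-Downloader.Win32.FraudLoad.feh File: C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\O9YJK1IJ\b[1].exe
detected: Trojan program Trojan-Spy.Win32.Zbot.gen File: C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\O9YJK1IJ\Z[1].exe

Events
------
detected: Trojan program Example.Placeholder File: C:\must\not\appear.exe
"""

# One detection line: 'detected: <kind> <name> File: <path>'.
# <kind> may be more than one word ("Trojan program"), <name> never has
# spaces, so the lazy <kind> group backs off until ' File: ' lines up.
DETECTED_RE = re.compile(
    r"^detected:\s+(?P<kind>.+?)\s+(?P<name>\S+)\s+File:\s+(?P<path>.+?)\s*$"
)

# Assumption (taken from Blade81's choice of entries): copies that
# ComboFix has already quarantined and restore-point copies are not
# live files and stay out of the script.
SKIP_PREFIXES = ("c:\\qoobox\\",)
SKIP_FRAGMENTS = ("\\system volume information\\",)


def parse_detected(report):
    """Return one dict per 'detected:' line in the Detected section.

    Parsing stops at the 'Events' header so the much longer event log
    that follows in a full report is never read as detections.
    """
    records = []
    for raw in report.splitlines():
        line = raw.strip()
        if line == "Events":
            break
        m = DETECTED_RE.match(line)
        if not m:
            continue
        path = m.group("path")
        records.append({
            "kind": m.group("kind"),
            "name": m.group("name"),
            "path": path,
            # Windows paths as AVPTool prints them never contain '/',
            # so the first one always begins the archive-member suffix.
            "container": path.split("/", 1)[0],
        })
    return records


def is_live_location(path):
    """False for quarantine and restore-point copies, True otherwise."""
    p = path.lower()
    if p.startswith(SKIP_PREFIXES):
        return False
    return not any(frag in p for frag in SKIP_FRAGMENTS)


def files_for_cfscript(records):
    """Unique on-disk containers, in report order, live locations only."""
    seen, out = set(), []
    for rec in records:
        container = rec["container"]
        key = container.lower()
        if key in seen or not is_live_location(container):
            continue
        seen.add(key)
        out.append(container)
    return out


def build_cfscript(report):
    """Render the 'File::' block in the form that is pasted into Notepad."""
    files = files_for_cfscript(parse_detected(report))
    return "File::\n" + "\n".join(files) + "\n"


if __name__ == "__main__":
    print(build_cfscript(SAMPLE_REPORT))
```

Run against the sample, the output is the same five-line File:: block Blade81 posted, in the same order. The script only selects and formats; the judgement call of whether each remaining entry really belongs in a deletion script (the StripSaver download is adware rather than a trojan, for instance) is still the helper's, which is why the list should be read before it is dragged onto ComboFix.exe.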

CamaroJeff
2009-10-09, 00:43
When I pasted the text file on ComboFix, the first thing that happened was an update for ComboFix. It restarted after updating, but I think it got the files, as they're mentioned in the log. The dds.txt log will follow shortly.

The machine is running pretty well, a lot faster than it was before this mess. Thanks again for your help.


ComboFix 09-10-07.05 - Spiderman 10/08/2009 17:21.4.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.242 [GMT -4:00]
Running from: c:\documents and settings\Spiderman\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Spiderman\Desktop\CFScript.txt

FILE ::
"c:\windows\Downloaded Program Files\StripSaver_116.EXE"
"c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\6JYLAZOX\podli[1].exe"
"c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\O9YJK1IJ\b[1].exe"
"c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\O9YJK1IJ\Z[1].exe"
"c:\windows\SYSTEM32\dhero"

file zipped: c:\windows\Downloaded Program Files\StripSaver_116.EXE
file zipped: c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\6JYLAZOX\podli[1].exe
file zipped: c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\O9YJK1IJ\b[1].exe
file zipped: c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\O9YJK1IJ\Z[1].exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Downloaded Program Files\StripSaver_116.EXE
c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\6JYLAZOX\podli[1].exe
c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\O9YJK1IJ\b[1].exe
c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\O9YJK1IJ\Z[1].exe
c:\windows\SYSTEM32\dhero

.
((((((((((((((((((((((((( Files Created from 2009-09-08 to 2009-10-08 )))))))))))))))))))))))))))))))
.

2009-10-07 21:53 . 2009-10-08 11:15 790560 --sha-w- c:\windows\system32\drivers\fidbox.dat
2009-10-05 22:15 . 2009-10-05 22:15 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-10-04 17:37 . 2009-10-04 17:39 -------- d-----w- c:\windows\system32\Adobe
2009-10-04 17:18 . 2009-10-04 17:18 -------- d-----w- c:\program files\Common Files\Adobe AIR
2009-10-04 17:16 . 2009-10-05 21:58 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-10-04 17:09 . 2009-10-04 17:09 2560 ----a-w- c:\windows\_MSRSTRT.EXE
2009-09-12 19:11 . 2009-09-12 19:11 -------- d-----w- c:\windows\system32\wbem\Repository

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-08 11:15 . 2009-10-07 21:53 10340 --sha-w- c:\windows\system32\drivers\fidbox.idx
2009-10-07 21:53 . 2007-11-22 17:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab
2009-10-05 22:15 . 2004-05-19 15:18 -------- d-----w- c:\program files\Java
2009-10-05 21:51 . 2007-09-16 20:15 -------- d-----w- c:\program files\PeerGuardian2
2009-10-04 17:21 . 2004-07-20 03:08 -------- d-----w- c:\program files\Common Files\Adobe
2009-10-04 17:08 . 2005-09-25 02:53 -------- d-----w- c:\program files\AIM
2009-10-04 17:08 . 2005-09-25 02:53 -------- d-----w- c:\documents and settings\Spiderman\Application Data\Aim
2009-10-04 13:21 . 2002-08-29 10:00 182656 ------w- c:\windows\system32\drivers\ndis.sys
2009-09-30 00:02 . 2005-12-30 00:37 -------- d-----w- c:\program files\Common Files\KnifeEdge
2009-09-14 21:38 . 2005-07-13 03:08 -------- d-----w- c:\program files\Program Files
2009-09-12 19:10 . 2009-03-15 00:26 -------- d-----w- c:\program files\Microsoft Silverlight
2009-09-03 03:58 . 2004-07-09 22:13 118440 ----a-w- c:\documents and settings\Spiderman\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-25 21:35 . 2009-08-25 16:29 -------- d-----w- c:\documents and settings\All Users\Application Data\10983904
2009-08-06 23:24 . 2004-08-12 15:45 327896 ----a-w- c:\windows\system32\wucltui.dll
2009-08-06 23:24 . 2004-08-12 15:45 209632 ----a-w- c:\windows\system32\wuweb.dll
2009-08-06 23:24 . 2005-05-26 08:16 44768 ----a-w- c:\windows\system32\wups2.dll
2009-08-06 23:24 . 2004-08-12 15:45 35552 ----a-w- c:\windows\system32\wups.dll
2009-08-06 23:24 . 2002-08-29 10:00 53472 ----a-w- c:\windows\system32\wuauclt.exe
2009-08-06 23:24 . 2002-08-29 10:00 96480 ----a-w- c:\windows\system32\cdm.dll
2009-08-06 23:23 . 2004-08-12 15:45 575704 ----a-w- c:\windows\system32\wuapi.dll
2009-08-06 23:23 . 2006-11-02 22:34 215920 ----a-w- c:\windows\system32\muweb.dll
2009-08-06 23:23 . 2006-11-02 22:34 274288 ----a-w- c:\windows\system32\mucltui.dll
2009-08-06 23:23 . 2002-08-29 10:00 1929952 ----a-w- c:\windows\system32\wuaueng.dll
2009-07-17 19:01 . 2002-08-29 10:00 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-17 19:01 . 2002-08-29 10:00 58880 ----a-w- c:\windows\system32\atl(3)(3).dll
2009-07-14 03:43 . 2004-08-11 05:45 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2005-08-21 16:42 . 2005-06-27 23:17 905 -c--a-w- c:\program files\uninstal.log
2006-01-11 06:41 . 2004-08-29 00:07 56 --sh--r- c:\windows\SYSTEM32\6BBF71BA10.sys
2006-09-24 00:47 . 2004-08-29 00:07 10856 --sha-w- c:\windows\SYSTEM32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((( SnapShot@2009-10-04_14.11.07 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-10-05 20:55 . 2009-08-06 23:24 44768 c:\windows\SYSTEM32\SoftwareDistribution\Setup\ServiceStartup\wups2.dll\7.4.7600.226\wups2.dll
+ 2009-10-05 20:55 . 2009-08-06 23:24 35552 c:\windows\SYSTEM32\SoftwareDistribution\Setup\ServiceStartup\wups.dll\7.4.7600.226\wups.dll
+ 2009-10-04 17:43 . 2009-10-04 17:43 88589 c:\windows\SYSTEM32\Macromed\Flash\uninstall_activeX.exe
+ 2004-08-12 15:45 . 2009-08-06 23:24 35552 c:\windows\SYSTEM32\DLLCACHE\wups.dll
+ 2002-08-29 10:00 . 2009-08-06 23:24 53472 c:\windows\SYSTEM32\DLLCACHE\wuauclt.exe
+ 2002-08-29 10:00 . 2009-08-06 23:24 96480 c:\windows\SYSTEM32\DLLCACHE\cdm.dll
+ 2009-10-04 17:38 . 2009-10-04 17:38 87618 c:\windows\SYSTEM32\Adobe\Shockwave 11\uninstaller.exe
+ 2009-07-31 13:26 . 2009-07-31 13:26 94208 c:\windows\SYSTEM32\Adobe\Shockwave 11\SwMenu.dll
+ 2009-07-31 12:54 . 2009-07-31 12:54 79488 c:\windows\SYSTEM32\Adobe\Shockwave 11\gtapi.dll
+ 2009-07-31 13:42 . 2009-07-31 13:42 67000 c:\windows\SYSTEM32\Adobe\Director\SWDNLD.EXE
+ 2009-10-04 17:18 . 2009-10-04 17:18 21504 c:\windows\Installer\6c7a1.msi
+ 2009-10-04 17:18 . 2009-10-04 17:18 27648 c:\windows\Installer\6c79c.msi
+ 2009-07-31 13:28 . 2009-07-31 13:28 9216 c:\windows\SYSTEM32\Adobe\Shockwave 11\DynaPlayer.dll
+ 2009-10-04 17:09 . 2009-10-04 17:09 2560 c:\windows\_MSRSTRT.EXE
+ 2009-07-18 03:12 . 2009-07-18 03:12 257440 c:\windows\SYSTEM32\Macromed\Flash\FlashUtil10c.exe
+ 2009-10-05 22:15 . 2009-10-05 22:15 149280 c:\windows\SYSTEM32\javaws.exe
+ 2009-10-05 22:15 . 2009-10-05 22:15 145184 c:\windows\SYSTEM32\javaw.exe
+ 2009-10-05 22:15 . 2009-10-05 22:15 145184 c:\windows\SYSTEM32\java.exe
+ 2004-08-12 15:45 . 2009-08-06 23:24 209632 c:\windows\SYSTEM32\DLLCACHE\wuweb.dll
+ 2004-08-12 15:45 . 2009-08-06 23:24 327896 c:\windows\SYSTEM32\DLLCACHE\wucltui.dll
+ 2004-08-12 15:45 . 2009-08-06 23:23 575704 c:\windows\SYSTEM32\DLLCACHE\wuapi.dll
+ 2009-07-31 12:54 . 2009-07-31 12:54 132472 c:\windows\SYSTEM32\Adobe\Shockwave 11\SYMCCHECKER.DLL
+ 2009-07-31 13:26 . 2009-07-31 13:26 114688 c:\windows\SYSTEM32\Adobe\Shockwave 11\SwInit.exe
+ 2009-07-31 13:40 . 2009-07-31 13:40 468408 c:\windows\SYSTEM32\Adobe\Shockwave 11\SwHelper_1151601.exe
+ 2009-07-31 13:28 . 2009-07-31 13:28 446464 c:\windows\SYSTEM32\Adobe\Shockwave 11\Proj.dll
+ 2009-07-31 13:26 . 2009-07-31 13:26 372736 c:\windows\SYSTEM32\Adobe\Shockwave 11\Plugin.dll
+ 2009-07-31 12:54 . 2009-07-31 12:54 714752 c:\windows\SYSTEM32\Adobe\Shockwave 11\gi.dll
+ 2009-07-31 13:25 . 2009-07-31 13:25 614400 c:\windows\SYSTEM32\Adobe\Shockwave 11\Control.dll
+ 2009-07-31 13:41 . 2009-07-31 13:41 206264 c:\windows\SYSTEM32\Adobe\Director\SwDir.dll
+ 2009-07-31 13:27 . 2009-07-31 13:27 131072 c:\windows\SYSTEM32\Adobe\Director\np32dsw.dll
+ 2009-01-18 20:05 . 2009-01-18 20:05 675840 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0100000010\9.1.0\JP2KLib.dll
+ 2002-08-29 10:00 . 2009-08-06 23:23 1929952 c:\windows\SYSTEM32\DLLCACHE\wuaueng.dll
+ 2009-07-31 13:00 . 2009-07-31 13:00 1011712 c:\windows\SYSTEM32\Adobe\Shockwave 11\iml32.dll
+ 2009-07-31 12:54 . 2009-07-31 12:54 1886320 c:\windows\SYSTEM32\Adobe\Shockwave 11\gt.exe
+ 2009-07-31 13:04 . 2009-07-31 13:04 1798144 c:\windows\SYSTEM32\Adobe\Shockwave 11\dirapi.dll
+ 2009-10-04 17:21 . 2009-10-04 17:21 3938816 c:\windows\Installer\6c7a6.msi
+ 2009-10-04 17:36 . 2009-10-04 17:36 1697792 c:\windows\Installer\143596.msp
+ 2009-10-04 17:34 . 2009-10-04 17:34 6653952 c:\windows\Installer\143588.msp
+ 2009-10-04 17:32 . 2009-10-04 17:32 2150400 c:\windows\Installer\143564.msp
+ 2009-10-05 22:15 . 2009-10-05 22:15 1757696 c:\windows\Installer\102ee5.msi
+ 2008-12-18 20:48 . 2008-12-18 20:48 3645440 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0100000010\9.1.0\authplay.dll
+ 2009-02-27 20:37 . 2009-02-27 20:37 20403568 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0100000010\9.1.0\AcroRd32.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-05-12 6729728]
"FaxCenterServer"="c:\program files\Lexmark Fax Solutions\fm3032.exe" [2007-02-08 295856]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-05 149280]
"NvMediaCenter"="NvMCTray.dll" - c:\windows\SYSTEM32\nvmctray.dll [2005-05-12 86016]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" - c:\windows\SYSTEM32\narrator.exe [2008-04-14 53760]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2006-03-13 233472]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk.disabled]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk.disabled
backup=c:\windows\pss\Adobe Reader Speed Launch.lnk.disabledCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Exif Launcher.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Exif Launcher.lnk
backup=c:\windows\pss\Exif Launcher.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Spiderman^Start Menu^Programs^Startup^clippy.exe]
path=c:\documents and settings\Spiderman\Start Menu\Programs\Startup\clippy.exe
backup=c:\windows\pss\clippy.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Spiderman^Start Menu^Programs^Startup^Magnifier.lnk]
path=c:\documents and settings\Spiderman\Start Menu\Programs\Startup\Magnifier.lnk
backup=c:\windows\pss\Magnifier.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Spiderman^Start Menu^Programs^Startup^Stardock ObjectDock.lnk]
path=c:\documents and settings\Spiderman\Start Menu\Programs\Startup\Stardock ObjectDock.lnk
backup=c:\windows\pss\Stardock ObjectDock.lnkStartup

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Insider"=c:\program files\Insider\Insider.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="c:\program files\QuickTime\bak\qttask.exe" -atboottime
"nwiz"=nwiz.exe /install

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\SYSTEM32\\lxczcoms.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Summitsoft\\Business Card Shop\\FRegister.exe"=
"c:\\Program Files\\Summitsoft\\Business Card Shop\\BCGUpdate.exe"=
"c:\\Program Files\\Summitsoft\\Business Card Shop\\Summitsoft Products.exe"=
"c:\\Program Files\\Summitsoft\\Business Card Shop\\BCGFonts.exe"=
"c:\\Program Files\\Summitsoft\\Business Card Shop\\Splash_LDS.exe"=
"c:\\Program Files\\Summitsoft\\Business Card Shop\\Splash Series 1_Oct132008.exe"=

S3 brfilt;Brother MFC Filter Driver;c:\windows\SYSTEM32\DRIVERS\BrFilt.sys [8/13/2006 9:48 AM 2944]
S3 brparimg;Brother Multi Function Parallel Image driver;c:\windows\SYSTEM32\DRIVERS\BrParImg.sys [8/13/2006 9:48 AM 3168]
S3 BrParWdm;Brother WDM Parallel Driver;c:\windows\SYSTEM32\DRIVERS\BrParwdm.sys [8/13/2006 9:48 AM 39552]
S3 BrSerWDM;Brother Serial driver;c:\windows\SYSTEM32\DRIVERS\BrSerWdm.sys [8/13/2006 9:48 AM 60416]
S3 DMSKSSRh;DMSKSSRh;\??\c:\docume~1\SPIDER~1\LOCALS~1\Temp\DMSKSSRh.sys --> c:\docume~1\SPIDER~1\LOCALS~1\Temp\DMSKSSRh.sys [?]
S3 SaiNtSub;SaiNtSub;c:\windows\SYSTEM32\DRIVERS\SaiNtSub.sys [2/4/2005 10:28 PM 19200]
S3 samhid;samhid;c:\windows\system32\drivers\samhid.sys --> c:\windows\system32\drivers\samhid.sys [?]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.98rock.com/cc-common/babes/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = 127.0.0.1
IE: &ieSpell Options - c:\program files\ieSpell\iespell.dll/SPELLOPTION.HTM
IE: &Search
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: Check &Spelling - c:\program files\ieSpell\iespell.dll/SPELLCHECK.HTM
IE: Lookup on Merriam Webster - file://c:\program files\ieSpell\Merriam Webster.HTM
IE: Lookup on Wikipedia - file://c:\program files\ieSpell\wikipedia.HTM
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {D9EA64B2-B966-E177-332C-78B69886526D} - hxxp://download.newaol.com/bkpromo/download/PerformerSetup.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-08 17:33
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1665667976-894762885-3311537992-1007\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
@Denied: (A 2) (Everyone)
@="IFlashBroker3"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
Completion time: 2009-10-08 17:37
ComboFix-quarantined-files.txt 2009-10-08 21:36
ComboFix2.txt 2009-10-04 16:54
ComboFix3.txt 2009-10-04 14:17
ComboFix4.txt 2007-11-30 03:16

Pre-Run: 4,294,623,232 bytes free
Post-Run: 4,333,191,168 bytes free

Current=1 Default=1 Failed=0 LastKnownGood=4 Sets=1,2,3,4
227 --- E O F --- 2009-08-27 21:59
Upload was successful

CamaroJeff
2009-10-09, 00:47
Here's the dds.txt



DDS (Ver_09-09-29.01) - NTFSx86
Run by Spiderman at 17:44:49.95 on Thu 10/08/2009
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.214 [GMT -4:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
svchost.exe
C:\WINDOWS\system32\lxczcoms.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Spiderman\Desktop\dds.pif

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.98rock.com/cc-common/babes/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = 127.0.0.1
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: dsWebAllowBHO Class: {2f85d76c-0569-466f-a488-493e6bd0e955} - c:\program files\windows desktop search\dsWebAllow.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
mRun: [FaxCenterServer] "c:\program files\lexmark fax solutions\fm3032.exe" /s
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
dRunOnce: [RunNarrator] Narrator.exe
IE: &ieSpell Options - c:\program files\iespell\iespell.dll/SPELLOPTION.HTM
IE: &Search
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: Check &Spelling - c:\program files\iespell\iespell.dll/SPELLCHECK.HTM
IE: Lookup on Merriam Webster - file://c:\program files\iespell\Merriam Webster.HTM
IE: Lookup on Wikipedia - file://c:\program files\iespell\wikipedia.HTM
IE: {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - res://c:\program files\iespell\iespell.dll/SPELLCHECK.HTM
IE: {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - res://c:\program files\iespell\iespell.dll/SPELLOPTION.HTM
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/templates/ieawsdc.cab
DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} - hxxp://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} - hxxp://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {205FF73B-CA67-11D5-99DD-444553540000} - hxxp://66.154.44.68/cam/Install.cab
DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} - hxxp://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
DPF: {33564D57-9980-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/wmv9dmo.cab
DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - hxxp://lads.myspace.com/upload/MySpaceUploader1006.cab
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,90/mcinsctl.cab
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://by14fd.bay14.hotmail.msn.com/resources/MsnPUpld.cab
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://download.divx.com/player/DivXBrowserPlugin.cab
DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} - hxxp://chat.yahoo.com/cab/yacsui.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {8E28B3A9-FE83-45D1-B657-D5426B81A121} - hxxps://cs7b.instantservice.com/jars/customerxsigned42.cab
DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - hxxp://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,23/mcgdmgr.cab
DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab
DPF: {D9EA64B2-B966-E177-332C-78B69886526D} - hxxp://download.newaol.com/bkpromo/download/PerformerSetup.cab
DPF: {DE22A7AB-A739-4C58-AD52-21F9CD6306B7} - hxxp://download.microsoft.com/download/7/E/6/7E6A8567-DFE4-4624-87C3-163549BE2704/clearadj.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} - hxxp://fdl.msn.com/zone/datafiles/heartbeat.cab
Notify: igfxcui - igfxsrvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll

============= SERVICES / DRIVERS ===============

R2 lxcz_device;lxcz_device;c:\windows\system32\lxczcoms.exe -service --> c:\windows\system32\lxczcoms.exe -service [?]
S3 brfilt;Brother MFC Filter Driver;c:\windows\system32\drivers\BrFilt.sys [2006-8-13 2944]
S3 brparimg;Brother Multi Function Parallel Image driver;c:\windows\system32\drivers\BrParImg.sys [2006-8-13 3168]
S3 BrParWdm;Brother WDM Parallel Driver;c:\windows\system32\drivers\BrParwdm.sys [2006-8-13 39552]
S3 BrSerWDM;Brother Serial driver;c:\windows\system32\drivers\BrSerWdm.sys [2006-8-13 60416]
S3 DMSKSSRh;DMSKSSRh;\??\c:\docume~1\spider~1\locals~1\temp\dmskssrh.sys --> c:\docume~1\spider~1\locals~1\temp\DMSKSSRh.sys [?]
S3 SaiNtSub;SaiNtSub;c:\windows\system32\drivers\SaiNtSub.sys [2005-2-4 19200]
S3 samhid;samhid;c:\windows\system32\drivers\samhid.sys --> c:\windows\system32\drivers\samhid.sys [?]

=============== Created Last 30 ================

2009-10-07 17:53 790,560 a--sh--- c:\windows\system32\drivers\fidbox.dat
2009-10-07 17:53 10,340 a--sh--- c:\windows\system32\drivers\fidbox.idx
2009-10-07 13:01 9,769 a------- C:\01.gif
2009-10-05 18:15 411,368 a------- c:\windows\system32\deploytk.dll
2009-10-05 18:15 73,728 a------- c:\windows\system32\javacpl.cpl
2009-10-04 13:37 <DIR> --d----- c:\windows\system32\Adobe
2009-10-04 13:09 2,560 a------- c:\windows\_MSRSTRT.EXE
2009-10-04 09:23 <DIR> a-dshr-- C:\cmdcons
2009-10-04 09:20 229,888 a------- c:\windows\PEV.exe
2009-10-04 09:20 161,792 a------- c:\windows\SWREG.exe
2009-10-04 09:20 98,816 a------- c:\windows\sed.exe
2009-09-12 15:11 <DIR> --d----- c:\windows\system32\wbem\Repository

==================== Find3M ====================

2009-10-04 09:21 182,656 a------- c:\windows\system32\dllcache\ndis.sys
2009-10-04 09:21 182,656 -------- c:\windows\system32\drivers\ndis.sys
2009-08-06 19:24 327,896 a------- c:\windows\system32\dllcache\wucltui.dll
2009-08-06 19:24 209,632 a------- c:\windows\system32\dllcache\wuweb.dll
2009-08-06 19:24 35,552 a------- c:\windows\system32\dllcache\wups.dll
2009-08-06 19:24 53,472 a------- c:\windows\system32\dllcache\wuauclt.exe
2009-08-06 19:24 96,480 a------- c:\windows\system32\dllcache\cdm.dll
2009-08-06 19:23 575,704 a------- c:\windows\system32\dllcache\wuapi.dll
2009-08-06 19:23 1,929,952 a------- c:\windows\system32\dllcache\wuaueng.dll
2009-08-06 19:23 274,288 a------- c:\windows\system32\mucltui.dll
2009-08-06 19:23 215,920 a------- c:\windows\system32\muweb.dll
2009-07-19 09:33 3,597,824 a------- c:\windows\system32\dllcache\mshtml.dll
2009-07-19 09:32 6,067,200 -------- c:\windows\system32\dllcache\ieframe.dll
2009-07-17 15:01 58,880 a------- c:\windows\system32\atl.dll
2009-07-17 15:01 58,880 a------- c:\windows\system32\atl(3)(3).dll
2009-07-17 15:01 58,880 -------- c:\windows\system32\dllcache\atl.dll
2009-07-13 23:43 10,841,088 a------- c:\windows\system32\dllcache\wmp.dll
2009-07-13 23:43 286,208 a------- c:\windows\system32\wmpdxm.dll
2009-07-13 23:43 286,208 -------- c:\windows\system32\dllcache\wmpdxm.dll
2007-03-29 09:13 87,608 a------- c:\docume~1\spider~1\applic~1\ezpinst.exe
2007-03-29 09:13 47,360 a------- c:\docume~1\spider~1\applic~1\pcouffin.sys
2005-08-21 12:42 905 ac------ c:\program files\uninstal.log
2004-07-09 19:24 784 a------- c:\docume~1\spider~1\applic~1\mpauth.dat
2006-01-11 02:41 56 ---shr-- c:\windows\system32\6BBF71BA10.sys
2006-09-23 20:47 10,856 a--sh--- c:\windows\system32\KGyGaAvL.sys
2009-02-09 23:52 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009020920090210\index.dat

============= FINISH: 17:45:42.92 ===============

CamaroJeff
2009-10-09, 00:50
and attach.txt, if needed.



UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-09-29.01)

Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume2
Install Date: 7/9/2004 6:12:37 PM
System Uptime: 10/8/2009 7:15:54 AM (10 hours ago)

Motherboard: Dell Computer Corp. | | 0C2425
Processor: Intel(R) Celeron(R) CPU 2.50GHz | Microprocessor | 2491/400mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 71 GiB total, 4.061 GiB free.
D: is CDROM ()
E: is CDROM ()
F: is CDROM ()

==== Disabled Device Manager Items =============

Class GUID: {4D36E96D-E325-11CE-BFC1-08002BE10318}
Description: Intel(R) 537EP V9x DFV PCI Modem
Device ID: PCI\VEN_8086&DEV_1080&SUBSYS_10001028&REV_04\4&3B1CAF2B&0&30F0
Manufacturer: Intel Corporation
Name: Intel(R) 537EP V9x DFV PCI Modem
PNP Device ID: PCI\VEN_8086&DEV_1080&SUBSYS_10001028&REV_04\4&3B1CAF2B&0&30F0
Service: Modem

Class GUID: {4D36E980-E325-11CE-BFC1-08002BE10318}
Description: Floppy disk drive
Device ID: FDC\GENERIC_FLOPPY_DRIVE\5&C4AE404&0&0
Manufacturer: (Standard floppy disk drives)
Name: Floppy disk drive
PNP Device ID: FDC\GENERIC_FLOPPY_DRIVE\5&C4AE404&0&0
Service: flpydisk

Class GUID: {8ECC055D-047F-11D1-A537-0000F8753ED1}
Description: ATI WDM TV Tuner (Microsoft)
Device ID: ROOT\LEGACY_ATITUNEP\0000
Manufacturer:
Name: ATI WDM TV Tuner (Microsoft)
PNP Device ID: ROOT\LEGACY_ATITUNEP\0000
Service: ATITUNEP

Class GUID: {8ECC055D-047F-11D1-A537-0000F8753ED1}
Description: ATI WDM TV Audio Crossbar (Microsoft)
Device ID: ROOT\LEGACY_ATIXSAUDIO\0000
Manufacturer:
Name: ATI WDM TV Audio Crossbar (Microsoft)
PNP Device ID: ROOT\LEGACY_ATIXSAUDIO\0000
Service: ATIXSAudio

Class GUID: {8ECC055D-047F-11D1-A537-0000F8753ED1}
Description: ATI WDM Specialized MVD Codec (Microsoft)
Device ID: ROOT\LEGACY_MVDCODEC\0000
Manufacturer:
Name: ATI WDM Specialized MVD Codec (Microsoft)
PNP Device ID: ROOT\LEGACY_MVDCODEC\0000
Service: MVDCODEC

Class GUID: {8ECC055D-047F-11D1-A537-0000F8753ED1}
Description: ATI WDM Specialized PCD Codec (Microsoft)
Device ID: ROOT\LEGACY_PCDCODEC\0000
Manufacturer:
Name: ATI WDM Specialized PCD Codec (Microsoft)
PNP Device ID: ROOT\LEGACY_PCDCODEC\0000
Service: PCDCODEC

==== System Restore Points ===================

RP536: 9/11/2009 6:08:04 PM - Restore Operation
RP537: 9/12/2009 3:07:10 PM - Restore Operation
RP538: 9/13/2009 3:49:33 PM - System Checkpoint
RP539: 9/14/2009 4:58:05 PM - System Checkpoint
RP540: 9/15/2009 5:29:48 PM - System Checkpoint
RP541: 9/16/2009 6:30:49 PM - System Checkpoint
RP542: 9/17/2009 7:03:11 PM - System Checkpoint
RP543: 9/18/2009 7:29:50 PM - System Checkpoint
RP544: 9/19/2009 8:57:54 PM - System Checkpoint
RP545: 9/20/2009 9:29:33 PM - System Checkpoint
RP546: 9/21/2009 9:36:49 PM - System Checkpoint
RP547: 9/22/2009 11:56:59 PM - System Checkpoint
RP548: 9/24/2009 12:34:10 AM - System Checkpoint
RP549: 9/25/2009 1:02:38 AM - System Checkpoint
RP550: 9/26/2009 2:02:31 AM - System Checkpoint
RP551: 9/27/2009 3:02:46 AM - System Checkpoint
RP552: 9/28/2009 4:02:32 AM - System Checkpoint
RP553: 9/29/2009 7:45:36 AM - System Checkpoint
RP554: 9/30/2009 8:44:28 AM - System Checkpoint
RP555: 10/1/2009 9:44:27 AM - System Checkpoint
RP556: 10/2/2009 10:44:17 AM - System Checkpoint
RP557: 10/3/2009 11:21:28 AM - System Checkpoint
RP558: 10/4/2009 11:59:28 AM - System Checkpoint
RP559: 10/4/2009 1:07:37 PM - Removed Adobe Reader 7.0
RP560: 10/4/2009 1:20:16 PM - Installed Adobe Reader 9.1.
RP561: 10/5/2009 5:47:49 PM - Removed Java 2 Runtime Environment, SE v1.4.2
RP562: 10/5/2009 5:54:09 PM - Removed Macromedia Flash Player
RP563: 10/5/2009 5:55:23 PM - Removed ABBYY FineReader 6.0 Sprint
RP564: 10/5/2009 6:15:12 PM - Installed Java(TM) 6 Update 16
RP565: 10/6/2009 6:18:42 PM - System Checkpoint
RP566: 10/7/2009 11:38:28 PM - System Checkpoint

==== Installed Programs ======================


AC3Filter (remove only)
Acrobat.com
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Reader 9.1.3
Adobe Shockwave Player 11.5
AutoUpdate
Banctec Service Agreement
Battlefield 2(TM)
Bejeweled 2 Deluxe 1.0
Big Fish Games Client
Bookworm Deluxe 1.03
Broadcom Management Programs
Business Card Generator Fonts
Business Card Shop
Chutes and Ladders
Critical Update for Windows Media Player 11 (KB959772)
dBpoweramp DSP Effects
Deer Avenger
Dell Driver Reset Tool
Dell Networking Guide
Dell Solution Center
DivX Codec
DVDSentry
Dyno2000 Version 3.10
ffdshow [rev 1324] [2007-07-01]
Google Video Player
GTAIII
HarryThompson.com - Webjal Patcher
Help and Support Customization
HighMAT Extension to Microsoft Windows XP CD Writing Wizard
HijackThis 2.0.2
Hot Rod Garage to Glory
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB954708)
ieSpell
Intel(R) 537EP V9x DFV PCI Modem
Intel(R) Extreme Graphics Driver
Internet Explorer Default Page
IrfanView (remove only)
Java(TM) 6 Update 16
Kaspersky Online Scanner
Learn2 Player (Uninstall Only)
Lexmark 1200 Series
Lexmark 640 Series
Lexmark Fax Solutions
MathPlayer
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Age of Empires Gold
Microsoft Application Error Reporting
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Data Access Components KB870669
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office PowerPoint Viewer 2003
Microsoft Silverlight
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
MicroStaff WINASPI
Modem Event Monitor
MS Access 97 SP2
MSXML 4.0 SP2 (KB925672)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 Parser and SDK
MyJAL MediaPAL
Mystery Case Files: Madame Fate ™
Need For Speed Hot Pursuit 2
Network Play System (Patching)
NVIDIA Drivers
PowerDVD
QuickTime
R/C Pilot Simulator
RealFlight G3 R/C Simulator
RealFlight Simulator
RealPlayer
Saitek Configuration Software
Saitek NT Controller Drivers
Samsung CamCorder Driver
Samsung Video Codec 1.1 Uninstall
Security Update for CAPICOM (KB931906)
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Internet Explorer 7 (KB972260)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Sonic DLA
Sonic RecordNow!
Sonic Update Manager
Spybot - Search & Destroy
Spybot - Search & Destroy 1.5.2.20
SpywareBlaster v3.5.1
TVersity Codec Pack 1.1
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB968389)
Viewpoint Media Player
Visual FoxPro ODBC Driver
WavePad Uninstall
WebFldrs XP
Webjal install by HarryThompson.com
Windows Desktop Search
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 7
Windows Live Sign-in Assistant
Windows Live Sync
Windows Live Upload Tool
Windows Media Format 11 runtime
Windows Media Player 11
Windows XP Service Pack 3
WinRAR archiver

==== Event Viewer Messages From Past Week ========

10/8/2009 5:19:50 PM, error: Service Control Manager [7034] - The Java Quick Starter service terminated unexpectedly. It has done this 1 time(s).
10/5/2009 6:13:12 PM, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 30 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)
10/4/2009 9:54:57 AM, error: Service Control Manager [7000] - The Background Intelligent Transfer Service service failed to start due to the following error: The system cannot find the file specified.
10/4/2009 9:54:57 AM, error: Service Control Manager [7000] - The Automatic Updates service failed to start due to the following error: The system cannot find the file specified.
10/4/2009 9:52:47 AM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the PEVSystemStart service to connect.
10/4/2009 9:45:25 AM, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 15 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)
10/4/2009 8:20:08 AM, error: DCOM [10005] - DCOM got error "%2" attempting to start the service wuauserv with arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}
10/4/2009 10:24:45 AM, error: Service Control Manager [7034] - The TVersityMediaServer service terminated unexpectedly. It has done this 1 time(s).

==== End Of File ===========================

Blade81
2009-10-09, 16:26
Well congrats, it appears your system is all clean. Are you still noticing any problems? If not, it's time to secure your system to prevent against further intrusions.


THESE STEPS ARE VERY IMPORTANT

Let's reset system restore
Reset and Re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs changing those files. This is the only way to clean these files: You will lose all previous restore points, which are likely to be infected. Please note you need Administrator Access to clean the restore points.

1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.
NOTE: only do this ONCE, NOT on a regular basis.



Now let's uninstall ComboFix:

Click START then RUN
Now copy-paste Combofix /u in the run box and click OK.



Please download OTC (http://oldtimer.geekstogo.com/OTC.exe) and save it to desktop.

Double-click OTC.exe.
Click the CleanUp! button.
Select Yes when the
Begin cleanup Process?
prompt appears.
If you are prompted to Reboot during the cleanup, select Yes.
The tool will delete itself once it finishes; if not, delete it yourself.


Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.



UPDATING WINDOWS AND INTERNET EXPLORER

IMPORTANT: You need to update Windows and Internet Explorer to protect your computer from the malware that is around on the Internet. Please go to the Windows Update site (http://windowsupdate.microsoft.com/) to get the critical updates.

If you are running Microsoft Office, or any portion thereof, go to Microsoft's Office Update site and make sure you have at least all the critical updates installed (free): Microsoft Office Update.


Make your Internet Explorer more secure

This can be done by following these simple instructions:
From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.
Change the Download signed ActiveX controls to Prompt
Change the Download unsigned ActiveX controls to Disable
Change the Initialize and script ActiveX controls not marked as safe to Disable
Change the Installation of desktop items to Prompt
Change the Launching programs and files in an IFRAME to Prompt
Change the Navigate sub-frames across different domains to Prompt
When all these settings have been made, click on the OK button.
If it prompts you as to whether or not you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.



The following are recommended third party programs that are designed to keep your computer clean. A link as well as a brief description is included with each item.

hosts file:
Every version of Windows has a hosts file as part of it. In a very basic sense, it is used to locate webpages. We can customize a hosts file so that it blocks certain webpages. However, it can slow down certain computers. This is why using a hosts file is optional!!
Download it here (http://www.mvps.org/winhelp2002/hosts.htm). Make sure you read the instructions on how to install the hosts file. There is a good tutorial here (http://www.bleepingcomputer.com/forums/tutorial51.html).
If you decide to download the hosts file, the slowdown problems can usually be avoided by following these steps:
Click the start button (at the lower left hand corner of your screen).
Click Run.
In the dialog box, type services.msc and hit Enter, then locate DNS Client.
Highlight it, then double-click it.
On the dropdown box, change the setting from Automatic to Manual.
Click OK.
Get Anti Virus Software and keep it updated - Most AVs will update automatically, but if not, I would recommend making updating the AV the first job every time the PC is connected to the internet. An AV that is using defs that are seven days old is not going to be much protection. If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out. Good free antivirus programs are:
Antivir (http://free-av.com/en/download/1/download_avira_antivir_personal__free_antivirus.html)
Avast! (http://www.avast.com/eng/download-avast-home.html)
Good commercial ones are from:
Kaspersky (http://www.kaspersky.com/homeuser) and
ESET (http://www.eset.com/products/index.php)
Use a Firewall - I cannot stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. Simply using a Firewall in its default configuration can lower your risk greatly. For more info, check this (http://www.bleepingcomputer.com/forums/tutorial60.html) webpage out.
If you don't have a 3rd party firewall or a router behind NAT then I recommend getting one. I recommend either Online Armor Free (http://www.tallemu.com/free-firewall-protection-software.html) or Comodo Firewall Pro (http://www.personalfirewall.comodo.com/download_firewall.html#fw3.0) (If you choose Comodo: Uncheck during installation Install Comodo HopSurf.., Make Comodo my default search provider and Make Comodo Search my homepage and install firewall ONLY!). Both providers have support forums that help with configuration related questions.



Just a final reminder for you. I am trying to stress these two points.
UPDATE UPDATE UPDATE!!! Make sure you do this about every 1-2 weeks.
Make sure all of your security programs are up to date.
Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest available security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.



Once again, please post and tell me how things are going with your system... problems etc.

Have a great day,
Blade :cool:

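A way to check afterwards that those six Internet-zone changes actually stuck, added here as an example (not part of the thread or of any tool mentioned in it): a Python script that audits a `reg export` of the Internet zone key against the settings listed above. It assumes IE's documented registry value names and action codes for those settings (1001, 1004, 1201, 1607, 1800, 1804; 0 = Enable, 1 = Prompt, 3 = Disable), and the embedded .reg text is a constructed sample, not from this machine.

```python
r"""Audit an exported Internet Explorer 'Internet' zone (zone 3) against the
six hardening settings in the post above. Export it on the XP box with
    reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" zone3.reg
(reg.exe writes UTF-16; decode the file) and pass the text to report()."""
import re

# IE per-zone action values: 0 = Enable, 1 = Prompt, 3 = Disable.
ENABLE, PROMPT, DISABLE = 0, 1, 3
ACTION_NAMES = {ENABLE: "Enable", PROMPT: "Prompt", DISABLE: "Disable"}
STRICTNESS = {ENABLE: 0, PROMPT: 1, DISABLE: 2}  # higher is stricter

# The settings the post asks for, keyed by IE's documented registry value
# names under ...\Internet Settings\Zones\3 (assumed here, not from the post).
RECOMMENDED = {
    "1001": ("Download signed ActiveX controls", PROMPT),
    "1004": ("Download unsigned ActiveX controls", DISABLE),
    "1201": ("Initialize and script ActiveX controls not marked as safe", DISABLE),
    "1800": ("Installation of desktop items", PROMPT),
    "1804": ("Launching programs and files in an IFRAME", PROMPT),
    "1607": ("Navigate sub-frames across different domains", PROMPT),
}

_DWORD_LINE = re.compile(r'^"(?P<name>[^"]+)"=dword:(?P<hex>[0-9a-fA-F]{8})$')


def parse_reg_export(text):
    """Return {value_name: int} for the DWORD values in a one-key .reg export."""
    values = {}
    for line in text.splitlines():
        m = _DWORD_LINE.match(line.strip())
        if m:
            values[m.group("name")] = int(m.group("hex"), 16)
    return values


def audit_zone(values):
    """Return (name, description, current, wanted) for each setting missing or
    weaker than asked. Missing is reported as None: IE then falls back to the
    zone template, so it cannot be assumed hardened. Stricter than asked passes."""
    findings = []
    for name, (desc, wanted) in RECOMMENDED.items():
        current = values.get(name)
        if current is None or STRICTNESS.get(current, -1) < STRICTNESS[wanted]:
            findings.append((name, desc, current, wanted))
    return findings


def report(text):
    """Human-readable finding lines for an export's text; empty means compliant."""
    lines = []
    for name, desc, current, wanted in audit_zone(parse_reg_export(text)):
        cur = "not set" if current is None else ACTION_NAMES.get(current, str(current))
        lines.append(f"{name} {desc}: is {cur}, should be {ACTION_NAMES[wanted]}")
    return lines


# Constructed sample export (not from the thread): 1004 and 1804 still
# Enable, 1800 absent, 1607 at Disable (stricter than asked), rest as asked.
SAMPLE_EXPORT = """Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\3]
"1001"=dword:00000001
"1004"=dword:00000000
"1201"=dword:00000003
"1804"=dword:00000000
"1607"=dword:00000003
"""

if __name__ == "__main__":
    print("\n".join(report(SAMPLE_EXPORT)) or "Internet zone matches the recommended settings.")
```

Only the six values the post names are checked; everything else in the export is parsed and ignored.
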
Blade81
2009-10-17, 15:13
Since this issue appears to be resolved ... this Topic has been closed. Glad I could help. :)

Note: If it has been four days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than four days since your last response and you need the thread re-opened, please send me or MOD a private message (pm). A valid, working link to the closed topic is required.