Thanks for the response and help; here are my ComboFix and HijackThis (HJT) logs.
ComboFix 10-03-08.01 - Burnie Withins 03/08/2010 21:09:03.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1278.925 [GMT -5:00]
Running from: c:\documents and settings\Burnie Withins\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *On-access scanning enabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\docume~1\BURNIE~1\LOCALS~1\Temp\tmp1.tmp
c:\documents and settings\All Users\Application Data\_VOIDkrl32mainweq.dll
c:\documents and settings\All Users\Application Data\_VOIDmainqt.dll
c:\documents and settings\Burnie Withins\Application Data\inst.exe
c:\documents and settings\Burnie Withins\Local Settings\Application Data\av.exe
c:\documents and settings\Burnie Withins\Local Settings\Temporary Internet Files\2MAYk30Jy.jpg
c:\documents and settings\Burnie Withins\Local Settings\Temporary Internet Files\8J5M1.jpg
c:\documents and settings\Burnie Withins\Local Settings\Temporary Internet Files\AxXNm7jJ.jpg
c:\documents and settings\Burnie Withins\Local Settings\Temporary Internet Files\j5pXA6yb.jpg
c:\documents and settings\Burnie Withins\rundll32 .exe
c:\documents and settings\Burnie Withins\rundll32.exe
C:\LOG1.tmp
c:\program files\Adobe\140078.old
c:\program files\Adobe\179937.old
c:\program files\Adobe\181046.old
c:\program files\Adobe\59895734.old
c:\program files\Adobe\acrotray .exe
c:\program files\Internet Explorer\js.mui
c:\program files\Internet Explorer\wmpscfgs .exe
c:\program files\Internet Explorer\wmpscfgs.exe
c:\windows\system32\_VOIDmeofxjwlms.dll
c:\windows\system32\_VOIDpyyyhlyrqj.dll
c:\windows\system32\_VOIDqhhjgkvymp.dat
c:\windows\system32\_VOIDqmnmpkkisk.dll
c:\windows\system32\6to4v32.dll
c:\windows\system32\app_dll.dll
c:\windows\system32\ati2mdxx .exe
c:\windows\system32\certstore.dat
c:\windows\system32\ctfmon .exe
c:\windows\system32\hesahubu.exe
c:\windows\system32\ketafopo.dll
c:\windows\system32\nc3k1x.dll
c:\windows\system32\rundll32 .exe
c:\windows\system32\seagate.sys
c:\windows\system32\sshnas21.dll
c:\windows\system32\twain_32.dll
c:\windows\system32\zoluvuwo.dll
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Service__VOIDd.sys
-------\Legacy__VOIDd.sys
-------\Service__VOIDuiqoufjpyf
-------\Legacy__VOIDuiqoufjpyf
-------\Legacy_6TO4
-------\Legacy_SEAGATE
-------\Service_6to4
-------\Service_seagate
((((((((((((((((((((((((( Files Created from 2010-02-09 to 2010-03-09 )))))))))))))))))))))))))))))))
.
2010-03-05 21:36 . 2004-08-04 12:00 41600 -c--a-w- c:\windows\system32\dllcache\weitekp9.dll
2010-03-05 21:36 . 2004-08-04 12:00 31232 -c--a-w- c:\windows\system32\dllcache\weitekp9.sys
2010-03-05 21:36 . 2004-08-04 12:00 48256 -c--a-w- c:\windows\system32\dllcache\w32.dll
2010-03-05 21:34 . 2001-08-18 03:36 38912 -c--a-w- c:\windows\system32\dllcache\EXCH_ntfsdrv.dll
2010-03-05 21:33 . 2004-08-04 12:00 8704 -c--a-w- c:\windows\system32\dllcache\fxsperf.dll
2010-03-05 21:32 . 2003-03-24 21:52 16384 -c--a-w- c:\windows\system32\dllcache\tcptsat.dll
2010-03-05 21:30 . 2004-08-04 12:00 16384 -c--a-w- c:\windows\system32\dllcache\isignup.exe
2010-03-05 21:29 . 2004-08-04 12:00 32768 -c--a-w- c:\windows\system32\dllcache\icwdl.dll
2010-03-05 21:29 . 2004-08-04 12:00 86016 -c--a-w- c:\windows\system32\dllcache\icwconn2.exe
2010-03-05 21:29 . 2004-08-04 12:00 214528 -c--a-w- c:\windows\system32\dllcache\icwconn1.exe
2010-03-05 21:29 . 2004-08-04 12:00 20480 -c--a-w- c:\windows\system32\dllcache\inetwiz.exe
2010-03-05 21:17 . 2004-08-04 12:00 97792 -c--a-w- c:\windows\system32\dllcache\chtmbx.dll
2010-03-05 21:17 . 2004-08-04 12:00 56320 -c--a-w- c:\windows\system32\dllcache\chtskdic.dll
2010-03-05 21:17 . 2004-08-04 12:00 480256 -c--a-w- c:\windows\system32\dllcache\cintsetp.exe
2010-03-05 21:17 . 2004-08-04 12:00 455168 -c--a-w- c:\windows\system32\dllcache\tintsetp.exe
2010-03-05 21:17 . 2004-08-04 12:00 44032 -c--a-w- c:\windows\system32\dllcache\tintlphr.exe
2010-03-05 21:17 . 2004-08-04 12:00 198656 -c--a-w- c:\windows\system32\dllcache\cintime.dll
2010-03-05 21:17 . 2004-08-04 12:00 173568 -c--a-w- c:\windows\system32\dllcache\chtskf.dll
2010-03-05 21:17 . 2004-08-04 12:00 10240 -c--a-w- c:\windows\system32\dllcache\tmigrate.dll
2010-03-05 21:17 . 2004-08-04 12:00 59392 -c--a-w- c:\windows\system32\dllcache\imscinst.exe
2010-03-05 21:17 . 2004-08-04 12:00 70144 -c--a-w- c:\windows\system32\dllcache\pintlphr.exe
2010-03-05 21:17 . 2004-08-04 12:00 67584 -c--a-w- c:\windows\system32\dllcache\pmigrate.dll
2010-03-05 21:16 . 2004-08-04 12:00 10096640 -c--a-w- c:\windows\system32\dllcache\hwxcht.dll
2010-03-05 21:16 . 2004-08-04 12:00 24661 -c--a-w- c:\windows\system32\dllcache\spxcoins.dll
2010-03-05 21:16 . 2004-08-04 12:00 24661 ----a-w- c:\windows\system32\spxcoins.dll
2010-03-05 21:16 . 2004-08-04 12:00 13312 -c--a-w- c:\windows\system32\dllcache\irclass.dll
2010-03-05 21:16 . 2004-08-04 12:00 13312 ----a-w- c:\windows\system32\irclass.dll
2010-03-05 20:53 . 2010-03-05 20:53 -------- d-----w- c:\program files\ERUNT
2010-03-01 22:05 . 2010-03-01 22:05 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE
2010-03-01 22:03 . 2010-03-01 22:03 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2010-03-01 03:04 . 2010-03-01 03:04 -------- d-----w- c:\documents and settings\Burnie Withins\Application Data\Malwarebytes
2010-03-01 03:03 . 2010-03-01 03:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-03-01 03:03 . 2010-03-01 03:06 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-01 01:54 . 2010-03-01 01:54 -------- d-----w- c:\program files\Trend Micro
2010-03-01 00:01 . 2010-03-01 00:01 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2010-03-01 00:01 . 2010-03-01 00:01 8192 ----a-w- c:\windows\system32\drivers\tpjzjso.sys
2010-03-01 00:01 . 2010-03-01 00:01 -------- d-----w- c:\windows\_VOIDuiqoufjpyf
2010-02-20 19:11 . 2010-02-20 19:11 -------- d-----w- c:\documents and settings\All Users\Application Data\AIM
2010-02-20 19:11 . 2010-02-20 19:11 -------- d-----w- c:\program files\AIM
2010-02-20 19:11 . 2010-02-20 19:11 -------- d-----w- c:\program files\Common Files\Software Update Utility
2010-02-20 06:55 . 2010-02-20 07:02 -------- d-----w- c:\documents and settings\Burnie Withins\Application Data\Singlesnet
2010-02-20 06:55 . 2010-02-20 06:55 -------- d-----w- c:\documents and settings\Burnie Withins\Local Settings\Application Data\Singlesnet.com
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-09 02:18 . 2010-03-09 02:18 55808 ----a-w- c:\documents and settings\Burnie Withins\rundll32.exe
2010-03-08 02:18 . 2008-04-18 01:21 99408 ----a-w- c:\documents and settings\Burnie Withins\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-03-05 21:44 . 2005-08-23 23:26 55808 ----a-w- c:\windows\system32\ati2mdxx.exe
2010-03-05 21:29 . 2008-04-09 00:16 22720 ----a-w- c:\windows\system32\emptyregdb.dat
2010-03-01 04:20 . 2006-02-17 00:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-03-01 04:19 . 2009-09-17 15:55 -------- d-----w- c:\program files\Yahoo!
2010-03-01 04:16 . 2008-10-21 21:11 -------- d-----w- c:\program files\uTorrent
2010-03-01 00:02 . 2008-05-02 13:26 -------- d-----w- c:\documents and settings\Burnie Withins\Application Data\AdobeUM
2010-02-28 23:59 . 2010-02-28 23:59 55808 ----a-w- c:\windows\system32\OLDE.tmp
2010-02-27 15:17 . 2008-04-18 00:16 -------- d-----w- c:\program files\CCleaner
2010-02-24 14:16 . 2009-11-05 05:44 181632 ----a-w- c:\windows\system32\MpSigStub.exe
2010-02-20 19:10 . 2010-02-20 19:10 -------- d-----w- c:\documents and settings\All Users\Application Data\AOL Downloads
2010-02-10 07:05 . 2008-04-13 13:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-01-22 21:08 . 2009-02-14 21:23 -------- d-----w- c:\program files\Microsoft Silverlight
1601-01-01 00:03 . 1601-01-01 00:03 47104 --sha-w- c:\windows\system32\dehaziku.dll
1601-01-01 00:03 . 1601-01-01 00:03 95232 --sha-w- c:\windows\system32\dimadadu.dll
1601-01-01 00:00 . 1601-01-01 00:00 65024 --sha-w- c:\windows\system32\fabeduyu.dll
1601-01-01 00:03 . 1601-01-01 00:03 42496 --sha-w- c:\windows\system32\hevesopa.exe
1601-01-01 00:03 . 1601-01-01 00:03 95232 --sha-w- c:\windows\system32\muyapojo.dll
1601-01-01 00:03 . 1601-01-01 00:03 40960 --sha-w- c:\windows\system32\pinabapu.dll
1601-01-01 00:03 . 1601-01-01 00:03 47104 --sha-w- c:\windows\system32\rurisugo.dll
1601-01-01 00:03 . 1601-01-01 00:03 40960 --sha-w- c:\windows\system32\yabopifo.dll
.
c:\program files\ATI Technologies\ATI Control Panel\atiptaxx .exe
c:\program files\Hewlett-Packard\HP Quick Launch Buttons\qlbctrl .exe
c:\program files\HPQ\HP Wireless Assistant\hp wireless assistant .exe
c:\program files\Synaptics\SynTP\syntpenh .exe
c:\windows\ime\IMJP8_1\imjpmig .exe
c:\windows\ime\IMKR6_1\imekrmig .exe
c:\windows\system32\IME\PINTLGNT\imscinst .exe
c:\windows\system32\IME\TINTLGNT\tintsetp .exe
------- Sigcheck -------
[-] 2004-08-04 12:00 . FDA33EAC263D97CC9BC0815A3A93796D . 95360 . . [------] . . c:\windows\system32\drivers\atapi.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5e8be0dd-c278-4b36-91b7-1ff46ac3d755}]
1601-01-01 00:00 65024 --sha-w- c:\windows\system32\fabeduyu.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2010-03-09 55808]
"QlbCtrl.exe"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2010-03-09 55808]
"hpWirelessAssistant"="c:\program files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2010-03-09 55808]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-31 761946]
"Adobe_Reader"="c:\program files\internet explorer\wmpscfgs.exe" [2010-03-09 55808]
"zawezamovu"="zoluvuwo.dll" [N/A]
c:\documents and settings\Burnie Withins\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe_Reader]
2010-03-09 02:18 55808 ----a-w- c:\program files\Internet Explorer\wmpscfgs.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim]
2009-10-05 19:10 3634024 ----a-w- c:\program files\AIM\aim.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
c:\program files\AIM6\aim6.exe [N/A]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CamserviceDeluxe2]
2007-08-10 18:38 81920 ----a-w- c:\program files\Hercules\Deluxe Optical Glass\CamService.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2008-10-25 16:44 31072 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H2O]
2005-10-23 04:00 385024 ----a-w- c:\program files\Syncrosoft\POS\H2O\cledx.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Messenger (Yahoo!)]
c:\program files\Yahoo!\Messenger\YahooMessenger.exe [N/A]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSSE]
c:\program files\Microsoft Security Essentials\msseces.exe [N/A]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Singlesnet]
c:\program files\Singlesnet\Singlesnet\Singlesnet.exe [N/A]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"zawezamovu"=Rundll32.exe "zoluvuwo.dll",s
"Adobe_Reader"=c:\program files\internet explorer\wmpscfgs.exe
"PHIME2002ASync"=c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
"PHIME2002A"=c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
"MSPY2002"=c:\windows\system32\IME\PINTLGNT\ImScInst.exe /SYNC
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
"IMEKRMIG6.1"=c:\windows\ime\imkr6_1\IMEKRMIG.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Hercules\\Deluxe Optical Glass\\Station2.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\WINDOWS\\system32\\spoolsv.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3306:TCP"= 3306:TCP:MySQL Server
R0 tpjzjso;tpjzjso;c:\windows\system32\drivers\tpjzjso.sys [2/28/2010 7:01 PM 8192]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [5/14/2009 5:43 PM 24652]
R3 CLEDX;Team H2O CLEDX service;c:\windows\system32\drivers\cledx.sys [7/15/2009 6:07 PM 33792]
R3 HSFHWATI;HSFHWATI;c:\windows\system32\drivers\HSFHWATI.sys [4/8/2008 7:36 PM 200192]
S3 camfilt2;camfilt2;c:\windows\system32\drivers\camfilt2.sys [5/19/2009 8:59 PM 94720]
S4 PHPGeekUtil;PHPGeekUtil;"c:\apache\APACHE.EXE" --ntservice --> c:\apache\APACHE.EXE [?]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder
2010-03-09 c:\windows\Tasks\At1.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-09 02:18]
2010-03-09 c:\windows\Tasks\At10.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-09 02:18]
2010-03-09 c:\windows\Tasks\At11.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-09 02:18]
2010-03-09 c:\windows\Tasks\At12.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-09 02:18]
2010-03-09 c:\windows\Tasks\At13.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-09 02:18]
2010-03-09 c:\windows\Tasks\At14.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-09 02:18]
2010-03-09 c:\windows\Tasks\At15.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-09 02:18]
2010-03-09 c:\windows\Tasks\At16.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-09 02:18]
2010-03-09 c:\windows\Tasks\At17.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-09 02:18]
2010-03-09 c:\windows\Tasks\At18.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-09 02:18]
2010-03-09 c:\windows\Tasks\At19.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-09 02:18]
2010-03-09 c:\windows\Tasks\At2.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-09 02:18]
2010-03-09 c:\windows\Tasks\At20.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-09 02:18]
2010-03-09 c:\windows\Tasks\At21.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-09 02:18]
2010-03-09 c:\windows\Tasks\At22.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-09 02:18]
2010-03-09 c:\windows\Tasks\At23.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-09 02:18]
2010-03-09 c:\windows\Tasks\At24.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-09 02:18]
2010-03-09 c:\windows\Tasks\At3.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-09 02:18]
2010-03-09 c:\windows\Tasks\At4.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-09 02:18]
2010-03-09 c:\windows\Tasks\At5.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-09 02:18]
2010-03-09 c:\windows\Tasks\At6.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-09 02:18]
2010-03-09 c:\windows\Tasks\At7.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-09 02:18]
2010-03-09 c:\windows\Tasks\At8.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-09 02:18]
2010-03-09 c:\windows\Tasks\At9.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-09 02:18]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: {4098AE48-3F18-4678-B8BD-77D31E5F01CB} = 217.23.14.75,4.2.2.1,167.206.251.129 167.206.251.130
TCP: {644E93E5-D156-4FB8-B7A2-1BCB93FD0F6D} = 217.23.14.75,4.2.2.1
DPF: {9C23D886-43CB-43DE-B2DB-112A68D7E10A} - hxxp://lads.myspace.com/upload/MySpaceUploader2.cab
.
- - - - ORPHANS REMOVED - - - -
SharedTaskScheduler-{d07201db-c091-45c8-b06f-bd9a33986bf6} - c:\windows\system32\vadawife.dll
SSODL-vuyuwesur-{d07201db-c091-45c8-b06f-bd9a33986bf6} - c:\windows\system32\vadawife.dll
AddRemove-AntiVirus Plus - c:\documents and settings\Burnie Withins\Application Data\AntiVirus Plus\AntiVirus Plus.55530.dll
AddRemove-uTorrent - c:\program files\uTorrent\uTorrent.exe
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-08 21:17
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
c:\windows\system32\wuapi.dll.wusetup.152765.bak 430592 bytes executable
c:\windows\system32\wuauclt.exe.wusetup.157859.bak 111104 bytes executable
c:\windows\system32\wuaucpl.cpl.wusetup.159234.bak 162304 bytes executable
c:\windows\system32\wuaueng.dll.wusetup.160984.bak 1134592 bytes executable
scan completed successfully
hidden files: 4
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(664)
c:\windows\system32\Ati2evxx.dll
- - - - - - - > 'explorer.exe'(3788)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\hnetcfg.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe
c:\program files\ati technologies\ati control panel\atiptaxx .exe
c:\program files\hewlett-packard\hp quick launch buttons\qlbctrl .exe
c:\program files\hpq\hp wireless assistant\hp wireless assistant .exe
c:\progra~1\hpq\Shared\HPQTOA~1.EXE
.
**************************************************************************
.
Completion time: 2010-03-08 21:22:13 - machine was rebooted
ComboFix-quarantined-files.txt 2010-03-09 02:22
Pre-Run: 13,442,949,120 bytes free
Post-Run: 13,338,046,464 bytes free
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect /usepmtimer
Current=3 Default=3 Failed=0 LastKnownGood=4 Sets=1,2,3,4
- - End Of File - - 4292C094A602E9615C8F7FB7B0D5F8CE
*****
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:28:28 PM, on 3/8/2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\System32\svchost.exe
c:\program files\ati technologies\ati control panel\atiptaxx .exe
c:\program files\hewlett-packard\hp quick launch buttons\qlbctrl .exe
c:\program files\hpq\hp wireless assistant\hp wireless assistant .exe
C:\PROGRA~1\hpq\Shared\HPQTOA~1.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {5e8be0dd-c278-4b36-91b7-1ff46ac3d755} - fabeduyu.dll (file missing)
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [QlbCtrl.exe] C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Adobe_Reader] c:\program files\internet explorer\wmpscfgs.exe
O4 - HKLM\..\Run: [zawezamovu] Rundll32.exe "zoluvuwo.dll",s
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/...Uploader55.cab
O16 - DPF: {9C23D886-43CB-43DE-B2DB-112A68D7E10A} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader2.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{4098AE48-3F18-4678-B8BD-77D31E5F01CB}: NameServer = 217.23.14.75,4.2.2.1,167.206.251.129 167.206.251.130
O17 - HKLM\System\CCS\Services\Tcpip\..\{644E93E5-D156-4FB8-B7A2-1BCB93FD0F6D}: NameServer = 217.23.14.75,4.2.2.1
O17 - HKLM\System\CS3\Services\Tcpip\..\{4098AE48-3F18-4678-B8BD-77D31E5F01CB}: NameServer = 217.23.14.75,4.2.2.1,167.206.251.129 167.206.251.130
O17 - HKLM\System\CS4\Services\Tcpip\..\{4098AE48-3F18-4678-B8BD-77D31E5F01CB}: NameServer = 217.23.14.75,4.2.2.1,167.206.251.129 167.206.251.130
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
--
End of file - 5861 bytes