arrrggghhh MALWARE DEFENSE trouble...plz help

[beautygirlhaley]

Ok someone (my kids) downloaded this horrid program (malware defense) to my computer today and it is kicking my butt. As of now, some of the most annoying components are gone (the constant popups are no longer happening) but there are still strange things happening (ie opens randomly to a website, i hear commercials occaisionally but nothing shows visually) and my antivirus has been completely disabled (it is gone!) and I have attempted to dl malwarebytes, but I cannot get it to run (and it won't uninstall at this point either) So. Please help me get rid of this awful, awful program. Below is the HJT log.

MANY thanks in advance,
Haley





Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:14:11 PM, on 1/16/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16945)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\LSI SoftModem\agrsmsvc.exe
C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe
C:\WINDOWS\system32\CSHelper.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Common Files\AOL\1259463101\ee\AOLSoftware.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
C:\Program Files\AOL 9.5\waol.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\AOL 9.5\shellmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Browser Defender BHO - {2A0F3D1B-0909-4FF4-B272-609CCE6054E7} - C:\Program Files\Spyware Doctor\BDT\PCTBrowserDefender.dll
O2 - BHO: RoboForm - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O3 - Toolbar: PC Tools Browser Guard - {472734EA-242A-422B-ADF8-83D1E48CC825} - C:\Program Files\Spyware Doctor\BDT\PCTBrowserDefender.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [MSSE] "c:\Program Files\Microsoft Security Essentials\msseces.exe" -hide
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1259463101\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\AOL 9.5\AOL.EXE" -b
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1259357999593
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - LSI Corporation - C:\Program Files\LSI SoftModem\agrsmsvc.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Browser Defender Update Service - Threat Expert Ltd. - C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe
O23 - Service: CopySafe Helper Service (CSHelper) - Unknown owner - C:\WINDOWS\system32\CSHelper.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe

--
End of file - 7724 bytes

 

[Blade81]

Hello Haley,

Download DDS and save it to your desktop from here or here or here.
Disable any script blocker, and then double click dds.scr to run the tool.

• When done, DDS will open two (2) logs:
  1. DDS.txt
  2. Attach.txt
• Save both reports to your desktop. Post them back to your topic.

 

[beautygirlhaley]

thank you thank you

:thanks:OK I hope that I did this correctly. Things are getting worse here. There is now another program called antivirus plus that is plaguing my computer. Thank you so much for your help!

 

[beautygirlhaley]

sorry was unclear if I was supposed to post the dds or attach it...

Here is the dds posted if that was what I needed to do. I did not know how to zip up the attach file, so I hope it was ok as is....

DDS (Ver_09-12-01.01) - NTFSx86
Run by Administrator at 18:43:31.46 on Thu 01/21/2010
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.958.463 [GMT -6:00]

AV: Malware Defense *On-access scanning enabled* (Outdated) {28e00e3b-806e-4533-925c-f4c3d79514b9}
AV: Microsoft Security Essentials *On-access scanning disabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Program Files\LSI SoftModem\agrsmsvc.exe
C:\WINDOWS\system32\CSHelper.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\TEMP\user.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Microsoft Security Essentials\msseces.exe
C:\Program Files\Common Files\AOL\1259463101\ee\AOLSoftware.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\Program Files\AWS\WeatherBug\Weather.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\spoolsv.exe
C:\Program Files\Java\jre6\bin\jucheck.exe
C:\Program Files\Internet Explorer\iexplore.exe
svchost.exe -m
C:\Documents and Settings\Administrator\Desktop\dds.pif
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.aol.com
mWinlogon: Taskman=c:\recycler\s-1-5-21-2053266069-2094511536-193606254-1053\vesita.exe
BHO: c:\windows\system32\zmjderb.dll: {c4bf49a2-94f1-42bd-f034-3604811c807d} - c:\windows\system32\zmjderb.dll
TB: &RoboForm: {724d43a0-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll
TB: PC Tools Browser Guard: {472734ea-242a-422b-adf8-83d1e48cc825} - c:\program files\spyware doctor\bdt\PCTBrowserDefender.dll
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [RoboForm] "c:\program files\siber systems\ai roboform\RoboTaskBarIcon.exe"
uRun: [Weather] c:\program files\aws\weatherbug\Weather.exe 1
uRun: [AntiVirus Plus] "c:\windows\system32\rundll32.exe" "c:\documents and settings\administrator\application data\antivirus plus\AntiVirus Plus.70700.dll", start 70700
uRun: [asg984jgkfmgasi8ug98jgkfgfb] c:\docume~1\admini~1\locals~1\temp\cmd.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [AlcxMonitor] ALCXMNTR.EXE
mRun: [ATICCC] "c:\program files\ati technologies\ati.ace\cli.exe" runtime
mRun: [MSSE] "c:\program files\microsoft security essentials\msseces.exe" -hide
mRun: [HostManager] c:\program files\common files\aol\1259463101\ee\AOLSoftware.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [net] "c:\windows\system32\net.net"
mRun: [AntiVirus Plus] "c:\windows\system32\rundll32.exe" "c:\documents and settings\administrator\application data\antivirus plus\AntiVirus Plus.70700.dll", start 70700
mRun: [nisapuzab] Rundll32.exe "c:\windows\system32\momayabe.dll",a
dRun: [asg984jgkfmgasi8ug98jgkfgfb] c:\windows\temp\user.exe
mExplorerRun: [RTHDBPL] c:\documents and settings\administrator\application data\systemproc\lsass.exe
StartupFolder: c:\docume~1\admini~1\startm~1\programs\startup\antivi~1.lnk - c:\windows\system32\rundll32.exe
StartupFolder: c:\docume~1\admini~1\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\antivi~1.lnk - c:\windows\system32\rundll32.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\aticat~1.lnk - c:\program files\ati technologies\ati.ace\CLI.exe
uPolicies-explorer: DisallowRun = 0 (0x0)
uPolicies-explorer: NoFolderOptions = 1 (0x1)
uPolicies-system: DisableRegistryTools = 1 (0x1)
dPolicies-explorer: NoFolderOptions = 1 (0x1)
dPolicies-system: DisableRegistryTools = 1 (0x1)
IE: Customize Menu - file://c:\program files\siber systems\ai roboform\RoboFormComCustomizeIEMenu.html
IE: Fill Forms - file://c:\program files\siber systems\ai roboform\RoboFormComFillForms.html
IE: RoboForm Toolbar - file://c:\program files\siber systems\ai roboform\RoboFormComShowToolbar.html
IE: Save Forms - file://c:\program files\siber systems\ai roboform\RoboFormComSavePass.html
IE: {320AF880-6646-11D3-ABEE-C5DBF3571F46} - c:\program files\siber systems\ai roboform\RoboFormComFillForms.html
IE: {320AF880-6646-11D3-ABEE-C5DBF3571F49} - c:\program files\siber systems\ai roboform\RoboFormComSavePass.html
IE: {724d43aa-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\RoboFormComShowToolbar.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1259357999593
DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} - hxxps://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: {53962657-1D15-47DF-B1E4-CAD213D839F0} = 193.104.110.38,4.2.2.1,68.87.68.166 68.87.74.166
Notify: AtiExtEvent - Ati2evxx.dll
AppInit_DLLs: bemadoko.dll c:\windows\system32\momayabe.dll
SSODL: jehomonop - {675ae8f8-d20c-42ac-97ea-a6c93bc00d35} - c:\windows\system32\momayabe.dll
STS: c:\windows\system32\zmjderb.dll: {c4bf49a2-94f1-42bd-f034-3604811c807d} - c:\windows\system32\zmjderb.dll
STS: mujuzedij: {675ae8f8-d20c-42ac-97ea-a6c93bc00d35} - c:\windows\system32\momayabe.dll
LSA: Notification Packages = scecli jotogeni.dll

============= SERVICES / DRIVERS ===============

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2010-1-16 207792]
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2009-6-18 142832]
R2 CSHelper;CopySafe Helper Service;c:\windows\system32\CSHelper.exe [2010-1-15 266240]
S2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\spyware doctor\bdt\BDTUpdateService.exe [2010-1-16 112592]
S3 diskmgr;diskmgr;c:\windows\system32\diskmgr.sys [2004-8-10 2304]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2010-1-16 359624]
S3 sdCoreService;PC Tools Security Service;c:\program files\spyware doctor\pctsSvc.exe [2010-1-16 1141712]

=============== Created Last 30 ================

2010-01-22 00:34:33 225 ----a-w- c:\windows\system32\uses32.dat
2010-01-22 00:34:33 100 ----a-w- c:\windows\system32\flags.ini
2010-01-21 23:33:19 93184 --sh--w- c:\windows\system32\momayabe.dll
2010-01-21 23:33:19 39424 --sh--w- c:\windows\system32\batimeyu.dll
2010-01-21 23:25:28 16896 ----a-w- C:\duehpow.exe
2010-01-21 23:25:28 15000 ----a-w- c:\windows\system32\zmjderb.dll
2010-01-21 23:25:25 0 d-----w- c:\docume~1\admini~1\applic~1\AntiVirus Plus
2010-01-21 23:25:23 29184 ----a-w- C:\dqccpnq.exe
2010-01-21 23:25:21 52224 ----a-w- C:\ytlmlfc.exe
2010-01-21 23:25:21 143360 ----a-w- C:\ojjw.exe
2010-01-21 23:25:21 0 d-sh--w- c:\docume~1\admini~1\applic~1\SystemProc
2010-01-21 23:25:17 265728 ----a-w- C:\yfoku.exe
2010-01-21 23:25:17 18431 ----a-w- C:\sckw.exe
2010-01-21 23:24:58 57752 ----a-w- c:\windows\system32\net.net
2010-01-17 04:13:49 0 d-----w- c:\program files\Trend Micro
2010-01-17 02:48:49 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-17 02:48:45 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-17 02:48:45 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-17 02:48:45 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-01-17 02:10:37 767952 ----a-w- c:\windows\BDTSupport.dll
2010-01-17 02:10:36 883 ----a-w- c:\windows\RegSDImport.xml
2010-01-17 02:10:36 880 ----a-w- c:\windows\RegISSImport.xml
2010-01-17 02:10:36 165840 ----a-w- c:\windows\PCTBDRes.dll
2010-01-17 02:10:36 1640400 ----a-w- c:\windows\PCTBDCore.dll
2010-01-17 02:10:36 149456 ----a-w- c:\windows\SGDetectionTool.dll
2010-01-17 02:10:36 131 ----a-w- c:\windows\IDB.zip
2010-01-17 02:10:36 1152444 ----a-w- c:\windows\UDB.zip
2010-01-17 02:10:27 0 d-----w- c:\program files\Malware Defense
2010-01-17 02:08:17 7387 ----a-w- c:\windows\system32\drivers\pctgntdi.cat
2010-01-17 02:08:17 233136 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2010-01-17 02:08:11 87784 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2010-01-17 02:08:11 7412 ----a-w- c:\windows\system32\drivers\PCTAppEvent.cat
2010-01-17 02:08:11 7383 ----a-w- c:\windows\system32\drivers\pctcore.cat
2010-01-17 02:08:11 207792 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2010-01-17 02:08:06 7383 ----a-w- c:\windows\system32\drivers\pctplsg.cat
2010-01-17 02:08:06 70408 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2010-01-17 02:08:01 0 d-----w- c:\program files\Spyware Doctor
2010-01-17 02:08:01 0 d-----w- c:\program files\common files\PC Tools
2010-01-17 02:08:01 0 d-----w- c:\docume~1\alluse~1\applic~1\PC Tools
2010-01-17 02:08:01 0 d-----w- c:\docume~1\admini~1\applic~1\PC Tools
2010-01-17 01:27:06 0 d-----w- c:\windows\system32\LogFiles
2010-01-16 01:28:28 266240 ----a-w- c:\windows\system32\CSHelper.exe
2010-01-16 01:28:28 225280 ----a-w- c:\windows\system32\CSInstru.DLL
2010-01-13 05:59:23 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll
2010-01-06 22:02:14 0 d-----w- C:\.jagex_cache_32
2010-01-03 08:23:41 552 ----a-w- c:\windows\system32\d3d8caps.dat
2010-01-03 08:23:17 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-12-29 20:14:04 69 ----a-w- c:\documents and settings\administrator\jagex_runescape_preferences2.dat
2009-12-29 20:13:00 39 ----a-w- c:\documents and settings\administrator\jagex_runescape_preferences.dat
2009-12-29 20:12:49 0 d-----w- c:\windows\.jagex_cache_32
2009-12-24 21:51:27 73728 ----a-w- c:\windows\system32\javacpl.cpl
2009-12-24 21:51:27 411368 ----a-w- c:\windows\system32\deploytk.dll

==================== Find3M ====================

2010-01-21 23:25:55 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2009-11-27 21:10:35 21640 ----a-w- c:\windows\system32\emptyregdb.dat
2009-11-03 02:42:06 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-10-29 07:46:59 832512 ----a-w- c:\windows\system32\wininet.dll
2009-10-29 07:46:52 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-10-29 07:46:50 17408 ----a-w- c:\windows\system32\corpol.dll
2009-10-28 14:38:47 348160 ----a-w- c:\windows\system32\msvcr71.dll
2009-10-28 14:38:46 499712 ----a-w- c:\windows\system32\msvcp71.dll
1601-01-01 00:03:28 27648 --sha-w- c:\windows\system32\bejanapo.dll
1601-01-01 00:03:52 52224 --sha-w- c:\windows\system32\bemadoko.dll
1601-01-01 00:03:52 52224 --sha-w- c:\windows\system32\jotogeni.dll
1601-01-01 00:03:28 45568 --sha-w- c:\windows\system32\wugakuwa.dll
1601-01-01 00:03:52 52224 --sha-w- c:\windows\system32\zogadeli.dll

============= FINISH: 18:44:28.51 ===============

 

[Blade81]

Hi again,

Please visit this webpage for download links, and instructions for running ComboFix tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully first.


Please continue as follows:

1. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix, link
   Remember to re-enable them afterwards.
   
   
2. Click Yes to allow ComboFix to continue scanning for malware.

When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt
New dds log.

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.

 

[beautygirlhaley]

um nothing happens...

OK, I read the guide, printed it out for reference, dl the combofix, disable my firewall, none of my antimalware is working or running as far as I can tell and the Malware Defense has completely deleted my anti virus. So I click on the ComboFix icon on my desk top and the security warning comes up. I click RUN and NOTHING HAPPENS. Its been 10 minutes now and NOTHING. No windows, boxes nothin. HELP!! (I am posting this from a different compter btw).

 

[Blade81]

Hi,

Download Combofix again. You must rename it before saving it (use haley.exe as name). Save it to your desktop.

Link 1
Link 2
Link 3

--------------------------------------------------------------------

Double click on haley.exe & follow the prompts.

• When finished, it will produce a report for you.
• Please post the C:\ComboFix.txt & fresh dds log.

Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall

 

[beautygirlhaley]

combo fix has been run

Ok whew! that took a while! BTW, my computer did need to reboot during the run, i copied down the files that I was instructed to please let me know if you need to know those. Below are the files i was instructed to post. Thanks again for your help!

ComboFix 10-01-21.08 - Administrator 01/22/2010 12:10:38.1.1 - x86
Running from: c:\documents and settings\Administrator\Desktop\haleysfix.exe
AV: Microsoft Security Essentials *On-access scanning disabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\ADMINI~1\LOCALS~1\Temp\services.exe
c:\docume~1\ADMINI~1\LOCALS~1\Temp\svchost.exe
c:\docume~1\ADMINI~1\LOCALS~1\Temp\taskmgr.exe
c:\docume~1\ADMINI~1\LOCALS~1\Temp\winlogon.exe
c:\documents and settings\Administrator\Application Data\AntiVirus Plus
c:\documents and settings\Administrator\Application Data\AntiVirus Plus\AntiVirus Plus.70700.dll
c:\documents and settings\Administrator\Application Data\avp.ico
c:\documents and settings\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\AntiVirus Plus.lnk
c:\documents and settings\Administrator\Application Data\SystemProc
c:\documents and settings\Administrator\Application Data\SystemProc\lsass.exe
c:\documents and settings\Administrator\Cookies\administrator@load.exe
c:\documents and settings\Administrator\Cookies\administrator@loadus.exe
c:\documents and settings\Administrator\Cookies\administrator@my.scr
c:\documents and settings\Administrator\Desktop\AntiVirus Plus.lnk
c:\documents and settings\Administrator\Start Menu\Programs\AntiVirus Plus
c:\documents and settings\Administrator\Start Menu\Programs\AntiVirus Plus\AntiVirus Plus.lnk
c:\documents and settings\Administrator\Start Menu\Programs\AntiVirus Plus\EULA.url
c:\documents and settings\Administrator\Start Menu\Programs\Startup\AntiVirus Plus.lnk
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\documents and settings\All Users\Start Menu\Programs\AntiVirus Plus
c:\documents and settings\All Users\Start Menu\Programs\AntiVirus Plus\AntiVirus Plus.lnk
c:\documents and settings\All Users\Start Menu\Programs\AntiVirus Plus\EULA.url
c:\documents and settings\All Users\Start Menu\Programs\Startup\AntiVirus Plus.lnk
c:\program files\Malware Defense
c:\program files\Malware Defense\help.ico
c:\program files\Malware Defense\md.db
c:\program files\Malware Defense\mdext.dll
c:\program files\Malware Defense\uninstall.exe
c:\program files\Mozilla Firefox\extensions\{8CE11043-9A15-4207-A565-0C94C42D590D}
c:\program files\Mozilla Firefox\extensions\{8CE11043-9A15-4207-A565-0C94C42D590D}\chrome.manifest
c:\program files\Mozilla Firefox\extensions\{8CE11043-9A15-4207-A565-0C94C42D590D}\chrome\content\timer.xul
c:\program files\Mozilla Firefox\extensions\{8CE11043-9A15-4207-A565-0C94C42D590D}\install.rdf
c:\recycler\S-1-5-21-2053266069-2094511536-193606254-1053
c:\windows\system32\6to4v32.dll
c:\windows\system32\bejanapo.dll
c:\windows\system32\certstore.dat
c:\windows\system32\drivers\H8SRThtpayglotm.sys
c:\windows\system32\flags.ini
c:\windows\system32\H8SRTdomlxbxnjy.dll
c:\windows\system32\H8SRTkjskeibudl.dll
c:\windows\system32\h8srtkrl32mainweq.dll
c:\windows\system32\H8SRTlkveyrndep.dll
c:\windows\system32\H8SRTpabutewlot.dll
c:\windows\system32\h8srtshsyst.dll
c:\windows\system32\H8SRTxtlkxjbfhx.dat
c:\windows\system32\Iasv32.dll
c:\windows\system32\kbdsock.dll
c:\windows\system32\mshlps.dll
c:\windows\system32\net.net
c:\windows\system32\pumepegi.dll
c:\windows\system32\siyayobu.dll
c:\windows\system32\uses32.dat
c:\windows\system32\zefozawu.dll
c:\windows\system32\zifehodo.dll
c:\windows\system32\zmjderb.dll
c:\windows\Tasks\xgfxmkpm.job
c:\windows\Temp\lsass.exe
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat . . . . failed to delete
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat . . . . failed to delete

----- BITS: Possible infected sites -----

hxxp://85.12.18.119
Infected copy of c:\windows\system32\logonui.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\logonui.exe

Infected copy of c:\windows\system32\wbem\wmiprvse.exe was found and disinfected
Restored copy from - c:\windows\system32\dllcache\wmiprvse.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_H8SRTd.sys
-------\Legacy_H8SRTd.sys
-------\Legacy_IAS
-------\Service_Ias


((((((((((((((((((((((((( Files Created from 2009-12-22 to 2010-01-22 )))))))))))))))))))))))))))))))
.

2010-01-22 18:22 . 2010-01-22 18:22 -------- d-----w- c:\windows\LastGood
2010-01-22 06:03 . 2010-01-22 06:03 110592 ----a-w- C:\autoexec.exe
2010-01-21 23:33 . 2010-01-21 23:33 93184 --sh--w- c:\windows\system32\momayabe.dll
2010-01-21 23:33 . 2010-01-21 23:33 39424 --sh--w- c:\windows\system32\batimeyu.dll
2010-01-21 23:25 . 2010-01-21 23:25 16896 ----a-w- C:\duehpow.exe
2010-01-21 23:25 . 2010-01-21 23:25 29184 ----a-w- C:\dqccpnq.exe
2010-01-21 23:25 . 2010-01-21 23:25 143360 ----a-w- C:\ojjw.exe
2010-01-21 23:25 . 2010-01-21 23:25 52224 ----a-w- C:\ytlmlfc.exe
2010-01-21 23:25 . 2010-01-21 23:25 265728 ----a-w- C:\yfoku.exe
2010-01-21 23:25 . 2010-01-21 23:25 18431 ----a-w- C:\sckw.exe
2010-01-21 21:29 . 2010-01-21 21:29 749 ----a-w- c:\documents and settings\All Users\Application Data\h8srtkrl32mainweq.dll
2010-01-17 04:13 . 2010-01-17 04:13 -------- d-----w- c:\program files\Trend Micro
2010-01-17 04:10 . 2010-01-17 04:11 -------- d-----w- c:\program files\ERUNT
2010-01-17 02:48 . 2010-01-07 22:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-17 02:48 . 2010-01-21 21:28 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-17 02:48 . 2010-01-17 02:48 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-01-17 02:48 . 2010-01-07 22:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-17 02:08 . 2010-01-17 02:08 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2010-01-17 02:08 . 2010-01-17 02:08 -------- d-----w- c:\documents and settings\Administrator\Application Data\PC Tools
2010-01-17 02:07 . 2010-01-22 18:20 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-01-17 01:27 . 2010-01-17 01:27 -------- d-----w- c:\windows\system32\LogFiles
2010-01-16 01:28 . 2010-01-16 01:28 266240 ----a-w- c:\windows\system32\CSHelper.exe
2010-01-16 01:28 . 2010-01-16 01:28 225280 ----a-w- c:\windows\system32\CSInstru.DLL
2010-01-13 05:59 . 2009-11-21 15:51 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll
2010-01-06 22:02 . 2010-01-06 22:02 -------- d-----w- C:\.jagex_cache_32
2010-01-03 08:23 . 2010-01-03 08:23 552 ----a-w- c:\windows\system32\d3d8caps.dat
2010-01-03 08:23 . 2010-01-17 11:06 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-12-29 20:14 . 2010-01-14 23:07 69 ----a-w- c:\documents and settings\Administrator\jagex_runescape_preferences2.dat
2009-12-29 20:13 . 2010-01-14 23:06 39 ----a-w- c:\documents and settings\Administrator\jagex_runescape_preferences.dat
2009-12-29 20:12 . 2009-12-29 22:03 -------- d-----w- c:\windows\.jagex_cache_32
2009-12-24 21:51 . 2009-12-24 21:51 -------- d-----w- c:\windows\Sun
2009-12-24 21:51 . 2009-12-24 21:51 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-12-24 21:51 . 2009-12-24 21:51 -------- d-----w- c:\program files\Java
2009-12-24 21:50 . 2009-12-24 21:50 152576 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\jre1.6.0_15\lzma.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-22 11:33 . 2010-01-22 11:33 0 ---ha-w- c:\windows\system32\BIT13.tmp
2010-01-21 23:25 . 2004-08-10 12:00 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-01-21 21:28 . 2010-01-17 02:08 -------- d-----w- c:\program files\Spyware Doctor
2010-01-17 02:10 . 2010-01-17 02:08 -------- d-----w- c:\program files\Common Files\PC Tools
2010-01-04 00:12 . 2009-11-28 00:56 17768 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-12-21 16:19 . 2009-12-21 16:02 -------- d-----w- c:\documents and settings\Administrator\Application Data\GetRightToGo
2009-12-21 15:53 . 2009-12-21 15:53 -------- d-----w- c:\program files\MSECache
2009-12-20 22:16 . 2009-12-20 22:16 -------- d-----w- c:\program files\Wisdom-soft ScreenHunter 5 Free
2009-12-09 13:04 . 2009-12-01 00:50 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-12-05 02:43 . 2009-11-29 02:51 -------- d-----w- c:\program files\Common Files\aol
2009-12-03 16:42 . 2009-12-03 16:42 423464 ----a-w- c:\documents and settings\Administrator\Application Data\E-centives\BSTIEPrintCtl1.dll
2009-12-03 16:42 . 2009-12-03 16:42 -------- d-----w- c:\documents and settings\Administrator\Application Data\E-centives
2009-12-02 17:14 . 2009-12-02 17:14 -------- d-----w- c:\documents and settings\Administrator\Application Data\WeatherBug
2009-12-02 17:14 . 2009-12-02 17:14 18944 ----a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{8F931595-5561-4E26-AC78-7E9B1E3E9C98}\IconBB6A16301.exe
2009-12-02 17:14 . 2009-12-02 17:14 11264 ----a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{8F931595-5561-4E26-AC78-7E9B1E3E9C98}\IconBB6A1630.exe
2009-12-02 17:14 . 2009-12-02 17:14 -------- d-----w- c:\program files\AWS
2009-12-02 15:04 . 2009-12-02 14:37 -------- d-----w- c:\documents and settings\Administrator\Application Data\ICAClient
2009-12-02 14:37 . 2009-12-02 14:37 -------- d-----w- c:\program files\Citrix
2009-12-01 00:53 . 2009-12-01 00:52 -------- d-----w- c:\program files\Common Files\Adobe
2009-12-01 00:52 . 2009-12-01 00:52 -------- d-----w- c:\program files\Common Files\Adobe AIR
2009-12-01 00:51 . 2009-12-01 00:51 86016 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe
2009-11-30 15:31 . 2009-11-29 02:51 -------- d-----w- c:\program files\AOL 9.5
2009-11-30 05:03 . 2009-11-29 02:54 -------- d-----w- c:\documents and settings\Administrator\Application Data\AOL
2009-11-29 03:47 . 2009-11-29 03:47 -------- d-----w- c:\documents and settings\All Users\Application Data\RoboForm
2009-11-29 03:46 . 2009-11-29 03:46 -------- d-----w- c:\program files\Siber Systems
2009-11-29 02:54 . 2009-11-29 02:51 -------- d-----w- c:\documents and settings\All Users\Application Data\AOL
2009-11-29 02:53 . 2009-11-29 02:51 -------- d-----w- c:\program files\Common Files\aolshare
2009-11-29 02:53 . 2009-11-29 02:53 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
2009-11-29 02:53 . 2009-11-29 02:53 -------- d-----w- c:\program files\Viewpoint
2009-11-29 02:52 . 2009-11-29 02:52 -------- d-----w- c:\documents and settings\All Users\Application Data\AOL OCP
2009-11-29 02:49 . 2009-11-29 02:47 43732816 ----a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\waol_single\4337.155.1.1\setup.exe
2009-11-29 02:47 . 2009-11-29 02:47 42960 ----a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\waol_single\4337.155.1.1\noneCodesignFilesBundle.exe
2009-11-29 02:47 . 2009-11-29 02:47 335 ----a-w- c:\windows\nsreg.dat
2009-11-29 02:47 . 2009-11-29 02:47 -------- d-----w- c:\documents and settings\All Users\Application Data\AOL Downloads
2009-11-29 02:36 . 2009-11-29 02:36 -------- d-----w- c:\program files\Microsoft Security Essentials
2009-11-28 00:57 . 2009-11-27 23:52 -------- d-----w- c:\documents and settings\All Users\Application Data\DriverScanner
2009-11-28 00:57 . 2009-11-27 23:52 -------- d-----w- c:\documents and settings\Administrator\Application Data\Uniblue
2009-11-28 00:55 . 2009-11-28 00:55 136 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\fusioncache.dat
2009-11-28 00:55 . 2009-11-28 00:55 -------- d-----w- c:\documents and settings\Administrator\Application Data\ATI
2009-11-28 00:51 . 2009-11-28 00:51 -------- d-----w- c:\program files\MSBuild
2009-11-28 00:51 . 2009-11-28 00:51 -------- d-----w- c:\program files\Reference Assemblies
2009-11-28 00:41 . 2009-11-28 00:41 -------- d-----w- c:\program files\CCleaner
2009-11-28 00:36 . 2009-11-28 00:35 -------- d-----w- c:\program files\ATI Technologies
2009-11-28 00:36 . 2009-11-28 00:22 -------- d-----w- c:\program files\Common Files\InstallShield
2009-11-28 00:36 . 2009-11-28 00:23 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-11-28 00:23 . 2009-11-28 00:23 -------- d-----w- c:\program files\Realtek AC97
2009-11-27 23:32 . 2009-11-27 23:32 -------- d-----w- c:\program files\LSI SoftModem
2009-11-27 22:02 . 2009-11-27 21:18 86811 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-11-27 21:19 . 2009-11-27 21:19 -------- d-----w- c:\program files\microsoft frontpage
2009-11-27 21:10 . 2009-11-27 21:10 21640 ----a-w- c:\windows\system32\emptyregdb.dat
2009-11-27 21:09 . 2009-11-27 21:09 -------- d-----w- c:\program files\Windows Plus
2009-11-21 15:51 . 2004-08-10 12:00 471552 ----a-w- c:\windows\AppPatch\aclayers.dll
2009-11-10 16:28 . 2010-01-17 02:10 149456 ----a-w- c:\windows\SGDetectionTool.dll
2009-11-10 16:28 . 2010-01-17 02:10 165840 ----a-w- c:\windows\PCTBDRes.dll
2009-11-10 16:28 . 2010-01-17 02:10 1640400 ----a-w- c:\windows\PCTBDCore.dll
2009-11-10 16:26 . 2010-01-17 02:10 767952 ----a-w- c:\windows\BDTSupport.dll
2009-11-09 17:20 . 2010-01-17 02:08 207792 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2009-11-03 02:42 . 2009-11-29 02:38 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-10-30 17:11 . 2010-01-17 02:08 233136 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2009-10-29 07:46 . 2004-08-10 12:00 832512 ----a-w- c:\windows\system32\wininet.dll
2009-10-29 07:46 . 2004-08-10 12:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-10-29 07:46 . 2004-08-10 12:00 17408 ----a-w- c:\windows\system32\corpol.dll
2009-10-28 14:38 . 2009-10-28 14:38 348160 ----a-w- c:\windows\system32\msvcr71.dll
2009-10-28 14:38 . 2009-10-28 14:38 499712 ----a-w- c:\windows\system32\msvcp71.dll
2009-10-28 07:36 . 2010-01-17 02:10 1152444 ----a-w- c:\windows\UDB.zip
1601-01-01 00:03 . 1601-01-01 00:03 52224 --sha-w- c:\windows\system32\bemadoko.dll.tmp
1601-01-01 00:03 . 1601-01-01 00:03 53248 --sha-w- c:\windows\system32\gokupine.dll
1601-01-01 00:03 . 1601-01-01 00:03 52224 --sha-w- c:\windows\system32\jotogeni.dll.tmp
1601-01-01 00:03 . 1601-01-01 00:03 53248 --sha-w- c:\windows\system32\nevahoti.dll
1601-01-01 00:03 . 1601-01-01 00:03 61952 --sha-w- c:\windows\system32\sitijafe.dll
1601-01-01 00:03 . 1601-01-01 00:03 45568 --sha-w- c:\windows\system32\wugakuwa.dll
1601-01-01 00:03 . 1601-01-01 00:03 52224 --sha-w- c:\windows\system32\zogadeli.dll.tmp
.

------- Sigcheck -------

[7] 2008-04-14 . 5F1D5F88303D4A4DBC8E5F97BA967CC3 . 15360 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\ctfmon.exe
[-] 2004-08-10 . 24232996A38C0B0CF151C2140AE29FC8 . 15360 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\ctfmon.exe

c:\windows\System32\ctfmon.exe ... is missing !!
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{d123a9fe-1d8d-41ac-ac1e-0acfadaea190}]
1601-01-01 00:03 53248 --sha-w- c:\windows\system32\nevahoti.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"RoboForm"="c:\program files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2009-11-29 160592]
"Weather"="c:\program files\AWS\WeatherBug\Weather.exe" [2009-10-20 1693184]
"AOL Fast Start"="c:\program files\AOL 9.5\AOL.EXE" [2009-10-28 50536]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2004-08-10 59392]
"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 114688]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2005-08-14 57344]
"MSSE"="c:\program files\Microsoft Security Essentials\msseces.exe" [2009-09-14 1048392]
"HostManager"="c:\program files\Common Files\AOL\1259463101\ee\AOLSoftware.exe" [2009-07-20 41264]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-12-24 149280]

c:\documents and settings\Administrator\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
ATI CATALYST System Tray.lnk - c:\program files\ATI Technologies\ATI.ACE\CLI.exe [2005-8-14 57344]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\aol\\acs\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\aol\\acs\\AOLacsd.exe"=
"c:\\Program Files\\Common Files\\aol\\1259463101\\ee\\aolsoftware.exe"=
"c:\\Program Files\\AOL 9.5\\waol.exe"=
"c:\\Program Files\\Common Files\\aol\\TopSpeed\\3.0\\aoltpsd3.exe"=
"c:\\Program Files\\Common Files\\aol\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\aol\\System Information\\sinf.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [1/16/2010 8:08 PM 207792]
R2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\Spyware Doctor\BDT\BDTUpdateService.exe [1/16/2010 8:10 PM 112592]
R2 CSHelper;CopySafe Helper Service;c:\windows\system32\CSHelper.exe [1/15/2010 7:28 PM 266240]
S3 diskmgr;diskmgr;c:\windows\system32\diskmgr.sys [8/10/2004 6:00 AM 2304]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [1/16/2010 8:08 PM 359624]
.
Contents of the 'Scheduled Tasks' folder

2010-01-22 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Microsoft Security Essentials\MpCmdRun.exe [2009-07-03 01:36]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.aol.com
IE: Customize Menu - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
IE: Fill Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
IE: RoboForm Toolbar - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
IE: Save Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
TCP: {53962657-1D15-47DF-B1E4-CAD213D839F0} = 193.104.110.38,4.2.2.1,68.87.68.166 68.87.74.166
.
- - - - ORPHANS REMOVED - - - -

BHO-{C4BF49A2-94F1-42BD-F034-3604811C807D} - c:\windows\system32\zmjderb.dll
HKLM-Run-nisapuzab - c:\windows\system32\pumepegi.dll
HKLM-Run-koresejomo - siyayobu.dll
HKLM-Explorer_Run-RTHDBPL - c:\documents and settings\Administrator\Application Data\SystemProc\lsass.exe
SharedTaskScheduler-{C4BF49A2-94F1-42BD-F034-3604811C807D} - c:\windows\system32\zmjderb.dll
SharedTaskScheduler-{0f85ada6-f152-4486-a71f-e2578afd0f11} - c:\windows\system32\pumepegi.dll
SSODL-gosijusin-{0f85ada6-f152-4486-a71f-e2578afd0f11} - c:\windows\system32\pumepegi.dll
AddRemove-LSI Soft Modem - c:\windows\agrsmdel



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-22 12:32
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
RTHDBPL = c:\documents and settings\Administrator\Application Data\SystemProc\lsass.exe???????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(732)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(5284)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Microsoft Security Essentials\MsMpEng.exe
c:\program files\LSI SoftModem\agrsmsvc.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\wscntfy.exe
c:\windows\eHome\ehmsas.exe
c:\program files\AOL 9.5\waol.exe
c:\program files\Common Files\AOL\ACS\AOLAcsd.exe
c:\program files\AOL 9.5\shellmon.exe
.
**************************************************************************
.
Completion time: 2010-01-22 12:35:43 - machine was rebooted
ComboFix-quarantined-files.txt 2010-01-22 18:35

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

- - End Of File - - 83DA205936491415316B58EBDBC28213


Here is the new DDS file

DDS (Ver_09-12-01.01) - NTFSx86
Run by Administrator at 12:50:04.28 on Fri 01/22/2010
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.958.590 [GMT -6:00]

AV: Microsoft Security Essentials *On-access scanning enabled* (Outdated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
c:\Program Files\Microsoft Security Essentials\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Program Files\LSI SoftModem\agrsmsvc.exe
C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe
C:\WINDOWS\system32\CSHelper.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Microsoft Security Essentials\msseces.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Common Files\AOL\1259463101\ee\AOLSoftware.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Java\jre6\bin\jucheck.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\AOL 9.5\waol.exe
C:\Program Files\AOL 9.5\shellmon.exe
C:\Documents and Settings\Administrator\Desktop\dds.pif
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.aol.com
BHO: c:\windows\system32\zmjderb.dll: {c4bf49a2-94f1-42bd-f034-3604811c807d} - c:\windows\system32\zmjderb.dll
BHO: {d123a9fe-1d8d-41ac-ac1e-0acfadaea190} - nevahoti.dll
TB: &RoboForm: {724d43a0-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll
TB: PC Tools Browser Guard: {472734ea-242a-422b-adf8-83d1e48cc825} - c:\program files\spyware doctor\bdt\PCTBrowserDefender.dll
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [RoboForm] "c:\program files\siber systems\ai roboform\RoboTaskBarIcon.exe"
uRun: [Weather] c:\program files\aws\weatherbug\Weather.exe 1
uRun: [AOL Fast Start] "c:\program files\aol 9.5\AOL.EXE" -b
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [AlcxMonitor] ALCXMNTR.EXE
mRun: [ATICCC] "c:\program files\ati technologies\ati.ace\cli.exe" runtime
mRun: [MSSE] "c:\program files\microsoft security essentials\msseces.exe" -hide
mRun: [HostManager] c:\program files\common files\aol\1259463101\ee\AOLSoftware.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [nisapuzab] Rundll32.exe "c:\windows\system32\pumepegi.dll",a
mRun: [koresejomo] Rundll32.exe "siyayobu.dll",s
mExplorerRun: [RTHDBPL] c:\documents and settings\administrator\application data\systemproc\lsass.exe
StartupFolder: c:\docume~1\admini~1\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\aticat~1.lnk - c:\program files\ati technologies\ati.ace\CLI.exe
IE: Customize Menu - file://c:\program files\siber systems\ai roboform\RoboFormComCustomizeIEMenu.html
IE: Fill Forms - file://c:\program files\siber systems\ai roboform\RoboFormComFillForms.html
IE: RoboForm Toolbar - file://c:\program files\siber systems\ai roboform\RoboFormComShowToolbar.html
IE: Save Forms - file://c:\program files\siber systems\ai roboform\RoboFormComSavePass.html
IE: {320AF880-6646-11D3-ABEE-C5DBF3571F46} - c:\program files\siber systems\ai roboform\RoboFormComFillForms.html
IE: {320AF880-6646-11D3-ABEE-C5DBF3571F49} - c:\program files\siber systems\ai roboform\RoboFormComSavePass.html
IE: {724d43aa-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\RoboFormComShowToolbar.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1259357999593
DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} - hxxps://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: {53962657-1D15-47DF-B1E4-CAD213D839F0} = 193.104.110.38,4.2.2.1,68.87.68.166 68.87.74.166
Notify: AtiExtEvent - Ati2evxx.dll
AppInit_DLLs: zefozawu.dll
SSODL: gosijusin - {0f85ada6-f152-4486-a71f-e2578afd0f11} - c:\windows\system32\pumepegi.dll
STS: c:\windows\system32\zmjderb.dll: {c4bf49a2-94f1-42bd-f034-3604811c807d} - c:\windows\system32\zmjderb.dll
STS: jugezatag: {0f85ada6-f152-4486-a71f-e2578afd0f11} - c:\windows\system32\pumepegi.dll
LSA: Notification Packages = scecli siyayobu.dll

============= SERVICES / DRIVERS ===============

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2010-1-16 207792]
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2009-6-18 142832]
R2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\spyware doctor\bdt\BDTUpdateService.exe [2010-1-16 112592]
R2 CSHelper;CopySafe Helper Service;c:\windows\system32\CSHelper.exe [2010-1-15 266240]
S3 diskmgr;diskmgr;c:\windows\system32\diskmgr.sys [2004-8-10 2304]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2010-1-16 359624]
S3 sdCoreService;PC Tools Security Service;c:\program files\spyware doctor\pctsSvc.exe [2010-1-16 1141712]

=============== Created Last 30 ================

2010-01-22 17:55:35 0 d-sha-r- C:\cmdcons
2010-01-22 17:54:14 98816 ----a-w- c:\windows\sed.exe
2010-01-22 17:54:14 77312 ----a-w- c:\windows\MBR.exe
2010-01-22 17:54:14 261632 ----a-w- c:\windows\PEV.exe
2010-01-22 17:54:14 161792 ----a-w- c:\windows\SWREG.exe
2010-01-22 17:53:59 0 d-----w- C:\haleysfix
2010-01-22 11:33:27 0 ---ha-w- c:\windows\system32\BIT13.tmp
2010-01-22 06:03:34 110592 ----a-w- C:\autoexec.exe
2010-01-21 23:33:19 93184 --sh--w- c:\windows\system32\momayabe.dll
2010-01-21 23:33:19 39424 --sh--w- c:\windows\system32\batimeyu.dll
2010-01-21 23:25:28 16896 ----a-w- C:\duehpow.exe
2010-01-21 23:25:23 29184 ----a-w- C:\dqccpnq.exe
2010-01-21 23:25:21 52224 ----a-w- C:\ytlmlfc.exe
2010-01-21 23:25:21 143360 ----a-w- C:\ojjw.exe
2010-01-21 23:25:17 265728 ----a-w- C:\yfoku.exe
2010-01-21 23:25:17 18431 ----a-w- C:\sckw.exe
2010-01-21 21:29:27 749 ----a-w- c:\docume~1\alluse~1\applic~1\h8srtkrl32mainweq.dll
2010-01-17 04:13:49 0 d-----w- c:\program files\Trend Micro
2010-01-17 02:48:49 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-17 02:48:45 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-17 02:48:45 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-17 02:48:45 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-01-17 02:10:37 767952 ----a-w- c:\windows\BDTSupport.dll
2010-01-17 02:10:36 883 ----a-w- c:\windows\RegSDImport.xml
2010-01-17 02:10:36 880 ----a-w- c:\windows\RegISSImport.xml
2010-01-17 02:10:36 165840 ----a-w- c:\windows\PCTBDRes.dll
2010-01-17 02:10:36 1640400 ----a-w- c:\windows\PCTBDCore.dll
2010-01-17 02:10:36 149456 ----a-w- c:\windows\SGDetectionTool.dll
2010-01-17 02:10:36 131 ----a-w- c:\windows\IDB.zip
2010-01-17 02:10:36 1152444 ----a-w- c:\windows\UDB.zip
2010-01-17 02:08:17 7387 ----a-w- c:\windows\system32\drivers\pctgntdi.cat
2010-01-17 02:08:17 233136 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2010-01-17 02:08:11 87784 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2010-01-17 02:08:11 7412 ----a-w- c:\windows\system32\drivers\PCTAppEvent.cat
2010-01-17 02:08:11 7383 ----a-w- c:\windows\system32\drivers\pctcore.cat
2010-01-17 02:08:11 207792 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2010-01-17 02:08:06 7383 ----a-w- c:\windows\system32\drivers\pctplsg.cat
2010-01-17 02:08:06 70408 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2010-01-17 02:08:01 0 d-----w- c:\program files\Spyware Doctor
2010-01-17 02:08:01 0 d-----w- c:\program files\common files\PC Tools
2010-01-17 02:08:01 0 d-----w- c:\docume~1\alluse~1\applic~1\PC Tools
2010-01-17 02:08:01 0 d-----w- c:\docume~1\admini~1\applic~1\PC Tools
2010-01-17 01:27:06 0 d-----w- c:\windows\system32\LogFiles
2010-01-16 01:28:28 266240 ----a-w- c:\windows\system32\CSHelper.exe
2010-01-16 01:28:28 225280 ----a-w- c:\windows\system32\CSInstru.DLL
2010-01-13 05:59:23 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll
2010-01-06 22:02:14 0 d-----w- C:\.jagex_cache_32
2010-01-03 08:23:41 552 ----a-w- c:\windows\system32\d3d8caps.dat
2010-01-03 08:23:17 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-12-29 20:14:04 69 ----a-w- c:\documents and settings\administrator\jagex_runescape_preferences2.dat
2009-12-29 20:13:00 39 ----a-w- c:\documents and settings\administrator\jagex_runescape_preferences.dat
2009-12-29 20:12:49 0 d-----w- c:\windows\.jagex_cache_32
2009-12-24 21:51:27 73728 ----a-w- c:\windows\system32\javacpl.cpl
2009-12-24 21:51:27 411368 ----a-w- c:\windows\system32\deploytk.dll

==================== Find3M ====================

2010-01-21 23:25:55 96512 ------w- c:\windows\system32\drivers\atapi.sys
2009-11-27 21:10:35 21640 ----a-w- c:\windows\system32\emptyregdb.dat
2009-11-03 02:42:06 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-10-29 07:46:59 832512 ------w- c:\windows\system32\wininet.dll
2009-10-29 07:46:52 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-10-29 07:46:50 17408 ----a-w- c:\windows\system32\corpol.dll
2009-10-28 14:38:47 348160 ----a-w- c:\windows\system32\msvcr71.dll
2009-10-28 14:38:46 499712 ----a-w- c:\windows\system32\msvcp71.dll
1601-01-01 00:03:28 53248 --sha-w- c:\windows\system32\gokupine.dll
1601-01-01 00:03:52 53248 --sha-w- c:\windows\system32\nevahoti.dll
1601-01-01 00:03:28 61952 --sha-w- c:\windows\system32\sitijafe.dll
1601-01-01 00:03:28 45568 --sha-w- c:\windows\system32\wugakuwa.dll

============= FINISH: 12:50:13.84 ===============

 

[Blade81]

Please download Malwarebytes' Anti-Malware to your desktop.

• Double-click mbam-setup.exe and follow the prompts to install the program.
• At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
• If an update is found, it will download and install the latest version.
• Once the program has loaded, select Perform quick scan, then click Scan.
• When the scan is complete, click OK, then Show Results to view the results.
• Be sure that everything is checked, and click Remove Selected.
• When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be found here: C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
• Please post contents of that file in your next reply.

 

[beautygirlhaley]

i can't run this program??

Hi again! Thanks for your help so far. My antivirus is up and running again, but my browser is still getting hijacked. I dl the malwarebytes, but there is some sort of problem. I had dl this program before i posted on here, so when I tried to dl the second time, I was getting corrupted files, so I uninstalled the first program and then deleted the dl off my desktop. The third time I dl the program all seemed to go well, but it would not launch. It is telling me that mbam.exe is missing. I cannot find it in the folder also??? I renamed the file that I dl to my desktop to mbaaam-setup incase it was a name issue that was causing me dl troubles. Anyway. It won't run and I don't have a clue. As usual.

 

[Blade81]

Ok. Then let's leave MBAM run till later.


Open notepad and copy/paste the text in the quotebox below into it:

http://forums.spybot.info/showthread.php?p=356802#post356802
Collect::
C:\autoexec.exe
c:\windows\system32\momayabe.dll
c:\windows\system32\batimeyu.dll
C:\duehpow.exe
C:\dqccpnq.exe
C:\ojjw.exe
C:\ytlmlfc.exe
C:\yfoku.exe
C:\sckw.exe
c:\documents and settings\All Users\Application Data\h8srtkrl32mainweq.dll
c:\windows\system32\bemadoko.dll.tmp
c:\windows\system32\gokupine.dll
c:\windows\system32\jotogeni.dll.tmp
c:\windows\system32\nevahoti.dll
c:\windows\system32\sitijafe.dll
c:\windows\system32\wugakuwa.dll
c:\windows\system32\zogadeli.dll.tmp
DDS::
BHO: c:\windows\system32\zmjderb.dll: {c4bf49a2-94f1-42bd-f034-3604811c807d} - c:\windows\system32\zmjderb.dll
BHO: {d123a9fe-1d8d-41ac-ac1e-0acfadaea190} - nevahoti.dll
mRun: [nisapuzab] Rundll32.exe "c:\windows\system32\pumepegi.dll",a
mRun: [koresejomo] Rundll32.exe "siyayobu.dll",s
mExplorerRun: [RTHDBPL] c:\documents and settings\administrator\application data\systemproc\lsass.exe
TCP: {53962657-1D15-47DF-B1E4-CAD213D839F0} = 193.104.110.38,4.2.2.1,68.87.68.166 68.87.74.166
AppInit_DLLs: zefozawu.dll
SSODL: gosijusin - {0f85ada6-f152-4486-a71f-e2578afd0f11} - c:\windows\system32\pumepegi.dll
STS: c:\windows\system32\zmjderb.dll: {c4bf49a2-94f1-42bd-f034-3604811c807d} - c:\windows\system32\zmjderb.dll
STS: jugezatag: {0f85ada6-f152-4486-a71f-e2578afd0f11} - c:\windows\system32\pumepegi.dll
LSA: Notification Packages = scecli siyayobu.dll
FCopy::
c:\windows\ServicePackFiles\i386\ctfmon.exe|c:\windows\System32\ctfmon.exe
c:\windows\ServicePackFiles\i386\ctfmon.exe|c:\windows\System32\dllcache\ctfmon.exe

Save this as
CFScript

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.

Close all browser windows and refering to the picture above, drag CFScript into haleysfix.exe (keep internet connection enabled and let ComboFix update itself if asked for a permission).
Then post the resultant log.


Uninstall old Adobe Reader versions and get the latest one (9.3) here or get Foxit Reader here. Make sure you don't install toolbar if choose Foxit Reader! You may also check free readers introduced here.

Check here to see if your Flash is up-to-date (do it separately with each of your browsers). If not, uninstall vulnerable versions by following instructions here. Fresh version can be obtained here.


Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update to the latest version...

Updating Java:

• Download the latest version of Java Runtime Environment (JRE) 6 Update 18.
• Click the
  Download
  button to the right.
• Select Windows on platform combobox and check the box that says:
  Accept License Agreement. Click continue.
  
• The page will refresh.
• Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
• Close any programs you may have running - especially your web browser.
• Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
• Check any item with Java Runtime Environment (JRE or J2SE) in the name.
• Click the Remove or Change/Remove button.
• Repeat as many times as necessary to remove each Java versions.
• Reboot your computer once all Java components are removed.
• Then from your desktop double-click on jre-6u18-windows-i586-p.exe to install the newest version. Uncheck Carbonite online backup trial if it's offered there.

Download ATF (Atribune Temp File) Cleaner© by Atribune to your desktop.

Double-click ATF Cleaner.exe to open it

Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache
*The other boxes are optional*
Then click the Empty Selected button.

If you use Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

If you use Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Click Exit on the Main menu to close the program.


Please run an online scan with Kaspersky Online Scanner as instructed in the screenshot here.

Post back its report, a fresh dds.txt log and above mentioned ComboFix resultant log.

 

[beautygirlhaley]

ummmmm.....

Am I supposed to close out of my antivirus and firewall and stuff before I drag the CFScript over to the combofix? And does it matter if I run combofix before or after I update all my Acrobat, Java and such?

Haley

 

[Blade81]

Yes, disable protection first. You may carry out other things after ComboFix run

 

[beautygirlhaley]

Alrighty....

Hi Blade!

Here are the requested logs:



COMBOFIX
ComboFix 10-01-23.02 - Administrator 01/23/2010 14:51:38.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.958.559 [GMT -6:00]
Running from: c:\documents and settings\Administrator\Desktop\haleysfix.exe
Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript.txt
AV: Microsoft Security Essentials *On-access scanning disabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}

file zipped: C:\autoexec.exe
file zipped: c:\documents and settings\All Users\Application Data\h8srtkrl32mainweq.dll
file zipped: C:\dqccpnq.exe
file zipped: C:\duehpow.exe
file zipped: C:\ojjw.exe
file zipped: C:\sckw.exe
file zipped: c:\windows\system32\batimeyu.dll
file zipped: c:\windows\system32\bemadoko.dll.tmp
file zipped: c:\windows\system32\gokupine.dll
file zipped: c:\windows\system32\jotogeni.dll.tmp
file zipped: c:\windows\system32\momayabe.dll
file zipped: c:\windows\system32\nevahoti.dll
file zipped: c:\windows\system32\sitijafe.dll
file zipped: c:\windows\system32\wugakuwa.dll
file zipped: c:\windows\system32\zogadeli.dll.tmp
file zipped: C:\yfoku.exe
file zipped: C:\ytlmlfc.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\autoexec.exe
c:\documents and settings\Administrator\Cookies\administrator@my.scr
c:\documents and settings\All Users\Application Data\h8srtkrl32mainweq.dll
C:\dqccpnq.exe
C:\duehpow.exe
C:\ojjw.exe
C:\sckw.exe
c:\windows\system32\bafovudu.dll
c:\windows\system32\batimeyu.dll
c:\windows\system32\bemadoko.dll.tmp
c:\windows\system32\gokupine.dll
c:\windows\system32\jotogeni.dll.tmp
c:\windows\system32\momayabe.dll
c:\windows\system32\nevahoti.dll
c:\windows\system32\sitijafe.dll
c:\windows\system32\wugakuwa.dll
c:\windows\system32\zmjderb.dll
c:\windows\system32\zogadeli.dll.tmp
c:\windows\Tasks\qqvjfhhl.job
C:\yfoku.exe
C:\ytlmlfc.exe

Infected copy of c:\windows\regedit.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\regedit.exe

Infected copy of c:\windows\system32\cmd.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\cmd.exe

Infected copy of c:\windows\system32\logonui.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\logonui.exe

Infected copy of c:\windows\system32\net.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\net.exe

Infected copy of c:\windows\system32\notepad.exe was found and disinfected
Restored copy from - c:\windows\notepad.exe

Infected copy of c:\windows\system32\wbem\wmiapsrv.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\wmiapsrv.exe

.
--------------- FCopy ---------------

c:\windows\ServicePackFiles\i386\ctfmon.exe --> c:\windows\System32\ctfmon.exe
c:\windows\ServicePackFiles\i386\ctfmon.exe --> c:\windows\System32\dllcache\ctfmon.exe
.
((((((((((((((((((((((((( Files Created from 2009-12-23 to 2010-01-23 )))))))))))))))))))))))))))))))
.

2010-01-23 20:51 . 2008-04-14 00:12 15360 -c--a-w- c:\windows\system32\dllcache\ctfmon.exe
2010-01-23 20:51 . 2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe
2010-01-23 20:34 . 2010-01-23 20:34 -------- d-----w- c:\documents and settings\Default User\Local Settings\Application Data\Adobe
2010-01-23 20:34 . 2010-01-23 20:34 -------- d-----w- c:\program files\Common Files\Adobe
2010-01-23 20:33 . 2010-01-23 20:33 -------- d-----w- c:\program files\Common Files\Adobe AIR
2010-01-23 20:27 . 2010-01-23 20:27 -------- d-----w- c:\program files\Common Files\Java
2010-01-23 20:26 . 2010-01-23 20:26 -------- d-----w- c:\program files\Java
2010-01-23 03:37 . 2010-01-23 03:37 -------- d-----w- C:\BJPrinter
2010-01-23 03:23 . 2010-01-23 03:23 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Help
2010-01-23 00:13 . 2010-01-07 22:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-23 00:13 . 2010-01-07 22:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-17 04:13 . 2010-01-17 04:13 -------- d-----w- c:\program files\Trend Micro
2010-01-17 04:10 . 2010-01-17 04:11 -------- d-----w- c:\program files\ERUNT
2010-01-17 02:48 . 2010-01-23 00:13 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-17 02:48 . 2010-01-17 02:48 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-01-17 02:08 . 2010-01-17 02:08 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2010-01-17 02:08 . 2010-01-17 02:08 -------- d-----w- c:\documents and settings\Administrator\Application Data\PC Tools
2010-01-17 02:07 . 2010-01-23 20:57 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-01-17 01:27 . 2010-01-17 01:27 -------- d-----w- c:\windows\system32\LogFiles
2010-01-16 01:28 . 2010-01-16 01:28 266240 ----a-w- c:\windows\system32\CSHelper.exe
2010-01-16 01:28 . 2010-01-16 01:28 225280 ----a-w- c:\windows\system32\CSInstru.DLL
2010-01-13 05:59 . 2009-11-21 15:51 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll
2010-01-06 22:02 . 2010-01-06 22:02 -------- d-----w- C:\.jagex_cache_32
2010-01-03 08:23 . 2010-01-03 08:23 552 ----a-w- c:\windows\system32\d3d8caps.dat
2010-01-03 08:23 . 2010-01-17 11:06 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-12-29 20:14 . 2010-01-14 23:07 69 ----a-w- c:\documents and settings\Administrator\jagex_runescape_preferences2.dat
2009-12-29 20:13 . 2010-01-14 23:06 39 ----a-w- c:\documents and settings\Administrator\jagex_runescape_preferences.dat
2009-12-29 20:12 . 2009-12-29 22:03 -------- d-----w- c:\windows\.jagex_cache_32
2009-12-24 21:51 . 2009-12-24 21:51 -------- d-----w- c:\windows\Sun
2009-12-24 21:51 . 2010-01-23 20:26 411368 ----a-w- c:\windows\system32\deploytk.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-23 20:49 . 2009-12-01 00:50 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2010-01-23 20:32 . 2010-01-23 20:32 86016 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe
2010-01-23 20:27 . 2010-01-23 20:27 503808 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-23d147d4-n\msvcp71.dll
2010-01-23 20:27 . 2010-01-23 20:27 499712 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-23d147d4-n\jmc.dll
2010-01-23 20:27 . 2010-01-23 20:27 348160 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-23d147d4-n\msvcr71.dll
2010-01-23 20:27 . 2010-01-23 20:27 61440 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-65ce984d-n\decora-sse.dll
2010-01-23 20:27 . 2010-01-23 20:27 12800 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-65ce984d-n\decora-d3d.dll
2010-01-23 20:15 . 2010-01-23 20:15 152576 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2010-01-23 20:15 . 2010-01-23 20:15 79488 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2010-01-22 11:33 . 2010-01-22 11:33 0 ---ha-w- c:\windows\system32\BIT13.tmp
2010-01-21 23:25 . 2004-08-10 12:00 96512 ------w- c:\windows\system32\drivers\atapi.sys
2010-01-21 21:28 . 2010-01-17 02:08 -------- d-----w- c:\program files\Spyware Doctor
2010-01-17 02:10 . 2010-01-17 02:08 -------- d-----w- c:\program files\Common Files\PC Tools
2010-01-14 17:12 . 2009-11-29 02:38 181120 ------w- c:\windows\system32\MpSigStub.exe
2010-01-04 00:12 . 2009-11-28 00:56 17768 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-12-21 16:19 . 2009-12-21 16:02 -------- d-----w- c:\documents and settings\Administrator\Application Data\GetRightToGo
2009-12-21 15:53 . 2009-12-21 15:53 -------- d-----w- c:\program files\MSECache
2009-12-20 22:16 . 2009-12-20 22:16 -------- d-----w- c:\program files\Wisdom-soft ScreenHunter 5 Free
2009-12-05 02:43 . 2009-11-29 02:51 -------- d-----w- c:\program files\Common Files\aol
2009-12-03 16:42 . 2009-12-03 16:42 423464 ----a-w- c:\documents and settings\Administrator\Application Data\E-centives\BSTIEPrintCtl1.dll
2009-12-03 16:42 . 2009-12-03 16:42 -------- d-----w- c:\documents and settings\Administrator\Application Data\E-centives
2009-12-02 17:14 . 2009-12-02 17:14 -------- d-----w- c:\documents and settings\Administrator\Application Data\WeatherBug
2009-12-02 17:14 . 2009-12-02 17:14 18944 ----a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{8F931595-5561-4E26-AC78-7E9B1E3E9C98}\IconBB6A16301.exe
2009-12-02 17:14 . 2009-12-02 17:14 11264 ----a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{8F931595-5561-4E26-AC78-7E9B1E3E9C98}\IconBB6A1630.exe
2009-12-02 17:14 . 2009-12-02 17:14 -------- d-----w- c:\program files\AWS
2009-12-02 15:04 . 2009-12-02 14:37 -------- d-----w- c:\documents and settings\Administrator\Application Data\ICAClient
2009-12-02 14:37 . 2009-12-02 14:37 -------- d-----w- c:\program files\Citrix
2009-11-30 15:31 . 2009-11-29 02:51 -------- d-----w- c:\program files\AOL 9.5
2009-11-30 05:03 . 2009-11-29 02:54 -------- d-----w- c:\documents and settings\Administrator\Application Data\AOL
2009-11-29 03:47 . 2009-11-29 03:47 -------- d-----w- c:\documents and settings\All Users\Application Data\RoboForm
2009-11-29 03:46 . 2009-11-29 03:46 -------- d-----w- c:\program files\Siber Systems
2009-11-29 02:54 . 2009-11-29 02:51 -------- d-----w- c:\documents and settings\All Users\Application Data\AOL
2009-11-29 02:53 . 2009-11-29 02:51 -------- d-----w- c:\program files\Common Files\aolshare
2009-11-29 02:53 . 2009-11-29 02:53 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
2009-11-29 02:53 . 2009-11-29 02:53 -------- d-----w- c:\program files\Viewpoint
2009-11-29 02:52 . 2009-11-29 02:52 -------- d-----w- c:\documents and settings\All Users\Application Data\AOL OCP
2009-11-29 02:49 . 2009-11-29 02:47 43732816 ----a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\waol_single\4337.155.1.1\setup.exe
2009-11-29 02:47 . 2009-11-29 02:47 42960 ----a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\waol_single\4337.155.1.1\noneCodesignFilesBundle.exe
2009-11-29 02:47 . 2009-11-29 02:47 335 ----a-w- c:\windows\nsreg.dat
2009-11-29 02:47 . 2009-11-29 02:47 -------- d-----w- c:\documents and settings\All Users\Application Data\AOL Downloads
2009-11-29 02:36 . 2009-11-29 02:36 -------- d-----w- c:\program files\Microsoft Security Essentials
2009-11-28 00:57 . 2009-11-27 23:52 -------- d-----w- c:\documents and settings\All Users\Application Data\DriverScanner
2009-11-28 00:57 . 2009-11-27 23:52 -------- d-----w- c:\documents and settings\Administrator\Application Data\Uniblue
2009-11-28 00:55 . 2009-11-28 00:55 136 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\fusioncache.dat
2009-11-28 00:55 . 2009-11-28 00:55 -------- d-----w- c:\documents and settings\Administrator\Application Data\ATI
2009-11-28 00:51 . 2009-11-28 00:51 -------- d-----w- c:\program files\MSBuild
2009-11-28 00:51 . 2009-11-28 00:51 -------- d-----w- c:\program files\Reference Assemblies
2009-11-28 00:41 . 2009-11-28 00:41 -------- d-----w- c:\program files\CCleaner
2009-11-28 00:36 . 2009-11-28 00:35 -------- d-----w- c:\program files\ATI Technologies
2009-11-28 00:36 . 2009-11-28 00:22 -------- d-----w- c:\program files\Common Files\InstallShield
2009-11-28 00:36 . 2009-11-28 00:23 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-11-28 00:23 . 2009-11-28 00:23 -------- d-----w- c:\program files\Realtek AC97
2009-11-27 23:32 . 2009-11-27 23:32 -------- d-----w- c:\program files\LSI SoftModem
2009-11-27 22:02 . 2009-11-27 21:18 86811 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-11-27 21:19 . 2009-11-27 21:19 -------- d-----w- c:\program files\microsoft frontpage
2009-11-27 21:10 . 2009-11-27 21:10 21640 ----a-w- c:\windows\system32\emptyregdb.dat
2009-11-27 21:09 . 2009-11-27 21:09 -------- d-----w- c:\program files\Windows Plus
2009-11-21 15:51 . 2004-08-10 12:00 471552 ----a-w- c:\windows\AppPatch\aclayers.dll
2009-11-20 11:08 . 2010-01-23 20:33 38784 ----a-w- c:\documents and settings\Administrator\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2009-11-20 11:08 . 2010-01-23 20:33 38784 ----a-w- c:\documents and settings\Default User\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2009-11-10 16:28 . 2010-01-17 02:10 149456 ----a-w- c:\windows\SGDetectionTool.dll
2009-11-10 16:28 . 2010-01-17 02:10 165840 ----a-w- c:\windows\PCTBDRes.dll
2009-11-10 16:28 . 2010-01-17 02:10 1640400 ----a-w- c:\windows\PCTBDCore.dll
2009-11-10 16:26 . 2010-01-17 02:10 767952 ----a-w- c:\windows\BDTSupport.dll
2009-11-09 17:20 . 2010-01-17 02:08 207792 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2009-10-30 17:11 . 2010-01-17 02:08 233136 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2009-10-29 07:46 . 2004-08-10 12:00 832512 ------w- c:\windows\system32\wininet.dll
2009-10-29 07:46 . 2004-08-10 12:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-10-29 07:46 . 2004-08-10 12:00 17408 ----a-w- c:\windows\system32\corpol.dll
2009-10-28 14:38 . 2009-10-28 14:38 348160 ----a-w- c:\windows\system32\msvcr71.dll
2009-10-28 14:38 . 2009-10-28 14:38 499712 ----a-w- c:\windows\system32\msvcp71.dll
2009-10-28 07:36 . 2010-01-17 02:10 1152444 ----a-w- c:\windows\UDB.zip
1601-01-01 00:03 . 1601-01-01 00:03 39424 --sha-w- c:\windows\system32\bokeneja.dll
1601-01-01 00:03 . 1601-01-01 00:03 61440 --sha-w- c:\windows\system32\mipolawe.dll
1601-01-01 00:03 . 1601-01-01 00:03 39424 --sha-w- c:\windows\system32\safodaru.dll
.

((((((((((((((((((((((((((((( SnapShot@2010-01-22_18.32.53 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-01-23 20:57 . 2010-01-23 20:57 16384 c:\windows\Temp\Perflib_Perfdata_160.dat
+ 2004-08-10 12:00 . 2008-04-14 00:12 69120 c:\windows\system32\notepad.exe
+ 2010-01-23 20:37 . 2010-01-23 20:37 84507 c:\windows\system32\Macromed\Flash\uninstall_activeX.exe
+ 2010-01-23 20:33 . 2010-01-23 20:33 24576 c:\windows\Installer\2e40e.msi
+ 2010-01-23 20:33 . 2010-01-23 20:33 27648 c:\windows\Installer\2e3fa.msi
+ 2009-11-27 21:01 . 2008-04-14 00:12 126464 c:\windows\system32\wbem\wmiapsrv.exe
+ 2009-12-01 00:06 . 2004-02-03 13:00 119808 c:\windows\system32\spool\drivers\w32x86\3\CNMSM58.EXE
+ 2009-11-03 00:24 . 2009-11-03 00:24 257440 c:\windows\system32\Macromed\Flash\FlashUtil10d.exe
+ 2004-08-10 12:00 . 2008-04-14 00:12 514560 c:\windows\system32\logonui.exe
+ 2010-01-23 20:27 . 2010-01-23 20:26 153376 c:\windows\system32\javaws.exe
- 2009-12-24 21:51 . 2009-12-24 21:51 145184 c:\windows\system32\javaw.exe
+ 2010-01-23 20:27 . 2010-01-23 20:26 145184 c:\windows\system32\javaw.exe
+ 2010-01-23 20:27 . 2010-01-23 20:26 145184 c:\windows\system32\java.exe
- 2009-12-24 21:51 . 2009-12-24 21:51 145184 c:\windows\system32\java.exe
+ 2010-01-23 20:27 . 2010-01-23 20:27 178176 c:\windows\Installer\2e2ed.msi
+ 2010-01-23 20:26 . 2010-01-23 20:26 576000 c:\windows\Installer\2e2e8.msi
+ 2010-01-23 20:25 . 2010-01-23 20:25 172032 c:\windows\ERDNT\AutoBackup\1-23-2010\Users\00000002\UsrClass.dat
+ 2010-01-23 20:25 . 2005-10-20 18:02 163328 c:\windows\ERDNT\AutoBackup\1-23-2010\ERDNT.EXE
+ 2010-01-23 20:34 . 2010-01-23 20:34 3940352 c:\windows\Installer\2e413.msi
+ 2010-01-23 20:25 . 2010-01-23 20:25 1839104 c:\windows\ERDNT\AutoBackup\1-23-2010\Users\00000001\NTUSER.DAT
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C4BF49A2-94F1-42BD-F034-3604811C807D}]
c:\windows\system32\zmjderb.dll [BU]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"RoboForm"="c:\program files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2009-11-29 160592]
"Weather"="c:\program files\AWS\WeatherBug\Weather.exe" [2009-10-20 1693184]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2004-08-10 59392]
"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 114688]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2005-08-14 57344]
"MSSE"="c:\program files\Microsoft Security Essentials\msseces.exe" [2009-09-14 1048392]
"HostManager"="c:\program files\Common Files\AOL\1259463101\ee\AOLSoftware.exe" [2009-07-20 41264]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-01-11 246504]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]

c:\documents and settings\Administrator\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
ATI CATALYST System Tray.lnk - c:\program files\ATI Technologies\ATI.ACE\CLI.exe [2005-8-14 57344]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\SharedTaskScheduler]
"{C4BF49A2-94F1-42BD-F034-3604811C807D}"= "c:\windows\system32\zmjderb.dll" [BU]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\aol\\acs\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\aol\\acs\\AOLacsd.exe"=
"c:\\Program Files\\Common Files\\aol\\1259463101\\ee\\aolsoftware.exe"=
"c:\\Program Files\\AOL 9.5\\waol.exe"=
"c:\\Program Files\\Common Files\\aol\\TopSpeed\\3.0\\aoltpsd3.exe"=
"c:\\Program Files\\Common Files\\aol\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\aol\\System Information\\sinf.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\ATI Technologies\\ATI.ACE\\CLI.exe"=

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [1/16/2010 8:08 PM 207792]
R2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\Spyware Doctor\BDT\BDTUpdateService.exe [1/16/2010 8:10 PM 112592]
R2 CSHelper;CopySafe Helper Service;c:\windows\system32\CSHelper.exe [1/15/2010 7:28 PM 266240]
S3 diskmgr;diskmgr;c:\windows\system32\diskmgr.sys [8/10/2004 6:00 AM 2304]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [1/16/2010 8:08 PM 359624]
.
Contents of the 'Scheduled Tasks' folder

2010-01-23 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Microsoft Security Essentials\MpCmdRun.exe [2009-07-03 01:36]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.aol.com
IE: Customize Menu - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
IE: Fill Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
IE: RoboForm Toolbar - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
IE: Save Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
.
- - - - ORPHANS REMOVED - - - -

SharedTaskScheduler-{647d9f91-5999-469c-ae5d-fbcc058ea018} - c:\windows\system32\bafovudu.dll
SSODL-pafidigof-{647d9f91-5999-469c-ae5d-fbcc058ea018} - c:\windows\system32\bafovudu.dll



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-23 14:57
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(720)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(2120)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\Microsoft Security Essentials\MsMpEng.exe
c:\program files\LSI SoftModem\agrsmsvc.exe
c:\windows\system32\Ati2evxx.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\wscntfy.exe
c:\windows\ALCXMNTR.EXE
c:\windows\eHome\ehmsas.exe
.
**************************************************************************
.
Completion time: 2010-01-23 15:03:14 - machine was rebooted
ComboFix-quarantined-files.txt 2010-01-23 21:03
ComboFix2.txt 2010-01-22 18:35

Pre-Run: 180,583,120,896 bytes free
Post-Run: 180,542,861,312 bytes free

- - End Of File - - DBDD8887A685BC775019BA974E47CE59
--------------------------------------------------------------------------------
KAPERSKY
KASPERSKY ONLINE SCANNER 7.0: scan report
Saturday, January 23, 2010
Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Saturday, January 23, 2010 20:29:52
Records in database: 3362849
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
C:\
D:\
F:\
G:\
H:\
I:\

Scan statistics:
Objects scanned: 55842
Threats found: 9
Infected objects found: 33
Suspicious objects found: 0
Scan duration: 00:50:39


File name / Threat / Threats count
C:\Qoobox\Quarantine\C\Documents and Settings\Administrator\Application Data\SystemProc\lsass.exe.vir Infected: P2P-Worm.Win32.Agent.xo 1
C:\Qoobox\Quarantine\C\Program Files\Malware Defense\mdext.dll.vir Infected: Packed.Win32.TDSS.aa 1
C:\Qoobox\Quarantine\C\Program Files\Malware Defense\uninstall.exe.vir Infected: Packed.Win32.TDSS.aa 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\6to4v32.dll.vir Infected: Backdoor.Win32.Agent.anyz 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\bafovudu.dll.vir Infected: Packed.Win32.TDSS.aa 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\H8SRThtpayglotm.sys.vir Infected: Trojan.Win32.Tdss.avpq 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\H8SRTdomlxbxnjy.dll.vir Infected: Packed.Win32.TDSS.aa 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\H8SRTkjskeibudl.dll.vir Infected: Packed.Win32.TDSS.aa 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\H8SRTlkveyrndep.dll.vir Infected: Packed.Win32.TDSS.aa 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\H8SRTpabutewlot.dll.vir Infected: Packed.Win32.TDSS.aa 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\Iasv32.dll.vir Infected: Backdoor.Win32.Agent.aoep 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\kbdsock.dll.vir Infected: Trojan.Win32.Zapchast.aix 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\mshlps.dll.vir Infected: Trojan.Win32.Zapchast.aix 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\pumepegi.dll.vir Infected: Packed.Win32.TDSS.aa 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\siyayobu.dll.vir Infected: Packed.Win32.TDSS.aa 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\zefozawu.dll.vir Infected: Packed.Win32.TDSS.aa 1
C:\Qoobox\Quarantine\[4]-Submit_2010-01-23_14.51.14.zip Infected: P2P-Worm.Win32.Agent.xo 1
C:\Qoobox\Quarantine\[4]-Submit_2010-01-23_14.51.14.zip Infected: Packed.Win32.Krap.x 1
C:\Qoobox\Quarantine\[4]-Submit_2010-01-23_14.51.14.zip Infected: Trojan-Dropper.Win32.Agent.blao 1
C:\Qoobox\Quarantine\[4]-Submit_2010-01-23_14.51.14.zip Infected: Packed.Win32.TDSS.aa 9
C:\Qoobox\Quarantine\[4]-Submit_2010-01-23_14.51.14.zip Infected: Backdoor.Win32.Bifrose.cbrp 1
C:\WINDOWS\system32\bokeneja.dll Infected: Packed.Win32.TDSS.aa 1
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\YHCVWX45\book[1].htm Infected: Packed.Win32.TDSS.aa 1
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\YHCVWX45\book[2].htm Infected: Packed.Win32.TDSS.aa 1
C:\WINDOWS\system32\safodaru.dll Infected: Packed.Win32.TDSS.aa 1

Selected area has been scanned.


DDS
DDS (Ver_09-12-01.01) - NTFSx86
Run by Administrator at 16:16:15.12 on Sat 01/23/2010
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.958.707 [GMT -6:00]

AV: Microsoft Security Essentials *On-access scanning disabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
c:\Program Files\Microsoft Security Essentials\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\LSI SoftModem\agrsmsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe
C:\WINDOWS\system32\CSHelper.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Microsoft Security Essentials\msseces.exe
C:\Program Files\Common Files\AOL\1259463101\ee\AOLSoftware.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Administrator\Desktop\dds.pif

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.aol.com
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: c:\windows\system32\zmjderb.dll: {c4bf49a2-94f1-42bd-f034-3604811c807d} - c:\windows\system32\zmjderb.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: &RoboForm: {724d43a0-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll
TB: PC Tools Browser Guard: {472734ea-242a-422b-adf8-83d1e48cc825} - c:\program files\spyware doctor\bdt\PCTBrowserDefender.dll
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [RoboForm] "c:\program files\siber systems\ai roboform\RoboTaskBarIcon.exe"
uRun: [Weather] c:\program files\aws\weatherbug\Weather.exe 1
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [AlcxMonitor] ALCXMNTR.EXE
mRun: [ATICCC] "c:\program files\ati technologies\ati.ace\cli.exe" runtime
mRun: [MSSE] "c:\program files\microsoft security essentials\msseces.exe" -hide
mRun: [HostManager] c:\program files\common files\aol\1259463101\ee\AOLSoftware.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
StartupFolder: c:\docume~1\admini~1\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\aticat~1.lnk - c:\program files\ati technologies\ati.ace\CLI.exe
IE: Customize Menu - file://c:\program files\siber systems\ai roboform\RoboFormComCustomizeIEMenu.html
IE: Fill Forms - file://c:\program files\siber systems\ai roboform\RoboFormComFillForms.html
IE: RoboForm Toolbar - file://c:\program files\siber systems\ai roboform\RoboFormComShowToolbar.html
IE: Save Forms - file://c:\program files\siber systems\ai roboform\RoboFormComSavePass.html
IE: {320AF880-6646-11D3-ABEE-C5DBF3571F46} - c:\program files\siber systems\ai roboform\RoboFormComFillForms.html
IE: {320AF880-6646-11D3-ABEE-C5DBF3571F49} - c:\program files\siber systems\ai roboform\RoboFormComSavePass.html
IE: {724d43aa-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\RoboFormComShowToolbar.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1259357999593
DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} - hxxps://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Notify: AtiExtEvent - Ati2evxx.dll
STS: c:\windows\system32\zmjderb.dll: {c4bf49a2-94f1-42bd-f034-3604811c807d} - c:\windows\system32\zmjderb.dll

============= SERVICES / DRIVERS ===============

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2010-1-16 207792]
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2009-6-18 142832]
R2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\spyware doctor\bdt\BDTUpdateService.exe [2010-1-16 112592]
R2 CSHelper;CopySafe Helper Service;c:\windows\system32\CSHelper.exe [2010-1-15 266240]
S3 diskmgr;diskmgr;c:\windows\system32\diskmgr.sys [2004-8-10 2304]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2010-1-16 359624]
S3 sdCoreService;PC Tools Security Service;c:\program files\spyware doctor\pctsSvc.exe [2010-1-16 1141712]

=============== Created Last 30 ================

2010-01-23 20:51:37 15360 -c--a-w- c:\windows\system32\dllcache\ctfmon.exe
2010-01-23 20:51:37 15360 ------w- c:\windows\system32\ctfmon.exe
2010-01-23 20:27:02 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-01-23 20:22:37 0 d-----w- c:\windows\system32\appmgmt
2010-01-23 03:37:35 0 d-----w- C:\BJPrinter
2010-01-23 00:13:03 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-23 00:13:01 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-22 17:55:35 0 d-sha-r- C:\cmdcons
2010-01-22 17:54:14 98816 ----a-w- c:\windows\sed.exe
2010-01-22 17:54:14 77312 ----a-w- c:\windows\MBR.exe
2010-01-22 17:54:14 261632 ----a-w- c:\windows\PEV.exe
2010-01-22 17:54:14 161792 ----a-w- c:\windows\SWREG.exe
2010-01-22 11:33:27 0 ---ha-w- c:\windows\system32\BIT13.tmp
2010-01-17 04:13:49 0 d-----w- c:\program files\Trend Micro
2010-01-17 02:48:45 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-17 02:48:45 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-01-17 02:10:37 767952 ----a-w- c:\windows\BDTSupport.dll
2010-01-17 02:10:36 883 ----a-w- c:\windows\RegSDImport.xml
2010-01-17 02:10:36 880 ----a-w- c:\windows\RegISSImport.xml
2010-01-17 02:10:36 165840 ----a-w- c:\windows\PCTBDRes.dll
2010-01-17 02:10:36 1640400 ----a-w- c:\windows\PCTBDCore.dll
2010-01-17 02:10:36 149456 ----a-w- c:\windows\SGDetectionTool.dll
2010-01-17 02:10:36 131 ----a-w- c:\windows\IDB.zip
2010-01-17 02:10:36 1152444 ----a-w- c:\windows\UDB.zip
2010-01-17 02:08:17 7387 ----a-w- c:\windows\system32\drivers\pctgntdi.cat
2010-01-17 02:08:17 233136 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2010-01-17 02:08:11 87784 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2010-01-17 02:08:11 7412 ----a-w- c:\windows\system32\drivers\PCTAppEvent.cat
2010-01-17 02:08:11 7383 ----a-w- c:\windows\system32\drivers\pctcore.cat
2010-01-17 02:08:11 207792 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2010-01-17 02:08:06 7383 ----a-w- c:\windows\system32\drivers\pctplsg.cat
2010-01-17 02:08:06 70408 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2010-01-17 02:08:01 0 d-----w- c:\program files\Spyware Doctor
2010-01-17 02:08:01 0 d-----w- c:\program files\common files\PC Tools
2010-01-17 02:08:01 0 d-----w- c:\docume~1\alluse~1\applic~1\PC Tools
2010-01-17 02:08:01 0 d-----w- c:\docume~1\admini~1\applic~1\PC Tools
2010-01-17 01:27:06 0 d-----w- c:\windows\system32\LogFiles
2010-01-16 01:28:28 266240 ----a-w- c:\windows\system32\CSHelper.exe
2010-01-16 01:28:28 225280 ----a-w- c:\windows\system32\CSInstru.DLL
2010-01-13 05:59:23 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll
2010-01-06 22:02:14 0 d-----w- C:\.jagex_cache_32
2010-01-05 10:00:29 832512 ------w- c:\windows\system32\SET6.tmp
2010-01-05 10:00:28 233472 ----a-w- c:\windows\system32\SET7.tmp
2010-01-05 10:00:28 1168384 ----a-w- c:\windows\system32\SET8.tmp
2010-01-05 10:00:28 105984 ----a-w- c:\windows\system32\SET9.tmp
2010-01-05 10:00:26 3599360 ------w- c:\windows\system32\SETF.tmp
2010-01-05 10:00:25 52224 ----a-w- c:\windows\system32\SET10.tmp
2010-01-05 10:00:24 459264 ----a-w- c:\windows\system32\SET11.tmp
2010-01-05 10:00:24 268288 ----a-w- c:\windows\system32\SET15.tmp
2010-01-05 10:00:23 6067200 ----a-w- c:\windows\system32\SET19.tmp
2010-01-05 10:00:21 63488 ----a-w- c:\windows\system32\SET20.tmp
2010-01-05 10:00:21 380928 ----a-w- c:\windows\system32\SET1B.tmp
2010-01-05 10:00:20 124928 ----a-w- c:\windows\system32\SET24.tmp
2010-01-03 08:23:41 552 ----a-w- c:\windows\system32\d3d8caps.dat
2010-01-03 08:23:17 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-12-29 20:14:04 69 ----a-w- c:\documents and settings\administrator\jagex_runescape_preferences2.dat
2009-12-29 20:13:00 39 ----a-w- c:\documents and settings\administrator\jagex_runescape_preferences.dat
2009-12-29 20:12:49 0 d-----w- c:\windows\.jagex_cache_32

==================== Find3M ====================

2010-01-23 20:26:49 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-01-21 23:25:55 96512 ------w- c:\windows\system32\drivers\atapi.sys
2010-01-14 17:12:06 181120 ------w- c:\windows\system32\MpSigStub.exe
2010-01-05 10:00:21 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-01-05 10:00:20 17408 ----a-w- c:\windows\system32\corpol.dll
2009-11-27 21:10:35 21640 ----a-w- c:\windows\system32\emptyregdb.dat
2009-10-29 07:46:59 832512 ------w- c:\windows\system32\wininet.dll
2009-10-28 14:38:47 348160 ----a-w- c:\windows\system32\msvcr71.dll
2009-10-28 14:38:46 499712 ----a-w- c:\windows\system32\msvcp71.dll
1601-01-01 00:03:28 39424 --sha-w- c:\windows\system32\bokeneja.dll
1601-01-01 00:03:28 61440 --sha-w- c:\windows\system32\mipolawe.dll
1601-01-01 00:03:28 39424 --sha-w- c:\windows\system32\safodaru.dll

============= FINISH: 16:16:36.93 ===============

 

[Blade81]

Hi Haley,

Please upload C:\Qoobox\Quarantine\[4]-Submit_2010-01-23_14.51.14.zip file to this website: http://www.bleepingcomputer.com/submit-malware.php?channel=4

Kindly include a link to this topic in the message.


Open notepad and copy/paste the text in the quotebox below into it:

File::
c:\windows\system32\bokeneja.dll
c:\windows\system32\mipolawe.dll
c:\windows\system32\safodaru.dll
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\YHCVWX45\book[1].htm
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\YHCVWX45\book[2].htm
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C4BF49A2-94F1-42BD-F034-3604811C807D}]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\SharedTaskScheduler]
"{C4BF49A2-94F1-42BD-F034-3604811C807D}"=-

Save this as
CFScript

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.

Close all browser windows and refering to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log & fresh dds log.

 

[beautygirlhaley]

file not found??

When I try to upload that file to bleepingcomputer.com, it tells me that the file is not found? I have not run combofix again yet.

 

[Blade81]

Maybe protection software nuked the zip. Could you take a look in C:\Qoobox\Quarantine folder and see if the file is present? If it isn't then skip uploading part and continue with other steps.

 

[beautygirlhaley]

dds won't run?

Ok, the quarantine file is definitely not there. Don't know where that sucker went. I ran combofix and the log is posted below. When I tried to run dds, the window came up asking if I wanted to run , but after I clicked it nothing happened???


ComboFix 10-01-24.05 - Administrator 01/25/2010 10:41:04.3.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.958.545 [GMT -6:00]
Running from: c:\documents and settings\Administrator\Desktop\haleysfix.exe
Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript.txt
AV: Microsoft Security Essentials *On-access scanning disabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}

FILE ::
"c:\windows\system32\bokeneja.dll"
"c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\YHCVWX45\book[1].htm"
"c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\YHCVWX45\book[2].htm"
"c:\windows\system32\mipolawe.dll"
"c:\windows\system32\safodaru.dll"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\mipolawe.dll

.
((((((((((((((((((((((((( Files Created from 2009-12-25 to 2010-01-25 )))))))))))))))))))))))))))))))
.

2010-01-23 20:51 . 2008-04-14 00:12 15360 -c--a-w- c:\windows\system32\dllcache\ctfmon.exe
2010-01-23 20:51 . 2008-04-14 00:12 15360 ------w- c:\windows\system32\ctfmon.exe
2010-01-23 20:34 . 2010-01-23 20:34 -------- d-----w- c:\documents and settings\Default User\Local Settings\Application Data\Adobe
2010-01-23 20:34 . 2010-01-23 20:34 -------- d-----w- c:\program files\Common Files\Adobe
2010-01-23 20:33 . 2009-11-20 11:08 38784 ----a-w- c:\documents and settings\Administrator\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2010-01-23 20:33 . 2009-11-20 11:08 38784 ----a-w- c:\documents and settings\Default User\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2010-01-23 20:33 . 2010-01-23 20:33 -------- d-----w- c:\program files\Common Files\Adobe AIR
2010-01-23 20:32 . 2010-01-23 20:32 86016 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe
2010-01-23 20:27 . 2010-01-23 20:27 -------- d-----w- c:\program files\Common Files\Java
2010-01-23 20:27 . 2010-01-23 20:27 503808 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-23d147d4-n\msvcp71.dll
2010-01-23 20:27 . 2010-01-23 20:27 499712 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-23d147d4-n\jmc.dll
2010-01-23 20:27 . 2010-01-23 20:27 348160 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-23d147d4-n\msvcr71.dll
2010-01-23 20:27 . 2010-01-23 20:27 61440 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-65ce984d-n\decora-sse.dll
2010-01-23 20:27 . 2010-01-23 20:27 12800 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-65ce984d-n\decora-d3d.dll
2010-01-23 20:26 . 2010-01-23 20:26 -------- d-----w- c:\program files\Java
2010-01-23 20:15 . 2010-01-23 20:15 152576 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2010-01-23 20:15 . 2010-01-23 20:15 79488 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2010-01-23 03:37 . 2010-01-23 03:37 -------- d-----w- C:\BJPrinter
2010-01-23 03:23 . 2010-01-23 03:23 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Help
2010-01-23 00:13 . 2010-01-07 22:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-23 00:13 . 2010-01-07 22:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-17 04:13 . 2010-01-17 04:13 -------- d-----w- c:\program files\Trend Micro
2010-01-17 04:10 . 2010-01-17 04:11 -------- d-----w- c:\program files\ERUNT
2010-01-17 02:48 . 2010-01-23 00:13 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-17 02:48 . 2010-01-17 02:48 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-01-17 02:08 . 2010-01-17 02:08 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2010-01-17 02:08 . 2010-01-17 02:08 -------- d-----w- c:\documents and settings\Administrator\Application Data\PC Tools
2010-01-17 02:07 . 2010-01-25 00:21 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-01-17 01:27 . 2010-01-17 01:27 -------- d-----w- c:\windows\system32\LogFiles
2010-01-16 01:28 . 2010-01-16 01:28 266240 ----a-w- c:\windows\system32\CSHelper.exe
2010-01-16 01:28 . 2010-01-16 01:28 225280 ----a-w- c:\windows\system32\CSInstru.DLL
2010-01-13 05:59 . 2009-11-21 15:51 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll
2010-01-06 22:02 . 2010-01-06 22:02 -------- d-----w- C:\.jagex_cache_32
2010-01-03 08:23 . 2010-01-03 08:23 552 ----a-w- c:\windows\system32\d3d8caps.dat
2010-01-03 08:23 . 2010-01-25 06:20 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-12-29 20:14 . 2010-01-14 23:07 69 ----a-w- c:\documents and settings\Administrator\jagex_runescape_preferences2.dat
2009-12-29 20:13 . 2010-01-14 23:06 39 ----a-w- c:\documents and settings\Administrator\jagex_runescape_preferences.dat
2009-12-29 20:12 . 2009-12-29 22:03 -------- d-----w- c:\windows\.jagex_cache_32

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-23 20:49 . 2009-12-01 00:50 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2010-01-23 20:26 . 2009-12-24 21:51 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-01-22 11:33 . 2010-01-22 11:33 0 ---ha-w- c:\windows\system32\BIT13.tmp
2010-01-21 23:25 . 2004-08-10 12:00 96512 ------w- c:\windows\system32\drivers\atapi.sys
2010-01-21 21:28 . 2010-01-17 02:08 -------- d-----w- c:\program files\Spyware Doctor
2010-01-17 02:10 . 2010-01-17 02:08 -------- d-----w- c:\program files\Common Files\PC Tools
2010-01-14 17:12 . 2009-11-29 02:38 181120 ------w- c:\windows\system32\MpSigStub.exe
2010-01-05 10:00 . 2004-08-10 12:00 832512 ----a-w- c:\windows\system32\wininet.dll
2010-01-05 10:00 . 2004-08-10 12:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-01-05 10:00 . 2004-08-10 12:00 17408 ----a-w- c:\windows\system32\corpol.dll
2010-01-04 00:12 . 2009-11-28 00:56 17768 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-12-21 16:19 . 2009-12-21 16:02 -------- d-----w- c:\documents and settings\Administrator\Application Data\GetRightToGo
2009-12-21 15:53 . 2009-12-21 15:53 -------- d-----w- c:\program files\MSECache
2009-12-20 22:16 . 2009-12-20 22:16 -------- d-----w- c:\program files\Wisdom-soft ScreenHunter 5 Free
2009-12-05 02:43 . 2009-11-29 02:51 -------- d-----w- c:\program files\Common Files\aol
2009-12-03 16:42 . 2009-12-03 16:42 423464 ----a-w- c:\documents and settings\Administrator\Application Data\E-centives\BSTIEPrintCtl1.dll
2009-12-03 16:42 . 2009-12-03 16:42 -------- d-----w- c:\documents and settings\Administrator\Application Data\E-centives
2009-12-02 17:14 . 2009-12-02 17:14 -------- d-----w- c:\documents and settings\Administrator\Application Data\WeatherBug
2009-12-02 17:14 . 2009-12-02 17:14 18944 ----a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{8F931595-5561-4E26-AC78-7E9B1E3E9C98}\IconBB6A16301.exe
2009-12-02 17:14 . 2009-12-02 17:14 11264 ----a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{8F931595-5561-4E26-AC78-7E9B1E3E9C98}\IconBB6A1630.exe
2009-12-02 17:14 . 2009-12-02 17:14 -------- d-----w- c:\program files\AWS
2009-12-02 15:04 . 2009-12-02 14:37 -------- d-----w- c:\documents and settings\Administrator\Application Data\ICAClient
2009-12-02 14:37 . 2009-12-02 14:37 -------- d-----w- c:\program files\Citrix
2009-11-30 15:31 . 2009-11-29 02:51 -------- d-----w- c:\program files\AOL 9.5
2009-11-30 05:03 . 2009-11-29 02:54 -------- d-----w- c:\documents and settings\Administrator\Application Data\AOL
2009-11-29 03:47 . 2009-11-29 03:47 -------- d-----w- c:\documents and settings\All Users\Application Data\RoboForm
2009-11-29 03:46 . 2009-11-29 03:46 -------- d-----w- c:\program files\Siber Systems
2009-11-29 02:54 . 2009-11-29 02:51 -------- d-----w- c:\documents and settings\All Users\Application Data\AOL
2009-11-29 02:53 . 2009-11-29 02:51 -------- d-----w- c:\program files\Common Files\aolshare
2009-11-29 02:53 . 2009-11-29 02:53 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
2009-11-29 02:53 . 2009-11-29 02:53 -------- d-----w- c:\program files\Viewpoint
2009-11-29 02:52 . 2009-11-29 02:52 -------- d-----w- c:\documents and settings\All Users\Application Data\AOL OCP
2009-11-29 02:49 . 2009-11-29 02:47 43732816 ----a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\waol_single\4337.155.1.1\setup.exe
2009-11-29 02:47 . 2009-11-29 02:47 42960 ----a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\waol_single\4337.155.1.1\noneCodesignFilesBundle.exe
2009-11-29 02:47 . 2009-11-29 02:47 335 ----a-w- c:\windows\nsreg.dat
2009-11-29 02:47 . 2009-11-29 02:47 -------- d-----w- c:\documents and settings\All Users\Application Data\AOL Downloads
2009-11-29 02:36 . 2009-11-29 02:36 -------- d-----w- c:\program files\Microsoft Security Essentials
2009-11-28 00:57 . 2009-11-27 23:52 -------- d-----w- c:\documents and settings\All Users\Application Data\DriverScanner
2009-11-28 00:57 . 2009-11-27 23:52 -------- d-----w- c:\documents and settings\Administrator\Application Data\Uniblue
2009-11-28 00:55 . 2009-11-28 00:55 136 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\fusioncache.dat
2009-11-28 00:55 . 2009-11-28 00:55 -------- d-----w- c:\documents and settings\Administrator\Application Data\ATI
2009-11-28 00:51 . 2009-11-28 00:51 -------- d-----w- c:\program files\MSBuild
2009-11-28 00:51 . 2009-11-28 00:51 -------- d-----w- c:\program files\Reference Assemblies
2009-11-28 00:41 . 2009-11-28 00:41 -------- d-----w- c:\program files\CCleaner
2009-11-28 00:36 . 2009-11-28 00:35 -------- d-----w- c:\program files\ATI Technologies
2009-11-28 00:36 . 2009-11-28 00:22 -------- d-----w- c:\program files\Common Files\InstallShield
2009-11-28 00:36 . 2009-11-28 00:23 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-11-28 00:23 . 2009-11-28 00:23 -------- d-----w- c:\program files\Realtek AC97
2009-11-27 23:32 . 2009-11-27 23:32 -------- d-----w- c:\program files\LSI SoftModem
2009-11-27 22:02 . 2009-11-27 21:18 86811 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-11-27 21:19 . 2009-11-27 21:19 -------- d-----w- c:\program files\microsoft frontpage
2009-11-27 21:10 . 2009-11-27 21:10 21640 ----a-w- c:\windows\system32\emptyregdb.dat
2009-11-27 21:09 . 2009-11-27 21:09 -------- d-----w- c:\program files\Windows Plus
2009-11-21 15:51 . 2004-08-10 12:00 471552 ----a-w- c:\windows\AppPatch\aclayers.dll
2009-11-10 16:28 . 2010-01-17 02:10 149456 ----a-w- c:\windows\SGDetectionTool.dll
2009-11-10 16:28 . 2010-01-17 02:10 165840 ----a-w- c:\windows\PCTBDRes.dll
2009-11-10 16:28 . 2010-01-17 02:10 1640400 ----a-w- c:\windows\PCTBDCore.dll
2009-11-10 16:26 . 2010-01-17 02:10 767952 ----a-w- c:\windows\BDTSupport.dll
2009-11-09 17:20 . 2010-01-17 02:08 207792 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2009-10-30 17:11 . 2010-01-17 02:08 233136 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2009-10-28 14:38 . 2009-10-28 14:38 348160 ----a-w- c:\windows\system32\msvcr71.dll
2009-10-28 14:38 . 2009-10-28 14:38 499712 ----a-w- c:\windows\system32\msvcp71.dll
2009-10-28 07:36 . 2010-01-17 02:10 1152444 ----a-w- c:\windows\UDB.zip
.

((((((((((((((((((((((((((((( SnapShot@2010-01-22_18.32.53 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-01-25 00:21 . 2010-01-25 00:21 16384 c:\windows\Temp\Perflib_Perfdata_788.dat
- 2004-08-10 12:00 . 2009-10-29 07:46 44544 c:\windows\system32\pngfilt.dll
+ 2004-08-10 12:00 . 2010-01-05 10:00 44544 c:\windows\system32\pngfilt.dll
+ 2004-08-10 12:00 . 2008-04-14 00:12 69120 c:\windows\system32\notepad.exe
- 2007-08-14 02:54 . 2009-10-29 07:46 52224 c:\windows\system32\msfeedsbs.dll
+ 2007-08-14 02:54 . 2010-01-05 10:00 52224 c:\windows\system32\msfeedsbs.dll
+ 2010-01-23 20:37 . 2010-01-23 20:37 84507 c:\windows\system32\Macromed\Flash\uninstall_activeX.exe
- 2004-08-10 12:00 . 2009-10-29 07:46 27648 c:\windows\system32\jsproxy.dll
+ 2004-08-10 12:00 . 2010-01-05 10:00 27648 c:\windows\system32\jsproxy.dll
+ 2007-08-14 02:39 . 2009-12-31 15:33 13824 c:\windows\system32\ieudinit.exe
- 2007-08-14 02:39 . 2009-10-28 14:36 13824 c:\windows\system32\ieudinit.exe
+ 2004-08-10 12:00 . 2010-01-05 10:00 44544 c:\windows\system32\iernonce.dll
- 2004-08-10 12:00 . 2009-10-29 07:46 44544 c:\windows\system32\iernonce.dll
- 2004-08-10 12:00 . 2009-10-28 14:36 70656 c:\windows\system32\ie4uinit.exe
+ 2004-08-10 12:00 . 2009-12-31 15:33 70656 c:\windows\system32\ie4uinit.exe
- 2007-08-14 02:36 . 2009-10-29 07:46 63488 c:\windows\system32\icardie.dll
+ 2007-08-14 02:36 . 2010-01-05 10:00 63488 c:\windows\system32\icardie.dll
+ 2007-08-14 02:36 . 2010-01-05 10:00 44544 c:\windows\system32\dllcache\pngfilt.dll
- 2007-08-14 02:36 . 2009-10-29 07:46 44544 c:\windows\system32\dllcache\pngfilt.dll
- 2009-11-27 23:11 . 2009-10-29 07:46 52224 c:\windows\system32\dllcache\msfeedsbs.dll
+ 2009-11-27 23:11 . 2010-01-05 10:00 52224 c:\windows\system32\dllcache\msfeedsbs.dll
- 2007-08-14 02:54 . 2009-10-29 07:46 27648 c:\windows\system32\dllcache\jsproxy.dll
+ 2007-08-14 02:54 . 2010-01-05 10:00 27648 c:\windows\system32\dllcache\jsproxy.dll
- 2009-11-27 23:11 . 2009-10-28 14:36 13824 c:\windows\system32\dllcache\ieudinit.exe
+ 2009-11-27 23:11 . 2009-12-31 15:33 13824 c:\windows\system32\dllcache\ieudinit.exe
+ 2007-08-14 02:39 . 2010-01-05 10:00 44544 c:\windows\system32\dllcache\iernonce.dll
- 2007-08-14 02:39 . 2009-10-29 07:46 44544 c:\windows\system32\dllcache\iernonce.dll
- 2009-09-25 05:37 . 2009-10-29 07:46 78336 c:\windows\system32\dllcache\ieencode.dll
+ 2009-09-25 05:37 . 2010-01-05 10:00 78336 c:\windows\system32\dllcache\ieencode.dll
+ 2007-08-14 02:39 . 2009-12-31 15:33 70656 c:\windows\system32\dllcache\ie4uinit.exe
- 2007-08-14 02:39 . 2009-10-28 14:36 70656 c:\windows\system32\dllcache\ie4uinit.exe
+ 2009-11-27 23:11 . 2010-01-05 10:00 63488 c:\windows\system32\dllcache\icardie.dll
- 2009-11-27 23:11 . 2009-10-29 07:46 63488 c:\windows\system32\dllcache\icardie.dll
+ 2007-08-14 02:42 . 2010-01-05 10:00 17408 c:\windows\system32\dllcache\corpol.dll
- 2007-08-14 02:42 . 2009-10-29 07:46 17408 c:\windows\system32\dllcache\corpol.dll
+ 2010-01-23 20:33 . 2010-01-23 20:33 24576 c:\windows\Installer\2e40e.msi
+ 2010-01-23 20:33 . 2010-01-23 20:33 27648 c:\windows\Installer\2e3fa.msi
+ 2010-01-23 21:01 . 2009-10-29 07:46 44544 c:\windows\ie7updates\KB978207-IE7\pngfilt.dll
+ 2010-01-23 21:01 . 2009-10-29 07:46 52224 c:\windows\ie7updates\KB978207-IE7\msfeedsbs.dll
+ 2010-01-23 21:01 . 2009-10-29 07:46 27648 c:\windows\ie7updates\KB978207-IE7\jsproxy.dll
+ 2010-01-23 21:01 . 2009-10-28 14:36 13824 c:\windows\ie7updates\KB978207-IE7\ieudinit.exe
+ 2010-01-23 21:01 . 2009-10-29 07:46 44544 c:\windows\ie7updates\KB978207-IE7\iernonce.dll
+ 2010-01-23 21:01 . 2009-10-29 07:46 78336 c:\windows\ie7updates\KB978207-IE7\ieencode.dll
+ 2010-01-23 21:01 . 2009-10-28 14:36 70656 c:\windows\ie7updates\KB978207-IE7\ie4uinit.exe
+ 2010-01-23 21:01 . 2009-10-29 07:46 63488 c:\windows\ie7updates\KB978207-IE7\icardie.dll
+ 2010-01-23 21:01 . 2009-10-29 07:46 17408 c:\windows\ie7updates\KB978207-IE7\corpol.dll
+ 2004-08-10 12:00 . 2010-01-05 10:00 233472 c:\windows\system32\webcheck.dll
- 2004-08-10 12:00 . 2009-10-29 07:46 233472 c:\windows\system32\webcheck.dll
+ 2009-11-27 21:01 . 2008-04-14 00:12 126464 c:\windows\system32\wbem\wmiapsrv.exe
+ 2004-08-10 12:00 . 2010-01-05 10:00 105984 c:\windows\system32\url.dll
- 2004-08-10 12:00 . 2009-10-29 07:46 105984 c:\windows\system32\url.dll
+ 2009-12-01 00:06 . 2004-02-03 13:00 119808 c:\windows\system32\spool\drivers\w32x86\3\CNMSM58.EXE
- 2004-08-10 12:00 . 2009-10-29 07:46 102912 c:\windows\system32\occache.dll
+ 2004-08-10 12:00 . 2010-01-05 10:00 102912 c:\windows\system32\occache.dll
- 2004-08-10 12:00 . 2009-10-29 07:46 671232 c:\windows\system32\mstime.dll
+ 2004-08-10 12:00 . 2010-01-05 10:00 671232 c:\windows\system32\mstime.dll
- 2004-08-10 12:00 . 2009-10-29 07:46 193024 c:\windows\system32\msrating.dll
+ 2004-08-10 12:00 . 2010-01-05 10:00 193024 c:\windows\system32\msrating.dll
+ 2004-08-10 12:00 . 2010-01-05 10:00 477696 c:\windows\system32\mshtmled.dll
- 2004-08-10 12:00 . 2009-10-29 07:46 477696 c:\windows\system32\mshtmled.dll
- 2007-08-14 02:54 . 2009-10-29 07:46 459264 c:\windows\system32\msfeeds.dll
+ 2007-08-14 02:54 . 2010-01-05 10:00 459264 c:\windows\system32\msfeeds.dll
+ 2009-11-03 00:24 . 2009-11-03 00:24 257440 c:\windows\system32\Macromed\Flash\FlashUtil10d.exe
+ 2004-08-10 12:00 . 2008-04-14 00:12 514560 c:\windows\system32\logonui.exe
+ 2010-01-23 20:27 . 2010-01-23 20:26 153376 c:\windows\system32\javaws.exe
- 2009-12-24 21:51 . 2009-12-24 21:51 145184 c:\windows\system32\javaw.exe
+ 2010-01-23 20:27 . 2010-01-23 20:26 145184 c:\windows\system32\javaw.exe
- 2009-12-24 21:51 . 2009-12-24 21:51 145184 c:\windows\system32\java.exe
+ 2010-01-23 20:27 . 2010-01-23 20:26 145184 c:\windows\system32\java.exe
+ 2007-08-14 02:34 . 2010-01-05 10:00 268288 c:\windows\system32\iertutil.dll
- 2007-08-14 02:34 . 2009-10-29 07:46 268288 c:\windows\system32\iertutil.dll
+ 2004-08-10 12:00 . 2010-01-05 10:00 192512 c:\windows\system32\iepeers.dll
- 2004-08-10 12:00 . 2009-10-29 07:46 385024 c:\windows\system32\iedkcs32.dll
+ 2004-08-10 12:00 . 2010-01-05 10:00 385024 c:\windows\system32\iedkcs32.dll
- 2007-07-11 20:27 . 2009-10-29 07:46 380928 c:\windows\system32\ieapfltr.dll
+ 2007-07-11 20:27 . 2010-01-05 10:00 380928 c:\windows\system32\ieapfltr.dll
- 2004-08-10 12:00 . 2009-10-28 06:52 161792 c:\windows\system32\ieakui.dll
+ 2004-08-10 12:00 . 2009-12-18 13:04 161792 c:\windows\system32\ieakui.dll
+ 2004-08-10 12:00 . 2010-01-05 10:00 230400 c:\windows\system32\ieaksie.dll
- 2004-08-10 12:00 . 2009-10-29 07:46 230400 c:\windows\system32\ieaksie.dll
+ 2004-08-10 12:00 . 2010-01-05 10:00 153088 c:\windows\system32\ieakeng.dll
- 2004-08-10 12:00 . 2009-10-29 07:46 153088 c:\windows\system32\ieakeng.dll
+ 2004-08-10 12:00 . 2010-01-05 10:00 133120 c:\windows\system32\extmgr.dll
- 2004-08-10 12:00 . 2009-10-29 07:46 133120 c:\windows\system32\extmgr.dll
- 2004-08-10 12:00 . 2009-10-29 07:46 214528 c:\windows\system32\dxtrans.dll
+ 2004-08-10 12:00 . 2010-01-05 10:00 214528 c:\windows\system32\dxtrans.dll
+ 2004-08-10 12:00 . 2010-01-05 10:00 347136 c:\windows\system32\dxtmsft.dll
- 2004-08-10 12:00 . 2009-10-29 07:46 347136 c:\windows\system32\dxtmsft.dll
+ 2009-09-25 05:37 . 2010-01-05 10:00 832512 c:\windows\system32\dllcache\wininet.dll
- 2009-09-25 05:37 . 2009-10-29 07:46 832512 c:\windows\system32\dllcache\wininet.dll
+ 2007-08-14 02:54 . 2010-01-05 10:00 233472 c:\windows\system32\dllcache\webcheck.dll
- 2007-08-14 02:54 . 2009-10-29 07:46 233472 c:\windows\system32\dllcache\webcheck.dll
+ 2007-08-14 02:44 . 2010-01-05 10:00 105984 c:\windows\system32\dllcache\url.dll
- 2007-08-14 02:44 . 2009-10-29 07:46 105984 c:\windows\system32\dllcache\url.dll
+ 2007-08-14 02:44 . 2010-01-05 10:00 102912 c:\windows\system32\dllcache\occache.dll
- 2007-08-14 02:44 . 2009-10-29 07:46 102912 c:\windows\system32\dllcache\occache.dll
+ 2007-08-14 02:54 . 2010-01-05 10:00 671232 c:\windows\system32\dllcache\mstime.dll
- 2007-08-14 02:54 . 2009-10-29 07:46 671232 c:\windows\system32\dllcache\mstime.dll
- 2007-08-14 02:44 . 2009-10-29 07:46 193024 c:\windows\system32\dllcache\msrating.dll
+ 2007-08-14 02:44 . 2010-01-05 10:00 193024 c:\windows\system32\dllcache\msrating.dll
- 2007-08-14 02:54 . 2009-10-29 07:46 477696 c:\windows\system32\dllcache\mshtmled.dll
+ 2007-08-14 02:54 . 2010-01-05 10:00 477696 c:\windows\system32\dllcache\mshtmled.dll
+ 2009-11-27 23:11 . 2010-01-05 10:00 459264 c:\windows\system32\dllcache\msfeeds.dll
- 2009-11-27 23:11 . 2009-10-29 07:46 459264 c:\windows\system32\dllcache\msfeeds.dll
+ 2007-08-14 02:43 . 2009-12-18 13:05 634648 c:\windows\system32\dllcache\iexplore.exe
+ 2009-11-27 23:11 . 2010-01-05 10:00 268288 c:\windows\system32\dllcache\iertutil.dll
- 2009-11-27 23:11 . 2009-10-29 07:46 268288 c:\windows\system32\dllcache\iertutil.dll
+ 2007-08-14 02:54 . 2010-01-05 10:00 192512 c:\windows\system32\dllcache\iepeers.dll
+ 2007-08-14 02:39 . 2010-01-05 10:00 385024 c:\windows\system32\dllcache\iedkcs32.dll
- 2007-08-14 02:39 . 2009-10-29 07:46 385024 c:\windows\system32\dllcache\iedkcs32.dll
- 2009-11-27 23:11 . 2009-10-29 07:46 380928 c:\windows\system32\dllcache\ieapfltr.dll
+ 2009-11-27 23:11 . 2010-01-05 10:00 380928 c:\windows\system32\dllcache\ieapfltr.dll
- 2004-08-10 12:00 . 2009-10-28 06:52 161792 c:\windows\system32\dllcache\ieakui.dll
+ 2004-08-10 12:00 . 2009-12-18 13:04 161792 c:\windows\system32\dllcache\ieakui.dll
- 2007-08-14 02:39 . 2009-10-29 07:46 230400 c:\windows\system32\dllcache\ieaksie.dll
+ 2007-08-14 02:39 . 2010-01-05 10:00 230400 c:\windows\system32\dllcache\ieaksie.dll
- 2007-08-14 02:39 . 2009-10-29 07:46 153088 c:\windows\system32\dllcache\ieakeng.dll
+ 2007-08-14 02:39 . 2010-01-05 10:00 153088 c:\windows\system32\dllcache\ieakeng.dll
+ 2007-08-14 02:54 . 2010-01-05 10:00 133120 c:\windows\system32\dllcache\extmgr.dll
- 2007-08-14 02:54 . 2009-10-29 07:46 133120 c:\windows\system32\dllcache\extmgr.dll
+ 2007-08-14 02:35 . 2010-01-05 10:00 214528 c:\windows\system32\dllcache\dxtrans.dll
- 2007-08-14 02:35 . 2009-10-29 07:46 214528 c:\windows\system32\dllcache\dxtrans.dll
- 2007-08-14 02:35 . 2009-10-29 07:46 347136 c:\windows\system32\dllcache\dxtmsft.dll
+ 2007-08-14 02:35 . 2010-01-05 10:00 347136 c:\windows\system32\dllcache\dxtmsft.dll
+ 2007-08-14 02:39 . 2010-01-05 10:00 124928 c:\windows\system32\dllcache\advpack.dll
- 2007-08-14 02:39 . 2009-10-29 07:46 124928 c:\windows\system32\dllcache\advpack.dll
- 2004-08-10 12:00 . 2009-10-29 07:46 124928 c:\windows\system32\advpack.dll
+ 2004-08-10 12:00 . 2010-01-05 10:00 124928 c:\windows\system32\advpack.dll
+ 2010-01-23 20:27 . 2010-01-23 20:27 178176 c:\windows\Installer\2e2ed.msi
+ 2010-01-23 20:26 . 2010-01-23 20:26 576000 c:\windows\Installer\2e2e8.msi
+ 2010-01-23 21:01 . 2009-10-29 07:46 832512 c:\windows\ie7updates\KB978207-IE7\wininet.dll
+ 2010-01-23 21:01 . 2009-10-29 07:46 233472 c:\windows\ie7updates\KB978207-IE7\webcheck.dll
+ 2010-01-23 21:01 . 2009-10-29 07:46 105984 c:\windows\ie7updates\KB978207-IE7\url.dll
+ 2010-01-23 21:01 . 2009-05-26 11:40 382840 c:\windows\ie7updates\KB978207-IE7\spuninst\updspapi.dll
+ 2010-01-23 21:01 . 2009-05-26 11:40 231288 c:\windows\ie7updates\KB978207-IE7\spuninst\spuninst.exe
+ 2010-01-23 21:01 . 2009-10-29 07:46 102912 c:\windows\ie7updates\KB978207-IE7\occache.dll
+ 2010-01-23 21:01 . 2009-10-29 07:46 671232 c:\windows\ie7updates\KB978207-IE7\mstime.dll
+ 2010-01-23 21:01 . 2009-10-29 07:46 193024 c:\windows\ie7updates\KB978207-IE7\msrating.dll
+ 2010-01-23 21:01 . 2009-10-29 07:46 477696 c:\windows\ie7updates\KB978207-IE7\mshtmled.dll
+ 2010-01-23 21:01 . 2009-10-29 07:46 459264 c:\windows\ie7updates\KB978207-IE7\msfeeds.dll
+ 2010-01-23 21:01 . 2009-10-28 06:54 634632 c:\windows\ie7updates\KB978207-IE7\iexplore.exe
+ 2010-01-23 21:01 . 2009-10-29 07:46 268288 c:\windows\ie7updates\KB978207-IE7\iertutil.dll
+ 2010-01-23 21:01 . 2007-08-14 02:54 191488 c:\windows\ie7updates\KB978207-IE7\iepeers.dll
+ 2010-01-23 21:01 . 2009-10-29 07:46 385024 c:\windows\ie7updates\KB978207-IE7\iedkcs32.dll
+ 2010-01-23 21:01 . 2009-10-29 07:46 380928 c:\windows\ie7updates\KB978207-IE7\ieapfltr.dll
+ 2010-01-23 21:01 . 2009-10-28 06:52 161792 c:\windows\ie7updates\KB978207-IE7\ieakui.dll
+ 2010-01-23 21:01 . 2009-10-29 07:46 230400 c:\windows\ie7updates\KB978207-IE7\ieaksie.dll
+ 2010-01-23 21:01 . 2009-10-29 07:46 153088 c:\windows\ie7updates\KB978207-IE7\ieakeng.dll
+ 2010-01-23 21:01 . 2009-10-29 07:46 133120 c:\windows\ie7updates\KB978207-IE7\extmgr.dll
+ 2010-01-23 21:01 . 2009-10-29 07:46 214528 c:\windows\ie7updates\KB978207-IE7\dxtrans.dll
+ 2010-01-23 21:01 . 2009-10-29 07:46 347136 c:\windows\ie7updates\KB978207-IE7\dxtmsft.dll
+ 2010-01-23 21:01 . 2009-10-29 07:46 124928 c:\windows\ie7updates\KB978207-IE7\advpack.dll
+ 2010-01-25 00:22 . 2010-01-25 00:22 176128 c:\windows\ERDNT\AutoBackup\1-24-2010\Users\00000002\UsrClass.dat
+ 2010-01-25 00:22 . 2005-10-20 18:02 163328 c:\windows\ERDNT\AutoBackup\1-24-2010\ERDNT.EXE
+ 2010-01-23 20:25 . 2010-01-23 20:25 172032 c:\windows\ERDNT\AutoBackup\1-23-2010\Users\00000002\UsrClass.dat
+ 2010-01-23 20:25 . 2005-10-20 18:02 163328 c:\windows\ERDNT\AutoBackup\1-23-2010\ERDNT.EXE
+ 2004-08-10 12:00 . 2010-01-05 10:00 1168384 c:\windows\system32\urlmon.dll
- 2004-08-10 12:00 . 2009-10-29 07:46 1168384 c:\windows\system32\urlmon.dll
+ 2004-08-10 12:00 . 2010-01-05 10:00 3599360 c:\windows\system32\mshtml.dll
- 2007-08-14 02:54 . 2009-10-29 07:46 6067200 c:\windows\system32\ieframe.dll
+ 2007-08-14 02:54 . 2010-01-05 10:00 6067200 c:\windows\system32\ieframe.dll
- 2009-09-25 05:37 . 2009-10-29 07:46 1168384 c:\windows\system32\dllcache\urlmon.dll
+ 2009-09-25 05:37 . 2010-01-05 10:00 1168384 c:\windows\system32\dllcache\urlmon.dll
+ 2009-09-25 05:37 . 2010-01-05 10:00 3599360 c:\windows\system32\dllcache\mshtml.dll
- 2009-11-27 23:11 . 2009-10-29 07:46 6067200 c:\windows\system32\dllcache\ieframe.dll
+ 2009-11-27 23:11 . 2010-01-05 10:00 6067200 c:\windows\system32\dllcache\ieframe.dll
+ 2010-01-23 20:34 . 2010-01-23 20:34 3940352 c:\windows\Installer\2e413.msi
+ 2010-01-23 21:01 . 2009-10-29 07:46 1168384 c:\windows\ie7updates\KB978207-IE7\urlmon.dll
+ 2010-01-23 21:01 . 2009-10-29 07:46 3598336 c:\windows\ie7updates\KB978207-IE7\mshtml.dll
+ 2010-01-23 21:01 . 2009-10-29 07:46 6067200 c:\windows\ie7updates\KB978207-IE7\ieframe.dll
+ 2010-01-25 00:22 . 2010-01-25 00:22 1839104 c:\windows\ERDNT\AutoBackup\1-24-2010\Users\00000001\NTUSER.DAT
+ 2010-01-23 20:25 . 2010-01-23 20:25 1839104 c:\windows\ERDNT\AutoBackup\1-23-2010\Users\00000001\NTUSER.DAT
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"RoboForm"="c:\program files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2009-11-29 160592]
"Weather"="c:\program files\AWS\WeatherBug\Weather.exe" [2009-10-20 1693184]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2004-08-10 59392]
"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 114688]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2005-08-14 57344]
"MSSE"="c:\program files\Microsoft Security Essentials\msseces.exe" [2009-09-14 1048392]
"HostManager"="c:\program files\Common Files\AOL\1259463101\ee\AOLSoftware.exe" [2009-07-20 41264]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-01-11 246504]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]

c:\documents and settings\Administrator\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
ATI CATALYST System Tray.lnk - c:\program files\ATI Technologies\ATI.ACE\CLI.exe [2005-8-14 57344]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\aol\\acs\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\aol\\acs\\AOLacsd.exe"=
"c:\\Program Files\\Common Files\\aol\\1259463101\\ee\\aolsoftware.exe"=
"c:\\Program Files\\AOL 9.5\\waol.exe"=
"c:\\Program Files\\Common Files\\aol\\TopSpeed\\3.0\\aoltpsd3.exe"=
"c:\\Program Files\\Common Files\\aol\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\aol\\System Information\\sinf.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\ATI Technologies\\ATI.ACE\\CLI.exe"=

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [1/16/2010 8:08 PM 207792]
R2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\Spyware Doctor\BDT\BDTUpdateService.exe [1/16/2010 8:10 PM 112592]
S1 fserpuup;fserpuup;\??\c:\windows\system32\drivers\fserpuup.sys --> c:\windows\system32\drivers\fserpuup.sys [?]
S1 mlvothdr;mlvothdr;\??\c:\windows\system32\drivers\mlvothdr.sys --> c:\windows\system32\drivers\mlvothdr.sys [?]
S2 CSHelper;CopySafe Helper Service;c:\windows\system32\CSHelper.exe [1/15/2010 7:28 PM 266240]
S3 diskmgr;diskmgr;c:\windows\system32\diskmgr.sys [8/10/2004 6:00 AM 2304]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [1/16/2010 8:08 PM 359624]
.
Contents of the 'Scheduled Tasks' folder

2010-01-25 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Microsoft Security Essentials\MpCmdRun.exe [2009-07-03 01:36]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.aol.com
IE: Customize Menu - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
IE: Fill Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
IE: RoboForm Toolbar - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
IE: Save Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-25 10:45
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(716)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2010-01-25 10:46:54
ComboFix-quarantined-files.txt 2010-01-25 16:46
ComboFix2.txt 2010-01-23 21:03
ComboFix3.txt 2010-01-22 18:35

Pre-Run: 180,271,689,728 bytes free
Post-Run: 180,428,173,312 bytes free

- - End Of File - - 65E55AA2510D391B303F8C4408E2291E

 

[Blade81]

Hi,

Open notepad and copy/paste the text in the quotebox below into it:

Driver::
fserpuup
mlvothdr
File::
c:\windows\system32\drivers\fserpuup.sys
c:\windows\system32\drivers\mlvothdr.sys

Save this as
CFScript

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.

Close all browser windows, disable antivirus protection and refering to the picture above, drag CFScript into haleysfix.exe.
Then post the resultant log.

Reboot and see if you're able to run DDS.

 

[beautygirlhaley]

ok that worked better!

Alright. Combofix log and successful dds run log are posted below!

ComboFix 10-01-24.05 - Administrator 01/25/2010 11:12:32.4.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.958.471 [GMT -6:00]
Running from: c:\documents and settings\Administrator\Desktop\haleysfix.exe
Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript.txt
AV: Microsoft Security Essentials *On-access scanning disabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}

FILE ::
"c:\windows\system32\drivers\fserpuup.sys"
"c:\windows\system32\drivers\mlvothdr.sys"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_fserpuup
-------\Service_mlvothdr


((((((((((((((((((((((((( Files Created from 2009-12-25 to 2010-01-25 )))))))))))))))))))))))))))))))
.

2010-01-23 20:51 . 2008-04-14 00:12 15360 -c--a-w- c:\windows\system32\dllcache\ctfmon.exe
2010-01-23 20:51 . 2008-04-14 00:12 15360 ------w- c:\windows\system32\ctfmon.exe
2010-01-23 20:34 . 2010-01-23 20:34 -------- d-----w- c:\documents and settings\Default User\Local Settings\Application Data\Adobe
2010-01-23 20:34 . 2010-01-23 20:34 -------- d-----w- c:\program files\Common Files\Adobe
2010-01-23 20:33 . 2009-11-20 11:08 38784 ----a-w- c:\documents and settings\Administrator\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2010-01-23 20:33 . 2009-11-20 11:08 38784 ----a-w- c:\documents and settings\Default User\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2010-01-23 20:33 . 2010-01-23 20:33 -------- d-----w- c:\program files\Common Files\Adobe AIR
2010-01-23 20:32 . 2010-01-23 20:32 86016 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe
2010-01-23 20:27 . 2010-01-23 20:27 -------- d-----w- c:\program files\Common Files\Java
2010-01-23 20:27 . 2010-01-23 20:27 503808 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-23d147d4-n\msvcp71.dll
2010-01-23 20:27 . 2010-01-23 20:27 499712 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-23d147d4-n\jmc.dll
2010-01-23 20:27 . 2010-01-23 20:27 348160 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-23d147d4-n\msvcr71.dll
2010-01-23 20:27 . 2010-01-23 20:27 61440 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-65ce984d-n\decora-sse.dll
2010-01-23 20:27 . 2010-01-23 20:27 12800 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-65ce984d-n\decora-d3d.dll
2010-01-23 20:26 . 2010-01-23 20:26 -------- d-----w- c:\program files\Java
2010-01-23 20:15 . 2010-01-23 20:15 152576 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2010-01-23 20:15 . 2010-01-23 20:15 79488 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2010-01-23 03:37 . 2010-01-23 03:37 -------- d-----w- C:\BJPrinter
2010-01-23 03:23 . 2010-01-23 03:23 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Help
2010-01-23 00:13 . 2010-01-07 22:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-23 00:13 . 2010-01-07 22:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-17 04:13 . 2010-01-17 04:13 -------- d-----w- c:\program files\Trend Micro
2010-01-17 04:10 . 2010-01-17 04:11 -------- d-----w- c:\program files\ERUNT
2010-01-17 02:48 . 2010-01-23 00:13 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-17 02:48 . 2010-01-17 02:48 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-01-17 02:08 . 2010-01-17 02:08 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2010-01-17 02:08 . 2010-01-17 02:08 -------- d-----w- c:\documents and settings\Administrator\Application Data\PC Tools
2010-01-17 02:07 . 2010-01-25 17:16 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-01-17 01:27 . 2010-01-17 01:27 -------- d-----w- c:\windows\system32\LogFiles
2010-01-16 01:28 . 2010-01-16 01:28 266240 ----a-w- c:\windows\system32\CSHelper.exe
2010-01-16 01:28 . 2010-01-16 01:28 225280 ----a-w- c:\windows\system32\CSInstru.DLL
2010-01-13 05:59 . 2009-11-21 15:51 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll
2010-01-06 22:02 . 2010-01-06 22:02 -------- d-----w- C:\.jagex_cache_32
2010-01-03 08:23 . 2010-01-03 08:23 552 ----a-w- c:\windows\system32\d3d8caps.dat
2010-01-03 08:23 . 2010-01-25 06:20 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-12-29 20:14 . 2010-01-14 23:07 69 ----a-w- c:\documents and settings\Administrator\jagex_runescape_preferences2.dat
2009-12-29 20:13 . 2010-01-14 23:06 39 ----a-w- c:\documents and settings\Administrator\jagex_runescape_preferences.dat
2009-12-29 20:12 . 2009-12-29 22:03 -------- d-----w- c:\windows\.jagex_cache_32

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-23 20:49 . 2009-12-01 00:50 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2010-01-23 20:26 . 2009-12-24 21:51 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-01-22 11:33 . 2010-01-22 11:33 0 ---ha-w- c:\windows\system32\BIT13.tmp
2010-01-21 23:25 . 2004-08-10 12:00 96512 ------w- c:\windows\system32\drivers\atapi.sys
2010-01-21 21:28 . 2010-01-17 02:08 -------- d-----w- c:\program files\Spyware Doctor
2010-01-17 02:10 . 2010-01-17 02:08 -------- d-----w- c:\program files\Common Files\PC Tools
2010-01-14 17:12 . 2009-11-29 02:38 181120 ------w- c:\windows\system32\MpSigStub.exe
2010-01-05 10:00 . 2004-08-10 12:00 832512 ------w- c:\windows\system32\wininet.dll
2010-01-05 10:00 . 2004-08-10 12:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-01-05 10:00 . 2004-08-10 12:00 17408 ----a-w- c:\windows\system32\corpol.dll
2010-01-04 00:12 . 2009-11-28 00:56 17768 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-12-21 16:19 . 2009-12-21 16:02 -------- d-----w- c:\documents and settings\Administrator\Application Data\GetRightToGo
2009-12-21 15:53 . 2009-12-21 15:53 -------- d-----w- c:\program files\MSECache
2009-12-20 22:16 . 2009-12-20 22:16 -------- d-----w- c:\program files\Wisdom-soft ScreenHunter 5 Free
2009-12-05 02:43 . 2009-11-29 02:51 -------- d-----w- c:\program files\Common Files\aol
2009-12-03 16:42 . 2009-12-03 16:42 423464 ----a-w- c:\documents and settings\Administrator\Application Data\E-centives\BSTIEPrintCtl1.dll
2009-12-03 16:42 . 2009-12-03 16:42 -------- d-----w- c:\documents and settings\Administrator\Application Data\E-centives
2009-12-02 17:14 . 2009-12-02 17:14 -------- d-----w- c:\documents and settings\Administrator\Application Data\WeatherBug
2009-12-02 17:14 . 2009-12-02 17:14 18944 ----a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{8F931595-5561-4E26-AC78-7E9B1E3E9C98}\IconBB6A16301.exe
2009-12-02 17:14 . 2009-12-02 17:14 11264 ----a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{8F931595-5561-4E26-AC78-7E9B1E3E9C98}\IconBB6A1630.exe
2009-12-02 17:14 . 2009-12-02 17:14 -------- d-----w- c:\program files\AWS
2009-12-02 15:04 . 2009-12-02 14:37 -------- d-----w- c:\documents and settings\Administrator\Application Data\ICAClient
2009-12-02 14:37 . 2009-12-02 14:37 -------- d-----w- c:\program files\Citrix
2009-11-30 15:31 . 2009-11-29 02:51 -------- d-----w- c:\program files\AOL 9.5
2009-11-30 05:03 . 2009-11-29 02:54 -------- d-----w- c:\documents and settings\Administrator\Application Data\AOL
2009-11-29 03:47 . 2009-11-29 03:47 -------- d-----w- c:\documents and settings\All Users\Application Data\RoboForm
2009-11-29 03:46 . 2009-11-29 03:46 -------- d-----w- c:\program files\Siber Systems
2009-11-29 02:54 . 2009-11-29 02:51 -------- d-----w- c:\documents and settings\All Users\Application Data\AOL
2009-11-29 02:53 . 2009-11-29 02:51 -------- d-----w- c:\program files\Common Files\aolshare
2009-11-29 02:53 . 2009-11-29 02:53 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
2009-11-29 02:53 . 2009-11-29 02:53 -------- d-----w- c:\program files\Viewpoint
2009-11-29 02:52 . 2009-11-29 02:52 -------- d-----w- c:\documents and settings\All Users\Application Data\AOL OCP
2009-11-29 02:49 . 2009-11-29 02:47 43732816 ----a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\waol_single\4337.155.1.1\setup.exe
2009-11-29 02:47 . 2009-11-29 02:47 42960 ----a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\waol_single\4337.155.1.1\noneCodesignFilesBundle.exe
2009-11-29 02:47 . 2009-11-29 02:47 335 ----a-w- c:\windows\nsreg.dat
2009-11-29 02:47 . 2009-11-29 02:47 -------- d-----w- c:\documents and settings\All Users\Application Data\AOL Downloads
2009-11-29 02:36 . 2009-11-29 02:36 -------- d-----w- c:\program files\Microsoft Security Essentials
2009-11-28 00:57 . 2009-11-27 23:52 -------- d-----w- c:\documents and settings\All Users\Application Data\DriverScanner
2009-11-28 00:57 . 2009-11-27 23:52 -------- d-----w- c:\documents and settings\Administrator\Application Data\Uniblue
2009-11-28 00:55 . 2009-11-28 00:55 136 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\fusioncache.dat
2009-11-28 00:55 . 2009-11-28 00:55 -------- d-----w- c:\documents and settings\Administrator\Application Data\ATI
2009-11-28 00:51 . 2009-11-28 00:51 -------- d-----w- c:\program files\MSBuild
2009-11-28 00:51 . 2009-11-28 00:51 -------- d-----w- c:\program files\Reference Assemblies
2009-11-28 00:41 . 2009-11-28 00:41 -------- d-----w- c:\program files\CCleaner
2009-11-28 00:36 . 2009-11-28 00:35 -------- d-----w- c:\program files\ATI Technologies
2009-11-28 00:36 . 2009-11-28 00:22 -------- d-----w- c:\program files\Common Files\InstallShield
2009-11-28 00:36 . 2009-11-28 00:23 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-11-28 00:23 . 2009-11-28 00:23 -------- d-----w- c:\program files\Realtek AC97
2009-11-27 23:32 . 2009-11-27 23:32 -------- d-----w- c:\program files\LSI SoftModem
2009-11-27 22:02 . 2009-11-27 21:18 86811 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-11-27 21:19 . 2009-11-27 21:19 -------- d-----w- c:\program files\microsoft frontpage
2009-11-27 21:10 . 2009-11-27 21:10 21640 ----a-w- c:\windows\system32\emptyregdb.dat
2009-11-27 21:09 . 2009-11-27 21:09 -------- d-----w- c:\program files\Windows Plus
2009-11-21 15:51 . 2004-08-10 12:00 471552 ----a-w- c:\windows\AppPatch\aclayers.dll
2009-11-10 16:28 . 2010-01-17 02:10 149456 ----a-w- c:\windows\SGDetectionTool.dll
2009-11-10 16:28 . 2010-01-17 02:10 165840 ----a-w- c:\windows\PCTBDRes.dll
2009-11-10 16:28 . 2010-01-17 02:10 1640400 ----a-w- c:\windows\PCTBDCore.dll
2009-11-10 16:26 . 2010-01-17 02:10 767952 ----a-w- c:\windows\BDTSupport.dll
2009-11-09 17:20 . 2010-01-17 02:08 207792 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2009-10-30 17:11 . 2010-01-17 02:08 233136 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2009-10-28 14:38 . 2009-10-28 14:38 348160 ----a-w- c:\windows\system32\msvcr71.dll
2009-10-28 14:38 . 2009-10-28 14:38 499712 ----a-w- c:\windows\system32\msvcp71.dll
2009-10-28 07:36 . 2010-01-17 02:10 1152444 ----a-w- c:\windows\UDB.zip
.

((((((((((((((((((((((((((((( SnapShot_2010-01-25_16.45.32 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-01-25 17:16 . 2010-01-25 17:16 16384 c:\windows\Temp\Perflib_Perfdata_114.dat
+ 2010-01-25 17:16 . 2010-01-25 17:16 176128 c:\windows\ERDNT\AutoBackup\1-25-2010\Users\00000002\UsrClass.dat
+ 2010-01-25 17:16 . 2005-10-20 18:02 163328 c:\windows\ERDNT\AutoBackup\1-25-2010\ERDNT.EXE
+ 2010-01-25 17:16 . 2010-01-25 17:16 1839104 c:\windows\ERDNT\AutoBackup\1-25-2010\Users\00000001\NTUSER.DAT
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"RoboForm"="c:\program files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2009-11-29 160592]
"Weather"="c:\program files\AWS\WeatherBug\Weather.exe" [2009-10-20 1693184]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2004-08-10 59392]
"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 114688]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2005-08-14 57344]
"MSSE"="c:\program files\Microsoft Security Essentials\msseces.exe" [2009-09-14 1048392]
"HostManager"="c:\program files\Common Files\AOL\1259463101\ee\AOLSoftware.exe" [2009-07-20 41264]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-01-11 246504]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]

c:\documents and settings\Administrator\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
ATI CATALYST System Tray.lnk - c:\program files\ATI Technologies\ATI.ACE\CLI.exe [2005-8-14 57344]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\aol\\acs\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\aol\\acs\\AOLacsd.exe"=
"c:\\Program Files\\Common Files\\aol\\1259463101\\ee\\aolsoftware.exe"=
"c:\\Program Files\\AOL 9.5\\waol.exe"=
"c:\\Program Files\\Common Files\\aol\\TopSpeed\\3.0\\aoltpsd3.exe"=
"c:\\Program Files\\Common Files\\aol\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\aol\\System Information\\sinf.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\ATI Technologies\\ATI.ACE\\CLI.exe"=

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [1/16/2010 8:08 PM 207792]
R2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\Spyware Doctor\BDT\BDTUpdateService.exe [1/16/2010 8:10 PM 112592]
R2 CSHelper;CopySafe Helper Service;c:\windows\system32\CSHelper.exe [1/15/2010 7:28 PM 266240]
S3 diskmgr;diskmgr;c:\windows\system32\diskmgr.sys [8/10/2004 6:00 AM 2304]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [1/16/2010 8:08 PM 359624]
.
Contents of the 'Scheduled Tasks' folder

2010-01-25 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Microsoft Security Essentials\MpCmdRun.exe [2009-07-03 01:36]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.aol.com
IE: Customize Menu - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
IE: Fill Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
IE: RoboForm Toolbar - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
IE: Save Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-25 11:16
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(712)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(3056)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\Microsoft Security Essentials\MsMpEng.exe
c:\program files\LSI SoftModem\agrsmsvc.exe
c:\windows\system32\Ati2evxx.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\dllhost.exe
c:\windows\ALCXMNTR.EXE
c:\windows\eHome\ehmsas.exe
.
**************************************************************************
.
Completion time: 2010-01-25 11:19:55 - machine was rebooted
ComboFix-quarantined-files.txt 2010-01-25 17:19
ComboFix2.txt 2010-01-25 16:46
ComboFix3.txt 2010-01-23 21:03
ComboFix4.txt 2010-01-22 18:35

Pre-Run: 180,536,360,960 bytes free
Post-Run: 180,488,192,000 bytes free

- - End Of File - - 21CCECC3A4E025C57539FDA9E0D95173



DDS (Ver_09-12-01.01) - NTFSx86
Run by Administrator at 11:20:37.23 on Mon 01/25/2010
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.958.552 [GMT -6:00]

AV: Microsoft Security Essentials *On-access scanning disabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
c:\Program Files\Microsoft Security Essentials\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\LSI SoftModem\agrsmsvc.exe
C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\CSHelper.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Microsoft Security Essentials\msseces.exe
C:\Program Files\Common Files\AOL\1259463101\ee\AOLSoftware.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Administrator\Desktop\dds.pif

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.aol.com
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: &RoboForm: {724d43a0-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll
TB: PC Tools Browser Guard: {472734ea-242a-422b-adf8-83d1e48cc825} - c:\program files\spyware doctor\bdt\PCTBrowserDefender.dll
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [RoboForm] "c:\program files\siber systems\ai roboform\RoboTaskBarIcon.exe"
uRun: [Weather] c:\program files\aws\weatherbug\Weather.exe 1
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [AlcxMonitor] ALCXMNTR.EXE
mRun: [ATICCC] "c:\program files\ati technologies\ati.ace\cli.exe" runtime
mRun: [MSSE] "c:\program files\microsoft security essentials\msseces.exe" -hide
mRun: [HostManager] c:\program files\common files\aol\1259463101\ee\AOLSoftware.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
StartupFolder: c:\docume~1\admini~1\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\aticat~1.lnk - c:\program files\ati technologies\ati.ace\CLI.exe
IE: Customize Menu - file://c:\program files\siber systems\ai roboform\RoboFormComCustomizeIEMenu.html
IE: Fill Forms - file://c:\program files\siber systems\ai roboform\RoboFormComFillForms.html
IE: RoboForm Toolbar - file://c:\program files\siber systems\ai roboform\RoboFormComShowToolbar.html
IE: Save Forms - file://c:\program files\siber systems\ai roboform\RoboFormComSavePass.html
IE: {320AF880-6646-11D3-ABEE-C5DBF3571F46} - c:\program files\siber systems\ai roboform\RoboFormComFillForms.html
IE: {320AF880-6646-11D3-ABEE-C5DBF3571F49} - c:\program files\siber systems\ai roboform\RoboFormComSavePass.html
IE: {724d43aa-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\RoboFormComShowToolbar.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1259357999593
DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} - hxxps://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Notify: AtiExtEvent - Ati2evxx.dll

============= SERVICES / DRIVERS ===============

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2010-1-16 207792]
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2009-6-18 142832]
R2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\spyware doctor\bdt\BDTUpdateService.exe [2010-1-16 112592]
R2 CSHelper;CopySafe Helper Service;c:\windows\system32\CSHelper.exe [2010-1-15 266240]
S3 diskmgr;diskmgr;c:\windows\system32\diskmgr.sys [2004-8-10 2304]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2010-1-16 359624]
S3 sdCoreService;PC Tools Security Service;c:\program files\spyware doctor\pctsSvc.exe [2010-1-16 1141712]

=============== Created Last 30 ================

2010-01-23 20:51:37 15360 -c--a-w- c:\windows\system32\dllcache\ctfmon.exe
2010-01-23 20:51:37 15360 ------w- c:\windows\system32\ctfmon.exe
2010-01-23 20:27:02 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-01-23 20:22:37 0 d-----w- c:\windows\system32\appmgmt
2010-01-23 03:37:35 0 d-----w- C:\BJPrinter
2010-01-23 00:13:03 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-23 00:13:01 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-22 17:55:35 0 d-sha-r- C:\cmdcons
2010-01-22 17:54:14 98816 ----a-w- c:\windows\sed.exe
2010-01-22 17:54:14 77312 ----a-w- c:\windows\MBR.exe
2010-01-22 17:54:14 261632 ----a-w- c:\windows\PEV.exe
2010-01-22 17:54:14 161792 ----a-w- c:\windows\SWREG.exe
2010-01-22 11:33:27 0 ---ha-w- c:\windows\system32\BIT13.tmp
2010-01-17 04:13:49 0 d-----w- c:\program files\Trend Micro
2010-01-17 02:48:45 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-17 02:48:45 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-01-17 02:10:37 767952 ----a-w- c:\windows\BDTSupport.dll
2010-01-17 02:10:36 883 ----a-w- c:\windows\RegSDImport.xml
2010-01-17 02:10:36 880 ----a-w- c:\windows\RegISSImport.xml
2010-01-17 02:10:36 165840 ----a-w- c:\windows\PCTBDRes.dll
2010-01-17 02:10:36 1640400 ----a-w- c:\windows\PCTBDCore.dll
2010-01-17 02:10:36 149456 ----a-w- c:\windows\SGDetectionTool.dll
2010-01-17 02:10:36 131 ----a-w- c:\windows\IDB.zip
2010-01-17 02:10:36 1152444 ----a-w- c:\windows\UDB.zip
2010-01-17 02:08:17 7387 ----a-w- c:\windows\system32\drivers\pctgntdi.cat
2010-01-17 02:08:17 233136 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2010-01-17 02:08:11 87784 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2010-01-17 02:08:11 7412 ----a-w- c:\windows\system32\drivers\PCTAppEvent.cat
2010-01-17 02:08:11 7383 ----a-w- c:\windows\system32\drivers\pctcore.cat
2010-01-17 02:08:11 207792 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2010-01-17 02:08:06 7383 ----a-w- c:\windows\system32\drivers\pctplsg.cat
2010-01-17 02:08:06 70408 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2010-01-17 02:08:01 0 d-----w- c:\program files\Spyware Doctor
2010-01-17 02:08:01 0 d-----w- c:\program files\common files\PC Tools
2010-01-17 02:08:01 0 d-----w- c:\docume~1\alluse~1\applic~1\PC Tools
2010-01-17 02:08:01 0 d-----w- c:\docume~1\admini~1\applic~1\PC Tools
2010-01-17 01:27:06 0 d-----w- c:\windows\system32\LogFiles
2010-01-16 01:28:28 266240 ----a-w- c:\windows\system32\CSHelper.exe
2010-01-16 01:28:28 225280 ----a-w- c:\windows\system32\CSInstru.DLL
2010-01-13 05:59:23 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll
2010-01-06 22:02:14 0 d-----w- C:\.jagex_cache_32
2010-01-03 08:23:41 552 ----a-w- c:\windows\system32\d3d8caps.dat
2010-01-03 08:23:17 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-12-29 20:14:04 69 ----a-w- c:\documents and settings\administrator\jagex_runescape_preferences2.dat
2009-12-29 20:13:00 39 ----a-w- c:\documents and settings\administrator\jagex_runescape_preferences.dat
2009-12-29 20:12:49 0 d-----w- c:\windows\.jagex_cache_32

==================== Find3M ====================

2010-01-23 20:26:49 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-01-21 23:25:55 96512 ------w- c:\windows\system32\drivers\atapi.sys
2010-01-14 17:12:06 181120 ------w- c:\windows\system32\MpSigStub.exe
2010-01-05 10:00:29 832512 ------w- c:\windows\system32\wininet.dll
2010-01-05 10:00:21 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-01-05 10:00:20 17408 ----a-w- c:\windows\system32\corpol.dll
2009-11-27 21:10:35 21640 ----a-w- c:\windows\system32\emptyregdb.dat
2009-10-28 14:38:47 348160 ----a-w- c:\windows\system32\msvcr71.dll
2009-10-28 14:38:46 499712 ----a-w- c:\windows\system32\msvcp71.dll

============= FINISH: 11:20:44.23 ===============