Virtumonde-New Thread-As Per request

UBCD Update

Hi Blade,

I am having some problems creating the UBCD (errors and warnings during the build). Apparently there are a few known snags and fixes needed when using a Dell XP CD as the build source. I'm getting some help over on the UBCD4WIN forum and will post back here when I get these problems straightened out. I hope you're enjoying the time off! <BG>

Tom
 
Ok. Do you have a friend with non-Dell Win XP Pro SP2 (or 3) media to borrow if creating it with the Dell version fails (better wait and see what they say on the UBCD forum though)?
 
Ubcd

Good morning Blade,

Yep! I can probably get my hands on a MS XP CD if I don't get the Dell CD to work. I thought it was worth fiddling around with a bit since the machine I'm trying to fix is a Dell too. I'll be back!

Have a great day! I'm going to bed!
Tom
 
Ubcd success

Hello Blade!

I finally have some good news to report. In fact I have GREAT news to report. I successfully created a UBCD Boot CD. After spending a lot of time and a lot of tries, I eventually gave up on using the DELL XP CD as the build source for the boot CD... too many problems in getting that to work. As you suggested, I borrowed a friend's MS XP CD to use as the source and the CD image file was created successfully on my first attempt. I don't know how familiar you are with the UBCD4WIN program but all I can say is "UBCD4WIN ROCKS!"

I can now start the problem machine from the CD and can access My Computer, get to all the folders and files on the hard drive, with no passwords, and no more Blue Screens. The boot disk also includes a number of Plugins which make available a number of built-in tools and utilities like ERUNT, HJT, etc. For the first time in two weeks now, I really feel like we may get this computer cleaned up and running again without formatting the drive and starting from scratch.

I also verified what I think probably caused the problem we had when we tried the ERUNT restore. As I mentioned in a previous post, I did in fact save my original ERUNT registry backup in a subfolder named 11_17_09_A, thinking I may want to try another backup later that day and save it in a folder like 11-17_09_B. So when we restored from C:\Windows\erdnt\subs and then on the second try C:\Windows\erdnt\hiv-subs, we probably restored something other than my backup. I'm guessing we may have restored an ERUNT sample registry (with an Administrator Password) which normally would have been overwritten by my own backup had I put it in the right folder. Does this make sense?

I am ready to proceed again with your guidance and do look forward to your next reply!

Also, if you wouldn't mind... Can you explain why, when we first started out, we didn't begin by doing a regular Windows System Restore to a point prior to the date of infection? I've been wondering about that all along.

Tom
 
Good to hear that you got the media created :)

I also verified what I think probably caused the problem we had when we tried the ERUNT restore. As I mentioned in a previous post, I did in fact save my original ERUNT registry backup in a subfolder named 11_17_09_A, thinking I may want to try another backup later that day and save it in a folder like 11-17_09_B. So when we restored from C:\Windows\erdnt\subs and then on the second try C:\Windows\erdnt\hiv-subs, we probably restored something other than my backup. I'm guessing we may have restored an ERUNT sample registry (with an Administrator Password) which normally would have been overwritten by my own backup had I put it in the right folder. Does this make sense?
It's probably the correct one. Anyway, we may give one of those another try if needed.

Can you explain why, when we first started out, we didn't begin by doing a regular Windows System Restore to a point prior to the date of infection?
We didn't restore to an older point because those seldom work. Usually the infection has rendered them useless and the symptoms won't disappear.


Now that you have access to the hard drive contents, could you check the c:\qoobox\quarantine\c\windows\system32\drivers folder to see if there's a pciide.sys.vir file there?
 
vir files

Hi Blade,

Yep! I checked that folder for the file (pciide.sys.vir) and it is there.

There is another file there too (fad.sys.vir).
 
More vir files

Blade...

In checking other c:\qoobox\quarantine\...subfolders, I see quite a few files with the ".vir" extension.

Tom
 
Hi

Click Start -> Run, type cmd.exe and press Enter to access the command prompt. Then type the following command there:
Code:
copy /y c:\qoobox\quarantine\c\windows\system32\drivers\pciide.sys.vir c:\windows\system32\drivers\pciide.sys

Verify that the output says "1 file(s) copied" and if it does, reboot the system and see if it can start normally now.
 
In checking other c:\qoobox\quarantine\...subfolders, I see quite a few files with the ".vir" extension.
That's normal. There are real bad items deleted too :)
 
pciide.sys.vir

The command line
copy /y c:\qoobox\quarantine\c\windows\system32\drivers\pciide.sys.vir c:\windows\system32\drivers\pciide.sys
did not run.

Message says...
"Windows cannot find 'copy'. Make sure you typed the name correctly, and then try again. To search for a file, click the Start button and then click Search."

Should there be a ":" after the "c" between quarantine\ & \windows?
 
No, those paths are correct. Input these commands first to make sure you're in c:\windows\system32:
c:
cd\windows\system32
 
Sorry

Sorry! My mistake... I did not first enter and run "cmd.exe" to get to the DOS-type prompt.

When I tried again, I now come to the black DOS screen prompt...

X:\I386\system32>__ (Is the "X:\" because we're booted from the CD?)

Should I still type...
c:
cd windows\system32
And Then the command line: copy /y...
 
Ok

I just ran the command from c:\windows\system32
1 file copied!

Shutting down now to try normal restart...
 
Restart

Removed the CD and shut down, then back on...

Black screen with start mode options... I chose Normal

Windows started ... long welcome screen... then desktop and icons displayed...

Then two popup warnings...
TITLE BAR: RUNDLL
Error loading c:\windows\system32\diahema.dll
The specified module cannot be found.
OK

and...
TITLE BAR: RUNDLL
Error loading kodatewe.dll
The specified module cannot be found.
OK


Normal tray icons appeared but...
AVG Tray Icon has an Exclamation Point (maybe because updates are not current?)

plus a Red Shield with balloon that says...
"Your computer might be at risk"
No firewall is turned on
AVG Anti-Virus Free is turned off
Click this balloon to fix this problem


Please Note: The machine is not connected to the network or internet

I have not clicked on either of the PopUps or the Balloon
Tom
 
Hi,

That sounds normal since we're not finished cleaning yet. The main thing is that the system booted now :)

Please run DDS and post its log.
 
Run DDS

Before running DDS,
Should I first click the OK on the two RUNDLL popups?
And should I click the Red Shield Balloon re the firewall warning?
PLMK
Tom
 
You can close those two popups but ignore the firewall-related thing for now.
 
new DDS log

Hi Blade,
Here is the new DDS log... DDS.txt
PLMK if you want me to post (or attach) the DDS_Attach.txt ???
Tom


DDS (Ver_09-10-26.01) - NTFSx86
Run by Tom McNeal at 2:41:07.46 on Wed 11/25/2009
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.766.305 [GMT -6:00]

AV: AVG Anti-Virus Free *On-access scanning disabled* (Outdated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb08.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Panasonic\LUMIXSimpleViewer\PhLeAutoRun.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Tom McNeal\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.aol.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
uURLSearchHooks: H - No File
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: {107563d4-6b90-4055-8501-45cbeb7af0a6} - tevaziva.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.3.4501.1418\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_B7C5AC242193BB3E.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [kfqcaekj] c:\documents and settings\tom mcneal\local settings\application data\ogolyy\lwyesysguard.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [BCMSMMSG] BCMSMMSG.exe
mRun: [AdaptecDirectCD] c:\program files\roxio\easy cd creator 5\directcd\DirectCD.exe
mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb08.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [HP Software Update] c:\program files\hewlett-packard\hp software update\HPWuSchd.exe
mRun: [DeviceDiscovery] c:\program files\hewlett-packard\digital imaging\bin\hpotdd01.exe
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [kfqcaekj] c:\documents and settings\tom mcneal\local settings\application data\ogolyy\lwyesysguard.exe
mRun: [11220814] c:\documents and settings\all users\application data\11220814\11220814.exe
mRun: [jepedonug] Rundll32.exe "c:\windows\system32\diyahema.dll",a
mRun: [jokimuruha] Rundll32.exe "kodatewe.dll",s
dRunOnce: [RunNarrator] Narrator.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\lumixs~1.lnk - c:\program files\panasonic\lumixsimpleviewer\PhLeAutoRun.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: turbotax.com
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
DPF: {19E28AFC-EAE3-4CE5-AC83-2407B42F57C9} - hxxp://protect.microsoft.com/security/protect/wsa/shared/CAB/x86/msSecAdv.cab?1107516386875
DPF: {55027008-315F-4F45-BBC3-8BE119764741} - hxxp://www.slide.com/uploader/SlideImageUploader.cab
DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1107516561703
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1230150512703
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: {9CA51FD6-A243-4FAF-BC05-EEE2DEFC690E} = 77.74.48.113
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxsrvc.dll
SSODL: vuzuwuhif - {68c2902b-c16e-4e9d-a2a2-7c9d461276fa} - c:\windows\system32\dukiyuzu.dll
SSODL: jumikuwif - {c1359f34-13f0-48d6-8f95-31a84938bde4} - c:\windows\system32\diyahema.dll
STS: kupuhivus: {68c2902b-c16e-4e9d-a2a2-7c9d461276fa} - c:\windows\system32\dukiyuzu.dll
STS: kupuhivus: {c1359f34-13f0-48d6-8f95-31a84938bde4} - c:\windows\system32\diyahema.dll
LSA: Notification Packages = scecli cPRASO.dll kodatewe.dll lofiketo.dll

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-7-9 327688]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-7-9 298776]
S2 gupdate1c9e522adc4ffec;Google Update Service (gupdate1c9e522adc4ffec);c:\program files\google\update\GoogleUpdate.exe [2009-6-4 133104]
S2 IntuitUpdateService;Intuit Update Service;c:\program files\common files\intuit\update service\IntuitUpdateService.exe [2008-10-10 13088]
S2 JEPPDRIVE;Smart Modular JeppDrive USB Driver;c:\windows\system32\drivers\jeppd.sys --> c:\windows\system32\drivers\JeppD.sys [?]

=============== Created Last 30 ================

2009-11-25 02:06:09 3328 ----a-w- c:\windows\system32\drivers\pciide.sys
2009-11-20 22:30:16 187776 ----a-w- c:\windows\system32\drivers\ACPI_2.sys
2009-11-20 22:24:05 50176 ----a-w- c:\windows\system32\proquota.exe
2009-11-20 22:24:05 50176 ----a-w- c:\windows\system32\dllcache\proquota.exe
2009-11-20 22:02:13 0 d-sha-r- C:\cmdcons
2009-11-20 21:54:56 98816 ----a-w- c:\windows\sed.exe
2009-11-20 21:54:56 77312 ----a-w- c:\windows\MBR.exe
2009-11-20 21:54:56 260608 ----a-w- c:\windows\PEV.exe
2009-11-20 21:54:56 161792 ----a-w- c:\windows\SWREG.exe
2009-11-20 21:54:19 0 d-s---w- C:\ComboFix
2009-11-17 21:29:33 1209915 --sh--w- c:\windows\system32\savohofu.exe
2009-11-11 21:00:25 0 d-----w- c:\program files\Trend Micro
2009-11-10 19:27:54 6456 ---ha-w- c:\windows\system32\virasuza
2009-11-10 06:45:05 95 ----a-w- c:\windows\wininit.ini
2009-11-10 02:58:33 52736 ----a-w- C:\luobk.exe
2009-11-10 02:58:20 0 --sha-w- C:\15226409
2009-11-06 19:00:51 0 d-----w- C:\spoolerlogs
2009-11-05 16:01:25 0 d-----w- c:\program files\NZ Software

==================== Find3M ====================

2009-10-21 04:08:54 3598336 ----a-w- c:\windows\system32\dllcache\mshtml.dll
2009-09-11 14:18:39 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-11 14:18:39 136192 ------w- c:\windows\system32\dllcache\msv1_0.dll
2009-09-04 21:03:36 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-09-04 21:03:36 58880 ------w- c:\windows\system32\dllcache\msasn1.dll
2009-08-28 10:28:59 70656 ------w- c:\windows\system32\dllcache\ie4uinit.exe
2009-08-28 10:28:59 13824 ------w- c:\windows\system32\dllcache\ieudinit.exe
2008-12-25 09:07:50 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008122520081226\index.dat

============= FINISH: 2:43:23.35 ===============
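As an added illustration (not part of the thread, and not a DDS feature), the "Pseudo HJT Report" section above can be triaged mechanically. The script below assumes only the line formats visible in the log (uRun/mRun, SSODL, LSA Notification Packages), uses a small constructed sample copied from those lines, and flags a Run entry when its module is loaded by bare name, runs from a profile or application data folder, or is also registered as an SSODL or LSA package; the two RUNDLL popups reported earlier correspond to exactly such entries.

```python
import re

# Constructed sample: a few lines copied from the DDS "Pseudo HJT Report"
# section in the thread, not the whole log.
SAMPLE_LINES = r"""
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
uRun: [kfqcaekj] c:\documents and settings\tom mcneal\local settings\application data\ogolyy\lwyesysguard.exe
mRun: [11220814] c:\documents and settings\all users\application data\11220814\11220814.exe
mRun: [jepedonug] Rundll32.exe "c:\windows\system32\diyahema.dll",a
mRun: [jokimuruha] Rundll32.exe "kodatewe.dll",s
SSODL: jumikuwif - {c1359f34-13f0-48d6-8f95-31a84938bde4} - c:\windows\system32\diyahema.dll
LSA: Notification Packages = scecli cPRASO.dll kodatewe.dll lofiketo.dll
""".strip().splitlines()

RUN_RE = re.compile(r"^[umd]Run(?:Once)?: \[([^\]]*)\] (.*)$")
SSODL_RE = re.compile(r"^SSODL: .* - (\S.*)$")
LSA_RE = re.compile(r"^LSA: Notification Packages = (.*)$")


def loaded_module(target):
    """Path or bare name of the module a Run entry really loads."""
    t = target.strip()
    if t.lower().startswith("rundll32.exe"):  # Rundll32.exe "<dll>",<entry>
        return t[len("rundll32.exe"):].split(",")[0].strip().strip('"')
    m = re.search(r"\.(?:exe|dll)\b", t, re.IGNORECASE)  # drop trailing switches
    return (t[: m.end()] if m else t).strip('"')


def triage(lines):
    """Map each Run entry name to the reasons it deserves a closer look."""
    other, runs = set(), []  # modules also hooked in as SSODL / LSA packages
    for line in lines:
        if m := RUN_RE.match(line):
            runs.append((m.group(1), loaded_module(m.group(2))))
        elif m := SSODL_RE.match(line):
            other.add(m.group(1).rsplit("\\", 1)[-1].lower())
        elif m := LSA_RE.match(line):
            other.update(p.lower() for p in m.group(1).split())
    findings = {}
    for name, module in runs:
        reasons = []
        if "\\" not in module:
            reasons.append("loaded by name only (no directory)")
        if "\\application data\\" in module.lower():
            reasons.append("runs from a profile or application data folder")
        if module.rsplit("\\", 1)[-1].lower() in other:
            reasons.append("same module also registered as SSODL or LSA notification package")
        if reasons:
            findings[name] = reasons
    return findings
```

Running `triage(SAMPLE_LINES)` leaves the AVG entry alone and returns the four remaining entries with their reasons; the heuristics are a starting point for review, not a verdict.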
 