Old 04-28-2009, 07:04 PM   #1 (permalink)
Registered User
 
Join Date: Apr 2009
Location: Upstate NY
Posts: 4
OS: xp


Many issues - google redirect, No Disk errors, etc

Hi,

It looks like my kids have gotten this computer completely infected.

I have run SpyBot and removed a lot. My McAfee antivirus does not seem to be working correctly. I am getting many strange behaviors, including links in a Google search getting redirected and Firefox starting on its own and going to casino websites. I am getting Windows No Disk errors sometimes. I am getting svchost errors on start-up. I followed the directions and here are the files.

Thanks for any help.

DDS.txt


DDS (Ver_09-03-16.01) - NTFSx86
Run by Donald Whisenhunt at 20:38:25.81 on Tue 04/28/2009
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1263 [GMT -4:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\System32\svchost.exe -k NetworkService
C:\WINDOWS\System32\svchost.exe -k LocalService
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\dhcp\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\System32\VetMsgNT.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Logitech\QuickCam\Quickcam.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\reader_s.exe
C:\windows\ld08.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Donald Whisenhunt\reader_s.exe
C:\WINDOWS\system32\dll32.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Program Files\QUICKENW\QWDLLS.EXE
C:\Program Files\Ulead Systems\Ulead Photo Express 4.0 SE\CalCheck.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\iPod\bin\iPodService.exe
svchost.exe
svchost.exe
svchost.exe
svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\tpsaxyd.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
svchost.exe C:\WINDOWS\TEMP\VRT6B.tmp
c:\program Files\ThunMail\testabd.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\Program Files\Java\jre6\bin\jucheck.exe
\\?\globalroot\systemroot\system32\rundll32.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
c:\program files\aim toolbar\aimtbServer.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\dncyool64.sys
C:\Documents and Settings\Donald Whisenhunt\Desktop\dds.scr
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
uInternet Connection Wizard,ShellNext = hxxp://www.dellnet.com/
uInternet Settings,ProxyOverride = *.local;<local>
uInternet Settings,ProxyServer = http=localhost:7171
uURLSearchHooks: AIM Toolbar Search Class: {03402f96-3dc7-4285-bc50-9e81fefafe43} - c:\program files\aim toolbar\aimtb.dll
uURLSearchHooks: H - No File
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn1\yt.dll
mURLSearchHooks: AIM Toolbar Search Class: {03402f96-3dc7-4285-bc50-9e81fefafe43} - c:\program files\aim toolbar\aimtb.dll
mURLSearchHooks: H - No File
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\windows\system32\ntos.exe,
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\progra~1\yahoo!\companion\installs\cpn1\yt.dll
BHO: c:\windows\system32\kjsdiowq8oikf.dll: {b2ba40a2-74f0-42bd-f434-12345a2c8953} - c:\windows\system32\kjsdiowq8oikf.dll
BHO: {debc2448-7334-45dd-bad3-afaf3b0b6616} - c:\windows\system32\higubuli.dll
TB: AIM Search: {40d41a8b-d79b-43d7-99a7-9ee0f344c385} - c:\program files\aim toolbar\AIMBar.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn1\yt.dll
TB: AIM Toolbar: {61539ecd-cc67-4437-a03c-9aaccbd14326} - c:\program files\aim toolbar\aimtb.dll
TB: ToggleEN Toolbar: {038cb5c7-48ea-4af9-94e0-a1646542e62b} - c:\program files\toggleen\tbTog0.dll
TB: Ask.com Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
EB: &Yahoo! Messenger: {4528bbe0-4e08-11d5-ad55-00010333d0ad} - c:\program files\yahoo!\messenger\yhexbmes0521.dll
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Aim6]
uRun: [Messenger (Yahoo!)] "c:\program files\yahoo!\messenger\YahooMessenger.exe" -quiet
uRun: [reader_s] c:\documents and settings\donald whisenhunt\reader_s.exe
uRun: [autochk] rundll32.exe c:\docume~1\donald~1\protect.dll,_IWMPEvents@16
uRun: [dll32] dll32
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [BCMSMMSG] BCMSMMSG.exe
mRun: [DVDSentry] c:\windows\system32\DSentry.exe
mRun: [MCAgentExe] c:\program files\mcafee.com\agent\mcagent.exe
mRun: [VirusScan Online] c:\progra~1\mcafee.com\vso\mcvsshld.exe
mRun: [gcasServ] "c:\program files\microsoft antispyware\gcasServ.exe"
mRun: [\\DONALDOFFICE\EPSON Stylus Photo R300 Series] c:\windows\system32\spool\drivers\w32x86\3\e_s4i2f1.exe /p45 "\\donaldoffice\EPSON Stylus Photo R300 Series" /O6 "USB001" /M "Stylus Photo R300"
mRun: [Auto EPSON Stylus Photo R300 Series on DONALDOFFICE] c:\windows\system32\spool\drivers\w32x86\3\e_s4i2f1.exe /p51 "auto epson stylus photo r300 series on donaldoffice" /o23 "\\donaldoffice\EPSONSty" /M "Stylus Photo R300"
mRun: [MCUpdateExe] c:\progra~1\mcafee.com\agent\McUpdate.exe
mRun: [Auto EPSON Stylus Photo R300 Series on DONALDOFFICE (Copy 1)] c:\windows\system32\spool\drivers\w32x86\3\e_s4i2f1.exe /p60 "auto epson stylus photo r300 series on donaldoffice (copy 1)" /o30 "\\donaldoffice\EPSONSty_Donald" /M "Stylus Photo R300"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [EPSON Stylus Photo R300 Series] c:\windows\system32\spool\drivers\w32x86\3\E_S4I2F1.EXE /P30 "EPSON Stylus Photo R300 Series" /O6 "USB001" /M "Stylus Photo R300"
mRun: [mmtask] "c:\program files\musicmatch\musicmatch jukebox\mmtask.exe"
mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
mRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [LogitechCommunicationsManager] "c:\program files\common files\logishrd\lcommgr\Communications_Helper.exe"
mRun: [LogitechQuickCamRibbon] "c:\program files\logitech\quickcam\Quickcam.exe" /hide
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [prnet] "c:\windows\system32\prnet.tmp"
mRun: [reader_s] c:\windows\system32\reader_s.exe
mRun: [sysldtray] c:\windows\ld08.exe
mRun: [autochk] rundll32.exe c:\windows\system32\autochk.dll,_IWMPEvents@16
mRun: [svchost.exe] "c:\windows\system32\3361\SVCHOST.exe"
mRun: [pp] c:\windows\pp06.exe
mRun: [ruragisuze] Rundll32.exe "c:\windows\system32\jiremeye.dll",s
mRun: [70e3a650] rundll32.exe "c:\windows\system32\sayobeva.dll",b
mRun: [CPM73d095cc] Rundll32.exe "c:\windows\system32\dukurare.dll",a
mRunOnce: [Spybot - Search & Destroy] "c:\program files\spybot - search & destroy\SpybotSD.exe" /autocheck
mRunOnce: [svchost.exe] "c:\windows\system32\3361\SVCHOST.exe"
dRun: [svc] c:\program files\thunmail\testabd.exe
dRun: [autochk] rundll32.exe c:\docume~1\networ~1\protect.dll,_IWMPEvents@16
dRun: [<NO NAME>] c:\windows\temp\qtyam26e9.exe
dRun: [Windows Resurections] c:\windows\temp\qtyam26e9.exe
dRun: [Diagnostic Manager] c:\windows\temp\3025865372.exe
dRun: [reader_s] c:\documents and settings\localservice\reader_s.exe
StartupFolder: c:\documents and settings\donald whisenhunt\start menu\programs\startup\ChkDisk.dll
StartupFolder: c:\docume~1\donald~1\startm~1\programs\startup\chkdisk.lnk - c:\windows\system32\rundll32.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\americ~1.lnk - c:\program files\america online 8.0\aoltray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\billmi~1.lnk - c:\program files\quickenw\BILLMIND.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\ezfire~1.lnk - c:\program files\ca\etrust ez armor\etrust ez firewall\ca.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\desktop messenger\8876480\program\LogitechDesktopMessenger.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quicke~1.lnk - c:\program files\quickenw\QWDLLS.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\uleadp~1.lnk - c:\program files\ulead systems\ulead photo express 4.0 se\CalCheck.exe
dPolicies-explorer: NoFolderOptions = 1 (0x1)
dPolicies-system: DisableRegistryTools = 1 (0x1)
IE: &AIM Search - c:\program files\aim toolbar\AIMBar.dll/aimsearch.htm
IE: &AIM Toolbar Search - c:\documents and settings\all users\application data\aim toolbar\ietoolbar\resources\en-us\local\search.html
IE: &Yahoo! Search - file:///c:\program files\yahoo!\Common/ycsrch.htm
IE: Yahoo! &Dictionary - file:///c:\program files\yahoo!\Common/ycdict.htm
IE: Yahoo! &Maps - file:///c:\program files\yahoo!\Common/ycdict.htm
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {0b83c99c-1efa-4259-858f-bcb33e007a5b} - {61539ecd-cc67-4437-a03c-9aaccbd14326} - c:\program files\aim toolbar\aimtb.dll
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {dfb852a3-47f8-48c4-a200-58cab36fd2a2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
DPF: {01113300-3E00-11D2-8470-0060089874ED} - hxxp://www.activation.rr.com/install/download/tgctlcm.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://active.macromedia.com/director/cabs/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,64/mcinsctl.cab
DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} - hxxp://us.games2.yimg.com/download.games.yahoo.com/games/play/client/exentctl_0_0_0_1.ocx
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - hxxp://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
DPF: {CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} - hxxp://chat.yahoo.com/cab/yvwrctl.cab
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\logitech\desktop messenger\8876480\program\GAPlugProtocol-8876480.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxsrvc.dll
AppInit_DLLs: c:\progra~1\thunmail\testabd.dll c:\windows\system32\tenagoki.dll c:\windows\system32\dukurare.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\dukurare.dll
STS: c:\windows\system32\kjsdiowq8oikf.dll: {b2ba40a2-74f0-42bd-f434-12345a2c8953} - c:\windows\system32\kjsdiowq8oikf.dll
STS: STS: {ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} - c:\windows\system32\dukurare.dll
SEH: Microsoft.AntiSpyware.ShellExecuteHook.1: {9ef34ff2-3396-4527-9d27-04c8c1c67806} - c:\program files\microsoft antispyware\shellextension.dll
LSA: Notification Packages = scecli c:\windows\system32\tenagoki.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\donald~1\applic~1\mozilla\firefox\profiles\ocrya2c7.default\
FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrie7&query=
FF - prefs.js: browser.search.selectedEngine - AIM Search
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrab&query=
FF - prefs.js: network.proxy.http - localhost
FF - prefs.js: network.proxy.http_port - 7171
FF - prefs.js: network.proxy.type - 1
FF - plugin: c:\documents and settings\donald whisenhunt\application data\mozilla\firefox\profiles\ocrya2c7.default\extensions\npzorap@zorap.com\plugins\npZorap.dll
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnu.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll

============= SERVICES / DRIVERS ===============

R0 protect;protect;c:\windows\system32\drivers\protect.sys [2009-4-27 18944]
R1 ATMhelpr;ATMhelpr;c:\windows\system32\drivers\ATMHELPR.SYS [2003-12-6 4064]
R1 VET-FILT;VET File System Filter;c:\windows\system32\drivers\Vet-Filt.sys [2004-4-16 17557]
R1 VET-REC;VET File System Recognizer;c:\windows\system32\drivers\Vet-Rec.sys [2004-4-16 15252]
R1 VETFDDNT;VET Floppy Boot Sector Monitor;c:\windows\system32\drivers\VetFDDNT.sys [2004-4-16 99269]
R1 VETMONNT;VET File and Macro Monitor;c:\windows\system32\drivers\VetMonNT.sys [2004-4-16 512133]
R2 dhcpsrv;Dhcp server;c:\windows\dhcp\svchost.exe [2009-4-27 256512]
R2 msncache;msncache;c:\windows\system32\svchost.exe -k netsvcs [2002-8-29 34816]
R2 VETMSGNT;VET Message Service;c:\windows\system32\VetMsgNT.exe [2004-4-16 61440]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2007-10-28 45132]
R2 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2004-4-16 177312]
R2 X4HS32;X4HS32;c:\program files\exetender\X4HS32.sys [2004-4-17 21627]
S1 ebt339f;ebt339f;c:\windows\system32\drivers\ebt339f.sys [2009-4-28 17376]
S1 ethbqutv;ethbqutv;c:\windows\system32\drivers\ethbqutv.sys [2009-4-27 136224]
S2 MCVSRte;McAfee.com VirusScan Online Realtime Engine;c:\progra~1\mcafee.com\vso\mcvsrte.exe [2003-9-26 114688]
S2 sopidkc;sopidkc Service;c:\windows\system32\sopidkc.exe --> c:\windows\system32\sopidkc.exe [?]
S2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
S3 NaiFiltr;NaiFiltr;c:\windows\system32\drivers\NaiFiltr.sys [2003-9-26 23296]
S3 RIOXDRV;SONICblue Rio generic driver XP+;c:\windows\system32\drivers\RIOXDRV.sys [2003-12-25 18304]

=============== Created Last 30 ================

2009-04-28 20:27 <DIR> --d----- c:\program files\Trend Micro
2009-04-28 19:59 1,433,119 ---sh--- c:\windows\system32\aveboyas.ini
2009-04-28 19:55 27,648 a------- c:\windows\system32\lmppcsetup.exe
2009-04-28 19:46 61,440 a------- c:\windows\system32\71.tmp
2009-04-28 19:45 17,376 a------- c:\windows\system32\drivers\ebt339f.sys
2009-04-28 19:45 19,420 a------- c:\windows\system32\6F.tmp
2009-04-28 19:45 124 a------- c:\windows\system32\6D.tmp
2009-04-28 07:00 1,433,119 ---sh--- c:\windows\system32\ovowedep.ini
2009-04-27 22:19 50,176 a------- c:\windows\system32\loader49.exe
2009-04-27 22:06 1 a------- c:\windows\9g2234wesdf3dfgjf23
2009-04-27 22:06 33,792 ----h--- c:\windows\pp06.exe
2009-04-27 22:06 2 ----h--- c:\windows\t55ft2692f44.dat
2009-04-27 22:05 0 a------- C:\26.tmp
2009-04-27 22:05 54,784 a------- C:\25.tmp
2009-04-27 22:05 0 a------- C:\24.tmp
2009-04-27 22:04 36,352 a------- c:\documents and settings\donald whisenhunt\reader_s.exe
2009-04-27 21:59 24,064 a--sh--- c:\documents and settings\donald whisenhunt\protect.dll
2009-04-27 21:31 0 a------- C:\D.tmp
2009-04-27 21:31 0 a------- C:\C.tmp
2009-04-27 21:30 18,944 a---h--- c:\windows\system32\drivers\protect.sys
2009-04-27 21:30 0 a------- c:\windows\system32\A.tmp
2009-04-27 21:30 61,440 a------- c:\windows\system32\9.tmp
2009-04-27 21:30 136,224 a------- c:\windows\system32\drivers\ethbqutv.sys
2009-04-27 21:30 153,088 a------- c:\windows\system32\7.tmp
2009-04-27 21:30 124 a------- c:\windows\system32\6.tmp
2009-04-27 19:21 15,000 a------- c:\windows\system32\jksahfo93wjfkd.dll
2009-04-27 16:55 <DIR> --d----- c:\windows\system32\3361
2009-04-27 16:55 <DIR> --d----- c:\windows\dhcp
2009-04-27 16:20 24,064 a--sh--- c:\windows\system32\autochk.dll
2009-04-27 16:05 46 a------- c:\windows\system32\p2hhr.bat
2009-04-27 16:04 15,000 a------- c:\windows\system32\yhs783ijfo3fe.dll
2009-04-27 16:04 65,024 a------- c:\windows\system32\ak1.exe
2009-04-27 15:57 39,424 a------- c:\windows\system32\dll32.exe
2009-04-27 15:56 <DIR> --d----- c:\windows\system32\796525
2009-04-27 15:55 0 a------- c:\windows\mqcd.dbt
2009-04-27 15:55 36,864 a------- c:\windows\system32\dpcxool64.sys
2009-04-27 15:55 8 a------- c:\windows\system32\comsa32.sys
2009-04-27 15:55 <DIR> --dshr-- c:\program files\ThunMail
2009-04-27 15:55 182,656 a------- c:\windows\system32\dllcache\ndis.sys
2009-04-27 15:55 39,936 ----h--- c:\windows\ld08.exe
2009-04-27 15:48 182,911 a------- c:\windows\system32\prnet.tmp
2009-04-19 18:58 284,160 -------- c:\windows\system32\dllcache\pdh.dll
2009-04-19 18:58 55,808 -------- c:\windows\system32\dllcache\sc.exe
2009-04-19 18:58 401,408 -------- c:\windows\system32\dllcache\rpcss.dll
2009-04-19 18:58 131,072 -------- c:\windows\system32\dllcache\services.exe
2009-04-19 18:58 473,600 -------- c:\windows\system32\dllcache\fastprox.dll
2009-04-19 18:57 248,320 -------- c:\windows\system32\dllcache\wmiprvse.exe
2009-04-19 18:57 453,120 -------- c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-19 18:57 729,088 -------- c:\windows\system32\dllcache\lsasrv.dll
2009-04-19 18:57 617,472 -------- c:\windows\system32\dllcache\advapi32.dll
2009-04-19 18:57 714,752 -------- c:\windows\system32\dllcache\ntdll.dll
2009-04-19 18:54 2,560 -------- c:\windows\system32\xpsp4res.dll
2009-04-19 18:54 1,203,922 -------- c:\windows\system32\dllcache\sysmain.sdb
2009-04-19 18:54 236,032 -------- c:\windows\system32\dllcache\wordpad.exe
2009-04-12 15:39 <DIR> --d----- c:\documents and settings\donald whisenhunt\jmeeting

==================== Find3M ====================

2009-04-28 20:38 109,308 a------- c:\windows\system32\drivers\b5fdcb09.sys
2009-04-28 19:59 80,896 a--sh--- c:\windows\system32\sayobeva.dll
2009-04-28 19:59 88,064 a--sh--- c:\windows\system32\dukurare.dll
2009-04-28 16:39 0 a------- c:\windows\system32\drivers\lvuvc.hs
2009-04-28 16:39 0 a------- c:\windows\system32\drivers\logiflt.iad
2009-04-28 07:00 48,640 a--sh--- c:\windows\system32\gubebusi.dll
2009-04-28 07:00 88,576 a--sh--- c:\windows\system32\luyiwiya.dll
2009-04-28 07:00 80,384 -------- c:\windows\system32\pedewovo.dll
2009-04-27 22:04 15,000 a------- c:\windows\system32\kjsdiowq8oikf.dll
2009-04-27 22:04 61,440 a------- c:\windows\system32\16.tmp
2009-04-27 22:04 152,064 a------- c:\windows\system32\12.tmp
2009-04-27 15:55 182,656 a------- c:\windows\system32\drivers\ndis.sys
2009-04-27 15:54 55,296 a------- c:\windows\system32\reader_s.exe
2009-04-27 15:54 43,520 a------- C:\pdtivk.exe
2009-04-27 15:54 578,560 a------- c:\windows\system32\user32.DLL
2009-04-27 15:54 578,560 a------- c:\windows\system32\dllcache\user32.dll
2009-04-27 15:54 262,144 a------- c:\windows\system32\nvrsk.dll
2009-04-27 15:54 290,304 a------- C:\kggi.exe
2009-04-27 15:54 15,000 a------- c:\windows\system32\sjg9s8guigjs.dll
2009-04-27 15:54 79,360 a--sh--- c:\windows\system32\koyatona.dll
2009-04-27 15:54 32,768 a------- c:\windows\instsp2.exe
2009-04-27 15:54 88,576 a--sh--- c:\windows\system32\rahomesu.dll
2009-04-27 15:54 74,240 a--sh--- c:\windows\system32\sutajubu.exe
2009-03-21 10:06 989,696 -------- c:\windows\system32\dllcache\kernel32.dll
2009-03-06 10:22 284,160 a------- c:\windows\system32\pdh.dll
2009-03-02 20:18 826,368 a------- c:\windows\system32\wininet.dll
2009-03-02 20:18 826,368 a------- c:\windows\system32\dllcache\wininet.dll
2009-02-28 00:54 636,072 -------- c:\windows\system32\dllcache\iexplore.exe
2009-02-20 06:20 91,136 -------- c:\windows\system32\dllcache\ie4uinit.exe
2009-02-20 06:20 34,304 -------- c:\windows\system32\dllcache\ieudinit.exe
2009-02-20 01:14 161,792 -------- c:\windows\system32\dllcache\ieakui.dll
2009-02-14 18:07 107,888 a------- c:\windows\system32\CmdLineExt.dll
2009-02-09 08:10 729,088 a------- c:\windows\system32\lsasrv.dll
2009-02-09 08:10 714,752 a------- c:\windows\system32\ntdll.dll
2009-02-09 08:10 617,472 a------- c:\windows\system32\advapi32.dll
2009-02-09 08:10 401,408 a------- c:\windows\system32\rpcss.dll
2009-02-09 07:13 1,846,784 a------- c:\windows\system32\win32k.sys
2009-02-09 07:13 1,846,784 -------- c:\windows\system32\dllcache\win32k.sys
2009-02-07 19:02 2,066,048 a------- c:\windows\system32\ntkrnlpa.exe
2009-02-07 19:02 2,066,048 -------- c:\windows\system32\dllcache\ntkrnlpa.exe
2009-02-06 07:11 110,592 a------- c:\windows\system32\services.exe
2009-02-06 07:08 2,189,056 a------- c:\windows\system32\ntoskrnl.exe
2009-02-06 07:08 2,189,056 -------- c:\windows\system32\dllcache\ntoskrnl.exe
2009-02-06 07:06 2,145,280 -------- c:\windows\system32\dllcache\ntkrnlmp.exe
2009-02-06 06:39 55,808 a------- c:\windows\system32\sc.exe
2009-02-06 06:32 2,023,936 -------- c:\windows\system32\dllcache\ntkrpamp.exe
2009-02-03 15:59 56,832 a------- c:\windows\system32\secur32.dll
2009-02-03 15:59 56,832 -------- c:\windows\system32\dllcache\secur32.dll
2008-12-14 19:18 31 a------- c:\documents and settings\donald whisenhunt\jagex_runescape_preferences.dat
2004-12-29 20:53 922,982 a------- c:\program files\19 Lord in NYC_no_gap.mp3
2005-11-17 23:57 27,661 ---sh--- c:\windows\system32\awvvw.dll
2005-11-17 23:54 27,661 ---sh--- c:\windows\system32\ddccd.dll
2009-01-27 15:49 49,152 a--sh--- c:\windows\system32\kuruwoze.dll.vir
2005-11-20 22:34 540,724 ---sh--- c:\windows\system32\pmkjj.dll
2005-11-17 23:55 27,661 ---sh--- c:\windows\system32\ssqpq.dll

============= FINISH: 20:41:49.39 ===============
Attached Files
File Type: zip Attach.zip (4.3 KB, 0 views)
File Type: zip ark.zip (835 Bytes, 2 views)
donald112 is offline  
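The DDS log above carries several classic hijack indicators in its Pseudo HJT Report and Firefox sections: a browser proxy pointed at localhost, an extra entry appended to the Winlogon Userinit chain, a populated AppInit_DLLs value, an extra LSA notification package, autoruns launching from temp and profile directories, and an svchost.exe living outside system32. The script below is an added example, not code from the thread or from the DDS tool, that runs those checks over a constructed sample modelled on the posted lines (profile name replaced with a generic "user"). The indicator rules and the "scecli is the only expected LSA package on XP" assumption are the author's own, not something the thread states.

```python
"""Triage a DDS 'Pseudo HJT Report' / Firefox section for common hijack indicators."""
import re
from typing import List, Optional, Tuple

# Constructed sample: lines modelled on the DDS log posted above, with the
# profile name replaced by a generic "user" (not a real capture).
SAMPLE_REPORT = r"""
uStart Page = hxxp://www.yahoo.com/
uInternet Settings,ProxyOverride = *.local;<local>
uInternet Settings,ProxyServer = http=localhost:7171
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\windows\system32\ntos.exe,
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [reader_s] c:\documents and settings\user\reader_s.exe
uRun: [autochk] rundll32.exe c:\docume~1\user~1\protect.dll,_IWMPEvents@16
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [svchost.exe] "c:\windows\system32\3361\SVCHOST.exe"
dRun: [Diagnostic Manager] c:\windows\temp\3025865372.exe
dPolicies-system: DisableRegistryTools = 1 (0x1)
AppInit_DLLs: c:\progra~1\thunmail\testabd.dll c:\windows\system32\tenagoki.dll
LSA: Notification Packages = scecli c:\windows\system32\tenagoki.dll
FF - prefs.js: network.proxy.http - localhost
FF - prefs.js: network.proxy.http_port - 7171
"""

# uRun / mRun / dRun / mRunOnce lines: "[name] command"
RUN_RE = re.compile(r'^[umd](?:Run|RunOnce): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$')
LOCAL_HOST_RE = re.compile(r'localhost|127\.0\.0\.1')
# Directories a legitimate machine-wide autorun rarely launches from.
PROFILE_OR_TEMP = ("\\temp\\", "\\documents and settings\\", "\\docume~1\\")
# Captures the directory part in front of an svchost.exe reference.
SVCHOST_RE = re.compile(r'([a-z]:\\[^"\s]*?\\)svchost\.exe')


def suspicious_run_command(cmd: str) -> Optional[str]:
    """Explain why an autorun command looks wrong, or return None if it looks normal."""
    c = cmd.lower()
    if any(d in c for d in PROFILE_OR_TEMP):
        return "autorun launches from a temp or profile directory"
    m = SVCHOST_RE.search(c)
    if m and m.group(1) != "c:\\windows\\system32\\":
        return "svchost.exe outside system32"
    return None


def triage(report: str) -> List[Tuple[str, str]]:
    """Return (reason, evidence) pairs for every indicator found in the report text."""
    findings: List[Tuple[str, str]] = []
    for raw in report.splitlines():
        line = raw.strip()
        if not line:
            continue
        low = line.lower()
        # 1. IE ProxyServer or Firefox network.proxy.http pointing at the machine itself.
        if ("proxyserver" in low or "network.proxy.http -" in low) and LOCAL_HOST_RE.search(low):
            findings.append(("browser proxied through the local machine", line))
        # 2. Userinit should list only userinit.exe; anything else runs at every logon.
        elif low.startswith("mwinlogon: userinit="):
            entries = [e.strip() for e in line.split("=", 1)[1].split(",") if e.strip()]
            extra = [e for e in entries if not e.lower().endswith("\\userinit.exe")]
            if extra:
                findings.append(("extra Userinit entry", ", ".join(extra)))
        # 3. AppInit_DLLs is empty on a clean XP box; any value is loaded into every GUI process.
        elif low.startswith("appinit_dlls:"):
            if line.split(":", 1)[1].strip():
                findings.append(("AppInit_DLLs populated", line))
        # 4. LSA notification packages: assumed that only scecli is expected on XP.
        elif low.startswith("lsa: notification packages ="):
            extra = [p for p in line.split("=", 1)[1].split() if p.lower() != "scecli"]
            if extra:
                findings.append(("extra LSA notification package", ", ".join(extra)))
        # 5. Policies that lock the user out of regedit / folder options.
        elif "disableregistrytools = 1" in low or "nofolderoptions = 1" in low:
            findings.append(("policy restricts user tooling", line))
        # 6. Autorun entries launching from odd locations.
        else:
            m = RUN_RE.match(line)
            if m:
                reason = suspicious_run_command(m.group("cmd"))
                if reason:
                    findings.append((reason, f"[{m.group('name')}] {m.group('cmd')}"))
    return findings


if __name__ == "__main__":
    for reason, evidence in triage(SAMPLE_REPORT):
        print(f"{reason:45s} {evidence}")
```

On the constructed sample the script reports ten findings; on a real log the same rules would be a first pass only, since an entry in system32 with a random name (the sayobeva/dukurare DLLs in the log) needs a reputation or hash check rather than a path heuristic.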

Old 04-29-2009, 01:45 PM   #2 (permalink)
Moderator, Analyst, Security Team; Rangemaster, TSF Academy
 
Join Date: Oct 2007
Location: Georgia
Posts: 10,538
OS: XP SP3


Re: Many issues - google redirect, No Disk errors, etc

Hello and Welcome to TSF.

Please go to: VirusTotal
  • On the page you'll find a Browse button.
  • Next to the Browse button you'll see a box to enter text.
  • Please copy/paste the following bolded text into the box:

    C:\WINDOWS\Explorer.EXE

  • Then click the Send File button just below.
  • This will scan the file. Please be patient.
  • If you get a message saying File has already been analysed: click Reanalyse file now
  • Once scanned, copy and paste the results in your next reply.
  • Please repeat for the following file:

    C:\WINDOWS\system32\userinit.exe
------------------------------------------------------
__________________
Our help is free but please donate

Proud member of ASAP
Proud member of UNITE
chemist is offline  
Old 04-29-2009, 03:15 PM   #3 (permalink)
Registered User
 
Join Date: Apr 2009
Location: Upstate NY
Posts: 4
OS: xp


Re: Many issues - google redirect, No Disk errors, etc

Thanks so much for the response.

I can't get to that page. I get an error when I click on the link in Firefox. It gives a page load error. As a side note, my browser is going through a proxy, which I don't remember ever setting. I am on home wireless internet. The main computer that has the router is fine. This one is using a wireless card. I had to turn off the proxy to get back to this page this evening. With the proxy on I get an error that the proxy is not responding. The proxy is HTTP proxy localhost 7171.

I will keep trying -- any other suggestions?

Thanks,
Donald
donald112 is offline  
Old 04-29-2009, 03:53 PM   #4 (permalink)
Moderator, Analyst, Security Team; Rangemaster, TSF Academy
 
Join Date: Oct 2007
Location: Georgia
Posts: 10,538
OS: XP SP3


Re: Many issues - google redirect, No Disk errors, etc

See if this helps:

For IE, go Tools > Internet Options > Connections > LAN settings, and uncheck 'Use a proxy server for your LAN' or restore your previous settings and click OK.

For Firefox 3, go Tools > Options > Advanced > Network > Settings, and check 'No proxy' or restore your previous settings and click OK.

chemist is offline  
Old 04-29-2009, 04:22 PM   #5 (permalink)
Registered User
 
Join Date: Apr 2009
Location: Upstate NY
Posts: 4
OS: xp


Re: Many issues - google redirect, No Disk errors, etc

I was able to turn off the proxy but I still can't get to that website (the browser can't find the host server). I can barely get back here without being redirected or just having Firefox shut down. I have access to non-infected computers, but I guess that will not help with what you want me to do. I assume the virus is blocking certain sites.

Any other ideas?
Thanks,
Donald
donald112 is offline  
Old 04-29-2009, 06:01 PM   #6 (permalink)
Moderator, Analyst, Security Team; Rangemaster, TSF Academy
 
Join Date: Oct 2007
Location: Georgia
Posts: 10,538
OS: XP SP3


Re: Many issues - google redirect, No Disk errors, etc

Quote:
It looks like my kids have gotten this computer completely infected.
I hate to be the bearer of bad news, but your system is infected with a polymorphic file infector called Virut. Virut is capable of infecting all the machine's executable files (.exe) and screensaver files (.scr). However, the virus has a number of bugs in its code, and as a result it may misinfect a proportion of executable files, which are then corrupted beyond repair. As of now, security experts suggest that a clean reformat is the only way to clean the infection and the only way to return the machine to its normal working state.

Read here and here

Virut is also a backdoor trojan.

This type of infection allows hackers to remotely control your computer, log keystrokes, steal critical system information, and download and execute files without your knowledge.

If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

------------------------------------------------------

You will have to wipe all your drives and reformat.

Back up all your documents and important items (personal data, work documents, etc.) only. DO NOT back up any executable files (software), screensavers (*.scr), .htm, .html, .iso, .asp, or .php files. It attempts to infect any accessed .exe or .scr files by appending itself to the executable.

Also, try to avoid backing up compressed (zip/cab/rar) files that have .exe or .scr files inside them. Virut can penetrate and infect .exe files inside compressed files too.

Do not back up to another machine, as it may become compromised. Burn to DVD/CD, or to an external drive which has nothing else on it, and which you can format should it happen to become infected from the backups.

If you need help with a clean reformat and reinstall of Windows, I suggest you seek expert advice in our Windows XP Support Forum.

They are more knowledgeable about this procedure and can answer your questions or help you in case something goes wrong.

Remember to immediately install an antivirus program and to then reinstall all the Windows Updates.

These infections are usually picked up from crack sites/warez sites.

SPYWARE PREVENTION
This is a good time to set up protection against further attacks. In light of your recent problem, I'm sure you'd like to avoid any future infections. Please read these well-written articles:
chemist is offline  
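The backup rules in the post above (skip .exe, .scr, .htm, .html, .iso, .asp and .php; avoid archives that carry .exe or .scr inside) are easy to get wrong by hand on a tree full of kids' downloads. The script below is an added example, not code from the thread or from any removal tool: it walks a directory, sorts each file into copy / skip / review, opens zip archives with the standard library to look for blocked members, and sets aside cab and rar archives it cannot inspect for a human decision. The sample tree it builds in a temporary directory is constructed for the demonstration; the "treat any blocked extension inside a zip as a reason to skip the whole archive" choice is the author's, slightly broader than the post's .exe/.scr wording.

```python
"""Pre-backup screen that applies the exclusion rules from the post above."""
import tempfile
import zipfile
from pathlib import Path
from typing import Dict, List

# Extensions the post says must not be carried over to the backup.
BLOCKED_EXTENSIONS = {".exe", ".scr", ".htm", ".html", ".iso", ".asp", ".php"}
# Archive types the post warns about; only zip can be opened with the stdlib.
INSPECTABLE_ARCHIVES = {".zip"}
UNINSPECTABLE_ARCHIVES = {".cab", ".rar"}


def archive_contains_blocked(path: Path) -> bool:
    """True if a zip archive holds any member with a blocked extension.

    An unreadable archive is reported as containing blocked content: the safe
    default is to leave it behind rather than guess.
    """
    try:
        with zipfile.ZipFile(path) as zf:
            return any(Path(name).suffix.lower() in BLOCKED_EXTENSIONS
                       for name in zf.namelist())
    except zipfile.BadZipFile:
        return True


def classify(path: Path) -> str:
    """Return 'copy', 'skip' or 'review' for one file."""
    ext = path.suffix.lower()
    if ext in BLOCKED_EXTENSIONS:
        return "skip"
    if ext in INSPECTABLE_ARCHIVES:
        return "skip" if archive_contains_blocked(path) else "copy"
    if ext in UNINSPECTABLE_ARCHIVES:
        return "review"   # cannot look inside with the stdlib: hand to a human
    return "copy"


def plan_backup(root: Path) -> Dict[str, List[str]]:
    """Walk root and bucket every regular file by the rules above."""
    plan: Dict[str, List[str]] = {"copy": [], "skip": [], "review": []}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            plan[classify(p)].append(p.relative_to(root).as_posix())
    return plan


def build_demo_tree() -> Path:
    """Create a constructed sample tree in a temp dir (placeholder bytes, not real files)."""
    root = Path(tempfile.mkdtemp(prefix="backup_demo_"))
    (root / "music").mkdir()
    (root / "music" / "song.mp3").write_bytes(b"ID3 constructed sample")
    (root / "letter.doc").write_bytes(b"constructed document")
    (root / "setup.exe").write_bytes(b"MZ constructed, not a real binary")
    (root / "saver.scr").write_bytes(b"MZ constructed, not a real binary")
    (root / "page.html").write_text("<html>constructed</html>")
    with zipfile.ZipFile(root / "photos.zip", "w") as zf:
        zf.writestr("holiday/img1.jpg", b"constructed jpeg")
    with zipfile.ZipFile(root / "tools.zip", "w") as zf:
        zf.writestr("bin/tool.exe", b"MZ constructed, not a real binary")
    (root / "archive.rar").write_bytes(b"Rar! constructed")
    return root


if __name__ == "__main__":
    demo = build_demo_tree()
    for bucket, files in plan_backup(demo).items():
        print(f"{bucket:7s} {files}")
```

Pointing plan_backup at the real profile directory gives a list to burn from a known-clean machine's perspective; the review bucket is the one to read carefully, since the post notes Virut can sit inside compressed files as well.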
Old 04-29-2009, 06:45 PM   #7 (permalink)
Registered User
 
Join Date: Apr 2009
Location: Upstate NY
Posts: 4
OS: xp


Re: Many issues - google redirect, No Disk errors, etc

Thanks for the info. Fortunately it is only the kids' computer, not my computer with the important info. They do have a number of iTunes items (movies and music). Can these be burned to CD before I wipe the drive (a new experience for me) and then re-imported into iTunes?

Thanks again,
Donald
donald112 is offline  
Old 04-29-2009, 07:21 PM   #8 (permalink)
Moderator, Analyst, Security Team; Rangemaster, TSF Academy
 
Join Date: Oct 2007
Location: Georgia
Posts: 10,538
OS: XP SP3


Re: Many issues - google redirect, No Disk errors, etc

That should be OK. Just none of the previously mentioned files.

You're welcome!
chemist is offline  
Copyright 2001 - 2009, Tech Support Forum