Old 04-29-2009, 09:50 AM   #1 (permalink)
Registered User
 
Join Date: Apr 2009
Posts: 11
OS: Windows XP


Windows update not working, pop ups and degraded performance

I have several bugs that I can't seem to get rid of. Virus scans detect them but don't seem to be getting rid of them. When I try to do a Windows update it tells me they are disabled. I am unable to set updates to automatic or download them manually. I also receive a lot of pop ups and my internet gaming program does not connect anymore. Any help would be appreciated. Hopefully I am posting the required information correctly.


DDS (Ver_09-03-16.01) - NTFSx86
Run by Jeffrey at 11:34:35.28 on Wed 04/29/2009
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3069.2298 [GMT -4:00]

AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\VentSrv\ventrilo_svc.exe
C:\Program Files\VentSrv\ventrilo_srv.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\CTHELPER.EXE
C:\WINDOWS\system32\CTXFIHLP.EXE
C:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE
C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe
C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Razer\razerhid.exe
C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Roxio Creator 2009\5.0\CPMonitor.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopDisplay.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
C:\Program Files\Razer\razerofa.exe
C:\Program Files\Brother\ControlCenter3\brccMCtl.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\windows\ld08.exe
C:\WINDOWS\system32\rundll32.exe
C:\windows\pp06.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\dll32.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\Common Files\Real\Update_OB\rndal.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\DOCUME~1\Jeffrey\LOCALS~1\Temp\3500905500.exe
C:\Documents and Settings\Jeffrey\Desktop\dds.scr
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.ecipublic.org/
uSearch Page = hxxp://www.google.com/hws/sb/dell-usuk-rel/en/side.html?channel=us
uSearch Bar = hxxp://www.google.com/hws/sb/dell-usuk-rel/en/side.html?channel=us
uDefault_Page_URL = http://www.google.com/ig/dell?hl=en&...us&ibd=0070721
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = *.local;<local>
uInternet Settings,ProxyServer = http=localhost:7171
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/hws/sb/dell-usuk-rel/en/side.html?channel=us
BHO: {86c7423f-c16f-4d5a-8fc7-2876c8462b2b} - c:\windows\system32\vejuweve.dll
BHO: : {ac714786-ac55-49a9-abdc-bd18b7d29627} - c:\windows\system32\vaadyhs.dll
BHO: c:\windows\system32\sjg9s8guigjs.dll: {b2ba40a2-74f0-42bd-f434-12345a2c8953} - c:\windows\system32\sjg9s8guigjs.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
uRun: [DellSupport] "c:\program files\dellsupport\DSAgnt.exe" /startup
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
uRun: [prnet] "c:\windows\system32\prnet.tmp"
uRun: [Diagnostic Manager] c:\docume~1\jeffrey\locals~1\temp\3500905500.exe
uRun: [autochk] rundll32.exe c:\docume~1\networ~1\protect.dll,_IWMPEvents@16
uRun: [dll32] dll32
uRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil10a.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [CTHelper] CTHELPER.EXE
mRun: [CTxfiHlp] CTXFIHLP.EXE
mRun: [CTDVDDET] "c:\program files\creative\sound blaster x-fi\dvdaudio\CTDVDDET.EXE"
mRun: [VolPanel] "c:\program files\creative\sound blaster x-fi\volume panel\VolPanel.exe" /r
mRun: [AudioDrvEmulator] "c:\program files\creative\shared files\module loader\dllml.exe" -1 audiodrvemulator "c:\program files\creative\shared files\module loader\audio emulator\AudDrvEm.dll"
mRun: [UpdReg] c:\windows\UpdReg.EXE
mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [razer] c:\program files\razer\razerhid.exe
mRun: [TkBellExe] c:\program files\common files\real\update_ob\evntsvc.exe -osboot
mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
mRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
mRun: [HelpCenter4.1] c:\program files\bellsouth\helpcenter40b\bin\sprtcmd.exe /P HelpCenter4.1
mRun: [<NO NAME>]
mRun: [RoxWatchTray] "c:\program files\common files\roxio shared\11.0\sharedcom\RoxWatchTray11.exe"
mRun: [CPMonitor] "c:\program files\roxio creator 2009\5.0\CPMonitor.exe"
mRun: [SSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot
mRun: [PaperPort PTD] c:\program files\scansoft\paperport\pptd40nt.exe
mRun: [IndexSearch] c:\program files\scansoft\paperport\IndexSearch.exe
mRun: [BrMfcWnd] c:\program files\brother\brmfcmon\BrMfcWnd.exe /AUTORUN
mRun: [SetDefPrt] c:\program files\brother\brmfl06a\BrStDvPt.exe
mRun: [ControlCenter3] c:\program files\brother\controlcenter3\brctrcen.exe /autorun
mRun: [ccApp] -
mRun: [vptray] c:\progra~1\symant~1\VPTray.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [prnet] "c:\windows\system32\prnet.tmp"
mRun: [niyubedeza] Rundll32.exe "c:\windows\system32\jodayodu.dll",s
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [Framework Windows] frmwrk32.exe
mRun: [sysldtray] c:\windows\ld08.exe
mRun: [autochk] rundll32.exe c:\windows\system32\autochk.dll,_IWMPEvents@16
mRun: [pp] c:\windows\pp06.exe
mRun: [c05319b6] rundll32.exe "c:\windows\system32\mejetiwa.dll",b
mRun: [CPMc3602a2a] Rundll32.exe "c:\windows\system32\wisebiga.dll",a
dRun: [MySpaceIM] c:\program files\myspace\im\MySpaceIM.exe
dRun: [A00F43D3952.exe] c:\windows\temp\_A00F43D3952.exe
dRun: [<NO NAME>] c:\windows\temp\jd6ukby74.exe
dRun: [Windows Resurections] c:\windows\temp\jd6ukby74.exe
dRun: [Diagnostic Manager] c:\windows\temp\641853828.exe
dRun: [autochk] rundll32.exe c:\docume~1\locals~1\protect.dll,_IWMPEvents@16
StartupFolder: c:\documents and settings\jeffrey\start menu\programs\startup\ChkDisk.dll
StartupFolder: c:\docume~1\jeffrey\startm~1\programs\startup\chkdisk.lnk - c:\windows\system32\rundll32.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hppsc1~1.lnk - c:\program files\hewlett-packard\digital imaging\bin\hpohmr08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpoddt~1.lnk - c:\program files\hewlett-packard\digital imaging\bin\hpotdd01.exe
uPolicies-explorer: NoFolderOptions = 1 (0x1)
uPolicies-system: DisableRegistryTools = 1 (0x1)
dPolicies-explorer: NoFolderOptions = 1 (0x1)
dPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
dPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
dPolicies-system: DisableRegistryTools = 1 (0x1)
dPolicies-system: DisableTaskMgr = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office12\REFIEBAR.DLL
LSP: c:\windows\temp\ntdll64.dll
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/C/0/C/C0CBBA88-A6F2-48D9-9B0E-1719D1177202/LegitCheckControl.cab
DPF: {54BE6B6F-3056-470B-97E1-BB92E051B6C4} - hxxp://h30155.www3.hp.com/ediags/dd/install/HPDriverDiagnosticsxp2k.cab
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase5483.cab
DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} - hxxps://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} - hxxps://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E856B973-45FD-4559-8F82-EAB539144667} - hxxp://pccheckup.dellfix.com/rel/41/install/gtdownde.cab
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
Notify: zodlrybo - vaadyhs.dll
Notify: __c0035B44 - c:\windows\system32\__c0035B44.dat
AppInit_DLLs: c:\progra~1\google\google~1\goec62~1.dll c:\windows\system32\lofimazi.dll c:\windows\system32\wisebiga.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\wisebiga.dll
STS: c:\windows\system32\sjg9s8guigjs.dll: {b2ba40a2-74f0-42bd-f434-12345a2c8953} - c:\windows\system32\sjg9s8guigjs.dll
STS: STS: {ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} - c:\windows\system32\wisebiga.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll
LSA: Notification Packages = scecli c:\windows\system32\lofimazi.dll

============= SERVICES / DRIVERS ===============

R0 iopxnftf;iopxnftf;c:\windows\system32\drivers\iopxnftf.sys [2005-8-16 23424]
R1 SAVRTPEL;SAVRTPEL;c:\program files\symantec antivirus\Savrtpel.sys [2005-12-19 54968]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2006-3-7 169632]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 olvqghst;MRESP50 NDIS Protocol Monitor;c:\windows\system32\svchost.exe -k netsvcs [2005-8-16 14336]
R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-2-27 101936]
R3 TarFltr;Razer Tarantula USB Keyboard;c:\windows\system32\drivers\UsbFltr.sys [2007-7-26 44800]
S1 505069ab;505069ab;c:\windows\system32\drivers\505069ab.sys --> c:\windows\system32\drivers\505069ab.sys [?]
S2 Roxio Upnp Server 11;Roxio Upnp Server 11;c:\program files\roxio creator 2009\digital home 11\RoxioUpnpService11.exe [2008-8-14 367088]
S2 RoxLiveShare11;LiveShare P2P Server 11;c:\program files\common files\roxio shared\11.0\sharedcom\RoxLiveShare11.exe [2008-8-14 309744]
S2 RoxWatch11;Roxio Hard Drive Watcher 11;c:\program files\common files\roxio shared\11.0\sharedcom\RoxWatch11.exe [2008-8-14 170480]
S3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20090419.005\naveng.sys [2009-4-19 89104]
S3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20090419.005\navex15.sys [2009-4-19 876144]
S3 Razerlow;Razerlow USB Filter Driver;c:\windows\system32\drivers\Razerlow.sys [2007-7-26 13225]
S3 Roxio UPnP Renderer 11;Roxio UPnP Renderer 11;c:\program files\roxio creator 2009\digital home 11\RoxioUPnPRenderer11.exe [2008-8-14 313840]
S3 RoxMediaDB11;RoxMediaDB11;c:\program files\common files\roxio shared\11.0\sharedcom\RoxMediaDB11.exe [2008-8-14 1124848]
S3 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2006-3-17 115952]
S3 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec antivirus\Rtvscan.exe [2006-3-17 1799408]
S4 ccEvtMgr;Symantec Event Manager;- --> - [?]
S4 SAVRT;SAVRT;- --> - [?]

=============== Created Last 30 ================

2009-04-29 11:31 1,433,845 ---sh--- c:\windows\system32\awitejem.ini
2009-04-28 18:53 27,648 a------- c:\windows\system32\lmppcsetup.exe
2009-04-28 18:31 0 a------- c:\windows\mqcd.dbt
2009-04-28 18:30 15,360 a------- c:\windows\system32\dll32.exe
2009-04-28 18:30 1 a------- c:\windows\9g2234wesdf3dfgjf23
2009-04-28 18:30 10,752 ----h--- c:\windows\pp06.exe
2009-04-28 18:30 2 ----h--- c:\windows\t55ft2692f44.dat
2009-04-28 18:30 <DIR> --d----- c:\windows\system32\796525
2009-04-28 18:30 28,672 a------- c:\windows\system32\inqby.sr
2009-04-28 18:30 32,768 a------- c:\windows\system32\ferryl.cbv
2009-04-28 18:30 32,768 a------- c:\windows\system32\fairy.an
2009-04-28 18:30 79,360 a------- c:\windows\system32\ashl.nq
2009-04-28 18:30 28,672 a------- c:\windows\system32\dolman.zt
2009-04-28 18:28 24,064 a--sh--- c:\documents and settings\jeffrey\protect.dll
2009-04-28 18:28 24,064 a--sh--- c:\windows\system32\autochk.dll
2009-04-28 18:24 16,384 ----h--- c:\windows\ld08.exe
2009-04-28 18:24 101,888 a------- C:\wwmeoblk.exe
2009-04-28 18:24 578,560 a------- c:\windows\system32\dllcache\user32.dll
2009-04-28 18:24 262,144 a------- c:\windows\system32\nvrsk.dll
2009-04-28 18:24 2 a------- C:\-1068295911
2009-04-28 18:24 115,712 a------- c:\windows\system32\azton.mt
2009-04-28 18:24 115,712 a------- C:\kggi.exe
2009-04-28 18:24 15,000 a------- c:\windows\system32\sjg9s8guigjs.dll
2009-04-27 18:44 4,785 a------- c:\windows\system32\warning.gif
2009-04-27 18:44 1,400 a------- c:\windows\system32\ahtn.htm
2009-04-27 18:44 439 a------- c:\windows\system32\win32hlp.cnf
2009-04-27 18:44 104,960 a------- c:\windows\system32\dllcache\userinit.exe
2009-04-27 18:44 1 a------- c:\windows\system32\uniq.tll
2009-04-27 18:44 29,696 a------- c:\windows\system32\loader49.exe
2009-04-27 18:30 46 a------- c:\windows\system32\p2hhr.bat
2009-04-27 18:29 15,000 a------- c:\windows\system32\yhs783ijfo3fe.dll
2009-04-27 18:14 27,648 a------- c:\windows\system32\__c0035B44.dat
2009-04-27 18:14 39,936 a------- c:\windows\system32\winglsetup.exe
2009-04-27 18:00 1,433,840 ---sh--- c:\windows\system32\otefupob.ini
2009-04-26 17:46 1,427,288 ---sh--- c:\windows\system32\onariyen.ini
2009-04-25 22:53 <DIR> --d----- c:\program files\WWShow
2009-04-25 22:48 <DIR> --d----- c:\program files\Jcore
2009-04-25 18:11 49,152 a------- c:\windows\system32\ftp_non_crp.exe
2009-04-25 17:46 1,406,509 ---sh--- c:\windows\system32\oniwafiz.ini
2009-04-24 22:33 5,440 ---sh--- c:\windows\system32\wihalewo.dll
2009-04-24 22:33 5,440 ---sh--- c:\windows\system32\vofidato.dll
2009-04-24 22:33 2,713 ---sh--- c:\windows\system32\bogosara.exe
2009-04-24 22:30 87,040 a------- c:\windows\system32\nemihito.dll
2009-04-24 22:30 52,224 a------- c:\windows\system32\vihagiva.exe
2009-04-18 19:25 <DIR> --d----- c:\program files\iPod
2009-04-18 19:25 <DIR> --d----- c:\program files\iTunes
2009-04-18 19:25 <DIR> --d----- c:\docume~1\alluse~1\applic~1\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-04-18 16:27 1,203,922 -------- c:\windows\system32\dllcache\sysmain.sdb
2009-04-18 16:27 215,552 -------- c:\windows\system32\dllcache\wordpad.exe
2009-04-18 16:27 2,560 -------- c:\windows\system32\xpsp4res.dll
2009-04-12 10:47 1,089,593 -------- c:\windows\system32\dllcache\ntprint.cat
2009-04-11 12:10 <DIR> --d----- C:\576e53d794bdf7a2a884d6d03d510b98
2009-04-11 12:10 <DIR> --d----- c:\windows\SxsCaPendDel
2009-04-04 15:58 21,504 a------- c:\windows\jestertb.dll
2009-04-03 13:46 0 a------- c:\windows\vpc32.INI
2009-04-03 13:42 0 a------- c:\windows\system32\drivers\UACd.sys

==================== Find3M ====================

2009-04-29 11:31 88,064 a--sh--- c:\windows\system32\wisebiga.dll
2009-04-29 11:31 80,384 a--sh--- c:\windows\system32\mejetiwa.dll
2009-04-28 18:24 578,560 a------- c:\windows\system32\user32.DLL
2009-04-28 18:24 87,552 a--sh--- c:\windows\system32\goradoja.dll
2009-04-28 18:24 80,896 a--sh--- c:\windows\system32\yunukino.dll
2009-04-27 18:44 104,960 a------- c:\windows\system32\userinit.exe
2009-04-27 18:00 88,576 a--sh--- c:\windows\system32\sizebave.dll.vir
2009-04-27 18:00 79,360 -------- c:\windows\system32\bopufeto.dll
2009-04-27 18:00 50,688 a--sh--- c:\windows\system32\ludiwemi.exe
2009-04-26 17:46 88,064 a--sh--- c:\windows\system32\veriwada.dll
2009-04-26 17:46 52,224 a--sh--- c:\windows\system32\yevalofa.exe
2009-04-26 17:46 79,872 -------- c:\windows\system32\neyirano.dll
2009-04-26 05:46 88,576 a--sh--- c:\windows\system32\bozakita.dll
2009-04-26 05:46 79,872 a--sh--- c:\windows\system32\pohubeli.dll
2009-04-26 05:46 51,712 a--sh--- c:\windows\system32\yozuyosa.exe
2009-04-25 17:47 48,640 a--sh--- c:\windows\system32\dazizoru.dll
2009-04-25 17:46 88,064 a--sh--- c:\windows\system32\vujabafo.dll
2009-04-25 17:46 50,688 a--sh--- c:\windows\system32\rinebali.exe
2009-04-25 17:46 79,360 -------- c:\windows\system32\zifawino.dll
2009-03-21 10:06 989,696 -------- c:\windows\system32\dllcache\kernel32.dll
2009-03-19 16:32 23,400 a------- c:\windows\system32\drivers\GEARAspiWDM.sys
2009-03-06 10:22 284,160 a------- c:\windows\system32\pdh.dll
2009-03-06 10:22 284,160 -------- c:\windows\system32\dllcache\pdh.dll
2009-03-05 23:59 1,900,544 a------- c:\windows\system32\usbaaplrc.dll
2009-03-05 23:59 36,864 a------- c:\windows\system32\drivers\usbaapl.sys
2009-03-02 20:18 826,368 a------- c:\windows\system32\wininet.dll
2009-03-02 20:18 826,368 a------- c:\windows\system32\dllcache\wininet.dll
2009-02-28 00:54 636,072 -------- c:\windows\system32\dllcache\iexplore.exe
2009-02-20 06:20 70,656 -------- c:\windows\system32\dllcache\ie4uinit.exe
2009-02-20 06:20 13,824 -------- c:\windows\system32\dllcache\ieudinit.exe
2009-02-20 01:14 161,792 -------- c:\windows\system32\dllcache\ieakui.dll
2009-02-09 08:10 729,088 a------- c:\windows\system32\lsasrv.dll
2009-02-09 08:10 729,088 -------- c:\windows\system32\dllcache\lsasrv.dll
2009-02-09 08:10 714,752 a------- c:\windows\system32\ntdll.dll
2009-02-09 08:10 617,472 a------- c:\windows\system32\advapi32.dll
2009-02-09 08:10 401,408 a------- c:\windows\system32\rpcss.dll
2009-02-09 08:10 714,752 -------- c:\windows\system32\dllcache\ntdll.dll
2009-02-09 08:10 617,472 -------- c:\windows\system32\dllcache\advapi32.dll
2009-02-09 08:10 473,600 -------- c:\windows\system32\dllcache\fastprox.dll
2009-02-09 08:10 453,120 -------- c:\windows\system32\dllcache\wmiprvsd.dll
2009-02-09 08:10 401,408 -------- c:\windows\system32\dllcache\rpcss.dll
2009-02-09 07:13 1,846,784 a------- c:\windows\system32\win32k.sys
2009-02-09 07:13 1,846,784 -------- c:\windows\system32\dllcache\win32k.sys
2009-02-07 19:02 2,066,048 -------- c:\windows\system32\dllcache\ntkrnlpa.exe
2009-02-06 07:11 110,592 a------- c:\windows\system32\services.exe
2009-02-06 07:11 110,592 -------- c:\windows\system32\dllcache\services.exe
2009-02-06 07:08 2,189,056 -------- c:\windows\system32\dllcache\ntoskrnl.exe
2009-02-06 07:06 2,145,280 a------- c:\windows\system32\ntoskrnl.exe
2009-02-06 07:06 2,145,280 -------- c:\windows\system32\dllcache\ntkrnlmp.exe
2009-02-06 06:39 35,328 a------- c:\windows\system32\sc.exe
2009-02-06 06:39 35,328 -------- c:\windows\system32\dllcache\sc.exe
2009-02-06 06:32 2,023,936 a------- c:\windows\system32\ntkrnlpa.exe
2009-02-06 06:32 2,023,936 -------- c:\windows\system32\dllcache\ntkrpamp.exe
2009-02-06 06:10 227,840 -------- c:\windows\system32\dllcache\wmiprvse.exe
2009-02-03 15:59 56,832 a------- c:\windows\system32\secur32.dll
2009-02-03 15:59 56,832 -------- c:\windows\system32\dllcache\secur32.dll
2009-02-02 19:34 90,112 a------- c:\windows\DUMP32a8.tmp
2008-05-19 18:09 53,934 a------- c:\program files\INSTALL.LOG
2008-03-27 18:45 490 a---h--- c:\documents and settings\jeffrey\hpothb07.dat
2009-01-25 17:47 48,640 a--sh--- c:\windows\system32\jodayodu.dll
2009-01-25 17:47 48,640 a--sh--- c:\windows\system32\lofimazi.dll
2009-01-25 17:47 48,640 a--sh--- c:\windows\system32\vejuweve.dll

============= FINISH: 11:35:13.31 ===============


Attach.zip

ark.zip
jdlucas is offline  
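A triage pass over the kind of DDS "Pseudo HJT Report" posted above, as an added example that is not code from this thread, from DDS or from ComboFix. The sample input is constructed from lines of that report; the rules (local proxy, autoruns from temp/profile folders or the Windows root, tool-lockout policies, unnamed BHOs, LSP/Notify/AppInit/LSA hooks) and the severities are my own heuristics, written to show which lines an analyst pulls out first, including the proxy lines the CFScript in this thread targets.

```python
"""Triage a DDS 'Pseudo HJT Report' for the autorun, proxy and hook patterns
seen in the report above. Rules and severities are heuristics written for this
example, not DDS or ComboFix logic."""
import re
from typing import List, Tuple

Finding = Tuple[str, str, str]  # (severity, reason, offending log line)

# Constructed sample input: entries copied from the DDS report in this thread.
SAMPLE_LOG = r"""
uInternet Settings,ProxyOverride = *.local;<local>
uInternet Settings,ProxyServer = http=localhost:7171
BHO: {86c7423f-c16f-4d5a-8fc7-2876c8462b2b} - c:\windows\system32\vejuweve.dll
uRun: [DellSupport] "c:\program files\dellsupport\DSAgnt.exe" /startup
uRun: [Diagnostic Manager] c:\docume~1\jeffrey\locals~1\temp\3500905500.exe
uRun: [autochk] rundll32.exe c:\docume~1\networ~1\protect.dll,_IWMPEvents@16
mRun: [sysldtray] c:\windows\ld08.exe
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
dRun: [Windows Resurections] c:\windows\temp\jd6ukby74.exe
uPolicies-system: DisableRegistryTools = 1 (0x1)
dPolicies-system: DisableTaskMgr = 1 (0x1)
LSP: c:\windows\temp\ntdll64.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
Notify: zodlrybo - vaadyhs.dll
AppInit_DLLs: c:\progra~1\google\google~1\goec62~1.dll c:\windows\system32\lofimazi.dll
LSA: Notification Packages = scecli c:\windows\system32\lofimazi.dll
"""

# Folders nothing legitimate should autostart or hook from.
SUSPICIOUS_DIRS = ("\\temp\\", "\\locals~1\\", "\\local settings\\")
# Policies that take Regedit, Task Manager and Folder Options away from the user.
LOCKOUT_POLICIES = {"disableregistrytools", "disabletaskmgr", "nofolderoptions"}
RUN_RE = re.compile(r"^[umd]Run(?:Once)?:\s*\[[^\]]*\]\s*(?P<cmd>.*)$", re.I)
POLICY_RE = re.compile(r"^[umd]Policies-\w+:\s*(?P<key>\w+)\s*=\s*(?P<val>\d+)", re.I)
WIN_ROOT_EXE = re.compile(r'^"?c:\\windows\\[^\\"]+\.exe"?(?:\s|$)', re.I)
LOCAL_PROXY = re.compile(r"(?:localhost|127\.0\.0\.1):\d+", re.I)


def triage(log_text: str) -> List[Finding]:
    """Return one finding per suspicious line; lines matching no rule stay silent."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        low = line.lower()
        if not line:
            continue
        # 1. Browser traffic forced through a listener on the machine itself,
        #    which is how a local trojan rewrites or blocks web requests.
        if low.startswith("uinternet settings,proxyserver") and LOCAL_PROXY.search(low):
            findings.append(("high", "IE proxy points at a local listener", line))
            continue
        # 2. Autoruns started from temp/profile folders or the bare Windows folder.
        m = RUN_RE.match(line)
        if m:
            cmd = m.group("cmd").lower()
            if any(d in cmd for d in SUSPICIOUS_DIRS):
                findings.append(("high", "autorun launched from a temp/profile folder", line))
            elif WIN_ROOT_EXE.match(cmd):
                findings.append(("high", "autorun executable dropped directly in the Windows folder", line))
            elif "rundll32" in cmd and "\\docume~1\\" in cmd:
                findings.append(("high", "rundll32 loading a DLL from a user profile", line))
            continue
        # 3. Policies that lock the user out of their own admin tools.
        m = POLICY_RE.match(line)
        if m and m.group("key").lower() in LOCKOUT_POLICIES and m.group("val") != "0":
            findings.append(("high", f"policy {m.group('key')} disables an admin tool", line))
            continue
        # 4. Unnamed BHOs: legitimate add-ons register a display name.
        if low.startswith("bho:"):
            name = line[4:].split("{", 1)[0].strip().rstrip(":").strip()
            if not name or name.lower().endswith(".dll"):
                findings.append(("review", "BHO registered without a display name", line))
        # 5. Deep hooks: Winsock LSP, Winlogon Notify, AppInit_DLLs, LSA packages.
        elif low.startswith("lsp:") and any(d in low for d in SUSPICIOUS_DIRS):
            findings.append(("high", "Winsock LSP loaded from a temp folder", line))
        elif low.startswith("notify:"):
            module = line.split(" - ", 1)[-1].strip()
            if "\\" not in module:  # bare filename: resolved via the DLL search path
                findings.append(("review", "Winlogon Notify package given as bare filename", line))
        elif low.startswith("appinit_dlls:"):
            findings.append(("review", "AppInit_DLLs injects into every GUI process; verify each DLL", line))
        elif low.startswith("lsa: notification packages"):
            extras = [p for p in line.split("=", 1)[1].split() if p.lower() != "scecli"]
            if extras:
                findings.append(("high", "extra LSA notification package: " + ", ".join(extras), line))
    return findings


if __name__ == "__main__":
    for severity, reason, line in triage(SAMPLE_LOG):
        print(f"[{severity:6}] {reason}\n         {line}")
```

Run against the full report rather than the sample to see every autorun and hook line ranked; anything the rules stay silent on still needs a manual look, since a clean-looking path in system32 (the randomly named DLLs above) is not proof of anything.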

Old 04-30-2009, 05:39 AM   #2 (permalink)
Analyst, Security Team
 
 
Join Date: Jan 2009
Location: Canada
Posts: 2,144
OS: XP sp3


Re: Windows update not working, pop ups and degraded performance

Hello, and welcome to TSF.

I am currently reviewing your log. I will be back with a fix for your problem as soon as possible.

Please subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread.
Make sure it is set to Instant Notification, then click Subscribe.

Please be patient with me during this time.
__________________


ASAP & UNITE Member
CatByte is offline  
Old 04-30-2009, 09:28 AM   #3 (permalink)
Analyst, Security Team
 
 
Join Date: Jan 2009
Location: Canada
Posts: 2,144
OS: XP sp3


Re: Windows update not working, pop ups and degraded performance

Hi jdlucas,

Please do the following:

Download ComboFix from one of these locations:
Link 1
Link 2
Link 3

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
Double click on ComboFix.exe & follow the prompts.

NEXT

Open Notepad and copy/paste the text inside the quote box below into it:

Quote:
DDS::
uInternet Settings,ProxyOverride = *.local;<local>
uInternet Settings,ProxyServer = http=localhost:7171
Save this as CFScript.txt


Referring to the picture above, drag CFScript.txt into ComboFix.exe


As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
Notes:
  1. Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
  2. Do not "re-run" ComboFix. If you have a problem, reply back for further instructions.

Please make sure you include the ComboFix log in your next reply, as well as a description of how your computer is running now.
__________________


ASAP & UNITE Member
CatByte is offline  
Old 04-30-2009, 03:09 PM   #4 (permalink)
Registered User
 
Join Date: Apr 2009
Posts: 11
OS: Windows XP


Re: Windows update not working, pop ups and degraded performance

After I ran ComboFix, I was unable to connect to any web pages. I rebooted and am still unable to connect to anything, so I am doing these posts from another system. Attached is the ComboFix log.

ComboFix 09-04-30.02 - Jeffrey 04/30/2009 16:50.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3069.2514 [GMT -4:00]
Running from: c:\documents and settings\Jeffrey\Desktop\ComboFix.exe
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated)
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\Jeffrey\LOCALS~1\Temp\h86m1qdq.exe
c:\documents and settings\Jeffrey\Local Settings\Temp\h86m1qdq.exe
c:\documents and settings\Jeffrey\reader_s.exe
c:\windows\ld08.exe
c:\windows\system32\796525
c:\windows\system32\796525\796525.dll
c:\windows\system32\azton.mt
c:\windows\system32\dl32.exe
c:\windows\system32\nvrsk.dll
c:\windows\system32\sjg9s8guigjs.dll
c:\windows\temp\1642042980.exe
.
---- Previous Run -------
.
c:\docume~1\Jeffrey\LOCALS~1\Temp\mousehook.dll
c:\docume~1\Jeffrey\LOCALS~1\Temp\ntdll64.dll
c:\documents and settings\Home\protect.dll
c:\documents and settings\Home\Start Menu\Programs\Startup\ChkDisk.dll
c:\documents and settings\Home\Start Menu\Programs\Startup\ChkDisk.lnk
c:\documents and settings\Jeffrey\Local Settings\Temporary Internet Files\bestwiner.stt
c:\documents and settings\Jeffrey\Local Settings\Temporary Internet Files\fbk.sts
c:\documents and settings\Jeffrey\protect.dll
c:\documents and settings\Jeffrey\reader_s.exe
c:\documents and settings\Jeffrey\Start Menu\Programs\Startup\ChkDisk.dll
c:\documents and settings\Jeffrey\Start Menu\Programs\Startup\ChkDisk.lnk
c:\documents and settings\LocalService\protect.dll
c:\documents and settings\NetworkService\protect.dll
c:\program files\INSTALL.LOG
c:\windows\dat.txt
c:\windows\jestertb.dll
c:\windows\ld08.exe
c:\windows\mqcd.dbt
c:\windows\pp06.exe
c:\windows\rs.txt
c:\windows\search_res.txt
c:\windows\system32\__c0035B44.dat
c:\windows\system32\796525
c:\windows\system32\796525\796525.dll
c:\windows\system32\ahtn.htm
c:\windows\system32\ashl.nq
c:\windows\system32\autochk.dll
c:\windows\system32\awitejem.ini
c:\windows\system32\azton.mt
c:\windows\system32\bogosara.exe
c:\windows\system32\bozakita.dll
c:\windows\system32\config\systemprofile\protect.dll
c:\windows\system32\config\systemprofile\reader_s.exe
c:\windows\system32\dazizoru.dll
c:\windows\system32\dl32.exe
c:\windows\system32\dll32.exe
c:\windows\system32\dolman.zt
c:\windows\system32\drivers\ovfsthrnqrckgvcmxmdaphktwbjnqdybrkuwkg.sys
c:\windows\system32\fairy.an
c:\windows\system32\ferryl.cbv
c:\windows\system32\goradoja.dll
c:\windows\system32\inqby.sr
c:\windows\system32\jodayodu.dll
c:\windows\system32\loader49.exe
c:\windows\system32\lofimazi.dll
c:\windows\system32\ludiwemi.exe
c:\windows\system32\mejetiwa.dll
c:\windows\system32\nemihito.dll
c:\windows\system32\neyirano.dll
c:\windows\system32\nvrsk.dll
c:\windows\system32\onariyen.ini
c:\windows\system32\oniwafiz.ini
c:\windows\system32\otefupob.ini
c:\windows\system32\ovfsthdrnuwlpgvfhcjlobuicqmuodbojcntvf.dll
c:\windows\system32\ovfsthimcvxqsspfnjsephxhajvwqvvewcvmou.dat
c:\windows\system32\ovfsthjmsigvgjeiugcigfynrmkwkqxbjmamqt.dat
c:\windows\system32\ovfsththbxfyydsdhgwnxlwnngiflmqobvhyll.dll
c:\windows\system32\ovfsthtstyieioopsdncuskahaoruldklpxohp.dll
c:\windows\system32\p2hhr.bat
c:\windows\system32\pofusido.dll
c:\windows\system32\pohubeli.dll
c:\windows\system32\reader_s.exe
c:\windows\system32\rinebali.exe
c:\windows\system32\sjg9s8guigjs.dll
c:\windows\system32\uniq.tll
c:\windows\system32\vejuweve.dll
c:\windows\system32\veriwada.dll
c:\windows\system32\vujabafo.dll
c:\windows\system32\warning.gif
c:\windows\system32\win32hlp.cnf
c:\windows\system32\winglsetup.exe
c:\windows\system32\yhs783ijfo3fe.dll
c:\windows\system32\yozuyosa.exe
c:\windows\system32\yunukino.dll
c:\windows\system32\zifawino.dll
c:\windows\Tasks\At1.job
c:\windows\Temp\1992372518.exe
c:\windows\Temp\3420974664.exe
c:\windows\Temp\4167849664.exe
c:\windows\Temp\4169724664.exe
c:\windows\Temp\417791328.exe
c:\windows\Temp\4204255914.exe
c:\windows\Temp\496697578.exe
c:\windows\Temp\641853828.exe
c:\windows\TEMP\ntdll64.dll
c:\windows\system32\vaadyhs.dll . . . . failed to delete

Infected copy of c:\windows\system32\userinit.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\userinit.exe


.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_ovfsthvxiaaxbmviecueumepcjvnmbisjixhiv
-------\Legacy_fci
-------\Legacy_olvqghst
-------\Service_FCI
-------\Service_olvqghst


((((((((((((((((((((((((( Files Created from 2009-03-28 to 2009-04-30 )))))))))))))))))))))))))))))))
.

2009-04-30 20:46 . 2009-04-30 20:52 94204 ----a-w c:\windows\system32\drivers\3122ef45.sys
2009-04-30 20:46 . 2009-04-30 20:46 7680 ----a-w C:\okex.exe
2009-04-30 20:44 . 2009-04-30 20:44 14848 ----a-w c:\windows\st_1241142708.exe
2009-04-30 20:43 . 2009-04-30 20:44 94204 ----a-w c:\windows\system32\drivers\6e16c1a.sys
2009-04-30 20:41 . 2009-04-30 20:41 212224 ----a-w c:\windows\system32\dllcache\ndis.sys
2009-04-30 20:41 . 2009-04-30 20:41 94204 ----a-w c:\windows\system32\drivers\d4d20574.sys
2009-04-30 20:20 . 2009-04-30 20:46 101888 ----a-w C:\ohkbrkoo.exe
2009-04-30 20:20 . 2009-04-30 20:46 705 ----a-w C:\xmrgycj.exe
2009-04-30 20:20 . 2009-04-30 20:46 113664 ----a-w C:\xipr.exe
2009-04-30 20:19 . 2009-04-30 20:52 94204 ----a-w c:\windows\system32\drivers\7276c804.sys
2009-04-30 20:19 . 2009-04-30 20:19 705 ----a-w C:\pdtivk.exe
2009-04-30 20:19 . 2009-04-30 20:19 7680 ----a-w C:\celkadaa.exe
2009-04-30 20:19 . 2009-04-30 20:19 9216 ----a-w c:\windows\instsp2.exe
2009-04-29 21:04 . 2009-04-29 21:04 -------- d-----w c:\documents and settings\Jeffrey\Application Data\qsruvvcs
2009-04-29 21:04 . 2009-04-29 21:04 -------- d-----w c:\documents and settings\Jeffrey\Local Settings\Application Data\qsruvvcs
2009-04-29 20:54 . 2009-04-29 20:54 2 ---h--w c:\windows\t55ft2695f44.dat
2009-04-29 20:54 . 2009-04-29 20:54 2 ---h--w c:\windows\t55ft2667f44.dat
2009-04-29 02:43 . 2009-04-29 02:43 -------- d-----w c:\documents and settings\Jeffrey\Local Settings\Application Data\Dell
2009-04-29 01:16 . 2007-07-21 13:27 -------- d-----w c:\documents and settings\Home\Local Settings\Application Data\Google
2009-04-28 22:30 . 2009-04-28 22:30 2 ---h--w c:\windows\t55ft2692f44.dat
2009-04-28 22:24 . 2009-04-30 20:19 101888 ----a-w C:\wwmeoblk.exe
2009-04-28 22:24 . 2009-04-30 20:51 578560 ----a-w c:\windows\system32\dllcache\user32.dll
2009-04-28 22:24 . 2009-04-30 20:19 115712 ----a-w C:\kggi.exe
2009-04-26 13:24 . 2009-04-26 13:24 -------- d-----w c:\program files\Windows Defender
2009-04-26 04:33 . 2009-04-27 01:00 -------- d-----w c:\program files\Windows Live Safety Center
2009-04-26 02:53 . 2009-04-26 03:01 -------- d-----w c:\program files\WWShow
2009-04-26 02:48 . 2009-04-27 02:09 -------- d-----w c:\program files\Jcore
2009-04-25 22:11 . 2009-04-25 22:13 49152 ----a-w c:\windows\system32\ftp_non_crp.exe
2009-04-25 02:33 . 2009-04-25 02:33 5440 --sh--w c:\windows\system32\wihalewo.dll
2009-04-25 02:33 . 2009-04-25 02:33 5440 --sh--w c:\windows\system32\vofidato.dll
2009-04-25 02:30 . 2009-04-25 03:33 52224 ----a-w c:\windows\system32\vihagiva.exe
2009-04-20 01:53 . 2009-04-20 01:53 -------- d-----w c:\documents and settings\Jeffrey\Local Settings\Application Data\Help
2009-04-19 21:58 . 2009-04-19 21:58 -------- d-----w c:\documents and settings\LocalService\Local Settings\Application Data\SupportSoft
2009-04-18 23:25 . 2009-04-18 23:25 -------- d-----w c:\program files\iPod
2009-04-18 23:25 . 2009-04-18 23:25 -------- d-----w c:\program files\iTunes
2009-04-18 23:25 . 2009-04-18 23:25 -------- d-----w c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-04-18 20:28 . 2009-03-06 14:22 284160 ------w c:\windows\system32\dllcache\pdh.dll
2009-04-18 20:28 . 2009-02-06 10:39 35328 ------w c:\windows\system32\dllcache\sc.exe
2009-04-18 20:28 . 2009-02-09 12:10 401408 ------w c:\windows\system32\dllcache\rpcss.dll
2009-04-18 20:28 . 2009-02-06 11:11 110592 ------w c:\windows\system32\dllcache\services.exe
2009-04-18 20:28 . 2009-02-09 12:10 473600 ------w c:\windows\system32\dllcache\fastprox.dll
2009-04-18 20:28 . 2009-02-06 10:10 227840 ------w c:\windows\system32\dllcache\wmiprvse.exe
2009-04-18 20:28 . 2009-02-09 12:10 453120 ------w c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-18 20:28 . 2009-02-09 12:10 729088 ------w c:\windows\system32\dllcache\lsasrv.dll
2009-04-18 20:28 . 2009-02-09 12:10 617472 ------w c:\windows\system32\dllcache\advapi32.dll
2009-04-18 20:28 . 2009-02-09 12:10 714752 ------w c:\windows\system32\dllcache\ntdll.dll
2009-04-18 20:27 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll
2009-04-18 20:27 . 2008-04-21 12:08 215552 ------w c:\windows\system32\dllcache\wordpad.exe
2009-04-11 16:10 . 2009-04-11 16:10 -------- d-----w C:\576e53d794bdf7a2a884d6d03d510b98
2009-04-11 16:10 . 2009-04-11 16:47 -------- d-----w c:\windows\SxsCaPendDel
2009-04-03 18:07 . 2009-04-03 18:07 -------- d-----w c:\documents and settings\LocalService\Local Settings\Application Data\Google
2009-04-03 17:42 . 2009-04-19 21:57 0 ----a-w c:\windows\system32\drivers\UACd.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-30 20:51 . 2005-08-16 09:18 578560 ----a-w c:\windows\system32\user32.dll
2009-04-30 20:47 . 2005-08-16 09:18 14336 ----a-w c:\windows\system32\svchost.exe
2009-04-30 20:41 . 2005-08-16 09:18 212224 ----a-w c:\windows\system32\drivers\ndis.sys
2009-04-30 20:37 . 2005-08-16 09:18 103424 ----a-w c:\windows\system32\xsmzygj.dll
2009-04-30 20:19 . 2009-01-30 20:19 51712 --sha-w c:\windows\system32\tineraka.exe
2009-04-30 20:19 . 2009-01-30 20:19 87552 --sha-w c:\windows\system32\wegabalu.dll
2009-04-29 15:31 . 2009-01-29 15:31 88064 --sha-w c:\windows\system32\wisebiga.dll.vir
2009-04-27 22:00 . 2009-01-27 22:00 88576 --sha-w c:\windows\system32\sizebave.dll.vir
2009-04-26 21:46 . 2009-01-26 21:46 52224 --sha-w c:\windows\system32\yevalofa.exe
2009-04-25 02:27 . 2008-12-18 22:30 -------- d-----w c:\program files\Symantec AntiVirus
2009-04-19 22:02 . 2007-07-21 13:30 47944 ----a-w c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-18 23:25 . 2007-10-12 02:26 -------- d-----w c:\program files\Common Files\Apple
2009-04-11 15:48 . 2008-02-23 03:40 8 ----a-w c:\windows\system32\nvModes.dat
2009-03-19 20:32 . 2009-02-23 22:48 23400 ----a-w c:\windows\system32\drivers\GEARAspiWDM.sys
2009-03-06 14:22 . 2005-08-16 09:18 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-06 03:59 . 2009-03-15 00:45 1900544 ----a-w c:\windows\system32\usbaaplrc.dll
2009-03-06 03:59 . 2009-02-23 22:47 36864 ----a-w c:\windows\system32\drivers\usbaapl.sys
2009-03-03 00:18 . 2005-08-16 09:18 826368 ----a-w c:\windows\system32\wininet.dll
2009-02-20 18:09 . 2005-08-16 09:18 78336 ----a-w c:\windows\system32\ieencode.dll
2009-02-09 12:10 . 2005-08-16 09:18 729088 ----a-w c:\windows\system32\lsasrv.dll
2009-02-09 12:10 . 2005-08-16 09:18 401408 ----a-w c:\windows\system32\rpcss.dll
2009-02-09 12:10 . 2005-08-16 09:18 714752 ----a-w c:\windows\system32\ntdll.dll
2009-02-09 12:10 . 2005-08-16 09:18 617472 ----a-w c:\windows\system32\advapi32.dll
2009-02-09 11:13 . 2005-08-16 09:18 1846784 ----a-w c:\windows\system32\win32k.sys
2009-02-06 11:11 . 2005-08-16 09:18 110592 ----a-w c:\windows\system32\services.exe
2009-02-06 11:06 . 2005-08-16 09:18 2145280 ----a-w c:\windows\system32\ntoskrnl.exe
2009-02-06 10:39 . 2005-08-16 09:18 35328 ----a-w c:\windows\system32\sc.exe
2009-02-06 10:32 . 2004-08-04 03:59 2023936 ----a-w c:\windows\system32\ntkrnlpa.exe
2009-02-03 19:59 . 2005-08-16 09:18 56832 ----a-w c:\windows\system32\secur32.dll
2009-02-03 16:34 . 2009-02-02 23:52 664 ----a-w c:\windows\system32\d3d9caps.dat
2009-02-02 23:34 . 2007-07-21 13:06 90112 ----a-w c:\windows\DUMP32a8.tmp
.
Infected c:\windows\system32\user32.dll hex repaired


------- Sigcheck -------

[-] 2004-08-10 10:00 182912 558635D3AF1C7546D26067D5D9B6959E c:\windows\$NtServicePackUninstall$\ndis.sys
[7] 2008-04-13 19:20 182656 1DF7F42665C94B825322FAE71721130D c:\windows\ServicePackFiles\i386\ndis.sys
[-] 2009-04-30 20:41 212224 C0BE631D61A797ADC0C7259DCDAD4771 c:\windows\system32\dllcache\ndis.sys
[-] 2009-04-30 20:41 212224 AB59F65D57D1C69370D57BCE6F45FD65 c:\windows\system32\drivers\ndis.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AC714786-AC55-49A9-ABDC-BD18B7D29627}]
2004-08-10 10:00 103424 ----a-w c:\windows\system32\vaadyhs.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DL32"="DL32" [X]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-26 68856]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="-" [X]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"CTDVDDET"="c:\program files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE" [2003-06-18 45056]
"VolPanel"="c:\program files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe" [2005-10-14 122880]
"AudioDrvEmulator"="c:\program files\Creative\Shared Files\Module Loader\DLLML.exe" [2005-11-04 49152]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-09-11 86960]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2007-07-21 169984]
"razer"="c:\program files\Razer\razerhid.exe" [2005-05-17 147456]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\evntsvc.exe" [2007-08-10 146432]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-10-09 16384]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064]
"HelpCenter4.1"="c:\program files\Bellsouth\HelpCenter40b\bin\sprtcmd.exe" [2007-06-28 198184]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\11.0\SharedCOM\RoxWatchTray11.exe" [2008-08-14 240112]
"CPMonitor"="c:\program files\Roxio Creator 2009\5.0\CPMonitor.exe" [2008-08-10 80368]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-10-14 155648]
"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2005-03-17 57393]
"IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2005-03-17 40960]
"BrMfcWnd"="c:\program files\Brother\Brmfcmon\BrMfcWnd.exe" [2006-03-28 622592]
"SetDefPrt"="c:\program files\Brother\Brmfl06a\BrStDvPt.exe" [2005-01-26 49152]
"ControlCenter3"="c:\program files\Brother\ControlCenter3\brctrcen.exe" [2006-04-10 61440]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2006-03-17 124656]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-11-04 13574144]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-11-04 86016]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-02-06 177472]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-04-02 342312]
"CPMc3602a2a"="c:\windows\system32\wegabalu.dll" [2009-04-30 87552]
"CTHelper"="CTHELPER.EXE" - c:\windows\CTHELPER.EXE [2005-11-08 16384]
"CTxfiHlp"="CTXFIHLP.EXE" - c:\windows\system32\CTXFIHLP.EXE [2006-03-02 18944]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2008-11-04 1630208]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="c:\program files\MySpace\IM\MySpaceIM.exe" [2007-12-19 8720384]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
hp psc 1000 series.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe [2003-4-9 147456]
hpoddt01.exe.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [2003-4-9 28672]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\SharedTaskScheduler]
"{EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4}"= "c:\windows\system32\wegabalu.dll" [2009-04-30 87552]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"SSODL"= {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\wegabalu.dll [2009-04-30 87552]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\wegabalu.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Logitech\\Logitech Harmony Remote Software 7\\HarmonyRemote.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\att-nap\\McciBrowser.exe"=
"c:\\Program Files\\Sony\\Station\\LaunchPad\\LaunchPad.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpohmr08.exe"=

R1 505069ab;505069ab; [x]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2009-02-27 101936]

.
Contents of the 'Scheduled Tasks' folder

2009-04-25 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2008-03-19 c:\windows\Tasks\FRU Task 2003-04-10 00:56ewlett-Packard2003-04-10 00:56p psc 1200 series272A572217594EBCF1CEE215E352B92AD073FDE4196535192.job
- c:\program files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe [2003-04-09 22:56]

2009-04-30 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 23:20]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-prnet - c:\windows\system32\prnet.tmp
HKCU-Run-12ZFG94-F641-2SF-K31P-5N1ER6H6L2 - c:\recycler\S-1-5-21-8530580483-9548864536-172631430-0311\service.exe
HKLM-Run-prnet - c:\windows\system32\prnet.tmp
HKU-Default-Run-A00F43D3952.exe - c:\windows\TEMP\_A00F43D3952.exe
HKU-Default-Run-Windows Resurections - c:\windows\TEMP\jd6ukby74.exe
HKU-Default-Run-Diagnostic Manager - c:\windows\TEMP\3420974664.exe
HKU-Default-Run-autochk - c:\docume~1\LOCALS~1\protect.dll
Notify-__c0035B44 - c:\windows\system32\__c0035B44.dat


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.ecipublic.org/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyServer = http=localhost:7171
uInternet Settings,ProxyOverride = *.local;<local>
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-30 16:52
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
CTHelper = CTHELPER.EXE?
CTxfiHlp = CTXFIHLP.EXE?

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\s-1-5-21-1685921231-4013998947-3120363910-1005\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:8a,56,95,7c,6b,61,e3,13,59,71,17,a2,c4,48,50,97,1b,fd,a5,92,a7,11,5e,
37,72,1c,e9,0b,2f,7e,d8,dc,b3,0c,b3,41,12,ed,ff,47,dc,c1,5e,3d,f9,82,e8,14,\
"??"=hex:cf,55,c7,95,2b,14,4d,f8,66,7b,0c,1b,19,52,fe,22
.
Completion time: 2009-04-30 16:53
ComboFix-quarantined-files.txt 2009-04-30 20:53

Pre-Run: 266,224,050,176 bytes free
Post-Run: 266,220,351,488 bytes free

347 --- E O F --- 2009-04-20 20:58
Old 04-30-2009, 08:07 PM   #5 (permalink)
Analyst, Security Team
Join Date: Jan 2009
Location: Canada
Posts: 2,144
OS: XP sp3


Re: Windows up date not working, pop ups and degraded performance

Hi,

I recognize you are no longer able to connect to the internet and that is something we can address but there is a more important issue to attend to first.

Your machine is still very heavily infected. While you are disconnected from the internet it actually works in our favour while we clean off the infections.

Please delete the version of ComboFix you already have on your computer, then from another computer - download this version of ComboFix from this link HERE onto a USB

MAKE CERTAIN you DO NOT allow this program to update. If you are asked to update - select NO.

Run ComboFix and copy the resulting log into the thread.


Just to be certain you don't infect the clean computer from your USB, please disinfect your USB with this program.


Download Flash_Disinfector.exe from HERE and save it to your desktop.
  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.
__________________


ASAP & UNITE Member

Last edited by CatByte; 04-30-2009 at 08:09 PM.
Old 05-01-2009, 04:13 AM   #6 (permalink)
Registered User
 
Join Date: Apr 2009
Posts: 11
OS: Windows XP


Re: Windows up date not working, pop ups and degraded performance

Here is the current Combofix log. Still unable to connect to the internet with IE* but again mail works fine.

ComboFix 09-04-30.056 - Jeffrey 05/01/2009 6:00.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3069.2453 [GMT -4:00]
Running from: c:\documents and settings\Jeffrey\Desktop\ComboFix.exe
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated)
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

Infected copy of c:\windows\system32\drivers\ndis.sys was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\ndis.sys

.
((((((((((((((((((((((((( Files Created from 2009-04-01 to 2009-05-01 )))))))))))))))))))))))))))))))
.

2009-05-01 09:58 . 2009-05-01 09:58 -------- d-----w C:\KittyFix
2009-04-30 20:46 . 2009-05-01 10:05 94204 ----a-w c:\windows\system32\drivers\3122ef45.sys
2009-04-30 20:46 . 2009-04-30 20:46 7680 ----a-w C:\okex.exe
2009-04-30 20:44 . 2009-04-30 20:44 14848 ----a-w c:\windows\st_1241142708.exe
2009-04-30 20:43 . 2009-04-30 20:44 94204 ----a-w c:\windows\system32\drivers\6e16c1a.sys
2009-04-30 20:41 . 2009-04-30 20:41 94204 ----a-w c:\windows\system32\drivers\d4d20574.sys
2009-04-30 20:20 . 2009-04-30 20:46 101888 ----a-w C:\ohkbrkoo.exe
2009-04-30 20:20 . 2009-04-30 20:46 705 ----a-w C:\xmrgycj.exe
2009-04-30 20:20 . 2009-04-30 20:46 113664 ----a-w C:\xipr.exe
2009-04-30 20:19 . 2009-05-01 10:05 94204 ----a-w c:\windows\system32\drivers\7276c804.sys
2009-04-30 20:19 . 2009-04-30 20:19 705 ----a-w C:\pdtivk.exe
2009-04-30 20:19 . 2009-04-30 20:19 7680 ----a-w C:\celkadaa.exe
2009-04-30 20:19 . 2009-04-30 20:19 9216 ----a-w c:\windows\instsp2.exe
2009-04-29 21:04 . 2009-04-29 21:04 -------- d-----w c:\documents and settings\Jeffrey\Application Data\qsruvvcs
2009-04-29 21:04 . 2009-04-29 21:04 -------- d-----w c:\documents and settings\Jeffrey\Local Settings\Application Data\qsruvvcs
2009-04-29 20:54 . 2009-04-29 20:54 2 ---h--w c:\windows\t55ft2695f44.dat
2009-04-29 20:54 . 2009-04-29 20:54 2 ---h--w c:\windows\t55ft2667f44.dat
2009-04-29 02:43 . 2009-04-29 02:43 -------- d-----w c:\documents and settings\Jeffrey\Local Settings\Application Data\Dell
2009-04-29 01:16 . 2007-07-21 13:27 -------- d-----w c:\documents and settings\Home\Local Settings\Application Data\Google
2009-04-28 22:30 . 2009-04-28 22:30 2 ---h--w c:\windows\t55ft2692f44.dat
2009-04-28 22:24 . 2009-04-30 20:19 101888 ----a-w C:\wwmeoblk.exe
2009-04-28 22:24 . 2009-04-30 20:51 578560 ----a-w c:\windows\system32\dllcache\user32.dll
2009-04-28 22:24 . 2009-04-30 20:19 115712 ----a-w C:\kggi.exe
2009-04-26 13:24 . 2009-04-26 13:24 -------- d-----w c:\program files\Windows Defender
2009-04-26 04:33 . 2009-04-27 01:00 -------- d-----w c:\program files\Windows Live Safety Center
2009-04-26 02:53 . 2009-04-26 03:01 -------- d-----w c:\program files\WWShow
2009-04-26 02:48 . 2009-04-27 02:09 -------- d-----w c:\program files\Jcore
2009-04-25 22:11 . 2009-04-25 22:13 49152 ----a-w c:\windows\system32\ftp_non_crp.exe
2009-04-25 02:33 . 2009-04-25 02:33 5440 --sh--w c:\windows\system32\wihalewo.dll
2009-04-25 02:33 . 2009-04-25 02:33 5440 --sh--w c:\windows\system32\vofidato.dll
2009-04-25 02:30 . 2009-04-25 03:33 52224 ----a-w c:\windows\system32\vihagiva.exe
2009-04-20 01:53 . 2009-04-20 01:53 -------- d-----w c:\documents and settings\Jeffrey\Local Settings\Application Data\Help
2009-04-19 21:58 . 2009-04-19 21:58 -------- d-----w c:\documents and settings\LocalService\Local Settings\Application Data\SupportSoft
2009-04-18 23:25 . 2009-04-18 23:25 -------- d-----w c:\program files\iPod
2009-04-18 23:25 . 2009-04-18 23:25 -------- d-----w c:\program files\iTunes
2009-04-18 23:25 . 2009-04-18 23:25 -------- d-----w c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-04-18 20:28 . 2009-03-06 14:22 284160 ------w c:\windows\system32\dllcache\pdh.dll
2009-04-18 20:28 . 2009-02-06 10:39 35328 ------w c:\windows\system32\dllcache\sc.exe
2009-04-18 20:28 . 2009-02-09 12:10 401408 ------w c:\windows\system32\dllcache\rpcss.dll
2009-04-18 20:28 . 2009-02-06 11:11 110592 ------w c:\windows\system32\dllcache\services.exe
2009-04-18 20:28 . 2009-02-09 12:10 473600 ------w c:\windows\system32\dllcache\fastprox.dll
2009-04-18 20:28 . 2009-02-06 10:10 227840 ------w c:\windows\system32\dllcache\wmiprvse.exe
2009-04-18 20:28 . 2009-02-09 12:10 453120 ------w c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-18 20:28 . 2009-02-09 12:10 729088 ------w c:\windows\system32\dllcache\lsasrv.dll
2009-04-18 20:28 . 2009-02-09 12:10 617472 ------w c:\windows\system32\dllcache\advapi32.dll
2009-04-18 20:28 . 2009-02-09 12:10 714752 ------w c:\windows\system32\dllcache\ntdll.dll
2009-04-18 20:27 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll
2009-04-18 20:27 . 2008-04-21 12:08 215552 ------w c:\windows\system32\dllcache\wordpad.exe
2009-04-11 16:10 . 2009-04-11 16:10 -------- d-----w C:\576e53d794bdf7a2a884d6d03d510b98
2009-04-11 16:10 . 2009-04-11 16:47 -------- d-----w c:\windows\SxsCaPendDel
2009-04-03 18:07 . 2009-04-03 18:07 -------- d-----w c:\documents and settings\LocalService\Local Settings\Application Data\Google
2009-04-03 17:42 . 2009-04-19 21:57 0 ----a-w c:\windows\system32\drivers\UACd.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-01 10:02 . 2005-08-16 09:18 182656 ----a-w c:\windows\system32\drivers\ndis.sys
2009-04-30 20:51 . 2005-08-16 09:18 578560 ----a-w c:\windows\system32\user32.dll
2009-04-30 20:47 . 2005-08-16 09:18 14336 ----a-w c:\windows\system32\svchost.exe
2009-04-30 20:37 . 2005-08-16 09:18 103424 ----a-w c:\windows\system32\xsmzygj.dll
2009-04-30 20:19 . 2009-01-30 20:19 51712 --sha-w c:\windows\system32\tineraka.exe
2009-04-30 20:19 . 2009-01-30 20:19 87552 --sha-w c:\windows\system32\wegabalu.dll
2009-04-29 15:31 . 2009-01-29 15:31 88064 --sha-w c:\windows\system32\wisebiga.dll.vir
2009-04-27 22:00 . 2009-01-27 22:00 88576 --sha-w c:\windows\system32\sizebave.dll.vir
2009-04-26 21:46 . 2009-01-26 21:46 52224 --sha-w c:\windows\system32\yevalofa.exe
2009-04-25 02:27 . 2008-12-18 22:30 -------- d-----w c:\program files\Symantec AntiVirus
2009-04-19 22:02 . 2007-07-21 13:30 47944 ----a-w c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-18 23:25 . 2007-10-12 02:26 -------- d-----w c:\program files\Common Files\Apple
2009-04-11 15:48 . 2008-02-23 03:40 8 ----a-w c:\windows\system32\nvModes.dat
2009-03-19 20:32 . 2009-02-23 22:48 23400 ----a-w c:\windows\system32\drivers\GEARAspiWDM.sys
2009-03-06 14:22 . 2005-08-16 09:18 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-06 03:59 . 2009-03-15 00:45 1900544 ----a-w c:\windows\system32\usbaaplrc.dll
2009-03-06 03:59 . 2009-02-23 22:47 36864 ----a-w c:\windows\system32\drivers\usbaapl.sys
2009-03-03 00:18 . 2005-08-16 09:18 826368 ----a-w c:\windows\system32\wininet.dll
2009-02-20 18:09 . 2005-08-16 09:18 78336 ----a-w c:\windows\system32\ieencode.dll
2009-02-09 12:10 . 2005-08-16 09:18 729088 ----a-w c:\windows\system32\lsasrv.dll
2009-02-09 12:10 . 2005-08-16 09:18 401408 ----a-w c:\windows\system32\rpcss.dll
2009-02-09 12:10 . 2005-08-16 09:18 714752 ----a-w c:\windows\system32\ntdll.dll
2009-02-09 12:10 . 2005-08-16 09:18 617472 ----a-w c:\windows\system32\advapi32.dll
2009-02-09 11:13 . 2005-08-16 09:18 1846784 ----a-w c:\windows\system32\win32k.sys
2009-02-06 11:11 . 2005-08-16 09:18 110592 ----a-w c:\windows\system32\services.exe
2009-02-06 11:06 . 2005-08-16 09:18 2145280 ----a-w c:\windows\system32\ntoskrnl.exe
2009-02-06 10:39 . 2005-08-16 09:18 35328 ----a-w c:\windows\system32\sc.exe
2009-02-06 10:32 . 2004-08-04 03:59 2023936 ----a-w c:\windows\system32\ntkrnlpa.exe
2009-02-03 19:59 . 2005-08-16 09:18 56832 ----a-w c:\windows\system32\secur32.dll
2009-02-03 16:34 . 2009-02-02 23:52 664 ----a-w c:\windows\system32\d3d9caps.dat
2009-02-02 23:34 . 2007-07-21 13:06 90112 ----a-w c:\windows\DUMP32a8.tmp
.

((((((((((((((((((((((((((((( SnapShot@2009-04-30_20.52.15 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-07-26 21:48 . 2009-05-01 09:59 81920 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2007-07-26 21:48 . 2009-04-30 20:43 81920 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2007-07-26 21:48 . 2009-05-01 09:59 49152 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2007-07-26 21:48 . 2009-04-30 20:43 49152 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-04-30 20:18 . 2009-05-01 09:59 16384 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat
- 2009-04-30 20:18 . 2009-04-30 20:43 16384 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat
+ 2007-07-26 21:48 . 2009-05-01 09:59 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2007-07-26 21:48 . 2009-04-30 20:43 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2005-08-16 09:18 . 2008-04-13 19:20 182656 c:\windows\system32\dllcache\ndis.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AC714786-AC55-49A9-ABDC-BD18B7D29627}]
2004-08-10 10:00 103424 ----a-w c:\windows\system32\vaadyhs.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DL32"="DL32" [X]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-26 68856]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="-" [X]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"CTDVDDET"="c:\program files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE" [2003-06-18 45056]
"VolPanel"="c:\program files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe" [2005-10-14 122880]
"AudioDrvEmulator"="c:\program files\Creative\Shared Files\Module Loader\DLLML.exe" [2005-11-04 49152]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-09-11 86960]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2007-07-21 169984]
"razer"="c:\program files\Razer\razerhid.exe" [2005-05-17 147456]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\evntsvc.exe" [2007-08-10 146432]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-10-09 16384]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064]
"HelpCenter4.1"="c:\program files\Bellsouth\HelpCenter40b\bin\sprtcmd.exe" [2007-06-28 198184]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\11.0\SharedCOM\RoxWatchTray11.exe" [2008-08-14 240112]
"CPMonitor"="c:\program files\Roxio Creator 2009\5.0\CPMonitor.exe" [2008-08-10 80368]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-10-14 155648]
"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2005-03-17 57393]
"IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2005-03-17 40960]
"BrMfcWnd"="c:\program files\Brother\Brmfcmon\BrMfcWnd.exe" [2006-03-28 622592]
"SetDefPrt"="c:\program files\Brother\Brmfl06a\BrStDvPt.exe" [2005-01-26 49152]
"ControlCenter3"="c:\program files\Brother\ControlCenter3\brctrcen.exe" [2006-04-10 61440]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2006-03-17 124656]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-11-04 13574144]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-11-04 86016]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-02-06 177472]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-04-02 342312]
"CPMc3602a2a"="c:\windows\system32\wegabalu.dll" [2009-04-30 87552]
"CTHelper"="CTHELPER.EXE" - c:\windows\CTHELPER.EXE [2005-11-08 16384]
"CTxfiHlp"="CTXFIHLP.EXE" - c:\windows\system32\CTXFIHLP.EXE [2006-03-02 18944]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2008-11-04 1630208]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="c:\program files\MySpace\IM\MySpaceIM.exe" [2007-12-19 8720384]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
hp psc 1000 series.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe [2003-4-9 147456]
hpoddt01.exe.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [2003-4-9 28672]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\SharedTaskScheduler]
"{EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4}"= "c:\windows\system32\wegabalu.dll" [2009-04-30 87552]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"SSODL"= {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\wegabalu.dll [2009-04-30 87552]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Logitech\\Logitech Harmony Remote Software 7\\HarmonyRemote.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\att-nap\\McciBrowser.exe"=
"c:\\Program Files\\Sony\\Station\\LaunchPad\\LaunchPad.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpohmr08.exe"=

R1 505069ab;505069ab; [x]
R2 Roxio Upnp Server 11;Roxio Upnp Server 11;c:\program files\Roxio Creator 2009\Digital Home 11\RoxioUpnpService11.exe [2008-08-14 367088]
R2 RoxLiveShare11;LiveShare P2P Server 11;c:\program files\Common Files\Roxio Shared\11.0\SharedCOM\RoxLiveShare11.exe [2008-08-14 309744]
R2 RoxWatch11;Roxio Hard Drive Watcher 11;c:\program files\Common Files\Roxio Shared\11.0\SharedCOM\RoxWatch11.exe [2008-08-14 170480]
R3 Razerlow;Razerlow USB Filter Driver;c:\windows\system32\Drivers\Razerlow.sys [2005-04-25 13225]
R3 Roxio UPnP Renderer 11;Roxio UPnP Renderer 11;c:\program files\Roxio Creator 2009\Digital Home 11\RoxioUPnPRenderer11.exe [2008-08-14 313840]
R3 RoxMediaDB11;RoxMediaDB11;c:\program files\Common Files\Roxio Shared\11.0\SharedCOM\RoxMediaDB11.exe [2008-08-14 1124848]
R3 SavRoam;SavRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [2006-03-17 115952]
S0 iopxnftf;iopxnftf;c:\windows\system32\drivers\iopxnftf.sys [2004-08-10 23424]
S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [2006-11-03 13592]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2009-02-27 101936]
S3 TarFltr;Razer Tarantula USB Keyboard;c:\windows\system32\Drivers\UsbFltr.sys [2006-09-27 44800]

.
Contents of the 'Scheduled Tasks' folder

2009-04-25 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2008-03-19 c:\windows\Tasks\FRU Task 2003-04-10 00:56ewlett-Packard2003-04-10 00:56p psc 1200 series272A572217594EBCF1CEE215E352B92AD073FDE4196535192.job
- c:\program files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe [2003-04-09 22:56]

2009-05-01 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 23:20]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.ecipublic.org/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyServer = http=localhost:7171
uInternet Settings,ProxyOverride = *.local;<local>
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-01 06:04
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
CTHelper = CTHELPER.EXE?
CTxfiHlp = CTXFIHLP.EXE?

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\s-1-5-21-1685921231-4013998947-3120363910-1005\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:8a,56,95,7c,6b,61,e3,13,59,71,17,a2,c4,48,50,97,1b,fd,a5,92,a7,11,5e,
37,72,1c,e9,0b,2f,7e,d8,dc,b3,0c,b3,41,12,ed,ff,47,dc,c1,5e,3d,f9,82,e8,14,\
"??"=hex:cf,55,c7,95,2b,14,4d,f8,66,7b,0c,1b,19,52,fe,22
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2500)
c:\windows\system32\wegabalu.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\CTSVCCDA.EXE
c:\program files\Symantec AntiVirus\DefWatch.exe
c:\windows\ehome\ehrecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\Common Files\Motive\McciCMService.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Dell Support Center\bin\sprtsvc.exe
c:\program files\VentSrv\ventrilo_svc.exe
c:\program files\VentSrv\ventrilo_srv.exe
c:\windows\ehome\mcrdsvc.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\CTXFISPI.EXE
c:\windows\ehome\ehmsas.exe
c:\program files\Google\Google Desktop Search\GoogleDesktopIndex.exe
c:\program files\Google\Google Desktop Search\GoogleDesktopDisplay.exe
c:\program files\Razer\razerofa.exe
c:\program files\Brother\ControlCenter3\BrccMCtl.exe
c:\windows\system32\rundll32.exe
c:\program files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Hewlett-Packard\Digital Imaging\bin\hposts08.exe
.
**************************************************************************
.
Completion time: 2009-05-01 6:08 - machine was rebooted
ComboFix-quarantined-files.txt 2009-05-01 10:08
ComboFix2.txt 2009-04-30 20:53

Pre-Run: 266,217,390,080 bytes free
Post-Run: 266,210,553,856 bytes free

284 --- E O F --- 2009-04-20 20:58
Old 05-01-2009, 09:15 AM   #7 (permalink)
Analyst, Security Team
 
 
Join Date: Jan 2009
Location: Canada
Posts: 2,144
OS: XP sp3


Re: Windows up date not working, pop ups and degraded performance

Hi,

Please do the following:
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.
  • They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Copy/paste the text inside the Codebox below into notepad:

Here's how to do that:
Click Start > Run type Notepad click OK.
This will open an empty notepad file:

Copy all the text inside of the code box - Press Ctrl+C (or right click on the highlighted section and choose 'copy')

Code:

Collect::
c:\windows\system32\drivers\3122ef45.sys
C:\okex.exe
c:\windows\st_1241142708.exe
C:\ohkbrkoo.exe
C:\xmrgycj.exe
C:\xipr.exe
C:\wwmeoblk.exe
C:\kggi.exe
c:\windows\system32\wihalewo.dll
c:\windows\system32\vihagiva.exe
c:\windows\system32\wegabalu.dll

File::
c:\windows\system32\drivers\6e16c1a.sys
c:\windows\system32\drivers\d4d20574.sys
c:\windows\system32\drivers\7276c804.sys
c:\windows\t55ft2695f44.dat
c:\windows\t55ft2667f44.dat
c:\windows\t55ft2692f44.dat
C:\pdtivk.exe
C:\celkadaa.exe
c:\windows\instsp2.exe
c:\windows\system32\xsmzygj.dll
c:\windows\system32\tineraka.exe
c:\windows\system32\wisebiga.dll.vir
c:\windows\system32\sizebave.dll.vir
c:\windows\system32\yevalofa.exe
c:\windows\system32\vofidato.dll
c:\windows\system32\drivers\UACd.sys
c:\windows\system32\drivers\iopxnftf.sys
c:\windows\system32\ftp_non_crp.exe

Folder::
c:\documents and settings\Jeffrey\Application Data\qsruvvcs
c:\documents and settings\Jeffrey\Local Settings\Application Data\qsruvvcs
c:\program files\WWShow
c:\Program Files\Jcore

Driver::
iopxnftf
505069ab

DDS::
uInternet Settings,ProxyServer = http=localhost:7171
uInternet Settings,ProxyOverride = *.local;<local>

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DL32"=- 
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=""
Now paste the copied text into the open notepad - press CTRL+V (or right click and choose 'paste')

Save this file to your desktop. Save it as "CFScript".

Here's how to do that:

1. Click File;
2. Click Save As... Change the directory to your desktop;
3. Change the Save as type to "All Files";
4. Type in the file name: CFScript
5. Click Save ...


  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you.
  • Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
__________________


ASAP & UNITE Member
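As an added example (not CatByte's tooling and not part of ComboFix), the Python script below reads the kind of ComboFix output posted above and flags the items the analyst then targeted in the CFScript reply: Security Center values that silence Windows Update and AV monitoring, a browser proxy pointing at localhost, one DLL registered under Run, SharedTaskScheduler and SSODL at once, and service/driver entries whose name equals their description while the file is missing or the driver is boot-start. The log excerpt is constructed from lines in this thread; the heuristics are assumptions meant to shortlist entries for manual review, not ComboFix's own detection logic.

```python
"""Triage a ComboFix log excerpt for the indicators acted on in this thread."""
import re
from collections import defaultdict

# Constructed excerpt: a handful of lines modelled on the log posted above,
# plus one benign service line (SavRoam) to show what is *not* flagged.
SAMPLE_LOG = r"""
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2006-03-17 124656]
"CPMc3602a2a"="c:\windows\system32\wegabalu.dll" [2009-04-30 87552]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\SharedTaskScheduler]
"{EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4}"= "c:\windows\system32\wegabalu.dll" [2009-04-30 87552]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"SSODL"= {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\wegabalu.dll [2009-04-30 87552]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

R1 505069ab;505069ab; [x]
R3 SavRoam;SavRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [2006-03-17 115952]
S0 iopxnftf;iopxnftf;c:\windows\system32\drivers\iopxnftf.sys [2004-08-10 23424]

uInternet Settings,ProxyServer = http=localhost:7171
uInternet Settings,ProxyOverride = *.local;<local>
"""

# Drive-letter path inside a log line, ending at whitespace, quote or bracket.
PATH_RE = re.compile(r'[a-z]:\\[^\s"\[\]]+', re.IGNORECASE)
# ComboFix service/driver line: "<Start> <Name>;<Display>;<File> [date size]"
DRIVER_RE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.*)$")
# Security Center values that silence Windows Update / AV state reporting.
TAMPER_VALUES = {"updatesdisablenotify", "disablemonitoring"}


def first_path(line):
    """Return the first Windows path on the line (lower-cased) or None."""
    m = PATH_RE.search(line)
    return m.group(0).lower() if m else None


def triage(log_text):
    """Return a list of (category, detail) findings for manual review."""
    findings = []
    referenced_from = defaultdict(set)  # module path -> autostart locations
    section = None
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()        # registry key header
            continue
        if section is not None and line.startswith('"'):
            end = line.find('"', 1)
            name = line[1:end].lower() if end > 0 else ""
            if ("security center" in section and name in TAMPER_VALUES
                    and line.lower().endswith("dword:00000001")):
                findings.append(("security-center-tamper",
                                 f"{name}=1 under {section}"))
            path = first_path(line)
            if path:
                referenced_from[path].add(section.rsplit("\\", 1)[-1])
            continue
        m = DRIVER_RE.match(line)
        if m:
            start, svc, display, rest = (g.strip() for g in m.groups())
            file_missing = "[x]" in rest
            # Heuristic: name identical to its description AND either the
            # backing file is gone or it is a boot-start (x0) driver.
            if svc == display and (file_missing or start.endswith("0")):
                detail = "file missing" if file_missing else rest
                findings.append(("suspect-driver", f"{svc} ({start}, {detail})"))
            continue
        if line.lower().startswith("uinternet settings,proxyserver"):
            target = line.split("=", 1)[1].strip()
            if "localhost" in target.lower() or "127.0.0.1" in target:
                findings.append(("local-proxy", target))
    # One module registered under several autostart points is worth a look.
    for path, locations in referenced_from.items():
        if len(locations) >= 2:
            findings.append(("multi-point-persistence",
                             f"{path} via {', '.join(sorted(locations))}"))
    return findings


if __name__ == "__main__":
    for category, detail in triage(SAMPLE_LOG):
        print(f"{category:24} {detail}")
```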
Old 05-01-2009, 11:23 AM   #8 (permalink)
Registered User
 
Join Date: Apr 2009
Posts: 11
OS: Windows XP


Re: Windows up date not working, pop ups and degraded performance

Ran Combofix with the new script, but when the log popped up I got a message that it could not create it. Notepad opened up and it was blank. I don't see any log file other than the ones previously done. However, I am now posting this from my computer, so something worked right. I am not rerunning Combofix in an attempt to get the log until you give me the OK to do that.
Old 05-01-2009, 01:59 PM   #9 (permalink)
Analyst, Security Team
 
 
Join Date: Jan 2009
Location: Canada
Posts: 2,144
OS: XP sp3


Re: Windows up date not working, pop ups and degraded performance

Hi,

Something interfered with the log writing process of the program.

Please do the following:

Make sure you disable all your security protection programs.

Double click on the ComboFix.exe once again,

allow it to update this time when ComboFix requests it,

then post the resulting log when it's done.

Thank you
__________________


ASAP & UNITE Member
Old 05-01-2009, 03:11 PM   #10 (permalink)
Registered User
 
Join Date: Apr 2009
Posts: 11
OS: Windows XP


Re: Windows up date not working, pop ups and degraded performance

Current log file.

ComboFix 09-05-01.1 - Jeffrey 05/01/2009 17:04.5 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3069.2496 [GMT -4:00]
Running from: c:\documents and settings\Jeffrey\Desktop\ComboFix.exe
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated)
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\vaadyhs.dll

.
((((((((((((((((((((((((( Files Created from 2009-04-01 to 2009-05-01 )))))))))))))))))))))))))))))))
.

2009-04-29 02:43 . 2009-04-29 02:43 -------- d-----w c:\documents and settings\Jeffrey\Local Settings\Application Data\Dell
2009-04-29 01:16 . 2007-07-21 13:27 -------- d-----w c:\documents and settings\Home\Local Settings\Application Data\Google
2009-04-28 22:24 . 2009-04-30 20:51 578560 ----a-w c:\windows\system32\dllcache\user32.dll
2009-04-26 13:24 . 2009-04-26 13:24 -------- d-----w c:\program files\Windows Defender
2009-04-26 04:33 . 2009-04-27 01:00 -------- d-----w c:\program files\Windows Live Safety Center
2009-04-20 01:53 . 2009-04-20 01:53 -------- d-----w c:\documents and settings\Jeffrey\Local Settings\Application Data\Help
2009-04-19 21:58 . 2009-04-19 21:58 -------- d-----w c:\documents and settings\LocalService\Local Settings\Application Data\SupportSoft
2009-04-18 23:25 . 2009-04-18 23:25 -------- d-----w c:\program files\iPod
2009-04-18 23:25 . 2009-04-18 23:25 -------- d-----w c:\program files\iTunes
2009-04-18 23:25 . 2009-04-18 23:25 -------- d-----w c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-04-18 20:28 . 2009-03-06 14:22 284160 ------w c:\windows\system32\dllcache\pdh.dll
2009-04-18 20:28 . 2009-02-06 10:39 35328 ------w c:\windows\system32\dllcache\sc.exe
2009-04-18 20:28 . 2009-02-09 12:10 401408 ------w c:\windows\system32\dllcache\rpcss.dll
2009-04-18 20:28 . 2009-02-06 11:11 110592 ------w c:\windows\system32\dllcache\services.exe
2009-04-18 20:28 . 2009-02-09 12:10 473600 ------w c:\windows\system32\dllcache\fastprox.dll
2009-04-18 20:28 . 2009-02-06 10:10 227840 ------w c:\windows\system32\dllcache\wmiprvse.exe
2009-04-18 20:28 . 2009-02-09 12:10 453120 ------w c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-18 20:28 . 2009-02-09 12:10 729088 ------w c:\windows\system32\dllcache\lsasrv.dll
2009-04-18 20:28 . 2009-02-09 12:10 617472 ------w c:\windows\system32\dllcache\advapi32.dll
2009-04-18 20:28 . 2009-02-09 12:10 714752 ------w c:\windows\system32\dllcache\ntdll.dll
2009-04-18 20:27 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll
2009-04-18 20:27 . 2008-04-21 12:08 215552 ------w c:\windows\system32\dllcache\wordpad.exe
2009-04-11 16:10 . 2009-04-11 16:10 -------- d-----w C:\576e53d794bdf7a2a884d6d03d510b98
2009-04-11 16:10 . 2009-04-11 16:47 -------- d-----w c:\windows\SxsCaPendDel
2009-04-03 18:07 . 2009-04-03 18:07 -------- d-----w c:\documents and settings\LocalService\Local Settings\Application Data\Google

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-01 17:07 . 2005-08-16 09:18 23424 ----a-w c:\windows\system32\drivers\npueqdud.sys
2009-05-01 10:02 . 2005-08-16 09:18 182656 ----a-w c:\windows\system32\drivers\ndis.sys
2009-04-30 20:51 . 2005-08-16 09:18 578560 ----a-w c:\windows\system32\user32.dll
2009-04-30 20:47 . 2005-08-16 09:18 14336 ----a-w c:\windows\system32\svchost.exe
2009-04-25 02:27 . 2008-12-18 22:30 -------- d-----w c:\program files\Symantec AntiVirus
2009-04-19 22:02 . 2007-07-21 13:30 47944 ----a-w c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-18 23:25 . 2007-10-12 02:26 -------- d-----w c:\program files\Common Files\Apple
2009-04-11 15:48 . 2008-02-23 03:40 8 ----a-w c:\windows\system32\nvModes.dat
2009-03-19 20:32 . 2009-02-23 22:48 23400 ----a-w c:\windows\system32\drivers\GEARAspiWDM.sys
2009-03-06 14:22 . 2005-08-16 09:18 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-06 03:59 . 2009-03-15 00:45 1900544 ----a-w c:\windows\system32\usbaaplrc.dll
2009-03-06 03:59 . 2009-02-23 22:47 36864 ----a-w c:\windows\system32\drivers\usbaapl.sys
2009-03-03 00:18 . 2005-08-16 09:18 826368 ----a-w c:\windows\system32\wininet.dll
2009-02-20 18:09 . 2005-08-16 09:18 78336 ----a-w c:\windows\system32\ieencode.dll
2009-02-09 12:10 . 2005-08-16 09:18 729088 ----a-w c:\windows\system32\lsasrv.dll
2009-02-09 12:10 . 2005-08-16 09:18 401408 ----a-w c:\windows\system32\rpcss.dll
2009-02-09 12:10 . 2005-08-16 09:18 714752 ----a-w c:\windows\system32\ntdll.dll
2009-02-09 12:10 . 2005-08-16 09:18 617472 ----a-w c:\windows\system32\advapi32.dll
2009-02-09 11:13 . 2005-08-16 09:18 1846784 ----a-w c:\windows\system32\win32k.sys
2009-02-06 11:11 . 2005-08-16 09:18 110592 ----a-w c:\windows\system32\services.exe
2009-02-06 11:06 . 2005-08-16 09:18 2145280 ----a-w c:\windows\system32\ntoskrnl.exe
2009-02-06 10:39 . 2005-08-16 09:18 35328 ----a-w c:\windows\system32\sc.exe
2009-02-06 10:32 . 2004-08-04 03:59 2023936 ----a-w c:\windows\system32\ntkrnlpa.exe
2009-02-03 19:59 . 2005-08-16 09:18 56832 ----a-w c:\windows\system32\secur32.dll
2009-02-03 16:34 . 2009-02-02 23:52 664 ----a-w c:\windows\system32\d3d9caps.dat
2009-02-02 23:34 . 2007-07-21 13:06 90112 ----a-w c:\windows\DUMP32a8.tmp
.

((((((((((((((((((((((((((((( SnapShot@2009-04-30_20.52.15 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-07-26 21:48 . 2009-05-01 09:59 49152 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2007-07-26 21:48 . 2009-04-30 20:43 49152 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-04-30 20:18 . 2009-05-01 09:59 16384 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat
- 2009-04-30 20:18 . 2009-04-30 20:43 16384 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat
+ 2007-07-26 21:48 . 2009-05-01 09:59 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2007-07-26 21:48 . 2009-04-30 20:43 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2005-08-16 09:18 . 2008-04-13 19:20 182656 c:\windows\system32\dllcache\ndis.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-26 68856]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="-" [X]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"CTDVDDET"="c:\program files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE" [2003-06-18 45056]
"VolPanel"="c:\program files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe" [2005-10-14 122880]
"AudioDrvEmulator"="c:\program files\Creative\Shared Files\Module Loader\DLLML.exe" [2005-11-04 49152]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-09-11 86960]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2007-07-21 169984]
"razer"="c:\program files\Razer\razerhid.exe" [2005-05-17 147456]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\evntsvc.exe" [2007-08-10 146432]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-10-09 16384]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064]
"HelpCenter4.1"="c:\program files\Bellsouth\HelpCenter40b\bin\sprtcmd.exe" [2007-06-28 198184]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\11.0\SharedCOM\RoxWatchTray11.exe" [2008-08-14 240112]
"CPMonitor"="c:\program files\Roxio Creator 2009\5.0\CPMonitor.exe" [2008-08-10 80368]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-10-14 155648]
"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2005-03-17 57393]
"IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2005-03-17 40960]
"BrMfcWnd"="c:\program files\Brother\Brmfcmon\BrMfcWnd.exe" [2006-03-28 622592]
"SetDefPrt"="c:\program files\Brother\Brmfl06a\BrStDvPt.exe" [2005-01-26 49152]
"ControlCenter3"="c:\program files\Brother\ControlCenter3\brctrcen.exe" [2006-04-10 61440]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2006-03-17 124656]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-11-04 13574144]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-11-04 86016]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-02-06 177472]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-04-02 342312]
"CTHelper"="CTHELPER.EXE" - c:\windows\CTHELPER.EXE [2005-11-08 16384]
"CTxfiHlp"="CTXFIHLP.EXE" - c:\windows\system32\CTXFIHLP.EXE [2006-03-02 18944]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2008-11-04 1630208]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="c:\program files\MySpace\IM\MySpaceIM.exe" [2007-12-19 8720384]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
hp psc 1000 series.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe [2003-4-9 147456]
hpoddt01.exe.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [2003-4-9 28672]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Logitech\\Logitech Harmony Remote Software 7\\HarmonyRemote.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\att-nap\\McciBrowser.exe"=
"c:\\Program Files\\Sony\\Station\\LaunchPad\\LaunchPad.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpohmr08.exe"=

--- Other Services/Drivers In Memory ---

*NewlyCreated* - IOPXNFTF
.
Contents of the 'Scheduled Tasks' folder

2009-04-25 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2008-03-19 c:\windows\Tasks\FRU Task 2003-04-10 00:56ewlett-Packard2003-04-10 00:56p psc 1200 series272A572217594EBCF1CEE215E352B92AD073FDE4196535192.job
- c:\program files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe [2003-04-09 22:56]

2009-05-01 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 23:20]
.
- - - - ORPHANS REMOVED - - - -

BHO-{AC714786-AC55-49A9-ABDC-BD18B7D29627} - c:\windows\system32\vaadyhs.dll


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.ecipublic.org/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-01 17:06
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
CTHelper = CTHELPER.EXE?
CTxfiHlp = CTXFIHLP.EXE?

scanning hidden files ...


c:\windows\TEMP\TMP000000C635E387089E6E79DB 524288 bytes


**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1685921231-4013998947-3120363910-1005\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:8a,56,95,7c,6b,61,e3,13,59,71,17,a2,c4,48,50,97,1b,fd,a5,92,a7,11,5e,
37,72,1c,e9,0b,2f,7e,d8,dc,b3,0c,b3,41,12,ed,ff,47,dc,c1,5e,3d,f9,82,e8,14,\
"??"=hex:cf,55,c7,95,2b,14,4d,f8,66,7b,0c,1b,19,52,fe,22
.
Completion time: 2009-05-01 17:09
ComboFix-quarantined-files.txt 2009-05-01 21:08
ComboFix2.txt 2009-05-01 17:16
ComboFix3.txt 2009-05-01 10:08
ComboFix4.txt 2009-04-30 20:53

Pre-Run: 266,185,326,592 bytes free
Post-Run: 266,189,017,088 bytes free

193 --- E O F --- 2009-04-20 20:58
Old 05-01-2009, 06:16 PM   #11 (permalink)
Analyst, Security Team
 
 
Join Date: Jan 2009
Location: Canada
Posts: 2,144
OS: XP sp3


Re: Windows up date not working, pop ups and degraded performance

Hi,

Can you please advise how your system is running now? I take it the internet connection has been re-established successfully.

Please advise if there are any other issues at this time.

We still have a little more work to do, so please stay with me until I give you the all clear.

Please do the following:
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.
  • They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Copy/paste the text inside the Codebox below into notepad:

Here's how to do that:
Click Start > Run type Notepad click OK.
This will open an empty notepad file:

Copy all the text inside of the code box - Press Ctrl+C (or right click on the highlighted section and choose 'copy')

Code:
KillAll::

File::
c:\windows\system32\drivers\npueqdud.sys

Driver::
iopxnftf
Now paste the copied text into the open notepad - press CTRL+V (or right click and choose 'paste')

Save this file to your desktop. Save it as "CFScript".


Here's how to do that:

1. Click File;
2. Click Save As... Change the directory to your desktop;
3. Change the Save as type to "All Files";
4. Type in the file name: CFScript
5. Click Save ...

  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you.
  • Copy and paste the contents of the log in your next reply.
CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.


NEXT


Click Start>Run and copy/paste the following bolded text into the Run box and click OK:
C:\Qoobox\ComboFix-quarantined-files.txt
A report should pop open for you.
Please post the contents in your next reply.
__________________


ASAP & UNITE Member
Old 05-01-2009, 09:32 PM   #12 (permalink)
Registered User
 
Join Date: Apr 2009
Posts: 11
OS: Windows XP


Re: Windows up date not working, pop ups and degraded performance

All programs and systems seem to function normally now. I don't have any more random pop-ups when using Internet Explorer, and CPU usage is now running at normal levels. Looks like it is fixed to me. Below is the most recent log file.

ComboFix 09-05-01.1 - Jeffrey 05/01/2009 23:18.6 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3069.2337 [GMT -4:00]
Running from: c:\documents and settings\Jeffrey\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Jeffrey\Desktop\CFScript.txt
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated)

FILE ::
c:\windows\system32\drivers\npueqdud.sys
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\drivers\npueqdud.sys

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_IOPXNFTF


((((((((((((((((((((((((( Files Created from 2009-04-02 to 2009-05-02 )))))))))))))))))))))))))))))))
.

2009-05-01 09:58 . 2009-05-01 09:58 -------- d-----w C:\KittyFix
2009-04-29 02:43 . 2009-04-29 02:43 -------- d-----w c:\documents and settings\Jeffrey\Local Settings\Application Data\Dell
2009-04-29 01:16 . 2007-07-21 13:27 -------- d-----w c:\documents and settings\Home\Local Settings\Application Data\Google
2009-04-28 22:24 . 2009-04-30 20:51 578560 ----a-w c:\windows\system32\dllcache\user32.dll
2009-04-26 13:24 . 2009-04-26 13:24 -------- d-----w c:\program files\Windows Defender
2009-04-26 04:33 . 2009-04-27 01:00 -------- d-----w c:\program files\Windows Live Safety Center
2009-04-20 01:53 . 2009-04-20 01:53 -------- d-----w c:\documents and settings\Jeffrey\Local Settings\Application Data\Help
2009-04-19 21:58 . 2009-04-19 21:58 -------- d-----w c:\documents and settings\LocalService\Local Settings\Application Data\SupportSoft
2009-04-18 23:25 . 2009-04-18 23:25 -------- d-----w c:\program files\iPod
2009-04-18 23:25 . 2009-04-18 23:25 -------- d-----w c:\program files\iTunes
2009-04-18 23:25 . 2009-04-18 23:25 -------- d-----w c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-04-18 20:28 . 2009-03-06 14:22 284160 ------w c:\windows\system32\dllcache\pdh.dll
2009-04-18 20:28 . 2009-02-06 10:39 35328 ------w c:\windows\system32\dllcache\sc.exe
2009-04-18 20:28 . 2009-02-09 12:10 401408 ------w c:\windows\system32\dllcache\rpcss.dll
2009-04-18 20:28 . 2009-02-06 11:11 110592 ------w c:\windows\system32\dllcache\services.exe
2009-04-18 20:28 . 2009-02-09 12:10 473600 ------w c:\windows\system32\dllcache\fastprox.dll
2009-04-18 20:28 . 2009-02-06 10:10 227840 ------w c:\windows\system32\dllcache\wmiprvse.exe
2009-04-18 20:28 . 2009-02-09 12:10 453120 ------w c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-18 20:28 . 2009-02-09 12:10 729088 ------w c:\windows\system32\dllcache\lsasrv.dll
2009-04-18 20:28 . 2009-02-09 12:10 617472 ------w c:\windows\system32\dllcache\advapi32.dll
2009-04-18 20:28 . 2009-02-09 12:10 714752 ------w c:\windows\system32\dllcache\ntdll.dll
2009-04-18 20:27 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll
2009-04-18 20:27 . 2008-04-21 12:08 215552 ------w c:\windows\system32\dllcache\wordpad.exe
2009-04-11 16:10 . 2009-04-11 16:10 -------- d-----w C:\576e53d794bdf7a2a884d6d03d510b98
2009-04-11 16:10 . 2009-04-11 16:47 -------- d-----w c:\windows\SxsCaPendDel
2009-04-03 18:07 . 2009-04-03 18:07 -------- d-----w c:\documents and settings\LocalService\Local Settings\Application Data\Google

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-01 21:34 . 2008-05-19 22:09 -------- d-----w c:\program files\BellSouth
2009-05-01 10:02 . 2005-08-16 09:18 182656 ----a-w c:\windows\system32\drivers\ndis.sys
2009-04-30 20:51 . 2005-08-16 09:18 578560 ----a-w c:\windows\system32\user32.dll
2009-04-30 20:47 . 2005-08-16 09:18 14336 ----a-w c:\windows\system32\svchost.exe
2009-04-25 02:27 . 2008-12-18 22:30 -------- d-----w c:\program files\Symantec AntiVirus
2009-04-23 16:49 . 2009-03-31 22:23 530083 ----a-w C:\HC4DecommissionScheduler.exe
2009-04-19 22:02 . 2007-07-21 13:30 47944 ----a-w c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-18 23:25 . 2007-10-12 02:26 -------- d-----w c:\program files\Common Files\Apple
2009-04-11 15:48 . 2008-02-23 03:40 8 ----a-w c:\windows\system32\nvModes.dat
2009-03-19 20:32 . 2009-02-23 22:48 23400 ----a-w c:\windows\system32\drivers\GEARAspiWDM.sys
2009-03-06 14:22 . 2005-08-16 09:18 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-06 03:59 . 2009-03-15 00:45 1900544 ----a-w c:\windows\system32\usbaaplrc.dll
2009-03-06 03:59 . 2009-02-23 22:47 36864 ----a-w c:\windows\system32\drivers\usbaapl.sys
2009-03-03 00:18 . 2005-08-16 09:18 826368 ----a-w c:\windows\system32\wininet.dll
2009-02-20 18:09 . 2005-08-16 09:18 78336 ----a-w c:\windows\system32\ieencode.dll
2009-02-09 12:10 . 2005-08-16 09:18 729088 ----a-w c:\windows\system32\lsasrv.dll
2009-02-09 12:10 . 2005-08-16 09:18 401408 ----a-w c:\windows\system32\rpcss.dll
2009-02-09 12:10 . 2005-08-16 09:18 714752 ----a-w c:\windows\system32\ntdll.dll
2009-02-09 12:10 . 2005-08-16 09:18 617472 ----a-w c:\windows\system32\advapi32.dll
2009-02-09 11:13 . 2005-08-16 09:18 1846784 ----a-w c:\windows\system32\win32k.sys
2009-02-06 11:11 . 2005-08-16 09:18 110592 ----a-w c:\windows\system32\services.exe
2009-02-06 11:06 . 2005-08-16 09:18 2145280 ----a-w c:\windows\system32\ntoskrnl.exe
2009-02-06 10:39 . 2005-08-16 09:18 35328 ----a-w c:\windows\system32\sc.exe
2009-02-06 10:32 . 2004-08-04 03:59 2023936 ----a-w c:\windows\system32\ntkrnlpa.exe
2009-02-03 19:59 . 2005-08-16 09:18 56832 ----a-w c:\windows\system32\secur32.dll
2009-02-03 16:34 . 2009-02-02 23:52 664 ----a-w c:\windows\system32\d3d9caps.dat
2009-02-02 23:34 . 2007-07-21 13:06 90112 ----a-w c:\windows\DUMP32a8.tmp
.

((((((((((((((((((((((((((((( SnapShot@2009-04-30_20.52.15 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-07-26 21:48 . 2009-05-01 09:59 49152 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2007-07-26 21:48 . 2009-04-30 20:43 49152 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-04-30 20:18 . 2009-05-01 09:59 16384 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat
- 2009-04-30 20:18 . 2009-04-30 20:43 16384 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat
+ 2007-07-26 21:48 . 2009-05-01 09:59 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2007-07-26 21:48 . 2009-04-30 20:43 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2005-08-16 09:18 . 2008-04-13 19:20 182656 c:\windows\system32\dllcache\ndis.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-26 68856]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="-" [X]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"CTDVDDET"="c:\program files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE" [2003-06-18 45056]
"VolPanel"="c:\program files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe" [2005-10-14 122880]
"AudioDrvEmulator"="c:\program files\Creative\Shared Files\Module Loader\DLLML.exe" [2005-11-04 49152]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-09-11 86960]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2007-07-21 169984]
"razer"="c:\program files\Razer\razerhid.exe" [2005-05-17 147456]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\evntsvc.exe" [2007-08-10 146432]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-10-09 16384]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064]
"HelpCenter4.1"="c:\program files\Bellsouth\HelpCenter40b\bin\sprtcmd.exe" [2007-06-28 198184]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\11.0\SharedCOM\RoxWatchTray11.exe" [2008-08-14 240112]
"CPMonitor"="c:\program files\Roxio Creator 2009\5.0\CPMonitor.exe" [2008-08-10 80368]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-10-14 155648]
"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2005-03-17 57393]
"IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2005-03-17 40960]
"BrMfcWnd"="c:\program files\Brother\Brmfcmon\BrMfcWnd.exe" [2006-03-28 622592]
"SetDefPrt"="c:\program files\Brother\Brmfl06a\BrStDvPt.exe" [2005-01-26 49152]
"ControlCenter3"="c:\program files\Brother\ControlCenter3\brctrcen.exe" [2006-04-10 61440]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2006-03-17 124656]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-11-04 13574144]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-11-04 86016]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-02-06 177472]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-04-02 342312]
"CTHelper"="CTHELPER.EXE" - c:\windows\CTHELPER.EXE [2005-11-08 16384]
"CTxfiHlp"="CTXFIHLP.EXE" - c:\windows\system32\CTXFIHLP.EXE [2006-03-02 18944]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2008-11-04 1630208]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="c:\program files\MySpace\IM\MySpaceIM.exe" [2007-12-19 8720384]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
hp psc 1000 series.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe [2003-4-9 147456]
hpoddt01.exe.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [2003-4-9 28672]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Logitech\\Logitech Harmony Remote Software 7\\HarmonyRemote.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\att-nap\\McciBrowser.exe"=
"c:\\Program Files\\Sony\\Station\\LaunchPad\\LaunchPad.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpohmr08.exe"=

R2 Roxio Upnp Server 11;Roxio Upnp Server 11;c:\program files\Roxio Creator 2009\Digital Home 11\RoxioUpnpService11.exe [2008-08-14 367088]
R2 RoxLiveShare11;LiveShare P2P Server 11;c:\program files\Common Files\Roxio Shared\11.0\SharedCOM\RoxLiveShare11.exe [2008-08-14 309744]
R2 RoxWatch11;Roxio Hard Drive Watcher 11;c:\program files\Common Files\Roxio Shared\11.0\SharedCOM\RoxWatch11.exe [2008-08-14 170480]
R3 Razerlow;Razerlow USB Filter Driver;c:\windows\system32\Drivers\Razerlow.sys [2005-04-25 13225]
R3 Roxio UPnP Renderer 11;Roxio UPnP Renderer 11;c:\program files\Roxio Creator 2009\Digital Home 11\RoxioUPnPRenderer11.exe [2008-08-14 313840]
R3 RoxMediaDB11;RoxMediaDB11;c:\program files\Common Files\Roxio Shared\11.0\SharedCOM\RoxMediaDB11.exe [2008-08-14 1124848]
R3 SavRoam;SavRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [2006-03-17 115952]
S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [2006-11-03 13592]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2009-02-27 101936]
S3 TarFltr;Razer Tarantula USB Keyboard;c:\windows\system32\Drivers\UsbFltr.sys [2006-09-27 44800]

.
Contents of the 'Scheduled Tasks' folder

2009-04-25 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2008-03-19 c:\windows\Tasks\FRU Task 2003-04-10 00:56ewlett-Packard2003-04-10 00:56p psc 1200 series272A572217594EBCF1CEE215E352B92AD073FDE4196535192.job
- c:\program files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe [2003-04-09 22:56]

2009-05-02 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 23:20]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Download - c:\program files\Bellsouth\HelpCenter\ssGet.exe 120 http://patttbc.att.motive.com/motive..._Installer.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.ecipublic.org/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-01 23:23
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
CTHelper = CTHELPER.EXE?
CTxfiHlp = CTXFIHLP.EXE?

scanning hidden files ...


c:\windows\TEMP\TMP00000030A8DDD82688890EF1 524288 bytes

scan completed successfully
hidden files: 1

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1685921231-4013998947-3120363910-1005\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:8a,56,95,7c,6b,61,e3,13,59,71,17,a2,c4,48,50,97,1b,fd,a5,92,a7,11,5e,
37,72,1c,e9,0b,2f,7e,d8,dc,b3,0c,b3,41,12,ed,ff,47,dc,c1,5e,3d,f9,82,e8,14,\
"??"=hex:cf,55,c7,95,2b,14,4d,f8,66,7b,0c,1b,19,52,fe,22
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2900)
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\CTSVCCDA.EXE
c:\program files\Symantec AntiVirus\DefWatch.exe
c:\windows\ehome\ehrecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\Common Files\Motive\McciCMService.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Dell Support Center\bin\sprtsvc.exe
c:\program files\VentSrv\ventrilo_svc.exe
c:\program files\VentSrv\ventrilo_srv.exe
c:\windows\ehome\mcrdsvc.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\CTXFISPI.EXE
c:\windows\ehome\ehmsas.exe
c:\program files\Google\Google Desktop Search\GoogleDesktopIndex.exe
c:\program files\Google\Google Desktop Search\GoogleDesktopDisplay.exe
c:\program files\Razer\razerofa.exe
c:\program files\Brother\ControlCenter3\BrccMCtl.exe
c:\windows\system32\rundll32.exe
c:\program files\Symantec AntiVirus\DoScan.exe
c:\program files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Hewlett-Packard\Digital Imaging\bin\hposts08.exe
.
**************************************************************************
.
Completion time: 2009-05-02 23:28 - machine was rebooted
ComboFix-quarantined-files.txt 2009-05-02 03:28
ComboFix2.txt 2009-05-01 21:09
ComboFix3.txt 2009-05-01 17:16
ComboFix4.txt 2009-05-01 10:08
ComboFix5.txt 2009-05-02 03:18

Pre-Run: 266,128,363,520 bytes free
Post-Run: 266,221,027,328 bytes free

251 --- E O F --- 2009-05-02 03:27
jdlucas is offline  
Old 05-01-2009, 09:54 PM   #13
CatByte
Analyst, Security Team
Join Date: Jan 2009
Location: Canada
Posts: 2,144
OS: XP sp3

Re: Windows up date not working, pop ups and degraded performance

Hi,

Things are looking much better, but there is a little more I would like to do before I give you the final all clear and tidy up of our tools.

Please do the following:

Click Start>Run and copy/paste the following bolded text into the Run box and click OK:

C:\Qoobox\ComboFix-quarantined-files.txt


A report should pop open for you.
Please post the contents in your next reply.
__________________


ASAP & UNITE Member
CatByte is offline  
Old 05-02-2009, 06:02 AM   #14
Registered User
Join Date: Apr 2009
Posts: 11
OS: Windows XP

Re: Windows up date not working, pop ups and degraded performance

Requested report.
2009-05-02 03:28:02 . 2009-05-02 03:28:02 257 ----a-w C:\Qoobox\Quarantine\Registry_backups\HKCU-Run-Download.reg.dat
2009-05-02 03:18:39 . 2009-05-02 03:18:39 0 ----a-w C:\Qoobox\Quarantine\catchme.txt
2009-05-01 21:07:20 . 2009-05-01 21:07:21 523 ----a-w C:\Qoobox\Quarantine\Registry_backups\BHO-{AC714786-AC55-49A9-ABDC-BD18B7D29627}.reg.dat
2009-05-01 17:16:20 . 2009-05-01 17:16:20 152 ----a-w C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-CPMc3602a2a.reg.dat
2009-05-01 17:09:26 . 2009-05-01 17:09:26 74 ----a-w C:\Qoobox\Quarantine\Registry_backups\Service_7276c804.reg.dat
2009-05-01 17:09:26 . 2009-05-01 17:09:26 74 ----a-w C:\Qoobox\Quarantine\Registry_backups\Service_3122ef45.reg.dat
2009-05-01 17:09:16 . 2009-05-01 17:09:16 7,168 ----a-w C:\Qoobox\Quarantine\Registry_backups\Service_iopxnftf.reg.dat
2009-05-01 17:09:16 . 2009-05-01 17:09:16 486 ----a-w C:\Qoobox\Quarantine\Registry_backups\Service_505069ab.reg.dat
2009-05-01 17:09:16 . 2009-05-02 03:20:15 1,104 ----a-w C:\Qoobox\Quarantine\Registry_backups\Legacy_IOPXNFTF.reg.dat
2009-05-01 17:07:07 . 2009-05-01 17:07:07 62,685 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\_xsmzygj_.dll.zip
2009-05-01 17:07:02 . 2009-05-01 17:07:02 11,437 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\_iopxnftf_.sys.zip
2009-05-01 1759 . 2009-05-01 1759 70,112 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\_7276c804_.sys.zip
2009-05-01 1756 . 2009-05-01 1756 70,112 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\_3122ef45_.sys.zip
2009-05-01 1733 . 2009-05-01 1735 638,208 ----a-w C:\Qoobox\Quarantine\[4]-Submit_2009-5-1_13.6.0.zip
2009-05-01 10:02:23 . 2009-05-01 10:02:23 212,224 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\ndis.sys.vir
2009-04-30 20:52:38 . 2009-04-30 20:52:38 554 ----a-w C:\Qoobox\Quarantine\Registry_backups\Notify-__c0035B44.reg.dat
2009-04-30 20:52:33 . 2009-04-30 20:52:33 158 ----a-w C:\Qoobox\Quarantine\Registry_backups\HKU-Default-Run-autochk.reg.dat
2009-04-30 20:52:33 . 2009-04-30 20:52:33 139 ----a-w C:\Qoobox\Quarantine\Registry_backups\HKU-Default-Run-Diagnostic Manager.reg.dat
2009-04-30 20:52:33 . 2009-04-30 20:52:33 138 ----a-w C:\Qoobox\Quarantine\Registry_backups\HKU-Default-Run-A00F43D3952.exe.reg.dat
2009-04-30 20:52:33 . 2009-04-30 20:52:33 140 ----a-w C:\Qoobox\Quarantine\Registry_backups\HKU-Default-Run-Windows Resurections.reg.dat
2009-04-30 20:52:32 . 2009-04-30 20:52:32 128 ----a-w C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-prnet.reg.dat
2009-04-30 20:52:28 . 2009-04-30 20:52:28 190 ----a-w C:\Qoobox\Quarantine\Registry_backups\HKCU-Run-12ZFG94-F641-2SF-K31P-5N1ER6H6L2.reg.dat
2009-04-30 20:52:28 . 2009-04-30 20:52:28 127 ----a-w C:\Qoobox\Quarantine\Registry_backups\HKCU-Run-prnet.reg.dat
2009-04-30 20:46:34 . 2009-05-01 17:11:12 94,204 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\3122ef45.sys.vir
2009-04-30 20:46:22 . 2009-05-01 1713 7,680 ----a-w C:\Qoobox\Quarantine\C\okex.exe.vir
2009-04-30 20:46:15 . 2009-04-30 20:46:15 15,001 ----a-w C:\Qoobox\Quarantine\C\DOCUME~1\Jeffrey\LOCALS~1\Temp\h86m1qdq.exe.vir
2009-04-30 20:44:04 . 2009-04-30 20:44:04 14,848 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\DL32.exe.vir
2009-04-30 20:44:04 . 2009-05-01 1716 14,848 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\st_1241142708.exe.vir
2009-04-30 20:44:01 . 2009-04-30 20:44:01 15,360 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\796525\796525.dll.vir
2009-04-30 20:43:57 . 2009-04-30 20:43:57 34,817 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\Temp\1642042980.exe.vir
2009-04-30 20:43:46 . 2009-04-30 20:44:02 94,204 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\6e16c1a.sys.vir
2009-04-30 20:43:31 . 2009-04-30 20:46:19 113,664 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\azton.mt.vir
2009-04-30 20:43:28 . 2009-04-30 20:43:28 15,000 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\sjg9s8guigjs.dll.vir
2009-04-30 20:41:04 . 2009-04-30 20:46:38 24,576 ----a-w C:\Qoobox\Quarantine\C\Documents and Settings\Jeffrey\reader_s.exe.vir
2009-04-30 20:41:04 . 2009-04-30 20:46:38 16,384 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\ld08.exe.vir
2009-04-30 20:41:02 . 2009-04-30 20:41:18 94,204 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\d4d20574.sys.vir
2009-04-30 20:40:44 . 2009-04-30 20:46:23 262,144 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\nvrsk.dll.vir
2009-04-30 20:39:57 . 2009-04-30 20:39:57 201,919 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\_vaadyhs_.dll.zip
2009-04-30 20:37:57 . 2009-04-30 20:37:57 2,152 ----a-w C:\Qoobox\Quarantine\Registry_backups\Service_olvqghst.reg.dat
2009-04-30 20:37:57 . 2009-04-30 20:37:57 2,578 ----a-w C:\Qoobox\Quarantine\Registry_backups\Service_FCI.reg.dat
2009-04-30 20:37:57 . 2009-04-30 20:37:57 1,080 ----a-w C:\Qoobox\Quarantine\Registry_backups\Legacy_olvqghst.reg.dat
2009-04-30 20:37:57 . 2009-04-30 20:37:57 766 ----a-w C:\Qoobox\Quarantine\Registry_backups\Legacy_fci.reg.dat
2009-04-30 20:37:47 . 2009-05-02 03:20:11 6,020 ----a-w C:\Qoobox\Quarantine\Registry_backups\tcpip.reg
2009-04-30 20:37:14 . 2009-04-30 20:37:14 23,772 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\___c0035B44_.dat.zip
2009-04-30 20:27:16 . 2009-04-30 20:27:16 2,245 ----a-w C:\Qoobox\Quarantine\Registry_backups\Service_ovfsthvxiaaxbmviecueumepcjvnmbisjixhiv.reg.dat
2009-04-30 20:23:26 . 2009-05-02 03:18:02 2,321 ----a-w C:\Qoobox\Quarantine\catchme.log
2009-04-30 20:20:18 . 2009-04-30 20:46:35 101,888 ----a-w C:\Qoobox\Quarantine\C\ohkbrkoo.exe.vir
2009-04-30 20:20:18 . 2009-04-30 20:46:31 705 ----a-w C:\Qoobox\Quarantine\C\xmrgycj.exe.vir
2009-04-30 20:20:08 . 2009-05-01 1733 113,664 ----a-w C:\Qoobox\Quarantine\C\xipr.exe.vir
2009-04-30 20:19:47 . 2009-04-30 20:19:47 24,576 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\config\systemprofile\reader_s.exe.vir
2009-04-30 20:19:47 . 2009-04-30 20:19:47 24,576 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\reader_s.exe.vir
2009-04-30 20:19:46 . 2009-05-01 17:11:12 94,204 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\7276c804.sys.vir
2009-04-30 20:19:43 . 2009-04-30 20:19:44 705 ----a-w C:\Qoobox\Quarantine\C\pdtivk.exe.vir
2009-04-30 20:19:38 . 2009-04-30 20:19:38 7,680 ----a-w C:\Qoobox\Quarantine\C\celkadaa.exe.vir
2009-04-30 20:19:38 . 2009-04-30 20:19:38 34,817 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\Temp\4204255914.exe.vir
2009-04-30 20:19:35 . 2009-04-30 20:19:35 34,817 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\Temp\4167849664.exe.vir
2009-04-30 20:19:33 . 2009-04-30 20:19:33 34,817 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\Temp\4169724664.exe.vir
2009-04-30 20:19:24 . 2009-04-30 20:19:24 9,216 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\instsp2.exe.vir
2009-04-30 20:18:19 . 2009-04-30 20:18:19 34,817 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\Temp\3420974664.exe.vir
2009-04-29 21:05:46 . 2009-04-29 21:05:46 570 ----a-w C:\Qoobox\Quarantine\C\Documents and Settings\Jeffrey\Application Data\qsruvvcs\Profiles\wenh25bj.default\localstore.rdf.vir
2009-04-29 21:04:53 . 2009-04-29 21:04:54 4,096 ----a-w C:\Qoobox\Quarantine\C\Documents and Settings\Jeffrey\Application Data\qsruvvcs\Profiles\wenh25bj.default\formhistory.sqlite.vir
2009-04-29 21:04:50 . 2009-04-29 21:22:34 0 ----a-w C:\Qoobox\Quarantine\C\Documents and Settings\Jeffrey\Application Data\qsruvvcs\Profiles\wenh25bj.default\places.sqlite-journal.vir
2009-04-29 21:04:50 . 2009-04-29 21:04:50 131,072 ----a-w C:\Qoobox\Quarantine\C\Documents and Settings\Jeffrey\Application Data\qsruvvcs\Profiles\wenh25bj.default\places.sqlite.vir
2009-04-29 21:04:50 . 2009-04-29 21:33:49 32,768 ----a-w C:\Qoobox\Quarantine\C\Documents and Settings\Jeffrey\Local Settings\Application Data\qsruvvcs\Profiles\wenh25bj.default\urlclassifier3.sqlite.vir
2009-04-29 21:04:50 . 2009-04-29 21:04:50 16,384 ----a-w C:\Qoobox\Quarantine\C\Documents and Settings\Jeffrey\Application Data\qsruvvcs\Profiles\wenh25bj.default\key3.db.vir
2009-04-29 21:04:50 . 2009-04-29 21:04:50 65,536 ----a-w C:\Qoobox\Quarantine\C\Documents and Settings\Jeffrey\Application Data\qsruvvcs\Profiles\wenh25bj.default\cert8.db.vir
2009-04-29 21:04:49 . 2009-04-29 21:04:49 16,384 ----a-w C:\Qoobox\Quarantine\C\Documents and Settings\Jeffrey\Application Data\qsruvvcs\Profiles\wenh25bj.default\secmod.db.vir
2009-04-29 21:04:49 . 2009-04-29 21:04:49 2,048 ----a-w C:\Qoobox\Quarantine\C\Documents and Settings\Jeffrey\Application Data\qsruvvcs\Profiles\wenh25bj.default\cookies.sqlite.vir
2009-04-29 21:04:42 . 2009-04-29 21:04:42 2,048 ----a-w C:\Qoobox\Quarantine\C\Documents and Settings\Jeffrey\Application Data\qsruvvcs\Profiles\wenh25bj.default\permissions.sqlite.vir
2009-04-29 21:04:42 . 2009-04-29 21:04:42 367 ----a-w C:\Qoobox\Quarantine\C\Documents and Settings\Jeffrey\Application Data\qsruvvcs\Profiles\wenh25bj.default\prefs.js.vir
2009-04-29 21:04:41 . 2009-04-29 21:04:41 127,820 ----a-w C:\Qoobox\Quarantine\C\Documents and Settings\Jeffrey\Application Data\qsruvvcs\Profiles\wenh25bj.default\compreg.dat.vir
2009-04-29 21:04:41 . 2009-04-29 21:05:19 438,160 ----a-w C:\Qoobox\Quarantine\C\Documents and Settings\Jeffrey\Local Settings\Application Data\qsruvvcs\Profiles\wenh25bj.default\XPC.mfl.vir
2009-04-29 21:04:38 . 2009-04-29 21:04:38 96,173 ----a-w C:\Qoobox\Quarantine\C\Documents and Settings\Jeffrey\Application Data\qsruvvcs\Profiles\wenh25bj.default\xpti.dat.vir
2009-04-29 21:04:38 . 2009-04-29 21:04:38 207 ----a-w C:\Qoobox\Quarantine\C\Documents and Settings\Jeffrey\Application Data\qsruvvcs\Profiles\wenh25bj.default\compatibility.ini.vir
2009-04-29 21:04:38 . 2009-04-29 21:04:38 111 ----a-w C:\Qoobox\Quarantine\C\Documents and Settings\Jeffrey\Application Data\qsruvvcs\profiles.ini.vir
2009-04-29 20:54:40 . 2009-04-29 20:54:40 2 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\t55ft2695f44.dat.vir
2009-04-29 20:54:37 . 2009-04-29 20:54:38 2 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\t55ft2667f44.dat.vir
2009-04-29 15:31:37 . 2009-04-30 20:18:00 1,433,831 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\awitejem.ini.vir
2009-04-29 01:24:46 . 2009-04-29 01:24:47 24,064 ----a-w C:\Qoobox\Quarantine\C\Documents and Settings\Home\Start Menu\Programs\Startup\ChkDisk.dll.vir
2009-04-29 01:24:46 . 2009-04-29 01:24:49 647 ----a-w C:\Qoobox\Quarantine\C\Documents and Settings\Home\Start Menu\Programs\Startup\ChkDisk.lnk.vir
2009-04-29 01:24:45 . 2009-04-29 01:24:45 24,064 ----a-w C:\Qoobox\Quarantine\C\Documents and Settings\Home\protect.dll.vir
2009-04-28 23:15:48 . 2009-04-28 23:15:48 24,064 ----a-w C:\Qoobox\Quarantine\C\Documents and Settings\NetworkService\protect.dll.vir
2009-04-28 22:31:20 . 2009-04-28 22:31:20 0 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\mqcd.dbt.vir
2009-04-28 22:30:37 . 2009-04-28 22:30:37 10,752 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\pp06.exe.vir
2009-04-28 22:30:37 . 2009-04-28 22:30:37 2 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\t55ft2692f44.dat.vir
2009-04-28 22:30:37 . 2009-04-28 22:30:37 15,360 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\dll32.exe.vir
2009-04-28 22:30:22 . 2009-04-30 20:19:46 28,672 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\inqby.sr.vir
2009-04-28 22:30:21 . 2009-04-30 20:19:46 32,768 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\ferryl.cbv.vir
2009-04-28 22:30:21 . 2009-04-30 20:19:45 32,768 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\fairy.an.vir
2009-04-28 22:30:20 . 2009-04-30 20:19:45 28,672 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\dolman.zt.vir
2009-04-28 22:30:20 . 2009-04-30 20:19:44 79,360 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\ashl.nq.vir
2009-04-28 22:28:38 . 2009-04-28 22:28:38 24,064 ----a-w C:\Qoobox\Quarantine\C\Documents and Settings\LocalService\protect.dll.vir
2009-04-28 22:28:31 . 2009-04-28 22:28:32 24,064 ----a-w C:\Qoobox\Quarantine\C\Documents and Settings\Jeffrey\Start Menu\Programs\Startup\ChkDisk.dll.vir
2009-04-28 22:28:31 . 2009-04-28 22:28:36 653 ----a-w C:\Qoobox\Quarantine\C\Documents and Settings\Jeffrey\Start Menu\Programs\Startup\ChkDisk.lnk.vir
2009-04-28 22:28:31 . 2009-04-28 22:28:31 24,064 ----a-w C:\Qoobox\Quarantine\C\Documents and Settings\Jeffrey\protect.dll.vir
2009-04-28 22:28:25 . 2009-04-28 22:28:25 24,064 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\config\systemprofile\protect.dll.vir
2009-04-28 22:28:25 . 2009-04-28 22:53:11 24,064 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\autochk.dll.vir
2009-04-28 22:24:58 . 2009-04-28 22:24:58 34,817 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\Temp\641853828.exe.vir
2009-04-28 22:24:48 . 2009-04-28 22:24:49 434 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\Tasks\At1.job.vir
2009-04-28 22:24:39 . 2009-04-30 20:19:47 101,888 ----a-w C:\Qoobox\Quarantine\C\wwmeoblk.exe.vir
2009-04-28 22:24:39 . 2009-04-28 22:24:39 34,817 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\Temp\496697578.exe.vir
2009-04-28 22:24:36 . 2009-04-28 22:24:36 34,817 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\Temp\417791328.exe.vir
2009-04-28 22:24:29 . 2009-05-01 1708 115,712 ----a-w C:\Qoobox\Quarantine\C\kggi.exe.vir
2009-04-28 22:24:00 . 2009-04-28 22:24:00 27,648 ----a-w C:\Qoobox\Quarantine\C\DOCUME~1\Jeffrey\LOCALS~1\Temp\mousehook.dll.vir
2009-04-28 22:23:59 . 2009-04-28 22:23:59 57,856 ----a-w C:\Qoobox\Quarantine\C\DOCUME~1\Jeffrey\LOCALS~1\Temp\ntdll64.dll.vir
2009-04-28 02:53:34 . 2009-04-28 02:53:34 34,817 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\Temp\1992372518.exe.vir
2009-04-27 22:44:48 . 2009-04-27 22:44:48 1,400 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\ahtn.htm.vir
2009-04-27 22:44:48 . 2009-04-27 22:44:48 4,785 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\warning.gif.vir
2009-04-27 22:44:47 . 2009-04-30 20:17:54 439 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\win32hlp.cnf.vir
2009-04-27 22:44:43 . 2009-04-27 22:44:43 57,856 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\Temp\ntdll64.dll.vir
2009-04-27 22:44:38 . 2009-04-27 22:44:38 1 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\uniq.tll.vir
2009-04-27 22:44:35 . 2009-04-27 22:44:36 29,696 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\loader49.exe.vir
2009-04-27 22:30:35 . 2009-04-27 22:30:35 46 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\p2hhr.bat.vir
2009-04-27 22:29:35 . 2009-04-27 22:29:35 15,000 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\yhs783ijfo3fe.dll.vir
2009-04-27 22:14:33 . 2009-04-30 20:37:15 27,648 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\__c0035B44.dat.vir
2009-04-27 22:14:32 . 2009-04-27 22:14:33 39,936 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\winglsetup.exe.vir
2009-04-27 22:00:42 . 2009-04-28 23:17:01 1,433,840 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\otefupob.ini.vir
2009-04-26 21:46:54 . 2009-04-27 21:59:49 1,427,288 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\onariyen.ini.vir
2009-04-26 02:58:42 . 2009-04-26 02:58:42 4,095 ----a-w C:\Qoobox\Quarantine\C\Documents and Settings\Jeffrey\Local Settings\Temporary Internet Files\bestwiner.stt.vir
2009-04-25 22:11:41 . 2009-04-25 22:13:28 49,152 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\ftp_non_crp.exe.vir
2009-04-25 21:46:50 . 2009-04-25 22:09:50 1,406,509 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\oniwafiz.ini.vir
2009-04-25 02:42:23 . 2009-04-25 02:42:23 4,095 ----a-w C:\Qoobox\Quarantine\C\Documents and Settings\Jeffrey\Local Settings\Temporary Internet Files\fbk.sts.vir
2009-04-25 02:33:23 . 2009-05-01 1727 5,440 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\wihalewo.dll.vir
2009-04-25 02:33:23 . 2009-04-25 02:33:23 2,713 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\bogosara.exe.vir
2009-04-25 02:33:23 . 2009-04-25 02:33:23 5,440 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\vofidato.dll.vir
2009-04-25 02:30:24 . 2009-04-25 03:33:24 87,040 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\nemihito.dll.vir
2009-04-25 02:30:21 . 2009-05-01 1721 52,224 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\vihagiva.exe.vir
2009-04-25 02:28:49 . 2009-04-30 20:17:52 43 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\ovfsthimcvxqsspfnjsephxhajvwqvvewcvmou.dat.vir
2009-04-25 02:27:48 . 2009-04-25 02:27:48 18,944 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\ovfsthdrnuwlpgvfhcjlobuicqmuodbojcntvf.dll.vir
2009-04-25 02:27:48 . 2009-04-25 02:27:48 18,432 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\ovfsththbxfyydsdhgwnxlwnngiflmqobvhyll.dll.vir
2009-04-25 02:27:48 . 2009-04-30 20:31:45 64,883 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\ovfsthjmsigvgjeiugcigfynrmkwkqxbjmamqt.dat.vir
2009-04-25 02:27:48 . 2009-04-25 02:27:48 60,928 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\ovfsthtstyieioopsdncuskahaoruldklpxohp.dll.vir
2009-04-25 02:27:48 . 2009-04-27 02:09:10 83,968 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\ovfsthrnqrckgvcmxmdaphktwbjnqdybrkuwkg.sys.vir
2009-04-04 19:58:18 . 2009-04-04 19:58:18 21,504 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\jestertb.dll.vir
2009-04-03 17:42:14 . 2009-04-19 21:57:14 0 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\UACd.sys.vir
2009-01-30 20:19:25 . 2009-04-30 20:19:25 51,712 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\tineraka.exe.vir
2009-01-30 20:19:24 . 2009-04-30 20:19:24 79,360 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\pofusido.dll.vir
2009-01-30 20:19:24 . 2009-05-01 1724 87,552 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\wegabalu.dll.vir
2009-01-29 15:31:28 . 2009-04-29 15:31:29 80,384 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\mejetiwa.dll.vir
2009-01-29 15:31:28 . 2009-04-29 15:31:29 88,064 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\wisebiga.dll.vir.vir
2009-01-28 22:24:23 . 2009-04-28 22:24:24 87,552 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\goradoja.dll.vir
2009-01-28 22:24:23 . 2009-04-28 22:24:24 80,896 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\yunukino.dll.vir
2009-01-27 22:00:33 . 2009-04-27 22:00:34 88,576 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\sizebave.dll.vir.vir
2009-01-27 22:00:32 . 2009-04-27 22:00:32 50,688 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\ludiwemi.exe.vir
2009-01-26 21:46:47 . 2009-04-26 21:46:48 52,224 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\yevalofa.exe.vir
2009-01-26 21:46:46 . 2009-04-26 21:46:48 88,064 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\veriwada.dll.vir
2009-01-26 21:46:46 . 2009-04-26 21:46:47 79,872 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\neyirano.dll.vir
2009-01-26 09:46:40 . 2009-04-26 09:46:41 79,872 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\pohubeli.dll.vir
2009-01-26 09:46:40 . 2009-04-26 09:46:40 51,712 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\yozuyosa.exe.vir
2009-01-26 09:46:40 . 2009-04-26 09:46:41 88,576 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\bozakita.dll.vir
2009-01-25 21:47:09 . 2009-01-25 21:47:09 48,640 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\lofimazi.dll.vir
2009-01-25 21:47:09 . 2009-01-25 21:47:09 48,640 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\vejuweve.dll.vir
2009-01-25 21:47:09 . 2009-01-25 21:47:09 48,640 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\jodayodu.dll.vir
2009-01-25 21:46:38 . 2009-04-25 21:47:09 48,640 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\dazizoru.dll.vir
2009-01-25 21:46:38 . 2009-04-25 21:46:39 88,064 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\vujabafo.dll.vir
2009-01-25 21:46:38 . 2009-04-25 21:46:39 79,360 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\zifawino.dll.vir
2009-01-25 21:46:38 . 2009-04-25 21:46:39 50,688 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\rinebali.exe.vir
2008-05-19 22:09:47 . 2008-05-19 22:09:48 53,934 ----a-w C:\Qoobox\Quarantine\C\Program Files\INSTALL.LOG.vir
2007-10-12 02:22:21 . 2007-10-12 22:17:35 74 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\search_res.txt.vir
2007-10-12 02:21:48 . 2007-10-12 22:29:22 257 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\dat.txt.vir
2007-10-12 02:21:48 . 2007-10-12 02:21:48 18,250 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\rs.txt.vir
2005-08-16 09:18:42 . 2009-04-27 22:44:43 104,960 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\userinit.exe.vir
2005-08-16 09:18:42 . 2009-04-30 20:43:38 578,560 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\user32.dll.vir.vir
2005-08-16 09:18:30 . 2004-08-10 10:00:00 23,424 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\iopxnftf.sys.vir
2005-08-16 09:18:30 . 2009-05-01 17:07:03 23,424 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\npueqdud.sys.vir
2005-08-16 09:18:30 . 2004-08-10 10:00:00 103,424 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\vaadyhs.dll.vir
2005-08-16 09:18:30 . 2009-04-30 20:37:32 103,424 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\xsmzygj.dll.vir
Old 05-02-2009, 09:37 AM   #15 (permalink)
CatByte (Analyst, Security Team; Join Date: Jan 2009; Location: Canada; Posts: 2,144; OS: XP sp3)


Re: Windows up date not working, pop ups and degraded performance

Hi,

We need to upload a file for analysis.

Please do the following:

Please visit this site and copy/paste the following bolded text into the 'browse to file to submit' box:
C:\Qoobox\Quarantine\[4]-Submit_2009-5-1_13.6.0.zip
Click 'Send File'

Please return here and let me know when that file has been uploaded.
Old 05-02-2009, 12:12 PM   #16 (permalink)
jdlucas (Registered User; Join Date: Apr 2009; Posts: 11; OS: Windows XP)


Re: Windows up date not working, pop ups and degraded performance

File uploaded at 1411 EST.
Old 05-02-2009, 01:35 PM   #17 (permalink)
CatByte (Analyst, Security Team; Join Date: Jan 2009; Location: Canada; Posts: 2,144; OS: XP sp3)


Re: Windows up date not working, pop ups and degraded performance

Hi,

Please do the following:

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older version Java components and update.
  • Download the latest version of Java Runtime Environment (JRE) 6 and save it to your desktop.
  • Scroll down to where it says "Java SE Runtime Environment (JRE) 6 Update 13. The Java SE Runtime Environment (JRE) allows end-users to run Java applications."
  • Click the "Download" button to the right.
  • Select the Windows platform from the dropdown menu.
  • Read the License Agreement and then check the box that says: " I agree to the Java SE Runtime Environment 6 with JavaFX License Agreement". Click on Continue.The page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Now go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE or Java(TM) 6) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u13-windows-i586-p.exe to install the newest version.
  • After the install is complete, go into the Control Panel (using Classic View) and double-click the Java Icon. (looks like a coffee cup)
    • On the General tab, under Temporary Internet Files, click the Settings button.
    • Next, click on the Delete Files button
    • There are two options in the window to clear the cache - Leave BOTH Checked
      • Applications and Applets
      • Trace and Log Files
    • Click OK on Delete Temporary Files Window

      Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
    • Click OK to leave the Temporary Files Window
    • Click OK to leave the Java Control Panel.




STEP #2

Please download Malwarebytes' Anti-Malware
  • Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected. <-- very important
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note:If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately.



STEP #3


Go to Kaspersky website and perform an online antivirus scan.
  1. Read through the requirements and privacy statement and click on Accept button.
  2. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  3. When the downloads have finished, click on Settings.
  4. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
    • Mail databases
  5. Click on My Computer under Scan.
  6. Once the scan is complete, it will display the results. Click on View Scan Report.
  7. You will see a list of infected items there. Click on Save Report As....
  8. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button. Then post it here.

In your next reply please include
  • MBAM Log
  • Kaspersky report
Old 05-02-2009, 06:17 PM   #18 (permalink)
jdlucas (Registered User; Join Date: Apr 2009; Posts: 11; OS: Windows XP)


Re: Windows up date not working, pop ups and degraded performance

Malwarebytes' Anti-Malware 1.36
Database version: 2067
Windows 5.1.2600 Service Pack 3

5/2/2009 6:15:32 PM
mbam-log-2009-05-02 (18-15-32).txt

Scan type: Quick Scan
Objects scanned: 101445
Time elapsed: 2 minute(s), 3 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 6
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\y537.y537mgr (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\y537.y537mgr.1 (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{e7f15ac4-e0a9-43f0-921b-70dfea621220} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{cf5c6a80-c938-478c-bc8b-8d7b00788154} (Rogue.Installer) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{e7f15ac4-e0a9-43f0-921b-70dfea621220} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\prnet (Trojan.Downloader) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Startup\ChkDisk.dll (Worm.Autorun) -> Quarantined and deleted successfully.
C:\WINDOWS\9g2234wesdf3dfgjf23 (Trojan.KoobFace) -> Quarantined and deleted successfully.


--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0 REPORT
Saturday, May 2, 2009
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Sunday, May 03, 2009 00:07:44
Records in database: 2121628
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\

Scan statistics:
Files scanned: 162874
Threat name: 28
Infected objects: 95
Suspicious objects: 0
Duration of the scan: 01:31:37


File name / Threat name / Threats count
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0BAC0000\4BFE752F.VBN Infected: Trojan-Downloader.Win32.Agent.bfjx 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\154C0001.VBN Infected: Rootkit.Win32.Agent.iuw 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\175C0001.VBN Infected: Exploit.Java.Gimsh.b 1
C:\Qoobox\Quarantine\C\Documents and Settings\Home\protect.dll.vir Infected: Trojan-Spy.Win32.Agent.amjg 1
C:\Qoobox\Quarantine\C\Documents and Settings\Home\Start Menu\Programs\Startup\ChkDisk.dll.vir Infected: Trojan-Spy.Win32.Agent.amjg 1
C:\Qoobox\Quarantine\C\Documents and Settings\Jeffrey\protect.dll.vir Infected: Trojan-Spy.Win32.Agent.amjg 1
C:\Qoobox\Quarantine\C\Documents and Settings\Jeffrey\reader_s.exe.vir Infected: Trojan.Win32.Agent.cdcn 1
C:\Qoobox\Quarantine\C\Documents and Settings\Jeffrey\Start Menu\Programs\Startup\ChkDisk.dll.vir Infected: Trojan-Spy.Win32.Agent.amjg 1
C:\Qoobox\Quarantine\C\Documents and Settings\LocalService\protect.dll.vir Infected: Trojan-Spy.Win32.Agent.amjg 1
C:\Qoobox\Quarantine\C\Documents and Settings\NetworkService\protect.dll.vir Infected: Trojan-Spy.Win32.Agent.amjg 1
C:\Qoobox\Quarantine\C\pdtivk.exe.vir Infected: Trojan.Win32.Agent2.hoc 1
C:\Qoobox\Quarantine\C\WINDOWS\ld08.exe.vir Infected: Net-Worm.Win32.Koobface.hn 1
C:\Qoobox\Quarantine\C\WINDOWS\pp06.exe.vir Infected: Net-Worm.Win32.Koobface.hu 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\796525\796525.dll.vir Infected: Trojan-Downloader.Win32.BHO.lfm 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\autochk.dll.vir Infected: Trojan-Spy.Win32.Agent.amjg 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\config\systemprofile\protect.dll.vir Infected: Trojan-Spy.Win32.Agent.amjg 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\config\systemprofile\reader_s.exe.vir Infected: Trojan.Win32.Agent.cdcn 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\DL32.exe.vir Infected: Trojan.Win32.Agent2.iwh 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\dll32.exe.vir Infected: Trojan-Proxy.Win32.Agent.blm 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\ovfsthrnqrckgvcmxmdaphktwbjnqdybrkuwkg.sys.vir Infected: Trojan.Win32.Tdss.aalf 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\_iopxnftf_.sys.zip Infected: Trojan.Win32.BHO.ext 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\nvrsk.dll.vir Infected: Worm.Win32.Pinit.dc 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\ovfsthdrnuwlpgvfhcjlobuicqmuodbojcntvf.dll.vir Infected: Trojan.Win32.Tdss.aald 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\ovfsththbxfyydsdhgwnxlwnngiflmqobvhyll.dll.vir Infected: Trojan.Win32.Tdss.aalg 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\ovfsthtstyieioopsdncuskahaoruldklpxohp.dll.vir Infected: Trojan.Win32.Tdss.aalc 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\pofusido.dll.vir Infected: Trojan.Win32.Monder.byqu 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\reader_s.exe.vir Infected: Trojan.Win32.Agent.cdcn 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\sjg9s8guigjs.dll.vir Infected: Trojan.Win32.Agent.cdbr 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\winglsetup.exe.vir Infected: Trojan-Dropper.Win32.Agent.anrj 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\yevalofa.exe.vir Infected: Trojan-Downloader.Win32.Agent.bujb 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\yunukino.dll.vir Infected: Trojan.Win32.Monder.byqu 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\___c0035B44_.dat.zip Infected: Trojan-Downloader.Win32.Agent.bunv 1
C:\Qoobox\Quarantine\C\WINDOWS\Temp\1642042980.exe.vir Infected: Trojan-Downloader.Win32.Suurch.oa 1
C:\Qoobox\Quarantine\C\WINDOWS\Temp\1992372518.exe.vir Infected: Trojan-Downloader.Win32.Suurch.oa 1
C:\Qoobox\Quarantine\C\WINDOWS\Temp\3420974664.exe.vir Infected: Trojan-Downloader.Win32.Suurch.oa 1
C:\Qoobox\Quarantine\C\WINDOWS\Temp\4167849664.exe.vir Infected: Trojan-Downloader.Win32.Suurch.oa 1
C:\Qoobox\Quarantine\C\WINDOWS\Temp\4169724664.exe.vir Infected: Trojan-Downloader.Win32.Suurch.oa 1
C:\Qoobox\Quarantine\C\WINDOWS\Temp\417791328.exe.vir Infected: Trojan-Downloader.Win32.Suurch.oa 1
C:\Qoobox\Quarantine\C\WINDOWS\Temp\4204255914.exe.vir Infected: Trojan-Downloader.Win32.Suurch.oa 1
C:\Qoobox\Quarantine\C\WINDOWS\Temp\496697578.exe.vir Infected: Trojan-Downloader.Win32.Suurch.oa 1
C:\Qoobox\Quarantine\C\WINDOWS\Temp\641853828.exe.vir Infected: Trojan-Downloader.Win32.Suurch.oa 1
C:\Qoobox\Quarantine\C\xmrgycj.exe.vir Infected: Trojan.Win32.Agent2.hoc 1
C:\Qoobox\Quarantine\[4]-Submit_2009-5-1_13.6.0.zip Infected: Trojan-Dropper.Win32.Agent.ansc 2
C:\Qoobox\Quarantine\[4]-Submit_2009-5-1_13.6.0.zip Infected: Trojan-Downloader.Win32.Agent.bskq 1
C:\Qoobox\Quarantine\[4]-Submit_2009-5-1_13.6.0.zip Infected: Trojan.Win32.Agent2.iwh 1
C:\Qoobox\Quarantine\[4]-Submit_2009-5-1_13.6.0.zip Infected: Trojan.Win32.Agent2.hoc 1
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1\A0000024.exe Infected: Trojan.Win32.Inject.xmi 1
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1\A0000026.dll Infected: Trojan-Spy.Win32.Agent.amjg 1
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1\A0000027.dll Infected: Trojan-Spy.Win32.Agent.amjg 1
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1\A0000028.exe Infected: Trojan.Win32.Agent2.iwh 1
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1\A0000029.exe Infected: Trojan-Proxy.Win32.Agent.blm 1
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1\A0000031.dll Infected: Worm.Win32.Pinit.dc 1
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1\A0000033.exe Infected: Trojan.Win32.Agent.cdcn 1
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1\A0000034.exe Infected: Trojan-Dropper.Win32.Agent.anrj 1
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1\A0000037.dll Infected: Trojan-Spy.Win32.Agent.amjg 1
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1\A0000038.dll Infected: Trojan-Spy.Win32.Agent.amjg 1
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1\A0000040.dll Infected: Trojan-Spy.Win32.Agent.amjg 1
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1\A0000041.exe Infected: Trojan.Win32.Agent.cdcn 1
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1\A0000042.dll Infected: Trojan-Spy.Win32.Agent.amjg 1
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1\A0000044.dll Infected: Trojan-Spy.Win32.Agent.amjg 1
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1\A0000045.dll Infected: Trojan-Spy.Win32.Agent.amjg 1
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1\A0000046.exe Infected: Net-Worm.Win32.Koobface.hn 1
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1\A0000047.exe Infected: Net-Worm.Win32.Koobface.hu 1
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1\A0000048.exe Infected: Trojan.Win32.Agent.cdcn 1
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1\A0000052.dll Infected: Trojan-Downloader.Win32.BHO.lfm 1
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1\A0000065.dll Infected: Trojan.Win32.Monder.byqu 1
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1\A0000067.dll Infected: Trojan.Win32.Agent.cdbr 1
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1\A0000072.dll Infected: Trojan.Win32.Monder.byqu 1
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1\A0000109.exe Infected: Trojan-Downloader.Win32.Agent.bskq 1
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1\A0000110.exe Infected: Trojan.Win32.Agent2.hoc 1
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1\A0000111.exe Infected: Trojan-Dropper.Win32.Agent.ansc 1
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1\A0001097.exe Infected: Trojan.Win32.Inject.xmi 1
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1\A0001098.exe Infected: Trojan-Downloader.Win32.Agent.bskq 1
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1\A0001099.dll Infected: Worm.Win32.Pinit.dc 1
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1\A0001102.exe Infected: Trojan.Win32.Agent2.hoc 1
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1\A0001103.exe Infected: Trojan-Dropper.Win32.Agent.ansc 1
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1\A0001105.exe Infected: Trojan.Win32.Agent.cdcn 1
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1\A0001106.exe Infected: Net-Worm.Win32.Koobface.hn 1
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1\A0001107.exe Infected: Trojan.Win32.Agent.cdcn 1
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1\A0002095.exe Infected: Trojan.Win32.Agent2.hxw 1
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1\A0002098.exe Infected: Trojan.Win32.Inject.xmi 1
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1\A0002099.dll Infected: Worm.Win32.Pinit.dc 1
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1\A0002100.exe Infected: Trojan.Win32.Agent2.hoc 1
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1\A0002101.exe Infected: Trojan-Dropper.Win32.Agent.ansc 1
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1\A0002103.exe Infected: Trojan.Win32.Agent.cdcn 1
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1\A0002104.exe Infected: Net-Worm.Win32.Koobface.hn 1
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1\A0002105.exe Infected: Trojan.Win32.Agent.cdcn 1
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1\A0002177.exe Infected: Trojan.Win32.Agent2.iwh 1
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1\A0002184.dll Infected: Trojan-Downloader.Win32.BHO.lfm 1
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1\A0002185.dll Infected: Trojan.Win32.Agent.cdbr 1
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1\A0002193.exe Infected: Worm.Win32.Agent.lz 1
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1\A0002515.exe Infected: Trojan.Win32.Agent2.hoc 1
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1\A0002527.exe Infected: Trojan-Downloader.Win32.Agent.bujb 1
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1\A0002530.exe Infected: Trojan.Win32.Agent2.hoc 1

The selected area was scanned.
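A report like the Kaspersky one above is long, but most of its 95 objects sit in places that are already dealt with: ComboFix's Qoobox quarantine, Symantec's own quarantine (.VBN files), and System Restore points. What a practitioner wants from it is the handful of detections that still need action. The script below is an added example written for this page; it is not part of the thread and not a Kaspersky or ComboFix tool. It parses Kaspersky Online Scanner 7.0 result lines, sorts every hit by where the object lives, groups by malware family, and spells out what is left to do. The sample input reuses lines from the report posted above plus one constructed line for a file outside any quarantine; the file name example_live.dll is invented to exercise that branch.

```python
import re
from collections import Counter, defaultdict

# Result lines of a Kaspersky Online Scanner 7.0 report look like
#   <path> Infected: <Behaviour.Platform.Name.Variant> <count>
# Paths contain spaces, so the path group is non-greedy and the verdict
# keyword anchors the split.
RESULT_RE = re.compile(
    r"^(?P<path>.+?)\s+(?P<verdict>Infected|Suspicious):\s+(?P<threat>\S+)\s+(?P<count>\d+)\s*$"
)

# Excerpt of the report posted above, plus one constructed line
# (example_live.dll is invented) so the "live" branch is exercised.
SAMPLE_REPORT = r"""
Scan statistics:
Files scanned: 162874

File name / Threat name / Threats count
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0BAC0000\4BFE752F.VBN Infected: Trojan-Downloader.Win32.Agent.bfjx 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\ovfsthrnqrckgvcmxmdaphktwbjnqdybrkuwkg.sys.vir Infected: Trojan.Win32.Tdss.aalf 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\pofusido.dll.vir Infected: Trojan.Win32.Monder.byqu 1
C:\Qoobox\Quarantine\[4]-Submit_2009-5-1_13.6.0.zip Infected: Trojan-Dropper.Win32.Agent.ansc 2
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1\A0000024.exe Infected: Trojan.Win32.Inject.xmi 1
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1\A0000046.exe Infected: Net-Worm.Win32.Koobface.hn 1
C:\WINDOWS\system32\example_live.dll Infected: Trojan.Win32.Agent.cdcn 1

The selected area was scanned.
"""


def classify_location(path: str) -> str:
    """Where the detected object lives decides whether anything is left to do."""
    p = path.lower()
    if "\\qoobox\\quarantine\\" in p:
        return "combofix_quarantine"   # already neutralised by ComboFix
    if "\\quarantine\\" in p and p.endswith(".vbn"):
        return "av_quarantine"         # Symantec AntiVirus quarantine store
    if "\\system volume information\\_restore" in p:
        return "restore_point"         # copies kept by System Restore
    return "live"                      # anything else is still on the system


def family(threat: str) -> str:
    """Collapse Kaspersky's Behaviour.Platform.Name.Variant into the family."""
    parts = threat.split(".")
    return ".".join(parts[:-1]) if len(parts) >= 3 else threat


def parse_report(text: str) -> list:
    """Return one dict per result line; headers and statistics are skipped."""
    hits = []
    for raw in text.splitlines():
        m = RESULT_RE.match(raw.strip())
        if not m:
            continue
        hits.append({
            "path": m["path"],
            "threat": m["threat"],
            "family": family(m["threat"]),
            "count": int(m["count"]),
            "location": classify_location(m["path"]),
        })
    return hits


def triage(hits: list) -> dict:
    """Totals per location, per family, and the paths that are still live."""
    by_location = Counter()
    families = defaultdict(Counter)
    live = []
    for h in hits:
        by_location[h["location"]] += h["count"]
        families[h["family"]][h["location"]] += h["count"]
        if h["location"] == "live":
            live.append(h["path"])
    return {
        "by_location": dict(by_location),
        "families": {f: dict(c) for f, c in families.items()},
        "live_paths": live,
    }


def next_steps(summary: dict) -> list:
    """What is left to do, given where the detections sit."""
    steps = []
    if summary["live_paths"]:
        steps.append("live detections remain: " + ", ".join(summary["live_paths"]))
    if summary["by_location"].get("restore_point"):
        steps.append("infected restore points: purge them (turn System Restore off and back on)")
    if summary["by_location"].get("combofix_quarantine") or summary["by_location"].get("av_quarantine"):
        steps.append("quarantined copies: nothing to clean, just empty the quarantine when finished")
    return steps


if __name__ == "__main__":
    summary = triage(parse_report(SAMPLE_REPORT))
    for location, count in sorted(summary["by_location"].items()):
        print(f"{location:22} {count}")
    for step in next_steps(summary):
        print("-", step)
```

On the real report every object is either in a quarantine folder or in a restore point, which is why the helper can move on to GMER and DDS rather than chase each of the 95 lines. Restore-point copies are the one category a scanner cannot fix in place on XP; the standard remedy is to flush System Restore once the machine is clean.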
Old 05-02-2009, 08:50 PM   #19 (permalink)
CatByte (Analyst, Security Team; Join Date: Jan 2009; Location: Canada; Posts: 2,144; OS: XP sp3)


Re: Windows up date not working, pop ups and degraded performance

Hi,

I would like you to do the following:
  • Please run GMER once again, using these instructions.
  • Double click GMER.exe.
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO, then proceed as indicated below to set it up for a more complete scan.
  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • Sections
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish.
  • Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop, and attach it in reply.

**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries


NEXT

I would like you to run another DDS scan:
  • Disable any script blocking protection
  • Double click dds.pif to run the tool.
  • When done, two DDS.txt's will open.
  • Save both reports to your desktop.
---------------------------------------------------
Please include the contents of the following in your next reply:

DDS.txt
Attach.txt.

In your next reply please attach the GMER and DDS Logs as well as describe how your computer is running now and if there are any outstanding issues.
Old 05-03-2009, 07:33 AM   #20 (permalink)
jdlucas (Registered User; Join Date: Apr 2009; Posts: 11; OS: Windows XP)


Re: Windows up date not working, pop ups and degraded performance

System seems to be running normally with no pop ups and the performance is back to normal. The only thing I can see that doesn't appear correct is the Symantec program. When I right click to enable auto protect in the system tray nothing happens and it remains disabled.

GMER 1.0.15.14972 - http://www.gmer.net
Rootkit scan 2009-05-03 09:18:58
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.15 ----

SSDT \??\C:\Program Files\Symantec\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteValueKey [0xB1DCECB0]
SSDT 89007428 ZwQueryValueKey
SSDT 8A7146F8 ZwResumeThread
SSDT \??\C:\Program Files\Symantec\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwSetValueKey [0xB1DCEF10]

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)

Device \FileSystem\Fastfat \Fat ACC7AD20

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)

Device \FileSystem\Cdfs \Cdfs DLAIFS_M.SYS (Drive Letter Access Component/Sonic Solutions)

---- Files - GMER 1.0.15 ----

ADS C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1\A0000024.exe:ext.exe 32256 bytes executable
ADS C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1\A0001097.exe:ext.exe 32256 bytes executable
ADS C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1\A0002098.exe:ext.exe 32256 bytes executable

---- EOF - GMER 1.0.15 ----

DDS.txt

Attach.txt
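The GMER instructions in post #19 and the log in post #20 show the two kinds of SSDT entry a reader has to tell apart: hooks GMER can attribute to a named driver image (here SYMEVENT.SYS, with its file description) and hooks for which it prints only an address. The parser below is an added example written for this page, not GMER's code and not part of the thread. It reads a GMER log, separates attributed from unattributed SSDT hooks and device attachments, lists alternate data streams, and returns a review list in the spirit of the helper's caution: it classifies, it does not pronounce anything malicious. The sample input is the log posted above.

```python
import re

# GMER names the owning image of an SSDT hook as an NT path plus the file
# description, or prints only an address when it cannot name one.
SSDT_NAMED_RE = re.compile(
    r"^SSDT\s+(?P<module>\\\?\?\\.+?)\s+\((?P<desc>[^)]*)\)\s+(?P<func>\w+)\s+\[(?P<addr>0x[0-9A-Fa-f]+)\]\s*$"
)
SSDT_BARE_RE = re.compile(r"^SSDT\s+(?P<addr>[0-9A-Fa-f]{8})\s+(?P<func>\w+)\s*$")
# Device / AttachedDevice lines: driver object, device object, then either a
# driver file with its description or a bare object address.
DEVICE_RE = re.compile(
    r"^(?P<kind>AttachedDevice|Device)\s+(?P<driver>\\\S+)\s+(?P<device>\\\S+)\s+(?P<owner>.+?)\s*$"
)
# ADS lines: host file, stream name after the last colon, size, and kind.
ADS_RE = re.compile(r"^ADS\s+(?P<path>.+):(?P<stream>\S+)\s+(?P<size>\d+)\s+bytes(?:\s+(?P<kind>\w+))?\s*$")
BARE_ADDR_RE = re.compile(r"^[0-9A-Fa-f]{8}$")

# The GMER log posted above, used here as sample input.
GMER_LOG = r"""
GMER 1.0.15.14972 - http://www.gmer.net
Rootkit scan 2009-05-03 09:18:58
Windows 5.1.2600 Service Pack 3

---- System - GMER 1.0.15 ----

SSDT \??\C:\Program Files\Symantec\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteValueKey [0xB1DCECB0]
SSDT 89007428 ZwQueryValueKey
SSDT 8A7146F8 ZwResumeThread
SSDT \??\C:\Program Files\Symantec\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwSetValueKey [0xB1DCEF10]

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)
Device \FileSystem\Fastfat \Fat ACC7AD20
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)
Device \FileSystem\Cdfs \Cdfs DLAIFS_M.SYS (Drive Letter Access Component/Sonic Solutions)

---- Files - GMER 1.0.15 ----

ADS C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1\A0000024.exe:ext.exe 32256 bytes executable
ADS C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1\A0001097.exe:ext.exe 32256 bytes executable
ADS C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1\A0002098.exe:ext.exe 32256 bytes executable

---- EOF - GMER 1.0.15 ----
"""


def _ssdt_named(report, m):
    report["ssdt_attributed"].append(
        {"func": m["func"], "addr": m["addr"], "module": m["module"], "desc": m["desc"]})


def _ssdt_bare(report, m):
    report["ssdt_unattributed"].append({"func": m["func"], "addr": m["addr"]})


def _device(report, m):
    entry = {"kind": m["kind"], "driver": m["driver"], "device": m["device"], "owner": m["owner"]}
    key = "devices_unattributed" if BARE_ADDR_RE.match(m["owner"]) else "devices_attributed"
    report[key].append(entry)


def _ads(report, m):
    report["ads"].append(
        {"path": m["path"], "stream": m["stream"], "size": int(m["size"]), "kind": m["kind"] or "unknown"})


HANDLERS = [(SSDT_NAMED_RE, _ssdt_named), (SSDT_BARE_RE, _ssdt_bare), (DEVICE_RE, _device), (ADS_RE, _ads)]


def parse_gmer(text: str) -> dict:
    """Sort every recognised GMER line into one of five buckets."""
    report = {"ssdt_attributed": [], "ssdt_unattributed": [],
              "devices_attributed": [], "devices_unattributed": [], "ads": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("----"):
            continue   # section banners and blank lines
        for regex, handler in HANDLERS:
            m = regex.match(line)
            if m:
                handler(report, m)
                break
    return report


def review_items(report: dict) -> list:
    """Entries a human should look at. Nothing here is a verdict."""
    items = []
    for h in report["ssdt_unattributed"]:
        items.append(f"SSDT hook on {h['func']} at {h['addr']}: no owning image named")
    for d in report["devices_unattributed"]:
        items.append(f"{d['kind']} on {d['device']}: owner is bare object {d['owner']}")
    for a in report["ads"]:
        if a["kind"] == "executable":
            items.append(f"executable ADS {a['stream']} ({a['size']} bytes) on {a['path']}")
    return items


if __name__ == "__main__":
    for item in review_items(parse_gmer(GMER_LOG)):
        print("-", item)
```

The two hooks with no image named are exactly the entries the caution in post #19 is about: a rootkit driver that hides its image looks like this, but so does security software that installs its hooks from memory outside any image, so the list is something to hand to the helper, not something to act on. The three ADS entries all sit on restore-point copies, which matches the Kaspersky report and goes away with the restore points.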
 


Copyright 2001 - 2009, Tech Support Forum