Tech Support Forum > Security Center > Virus/Trojan/Spyware Help > Resolved HJT Threads
11-01-2009, 02:23 PM   #1
Registered User
 
Join Date: Nov 2009
Location: Georgia
Posts: 18
OS: XP Professional V2002 SP3


Trojan infestation - Step 1 complete - Please Help

My computer has become infested with some type of Trojan virus. AVG 8.5 tells me that it's the "Trojan horse Generic 15". The computer is running extremely slow and popups are occurring frequently. Google and Bank of America websites are the latest popups that I have had. I do have the Gateway Restore Disk. Your assistance is greatly appreciated!

DDS (Ver_09-10-26.01) - NTFSx86
Run by Owner at 11:52:40.93 on Sun 11/01/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.478.113 [GMT -5:00]
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
============== Running Processes ===============
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\TiVo Shared\Transfer\TiVoTransfer.exe
C:\Program Files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe
C:\Program Files\TiVo\Desktop\TiVoNotify.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Owner\Desktop\dds.scr
============== Pseudo HJT Report ===============
uInternet Connection Wizard,ShellNext = hxxp://www.google.com/
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: {4ef69150-8fed-47f2-9581-1b5db37be2aa} - jodunufe.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {687894FD-E5B9-4A9C-8735-746B26D064DC} - No File
BHO: {8E1BFC0E-8AD2-424D-AC8A-06038481516E} - No File
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [TivoTransfer] "c:\program files\common files\tivo shared\transfer\TiVoTransfer.exe" /service /registry /auto:TivoTransfer
uRun: [TivoNotify] "c:\program files\tivo\desktop\TiVoNotify.exe" /service /registry /auto:TivoNotify
uRun: [TivoServer] "c:\program files\tivo\desktop\TiVoServer.exe" /service /registry /auto:TivoServer
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [Jnakibugojudo] rundll32.exe "c:\windows\osoluqotiwuvu.dll",Startup
mRun: [punizutezi] Rundll32.exe "dozilibe.dll",s
mRun: [bewimubiw] Rundll32.exe "c:\windows\system32\weyipuje.dll",a
dRun: [Picasa Media Detector] c:\program files\picasa google\picasa2\PicasaMediaDetector.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {549F957E-2F89-11D6-8CFE-00C04F52B225}
DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} - hxxp://share.adoramapix.com/components/aurigma/ImageUploader4.cab
DPF: {7E9522CF-6B95-46D6-8E2F-7638F507313F} - hxxp://www.fastaccess.drivers.bellsouth.net/software/DSLspeedtool/bls_speedop.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C}
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxsrvc.dll
AppInit_DLLs: sebokofo.dll c:\windows\system32\weyipuje.dll
SSODL: mgsvflkw - {7FC91010-F061-443E-AD60-4F42B727DF96} - No File
SSODL: babubetan - {4678e560-3bcc-482c-9527-4ec9a0a8fd26} - c:\windows\system32\weyipuje.dll
STS: tokatiluy: {4678e560-3bcc-482c-9527-4ec9a0a8fd26} - c:\windows\system32\weyipuje.dll
LSA: Notification Packages = scecli ushirys.dll dozilibe.dll sebokofo.dll
============= SERVICES / DRIVERS ===============
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-1-31 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-1-31 108552]
R2 AdobeActiveFileMonitor6.0;Adobe Active File Monitor V6;c:\program files\adobe\photoshop elements 6.0\PhotoshopElementsFileAgent.exe [2007-9-11 124832]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-1-31 297752]
R2 TivoBeacon2;TiVo Beacon;c:\program files\common files\tivo shared\beacon\TiVoBeacon.exe [2008-4-4 868864]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2009-4-8 24652]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;\??\c:\program files\common files\symantec shared\eengine\eraserutilrebootdrv.sys --> c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [?]
=============== Created Last 30 ================

==================== Find3M ====================
2009-10-18 15:13:33 76448 ----a-w- c:\docume~1\owner\applic~1\GDIPFONTCACHEV1.DAT
2009-09-11 14:18:39 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 21:03:36 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 08:08:21 916480 ------w- c:\windows\system32\wininet.dll
2009-08-29 00:26:43 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-08-26 08:00:21 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-06 23:23:46 274288 ----a-w- c:\windows\system32\mucltui.dll
2009-08-06 23:23:46 215920 ----a-w- c:\windows\system32\muweb.dll
2009-08-05 09:01:48 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-05 00:44:46 2189184 ------w- c:\windows\system32\ntoskrnl.exe
2009-08-04 14:20:08 2066048 ------w- c:\windows\system32\ntkrnlpa.exe
2005-08-29 06:50:32 34235626 -c--a-w- c:\program files\Nero-6.6.0.16.exe
2005-05-13 22:12:00 217073 -csha-r- c:\windows\meta4.exe
2005-08-28 05:51:12 0 -csha-w- c:\windows\sminst\HPCD.sys
2005-07-14 17:31:20 27648 -csha-r- c:\windows\system32\AVSredirect.dll
2005-06-26 20:32:28 616448 -csha-r- c:\windows\system32\cygwin1.dll
2005-06-22 03:37:42 45568 -csha-r- c:\windows\system32\cygz.dll
2009-08-01 02:05:16 39424 --sha-w- c:\windows\system32\derinade.dll
2009-08-01 14:05:16 39424 --sha-w- c:\windows\system32\himepuka.dll
2009-07-31 13:57:54 53760 --sha-w- c:\windows\system32\jodunufe.dll
2009-08-01 14:05:16 92160 --sha-w- c:\windows\system32\weyipuje.dll
2009-07-31 13:57:01 53760 --sha-w- c:\windows\system32\wubefivu.dll
2005-02-28 18:16:22 240128 -csha-r- c:\windows\system32\x.264.exe
============= FINISH: 11:54:25.62 ===============
Attached Files: attach.zip (4.1 KB)
noles_0 is offline  
11-03-2009, 01:16 PM   #2
Moderator/ Rangemaster TSF Academy; Analyst, Security Team; Oor Wullie; TSF Surgeon and Resident Comic
 
 
Join Date: Sep 2005
Location: Glasgow
Posts: 25,620
OS: Win XP Pro SP3 / Win 7 Pro


Re: Trojan infestation - Step 1 complete - Please Help

Hi and welcome to TSF.

My name is Iain and I will be helping you clean your system.

You may wish to Subscribe to this thread (Thread Tools > Subscribe to this thread) so that you are notified when you receive a reply.

Please read these instructions carefully and then print out or copy this page to Notepad in order to assist you when carrying out the fix. You should not have any open browsers or live internet connections when you are following the procedures below.

Note that the fix may take several posts. Please continue to respond to my instructions until I confirm that your logs are clean. Remember that although your symptoms may vanish, this does NOT mean that your system is clean.

If there is anything you don't understand, please ask BEFORE proceeding with the fixes.

Please ensure that you follow the instructions in the order I have them listed.

Please do not install or uninstall any programmes, or run any other scanners or software, unless I specifically ask you to do so. Also please copy and paste logs into the thread, rather than add them as attachments.



Combofix
Download ComboFix from one of these locations:

Link 1
Link 2


and rename it to step1.exe before saving it to your desktop.

Double click on the renamed ComboFix.exe & follow the prompts.
  • When finished it will produce a log at C:\ComboFix.txt for you
  • Please include the log in your next reply.
__________________
Iain - Defender of the Haggis and all things Scottish.
I don't help by PM - post in the Forums.



PC Safety & Security::PC running a bit slow?::Donate::Photographers Corner
Glaswegian is offline  
11-03-2009, 07:41 PM   #3
Registered User
 
Join Date: Nov 2009
Location: Georgia
Posts: 18
OS: XP Professional V2002 SP3


Re: Trojan infestation - Step 1 complete - Please Help

Thank you for your assistance. I had difficulty turning off AVG 8.5, finally had to get a cleaner from AVG to remove the program in order to completely turn it off. Also cut off Spybot and disconnected the internet prior to running Combofix, i.e. Step1.exe. Log is below.


ComboFix 09-11-03.01 - Owner 11/03/2009 21:04.2.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.478.58 [GMT -5:00]
Running from: c:\documents and settings\Owner\Desktop\step1.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Outdated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\system32\dahesabi.dll
c:\windows\Tasks\apmwmmym.job
.
((((((((((((((((((((((((( Files Created from 2009-10-04 to 2009-11-04 )))))))))))))))))))))))))))))))
.
2009-11-01 16:44 . 2009-11-01 16:44 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
2009-11-01 01:50 . 2009-09-10 19:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-01 01:50 . 2009-11-01 01:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-11-01 01:50 . 2009-09-10 19:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-01 01:50 . 2009-11-01 16:44 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-01 01:29 . 2009-11-01 01:29 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-10-31 23:40 . 2009-10-31 23:40 -------- d-----w- c:\documents and settings\Administrator\Application Data\Simply Super Software
2009-10-31 23:08 . 2006-06-19 17:01 69632 ----a-w- c:\windows\system32\ztvcabinet.dll
2009-10-31 23:08 . 2006-05-25 19:52 162304 ----a-w- c:\windows\system32\ztvunrar36.dll
2009-10-31 23:08 . 2005-08-26 05:50 77312 ----a-w- c:\windows\system32\ztvunace26.dll
2009-10-31 23:08 . 2003-02-03 00:06 153088 ----a-w- c:\windows\system32\UNRAR3.dll
2009-10-31 23:08 . 2002-03-06 05:00 75264 ----a-w- c:\windows\system32\unacev2.dll
2009-10-31 23:08 . 2009-10-31 23:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Simply Super Software
2009-10-31 21:26 . 2009-10-31 22:38 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
2009-10-31 15:53 . 2009-10-31 23:38 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2009-10-31 15:53 . 2009-10-31 15:53 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\{A312BAB9-380D-49E6-B4AD-30E1190445F1}
2009-10-31 01:59 . 2009-10-31 15:21 0 ----a-w- c:\windows\Isubili.bin
2009-10-31 01:59 . 2009-10-31 19:28 120 ----a-w- c:\windows\Epegigoreyesu.dat
2009-10-31 01:59 . 2009-10-31 01:59 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\{50A349C6-5731-4329-8974-718AC1A3B6C5}
2009-10-31 01:57 . 2009-10-31 15:10 -------- d-----w- c:\documents and settings\All Users\Application Data\75876942
2009-10-31 01:48 . 2009-10-31 01:48 53248 ----a-w- C:\oqbkddrr.exe
2009-10-06 00:34 . 2009-10-06 00:34 -------- d-----w- c:\program files\MSECache
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-04 01:57 . 2008-04-20 14:46 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-11-01 16:40 . 2008-01-15 23:52 -------- d-----w- c:\program files\Coupons
2009-11-01 16:29 . 2008-04-10 23:32 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-11-01 16:25 . 2008-04-10 23:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-10-31 23:50 . 2008-01-28 01:52 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-10-31 22:39 . 2008-08-28 23:08 -------- d-----w- c:\documents and settings\Owner\Application Data\Move Networks
2009-10-18 16:14 . 2007-01-18 03:02 -------- d-----w- c:\program files\CCleaner
2009-10-08 01:25 . 2008-12-25 23:46 -------- d-----w- c:\program files\iTunes
2009-10-08 01:24 . 2008-12-25 23:47 -------- d-----w- c:\program files\iPod
2009-09-29 01:33 . 2005-04-03 00:06 -------- d-----w- c:\program files\Java
2009-09-18 02:02 . 2009-09-18 02:00 -------- d-----w- c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2009-09-18 01:56 . 2008-12-26 16:39 -------- d-----w- c:\program files\QuickTime
2009-09-18 01:48 . 2008-12-25 23:39 -------- d-----w- c:\program files\Common Files\Apple
2009-09-17 01:06 . 2005-08-28 06:52 72560 -c--a-w- c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-14 00:37 . 2006-02-19 18:01 -------- d-----w- c:\program files\Symantec
2009-09-14 00:37 . 2006-02-19 18:01 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-09-14 00:36 . 2006-02-19 18:01 -------- d-----w- c:\program files\Symantec AntiVirus
2009-09-14 00:36 . 2005-04-03 00:01 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2009-09-14 00:32 . 2009-09-14 00:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Sprint
2009-09-14 00:31 . 2009-07-23 03:17 -------- d-----w- c:\program files\Sierra Wireless
2009-09-14 00:30 . 2009-07-23 03:15 -------- d-----w- c:\program files\Common Files\Motorola Shared
2009-09-14 00:17 . 2008-09-18 00:25 -------- d-----w- c:\documents and settings\Owner\Application Data\Amazon
2009-09-14 00:17 . 2008-09-18 00:19 -------- d-----w- c:\program files\Amazon
2009-09-11 14:18 . 2004-05-26 19:29 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-11 01:57 . 2009-09-11 01:57 -------- d-----w- c:\documents and settings\Owner\Application Data\OverDrive
2009-09-11 01:56 . 2009-09-11 01:56 -------- d-----w- c:\program files\OverDrive Media Console
2009-09-04 21:03 . 2004-05-26 19:29 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 08:08 . 2004-05-26 19:30 916480 ------w- c:\windows\system32\wininet.dll
2009-08-26 08:00 . 2004-05-26 19:30 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-06 23:24 . 2004-05-26 20:22 327896 ----a-w- c:\windows\system32\wucltui.dll
2009-08-06 23:24 . 2004-05-26 20:22 209632 ----a-w- c:\windows\system32\wuweb.dll
2009-08-06 23:24 . 2005-05-26 08:16 44768 ----a-w- c:\windows\system32\wups2.dll
2009-08-06 23:24 . 2004-05-26 20:22 35552 ----a-w- c:\windows\system32\wups.dll
2009-08-06 23:24 . 2004-05-26 20:22 53472 ------w- c:\windows\system32\wuauclt.exe
2009-08-06 23:24 . 2004-05-26 19:29 96480 ----a-w- c:\windows\system32\cdm.dll
2009-08-06 23:23 . 2004-05-26 20:22 575704 ----a-w- c:\windows\system32\wuapi.dll
2009-08-06 23:23 . 2005-09-02 01:17 274288 ----a-w- c:\windows\system32\mucltui.dll
2009-08-06 23:23 . 2005-05-26 08:19 215920 ----a-w- c:\windows\system32\muweb.dll
2009-08-06 23:23 . 2004-05-26 20:22 1929952 ----a-w- c:\windows\system32\wuaueng.dll
2005-08-29 06:50 . 2005-08-29 06:50 34235626 -c--a-w- c:\program files\Nero-6.6.0.16.exe
2005-05-13 22:12 . 2005-05-13 22:12 217073 -csha-r- c:\windows\meta4.exe
2005-08-28 05:51 . 2005-08-28 05:51 0 -csha-w- c:\windows\SMINST\HPCD.sys
2005-07-14 17:31 . 2005-07-14 17:31 27648 -csha-r- c:\windows\system32\AVSredirect.dll
2005-06-26 20:32 . 2005-06-26 20:32 616448 -csha-r- c:\windows\system32\cygwin1.dll
2005-06-22 03:37 . 2005-06-22 03:37 45568 -csha-r- c:\windows\system32\cygz.dll
2009-08-03 01:48 . 2009-08-03 01:48 39424 --sha-w- c:\windows\system32\hajenemi.dll
2009-07-31 13:57 . 2009-07-31 13:57 53760 --sha-w- c:\windows\system32\jodunufe.dll
2009-08-04 00:27 . 2009-08-04 00:27 39424 --sha-w- c:\windows\system32\rebuwizu.dll
2009-08-04 00:27 . 2009-08-04 00:27 61440 --sha-w- c:\windows\system32\sazotoyi.dll
2009-07-31 13:57 . 2009-07-31 13:57 53760 --sha-w- c:\windows\system32\wubefivu.dll
2005-02-28 18:16 . 2005-02-28 18:16 240128 -csha-r- c:\windows\system32\x.264.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4ef69150-8fed-47f2-9581-1b5db37be2aa}]
2009-07-31 13:57 53760 --sha-w- c:\windows\system32\jodunufe.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TivoTransfer"="c:\program files\Common Files\TiVo Shared\Transfer\TiVoTransfer.exe" [2008-04-04 1193984]
"TivoNotify"="c:\program files\TiVo\Desktop\TiVoNotify.exe" [2008-04-04 394240]
"TivoServer"="c:\program files\TiVo\Desktop\TiVoServer.exe" [2008-04-04 1879552]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-02-10 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-02-10 118784]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-13 212992]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-03-27 98304]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-03-27 499712]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-09-05 417792]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-21 305440]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Picasa Media Detector"="c:\program files\Picasa Google\Picasa2\PicasaMediaDetector.exe" [2008-08-21 443968]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0sprecovr \SystemRoot\sprecovr.txt
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli ushirys.dll
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Mirc\\mirc.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1900:TCP"= 1900:TCP:AVELINK
"8000:TCP"= 8000:TCP:AVELINK
R2 AdobeActiveFileMonitor6.0;Adobe Active File Monitor V6;c:\program files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe [9/11/2007 12:45 AM 124832]
R2 TivoBeacon2;TiVo Beacon;c:\program files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe [4/4/2008 9:53 AM 868864]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [4/8/2009 10:42 AM 24652]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;\??\c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys --> c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [?]
--- Other Services/Drivers In Memory ---
*Deregistered* - ikdtxyen
*Deregistered* - mbr
.
Contents of the 'Scheduled Tasks' folder
2009-10-28 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]
2009-11-04 c:\windows\Tasks\User_Feed_Synchronization-{BF99CC6D-B5AD-4D0A-B6F8-4D36B84CC3C6}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 08:31]
.
.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = hxxp://www.google.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
.
- - - - ORPHANS REMOVED - - - -
BHO-{687894FD-E5B9-4A9C-8735-746B26D064DC} - (no file)
HKLM-Run-Jnakibugojudo - c:\windows\osoluqotiwuvu.dll
HKLM-Run-bewimubiw - c:\windows\system32\dahesabi.dll
HKLM-Run-punizutezi - dozilibe.dll
SharedTaskScheduler-{7a97f7f5-ef72-4c77-a932-759d1f3d86fe} - c:\windows\system32\dahesabi.dll
SSODL-tolewuwow-{7a97f7f5-ef72-4c77-a932-759d1f3d86fe} - c:\windows\system32\dahesabi.dll
Notify-avgrsstarter - avgrsstx.dll
Notify-NavLogon - (no file)

**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-03 21:16
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'lsass.exe'(620)
c:\windows\ushirys.dll
c:\windows\system32\WININET.dll
- - - - - - - > 'explorer.exe'(2412)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\ushirys.dll
c:\windows\system32\webcheck.dll
c:\program files\Bonjour\mdnsNSP.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
c:\windows\system32\wdfmgr.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\windows\system32\wscntfy.exe
c:\program files\Viewpoint\Viewpoint Manager\ViewMgr.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-11-04 21:22 - machine was rebooted
ComboFix-quarantined-files.txt 2009-11-04 02:22
Pre-Run: 46,835,032,064 bytes free
Post-Run: 46,831,804,416 bytes free
noles_0 is offline  
11-04-2009, 03:13 PM   #4
Moderator/ Rangemaster TSF Academy; Analyst, Security Team; Oor Wullie; TSF Surgeon and Resident Comic
 
 
Join Date: Sep 2005
Location: Glasgow
Posts: 25,620
OS: Win XP Pro SP3 / Win 7 Pro


Re: Trojan infestation - Step 1 complete - Please Help

Hi again

Please read these instructions carefully and then print out or copy this page to Notepad in order to assist you when carrying out the fix. You should not have any open browsers or live internet connections when you are following the procedures below.



Combofix

Open notepad and copy/paste the text in the box below into it:

Code:
http://www.techsupportforum.com/security-center/virus-trojan-spyware-help/427727-trojan-infestation-step-1-complete-please-help.html

Collect::[4][91]
c:\documents and settings\Administrator\Local Settings\Application Data\{A312BAB9-380D-49E6-B4AD-30E1190445F1}
c:\windows\Isubili.bin
c:\windows\Epegigoreyesu.dat
c:\documents and settings\Owner\Local Settings\Application Data\{50A349C6-5731-4329-8974-718AC1A3B6C5}
C:\oqbkddrr.exe
c:\windows\system32\hajenemi.dll
c:\windows\system32\jodunufe.dll
c:\windows\system32\rebuwizu.dll
c:\windows\system32\sazotoyi.dll
c:\windows\system32\wubefivu.dll
c:\windows\ushirys.dll

Driver::
Viewpoint Manager Service

Folder::
c:\program files\Viewpoint

DirLook::
c:\documents and settings\All Users\Application Data\75876942
c:\Program Files\Coupons

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4ef69150-8fed-47f2-9581-1b5db37be2aa}]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Notification Packages"=hex(7):73,63,65,63,6c,69,00,00
Save this as CFScript.txt




Referring to the picture above, drag CFScript.txt into ComboFix.exe.

When finished, it shall produce a log for you. Post that log in your next reply.

Do not mouseclick combofix's window whilst it's running. This may cause it to stall.

When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. Using the above script, ComboFix will capture a file to submit for analysis.

Ensure you are connected to the internet and click OK on the message box.
__________________
Iain - Defender of the Haggis and all things Scottish.
I don't help by PM - post in the Forums.



PC Safety & Security::PC running a bit slow?::Donate::Photographers Corner
Glaswegian is offline  
11-04-2009, 06:19 PM   #5
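The Registry:: section of the script above resets the LSA "Notification Packages" value to hex(7):73,63,65,63,6c,69,00,00, which is the REGEDIT4 (ANSI) encoding of the single string "scecli" plus the two NULs that terminate a REG_MULTI_SZ. Every DLL listed in that value is loaded into lsass.exe at boot, which is why the DDS log's extra entries (ushirys.dll, dozilibe.dll, sebokofo.dll) matter. The following is an added example, not code from the thread or from ComboFix: it pulls the package list out of the DDS and ComboFix log lines quoted in this thread, flags anything outside an assumed baseline of {"scecli"}, and encodes/decodes the hex(7) form so the rebuilt value can be checked against the script.

```python
"""Check and rebuild the LSA Notification Packages REG_MULTI_SZ value.

Added example for this thread; not part of the original posts or of ComboFix.
Assumption: on this XP machine the only legitimate package is "scecli"
(some installs also carry "rassfm"; extend BASELINE if so).
"""
import re

# Sample lines copied from the DDS log and ComboFix log posted in this thread.
DDS_LINE = "LSA: Notification Packages = scecli ushirys.dll dozilibe.dll sebokofo.dll"
COMBOFIX_LINE = "Notification Packages REG_MULTI_SZ scecli ushirys.dll"
# The REGEDIT4 line from the CFScript above.
CFSCRIPT_VALUE = '"Notification Packages"=hex(7):73,63,65,63,6c,69,00,00'

# Assumed known-good baseline for this value (see module docstring).
BASELINE = {"scecli"}


def packages_from_log(line):
    """Extract the package names from a DDS 'LSA:' line or a ComboFix REG_MULTI_SZ line."""
    m = re.search(r"Notification Packages\s*(?:=|REG_MULTI_SZ)\s*(.*)$", line)
    if not m:
        raise ValueError(f"not a Notification Packages line: {line!r}")
    return m.group(1).split()


def suspicious_packages(line, baseline=BASELINE):
    """Return the packages that are not in the baseline, in the order they appear."""
    return [p for p in packages_from_log(line) if p.lower() not in baseline]


def multi_sz_to_hex7(values):
    """Encode a list of strings as the REGEDIT4 'hex(7):' form of REG_MULTI_SZ.

    REGEDIT4 files are ANSI, so each string is one byte per character followed
    by a NUL; the whole list is closed by one more NUL.
    """
    data = b"".join(v.encode("latin-1") + b"\x00" for v in values) + b"\x00"
    return "hex(7):" + ",".join(f"{b:02x}" for b in data)


def hex7_to_multi_sz(text):
    """Decode a 'hex(7):..' string back into the list of strings it holds."""
    body = text.split(":", 1)[1]
    data = bytes(int(h, 16) for h in body.split(",") if h.strip())
    # Splitting on NUL leaves empty pieces for the terminators; drop them.
    return [p.decode("latin-1") for p in data.split(b"\x00") if p]


def registry_line_value(line):
    """Return the hex(7) part of a '"Name"=hex(7):..' REGEDIT4 line."""
    return line.split("=", 1)[1]


def rebuild_value(line, baseline=BASELINE):
    """Build the REGEDIT4 line that keeps only the baseline packages from a log line."""
    keep = [p for p in packages_from_log(line) if p.lower() in baseline]
    return '"Notification Packages"=' + multi_sz_to_hex7(keep)


if __name__ == "__main__":
    for line in (DDS_LINE, COMBOFIX_LINE):
        print(f"{line}\n  suspect: {suspicious_packages(line)}")
    rebuilt = rebuild_value(DDS_LINE)
    print("rebuilt :", rebuilt)
    print("matches CFScript:", rebuilt == CFSCRIPT_VALUE)
    print("CFScript decodes to:", hex7_to_multi_sz(registry_line_value(CFSCRIPT_VALUE)))
```

A "Windows Registry Editor Version 5.00" file would encode the same value as UTF-16LE (73,00,63,00,...), so the encoder above is only correct for the REGEDIT4 header the script uses.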
Registered User
 
Join Date: Nov 2009
Location: Georgia
Posts: 18
OS: XP Professional V2002 SP3


Re: Trojan infestation - Step 1 complete - Please Help

Ok, just a couple things that I noted. As Combofix was going through its stages, a rundll error message "error loading c:\windows\ushirys.dll" came up about 40 times. Also, after the computer restarts, 2 rundll errors are occurring. One reads "error loading c:\windows\system32\jujulihi.dll", the other reads "dozilibe.dll"; both state 'specified module could not be found'. Is it possible to prevent those messages from popping up each time the computer is restarted?

Also, you mentioned that Combofix would capture a file that would be submitted for analysis. I didn't see/find a file to attach; did I miss anything?

Combofix log is below:

ComboFix 09-11-04.02 - Owner 11/04/2009 19:22.3.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.478.175 [GMT -5:00]
Running from: c:\documents and settings\Owner\Desktop\step1.exe
Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Outdated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
file zipped: C:\oqbkddrr.exe
file zipped: c:\windows\Epegigoreyesu.dat
file zipped: c:\windows\Isubili.bin
file zipped: c:\windows\system32\hajenemi.dll
file zipped: c:\windows\system32\jodunufe.dll
file zipped: c:\windows\system32\rebuwizu.dll
file zipped: c:\windows\system32\sazotoyi.dll
file zipped: c:\windows\system32\wubefivu.dll
file zipped: c:\windows\ushirys.dll
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\oqbkddrr.exe
c:\program files\Viewpoint
c:\program files\Viewpoint\Common\ViewpointService.exe
c:\program files\Viewpoint\Common\VistaBoot.sdll
c:\program files\Viewpoint\Viewpoint Experience Technology\AxMetaStream.dll
c:\program files\Viewpoint\Viewpoint Experience Technology\AxMetaStream_0305000D.dll
c:\program files\Viewpoint\Viewpoint Experience Technology\ClassIDs.ini
c:\program files\Viewpoint\Viewpoint Experience Technology\ComponentMgr_0305001C.dll
c:\program files\Viewpoint\Viewpoint Experience Technology\ComponentRegistry.ini
c:\program files\Viewpoint\Viewpoint Experience Technology\Components\AOLArt.dll
c:\program files\Viewpoint\Viewpoint Experience Technology\Components\AOLShell.dll
c:\program files\Viewpoint\Viewpoint Experience Technology\Components\AOLUserShell.dll
c:\program files\Viewpoint\Viewpoint Experience Technology\Components\Cursors.dll
c:\program files\Viewpoint\Viewpoint Experience Technology\Components\DataTracking.dll
c:\program files\Viewpoint\Viewpoint Experience Technology\Components\GifReader.dll
c:\program files\Viewpoint\Viewpoint Experience Technology\Components\LensFlares.dll
c:\program files\Viewpoint\Viewpoint Experience Technology\Components\ObjectMovie.dll
c:\program files\Viewpoint\Viewpoint Experience Technology\Components\SceneComponent.dll
c:\program files\Viewpoint\Viewpoint Experience Technology\Components\ServiceComponent.dll
c:\program files\Viewpoint\Viewpoint Experience Technology\Components\SreeDMMX.dll
c:\program files\Viewpoint\Viewpoint Experience Technology\Components\VectorView.dll
c:\program files\Viewpoint\Viewpoint Experience Technology\Components\VMPAudio.dll
c:\program files\Viewpoint\Viewpoint Experience Technology\Components\VMPExtras.dll
c:\program files\Viewpoint\Viewpoint Experience Technology\Components\VMPSpeech.dll
c:\program files\Viewpoint\Viewpoint Experience Technology\Components\VMPVideo.dll
c:\program files\Viewpoint\Viewpoint Experience Technology\Components\ZoomView.dll
c:\program files\Viewpoint\Viewpoint Experience Technology\DownloadedComponents\VMgr_Win\Exec.exe
c:\program files\Viewpoint\Viewpoint Experience Technology\DownLoadHist.ini
c:\program files\Viewpoint\Viewpoint Experience Technology\HostRegistry.ini
c:\program files\Viewpoint\Viewpoint Experience Technology\MetaStreamConfig.ini
c:\program files\Viewpoint\Viewpoint Experience Technology\MetaStreamID.ini
c:\program files\Viewpoint\Viewpoint Experience Technology\MtsAxInstaller.exe
c:\program files\Viewpoint\Viewpoint Experience Technology\MTSDownloadSites.txt
c:\program files\Viewpoint\Viewpoint Experience Technology\NewComponents\JpegReader.dll
c:\program files\Viewpoint\Viewpoint Experience Technology\NewComponents\MTS3Reader.dll
c:\program files\Viewpoint\Viewpoint Experience Technology\NewComponents\SWFView.dll
c:\program files\Viewpoint\Viewpoint Experience Technology\NewComponents\VMgr.dll
c:\program files\Viewpoint\Viewpoint Experience Technology\NewComponents\VMPVideo2.dll
c:\program files\Viewpoint\Viewpoint Experience Technology\NewComponents\WaveletReader.dll
c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.xpt
c:\program files\Viewpoint\Viewpoint Manager\CPtask.xml
c:\program files\Viewpoint\Viewpoint Manager\VETScriptInterpreter.dll
c:\program files\Viewpoint\Viewpoint Manager\ViewCP.cpl
c:\program files\Viewpoint\Viewpoint Manager\ViewCPData\images\s.gif
c:\program files\Viewpoint\Viewpoint Manager\ViewCPData\images\vm_header_av.gif
c:\program files\Viewpoint\Viewpoint Manager\ViewCPData\images\vm_header_cp.gif
c:\program files\Viewpoint\Viewpoint Manager\ViewCPData\images\vm_header_up.gif
c:\program files\Viewpoint\Viewpoint Manager\ViewCPData\images\vm_inner_bg.gif
c:\program files\Viewpoint\Viewpoint Manager\ViewCPData\images\vm_inner_bottom.gif
c:\program files\Viewpoint\Viewpoint Manager\ViewCPData\images\vm_tab_bg.gif
c:\program files\Viewpoint\Viewpoint Manager\ViewCPData\images\vm_tab1_off.gif
c:\program files\Viewpoint\Viewpoint Manager\ViewCPData\images\vm_tab1_on.gif
c:\program files\Viewpoint\Viewpoint Manager\ViewCPData\images\vm_tab2_off.gif
c:\program files\Viewpoint\Viewpoint Manager\ViewCPData\images\vm_tab2_on.gif
c:\program files\Viewpoint\Viewpoint Manager\ViewCPData\images\vwpt_logo.gif
c:\program files\Viewpoint\Viewpoint Manager\ViewCPData\options.ini
c:\program files\Viewpoint\Viewpoint Manager\ViewCPData\viewpoint.ico
c:\program files\Viewpoint\Viewpoint Manager\ViewCPData\vmctrl.html
c:\program files\Viewpoint\Viewpoint Manager\ViewCPexe.exe
c:\program files\Viewpoint\Viewpoint Manager\ViewMgr.exe
c:\program files\Viewpoint\Viewpoint Manager\ViewMgrCore.dll
c:\program files\Viewpoint\Viewpoint Manager\ViewMgrInstaller.exe
c:\windows\Epegigoreyesu.dat
c:\windows\Isubili.bin
c:\windows\system32\bupozeje.dll
c:\windows\system32\hajenemi.dll
c:\windows\system32\jodunufe.dll
c:\windows\system32\jujulihi.dll
c:\windows\system32\lahonozi.dll
c:\windows\system32\rebuwizu.dll
c:\windows\system32\sazotoyi.dll
c:\windows\system32\vadusufo.dll
c:\windows\system32\wubefivu.dll
c:\windows\system32\yurivaho.dll
c:\windows\system32\zomavumo.dll
c:\windows\Tasks\tjgqxtvv.job
c:\windows\ushirys.dll
----- BITS: Possible infected sites -----
hxxp://82.98.231.102
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_VIEWPOINT_MANAGER_SERVICE
-------\Service_Viewpoint Manager Service

((((((((((((((((((((((((( Files Created from 2009-10-05 to 2009-11-05 )))))))))))))))))))))))))))))))
.
2009-11-04 23:38 . 2009-11-04 23:38 39424 ----a-w- c:\windows\system32\bujokuwo.dll
2009-11-04 02:02 . 2009-11-04 02:23 -------- d-----w- C:\step1
2009-11-01 16:49 . 2009-11-04 02:02 -------- d-----w- C:\ComboFix
2009-11-01 16:44 . 2009-11-01 16:44 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
2009-11-01 01:50 . 2009-09-10 19:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-01 01:50 . 2009-11-01 01:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-11-01 01:50 . 2009-09-10 19:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-01 01:50 . 2009-11-01 16:44 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-01 01:29 . 2009-11-01 01:29 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-10-31 23:45 . 2009-10-18 00:27 3101560 ----a-w- c:\documents and settings\Administrator\Application Data\Simply Super Software\Trojan Remover\wip1.exe
2009-10-31 23:40 . 2009-10-31 23:40 -------- d-----w- c:\documents and settings\Administrator\Application Data\Simply Super Software
2009-10-31 23:08 . 2006-06-19 17:01 69632 ----a-w- c:\windows\system32\ztvcabinet.dll
2009-10-31 23:08 . 2006-05-25 19:52 162304 ----a-w- c:\windows\system32\ztvunrar36.dll
2009-10-31 23:08 . 2005-08-26 05:50 77312 ----a-w- c:\windows\system32\ztvunace26.dll
2009-10-31 23:08 . 2003-02-03 00:06 153088 ----a-w- c:\windows\system32\UNRAR3.dll
2009-10-31 23:08 . 2002-03-06 05:00 75264 ----a-w- c:\windows\system32\unacev2.dll
2009-10-31 23:08 . 2009-10-31 23:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Simply Super Software
2009-10-31 21:26 . 2009-10-31 22:38 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
2009-10-31 19:19 . 2009-10-31 19:20 1794456 ----a-w- c:\documents and settings\Owner\Application Data\Move Networks\MoveMediaPlayerWin_071701000002.exe
2009-10-31 15:53 . 2009-10-31 23:38 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2009-10-31 15:53 . 2009-10-31 15:53 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\{A312BAB9-380D-49E6-B4AD-30E1190445F1}
2009-10-31 01:59 . 2009-10-31 01:59 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\{50A349C6-5731-4329-8974-718AC1A3B6C5}
2009-10-31 01:57 . 2009-10-31 15:10 -------- d-----w- c:\documents and settings\All Users\Application Data\75876942
2009-10-31 01:57 . 2009-10-31 01:57 274 ----a-w- c:\documents and settings\All Users\Application Data\75876942\75876942.bat
2009-10-15 00:50 . 2009-10-31 19:20 5642688 ----a-w- c:\documents and settings\Owner\Application Data\Move Networks\plugins\npqmp071701000002.dll
2009-10-15 00:50 . 2009-10-15 00:50 97216 ----a-w- c:\documents and settings\Owner\Application Data\Move Networks\ie_bin\MovePlayerUpgrade.exe
2009-10-08 00:57 . 2009-10-08 00:57 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.1.8\SetupAdmin.exe
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-04 01:57 . 2008-04-20 14:46 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-11-01 16:40 . 2008-01-15 23:52 -------- d-----w- c:\program files\Coupons
2009-11-01 16:29 . 2008-04-10 23:32 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-11-01 16:25 . 2008-04-10 23:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-10-31 23:50 . 2008-01-28 01:52 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-10-31 22:39 . 2008-08-28 23:08 -------- d-----w- c:\documents and settings\Owner\Application Data\Move Networks
2009-10-31 19:20 . 2009-05-25 03:41 143976 ----a-w- c:\documents and settings\Owner\Application Data\Move Networks\uninstall.exe
2009-10-18 16:14 . 2007-01-18 03:02 -------- d-----w- c:\program files\CCleaner
2009-10-08 01:25 . 2008-12-25 23:46 -------- d-----w- c:\program files\iTunes
2009-10-08 01:24 . 2008-12-25 23:47 -------- d-----w- c:\program files\iPod
2009-10-06 00:34 . 2009-10-06 00:34 -------- d-----w- c:\program files\MSECache
2009-09-29 01:33 . 2005-04-03 00:06 -------- d-----w- c:\program files\Java
2009-09-29 01:32 . 2009-08-29 01:33 152576 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\jre1.6.0_15\lzma.dll
2009-09-18 02:02 . 2009-09-18 02:00 -------- d-----w- c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2009-09-18 01:56 . 2008-12-26 16:39 -------- d-----w- c:\program files\QuickTime
2009-09-18 01:48 . 2008-12-25 23:39 -------- d-----w- c:\program files\Common Files\Apple
2009-09-17 01:06 . 2005-08-28 06:52 72560 -c--a-w- c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-14 00:37 . 2006-02-19 18:01 -------- d-----w- c:\program files\Symantec
2009-09-14 00:37 . 2006-02-19 18:01 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-09-14 00:36 . 2006-02-19 18:01 -------- d-----w- c:\program files\Symantec AntiVirus
2009-09-14 00:36 . 2005-04-03 00:01 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2009-09-14 00:32 . 2009-09-14 00:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Sprint
2009-09-14 00:31 . 2009-07-23 03:17 -------- d-----w- c:\program files\Sierra Wireless
2009-09-14 00:30 . 2009-07-23 03:15 -------- d-----w- c:\program files\Common Files\Motorola Shared
2009-09-14 00:17 . 2008-09-18 00:25 -------- d-----w- c:\documents and settings\Owner\Application Data\Amazon
2009-09-14 00:17 . 2008-09-18 00:19 -------- d-----w- c:\program files\Amazon
2009-09-11 14:18 . 2004-05-26 19:29 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-11 01:57 . 2009-09-11 01:57 -------- d-----w- c:\documents and settings\Owner\Application Data\OverDrive
2009-09-11 01:56 . 2009-09-11 01:56 -------- d-----w- c:\program files\OverDrive Media Console
2009-09-05 19:31 . 2009-06-16 06:35 4183416 ----a-w- c:\documents and settings\Owner\Application Data\Move Networks\plugins\npqmp071503000010.dll
2009-09-05 19:31 . 2009-09-05 19:30 1686272 ----a-w- c:\documents and settings\Owner\Application Data\Move Networks\MoveMediaPlayerWin_071503000010.exe
2009-09-04 21:03 . 2004-05-26 19:29 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 08:08 . 2004-05-26 19:30 916480 ------w- c:\windows\system32\wininet.dll
2009-08-26 08:00 . 2004-05-26 19:30 247326 ----a-w- c:\windows\system32\strmdll.dll
2005-08-29 06:50 . 2005-08-29 06:50 34235626 -c--a-w- c:\program files\Nero-6.6.0.16.exe
2005-05-13 22:12 . 2005-05-13 22:12 217073 -csha-r- c:\windows\meta4.exe
2005-08-28 05:51 . 2005-08-28 05:51 0 -csha-w- c:\windows\SMINST\HPCD.sys
2005-07-14 17:31 . 2005-07-14 17:31 27648 -csha-r- c:\windows\system32\AVSredirect.dll
2005-06-26 20:32 . 2005-06-26 20:32 616448 -csha-r- c:\windows\system32\cygwin1.dll
2005-06-22 03:37 . 2005-06-22 03:37 45568 -csha-r- c:\windows\system32\cygz.dll
2009-08-04 23:54 . 2009-08-04 23:54 45056 --sha-w- c:\windows\system32\valagase.dll
2005-02-28 18:16 . 2005-02-28 18:16 240128 -csha-r- c:\windows\system32\x.264.exe
.
(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
---- Directory of c:\documents and settings\All Users\Application Data\75876942 ----
2009-10-31 01:57 . 2009-10-31 01:57 274 ----a-w- c:\documents and settings\All Users\Application Data\75876942\75876942.bat
---- Directory of c:\program files\Coupons ----
2008-01-15 23:52 . 2008-01-15 23:52 473600 -c--a-w- c:\program files\Coupons\uninstall.exe

((((((((((((((((((((((((((((( SnapShot@2009-11-04_02.16.23 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-11-05 00:38 . 2009-11-05 00:38 16384 c:\windows\temp\Perflib_Perfdata_714.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TivoTransfer"="c:\program files\Common Files\TiVo Shared\Transfer\TiVoTransfer.exe" [2008-04-04 1193984]
"TivoNotify"="c:\program files\TiVo\Desktop\TiVoNotify.exe" [2008-04-04 394240]
"TivoServer"="c:\program files\TiVo\Desktop\TiVoServer.exe" [2008-04-04 1879552]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-02-10 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-02-10 118784]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-13 212992]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-03-27 98304]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-03-27 499712]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-09-05 417792]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-21 305440]
"bewimubiw"="c:\windows\system32\jujulihi.dll" [BU]
"punizutezi"="dozilibe.dll" [BU]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Picasa Media Detector"="c:\program files\Picasa Google\Picasa2\PicasaMediaDetector.exe" [2008-08-21 443968]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0sprecovr \SystemRoot\sprecovr.txt
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Mirc\\mirc.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\explorer.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1900:TCP"= 1900:TCP:AVELINK
"8000:TCP"= 8000:TCP:AVELINK
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;\??\c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys --> c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [?]
--- Other Services/Drivers In Memory ---
*Deregistered* - ikdtxyen
*Deregistered* - mbr
.
Contents of the 'Scheduled Tasks' folder
2009-11-05 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]
2009-11-04 c:\windows\Tasks\User_Feed_Synchronization-{BF99CC6D-B5AD-4D0A-B6F8-4D36B84CC3C6}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 08:31]
.
.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = hxxp://www.google.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
TCP: {6201A7F6-C742-4976-A9E1-9E20760B6398} = 77.74.48.113
TCP: {8C6E3C69-729A-4EA3-BE75-84507EA18B50} = 77.74.48.113
.
- - - - ORPHANS REMOVED - - - -
SharedTaskScheduler-{7be84aeb-4a14-4881-984e-d796e80dd362} - c:\windows\system32\jujulihi.dll
SSODL-woruyalet-{7be84aeb-4a14-4881-984e-d796e80dd362} - c:\windows\system32\jujulihi.dll
AddRemove-Viewpoint Manager - c:\program files\Viewpoint\Viewpoint Manager\ViewMgrInstaller.exe
AddRemove-ViewpointMediaPlayer - c:\program files\Viewpoint\Viewpoint Experience Technology\mtsAxInstaller.exe

**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-04 19:39
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'explorer.exe'(3352)
c:\windows\system32\WININET.dll
c:\program files\Bonjour\mdnsNSP.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Rundll32.exe
c:\windows\system32\Rundll32.exe
c:\program files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
c:\program files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe
c:\windows\system32\wdfmgr.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\windows\system32\wscntfy.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Java\jre6\bin\jucheck.exe
.
**************************************************************************
.
Completion time: 2009-11-05 19:52 - machine was rebooted
ComboFix-quarantined-files.txt 2009-11-05 00:51
ComboFix2.txt 2009-11-04 02:22
Pre-Run: 46,837,518,336 bytes free
Post-Run: 46,794,764,288 bytes free
Old 11-05-2009, 02:56 PM   #6
Glaswegian
Moderator/ Rangemaster TSF Academy; Analyst, Security Team; Oor Wullie; TSF Surgeon and Resident Comic
Join Date: Sep 2005
Location: Glasgow
Posts: 25,620
OS: Win XP Pro SP3 / Win 7 Pro
Re: Trojan infestation - Step 1 complete - Please Help

Hi there

CF does it automatically although there is a manual workaround in the event of a problem. Can you have a look for this file:

C:\CF-Submit.htm

If the file is there, just double click for the submission to take place.

The warnings should disappear after this run of CF.


Please read these instructions carefully and then print out or copy this page to Notepad in order to assist you when carrying out the fix. You should not have any open browsers or live internet connections when you are following the procedures below.



Combofix

Open notepad and copy/paste the text in the box below into it:

Code:
http://www.techsupportforum.com/security-center/virus-trojan-spyware-help/427727-trojan-infestation-step-1-complete-please-help.html

Collect::[4]
c:\windows\system32\valagase.dll
c:\windows\system32\bujokuwo.dll

Folder::
c:\documents and settings\All Users\Application Data\75876942

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"bewimubiw"=-
"punizutezi"=-

Save this as CFScript.txt




Referring to the picture above, drag CFScript.txt into ComboFix.exe.

When finished, it shall produce a log for you. Post that log in your next reply.

Do not mouseclick combofix's window whilst it's running. This may cause it to stall.

When CF finishes running, the ComboFix log will open along with a message box - do not be alarmed. Using the above script, ComboFix will capture a file to submit for analysis.

Ensure you are connected to the internet and click OK on the message box.
__________________
Iain - Defender of the Haggis and all things Scottish.
I don't help by PM - post in the Forums.
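As an added example (not part of this thread and not ComboFix's own code), a small Python triage script that reads a ComboFix "Reg Loading Points" block like the one posted above, picks out the Run values ComboFix marked [BU] instead of stamping with a date and size, and renders them into a CFScript using the same Collect:: and Registry:: sections as the reply above. The sample log lines are copied from this thread; treating [BU] as "worth a closer look" and using a bare Collect:: header without a suffix are my assumptions.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample: a trimmed "Reg Loading Points" block in the REGEDIT4 style
# ComboFix uses, with entries copied from the log posted earlier in this thread.
SAMPLE_LOG = r"""REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TivoNotify"="c:\program files\TiVo\Desktop\TiVoNotify.exe" [2008-04-04 394240]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-09-05 417792]
"bewimubiw"="c:\windows\system32\jujulihi.dll" [BU]
"punizutezi"="dozilibe.dll" [BU]
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
# "<name>"="<data>" [<stamp>]   where <stamp> is "YYYY-MM-DD size" or "BU"
VALUE_RE = re.compile(r'^"([^"]+)"="([^"]*)"\s*\[([^\]]*)\]\s*$')


@dataclass
class RunEntry:
    key: str      # registry key header the value was listed under
    name: str     # value name
    data: str     # command line or DLL path ComboFix reported
    stamp: str    # ComboFix's stamp, e.g. "2009-09-05 417792" or "BU"


def parse_run_entries(log_text: str) -> List[RunEntry]:
    """Walk a REGEDIT4-style block, remembering the current key header so each
    value is attributed to the key it actually sits under (HKCU vs HKLM)."""
    entries: List[RunEntry] = []
    current_key = ""
    for line in log_text.splitlines():
        m = KEY_RE.match(line.strip())
        if m:
            current_key = m.group(1)
            continue
        m = VALUE_RE.match(line.strip())
        if m and current_key:
            entries.append(RunEntry(current_key, *m.groups()))
    return entries


def flag_unverified(entries: List[RunEntry]) -> List[RunEntry]:
    """Keep only values ComboFix could not stamp with a date and size ([BU]).
    Assumption (mine): these are the entries worth a closer look, as the
    thread's helper did for bewimubiw and punizutezi."""
    return [e for e in entries if e.stamp.strip() == "BU"]


def build_cfscript(flagged: List[RunEntry]) -> str:
    """Render a CFScript: a Collect:: section for every absolute path (so the
    file is submitted for analysis) and a Registry:: section deleting each
    flagged value under the key where it was found. Section names follow the
    script in this thread; the plain 'Collect::' header is my assumption."""
    collect = [e.data for e in flagged if re.match(r"^[a-zA-Z]:\\", e.data)]
    by_key = {}
    for e in flagged:
        by_key.setdefault(e.key, []).append(e.name)
    lines: List[str] = []
    if collect:
        lines.append("Collect::")
        lines.extend(collect)
        lines.append("")
    if by_key:
        lines.append("Registry::")
        for key, names in by_key.items():
            lines.append(f"[{key}]")
            lines.extend(f'"{n}"=-' for n in names)
    return "\n".join(lines) + "\n"


def triage(log_text: str = SAMPLE_LOG) -> str:
    """Full pipeline: parse the block, flag [BU] values, emit the CFScript."""
    return build_cfscript(flag_unverified(parse_run_entries(log_text)))


if __name__ == "__main__":
    print(triage())
```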
Old 11-05-2009, 06:05 PM   #7
noles_0
Registered User
Join Date: Nov 2009
Location: Georgia
Posts: 18
OS: XP Professional V2002 SP3
Re: Trojan infestation - Step 1 complete - Please Help

Thank you for your assistance! Two odd things are occurring. One is that I'm unable to post responses to this forum on the infected laptop. I have to use my desktop to post - reason given is "message is too short, must be at least 5...". The other oddity that has begun to occur: webpages are not loading on the first "attempt". I'm finding myself having to hit refresh 1 or 2 times before webpages will display. Page that comes up is "Internet Explorer cannot display the webpage." Any ideas on this? I think the CS file was sent to you. Again, thank you!

ComboFix 09-11-04.02 - Owner 11/05/2009 19:26.4.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.478.194 [GMT -5:00]
Running from: c:\documents and settings\Owner\Desktop\step1.exe
Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Outdated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
file zipped: c:\windows\system32\bujokuwo.dll
file zipped: c:\windows\system32\valagase.dll
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\All Users\Application Data\75876942
c:\documents and settings\All Users\Application Data\75876942\75876942.bat
c:\windows\system32\bujokuwo.dll
c:\windows\system32\valagase.dll
.
((((((((((((((((((((((((( Files Created from 2009-10-06 to 2009-11-06 )))))))))))))))))))))))))))))))
.
2009-11-05 00:20 . 2009-11-05 00:52 -------- d-----w- C:\step12186s
2009-11-04 02:02 . 2009-11-04 02:23 -------- d-----w- C:\step1
2009-11-01 16:49 . 2009-11-04 02:02 -------- d-----w- C:\ComboFix
2009-11-01 16:44 . 2009-11-01 16:44 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
2009-11-01 01:29 . 2009-11-01 01:29 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-10-31 23:45 . 2009-10-18 00:27 3101560 ----a-w- c:\documents and settings\Administrator\Application Data\Simply Super Software\Trojan Remover\wip1.exe
2009-10-31 23:40 . 2009-10-31 23:40 -------- d-----w- c:\documents and settings\Administrator\Application Data\Simply Super Software
2009-10-31 23:08 . 2006-06-19 17:01 69632 ----a-w- c:\windows\system32\ztvcabinet.dll
2009-10-31 23:08 . 2006-05-25 19:52 162304 ----a-w- c:\windows\system32\ztvunrar36.dll
2009-10-31 23:08 . 2005-08-26 05:50 77312 ----a-w- c:\windows\system32\ztvunace26.dll
2009-10-31 23:08 . 2003-02-03 00:06 153088 ----a-w- c:\windows\system32\UNRAR3.dll
2009-10-31 23:08 . 2002-03-06 05:00 75264 ----a-w- c:\windows\system32\unacev2.dll
2009-10-31 23:08 . 2009-10-31 23:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Simply Super Software
2009-10-31 21:26 . 2009-10-31 22:38 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
2009-10-31 19:19 . 2009-10-31 19:20 1794456 ----a-w- c:\documents and settings\Owner\Application Data\Move Networks\MoveMediaPlayerWin_071701000002.exe
2009-10-31 15:53 . 2009-10-31 23:38 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2009-10-31 15:53 . 2009-10-31 15:53 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\{A312BAB9-380D-49E6-B4AD-30E1190445F1}
2009-10-31 01:59 . 2009-10-31 01:59 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\{50A349C6-5731-4329-8974-718AC1A3B6C5}
2009-10-15 00:50 . 2009-10-31 19:20 5642688 ----a-w- c:\documents and settings\Owner\Application Data\Move Networks\plugins\npqmp071701000002.dll
2009-10-15 00:50 . 2009-10-15 00:50 97216 ----a-w- c:\documents and settings\Owner\Application Data\Move Networks\ie_bin\MovePlayerUpgrade.exe
2009-10-08 00:57 . 2009-10-08 00:57 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.1.8\SetupAdmin.exe
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-04 01:57 . 2008-04-20 14:46 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-11-01 16:40 . 2008-01-15 23:52 -------- d-----w- c:\program files\Coupons
2009-11-01 16:29 . 2008-04-10 23:32 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-11-01 16:25 . 2008-04-10 23:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-10-31 23:50 . 2008-01-28 01:52 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-10-31 22:39 . 2008-08-28 23:08 -------- d-----w- c:\documents and settings\Owner\Application Data\Move Networks
2009-10-31 19:20 . 2009-05-25 03:41 143976 ----a-w- c:\documents and settings\Owner\Application Data\Move Networks\uninstall.exe
2009-10-18 16:14 . 2007-01-18 03:02 -------- d-----w- c:\program files\CCleaner
2009-10-08 01:25 . 2008-12-25 23:46 -------- d-----w- c:\program files\iTunes
2009-10-08 01:24 . 2008-12-25 23:47 -------- d-----w- c:\program files\iPod
2009-10-06 00:34 . 2009-10-06 00:34 -------- d-----w- c:\program files\MSECache
2009-09-29 01:33 . 2005-04-03 00:06 -------- d-----w- c:\program files\Java
2009-09-29 01:32 . 2009-08-29 01:33 152576 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\jre1.6.0_15\lzma.dll
2009-09-18 02:02 . 2009-09-18 02:00 -------- d-----w- c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2009-09-18 01:56 . 2008-12-26 16:39 -------- d-----w- c:\program files\QuickTime
2009-09-18 01:48 . 2008-12-25 23:39 -------- d-----w- c:\program files\Common Files\Apple
2009-09-17 01:06 . 2005-08-28 06:52 72560 -c--a-w- c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-14 00:37 . 2006-02-19 18:01 -------- d-----w- c:\program files\Symantec
2009-09-14 00:37 . 2006-02-19 18:01 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-09-14 00:36 . 2006-02-19 18:01 -------- d-----w- c:\program files\Symantec AntiVirus
2009-09-14 00:36 . 2005-04-03 00:01 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2009-09-14 00:32 . 2009-09-14 00:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Sprint
2009-09-14 00:31 . 2009-07-23 03:17 -------- d-----w- c:\program files\Sierra Wireless
2009-09-14 00:30 . 2009-07-23 03:15 -------- d-----w- c:\program files\Common Files\Motorola Shared
2009-09-14 00:17 . 2008-09-18 00:25 -------- d-----w- c:\documents and settings\Owner\Application Data\Amazon
2009-09-14 00:17 . 2008-09-18 00:19 -------- d-----w- c:\program files\Amazon
2009-09-11 14:18 . 2004-05-26 19:29 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-11 01:57 . 2009-09-11 01:57 -------- d-----w- c:\documents and settings\Owner\Application Data\OverDrive
2009-09-11 01:56 . 2009-09-11 01:56 -------- d-----w- c:\program files\OverDrive Media Console
2009-09-05 19:31 . 2009-06-16 06:35 4183416 ----a-w- c:\documents and settings\Owner\Application Data\Move Networks\plugins\npqmp071503000010.dll
2009-09-05 19:31 . 2009-09-05 19:30 1686272 ----a-w- c:\documents and settings\Owner\Application Data\Move Networks\MoveMediaPlayerWin_071503000010.exe
2009-09-04 21:03 . 2004-05-26 19:29 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 08:08 . 2004-05-26 19:30 916480 ------w- c:\windows\system32\wininet.dll
2009-08-26 08:00 . 2004-05-26 19:30 247326 ----a-w- c:\windows\system32\strmdll.dll
2005-08-29 06:50 . 2005-08-29 06:50 34235626 -c--a-w- c:\program files\Nero-6.6.0.16.exe
2005-05-13 22:12 . 2005-05-13 22:12 217073 -csha-r- c:\windows\meta4.exe
2005-08-28 05:51 . 2005-08-28 05:51 0 -csha-w- c:\windows\SMINST\HPCD.sys
2005-07-14 17:31 . 2005-07-14 17:31 27648 -csha-r- c:\windows\system32\AVSredirect.dll
2005-06-26 20:32 . 2005-06-26 20:32 616448 -csha-r- c:\windows\system32\cygwin1.dll
2005-06-22 03:37 . 2005-06-22 03:37 45568 -csha-r- c:\windows\system32\cygz.dll
2005-02-28 18:16 . 2005-02-28 18:16 240128 -csha-r- c:\windows\system32\x.264.exe
.
((((((((((((((((((((((((((((( SnapShot@2009-11-04_02.16.23 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-11-05 01:00 . 2009-11-05 01:00 16384 c:\windows\temp\Perflib_Perfdata_5c4.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TivoTransfer"="c:\program files\Common Files\TiVo Shared\Transfer\TiVoTransfer.exe" [2008-04-04 1193984]
"TivoNotify"="c:\program files\TiVo\Desktop\TiVoNotify.exe" [2008-04-04 394240]
"TivoServer"="c:\program files\TiVo\Desktop\TiVoServer.exe" [2008-04-04 1879552]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-02-10 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-02-10 118784]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-13 212992]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-03-27 98304]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-03-27 499712]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-09-05 417792]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-21 305440]
"bewimubiw"="c:\windows\system32\jujulihi.dll" [BU]
"punizutezi"="dozilibe.dll" [BU]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Picasa Media Detector"="c:\program files\Picasa Google\Picasa2\PicasaMediaDetector.exe" [2008-08-21 443968]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0sprecovr \SystemRoot\sprecovr.txt
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Mirc\\mirc.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1900:TCP"= 1900:TCP:AVELINK
"8000:TCP"= 8000:TCP:AVELINK
R2 AdobeActiveFileMonitor6.0;Adobe Active File Monitor V6;c:\program files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe [9/11/2007 12:45 AM 124832]
R2 TivoBeacon2;TiVo Beacon;c:\program files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe [4/4/2008 9:53 AM 868864]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;\??\c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys --> c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [?]
--- Other Services/Drivers In Memory ---
*NewlyCreated* - IDSVC
*Deregistered* - ikdtxyen
*Deregistered* - mbr
*Deregistered* - PROCEXP113
.
Contents of the 'Scheduled Tasks' folder
2009-11-05 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]
2009-11-06 c:\windows\Tasks\User_Feed_Synchronization-{BF99CC6D-B5AD-4D0A-B6F8-4D36B84CC3C6}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 08:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = hxxp://www.google.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
TCP: {6201A7F6-C742-4976-A9E1-9E20760B6398} = 77.74.48.113
TCP: {8C6E3C69-729A-4EA3-BE75-84507EA18B50} = 77.74.48.113
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-05 19:37
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(744)
c:\windows\system32\igfxsrvc.dll
c:\windows\system32\hccutils.DLL
.
Completion time: 2009-11-06 19:41
ComboFix-quarantined-files.txt 2009-11-06 00:41
ComboFix2.txt 2009-11-05 00:52
ComboFix3.txt 2009-11-04 02:22
Pre-Run: 46,748,155,904 bytes free
Post-Run: 46,725,799,936 bytes free
Upload was successful
Old 11-06-2009, 01:14 PM   #8 (permalink)
Moderator/ Rangemaster TSF Academy; Analyst, Security Team; Oor Wullie; TSF Surgeon and Resident Comic
 
 
Join Date: Sep 2005
Location: Glasgow
Posts: 25,620
OS: Win XP Pro SP3 / Win 7 Pro


Blog Entries: 10
Re: Trojan infestation - Step 1 complete - Please Help

Hi again

We’ll concentrate on ensuring you are clean first – then we can look at other items.

Online Scan
Perform an online scan with Panda ActiveScan
  • Click on Scan Your PC Now
  • A "pop up" window will appear, or a new tab will open.
  • Click on Register
  • Choose the option you like most, but we recommend the Free Registration.
  • Click on Register
  • Enter your e-mail address, and create a password.
  • Select "I do not want to receive any type of information". (unless you want to receive such information)
  • Click on Send
  • Confirm registration, and continue by entering your user name and password, then click on Enter
  • Select Full Scan, then Click on Scan Now
  • Wait for the components to be loaded and installed. Don't close this window or go to another page while it is downloading. You can continue using the Internet by opening another window in your browser.
  • If it finds any malware it can disinfect, the Disinfect button will be enabled. Click on Disinfect
  • Please ignore the offer to buy the program. Click on Export To
  • Export the log and save it to your desktop.
  • Please attach the contents of that log to your reply.
* Turn off the real time scanner of any existing antivirus program while performing the online scan.

Avast users note:

Please do continue with the online scan at Panda if you receive an alert. It is a false positive from Avast because Panda Antivirus does not encrypt its virus database.


Note that Panda may take several hours to scan your system.
__________________
Iain - Defender of the Haggis and all things Scottish.
I don't help by PM - post in the Forums.



PC Safety & Security::PC running a bit slow?::Donate::Photographers Corner
Old 11-07-2009, 12:04 PM   #9 (permalink)
Registered User
 
Join Date: Nov 2009
Location: Georgia
Posts: 18
OS: XP Professional V2002 SP3


Re: Trojan infestation - Step 1 complete - Please Help

Panda scan downloads up to 100% but then does not begin the actual scan. Internet Explorer is nearly unresponsive. Once again, I'm having to use another computer to post this reply. I'm thinking we need to reload (or fix) Internet Explorer before I'm able to go forward. What should I do next, given Panda scan won't run and IE takes several refreshes before a website begins to display, and once it connects, the websites are not displaying correctly?
Old 11-07-2009, 07:40 PM   #10 (permalink)
Registered User
 
Join Date: Nov 2009
Location: Georgia
Posts: 18
OS: XP Professional V2002 SP3


Re: Trojan infestation - Step 1 complete - Please Help

OK, I downloaded Firefox onto a USB drive from my other computer and installed it onto this one. Firefox works well (IE still has major problems). ActiveScan ran successfully. I have attached the results. What's next? Thank you for your help!
Attached Files
File Type: txt ActiveScan.txt (7.7 KB, 1 views)
Old 11-08-2009, 09:45 AM   #11 (permalink)
Moderator/ Rangemaster TSF Academy; Analyst, Security Team; Oor Wullie; TSF Surgeon and Resident Comic
 
 
Join Date: Sep 2005
Location: Glasgow
Posts: 25,620
OS: Win XP Pro SP3 / Win 7 Pro


Blog Entries: 10
Re: Trojan infestation - Step 1 complete - Please Help

Hi

Looks like another IE8 problem - logs are clean.

See here for rolling back to a previous version of IE

http://support.microsoft.com/kb/957700


Once you've done that, let me know how your system is running.
Old 11-08-2009, 06:41 PM   #12 (permalink)
Registered User
 
Join Date: Nov 2009
Location: Georgia
Posts: 18
OS: XP Professional V2002 SP3


Re: Trojan infestation - Step 1 complete - Please Help

Computer is running well. Went back to IE7 and it seems to be working also. One small issue, I get 2 rundll errors during startup - they read:
error loading c:\windows\system32\jujulihi.dll - the specified module could not be found
error loading dozilibe.dll - the specified module could not be found.

Do you think we can make these two messages go away?

Which antivirus do you recommend going forward? They seem to really slow down the computer; do any of them take up fewer resources, or are all of them similar?

thank you!
Old 11-09-2009, 03:18 PM   #13 (permalink)
Moderator/ Rangemaster TSF Academy; Analyst, Security Team; Oor Wullie; TSF Surgeon and Resident Comic
 
 
Join Date: Sep 2005
Location: Glasgow
Posts: 25,620
OS: Win XP Pro SP3 / Win 7 Pro


Blog Entries: 10
Re: Trojan infestation - Step 1 complete - Please Help

Hi again

Let’s get rid of those Registry entries – that should sort the error messages. Once everything is running normally I’ll post some recommendations for you.



Combofix
  • Close any open browsers.
  • Open notepad and copy/paste the text in the box below into it:

Code:
Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"bewimubiw"=-
"punizutezi"=-
Looking at the image below as an example



Save this as CFScript.txt, in the same location as ComboFix.exe




Referring to the picture above, drag CFScript onto ComboFix.exe.

When finished, it will produce a log for you at "C:\ComboFix.txt"

Do not mouseclick combofix's window whilst it's running. This may cause it to stall.

CAUTION! Anyone else thinking of using the above script does so at their own risk - you may end up having to re-install Windows!


Please post the log C:\ComboFix.txt for further review.
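As an added illustration (not code from the thread, from ComboFix or from the helper), this Python script automates the step above: it parses the Run keys from a ComboFix "Reg Loading Points" listing, flags values whose target file is missing (the situation behind the "specified module could not be found" rundll errors) and emits the matching CFScript `Registry::` block with the `"name"=-` deletion syntax. The sample log lines, the invented values for the two odd-named entries and the set of files assumed present on disk are all constructed; resolving a bare DLL name against system32 is a simplification of the real loader search order.

```python
"""Parse the Run keys from a ComboFix 'Reg Loading Points' listing, flag values
whose target file is gone, and emit the CFScript 'Registry::' block that
deletes only those values (the "name"=- syntax used in the fix above)."""
import re
from typing import Callable, Dict, List, Tuple

# Constructed sample in the REGEDIT4 layout ComboFix uses. The two odd-named
# entries and their values are invented for illustration; the thread's log
# never showed what those values pointed at.
SAMPLE_LOG = r'''REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TivoNotify"="c:\program files\TiVo\Desktop\TiVoNotify.exe" [2008-04-04 394240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-02-10 155648]
"bewimubiw"="rundll32.exe c:\windows\system32\jujulihi.dll,a" [?]
"punizutezi"="rundll32.exe dozilibe.dll,b" [?]
'''

# Constructed view of the disk after the DLLs were cleaned away: only the
# legitimate targets remain, so the two rundll32 entries are orphans.
PRESENT_FILES = {
    r"c:\program files\tivo\desktop\tivonotify.exe",
    r"c:\windows\system32\igfxtray.exe",
}

KEY_RE = re.compile(r"^\[(.+)\]$")
ENTRY_RE = re.compile(r'^"([^"]+)"="(.*)"(?:\s+\[.*\])?$')
DRIVE_PATH_RE = re.compile(r"([a-z]:\\.*?\.(?:exe|dll|scr|com|bat|cmd))", re.I)
BARE_NAME_RE = re.compile(r"\b([\w.-]+\.(?:exe|dll))\b", re.I)
SYSTEM32 = r"c:\windows\system32"  # assumed location for bare DLL names


def parse_run_entries(log: str) -> Dict[str, List[Tuple[str, str]]]:
    """Return {key_path: [(value_name, value_data), ...]} for every ...\\Run key."""
    entries: Dict[str, List[Tuple[str, str]]] = {}
    current = None
    for raw in log.splitlines():
        line = raw.strip()
        key = KEY_RE.match(line)
        if key:
            # Only autostart keys interest us; firewall lists etc. are skipped.
            current = key.group(1) if key.group(1).lower().endswith("\\run") else None
            continue
        entry = ENTRY_RE.match(line)
        if current and entry:
            entries.setdefault(current, []).append((entry.group(1), entry.group(2)))
    return entries


def extract_target(value: str) -> str:
    """Lower-cased path of the file a Run value really loads, or '' if unknown.

    rundll32 lines load the named DLL, not rundll32 itself. A bare DLL name is
    resolved against system32, a simplification of the real loader search order.
    """
    m = DRIVE_PATH_RE.search(value)
    if m:
        return m.group(1).lower()
    for name in BARE_NAME_RE.findall(value):
        if name.lower() != "rundll32.exe":
            return SYSTEM32 + "\\" + name.lower()
    return ""


def find_orphans(entries: Dict[str, List[Tuple[str, str]]],
                 exists: Callable[[str], bool]) -> Dict[str, List[str]]:
    """Map each Run key to the value names whose target file is missing.

    Values whose target cannot be parsed are left alone rather than deleted.
    """
    orphans: Dict[str, List[str]] = {}
    for key, values in entries.items():
        for name, data in values:
            target = extract_target(data)
            if target and not exists(target):
                orphans.setdefault(key, []).append(name)
    return orphans


def build_cfscript(orphans: Dict[str, List[str]]) -> str:
    """Render the CFScript block: 'Registry::', then "name"=- under each key."""
    lines = ["Registry::"]
    for key, names in orphans.items():
        lines.append(f"[{key}]")
        lines.extend(f'"{name}"=-' for name in names)
    return "\n".join(lines) + "\n"


def demo() -> str:
    """Run the pipeline on the constructed sample and return the CFScript text."""
    entries = parse_run_entries(SAMPLE_LOG)
    orphans = find_orphans(entries, lambda p: p in PRESENT_FILES)
    return build_cfscript(orphans)


if __name__ == "__main__":
    # On the affected machine itself, pass os.path.exists instead of the
    # PRESENT_FILES lookup so the check runs against the real disk.
    print(demo())
```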
Old 11-09-2009, 08:39 PM   #14 (permalink)
Registered User
 
Join Date: Nov 2009
Location: Georgia
Posts: 18
OS: XP Professional V2002 SP3


Re: Trojan infestation - Step 1 complete - Please Help

Hello,
It seems to be working great! The startup messages are gone. IE7 is working great. Do you see anything that is alarming in my ComboFix log below? I'm truly impressed with your abilities and willingness to help people like myself!


ComboFix 09-11-04.02 - Owner 11/09/2009 21:21.5.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.478.164 [GMT -5:00]
Running from: c:\documents and settings\Owner\Desktop\step1.exe
Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Outdated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((( Files Created from 2009-10-10 to 2009-11-10 )))))))))))))))))))))))))))))))
.

2009-11-07 22:59 . 2009-06-30 15:37 28552 ----a-w- c:\windows\system32\drivers\pavboot.sys
2009-11-07 22:57 . 2009-11-07 22:57 -------- d-----w- c:\program files\Panda Security
2009-11-07 22:47 . 2009-11-07 22:47 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Mozilla
2009-11-07 20:16 . 2009-04-29 04:55 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-11-07 20:16 . 2009-04-29 04:55 78336 ----a-w- c:\windows\system32\dllcache\ieencode.dll
2009-11-06 00:25 . 2009-11-06 00:46 -------- d-----w- C:\step119358s
2009-11-05 00:20 . 2009-11-05 00:52 -------- d-----w- C:\step12186s
2009-11-04 02:02 . 2009-11-04 02:23 -------- d-----w- C:\step1
2009-11-01 16:49 . 2009-11-04 02:02 -------- d-----w- C:\ComboFix
2009-11-01 16:44 . 2009-11-01 16:44 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
2009-11-01 01:29 . 2009-11-01 01:29 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-10-31 23:45 . 2009-10-18 00:27 3101560 ----a-w- c:\documents and settings\Administrator\Application Data\Simply Super Software\Trojan Remover\wip1.exe
2009-10-31 23:40 . 2009-10-31 23:40 -------- d-----w- c:\documents and settings\Administrator\Application Data\Simply Super Software
2009-10-31 23:08 . 2006-06-19 17:01 69632 ----a-w- c:\windows\system32\ztvcabinet.dll
2009-10-31 23:08 . 2006-05-25 19:52 162304 ----a-w- c:\windows\system32\ztvunrar36.dll
2009-10-31 23:08 . 2005-08-26 05:50 77312 ----a-w- c:\windows\system32\ztvunace26.dll
2009-10-31 23:08 . 2003-02-03 00:06 153088 ----a-w- c:\windows\system32\UNRAR3.dll
2009-10-31 23:08 . 2002-03-06 05:00 75264 ----a-w- c:\windows\system32\unacev2.dll
2009-10-31 23:08 . 2009-10-31 23:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Simply Super Software
2009-10-31 21:26 . 2009-10-31 22:38 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
2009-10-31 19:19 . 2009-10-31 19:20 1794456 ----a-w- c:\documents and settings\Owner\Application Data\Move Networks\MoveMediaPlayerWin_071701000002.exe
2009-10-31 15:53 . 2009-10-31 23:38 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2009-10-31 15:53 . 2009-10-31 15:53 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\{A312BAB9-380D-49E6-B4AD-30E1190445F1}
2009-10-31 01:59 . 2009-10-31 01:59 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\{50A349C6-5731-4329-8974-718AC1A3B6C5}
2009-10-15 00:50 . 2009-10-31 19:20 5642688 ----a-w- c:\documents and settings\Owner\Application Data\Move Networks\plugins\npqmp071701000002.dll
2009-10-15 00:50 . 2009-10-15 00:50 97216 ----a-w- c:\documents and settings\Owner\Application Data\Move Networks\ie_bin\MovePlayerUpgrade.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-09 01:34 . 2008-08-28 23:08 -------- d-----w- c:\documents and settings\Owner\Application Data\Move Networks
2009-11-04 01:57 . 2008-04-20 14:46 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-11-01 16:40 . 2008-01-15 23:52 -------- d-----w- c:\program files\Coupons
2009-11-01 16:29 . 2008-04-10 23:32 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-11-01 16:25 . 2008-04-10 23:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-10-31 23:50 . 2008-01-28 01:52 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-10-31 19:20 . 2009-05-25 03:41 143976 ----a-w- c:\documents and settings\Owner\Application Data\Move Networks\uninstall.exe
2009-10-18 16:14 . 2007-01-18 03:02 -------- d-----w- c:\program files\CCleaner
2009-10-08 01:25 . 2008-12-25 23:46 -------- d-----w- c:\program files\iTunes
2009-10-08 01:24 . 2008-12-25 23:47 -------- d-----w- c:\program files\iPod
2009-10-08 00:57 . 2009-10-08 00:57 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.1.8\SetupAdmin.exe
2009-10-06 00:34 . 2009-10-06 00:34 -------- d-----w- c:\program files\MSECache
2009-09-29 01:33 . 2005-04-03 00:06 -------- d-----w- c:\program files\Java
2009-09-29 01:32 . 2009-08-29 01:33 152576 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\jre1.6.0_15\lzma.dll
2009-09-18 02:02 . 2009-09-18 02:00 -------- d-----w- c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2009-09-18 01:56 . 2008-12-26 16:39 -------- d-----w- c:\program files\QuickTime
2009-09-18 01:48 . 2008-12-25 23:39 -------- d-----w- c:\program files\Common Files\Apple
2009-09-17 01:06 . 2005-08-28 06:52 72560 -c--a-w- c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-14 00:37 . 2006-02-19 18:01 -------- d-----w- c:\program files\Symantec
2009-09-14 00:37 . 2006-02-19 18:01 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-09-14 00:36 . 2006-02-19 18:01 -------- d-----w- c:\program files\Symantec AntiVirus
2009-09-14 00:36 . 2005-04-03 00:01 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2009-09-14 00:32 . 2009-09-14 00:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Sprint
2009-09-14 00:31 . 2009-07-23 03:17 -------- d-----w- c:\program files\Sierra Wireless
2009-09-14 00:30 . 2009-07-23 03:15 -------- d-----w- c:\program files\Common Files\Motorola Shared
2009-09-14 00:17 . 2008-09-18 00:25 -------- d-----w- c:\documents and settings\Owner\Application Data\Amazon
2009-09-14 00:17 . 2008-09-18 00:19 -------- d-----w- c:\program files\Amazon
2009-09-11 14:18 . 2004-05-26 19:29 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-05 19:31 . 2009-06-16 06:35 4183416 ----a-w- c:\documents and settings\Owner\Application Data\Move Networks\plugins\npqmp071503000010.dll
2009-09-05 19:31 . 2009-09-05 19:30 1686272 ----a-w- c:\documents and settings\Owner\Application Data\Move Networks\MoveMediaPlayerWin_071503000010.exe
2009-09-04 21:03 . 2004-05-26 19:29 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-26 08:00 . 2004-05-26 19:30 247326 ----a-w- c:\windows\system32\strmdll.dll
2005-08-29 06:50 . 2005-08-29 06:50 34235626 -c--a-w- c:\program files\Nero-6.6.0.16.exe
2005-05-13 22:12 . 2005-05-13 22:12 217073 -csha-r- c:\windows\meta4.exe
2005-08-28 05:51 . 2005-08-28 05:51 0 -csha-w- c:\windows\SMINST\HPCD.sys
2005-07-14 17:31 . 2005-07-14 17:31 27648 -csha-r- c:\windows\system32\AVSredirect.dll
2005-06-26 20:32 . 2005-06-26 20:32 616448 -csha-r- c:\windows\system32\cygwin1.dll
2005-06-22 03:37 . 2005-06-22 03:37 45568 -csha-r- c:\windows\system32\cygz.dll
2005-02-28 18:16 . 2005-02-28 18:16 240128 -csha-r- c:\windows\system32\x.264.exe
.

((((((((((((((((((((((((((((( SnapShot@2009-11-04_02.16.23 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-11-10 01:10 . 2009-11-10 01:10 16384 c:\windows\temp\Perflib_Perfdata_560.dat
+ 2005-08-29 06:26 . 2009-01-07 23:21 26144 c:\windows\system32\spupdsvc.exe
- 2005-08-29 06:26 . 2009-01-07 22:21 26144 c:\windows\system32\spupdsvc.exe
+ 2005-08-29 06:26 . 2009-01-07 23:20 16928 c:\windows\system32\spmsg.dll
- 2005-08-29 06:26 . 2009-01-07 22:20 16928 c:\windows\system32\spmsg.dll
+ 2004-05-26 19:30 . 2009-04-29 04:56 44544 c:\windows\system32\pngfilt.dll
- 2006-06-29 12:05 . 2009-01-07 22:20 23552 c:\windows\system32\normaliz.dll
+ 2006-06-29 12:05 . 2009-01-07 23:20 23552 c:\windows\system32\normaliz.dll
- 2006-06-28 21:59 . 2009-01-07 22:20 24576 c:\windows\system32\nlsdl.dll
+ 2006-06-28 21:59 . 2009-01-07 23:20 24576 c:\windows\system32\nlsdl.dll
- 2004-05-26 19:29 . 2009-03-08 08:31 48128 c:\windows\system32\mshtmler.dll
+ 2004-05-26 19:29 . 2006-10-17 16:28 48128 c:\windows\system32\mshtmler.dll
- 2004-05-26 19:29 . 2009-03-08 08:31 45568 c:\windows\system32\mshta.exe
+ 2004-05-26 19:29 . 2006-10-17 16:56 45568 c:\windows\system32\mshta.exe
+ 2006-10-17 16:58 . 2006-10-17 16:58 12288 c:\windows\system32\msfeedssync.exe
+ 2006-10-17 17:33 . 2009-04-29 04:55 52224 c:\windows\system32\msfeedsbs.dll
+ 2009-11-08 05:12 . 2009-11-08 05:12 85173 c:\windows\system32\Macromed\Flash\uninstall_plugin.exe
+ 2004-05-26 19:29 . 2006-10-17 17:05 40960 c:\windows\system32\licmgr10.dll
+ 2004-05-26 19:29 . 2009-04-29 04:55 27648 c:\windows\system32\jsproxy.dll
+ 2004-05-26 19:29 . 2006-10-17 17:00 92672 c:\windows\system32\inseng.dll
+ 2004-05-26 19:29 . 2006-10-17 16:57 36352 c:\windows\system32\imgutil.dll
+ 2006-10-17 17:01 . 2009-03-08 09:32 36864 c:\windows\system32\ieudinit.exe
- 2006-10-17 17:01 . 2009-03-08 08:32 36864 c:\windows\system32\ieudinit.exe
+ 2004-05-26 19:29 . 2006-10-17 17:01 55296 c:\windows\system32\iesetup.dll
+ 2004-05-26 19:29 . 2009-04-29 04:55 44544 c:\windows\system32\iernonce.dll
+ 2004-05-26 19:29 . 2009-04-28 09:05 70656 c:\windows\system32\ie4uinit.exe
- 2006-06-29 12:05 . 2009-01-07 22:20 26112 c:\windows\system32\idndl.dll
+ 2006-06-29 12:05 . 2009-01-07 23:20 26112 c:\windows\system32\idndl.dll
+ 2006-10-17 16:58 . 2009-04-29 04:55 63488 c:\windows\system32\icardie.dll
+ 2004-05-26 19:30 . 2009-04-29 04:56 44544 c:\windows\system32\dllcache\pngfilt.dll
+ 2004-05-26 19:29 . 2006-10-17 16:28 48128 c:\windows\system32\dllcache\mshtmler.dll
- 2004-05-26 19:29 . 2009-03-08 08:31 48128 c:\windows\system32\dllcache\mshtmler.dll
- 2004-05-26 19:29 . 2009-03-08 08:31 45568 c:\windows\system32\dllcache\mshta.exe
+ 2004-05-26 19:29 . 2006-10-17 16:56 45568 c:\windows\system32\dllcache\mshta.exe
+ 2007-05-14 23:15 . 2009-04-29 04:55 52224 c:\windows\system32\dllcache\msfeedsbs.dll
+ 2004-05-26 19:29 . 2006-10-17 17:05 40960 c:\windows\system32\dllcache\licmgr10.dll
+ 2004-05-26 19:29 . 2009-04-29 04:55 27648 c:\windows\system32\dllcache\jsproxy.dll
+ 2004-05-26 19:29 . 2006-10-17 17:00 92672 c:\windows\system32\dllcache\inseng.dll
+ 2004-05-26 19:29 . 2006-10-17 16:57 36352 c:\windows\system32\dllcache\imgutil.dll
+ 2004-05-26 19:29 . 2006-10-17 17:01 55296 c:\windows\system32\dllcache\iesetup.dll
+ 2004-05-26 19:29 . 2009-04-29 04:55 44544 c:\windows\system32\dllcache\iernonce.dll
+ 2004-05-26 19:29 . 2009-04-28 09:05 70656 c:\windows\system32\dllcache\ie4uinit.exe
+ 2007-08-20 10:04 . 2009-04-29 04:55 63488 c:\windows\system32\dllcache\icardie.dll
+ 2004-05-26 20:22 . 2006-10-17 16:44 60416 c:\windows\system32\dllcache\hmmapi.dll
+ 2004-05-26 19:29 . 2006-10-17 17:01 71680 c:\windows\system32\dllcache\admparse.dll
+ 2004-05-26 19:29 . 2008-04-14 00:11 35328 c:\windows\system32\corpol.dll
+ 2004-05-26 19:29 . 2006-10-17 17:01 71680 c:\windows\system32\admparse.dll
- 2009-10-30 22:28 . 2009-10-30 22:28 38240 c:\windows\Installer\{90120000-0020-0409-0000-0000000FF1CE}\O12ConvIcon.exe
+ 2009-11-07 00:59 . 2009-11-07 00:59 38240 c:\windows\Installer\{90120000-0020-0409-0000-0000000FF1CE}\O12ConvIcon.exe
+ 2006-10-27 01:13 . 2006-10-27 01:13 72472 c:\windows\Installer\$PatchCache$\Managed\00002109020090400000000000F01FEC\12.0.6021\XL12CNVP.DLL
+ 2006-10-27 01:07 . 2006-10-27 01:07 17680 c:\windows\Installer\$PatchCache$\Managed\00002109020090400000000000F01FEC\12.0.6021\PXBPROXY.DLL
+ 2006-05-10 00:32 . 2009-01-07 23:21 121856 c:\windows\system32\xmllite.dll
- 2006-05-10 00:32 . 2009-01-07 22:21 121856 c:\windows\system32\xmllite.dll
+ 2004-05-26 19:30 . 2009-04-29 04:56 827392 c:\windows\system32\wininet.dll
+ 2006-10-17 17:05 . 2006-10-17 17:05 206336 c:\windows\system32\winfxdocobj.exe
+ 2004-05-26 19:30 . 2009-04-29 04:56 233472 c:\windows\system32\webcheck.dll
+ 2004-05-26 19:30 . 2008-05-09 10:53 430080 c:\windows\system32\vbscript.dll
+ 2004-05-26 19:30 . 2009-04-29 04:56 105984 c:\windows\system32\url.dll
- 2004-05-26 19:30 . 2009-03-08 08:34 105984 c:\windows\system32\url.dll
+ 2004-05-26 19:30 . 2009-04-29 04:56 102912 c:\windows\system32\occache.dll
+ 2004-05-26 19:29 . 2009-04-29 04:56 671232 c:\windows\system32\mstime.dll
+ 2004-05-26 19:29 . 2009-04-29 04:56 193024 c:\windows\system32\msrating.dll
- 2004-05-26 19:29 . 2009-03-08 08:22 156160 c:\windows\system32\msls31.dll
+ 2004-05-26 19:29 . 2006-10-17 17:33 156160 c:\windows\system32\msls31.dll
+ 2004-05-26 19:29 . 2009-04-29 04:56 477696 c:\windows\system32\mshtmled.dll
+ 2006-10-17 17:33 . 2009-04-29 04:55 459264 c:\windows\system32\msfeeds.dll
- 2009-01-07 22:20 . 2009-01-07 22:20 265720 c:\windows\system32\msdbg2.dll
+ 2009-01-07 22:20 . 2009-01-07 23:20 265720 c:\windows\system32\msdbg2.dll
+ 2009-07-18 03:21 . 2009-07-18 03:21 257440 c:\windows\system32\Macromed\Flash\NPSWF32_FlashUtil.exe
+ 2004-05-26 19:29 . 2008-05-09 10:53 512000 c:\windows\system32\jscript.dll
+ 2006-10-17 17:33 . 2006-10-17 17:33 180736 c:\windows\system32\ieui.dll
+ 2006-10-17 16:57 . 2009-04-29 04:55 268288 c:\windows\system32\iertutil.dll
+ 2004-05-26 19:29 . 2006-10-17 17:33 191488 c:\windows\system32\iepeers.dll
+ 2004-05-26 19:29 . 2009-04-29 04:55 385024 c:\windows\system32\iedkcs32.dll
+ 2006-10-17 16:27 . 2009-04-29 04:55 383488 c:\windows\system32\ieapfltr.dll
+ 2004-05-26 19:29 . 2009-04-25 05:26 161792 c:\windows\system32\ieakui.dll
+ 2004-05-26 19:29 . 2009-04-29 04:55 230400 c:\windows\system32\ieaksie.dll
+ 2004-05-26 19:29 . 2009-04-29 04:55 153088 c:\windows\system32\ieakeng.dll
+ 2004-05-26 19:29 . 2009-04-29 04:55 214528 c:\windows\system32\dxtrans.dll
+ 2004-05-26 19:29 . 2009-04-29 04:55 347136 c:\windows\system32\dxtmsft.dll
+ 2004-05-26 19:30 . 2009-04-29 04:56 827392 c:\windows\system32\dllcache\wininet.dll
+ 2004-05-26 19:30 . 2009-04-29 04:56 233472 c:\windows\system32\dllcache\webcheck.dll
+ 2004-05-26 20:22 . 2007-07-12 23:31 765952 c:\windows\system32\dllcache\vgx.dll
+ 2008-05-09 10:53 . 2008-05-09 10:53 430080 c:\windows\system32\dllcache\vbscript.dll
+ 2004-05-26 19:30 . 2009-04-29 04:56 105984 c:\windows\system32\dllcache\url.dll
- 2004-05-26 19:30 . 2009-03-08 08:34 105984 c:\windows\system32\dllcache\url.dll
+ 2004-05-26 19:30 . 2009-04-29 04:56 102912 c:\windows\system32\dllcache\occache.dll
+ 2004-05-26 19:29 . 2009-04-29 04:56 671232 c:\windows\system32\dllcache\mstime.dll
+ 2004-05-26 19:29 . 2009-04-29 04:56 193024 c:\windows\system32\dllcache\msrating.dll
- 2004-05-26 19:29 . 2009-03-08 08:22 156160 c:\windows\system32\dllcache\msls31.dll
+ 2004-05-26 19:29 . 2006-10-17 17:33 156160 c:\windows\system32\dllcache\msls31.dll
+ 2004-05-26 19:29 . 2009-04-29 04:56 477696 c:\windows\system32\dllcache\mshtmled.dll
+ 2007-05-14 23:15 . 2009-04-29 04:55 459264 c:\windows\system32\dllcache\msfeeds.dll
+ 2008-05-09 10:53 . 2008-05-09 10:53 512000 c:\windows\system32\dllcache\jscript.dll
+ 2004-05-26 20:22 . 2009-04-25 05:27 636088 c:\windows\system32\dllcache\iexplore.exe
+ 2007-05-14 23:15 . 2009-04-29 04:55 268288 c:\windows\system32\dllcache\iertutil.dll
+ 2004-05-26 19:29 . 2006-10-17 17:33 191488 c:\windows\system32\dllcache\iepeers.dll
+ 2004-05-26 19:29 . 2009-04-29 04:55 385024 c:\windows\system32\dllcache\iedkcs32.dll
+ 2007-05-14 23:15 . 2009-04-29 04:55 383488 c:\windows\system32\dllcache\ieapfltr.dll
+ 2004-05-26 19:29 . 2009-04-25 05:26 161792 c:\windows\system32\dllcache\ieakui.dll
+ 2004-05-26 19:29 . 2009-04-29 04:55 230400 c:\windows\system32\dllcache\ieaksie.dll
+ 2004-05-26 19:29 . 2009-04-29 04:55 153088 c:\windows\system32\dllcache\ieakeng.dll
+ 2004-05-26 19:29 . 2009-04-29 04:55 214528 c:\windows\system32\dllcache\dxtrans.dll
+ 2004-05-26 19:29 . 2009-04-29 04:55 347136 c:\windows\system32\dllcache\dxtmsft.dll
+ 2004-05-26 19:29 . 2009-04-29 04:55 124928 c:\windows\system32\dllcache\advpack.dll
+ 2004-05-26 19:29 . 2009-04-29 04:55 124928 c:\windows\system32\advpack.dll
+ 2009-11-07 20:16 . 2006-09-06 21:43 213216 c:\windows\ie7\spuninst\spuninst.exe
+ 2004-05-26 19:30 . 2009-04-29 04:56 1159680 c:\windows\system32\urlmon.dll
+ 2004-05-26 19:29 . 2009-04-29 04:56 3596288 c:\windows\system32\mshtml.dll
+ 2009-07-18 03:21 . 2009-07-18 03:21 3883424 c:\windows\system32\Macromed\Flash\NPSWF32.dll
+ 2006-10-17 17:33 . 2009-04-29 04:55 6066176 c:\windows\system32\ieframe.dll
+ 2006-09-06 04:01 . 2008-07-09 14:25 2455488 c:\windows\system32\ieapfltr.dat
+ 2004-05-26 19:30 . 2009-04-29 04:56 1159680 c:\windows\system32\dllcache\urlmon.dll
+ 2004-05-26 19:29 . 2009-04-29 04:56 3596288 c:\windows\system32\dllcache\mshtml.dll
+ 2007-05-14 23:14 . 2009-04-29 04:55 6066176 c:\windows\system32\dllcache\ieframe.dll
+ 2007-05-14 23:15 . 2008-07-09 14:25 2455488 c:\windows\system32\dllcache\ieapfltr.dat
+ 2009-05-04 12:46 . 2009-05-04 12:46 8299008 c:\windows\Installer\a4ccd7c.msp
+ 2009-04-24 17:31 . 2009-04-24 17:31 1425920 c:\windows\Installer\a4ccd72.msp
+ 2009-04-24 17:30 . 2009-04-24 17:30 2583552 c:\windows\Installer\a4ccd67.msp
+ 2009-07-27 09:31 . 2009-07-27 09:31 3738624 c:\windows\Installer\a4ccd5c.msp
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TivoTransfer"="c:\program files\Common Files\TiVo Shared\Transfer\TiVoTransfer.exe" [2008-04-04 1193984]
"TivoNotify"="c:\program files\TiVo\Desktop\TiVoNotify.exe" [2008-04-04 394240]
"TivoServer"="c:\program files\TiVo\Desktop\TiVoServer.exe" [2008-04-04 1879552]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-02-10 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-02-10 118784]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-13 212992]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-03-27 98304]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-03-27 499712]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-09-05 417792]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-21 305440]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Picasa Media Detector"="c:\program files\Picasa Google\Picasa2\PicasaMediaDetector.exe" [2008-08-21 443968]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0sprecovr \SystemRoot\sprecovr.txt

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Mirc\\mirc.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1900:TCP"= 1900:TCP:AVELINK
"8000:TCP"= 8000:TCP:AVELINK

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [11/7/2009 5:59 PM 28552]
R2 AdobeActiveFileMonitor6.0;Adobe Active File Monitor V6;c:\program files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe [9/11/2007 12:45 AM 124832]
R2 TivoBeacon2;TiVo Beacon;c:\program files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe [4/4/2008 9:53 AM 868864]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;\??\c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys --> c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [?]

--- Other Services/Drivers In Memory ---

*Deregistered* - mbr
*Deregistered* - PROCEXP113
.
Contents of the 'Scheduled Tasks' folder

2009-11-05 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2009-11-10 c:\windows\Tasks\User_Feed_Synchronization-{BF99CC6D-B5AD-4D0A-B6F8-4D36B84CC3C6}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 16:58]
.
.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = hxxp://www.google.com/
Trusted Zone: pandasecurity.com\www
TCP: {6201A7F6-C742-4976-A9E1-9E20760B6398} = 77.74.48.113
TCP: {8C6E3C69-729A-4EA3-BE75-84507EA18B50} = 77.74.48.113
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\89vo5gz6.default\
FF - plugin: c:\documents and settings\Owner\Application Data\Move Networks\plugins\npqmp071503000010.dll
FF - plugin: c:\documents and settings\Owner\Application Data\Move Networks\plugins\npqmp071701000002.dll
FF - plugin: c:\program files\Picasa Google\Picasa2\npPicasa2.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
FF - HiddenExtension: XULRunner: {50A349C6-5731-4329-8974-718AC1A3B6C5} - c:\documents and settings\Owner\Local Settings\Application Data\{50A349C6-5731-4329-8974-718AC1A3B6C5}
FF - HiddenExtension: XULRunner: {A312BAB9-380D-49E6-B4AD-30E1190445F1} - c:\documents and settings\Administrator\Local Settings\Application Data\{A312BAB9-380D-49E6-B4AD-30E1190445F1}

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
.
- - - - ORPHANS REMOVED - - - -

Toolbar-Locked - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-09 21:30
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-11-10 21:35
ComboFix-quarantined-files.txt 2009-11-10 02:35
ComboFix2.txt 2009-11-06 00:46
ComboFix3.txt 2009-11-05 00:52
ComboFix4.txt 2009-11-04 02:22

Pre-Run: 49,747,218,432 bytes free
Post-Run: 49,742,225,408 bytes free
Old 11-10-2009, 03:46 PM   #15 (permalink)
Moderator/ Rangemaster TSF Academy; Analyst, Security Team; Oor Wullie; TSF Surgeon and Resident Comic
 
 
Join Date: Sep 2005
Location: Glasgow
Posts: 25,620
OS: Win XP Pro SP3 / Win 7 Pro


Blog Entries: 10
Re: Trojan infestation - Step 1 complete - Please Help

Hi again

All looks good. If there are no more problems we’ll just tidy up and I’ll let you go, along with my recommendations for staying safe and secure.


The following procedure will clear out the tools we've used as well as the backups and quarantines created by the fix. It will also reset your System Restore by flushing out previous restore points (which contain the infections) and create a new restore point.

Referring to the image below



Click Start > Run and copy/paste, or type the following bold text into the Run box and click OK:


ComboFix /Uninstall



Now that you are clean, to help protect your computer in the future I recommend that you get the following free programs:


General Protection

Spyware Blaster to help prevent spyware from installing in the first place.
Spyware Guard to catch and block spyware before it can execute.


Ad-Aware 2008 Free Edition

Download and install Ad-Aware 2008 Free Edition. You should use this program to scan your computer on a regular basis, just as you would antivirus software, in conjunction with Spybot. A tutorial on installing & using this product can be found here.



SnoopFree

SnoopFree is a real time monitor that notifies you when a programme wants to record your keystrokes or read your screen. Note that SnoopFree is only for XP systems.


MVPS Hosts File

The MVPS Hosts file replaces your current HOSTS file with one that will restrict known ad sites from serving you unsolicited advertisements. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is the IP of your local computer. Note that if you use a company provided HOSTS file you should not use the MVPS HOSTS file.

Alternate Browsers
Try the following free alternate browsers rather than Internet Explorer
Firefox
Opera
Chrome
Maxthon
Safari

Firewalls
A good firewall will monitor incoming and outgoing traffic. NOTE: Microsoft's Firewall for XP does not monitor outgoing traffic. If you do not have a firewall, here are 3 free ones available for personal use:
Comodo Personal Firewall
Sygate Personal Firewall
ZoneAlarm


Anti Virus Software

It is very important that you have anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future. See this link for a listing of some online antivirus scanners:
Anti-Spyware Tutorial

Here are three very good free Antivirus products which are available:
BitDefender Free
Avast!
AVG

It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.


Other Protection
Winpatrol - Download and install the free version of Winpatrol. A tutorial for this product is located here:
Using Winpatrol to protect your computer.


Web of Trust
WOT warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:
  • Green to go
  • Yellow for caution
  • Red to stop
WOT has an addon available for both Firefox and IE.


ERUNT & NTREGOPT
ERUNT is a programme that will create automatic backups of your Registry. These backups can be used to help restore your system in the event of a serious crash.
NTREGOPT will compact and optimise your Registry, to assist the smooth running of your system.


Additional Reading
In light of your recent troubles, I'm sure you'll like to avoid any future infections. Please take a look at these well written articles

PC Safety & Security - What Do I Need?
Making Internet Explorer Safer.
Think Prevention!

Have a look here if your PC is still running a bit slow
Is your PC running slow...?


Keep clean and safe and enjoy your computing!

Please respond to this thread one more time so we can mark this thread as resolved.
__________________
Iain - Defender of the Haggis and all things Scottish.
I don't help by PM - post in the Forums.



PC Safety & Security::PC running a bit slow?::Donate::Photographers Corner
Glaswegian is offline  
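As an added example (not part of Glaswegian's post, and not code from the MVPS project), the script below shows what the HOSTS-file mechanism described above looks like on disk and how to tell legitimate blocking entries (a domain mapped to 127.0.0.1 or 0.0.0.0) from the kind of HOSTS hijack that sends a search engine or an antivirus update host somewhere else. The sample file contents, the "protected" domain list and the example domains are constructed assumptions.

```python
import ipaddress

# Constructed sample HOSTS file (not taken from the thread): two MVPS-style
# blocking lines plus two lines of the kind a hijacking trojan would add.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       ads.example-adserver.test        # MVPS-style block entry
0.0.0.0         tracker.example.test
203.0.113.7     www.google.com                   # constructed hijack
127.0.0.1       update.example-antivirus.test    # constructed: AV updates blocked
"""

# Addresses that only sink traffic; an MVPS block entry uses one of these.
LOCAL_SINKS = {"127.0.0.1", "0.0.0.0", "::1"}

# Hosts a user expects to resolve normally (assumed list for this example);
# any HOSTS entry for them is suspect, whatever address it carries.
PROTECTED_SUFFIXES = ("google.com", "yahoo.com", "bing.com",
                      "example-antivirus.test")


def parse_hosts(text):
    """Return (line_number, address, hostname) for every mapping in text."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()     # drop trailing comments
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            addr = str(ipaddress.ip_address(parts[0]))
        except ValueError:
            continue                            # not a HOSTS mapping line
        for host in parts[1:]:
            entries.append((lineno, addr, host.lower()))
    return entries


def classify(entry):
    """'ok', 'block', 'redirect', 'blocked-protected' or 'hijack'."""
    _, addr, host = entry
    if host == "localhost":
        return "ok"
    protected = any(host == s or host.endswith("." + s)
                    for s in PROTECTED_SUFFIXES)
    if protected:
        # A protected host sent to a real IP is a redirect to a third party;
        # sent to a sink it silently blocks e.g. AV updates. Both are bad.
        return "hijack" if addr not in LOCAL_SINKS else "blocked-protected"
    return "block" if addr in LOCAL_SINKS else "redirect"


def audit_hosts(text):
    """Group every mapping in the file by its classification."""
    findings = {}
    for entry in parse_hosts(text):
        findings.setdefault(classify(entry), []).append(entry)
    return findings


if __name__ == "__main__":
    # On Windows XP the live file is %SystemRoot%\system32\drivers\etc\hosts.
    for kind, items in sorted(audit_hosts(SAMPLE_HOSTS).items()):
        for lineno, addr, host in items:
            print(f"line {lineno}: {kind:<18} {addr:<14} {host}")
```

Running it over the real file instead of the sample means reading that path into `audit_hosts`; a "hijack" or "blocked-protected" finding is what a redirecting infection looks like at the HOSTS layer, while plain "block" entries are the normal MVPS behaviour.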
Old 11-10-2009, 06:55 PM   #16 (permalink)
Registered User
 
Join Date: Nov 2009
Location: Georgia
Posts: 18
OS: XP Professional V2002 SP3


Re: Trojan infestation - Step 1 complete - Please Help

I guess I need a little more help. After uninstalling ComboFix, I am unable to search using 2 different search engines, Google and Yahoo. Neither IE nor Firefox works. (Bing and Excite searches both work.) The sites are up, as I have verified with my other computer. Could anything have possibly happened as a result of the uninstall of ComboFix, or is the uninstall a coincidence? I was in such good shape and now it's acting weird. What do you think?
noles_0 is offline  
Old 11-11-2009, 02:24 PM   #17 (permalink)
Moderator/ Rangemaster TSF Academy; Analyst, Security Team; Oor Wullie; TSF Surgeon and Resident Comic
Join Date: Sep 2005
Location: Glasgow
Posts: 25,620
OS: Win XP Pro SP3 / Win 7 Pro


Blog Entries: 10
Re: Trojan infestation - Step 1 complete - Please Help

Hi

It's unlikely that CF would cause that - I've never heard of it before. What happens when using Google? Any error message? Warnings?
Glaswegian is offline  
Old 11-11-2009, 06:22 PM   #18 (permalink)
Registered User
 
Join Date: Nov 2009
Location: Georgia
Posts: 18
OS: XP Professional V2002 SP3


Re: Trojan infestation - Step 1 complete - Please Help

It is actually behaving a little differently today. Yesterday, Google would return a blank white screen (no writing) when you searched on a word. Today, out of 10 searches, Google redirected about 8 to other sites, 1 resulted in a white blank screen, and 1 actually went to the site searched for. I have attached a .pdf of screen shots of the redirects & white screens. (I typed the web address into the pdf so you can see where or why the white screen was returned.) Also, when I attempted to 'sign in' to my Google, both IE and Firefox returned untrusted source messages (the Firefox message is attached also)... Hopefully I have described it well enough; if not, let me know and I'll try to get you more detailed info. Thank you, Clint
Attached Files
File Type: pdf error in ie & firefox.pdf (1.18 MB, 5 views)
noles_0 is offline  
Old 11-12-2009, 03:31 PM   #19 (permalink)
Moderator/ Rangemaster TSF Academy; Analyst, Security Team; Oor Wullie; TSF Surgeon and Resident Comic
Join Date: Sep 2005
Location: Glasgow
Posts: 25,620
OS: Win XP Pro SP3 / Win 7 Pro


Blog Entries: 10
Re: Trojan infestation - Step 1 complete - Please Help

Hi Clint

This looks like some kind of Networking or browser error, although I'm not really sure - not my area of expertise. I've been through all your logs again and there is nothing there in terms of malware - your system is clean.

I think it would probably be best if you posted (inc your pdf) in the Browsers Forum first. We have plenty of people here that know more about these kind of warnings than I. Remember to explain that you've been cleared by Security - good luck.
Glaswegian is offline  
Old 11-12-2009, 07:55 PM   #20 (permalink)
Registered User
 
Join Date: Nov 2009
Location: Georgia
Posts: 18
OS: XP Professional V2002 SP3


Re: Trojan infestation - Step 1 complete - Please Help

My last request, and I'll move on to the browser portion of this site. I respect your time and knowledge! We didn't post a ComboFix log after the redirect problem began. Please review this post and see if you can find anything that looks abnormal. Thank you for your assistance. If you don't see anything, please go ahead and archive this post. Thank you for your assistance! Clint


ComboFix 09-11-13.04 - Owner 11/12/2009 21:14.6.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.478.158 [GMT -5:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Outdated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((( Files Created from 2009-10-13 to 2009-11-13 )))))))))))))))))))))))))))))))
.

2009-11-10 01:56 . 2009-11-10 02:35 -------- d-----w- C:\step11877s
2009-11-07 22:59 . 2009-06-30 15:37 28552 ----a-w- c:\windows\system32\drivers\pavboot.sys
2009-11-07 22:57 . 2009-11-07 22:57 -------- d-----w- c:\program files\Panda Security
2009-11-07 22:47 . 2009-11-07 22:47 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Mozilla
2009-11-07 20:16 . 2009-08-29 07:36 78336 -c--a-w- c:\windows\system32\dllcache\ieencode.dll
2009-11-07 20:16 . 2009-08-29 07:36 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-11-06 00:25 . 2009-11-06 00:46 -------- d-----w- C:\step119358s
2009-11-05 00:20 . 2009-11-05 00:52 -------- d-----w- C:\step12186s
2009-11-04 02:02 . 2009-11-04 02:23 -------- d-----w- C:\step1
2009-11-01 16:44 . 2009-11-01 16:44 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
2009-11-01 01:29 . 2009-11-01 01:29 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-10-31 23:45 . 2009-10-18 00:27 3101560 ----a-w- c:\documents and settings\Administrator\Application Data\Simply Super Software\Trojan Remover\wip1.exe
2009-10-31 23:40 . 2009-10-31 23:40 -------- d-----w- c:\documents and settings\Administrator\Application Data\Simply Super Software
2009-10-31 23:08 . 2006-06-19 17:01 69632 ----a-w- c:\windows\system32\ztvcabinet.dll
2009-10-31 23:08 . 2006-05-25 19:52 162304 ----a-w- c:\windows\system32\ztvunrar36.dll
2009-10-31 23:08 . 2005-08-26 05:50 77312 ----a-w- c:\windows\system32\ztvunace26.dll
2009-10-31 23:08 . 2003-02-03 00:06 153088 ----a-w- c:\windows\system32\UNRAR3.dll
2009-10-31 23:08 . 2002-03-06 05:00 75264 ----a-w- c:\windows\system32\unacev2.dll
2009-10-31 23:08 . 2009-10-31 23:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Simply Super Software
2009-10-31 21:26 . 2009-10-31 22:38 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
2009-10-31 19:19 . 2009-10-31 19:20 1794456 ----a-w- c:\documents and settings\Owner\Application Data\Move Networks\MoveMediaPlayerWin_071701000002.exe
2009-10-31 15:53 . 2009-10-31 23:38 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2009-10-31 15:53 . 2009-10-31 15:53 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\{A312BAB9-380D-49E6-B4AD-30E1190445F1}
2009-10-31 01:59 . 2009-10-31 01:59 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\{50A349C6-5731-4329-8974-718AC1A3B6C5}
2009-10-15 00:50 . 2009-10-31 19:20 5642688 ----a-w- c:\documents and settings\Owner\Application Data\Move Networks\plugins\npqmp071701000002.dll
2009-10-15 00:50 . 2009-10-15 00:50 97216 ----a-w- c:\documents and settings\Owner\Application Data\Move Networks\ie_bin\MovePlayerUpgrade.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-09 01:34 . 2008-08-28 23:08 -------- d-----w- c:\documents and settings\Owner\Application Data\Move Networks
2009-11-04 01:57 . 2008-04-20 14:46 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-11-01 16:40 . 2008-01-15 23:52 -------- d-----w- c:\program files\Coupons
2009-11-01 16:29 . 2008-04-10 23:32 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-11-01 16:25 . 2008-04-10 23:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-10-31 23:50 . 2008-01-28 01:52 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-10-31 19:20 . 2009-05-25 03:41 143976 ----a-w- c:\documents and settings\Owner\Application Data\Move Networks\uninstall.exe
2009-10-18 16:14 . 2007-01-18 03:02 -------- d-----w- c:\program files\CCleaner
2009-10-08 01:25 . 2008-12-25 23:46 -------- d-----w- c:\program files\iTunes
2009-10-08 01:24 . 2008-12-25 23:47 -------- d-----w- c:\program files\iPod
2009-10-08 00:57 . 2009-10-08 00:57 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.1.8\SetupAdmin.exe
2009-10-06 00:34 . 2009-10-06 00:34 -------- d-----w- c:\program files\MSECache
2009-09-29 01:33 . 2005-04-03 00:06 -------- d-----w- c:\program files\Java
2009-09-29 01:32 . 2009-08-29 01:33 152576 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\jre1.6.0_15\lzma.dll
2009-09-18 02:02 . 2009-09-18 02:00 -------- d-----w- c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2009-09-18 01:56 . 2008-12-26 16:39 -------- d-----w- c:\program files\QuickTime
2009-09-18 01:48 . 2008-12-25 23:39 -------- d-----w- c:\program files\Common Files\Apple
2009-09-17 01:06 . 2005-08-28 06:52 72560 -c--a-w- c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-11 14:18 . 2004-05-26 19:29 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-05 19:31 . 2009-06-16 06:35 4183416 ----a-w- c:\documents and settings\Owner\Application Data\Move Networks\plugins\npqmp071503000010.dll
2009-09-05 19:31 . 2009-09-05 19:30 1686272 ----a-w- c:\documents and settings\Owner\Application Data\Move Networks\MoveMediaPlayerWin_071503000010.exe
2009-09-04 21:03 . 2004-05-26 19:29 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 07:36 . 2004-05-26 19:30 832512 ----a-w- c:\windows\system32\wininet.dll
2009-08-29 07:36 . 2004-05-26 19:29 17408 ----a-w- c:\windows\system32\corpol.dll
2009-08-26 08:00 . 2004-05-26 19:30 247326 ----a-w- c:\windows\system32\strmdll.dll
2005-08-29 06:50 . 2005-08-29 06:50 34235626 -c--a-w- c:\program files\Nero-6.6.0.16.exe
2005-05-13 22:12 . 2005-05-13 22:12 217073 -csha-r- c:\windows\meta4.exe
2005-08-28 05:51 . 2005-08-28 05:51 0 -csha-w- c:\windows\SMINST\HPCD.sys
2005-07-14 17:31 . 2005-07-14 17:31 27648 -csha-r- c:\windows\system32\AVSredirect.dll
2005-06-26 20:32 . 2005-06-26 20:32 616448 -csha-r- c:\windows\system32\cygwin1.dll
2005-06-22 03:37 . 2005-06-22 03:37 45568 -csha-r- c:\windows\system32\cygz.dll
2005-02-28 18:16 . 2005-02-28 18:16 240128 -csha-r- c:\windows\system32\x.264.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TivoTransfer"="c:\program files\Common Files\TiVo Shared\Transfer\TiVoTransfer.exe" [2008-04-04 1193984]
"TivoNotify"="c:\program files\TiVo\Desktop\TiVoNotify.exe" [2008-04-04 394240]
"TivoServer"="c:\program files\TiVo\Desktop\TiVoServer.exe" [2008-04-04 1879552]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-02-10 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-02-10 118784]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-13 212992]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-03-27 98304]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-03-27 499712]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-09-05 417792]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-21 305440]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Picasa Media Detector"="c:\program files\Picasa Google\Picasa2\PicasaMediaDetector.exe" [2008-08-21 443968]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0sprecovr \SystemRoot\sprecovr.txt

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Mirc\\mirc.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1900:TCP"= 1900:TCP:AVELINK
"8000:TCP"= 8000:TCP:AVELINK

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [11/7/2009 5:59 PM 28552]
R2 AdobeActiveFileMonitor6.0;Adobe Active File Monitor V6;c:\program files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe [9/11/2007 12:45 AM 124832]
R2 TivoBeacon2;TiVo Beacon;c:\program files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe [4/4/2008 9:53 AM 868864]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;\??\c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys --> c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [?]

--- Other Services/Drivers In Memory ---

*Deregistered* - mbr
*Deregistered* - PROCEXP113
.
Contents of the 'Scheduled Tasks' folder

2009-11-12 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2009-11-13 c:\windows\Tasks\User_Feed_Synchronization-{BF99CC6D-B5AD-4D0A-B6F8-4D36B84CC3C6}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 16:58]
.
.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = hxxp://www.google.com/
Trusted Zone: pandasecurity.com\www
TCP: {6201A7F6-C742-4976-A9E1-9E20760B6398} = 77.74.48.113
TCP: {8C6E3C69-729A-4EA3-BE75-84507EA18B50} = 77.74.48.113
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\89vo5gz6.default\
FF - plugin: c:\documents and settings\Owner\Application Data\Move Networks\plugins\npqmp071503000010.dll
FF - plugin: c:\documents and settings\Owner\Application Data\Move Networks\plugins\npqmp071701000002.dll
FF - plugin: c:\program files\Picasa Google\Picasa2\npPicasa2.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
FF - HiddenExtension: XULRunner: {50A349C6-5731-4329-8974-718AC1A3B6C5} - c:\documents and settings\Owner\Local Settings\Application Data\{50A349C6-5731-4329-8974-718AC1A3B6C5}
FF - HiddenExtension: XULRunner: {A312BAB9-380D-49E6-B4AD-30E1190445F1} - c:\documents and settings\Administrator\Local Settings\Application Data\{A312BAB9-380D-49E6-B4AD-30E1190445F1}

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-12 21:25
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(612)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
.
Completion time: 2009-11-12 21:30
ComboFix-quarantined-files.txt 2009-11-13 02:30
ComboFix2.txt 2009-11-10 02:35

Pre-Run: 50,238,803,968 bytes free
Post-Run: 50,233,954,304 bytes free

- - End Of File - - 15909A66F89A60D87BA93E15B28CC50B
noles_0 is offline  
Copyright 2001 - 2009, Tech Support Forum