Please take a look missing on boot up windows cannot find C:/windows/C



#1 cradl (Member)
windows cannot find C:/windows/Config/csrss.exe. Make sure you typed it in correctly or search for the file.
Ok ran ATF, Malwarebytes. Could you check my log.
Thanks


#2 cradl (Topic Starter)
sorry, here is the log
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:50:23 AM, on 1/23/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Digital Media Reader\readericon45G.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Belkin\USB F5D7050\Wireless Utility\Belkinwcui.exe
C:\Program Files\HP\digital imaging\bin\hpqtra08.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Windows Live\Toolbar\wltuser.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gateway.c...h...DTP&M=W3503
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Config\csrss.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: Windows Live Toolbar Beta - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O3 - Toolbar: &Windows Live Toolbar Beta - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O4 - HKLM\..\Run: [readericon] C:\Program Files\Digital Media Reader\readericon45G.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [hpqSRMon] C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKUS\S-1-5-19\..\Run: [puridagoja] Rundll32.exe "C:\WINDOWS\system32\pagakeli.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [puridagoja] Rundll32.exe "C:\WINDOWS\system32\pagakeli.dll",s (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [Power2GoExpress] NA (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Power2GoExpress] NA (User 'Default user')
O4 - Global Startup: Belkin Wireless USB Utility.lnk = C:\Program Files\Belkin\USB F5D7050\Wireless Utility\Belkinwcui.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\digital imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: HP Smart Select - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin....nderControl.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://wwwimages.ado...obat/nos/gp.cab
O16 - DPF: {D802A4DB-7481-49F4-BB9D-FB83378CCD74} (XRemoteSetupWeb2 Control) - http://www.h264ip.com/CAB/URSWeb.cab
O20 - AppInit_DLLs: bskozs.dll wpteuz.dll naptkt.dll lioprq.dll ctoqwu.dll bjwidl.dll C:\WINDOWS\system32\ratejuje.dll cwxidl.dll c:\windows\system32\gidogudi.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: getPlus® Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

--
End of file - 7403 bytes

#3 kahdah (GeekU Teacher, Retired Staff)
Hello cradl

Welcome to G2Go. :)
=====================

Please download DDS and save it to your desktop.
  • Disable any script blocking protection
  • Double click dds.scr to run the tool.
  • When done, DDS.txt will open.
  • Click Yes at the next prompt for Optional Scan.
  • Save both reports to your desktop.
---------------------------------------------------

Please include the contents of the following in your next reply:

DDS.txt
Attach.txt.
================
Download the GMER Rootkit Scanner. Unzip it to your Desktop.

Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.

Double-click gmer.exe. The program will begin to run.

**Caution**
These types of scans can produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries unless advised!

If possible rootkit activity is found, you will be asked if you would like to perform a full scan.
  • Click NO
  • In the right panel, you will see a bunch of boxes that have been checked ... leave everything checked and ensure the Show all box is un-checked.
  • Now click the Scan button.
    Once the scan is complete, you may receive another notice about rootkit activity.
  • Click OK.
  • GMER will produce a log. Click on the [Save..] button, and in the File name area, type in "GMER.txt"
  • Save it where you can easily find it, such as your desktop.
Post the contents of GMER.txt in your next reply.

#4 cradl (Topic Starter)
Ok here you go

DDS

DDS (Ver_09-01-19.01) - NTFSx86
Run by Owner at 22:35:23.29 on Fri 01/23/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.367.56 [GMT -6:00]


============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Digital Media Reader\readericon45G.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\HP\digital imaging\bin\hpqtra08.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
C:\Documents and Settings\Owner\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearch Bar = hxxp://www.google.com/ie
uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.google.com
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mDefault_Page_URL = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&Br=EM&Loc=ENG_US&Sys=DTP&M=W3503
mDefault_Search_URL = hxxp://www.google.com/ie
mSearch Page =
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
mWinlogon: Shell=Explorer.exe c:\windows\config\csrss.exe
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Windows Live Toolbar Beta: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
TB: &Windows Live Toolbar Beta: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
TB: {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - No File
TB: {90B8B761-DF2B-48AC-BBE0-BCC03A819B3B} - No File
mRun: [readericon] c:\program files\digital media reader\readericon45G.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [hpqSRMon] c:\program files\hp\digital imaging\bin\hpqSRMon.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\belkin~1.lnk - c:\program files\belkin\usb f5d7050\wireless utility\Belkinwcui.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} - hxxp://www.linkedin.com/cab/LinkedInContactFinderControl.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab
DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} - hxxp://wwwimages.adobe.com/www.adobe.com/products/acrobat/nos/gp.cab
DPF: {D802A4DB-7481-49F4-BB9D-FB83378CCD74} - hxxp://www.h264ip.com/CAB/URSWeb.cab
Notify: AtiExtEvent - Ati2evxx.dll
AppInit_DLLs: bskozs.dll wpteuz.dll naptkt.dll lioprq.dll ctoqwu.dll bjwidl.dll c:\windows\system32\ratejuje.dll cwxidl.dll c:\windows\system32\gidogudi.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
LSA: Authentication Packages = msv1_0 nwprovau c:\windows\system32\wvUkHyaX
LSA: Notification Packages = scecli c:\windows\system32\ratejuje.dll

============= SERVICES / DRIVERS ===============

R4 aawservice;Ad-Aware 2007 Service;c:\program files\lavasoft\ad-aware 2007\aawservice.exe [2007-10-29 587096]
R4 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
S3 getPlus® Helper;getPlus® Helper;c:\program files\nos\bin\getPlus_HelperSvc.exe [2009-1-22 33752]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2008-11-16 38496]

=============== Created Last 30 ================

2009-01-23 03:41 <DIR> --d----- c:\program files\DC++
2009-01-23 01:09 107,368 a------- c:\windows\system32\GEARAspi.dll
2009-01-23 01:09 15,464 a------- c:\windows\system32\drivers\GEARAspiWDM.sys
2009-01-23 01:08 <DIR> --d----- c:\program files\iPod
2009-01-23 01:08 <DIR> --d----- c:\program files\iTunes
2009-01-23 01:08 <DIR> --d----- c:\docume~1\alluse~1\applic~1\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2009-01-23 01:08 <DIR> --d----- c:\program files\Bonjour
2009-01-22 23:09 1,203,770 -c------ c:\windows\system32\dllcache\sysmain.sdb
2009-01-22 22:45 <DIR> --d----- c:\program files\Trend Micro
2009-01-22 22:43 <DIR> --d----- c:\windows\pss
2009-01-22 22:26 2,650 a------- c:\windows\WEB_BACKUP.inf
2009-01-22 21:46 96 a------- c:\windows\XSearch.INF
2009-01-22 21:46 96 a------- c:\windows\NVSInfo.INF
2009-01-22 21:44 706 a------- c:\windows\XRemoteSetup.inf
2009-01-22 20:14 236 a------- C:\sqmdata08.sqm
2009-01-22 20:14 200 a------- C:\sqmnoopt08.sqm
2009-01-22 18:49 236 a------- C:\sqmdata07.sqm
2009-01-22 18:49 200 a------- C:\sqmnoopt07.sqm
2009-01-22 18:39 236 a------- C:\sqmdata06.sqm
2009-01-22 18:39 200 a------- C:\sqmnoopt06.sqm
2009-01-22 17:52 236 a------- C:\sqmdata05.sqm
2009-01-22 17:52 200 a------- C:\sqmnoopt05.sqm
2009-01-22 17:40 236 a------- C:\sqmdata04.sqm
2009-01-22 17:40 200 a------- C:\sqmnoopt04.sqm
2009-01-22 17:36 66,591 ac------ c:\windows\system32\dllcache\el90xbc5.sys
2009-01-22 17:36 66,591 a------- c:\windows\system32\drivers\el90xbc5.sys
2009-01-22 17:27 236 a------- C:\sqmdata03.sqm
2009-01-22 17:27 200 a------- C:\sqmnoopt03.sqm
2009-01-22 16:25 <DIR> --d----- c:\program files\X_Integrated Remote Station (W)
2009-01-19 21:05 236 a------- C:\sqmdata02.sqm
2009-01-19 21:05 200 a------- C:\sqmnoopt02.sqm
2009-01-19 20:58 236 a------- C:\sqmdata01.sqm
2009-01-19 20:58 200 a------- C:\sqmnoopt01.sqm
2009-01-18 07:11 133,389 a--sh--- c:\windows\system32\ctoqwu.dll
2009-01-17 07:10 133,238 a--sh--- c:\windows\system32\fhahhx.dll
2009-01-16 18:40 32,000 a------- c:\windows\system32\drivers\usbaapl.sys
2009-01-16 18:28 236 a------- C:\sqmdata00.sqm
2009-01-16 18:28 200 a------- C:\sqmnoopt00.sqm
2009-01-03 13:04 0 a------- c:\windows\system32\uyovemeb.tmp
2009-01-03 04:24 <DIR> --d----- c:\docume~1\owner\applic~1\WeatherDPA
2009-01-03 04:24 <DIR> --d----- c:\docume~1\owner\applic~1\Zango
2009-01-02 13:02 1,695,560 ---sh--- c:\windows\system32\uyovemeb.ini
2008-12-31 11:21 0 a--sh--- c:\windows\system32\yaluvoho.dll
2008-12-24 22:48 1,603,449 ---sh--- c:\windows\system32\asovojop.ini

==================== Find3M ====================

2009-01-22 09:43 86,246 a--sh--- c:\windows\system32\kigebele.dll
2009-01-21 21:46 134,263 a--sh--- c:\windows\system32\hamohive.dll
2009-01-19 07:12 100,135 a--sh--- c:\windows\system32\gedoneno.dll
2009-01-18 19:11 99,498 a--sh--- c:\windows\system32\dozeyama.dll
2009-01-18 07:11 97,504 a--sh--- c:\windows\system32\birirujo.dll
2009-01-18 07:11 133,389 a--sh--- c:\windows\system32\tehenupo.dll
2009-01-17 07:10 133,238 a--sh--- c:\windows\system32\papukavo.dll
2009-01-14 16:11 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-14 16:11 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-01-06 22:57 68,404 a------- c:\windows\system32\gihezawo.dll
2009-01-05 07:04 99,069 a--sh--- c:\windows\system32\hulawira.dll
2009-01-04 16:23 98,915 a--sh--- c:\windows\system32\wavowibi.dll
2009-01-04 03:48 98,016 a--sh--- c:\windows\system32\newuwiyo.dll
2009-01-03 15:18 99,026 a--sh--- c:\windows\system32\jazibumo.dll
2009-01-03 03:18 99,106 a--sh--- c:\windows\system32\boyafihe.dll
2009-01-03 03:18 86,260 a--sh--- c:\windows\system32\tubuyena.dll
2009-01-02 13:02 98,063 a--sh--- c:\windows\system32\kuzezeve.dll
2009-01-01 23:56 100,556 a--sh--- c:\windows\system32\kihepela.dll
2008-12-31 23:08 101,019 a--sh--- c:\windows\system32\wikovire.dll
2008-12-31 11:21 61,582 a--sh--- c:\windows\system32\fosajugu.dll
2008-12-23 21:46 63,675 a--sh--- c:\windows\system32\rutobuki.dll
2008-12-18 23:20 1,862 a------- c:\docume~1\owner\applic~1\wklnhst.dat
2008-12-18 05:06 93,826 a--sh--- c:\windows\system32\lolozima.dll
2008-12-18 05:06 62,748 a--sh--- c:\windows\system32\nepadape.dll
2008-12-16 04:40 880,918 a--sh--- c:\windows\system32\XayHkUvw.ini2
2008-12-11 04:57 333,952 a------- c:\windows\system32\drivers\srv.sys
2008-11-16 13:38 86,811 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2008-11-12 16:01 165,601 a------- c:\windows\hpoins28.dat
2008-11-04 16:30 410,976 a------- c:\windows\system32\deploytk.dll
0000-00-00 00:00 52,224 a--sh--- c:\windows\system32\dovinabu.dll
0000-00-00 00:00 9,216 a--sh--- c:\windows\system32\fujudofi.dll
0000-00-00 00:00 70,311 a--sh--- c:\windows\system32\tirowefa.dll
0000-00-00 00:00 99,840 a--sh--- c:\windows\system32\tohapuva.dll
0000-00-00 00:00 66,560 a--sh--- c:\windows\system32\yehuzisa.dll
0000-00-00 00:00 70,311 a--sh--- c:\windows\system32\yeweyefa.dll
0000-00-00 00:00 134,144 a--sh--- c:\windows\system32\yitofoyi.dll

============= FINISH: 22:35:39.81 ===============


GMER found nothing

and I zipped the attach file so here you are
Thanks

#5 kahdah (GeekU Teacher, Retired Staff)
Please re-open Hijackthis and click on "Do a system scan only"
Then place a check mark next to these entries below:

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Config\csrss.exe
O4 - HKUS\S-1-5-19\..\Run: [puridagoja] Rundll32.exe "C:\WINDOWS\system32\pagakeli.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [puridagoja] Rundll32.exe "C:\WINDOWS\system32\pagakeli.dll",s (User 'NETWORK SERVICE')
O20 - AppInit_DLLs: bskozs.dll wpteuz.dll naptkt.dll lioprq.dll ctoqwu.dll bjwidl.dll C:\WINDOWS\system32\ratejuje.dll cwxidl.dll c:\windows\system32\gidogudi.dll



Now click on Fix Checked and then close Hijackthis.
==================================================
Please download the OTMoveIt3 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt3.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    :files
    c:\windows\system32\ctoqwu.dll
    c:\windows\system32\fhahhx.dll
    c:\docume~1\owner\applic~1\Zango
    c:\windows\system32\uyovemeb.ini
    c:\windows\system32\yaluvoho.dll
    c:\windows\system32\asovojop.ini
    c:\windows\system32\kigebele.dll
    c:\windows\system32\hamohive.dll
    c:\windows\system32\gedoneno.dll
    c:\windows\system32\dozeyama.dll
    c:\windows\system32\birirujo.dll
    c:\windows\system32\tehenupo.dll
    c:\windows\system32\papukavo.dll
    c:\windows\system32\gihezawo.dll
    c:\windows\system32\hulawira.dll
    c:\windows\system32\wavowibi.dll
    c:\windows\system32\newuwiyo.dll
    c:\windows\system32\jazibumo.dll
    c:\windows\system32\boyafihe.dll
    c:\windows\system32\tubuyena.dll
    c:\windows\system32\kuzezeve.dll
    c:\windows\system32\kihepela.dll
    c:\windows\system32\wikovire.dll
    c:\windows\system32\fosajugu.dll
    c:\windows\system32\rutobuki.dll
    c:\windows\system32\lolozima.dll
    c:\windows\system32\nepadape.dll
    c:\windows\system32\XayHkUvw.ini2
    c:\windows\system32\dovinabu.dll
    c:\windows\system32\fujudofi.dll
    c:\windows\system32\tirowefa.dll
    c:\windows\system32\tohapuva.dll
    c:\windows\system32\yehuzisa.dll
    c:\windows\system32\yeweyefa.dll
    c:\windows\system32\yitofoyi.dll
    
    :reg
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
    "Authentication Packages"=hex(7):msv1_0,nwprovau
    "Notification Packages"=hex(7):scecli
  • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt3
Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.
===================================
Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.
======================================
=========================
Please post these logs in your next reply:
  • OTMoveIt log
  • Malwarebytes log
  • New DDS log

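As an added example (not code from this thread or from HijackThis, DDS or OTMoveIt), the Python below applies the checks kahdah made by eye to log lines in the HijackThis and DDS formats posted above: a Winlogon Shell value that runs more than Explorer.exe, a populated AppInit_DLLs list, LSA Authentication/Notification Packages beyond the stock ones, and rundll32 autostarts under the LOCAL SERVICE / NETWORK SERVICE hives. It also builds the regedit hex(7) encoding of a REG_MULTI_SZ value, which is the form a .reg-style :reg section expects for the two LSA values (a parser reading msv1_0 as hex bytes is most likely what produced the "not a valid integer value" message reported in the next post). The sample lines are constructed to mirror entries quoted in this thread, and the baseline sets are my assumption of a stock XP box plus the NetWare provider this machine carries.

```python
"""Added example, not from the thread or its tools: flag the persistence entries
discussed above in HijackThis / DDS log lines and build regedit hex(7) values."""
import re

# Assumed baseline for this box: msv1_0 and scecli ship with Windows XP;
# nwprovau belongs to the NetWare client that also appears in the Winsock LSP line.
LSA_BASELINE = {
    "Authentication Packages": {"msv1_0", "nwprovau"},
    "Notification Packages": {"scecli"},
}
SERVICE_SIDS = ("S-1-5-19", "S-1-5-20")  # LOCAL SERVICE, NETWORK SERVICE


def check_line(line):
    """Return a one-line finding for a suspicious log line, or None if it looks benign."""
    # Winlogon Shell: HJT writes 'F2 - REG:system.ini: Shell=', DDS 'mWinlogon: Shell='.
    # Anything listed after Explorer.exe starts with every interactive logon.
    m = re.search(r"Shell=(.+)$", line, re.IGNORECASE)
    if m and ("REG:system.ini" in line or line.startswith("mWinlogon")):
        extra = [t for t in m.group(1).split() if t.lower() != "explorer.exe"]
        if extra:
            return "Winlogon Shell also launches: " + " ".join(extra)
    # AppInit_DLLs: each DLL listed is loaded into every process that loads user32.dll.
    m = re.search(r"AppInit_DLLs:\s*(.*)$", line)
    if m and m.group(1).strip():
        return "AppInit_DLLs is populated: " + m.group(1).strip()
    # LSA packages are loaded into lsass.exe at boot; compare with the baseline.
    m = re.search(r"LSA: (Authentication Packages|Notification Packages) = (.+)$", line)
    if m:
        extra = set(m.group(2).split()) - LSA_BASELINE[m.group(1)]
        if extra:
            return f"LSA {m.group(1)} has non-default entries: " + " ".join(sorted(extra))
    # Run keys under the service-account hives that start rundll32 with some DLL.
    if "\\Run:" in line and any(sid in line for sid in SERVICE_SIDS) \
            and "rundll32" in line.lower():
        return "rundll32 autostart under a service account: " + line.split("Run: ", 1)[1]
    return None


def scan(lines):
    """Return [(line_number, finding)] for every flagged line."""
    return [(n, f) for n, l in enumerate(lines, 1) if (f := check_line(l))]


def reg_multi_sz_hex7(values):
    """Encode a list of strings as regedit's hex(7) form of a REG_MULTI_SZ value:
    UTF-16LE strings, each NUL-terminated, with one more NUL closing the list."""
    data = b"".join(v.encode("utf-16-le") + b"\x00\x00" for v in values) + b"\x00\x00"
    return "hex(7):" + ",".join(f"{b:02x}" for b in data)


# Constructed sample: entries mirroring the HJT and DDS logs quoted in the thread.
SAMPLE_LINES = [
    r"F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Config\csrss.exe",
    r"O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE",
    r"""O4 - HKUS\S-1-5-19\..\Run: [puridagoja] Rundll32.exe "C:\WINDOWS\system32\pagakeli.dll",s (User 'LOCAL SERVICE')""",
    r"O20 - AppInit_DLLs: bskozs.dll wpteuz.dll C:\WINDOWS\system32\ratejuje.dll",
    r"LSA: Authentication Packages = msv1_0 nwprovau c:\windows\system32\wvUkHyaX",
    r"LSA: Notification Packages = scecli c:\windows\system32\ratejuje.dll",
    r"mWinlogon: Shell=Explorer.exe",
]

if __name__ == "__main__":
    for n, finding in scan(SAMPLE_LINES):
        print(f"line {n}: {finding}")
    # The two LSA values from the :reg section above, in the encoding a .reg parser reads.
    for name, values in (("Authentication Packages", ["msv1_0", "nwprovau"]),
                         ("Notification Packages", ["scecli"])):
        print(f'"{name}"={reg_multi_sz_hex7(values)}')
```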

#6 cradl (Topic Starter)
Ok ran into this with MoveIt.
OTMoveIt3.exe - Bad Image
The app. or .dll c:\windows\system32\yaluvoho.dll is not a valid windows image. Please check against your install disk

Also:
\dovinabu.dll
fujudofi.dll
yehuzisa.dll
'$msv1_o' is not a valid integer value.


DDS (Ver_09-01-19.01) - NTFSx86
Run by Owner at 23:55:21.17 on Fri 01/23/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.367.67 [GMT -6:00]


============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Digital Media Reader\readericon45G.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Belkin\USB F5D7050\Wireless Utility\Belkinwcui.exe
C:\Program Files\HP\digital imaging\bin\hpqtra08.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Documents and Settings\Owner\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearch Bar = hxxp://www.google.com/ie
uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.google.com
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mDefault_Page_URL = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&Br=EM&Loc=ENG_US&Sys=DTP&M=W3503
mDefault_Search_URL = hxxp://www.google.com/ie
mSearch Page =
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
mWinlogon: Shell=Explorer.exe c:\windows\config\csrss.exe
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Windows Live Toolbar Beta: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
TB: &Windows Live Toolbar Beta: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
TB: {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - No File
TB: {90B8B761-DF2B-48AC-BBE0-BCC03A819B3B} - No File
mRun: [readericon] c:\program files\digital media reader\readericon45G.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [hpqSRMon] c:\program files\hp\digital imaging\bin\hpqSRMon.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\belkin~1.lnk - c:\program files\belkin\usb f5d7050\wireless utility\Belkinwcui.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} - hxxp://www.linkedin.com/cab/LinkedInContactFinderControl.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab
DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} - hxxp://wwwimages.adobe.com/www.adobe.com/products/acrobat/nos/gp.cab
DPF: {D802A4DB-7481-49F4-BB9D-FB83378CCD74} - hxxp://www.h264ip.com/CAB/URSWeb.cab
Notify: AtiExtEvent - Ati2evxx.dll
AppInit_DLLs: pdppsa.dll c:\windows\system32\ratejuje.dll c:\windows\system32\hulawira.dll c:\windows\system32\birirujo.dll c:\windows\system32\wikovire.dll c:\windows\system32\kihepela.dll c:\windows\system32\jazibumo.dll c:\windows\system32\dozeyama.dll c:\windows\system32\wavowibi.dll c:\windows\system32\kuzezeve.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
LSA: Authentication Packages = msv1_0 nwprovau c:\windows\system32\wvUkHyaX
LSA: Notification Packages = scecli c:\windows\system32\ratejuje.dll

============= SERVICES / DRIVERS ===============

R4 aawservice;Ad-Aware 2007 Service;c:\program files\lavasoft\ad-aware 2007\aawservice.exe [2007-10-29 587096]
R4 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
S3 getPlus® Helper;getPlus® Helper;c:\program files\nos\bin\getPlus_HelperSvc.exe [2009-1-22 33752]

=============== Created Last 30 ================

2009-01-23 23:32 <DIR> --d----- C:\_OTMoveIt
2009-01-23 22:38 250 a------- c:\windows\gmer.ini
2009-01-23 03:41 <DIR> --d----- c:\program files\DC++
2009-01-23 01:09 107,368 a------- c:\windows\system32\GEARAspi.dll
2009-01-23 01:09 15,464 a------- c:\windows\system32\drivers\GEARAspiWDM.sys
2009-01-23 01:08 <DIR> --d----- c:\program files\iPod
2009-01-23 01:08 <DIR> --d----- c:\program files\iTunes
2009-01-23 01:08 <DIR> --d----- c:\docume~1\alluse~1\applic~1\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2009-01-23 01:08 <DIR> --d----- c:\program files\Bonjour
2009-01-22 23:09 1,203,770 -c------ c:\windows\system32\dllcache\sysmain.sdb
2009-01-22 22:45 <DIR> --d----- c:\program files\Trend Micro
2009-01-22 22:43 <DIR> --d----- c:\windows\pss
2009-01-22 22:26 2,650 a------- c:\windows\WEB_BACKUP.inf
2009-01-22 21:46 96 a------- c:\windows\XSearch.INF
2009-01-22 21:46 96 a------- c:\windows\NVSInfo.INF
2009-01-22 21:44 706 a------- c:\windows\XRemoteSetup.inf
2009-01-22 20:14 236 a------- C:\sqmdata08.sqm
2009-01-22 20:14 200 a------- C:\sqmnoopt08.sqm
2009-01-22 18:49 236 a------- C:\sqmdata07.sqm
2009-01-22 18:49 200 a------- C:\sqmnoopt07.sqm
2009-01-22 18:39 236 a------- C:\sqmdata06.sqm
2009-01-22 18:39 200 a------- C:\sqmnoopt06.sqm
2009-01-22 17:52 236 a------- C:\sqmdata05.sqm
2009-01-22 17:52 200 a------- C:\sqmnoopt05.sqm
2009-01-22 17:40 236 a------- C:\sqmdata04.sqm
2009-01-22 17:40 200 a------- C:\sqmnoopt04.sqm
2009-01-22 17:36 66,591 ac------ c:\windows\system32\dllcache\el90xbc5.sys
2009-01-22 17:36 66,591 a------- c:\windows\system32\drivers\el90xbc5.sys
2009-01-22 17:27 236 a------- C:\sqmdata03.sqm
2009-01-22 17:27 200 a------- C:\sqmnoopt03.sqm
2009-01-22 16:25 <DIR> --d----- c:\program files\X_Integrated Remote Station (W)
2009-01-19 21:05 236 a------- C:\sqmdata02.sqm
2009-01-19 21:05 200 a------- C:\sqmnoopt02.sqm
2009-01-19 20:58 236 a------- C:\sqmdata01.sqm
2009-01-19 20:58 200 a------- C:\sqmnoopt01.sqm
2009-01-17 07:10 133,238 a--sh--- c:\windows\system32\fhahhx.dll
2009-01-16 18:40 32,000 a------- c:\windows\system32\drivers\usbaapl.sys
2009-01-16 18:28 236 a------- C:\sqmdata00.sqm
2009-01-16 18:28 200 a------- C:\sqmnoopt00.sqm
2009-01-03 13:04 0 a------- c:\windows\system32\uyovemeb.tmp
2009-01-03 04:24 <DIR> --d----- c:\docume~1\owner\applic~1\WeatherDPA

==================== Find3M ====================

2009-01-14 16:11 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-14 16:11 15,504 a------- c:\windows\system32\drivers\mbam.sys
2008-12-18 23:20 1,862 a------- c:\docume~1\owner\applic~1\wklnhst.dat
2008-12-11 04:57 333,952 a------- c:\windows\system32\drivers\srv.sys
2008-11-16 13:38 86,811 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2008-11-12 16:01 165,601 a------- c:\windows\hpoins28.dat
2008-11-04 16:30 410,976 a------- c:\windows\system32\deploytk.dll

============= FINISH: 23:55:54.90 ===============

========== FILES ==========
DllUnregisterServer procedure not found in c:\windows\system32\ctoqwu.dll
c:\windows\system32\ctoqwu.dll NOT unregistered.
c:\windows\system32\ctoqwu.dll moved successfully.
File/Folder c:\windows\system32\fhahhx.dl not found.
c:\docume~1\owner\applic~1\Zango\v3.0\Zango\static\DownLoad moved successfully.
c:\docume~1\owner\applic~1\Zango\v3.0\Zango\static\2 moved successfully.
c:\docume~1\owner\applic~1\Zango\v3.0\Zango\static\1 moved successfully.
c:\docume~1\owner\applic~1\Zango\v3.0\Zango\static moved successfully.
c:\docume~1\owner\applic~1\Zango\v3.0\Zango\dynamic\ustat moved successfully.
c:\docume~1\owner\applic~1\Zango\v3.0\Zango\dynamic\TooltipXML moved successfully.
c:\docume~1\owner\applic~1\Zango\v3.0\Zango\dynamic moved successfully.
c:\docume~1\owner\applic~1\Zango\v3.0\Zango moved successfully.
c:\docume~1\owner\applic~1\Zango\v3.0\HostOL\static moved successfully.
c:\docume~1\owner\applic~1\Zango\v3.0\HostOL\dynamic moved successfully.
c:\docume~1\owner\applic~1\Zango\v3.0\HostOL moved successfully.
c:\docume~1\owner\applic~1\Zango\v3.0\HostOI\static moved successfully.
c:\docume~1\owner\applic~1\Zango\v3.0\HostOI\dynamic moved successfully.
c:\docume~1\owner\applic~1\Zango\v3.0\HostOI moved successfully.
c:\docume~1\owner\applic~1\Zango\v3.0 moved successfully.
c:\docume~1\owner\applic~1\Zango\IESkins moved successfully.
c:\docume~1\owner\applic~1\Zango moved successfully.
c:\windows\system32\uyovemeb.ini moved successfully.
LoadLibrary failed for c:\windows\system32\yaluvoho.dll
c:\windows\system32\yaluvoho.dll NOT unregistered.
c:\windows\system32\yaluvoho.dll moved successfully.
c:\windows\system32\asovojop.ini moved successfully.
DllUnregisterServer procedure not found in c:\windows\system32\kigebele.dll
c:\windows\system32\kigebele.dll NOT unregistered.
c:\windows\system32\kigebele.dll moved successfully.
DllUnregisterServer procedure not found in c:\windows\system32\hamohive.dll
c:\windows\system32\hamohive.dll NOT unregistered.
c:\windows\system32\hamohive.dll moved successfully.
DllUnregisterServer procedure not found in c:\windows\system32\gedoneno.dll
c:\windows\system32\gedoneno.dll NOT unregistered.
c:\windows\system32\gedoneno.dll moved successfully.
DllUnregisterServer procedure not found in c:\windows\system32\dozeyama.dll
c:\windows\system32\dozeyama.dll NOT unregistered.
c:\windows\system32\dozeyama.dll moved successfully.
DllUnregisterServer procedure not found in c:\windows\system32\birirujo.dll
c:\windows\system32\birirujo.dll NOT unregistered.
c:\windows\system32\birirujo.dll moved successfully.
DllUnregisterServer procedure not found in c:\windows\system32\tehenupo.dll
c:\windows\system32\tehenupo.dll NOT unregistered.
c:\windows\system32\tehenupo.dll moved successfully.
DllUnregisterServer procedure not found in c:\windows\system32\papukavo.dll
c:\windows\system32\papukavo.dll NOT unregistered.
c:\windows\system32\papukavo.dll moved successfully.
DllUnregisterServer procedure not found in c:\windows\system32\gihezawo.dll
c:\windows\system32\gihezawo.dll NOT unregistered.
c:\windows\system32\gihezawo.dll moved successfully.
DllUnregisterServer procedure not found in c:\windows\system32\hulawira.dll
c:\windows\system32\hulawira.dll NOT unregistered.
c:\windows\system32\hulawira.dll moved successfully.
DllUnregisterServer procedure not found in c:\windows\system32\wavowibi.dll
c:\windows\system32\wavowibi.dll NOT unregistered.
c:\windows\system32\wavowibi.dll moved successfully.
DllUnregisterServer procedure not found in c:\windows\system32\newuwiyo.dll
c:\windows\system32\newuwiyo.dll NOT unregistered.
c:\windows\system32\newuwiyo.dll moved successfully.
DllUnregisterServer procedure not found in c:\windows\system32\jazibumo.dll
c:\windows\system32\jazibumo.dll NOT unregistered.
c:\windows\system32\jazibumo.dll moved successfully.
DllUnregisterServer procedure not found in c:\windows\system32\boyafihe.dll
c:\windows\system32\boyafihe.dll NOT unregistered.
c:\windows\system32\boyafihe.dll moved successfully.
DllUnregisterServer procedure not found in c:\windows\system32\tubuyena.dll
c:\windows\system32\tubuyena.dll NOT unregistered.
c:\windows\system32\tubuyena.dll moved successfully.
DllUnregisterServer procedure not found in c:\windows\system32\kuzezeve.dll
c:\windows\system32\kuzezeve.dll NOT unregistered.
c:\windows\system32\kuzezeve.dll moved successfully.
DllUnregisterServer procedure not found in c:\windows\system32\kihepela.dll
c:\windows\system32\kihepela.dll NOT unregistered.
c:\windows\system32\kihepela.dll moved successfully.
DllUnregisterServer procedure not found in c:\windows\system32\wikovire.dll
c:\windows\system32\wikovire.dll NOT unregistered.
c:\windows\system32\wikovire.dll moved successfully.
DllUnregisterServer procedure not found in c:\windows\system32\fosajugu.dll
c:\windows\system32\fosajugu.dll NOT unregistered.
c:\windows\system32\fosajugu.dll moved successfully.
DllUnregisterServer procedure not found in c:\windows\system32\rutobuki.dll
c:\windows\system32\rutobuki.dll NOT unregistered.
c:\windows\system32\rutobuki.dll moved successfully.
DllUnregisterServer procedure not found in c:\windows\system32\lolozima.dll
c:\windows\system32\lolozima.dll NOT unregistered.
c:\windows\system32\lolozima.dll moved successfully.
DllUnregisterServer procedure not found in c:\windows\system32\nepadape.dll
c:\windows\system32\nepadape.dll NOT unregistered.
c:\windows\system32\nepadape.dll moved successfully.
c:\windows\system32\XayHkUvw.ini2 moved successfully.
LoadLibrary failed for c:\windows\system32\dovinabu.dll
c:\windows\system32\dovinabu.dll NOT unregistered.
c:\windows\system32\dovinabu.dll moved successfully.
LoadLibrary failed for c:\windows\system32\fujudofi.dll
c:\windows\system32\fujudofi.dll NOT unregistered.
c:\windows\system32\fujudofi.dll moved successfully.
DllUnregisterServer procedure not found in c:\windows\system32\tirowefa.dll
c:\windows\system32\tirowefa.dll NOT unregistered.
c:\windows\system32\tirowefa.dll moved successfully.
DllUnregisterServer procedure not found in c:\windows\system32\tohapuva.dll
c:\windows\system32\tohapuva.dll NOT unregistered.
c:\windows\system32\tohapuva.dll moved successfully.
LoadLibrary failed for c:\windows\system32\yehuzisa.dll
c:\windows\system32\yehuzisa.dll NOT unregistered.
c:\windows\system32\yehuzisa.dll moved successfully.
DllUnregisterServer procedure not found in c:\windows\system32\yeweyefa.dll
c:\windows\system32\yeweyefa.dll NOT unregistered.
c:\windows\system32\yeweyefa.dll moved successfully.
DllUnregisterServer procedure not found in c:\windows\system32\yitofoyi.dll
c:\windows\system32\yitofoyi.dll NOT unregistered.
c:\windows\system32\yitofoyi.dll moved successfully.
========== REGISTRY ==========

Error: Unable to interpret <"Notification Packages"=hex(7):scecli> in the current context!

OTMoveIt3 by OldTimer - Version 1.0.8.0 log created on 01232009_233952


Malwarebytes' Anti-Malware 1.33
Database version: 1687
Windows 5.1.2600 Service Pack 3

1/23/2009 11:50:31 PM
mbam-log-2009-01-23 (23-50-31).txt

Scan type: Quick Scan
Objects scanned: 61944
Time elapsed: 7 minute(s), 20 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 3
Registry Keys Infected: 11
Registry Values Infected: 5
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 5

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\veyekuke.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\rorabetu.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\pdppsa.dll (Trojan.Vundo.H) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8c18293b-8ba2-42e3-a8e5-a3b137c99598} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{8c18293b-8ba2-42e3-a8e5-a3b137c99598} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{09329b5c-11e9-4533-bec1-0fb58a57a589} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{09329b5c-11e9-4533-bec1-0fb58a57a589} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{8c18293b-8ba2-42e3-a8e5-a3b137c99598} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\dslcnnct (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\84b17f8b (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\puridagoja (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cpm87824c17 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\ssodl (Trojan.Vundo.H) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: c:\windows\system32\rorabetu.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: system32\rorabetu.dll -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\pdppsa.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\veyekuke.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\ekukeyev.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\rorabetu.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\mikolobe.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
  • 0

#7
kahdah

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
Download ComboFix from one of these locations:

Link 1
Link 2
Link 3


* IMPORTANT !!! Save ComboFix.exe to your Desktop


  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


Posted Image



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
  • 0

#8
cradl

cradl

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 279 posts
ComboFix 09-01-21.04 - Owner 2009-01-24 21:33:33.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.367.126 [GMT -6:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Owner\Application Data\WeatherDPA
c:\documents and settings\Owner\Application Data\WeatherDPA\Weather\WeatherStartup.xml
c:\documents and settings\Owner\err.log
c:\windows\system32\baborefe.dll.tmp
c:\windows\system32\fhahhx.dll
c:\windows\system32\gjqreqml.ini
c:\windows\system32\guzazuwo.dll.tmp
c:\windows\system32\julapato.dll.tmp
c:\windows\system32\penonoge.dll.tmp
c:\windows\system32\pologodi.dll.tmp
c:\windows\system32\pujojiwu.dll.tmp
c:\windows\system32\taviretu.dll.tmp
c:\windows\system32\vopuvemi.dll.tmp
c:\windows\system32\vulukoka.dll.tmp
c:\windows\Tasks\rssievqq.job
c:\windows\wiaserviv.log
D:\Autorun.inf
F:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2008-12-25 to 2009-01-25 )))))))))))))))))))))))))))))))
.

2009-01-24 13:24 . 2001-08-17 22:36 5,632 --a------ c:\windows\system32\ptpusb.dll
2009-01-24 13:23 . 2008-04-13 18:12 159,232 --a------ c:\windows\system32\ptpusd.dll
2009-01-23 23:32 . 2009-01-23 23:32 <DIR> d-------- C:\_OTMoveIt
2009-01-23 22:38 . 2009-01-23 22:38 250 --a------ c:\windows\gmer.ini
2009-01-23 03:41 . 2009-01-23 07:19 <DIR> d-------- c:\program files\DC++
2009-01-23 01:09 . 2008-04-17 13:12 107,368 --a------ c:\windows\system32\GEARAspi.dll
2009-01-23 01:09 . 2008-04-17 13:12 15,464 --a------ c:\windows\system32\drivers\GEARAspiWDM.sys
2009-01-23 01:08 . 2009-01-23 01:09 <DIR> d-------- c:\program files\iTunes
2009-01-23 01:08 . 2009-01-23 01:08 <DIR> d-------- c:\program files\iPod
2009-01-23 01:08 . 2009-01-23 01:08 <DIR> d-------- c:\program files\Bonjour
2009-01-23 01:08 . 2009-01-23 01:09 <DIR> d-------- c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2009-01-22 23:09 . 2008-12-06 04:05 1,203,770 -----c--- c:\windows\system32\dllcache\sysmain.sdb
2009-01-22 22:45 . 2009-01-22 22:45 <DIR> d-------- c:\program files\Trend Micro
2009-01-22 22:26 . 2009-01-22 22:26 2,650 --a------ c:\windows\WEB_BACKUP.inf
2009-01-22 21:46 . 2009-01-22 22:26 96 --a------ c:\windows\XSearch.INF
2009-01-22 21:46 . 2009-01-23 21:32 96 --a------ c:\windows\NVSInfo.INF
2009-01-22 21:44 . 2009-01-22 22:25 706 --a------ c:\windows\XRemoteSetup.inf
2009-01-22 21:21 . 2009-01-22 21:21 <DIR> d-------- c:\program files\Common Files\Adobe AIR
2009-01-22 21:14 . 2009-01-22 21:14 <DIR> d-------- c:\program files\NOS
2009-01-22 21:14 . 2009-01-22 21:19 <DIR> d-------- c:\documents and settings\All Users\Application Data\NOS
2009-01-22 21:13 . 2009-01-22 21:13 <DIR> d-------- c:\documents and settings\Owner\Application Data\AdobeUM
2009-01-22 20:14 . 2009-01-22 20:14 236 --a------ C:\sqmdata08.sqm
2009-01-22 20:14 . 2009-01-22 20:14 200 --a------ C:\sqmnoopt08.sqm
2009-01-22 18:49 . 2009-01-22 18:49 236 --a------ C:\sqmdata07.sqm
2009-01-22 18:49 . 2009-01-22 18:49 200 --a------ C:\sqmnoopt07.sqm
2009-01-22 18:39 . 2009-01-22 18:39 236 --a------ C:\sqmdata06.sqm
2009-01-22 18:39 . 2009-01-22 18:39 200 --a------ C:\sqmnoopt06.sqm
2009-01-22 17:52 . 2009-01-22 17:52 236 --a------ C:\sqmdata05.sqm
2009-01-22 17:52 . 2009-01-22 17:52 200 --a------ C:\sqmnoopt05.sqm
2009-01-22 17:40 . 2009-01-22 17:40 236 --a------ C:\sqmdata04.sqm
2009-01-22 17:40 . 2009-01-22 17:40 200 --a------ C:\sqmnoopt04.sqm
2009-01-22 17:36 . 2001-08-17 12:11 66,591 --a------ c:\windows\system32\drivers\el90xbc5.sys
2009-01-22 17:36 . 2001-08-17 12:11 66,591 --a--c--- c:\windows\system32\dllcache\el90xbc5.sys
2009-01-22 17:27 . 2009-01-22 17:27 236 --a------ C:\sqmdata03.sqm
2009-01-22 17:27 . 2009-01-22 17:27 200 --a------ C:\sqmnoopt03.sqm
2009-01-22 16:25 . 2009-01-22 16:25 <DIR> d-------- c:\program files\X_Integrated Remote Station (W)
2009-01-22 16:25 . 2009-01-22 16:25 <DIR> d-------- c:\documents and settings\Owner\Application Data\InstallShield
2009-01-19 21:05 . 2009-01-19 21:05 236 --a------ C:\sqmdata02.sqm
2009-01-19 21:05 . 2009-01-19 21:05 200 --a------ C:\sqmnoopt02.sqm
2009-01-19 20:58 . 2009-01-19 20:58 236 --a------ C:\sqmdata01.sqm
2009-01-19 20:58 . 2009-01-19 20:58 200 --a------ C:\sqmnoopt01.sqm
2009-01-16 18:51 . 2009-01-24 13:49 <DIR> d-------- c:\documents and settings\Owner\Application Data\Apple Computer
2009-01-16 18:41 . 2009-01-16 18:43 <DIR> d-------- c:\program files\QuickTime
2009-01-16 18:41 . 2009-01-16 18:43 <DIR> d-------- c:\documents and settings\All Users\Application Data\Apple Computer
2009-01-16 18:40 . 2009-01-16 18:40 <DIR> d-------- c:\program files\Apple Software Update
2009-01-16 18:40 . 2008-11-07 14:23 32,000 --a------ c:\windows\system32\drivers\usbaapl.sys
2009-01-16 18:39 . 2009-01-23 01:08 <DIR> d-------- c:\program files\Common Files\Apple
2009-01-16 18:39 . 2009-01-16 18:39 <DIR> d-------- c:\documents and settings\All Users\Application Data\Apple
2009-01-16 18:28 . 2009-01-16 18:28 236 --a------ C:\sqmdata00.sqm
2009-01-16 18:28 . 2009-01-16 18:28 200 --a------ C:\sqmnoopt00.sqm
2009-01-03 13:04 . 2009-01-03 13:04 0 --a------ c:\windows\system32\uyovemeb.tmp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-24 06:03 --------- d-----w c:\program files\World of Warcraft
2009-01-23 00:56 --------- d-----w c:\program files\RegistryFix7
2009-01-22 22:25 --------- d--h--w c:\program files\InstallShield Installation Information
2009-01-22 21:37 --------- d--h--r c:\documents and settings\Owner\Application Data\yahoo!
2009-01-22 21:37 --------- d-----w c:\documents and settings\All Users\Application Data\yahoo!
2009-01-22 21:36 --------- d-----w c:\program files\Common Files\Real
2009-01-20 03:11 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-01-14 22:11 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-14 22:11 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
2008-12-19 05:20 1,862 ----a-w c:\documents and settings\Owner\Application Data\wklnhst.dat
2008-12-15 08:38 --------- d-----w c:\program files\Vuze
2008-12-15 00:08 --------- d-----w c:\documents and settings\Owner\Application Data\Azureus
2008-12-14 09:44 --------- d-----w c:\documents and settings\All Users\Application Data\Azureus
2008-12-14 07:03 --------- d-----w c:\documents and settings\All Users\Application Data\Blizzard
2008-12-14 01:23 --------- d-----w c:\documents and settings\Owner\Application Data\uTorrent
2008-12-14 01:08 --------- d-----w c:\documents and settings\Owner\Application Data\HPAppData
2008-12-13 12:27 --------- d-----w c:\program files\Windows Live
2008-12-13 12:26 --------- d-----w c:\program files\Microsoft SQL Server Compact Edition
2008-12-13 12:24 --------- d-----w c:\program files\Microsoft
2008-12-13 12:14 --------- d-----w c:\program files\Common Files\Windows Live
2008-12-11 10:57 333,952 ----a-w c:\windows\system32\drivers\srv.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2008-09-09 3513344]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"readericon"="c:\program files\Digital Media Reader\readericon45G.exe" [2005-12-09 139264]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-13 212992]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-11-04 136600]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2008-03-25 49152]
"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2008-03-13 81920]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"RTHDCPL"="RTHDCPL.EXE" [2006-04-04 c:\windows\RTHDCPL.exe]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Belkin Wireless USB Utility.lnk - c:\program files\Belkin\USB F5D7050\Wireless Utility\Belkinwcui.exe [2005-10-28 1404928]
HP Digital Imaging Monitor.lnk - c:\program files\HP\digital imaging\bin\hpqtra08.exe [2008-03-25 214360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.clmp3enc"= c:\progra~1\CYBERL~1\Power2Go\CLMP3Enc.ACM

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwprovau

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
--a------ 2005-08-05 22:56 64512 c:\windows\ehome\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSKDetectorExe]
--a------ 2006-11-07 14:49 1121280 c:\program files\McAfee\SpamKiller\MSKDetct.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2008-04-13 18:12 1695232 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
--a------ 2008-09-09 00:02 3513344 c:\program files\Windows Live\Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-11-04 10:30 413696 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Reminder]
--a------ 2005-02-25 18:24 966656 c:\windows\creator\Remind_XP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe"=
"c:\\Program Files\\World of Warcraft\\Repair.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\HP\\digital imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\digital imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\digital imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\digital imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\digital imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\Common Files\\HP\\Digital Imaging\\bin\\hpqPhotoCrm.exe"=
"c:\\Program Files\\HP\\digital imaging\\bin\\hpqpsapp.exe"=
"c:\\Program Files\\HP\\digital imaging\\bin\\hpqcopy2.exe"=
"c:\\Program Files\\HP\\digital imaging\\bin\\hpqpse.exe"=
"c:\\Program Files\\HP\\digital imaging\\bin\\hpqsudi.exe"=
"c:\\Program Files\\HP\\digital imaging\\bin\\hpqgplgtupl.exe"=
"c:\\Program Files\\HP\\digital imaging\\bin\\hpqgpc01.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\QuickTime\\qttask.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\ehome\\ehtray.exe"=
"c:\\Program Files\\iTunes\\iTunesHelper.exe"=
"c:\\WINDOWS\\ehome\\ehmsas.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\jusched.exe"=
"c:\\Program Files\\Digital Media Reader\\readericon45G.exe"=
"c:\\WINDOWS\\RTHDCPL.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Documents and Settings\\Owner\\Desktop\\OTMoveIt3.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:blizzard downloader
"6112:TCP"= 6112:TCP:*:Disabled:blizard downloader
"6881:TCP"= 6881:TCP:*:Disabled:blizzard downloader
"6999:TCP"= 6999:TCP:*:Disabled:blizzard downloader

S3 getPlus® Helper;getPlus® Helper;c:\program files\NOS\bin\getPlus_HelperSvc.exe [2009-01-22 33752]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6bae0573-0389-11db-89f1-806d6172696f}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d8b20aa1-f860-11da-b187-806d6172696f}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480
.
Contents of the 'Scheduled Tasks' folder

2009-01-17 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2009-01-24 c:\windows\Tasks\HP Usg Daily FY04.job
- c:\program files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\pexpress\hphped06.exe []

2009-01-24 c:\windows\Tasks\WebReg 20070510174506.job
- c:\program files\HP\Digital Imaging\bin\hpqwrg.exe [2008-03-25 20:42]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
DPF: {D802A4DB-7481-49F4-BB9D-FB83378CCD74} - hxxp://www.h264ip.com/CAB/URSWeb.cab
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-24 21:38:09
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(648)
c:\windows\system32\Ati2evxx.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\program files\Lavasoft\Ad-Aware 2007\aawservice.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\ehome\ehrecvr.exe
c:\windows\system32\ati2evxx.exe
c:\windows\ehome\ehSched.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
c:\windows\ehome\mcrdsvc.exe
c:\program files\Windows Live\Contacts\wlcomm.exe
c:\windows\system32\dllhost.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\wscntfy.exe
c:\program files\HP\digital imaging\bin\hpqste08.exe
c:\program files\HP\digital imaging\bin\hpqbam08.exe
c:\program files\HP\digital imaging\bin\hpqgpc01.exe
.
**************************************************************************
.
Completion time: 2009-01-24 21:44:53 - machine was rebooted
ComboFix-quarantined-files.txt 2009-01-25 03:44:49

Pre-Run: 118,014,025,728 bytes free
Post-Run: 118,011,191,296 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

256 --- E O F --- 2009-01-23 05:31:31
  • 0

#9
kahdah

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
  • Please double-click OTMoveIt3.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    :files
    c:\windows\system32\uyovemeb.tmp
    
    :reg
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6bae0573-0389-11db-89f1-806d6172696f}]
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d8b20aa1-f860-11da-b187-806d6172696f}]
  • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt3
Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.
===================================
Post back with that log and a new HijackThis log and let me know how things are running.
  • 0
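Added example, not from this thread or from OldTimer's OTMoveIt3: a Python dry-run parser for the :files / :reg script format pasted above. It rejects malformed lines in either section and, against a constructed inventory of files and registry keys, reports which entries would be acted on and which come back "not found" (the outcome reported in the reply below). The [-KEY] rule for :reg lines and the report wording are assumptions, not the tool's documented behaviour.

```python
import re
# Constructed copy of the script from the post above (same two sections).
SAMPLE_SCRIPT = r"""
:files
c:\windows\system32\uyovemeb.tmp

:reg
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6bae0573-0389-11db-89f1-806d6172696f}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d8b20aa1-f860-11da-b187-806d6172696f}]
"""
# Assumed grammar: a :reg line is "[-KEY]" (delete that key); a :files line is an absolute path.
REG_DELETE = re.compile(r"\[-(HKEY_[A-Z_]+\\[^\]]+)\]")
ABS_PATH = re.compile(r"[A-Za-z]:\\")
def parse_script(text):
    """Split the script into its :files and :reg entries, rejecting malformed lines."""
    actions, section = {"files": [], "reg": []}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(":"):          # section header
            section = line[1:].lower()
            if section not in actions:
                raise ValueError(f"unknown section: {line}")
        elif section == "reg":
            m = REG_DELETE.fullmatch(line)
            if not m:
                raise ValueError(f"malformed registry line: {line}")
            actions["reg"].append(m.group(1))
        elif section == "files":
            if not ABS_PATH.match(line):
                raise ValueError(f"file path must be absolute: {line}")
            actions["files"].append(line)
        else:
            raise ValueError(f"entry outside any section: {line}")
    return actions

def dry_run(actions, existing_files, existing_keys):
    """Report what the script would touch; Windows paths and keys compare case-insensitively."""
    files = {p.lower() for p in existing_files}
    keys = {k.lower() for k in existing_keys}
    report = []
    for path in actions["files"]:
        state = "would be moved" if path.lower() in files else "not found"
        report.append(f"File/Folder {path} {state}.")
    for key in actions["reg"]:
        state = "would be deleted" if key.lower() in keys else "not found"
        report.append(f"Registry key {key} {state}.")
    return report
```

Running dry_run(parse_script(SAMPLE_SCRIPT), [], []) with empty inventories yields three "not found" lines, the same outcome the real run below reported.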

#10
cradl

cradl

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 279 posts
========== FILES ==========
File/Folder c:\windows\system32\uyovemeb.tmp not found.
========== REGISTRY ==========
Registry key HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6bae0573-0389-11db-89f1-806d6172696f}\\ not found.
Registry key HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d8b20aa1-f860-11da-b187-806d6172696f}\\ not found.

OTMoveIt3 by OldTimer - Version 1.0.8.0 log created on 01262009_031030
  • 0

#11
kahdah

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
Please post a new Hijackthis log and let me know how things are running?
  • 0

#12
cradl

cradl

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 279 posts
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:37:50 AM, on 1/26/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Digital Media Reader\readericon45G.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Belkin\USB F5D7050\Wireless Utility\Belkinwcui.exe
C:\Program Files\HP\digital imaging\bin\hpqtra08.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: Windows Live Toolbar Beta - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O3 - Toolbar: &Windows Live Toolbar Beta - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O4 - HKLM\..\Run: [readericon] C:\Program Files\Digital Media Reader\readericon45G.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [hpqSRMon] C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - Global Startup: Belkin Wireless USB Utility.lnk = C:\Program Files\Belkin\USB F5D7050\Wireless Utility\Belkinwcui.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\digital imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: HP Smart Select - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin....nderControl.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://wwwimages.ado...obat/nos/gp.cab
O16 - DPF: {D802A4DB-7481-49F4-BB9D-FB83378CCD74} (XRemoteSetupWeb2 Control) - http://www.h264ip.com/CAB/URSWeb.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: getPlus® Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

--
End of file - 6915 bytes
  • 0

#13
kahdah

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
Cleanup:

Please download OTCleanIt from Here and save it to your desktop.
Double click on OTCleanIt to run it.
Then click on Clean up.
Restart your computer when prompted.
This will remove what tools we used.
===============
Delete/uninstall anything else that we have used.

Including this folder C:\Rsit

System Restore
Then I will need you to reset your System Restore points.
The link below shows how to create a clean restore point.
How to Turn On and Turn Off System Restore in Windows XP
http://support.micro...kb/310405/en-us

If you are using Vista then see this link > http://www.bleepingc...143.html#manual
=====================================
After that your log is clean. :)

The following is a list of tools and utilities that I like to suggest to people.
You do not have to have all or any of them they are only suggestions.
This list is full of great tools and utilities to help you understand how you got infected and how to keep from getting infected again.

Spybot Search & Destroy - Uber powerful tool which can search and annihilate nasties that make it onto your system. Now with an Immunize section that will help prevent future infections.

Spyware Blaster - Great prevention tool to keep nasties from installing on your system.

SpywareGuard - Works as a Spyware "Shield" to protect your computer from getting malware in the first place.

Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.

Prevention article - To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections, please read the Prevention article by Miekiemoes.

If your computer is slow - A tutorial on what you can do if your computer is slow.
  • 0
