• Status: Solved
  • Priority: Medium
  • Security: Public

worm.win32.netsky - Help

Following the instructions from another thread, here is the text file I received after running HiJackThis.
Logfile of Trend Micro HijackThis v2.0.3 (BETA)
Scan saved at 1:58:56 PM, on 12/25/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16945)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Symantec Client Security\Symantec Client Firewall\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Drivers\trcboot.exe
C:\Program Files\IBM\Personal Communications\PCS_AGNT.EXE
C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
C:\Program Files\c4ebreg\c4ebreg.exe
c:\sdwork\issimsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\notes\ntmulti.exe
C:\Program Files\AT&T Network Client\NetCfgSv.EXE
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Common Files\ICWM\Printer\RDIConverterService.exe
c:\Program Files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
C:\WINDOWS\System32\TPHDEXLG.EXE
C:\WINDOWS\system32\TpKmpSVC.exe
C:\WINDOWS\system32\Drivers\ldlcserv.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
C:\WINDOWS\system32\acs.exe
C:\Program Files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\IBM\Personal Communications\tpam.exe
C:\Program Files\c4ebreg\isamtray.exe
C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\TpShocks.exe
C:\Program Files\Lenovo\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\Lenovo\PkgMgr\HOTKEY_1\TpScrex.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\IBMTOOLS\UTILS\ibmprc.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~2\SYMANT~2\VPTray.exe
C:\Program Files\IBM\My Help\plugins\com.ibm.myhelp.common_1.4.19\pmonmh.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\winupdate86.exe
C:\Program Files\Smart Protector Pro\SmartProtector-Pro.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\Program Files\Safari\Safari.exe
C:\Program Files\IBM\My Help\MyHelp.exe
C:\Program Files\IBM\My Help\jre\bin\myhelpw.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\TrendMicro\HiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = w3.ibm.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;<local>
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\winlogon86.exe
O1 - Hosts: 82.98.231.89 url.adtrgt.com
O1 - Hosts: 82.98.231.89 googleads2.gdoubleclick.net
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [Tpam.exe] "C:\Program Files\IBM\Personal Communications\tpam.exe"
O4 - HKLM\..\Run: [ISAMTray] "C:\Program Files\c4ebreg\isamtray.exe"
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [BMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE
O4 - HKLM\..\Run: [BMMMONWND] rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatInfEx.dll,BMMAutonomicMonitor
O4 - HKLM\..\Run: [BLOG] rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL,StartBattLog
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [MyHelpService] C:\Program Files\IBM\My Help\workspace\service\delayStart.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [C4EBReg] "C:\Program Files\c4ebreg\c4ebreg.exe" /q
O4 - HKLM\..\Run: [IBMPRC] C:\IBMTOOLS\UTILS\ibmprc.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [stgclean] c:\sdwork\w32maing.exe /cleanup
O4 - HKLM\..\Run: [ACTray] C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~2\SYMANT~2\VPTray.exe
O4 - HKLM\..\Run: [pmonmh] C:\Program Files\IBM\My Help\plugins\\com.ibm.myhelp.common_1.4.19/pmonmh.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [ISSI Service] "c:\sdwork\issimsvc.exe"
O4 - HKLM\..\Run: [zitobimupu] Rundll32.exe "C:\WINDOWS\system32\hohazoye.dll",s
O4 - HKLM\..\Run: [8017f807] rundll32.exe "C:\WINDOWS\system32\vomolapa.dll",b
O4 - HKLM\..\Run: [CPM8324cb9b] Rundll32.exe "c:\windows\system32\vatoteju.dll",a
O4 - HKLM\..\Run: [12861927] C:\Documents and Settings\All Users\Application Data\12861927\12861927.exe
O4 - HKLM\..\Run: [winupdate86.exe] C:\WINDOWS\system32\winupdate86.exe
O4 - HKCU\..\Run: [SPSTEALT] "C:\Program Files\Smart Protector Pro\SmartProtector-Pro.exe" /stealt
O4 - HKCU\..\Run: [NetSP - restore settings on power failure] "C:\Program Files\AT&T Network Client\NetSP.exe" -show
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2009] C:\Program Files\Uniblue\RegistryBooster\RegistryBooster.exe /S
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe"
O4 - HKUS\S-1-5-19\..\Run: [zitobimupu] Rundll32.exe "C:\WINDOWS\system32\hohazoye.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [zitobimupu] Rundll32.exe "C:\WINDOWS\system32\hohazoye.dll",s (User 'NETWORK SERVICE')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Lotus QuickStart.lnk = ?
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Add to PrivUrl - {BC9FC656-BAE1-49CF-B09F-7CA8A0632FE9} - C:\WINDOWS\system32\shdocvw.dll (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://w3.ibm.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = IBM.COM,boulder.ibm.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = ibm.com
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: SearchList = ibm.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = ibm.com
O20 - AppInit_DLLs: C:\WINDOWS\system32\muhimese.dll c:\windows\system32\vatoteju.dll,rijegazo.dll
O20 - Winlogon Notify: ACNotify - ACNotify.dll (file missing)
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\vatoteju.dll (file missing)
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\vatoteju.dll (file missing)
O23 - Service: Ac Profile Manager Service (AcPrfMgrSvc) - Unknown owner - C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
O23 - Service: ACU Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
O23 - Service: Access Connections Main Service (AcSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AppnNode - IBM Corporation - C:\WINDOWS\system32\Drivers\appnnode.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: IBM Rapid Restore Ultra Service - Unknown owner - C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: IBM Standard Asset Manager Service (ISAMSvc) - IBM Corp. - C:\Program Files\c4ebreg\c4ebreg.exe
O23 - Service: ISSI (ISSIMon) - IBM Corp. - c:\sdwork\issimsvc.exe
O23 - Service: IS Service (ISSVC) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec Client Firewall\ISSVC.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: IBM Enterprise Extender (ldlcserv) - IBM Corporation - C:\WINDOWS\system32\Drivers\ldlcserv.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~2.EXE
O23 - Service: Multi-user Cleanup Service - IBM Corp - C:\notes\ntmulti.exe
O23 - Service: Network Configuration Service (NetCfgSvr) - AT&T - C:\Program Files\AT&T Network Client\NetCfgSv.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - (no file)
O23 - Service: RDI Document Conversion Helper (RDIConverterPrintHelper) - Web Meeting - C:\Program Files\Common Files\ICWM\Printer\RDIConverterService.exe
O23 - Service: SAVRoam (SavRoam) - symantec - c:\Program Files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Symantec SecurePort (SymSecurePort) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\WINDOWS\System32\TPHDEXLG.EXE
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe
O23 - Service: IBM Trace Facility (TrcBoot) - IBM Corporation - C:\WINDOWS\system32\Drivers\trcboot.exe

--
End of file - 14106 bytes
Asked by: reymannp
1 Solution
optoma commented:
What notifies you of Netsky?

Run Malwarebytes and attach logfile after
http://www.malwarebytes.org/mbam-download.php

After that, run the Netsky removal tool:
http://www.nod32.it/cgi-bin/mapdl.pl?tool=Netsky
reymannp (Author) commented:
On Windows startup, an error message appears which tells me I have the worm. I then get an icon in my toolbar which tells me to click the icon, which will then download and install antispyware. I have not clicked the icon.

Was unable to run Malwarebytes. Received an error message saying a certain file wasn't found and the program could not load.

The nod32 netsky removal tool did detect the worm, but was unable to remove it.
warturtle commented:
Yes, there are bad entries in your HijackThis log. Download ComboFix from here:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Make sure that you read the instructions carefully before running this tool. It might be a rogue antispyware application that is probably installed already on your PC.

Send us the ComboFix logs to have a look at. After running ComboFix, you should try to install MalwareBytes again and run it.

Hope it helps.
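As an added illustration (not code from this thread or from HijackThis), the Python script below applies the checks an analyst makes by eye when reading the log above, run over a handful of lines copied from it plus one constructed benign hosts entry. The heuristics are my own assumptions: a non-default UserInit, hosts entries that point at a remote address, Run entries that load a DLL through a single-letter export or carry an opaque numeric name, a populated AppInit_DLLs, and shell load points whose file is missing.

```python
"""Heuristic triage of HijackThis (HJT) log lines: an added illustration, not
code from this thread or from HijackThis. It applies the checks an analyst
makes by eye to the load-point entry types F2, O1, O4, O20, O21 and O22."""
import re
from dataclasses import dataclass

LOCAL_ADDRS = {"127.0.0.1", "0.0.0.0", "::1"}   # legitimate hosts-file targets
DEFAULT_USERINIT = "userinit.exe"                # stock Windows XP UserInit
# rundll32 loading a DLL through a single-letter export:  "...\x.dll",s
RUNDLL_ONE_LETTER = re.compile(
    r'rundll32(?:\.exe)?\s+"?([^",]+\.dll)"?,([a-z])\b', re.I)
# Run value name that is only digits or 8 hex digits instead of a product name
OPAQUE_VALUE_NAME = re.compile(r'^\[(\d+|[0-9a-f]{8})\]', re.I)
# <digits>\<same digits>.exe: a dropper naming habit seen under Application Data
NUMERIC_DROPPER = re.compile(r'\\(\d{5,})\\\1\.exe\b', re.I)


@dataclass(frozen=True)
class Finding:
    kind: str    # HJT entry type, e.g. "O4"
    reason: str  # why the entry is suspicious
    line: str    # the offending log line, verbatim


def _check_f2(body):
    m = re.search(r'UserInit=(.+)$', body, re.I)
    if not m:
        return None
    exe = m.group(1).strip().rstrip(',').rsplit('\\', 1)[-1].lower()
    if exe == DEFAULT_USERINIT:
        return None
    return f"UserInit runs {exe} instead of {DEFAULT_USERINIT}"


def _check_o1(body):
    m = re.match(r'Hosts:\s+(\S+)\s+(\S+)', body)
    if m and m.group(1) not in LOCAL_ADDRS:
        return f"hosts file sends {m.group(2)} to remote address {m.group(1)}"
    return None


def _check_missing(body):
    # HJT marks load points whose target is gone; orphans are cleanup candidates
    return "load point references a missing file" if "(file missing)" in body.lower() else None


def _check_o4(body):
    cmd = body.split(": ", 1)[-1]            # drop the 'HKLM\..\Run' key prefix
    m = NUMERIC_DROPPER.search(cmd)
    if m:
        return f"numeric folder/exe pair {m.group(1)} under Application Data"
    if OPAQUE_VALUE_NAME.match(cmd):
        return "Run value name is an opaque number, not a product name"
    m = RUNDLL_ONE_LETTER.search(cmd)
    if m:
        return f"rundll32 loads {m.group(1)} via single-letter export '{m.group(2)}'"
    return None


def _check_o20(body):
    if not body.lower().startswith("appinit_dlls:"):
        return _check_missing(body)          # Winlogon Notify entries
    dlls = body.split(":", 1)[1].strip()
    # anything listed here is loaded into every process that maps user32.dll
    return f"AppInit_DLLs injects {dlls} into every user32 process" if dlls else None


CHECKS = {"F2": _check_f2, "O1": _check_o1, "O4": _check_o4,
          "O20": _check_o20, "O21": _check_missing, "O22": _check_missing}


def triage(lines):
    """Return a Finding for every load-point line that fails a check."""
    findings = []
    for raw in lines:
        line = raw.strip()
        parts = line.split(" - ", 1)         # "O4 - HKLM\..\Run: [name] cmd"
        if len(parts) == 2 and parts[0] in CHECKS:
            reason = CHECKS[parts[0]](parts[1])
            if reason:
                findings.append(Finding(parts[0], reason, line))
    return findings


# Sample input: lines copied from the log in this thread, plus one constructed
# benign hosts entry (ads.example.invalid) to show a local sinkhole is not flagged.
SAMPLE_LOG = r"""
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\winlogon86.exe
O1 - Hosts: 82.98.231.89 url.adtrgt.com
O1 - Hosts: 127.0.0.1 ads.example.invalid
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [zitobimupu] Rundll32.exe "C:\WINDOWS\system32\hohazoye.dll",s
O4 - HKLM\..\Run: [8017f807] rundll32.exe "C:\WINDOWS\system32\vomolapa.dll",b
O4 - HKLM\..\Run: [12861927] C:\Documents and Settings\All Users\Application Data\12861927\12861927.exe
O20 - AppInit_DLLs: C:\WINDOWS\system32\muhimese.dll c:\windows\system32\vatoteju.dll,rijegazo.dll
O20 - Winlogon Notify: ACNotify - ACNotify.dll (file missing)
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\vatoteju.dll (file missing)
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
""".strip().splitlines()
```

Calling `triage(SAMPLE_LOG)` returns eight findings (the F2, the remote-address O1, three O4 entries, both O20 lines and the O21), while the Synaptics Run entry, the sinkhole hosts line and the Symantec service pass untouched.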
N4Nathan commented:
A Simple System Restore from safe mode should do the trick.
optoma commented:
If still unsuccessful with above:

1. Try renaming Mbam or Combofix prior to saving them.
2. Run the removal tool in safe mode with networking.
reymannp (Author) commented:
Here is the combofix log:

ComboFix 09-12-25.02 - reymannp 12/25/2009  16:22:30.1.1 - x86
Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.1023.154 [GMT -7:00]
Running from: c:\$sprint\ComboFix.exe
AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: Symantec Client Firewall *disabled* {5CB76A43-5FAD-476B-B9FF-26FA61F13187}
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\documents and settings\All Users\Start Menu\Internet Explorer.lnk
c:\program files\\setup.exe
c:\recycler\S-1-5-21-1202660629-2077806209-682003330-500
c:\recycler\S-1-5-21-2565272303-2409329923-1198774929-500
c:\windows\kozuboho.dll
c:\windows\system32\11478.exe
c:\windows\system32\11538.exe
c:\windows\system32\11942.exe
c:\windows\system32\12382.exe
c:\windows\system32\14604.exe
c:\windows\system32\14771.exe
c:\windows\system32\153.exe
c:\windows\system32\15724.exe
c:\windows\system32\16827.exe
c:\windows\system32\17421.exe
c:\windows\system32\18467.exe
c:\windows\system32\1869.exe
c:\windows\system32\18716.exe
c:\windows\system32\19169.exe
c:\windows\system32\19718.exe
c:\windows\system32\19895.exe
c:\windows\system32\19912.exe
c:\windows\system32\21726.exe
c:\windows\system32\23281.exe
c:\windows\system32\24464.exe
c:\windows\system32\26500.exe
c:\windows\system32\26962.exe
c:\windows\system32\28145.exe
c:\windows\system32\292.exe
c:\windows\system32\29358.exe
c:\windows\system32\2995.exe
c:\windows\system32\32391.exe
c:\windows\system32\3902.exe
c:\windows\system32\41.exe
c:\windows\system32\4827.exe
c:\windows\system32\491.exe
c:\windows\system32\5436.exe
c:\windows\system32\5447.exe
c:\windows\system32\5705.exe
c:\windows\system32\6334.exe
c:\windows\system32\9961.exe
c:\windows\system32\amanavom.ini
c:\windows\system32\apalomov.ini
c:\windows\system32\AVR10.exe
c:\windows\system32\azenibey.ini
c:\windows\system32\bahegatu.dll
c:\windows\system32\balumugo.dll
c:\windows\system32\belagayi.dll
c:\windows\system32\beruvufi.dll
c:\windows\system32\bewijeze.dll
c:\windows\system32\bohupota.dll
c:\windows\system32\bovejuto.dll
c:\windows\system32\budekaju.dll
c:\windows\system32\dehaziku.dll
c:\windows\system32\delutaha.dll
c:\windows\system32\dizubure.dll
c:\windows\system32\dodedeva.dll
c:\windows\system32\dukazewe.exe
c:\windows\system32\duyojaye.dll
c:\windows\system32\edelumup.ini
c:\windows\system32\epodojiz.ini
c:\windows\system32\epomiyuy.ini
c:\windows\system32\ezisijez.ini
c:\windows\system32\fabipibu.dll
c:\windows\system32\faviheki.dll
c:\windows\system32\fidavine.dll
c:\windows\system32\fubatuzo.dll
c:\windows\system32\fuvivuki.dll
c:\windows\system32\gidalepu.dll
c:\windows\system32\gitisowe.dll
c:\windows\system32\gogekaju.dll
c:\windows\system32\gudadamu.exe
c:\windows\system32\gulobimu.dll
c:\windows\system32\habemoya.dll
c:\windows\system32\hatasefa.dll
c:\windows\system32\hepusepi.dll
c:\windows\system32\higubowo.dll
c:\windows\system32\horefupa.dll
c:\windows\system32\hugeloko.dll
c:\windows\system32\hupunase.dll
c:\windows\system32\huzegeko.dll
c:\windows\system32\isanagew.ini
c:\windows\system32\itedatal.ini
c:\windows\system32\iwewojit.ini
c:\windows\system32\jejowada.dll
c:\windows\system32\jepeyumu.dll
c:\windows\system32\jetebusu.dll
c:\windows\system32\jevujuza.dll
c:\windows\system32\jujivane.dll
c:\windows\system32\kafawagi.dll
c:\windows\system32\kajikihi.dll
c:\windows\system32\kigilepi.dll
c:\windows\system32\kiropevu.dll
c:\windows\system32\konowahu.dll
c:\windows\system32\korediri.dll
c:\windows\system32\koyiwitu.dll
c:\windows\system32\latezopi.dll
c:\windows\system32\lavusita.dll
c:\windows\system32\layeleye.dll
c:\windows\system32\lefegeho.dll
c:\windows\system32\lilatawi.dll
c:\windows\system32\livovobe.dll
c:\windows\system32\lugopuko.dll
c:\windows\system32\mejiyuwo.dll
c:\windows\system32\mivekele.exe
c:\windows\system32\motatere.dll
c:\windows\system32\naluwota.dll
c:\windows\system32\navafono.dll
c:\windows\system32\nazonena.dll
c:\windows\system32\nekoneto.dll
c:\windows\system32\nesikesi.dll
c:\windows\system32\nogevivu.dll
c:\windows\system32\notewufe.dll
c:\windows\system32\nupevazu.dll
c:\windows\system32\nuzevuzi.dll
c:\windows\system32\ojiregob.ini
c:\windows\system32\okufozoy.ini
c:\windows\system32\parodupa.dll
c:\windows\system32\pasihawo.dll
c:\windows\system32\pehumeni.dll
c:\windows\system32\pemejilo.dll
c:\windows\system32\pisosuja.dll
c:\windows\system32\pizofubo.exe
c:\windows\system32\powihiza.dll
c:\windows\system32\puraviyu.dll
c:\windows\system32\pusekudu.dll
c:\windows\system32\puvugipe.dll
c:\windows\system32\pwdmon.dll
c:\windows\system32\rezafovo.dll
c:\windows\system32\rijegazo.dll
c:\windows\system32\risowupa.dll
c:\windows\system32\rohebiyi.dll
c:\windows\system32\rolabuye.dll
c:\windows\system32\ruhefife.dll
c:\windows\system32\rukohayo.dll
c:\windows\system32\sigalupi.dll
c:\windows\system32\soluwale.dll
c:\windows\system32\suzisuha.dll
c:\windows\system32\tevinuki.dll
c:\windows\system32\tezimawi.dll
c:\windows\system32\tilosupi.dll
c:\windows\system32\tizuguve.dll
c:\windows\system32\tojokiyi.dll
c:\windows\system32\ubayikit.ini
c:\windows\system32\ubofutad.ini
c:\windows\system32\veyoroda.dll
c:\windows\system32\voliyeyo.dll
c:\windows\system32\vubuwiwu.dll
c:\windows\system32\vujapede.dll
c:\windows\system32\waduyeso.dll
c:\windows\system32\wakosoli.dll
c:\windows\system32\wavoyolu.dll
c:\windows\system32\wifowigu.dll
c:\windows\system32\wimalowo.dll
c:\windows\system32\winhelper86.dll
c:\windows\system32\winlogon86.exe
c:\windows\system32\winupdate86.exe
c:\windows\system32\wojebeji.dll
c:\windows\system32\wojohilu.dll
c:\windows\system32\womayovi.dll
c:\windows\system32\wotunivo.dll
c:\windows\system32\wugeruti.dll
c:\windows\system32\wuhemiwa.dll
c:\windows\system32\yabokiya.dll
c:\windows\system32\yedibona.exe
c:\windows\system32\yefayupo.dll
c:\windows\system32\yofujaya.dll
c:\windows\system32\yokayinu.dll
c:\windows\system32\yonugese.dll
c:\windows\system32\zarowoma.dll
c:\windows\system32\zibuzuhu.dll
c:\windows\system32\zokemohi.dll
c:\windows\system32\zudijovu.dll
c:\windows\system32\zuhukowa.dll
c:\windows\system32\zuniwoha.dll
c:\windows\system32\zutozube.dll
c:\windows\tenufuto.dll
c:\windows\wewirase.dll

----- BITS: Possible infected sites -----

hxxp://82.98.235.29
.
(((((((((((((((((((((((((   Files Created from 2009-11-25 to 2009-12-25  )))))))))))))))))))))))))))))))
.

2009-12-25 21:48 . 2009-12-03 23:14      38224      ----a-w-      c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-25 21:48 . 2009-12-25 21:48      --------      d-----w-      c:\documents and settings\All Users\Application Data\Malwarebytes
2009-12-25 21:48 . 2009-12-25 21:48      --------      d-----w-      c:\program files\Malwarebytes' Anti-Malware
2009-12-25 21:48 . 2009-12-03 23:13      19160      ----a-w-      c:\windows\system32\drivers\mbam.sys
2009-12-25 20:57 . 2009-12-25 20:57      --------      d-----w-      c:\program files\TrendMicro
2009-12-25 20:17 . 2008-11-06 09:03      --------      d-----w-      C:\SDFix
2009-12-06 21:49 . 2009-12-06 21:49      --------      d-----w-      c:\windows\system32\XPSViewer
2009-12-06 21:49 . 2009-12-06 21:49      --------      d-----w-      c:\program files\MSBuild
2009-12-06 21:49 . 2009-12-06 21:49      --------      d-----w-      c:\program files\Reference Assemblies
2009-12-06 21:48 . 2008-07-06 12:06      89088      ----a-w-      c:\windows\system32\Spool\prtprocs\w32x86\filterpipelineprintproc.dll
2009-12-06 21:47 . 2008-07-06 12:06      117760      ------w-      c:\windows\system32\prntvpt.dll
2009-12-06 21:47 . 2008-07-06 12:06      89088      -c----w-      c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-12-06 21:47 . 2008-07-06 12:06      575488      -c----w-      c:\windows\system32\dllcache\xpsshhdr.dll
2009-12-06 21:47 . 2008-07-06 12:06      575488      ------w-      c:\windows\system32\xpsshhdr.dll
2009-12-06 21:47 . 2008-07-06 12:06      1676288      -c----w-      c:\windows\system32\dllcache\xpssvcs.dll
2009-12-06 21:47 . 2008-07-06 12:06      1676288      ------w-      c:\windows\system32\xpssvcs.dll
2009-12-06 21:47 . 2008-07-06 10:50      597504      -c----w-      c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-12-06 21:47 . 2008-07-06 10:50      597504      ------w-      c:\windows\system32\Spool\prtprocs\w32x86\printfilterpipelinesvc.exe
2009-12-06 21:47 . 2009-12-06 21:48      --------      d-----w-      C:\877d481083a46d4746c771bcdc0befab
2009-12-06 21:46 . 2009-12-07 00:16      --------      d-----w-      c:\windows\SxsCaPendDel
2009-12-04 10:39 . 2009-12-04 10:39      --------      d-----w-      c:\windows\system32\KB905474
2009-12-04 10:39 . 2009-03-11 05:26      1403264      ----a-w-      c:\windows\system32\KB905474\wganotifypackageinner.exe
2009-12-04 10:39 . 2009-03-11 05:18      453512      ----a-w-      c:\windows\system32\KB905474\wgasetup.exe
2009-12-03 21:48 . 2009-12-03 21:48      --------      d-----w-      c:\documents and settings\Administrator\Local Settings\Application Data\PCHealth
2009-12-03 21:38 . 2009-12-03 22:13      --------      d-----w-      c:\windows\system32\CatRoot_bak
2009-12-03 21:19 . 2008-06-13 13:10      272128      -c----w-      c:\windows\system32\dllcache\bthport.sys
2009-12-03 21:19 . 2008-06-13 13:10      272128      ------w-      c:\windows\system32\drivers\bthport.sys
2009-12-03 21:00 . 2008-10-24 11:10      453632      -c----w-      c:\windows\system32\dllcache\mrxsmb.sys
2009-12-03 20:59 . 2009-08-04 13:58      2136064      -c----w-      c:\windows\system32\dllcache\ntkrnlmp.exe
2009-12-03 20:59 . 2009-08-04 14:00      2180352      -c----w-      c:\windows\system32\dllcache\ntoskrnl.exe
2009-12-03 20:58 . 2009-08-04 13:13      2015744      -c----w-      c:\windows\system32\dllcache\ntkrpamp.exe
2009-12-03 20:58 . 2009-08-04 13:13      2057728      -c----w-      c:\windows\system32\dllcache\ntkrnlpa.exe
2009-12-03 20:29 . 2009-12-03 20:32      --------      d-----w-      c:\documents and settings\All Users\Application Data\PCDr
2009-12-03 20:28 . 2009-12-03 20:32      --------      d-----w-      c:\program files\PCDR5

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-25 23:36 . 2005-04-05 17:21      --------      d-----w-      c:\program files\C4ebreg
2009-12-25 23:19 . 2009-12-25 23:19      0      ---ha-w-      c:\windows\system32\BIT67.tmp
2009-12-25 23:17 . 2009-12-25 23:17      0      ---ha-w-      c:\windows\system32\BIT64.tmp
2009-12-25 23:17 . 2009-12-25 23:17      0      ---ha-w-      c:\windows\system32\BIT62.tmp
2009-12-25 23:16 . 2009-12-25 23:16      0      ---ha-w-      c:\windows\system32\BIT5F.tmp
2009-12-25 22:49 . 2005-04-05 20:10      --------      d-----w-      c:\program files\WST
2009-12-25 20:30 . 2007-10-15 21:36      1324      ----a-w-      c:\windows\system32\d3d9caps.dat
2009-12-25 03:13 . 2006-01-24 00:45      --------      d-----w-      c:\program files\Common Files\Symantec Shared
2009-12-25 03:10 . 2007-06-19 14:18      50844      ---ha-w-      c:\windows\system32\mlfcache.dat
2009-12-24 23:21 . 2009-12-24 23:21      3      ---ha-w-      c:\windows\system32\BIT1AD.tmp
2009-12-24 23:21 . 2009-12-24 23:21      3      ---ha-w-      c:\windows\system32\BIT1AC.tmp
2009-12-24 23:21 . 2009-12-24 23:21      3      ---ha-w-      c:\windows\system32\BIT1AB.tmp
2009-12-24 23:21 . 2009-12-24 23:21      3      ---ha-w-      c:\windows\system32\BIT1AA.tmp
2009-12-24 23:21 . 2009-12-24 23:21      3      ---ha-w-      c:\windows\system32\BIT1A5.tmp
2009-12-24 02:51 . 2007-08-09 17:06      40      ----a-w-      c:\windows\system32\profile.dat
2009-12-23 18:55 . 2006-02-10 22:20      --------      d-----w-      c:\program files\AT&T Network Client
2009-12-07 14:59 . 2005-04-04 18:17      55528      ----a-w-      c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-11-30 22:02 . 2009-10-07 21:17      6016      ----a-w-      c:\windows\system32\drivers\isamfilter.sys
2009-11-19 15:12 . 2006-06-19 20:57      --------      d-----w-      c:\program files\Opera
2009-11-17 18:57 . 2005-07-29 18:05      64792      ----a-w-      c:\windows\isamunin.exe
2009-11-15 21:13 . 2007-05-08 01:43      --------      d--h--w-      c:\documents and settings\Administrator\Application Data\Move Networks
2009-11-12 16:46 . 2007-07-24 04:58      --------      d---a-w-      c:\documents and settings\All Users\Application Data\TEMP
2009-11-12 16:45 . 2009-11-12 15:28      --------      d-----w-      c:\program files\Spyware Doctor
2009-11-12 16:45 . 2009-11-12 15:28      --------      d-----w-      c:\program files\Common Files\PC Tools
2009-10-29 07:46 . 2004-08-04 05:00      832512      ----a-w-      c:\windows\system32\wininet.dll
2009-10-29 07:46 . 2004-08-04 05:00      78336      ----a-w-      c:\windows\system32\ieencode.dll
2009-10-29 07:46 . 2004-08-04 05:00      17408      ----a-w-      c:\windows\system32\corpol.dll
2009-10-21 06:00 . 2004-08-04 05:00      75776      ----a-w-      c:\windows\system32\strmfilt.dll
2009-10-21 06:00 . 2004-08-04 05:00      25088      ----a-w-      c:\windows\system32\httpapi.dll
2009-10-20 14:58 . 2004-08-04 05:00      263552      ----a-w-      c:\windows\system32\drivers\http.sys
2009-10-13 10:53 . 2004-08-04 05:00      266752      ----a-w-      c:\windows\system32\oakley.dll
2009-10-12 13:54 . 2004-08-04 05:00      69632      ----a-w-      c:\windows\system32\raschap.dll
2009-10-12 13:54 . 2004-08-04 05:00      112128      ----a-w-      c:\windows\system32\rastls.dll
2006-02-24 16:57 . 2006-02-24 16:57      2352893      ----a-w-      c:\program files\openofficeorg4.cab
2006-02-24 16:57 . 2006-02-24 16:57      52855506      ----a-w-      c:\program files\openofficeorg3.cab
2006-02-24 16:52 . 2006-02-24 16:52      14867699      ----a-w-      c:\program files\openofficeorg2.cab
2006-02-24 16:52 . 2006-02-24 16:52      18307890      ----a-w-      c:\program files\openofficeorg1.cab
2006-02-24 16:50 . 2006-02-24 16:50      217      ----a-w-      c:\program files\setup.ini
2006-02-24 16:50 . 2006-02-24 16:50      5224448      ----a-w-      c:\program files\openofficeorg20.msi
2002-03-11 09:06 . 2002-03-11 09:06      1822520      ----a-w-      c:\program files\instmsiw.exe
2002-03-11 08:45 . 2002-03-11 08:45      1708856      ----a-w-      c:\program files\instmsia.exe
2008-10-17 14:36 . 2008-10-17 14:36      27976      ----a-w-      c:\program files\mozilla firefox\plugins\atgpcdec.dll
2008-10-17 19:02 . 2008-10-17 14:36      125840      ----a-w-      c:\program files\mozilla firefox\plugins\atgpcext.dll
2008-10-17 17:50 . 2008-10-17 17:50      46408      ----a-w-      c:\program files\mozilla firefox\plugins\atmccli.dll
2008-10-17 14:36 . 2008-10-17 14:36      98704      ----a-w-      c:\program files\mozilla firefox\plugins\ieatgpc.dll
2008-10-17 14:36 . 2008-10-17 14:36      107848      ----a-w-      c:\program files\mozilla firefox\plugins\mwmcli.dll
2009-08-18 03:35 . 2009-08-18 03:35      3      --sha-w-      c:\windows\zayiyahu.dll
2009-01-20 14:28 . 2009-01-20 14:28      70144      --sha-w-      c:\windows\system32\fadateta.dll.tmp
2009-04-25 16:07 . 2009-04-25 16:07      2713      --sh--w-      c:\windows\system32\kowogepu.dll
2009-01-14 16:18 . 2009-01-14 16:18      69632      --sha-w-      c:\windows\system32\mohijani.dll.tmp
2009-01-14 16:18 . 2009-01-14 16:18      69632      --sha-w-      c:\windows\system32\namiroto.dll.tmp
2009-01-23 02:30 . 2009-01-23 02:30      70144      --sha-w-      c:\windows\system32\napinope.dll.tmp
2009-09-24 23:15 . 2009-09-24 23:15      22016      --sha-w-      c:\windows\system32\nowikuje.exe
2009-04-20 14:51 . 2009-04-20 14:51      1411355      --sh--w-      c:\windows\system32\ojiregob.tmp
2009-01-23 02:30 . 2009-01-23 02:30      70144      --sha-w-      c:\windows\system32\pirabumo.dll.tmp
2009-01-23 02:30 . 2009-01-23 02:30      70144      --sha-w-      c:\windows\system32\poyutole.dll.tmp
2009-04-25 16:07 . 2009-04-25 16:07      2713      --sh--w-      c:\windows\system32\rehenano.exe
2009-01-14 16:18 . 2009-01-14 16:18      69632      --sha-w-      c:\windows\system32\ruyoneta.dll.tmp
2009-01-20 14:28 . 2009-01-20 14:28      70144      --sha-w-      c:\windows\system32\vusilina.dll.tmp
2009-01-20 14:28 . 2009-01-20 14:28      70144      --sha-w-      c:\windows\system32\yibavisu.dll.tmp
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SPSTEALT"="c:\program files\Smart Protector Pro\SmartProtector-Pro.exe" [2007-06-29 1945600]
"NetSP - restore settings on power failure"="c:\program files\AT&T Network Client\NetSP.exe" [2007-01-13 24576]
"Google Update"="c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-04-25 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"pmonmh"="c:\program files\IBM\My Help\plugins\\com.ibm.myhelp.common_1.4.19" [X]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"Tpam.exe"="c:\program files\IBM\Personal Communications\tpam.exe" [2004-04-27 28672]
"ISAMTray"="c:\program files\c4ebreg\isamtray.exe" [2009-11-17 285976]
"TPHOTKEY"="c:\progra~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe" [2004-08-17 94208]
"BMMLREF"="c:\program files\ThinkPad\Utilities\BMMLREF.EXE" [2006-02-10 20480]
"BMMMONWND"="c:\progra~1\ThinkPad\UTILIT~1\BatInfEx.dll" [2006-02-10 396288]
"BLOG"="c:\progra~1\ThinkPad\UTILIT~1\BatLogEx.DLL" [2006-02-10 208896]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2006-02-10 110592]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-02-10 512000]
"TP4EX"="tp4ex.exe" [2005-08-24 40960]
"TPKMAPHELPER"="c:\program files\ThinkPad\Utilities\TpKmapAp.exe" [2005-10-28 864256]
"TpShocks"="TpShocks.exe" [2005-11-07 106496]
"MyHelpService"="c:\program files\IBM\My Help\workspace\service\delayStart.exe" [2009-03-13 94208]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-11-16 127035]
"C4EBReg"="c:\program files\c4ebreg\c4ebreg.exe" [2009-11-17 478488]
"IBMPRC"="c:\ibmtools\UTILS\ibmprc.exe" [2005-04-27 90112]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-12 49152]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 241664]
"stgclean"="c:\sdwork\w32maing.exe" [2009-11-23 266752]
"ACTray"="c:\program files\ThinkPad\ConnectUtilities\ACTray.exe" [2006-10-06 409600]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-07-20 52896]
"vptray"="c:\progra~1\SYMANT~2\SYMANT~2\VPTray.exe" [2006-09-28 125168]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"ISSI Service"="c:\sdwork\issimsvc.exe" [2009-12-10 241392]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-5-11 282624]
Lotus QuickStart.lnk - c:\lotus\wordpro\ltsstart.exe [2003-4-7 32768]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDevMgrUpdate"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pcsinst]
2004-04-27 22:02      49152      ----a-w-      c:\windows\system32\pcsinst.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]
2006-02-10 21:59      28672      ----a-w-      c:\windows\system32\notifyf2.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
2006-02-10 21:59      24576      ----a-w-      c:\windows\system32\tphklock.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=dword:00000001
"IBMconfig"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

R0 ANCSQ;ANCSQ;c:\windows\system32\drivers\ANCSQ.sys [4/27/2005 2:15 AM 6912]
R1 TPPWR;TPPWR;c:\windows\system32\drivers\TPPWR.SYS [2/10/2006 3:23 PM 16384]
R2 RDIConverterPrintHelper;RDI Document Conversion Helper;c:\program files\Common Files\ICWM\Printer\RDIConverterService.exe [1/17/2008 7:23 AM 59392]
R2 SavRoam;SAVRoam;c:\program files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe [9/27/2006 7:33 PM 116464]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [8/29/2009 11:19 AM 102448]
S3 gwiopm;gwiopm; [x]
S3 IsamFilter;IsamFilter;c:\windows\system32\drivers\isamfilter.sys [10/7/2009 2:17 PM 6016]
S3 PCDSRVC{9503439C-19F1437D-06000000}_0;PCDSRVC{9503439C-19F1437D-06000000}_0 - PCDR Kernel Mode Service Helper Driver;c:\program files\PCDR5\pcdsrvc.pkms [2/19/2009 2:50 PM 20848]
.
------- Supplementary Scan -------
.
uStart Page = w3.ibm.com
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local;<local>
IE:       
DPF: Microsoft XML Parser for Java
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\4m895696.default\
FF - prefs.js: browser.startup.homepage - w3.ibm.com
FF - component: c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\4m895696.default\extensions\piclens@cooliris.com\components\cooliris.dll
FF - plugin: c:\documents and settings\Administrator\Application Data\Move Networks\plugins\npqmp071500000347.dll
FF - plugin: c:\documents and settings\Administrator\Application Data\Move Networks\plugins\npqmp071701000002.dll
FF - plugin: c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\4m895696.default\extensions\piclens@cooliris.com\plugins\npcoolirisplugin.dll
FF - plugin: c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npatgpc.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbrowster.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npcpsweb.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\Opera\program\plugins\npdivx32.dll
FF - plugin: c:\program files\Virtual Earth 3D\npVE3D.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.
- - - - ORPHANS REMOVED - - - -

BHO-{f223935e-a7ed-44a9-8e85-00307a35e0b8} - nupevazu.dll
HKCU-Run-Uniblue RegistryBooster 2009 - c:\program files\Uniblue\RegistryBooster\RegistryBooster.exe
HKCU-Run-BitTorrent - c:\program files\BitTorrent\bittorrent.exe
HKLM-Run-zitobimupu - dehaziku.dll
HKLM-Run-8017f807 - c:\windows\system32\vomolapa.dll
HKLM-Run-CPM8324cb9b - c:\windows\system32\vatoteju.dll
Notify-ACNotify - ACNotify.dll
Notify-atmgrtok - atmgrtok.dll



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-25 16:38
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...  

scanning hidden autostart entries ...

scanning hidden files ...  

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\PCDSRVC{9503439C-19F1437D-06000000}_0]
"ImagePath"="\??\c:\program files\pcdr5\pcdsrvc.pkms"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(736)
c:\program files\ThinkPad\ConnectUtilities\ACNotify.dll
c:\program files\ThinkPad\ConnectUtilities\AcSvcStub.dll
c:\program files\ThinkPad\ConnectUtilities\AcLocSettings.dll
c:\program files\ThinkPad\ConnectUtilities\ACHelper.dll
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\tphklock.dll
c:\program files\IBM\Personal Communications\atmgrtok.dll
c:\program files\IBM\Personal Communications\MILLUTIL.DLL
c:\windows\system32\pcsinst.dll

- - - - - - - > 'explorer.exe'(2724)
c:\windows\system32\WININET.dll
c:\program files\Smart Protector Pro\sphook.dll
c:\windows\system32\browselc.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ibmpmsvc.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\program files\Common Files\Symantec Shared\ccProxy.exe
c:\program files\Symantec Client Security\Symantec Client Firewall\ISSVC.exe
c:\program files\Common Files\Symantec Shared\SNDSrvc.exe
c:\windows\system32\Drivers\trcboot.exe
c:\program files\IBM\Personal Communications\PCS_AGNT.EXE
c:\program files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
c:\program files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\notes\ntmulti.exe
c:\program files\AT&T Network Client\NetCfgSv.EXE
c:\windows\system32\HPZipm12.exe
c:\program files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
c:\program files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
c:\windows\System32\TPHDEXLG.EXE
c:\windows\system32\TpKmpSVC.exe
c:\windows\system32\Drivers\ldlcserv.exe
c:\program files\ThinkPad\ConnectUtilities\AcSvc.exe
c:\windows\system32\acs.exe
c:\program files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\rundll32.exe
c:\program files\Lenovo\PkgMgr\HOTKEY\TPONSCR.exe
c:\program files\Lenovo\PkgMgr\HOTKEY_1\TpScrex.exe
c:\windows\system32\TpShocks.exe
c:\program files\IBM\My Help\plugins\com.ibm.myhelp.common_1.4.19\pmonmh.exe
c:\program files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
c:\program files\IBM\My Help\MyHelp.exe
c:\program files\IBM\My Help\jre\bin\myhelpw.exe
.
**************************************************************************
.
Completion time: 2009-12-25  16:52:07 - machine was rebooted
ComboFix-quarantined-files.txt  2009-12-25 23:52

Pre-Run: 47,689,777,152 bytes free
Post-Run: 47,714,426,880 bytes free

- - End Of File - - 4B666B7DD3A920AAE7AA110AFBA0187E

Malwarebytes scan resulted in the following:

Malwarebytes' Anti-Malware 1.42
Database version: 3289
Windows 5.1.2600 Service Pack 2
Internet Explorer 7.0.5730.11

12/25/2009 5:31:10 PM
mbam-log-2009-12-25 (17-31-10).txt

Scan type: Quick Scan
Objects scanned: 124215
Time elapsed: 11 minute(s), 15 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\kowogepu.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.

I think this takes care of it. Let me reboot to confirm.

optoma commented:
I'm not convinced that all is fully clear. Let Combofix's logfile be reviewed to make sure.
Run Hitman Pro http://www.surfright.nl/en/hitmanpro and make note of anything.
If it finds Combofix as suspicious, ignore it.

warturtle commented:
Hello,

Yes, I too agree with Optoma: we need to scan again to make sure that the problems are completely finished. Running ComboFix again would be a good idea, or else run a full MalwareBytes scan followed by a full scan with your own antivirus.

These files look strange to me:

c:\windows\zayiyahu.dll
c:\windows\system32\fadateta.dll.tmp
c:\windows\system32\kowogepu.dll
c:\windows\system32\mohijani.dll.tmp
c:\windows\system32\namiroto.dll.tmp
c:\windows\system32\napinope.dll.tmp
c:\windows\system32\nowikuje.exe
c:\windows\system32\ojiregob.tmp
c:\windows\system32\pirabumo.dll.tmp
c:\windows\system32\poyutole.dll.tmp
c:\windows\system32\rehenano.exe
c:\windows\system32\ruyoneta.dll.tmp
c:\windows\system32\vusilina.dll.tmp
c:\windows\system32\yibavisu.dll.tmp

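The files warturtle lists share two traits that are visible in the ComboFix listing further up: hidden+system attributes (the "--sha-w-" / "--sh--w-" column) under c:\windows, and eight-letter names that strictly alternate consonants and vowels, the same shape as kowogepu.dll, the file Malwarebytes identified as Trojan.Vundo.H. The log's "Reg Loading Points" section also shows Security Center monitoring switched off and the Windows Firewall disabled for the standard profile. The script below is an added example (not ComboFix's, Malwarebytes' or any poster's code) that parses ComboFix-style listing lines and REGEDIT4 lines and flags both kinds of indicator. The sample log is constructed from lines in the thread; the name heuristic, the "c:\windows" prefix test and the finding labels are my own assumptions, not ComboFix output fields.

```python
"""ComboFix log triage: added example for this thread, not ComboFix's own code.

Parses the two sections that carry the signal here (the file listing and the
REGEDIT4 "Reg Loading Points" dump) and flags hidden+system files under the
Windows directory, files whose basename is an 8-letter consonant/vowel-
alternating word (the shape of every file warturtle lists and of the one
Malwarebytes named Trojan.Vundo.H), and Security Center / firewall-policy
values that switch monitoring off. SAMPLE_LOG is constructed from the thread.
"""
import re

SAMPLE_LOG = r"""
2006-02-24 16:50 . 2006-02-24 16:50      217      ----a-w-      c:\program files\setup.ini
2009-08-18 03:35 . 2009-08-18 03:35      3      --sha-w-      c:\windows\zayiyahu.dll
2009-01-20 14:28 . 2009-01-20 14:28      70144      --sha-w-      c:\windows\system32\fadateta.dll.tmp
2009-04-25 16:07 . 2009-04-25 16:07      2713      --sh--w-      c:\windows\system32\kowogepu.dll
2009-04-20 14:51 . 2009-04-20 14:51      1411355      --sh--w-      c:\windows\system32\ojiregob.tmp
2009-09-24 23:15 . 2009-09-24 23:15      22016      --sha-w-      c:\windows\system32\nowikuje.exe
REGEDIT4
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=dword:00000001
"IBMconfig"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"""

# Listing line: "<created> . <modified>  <size>  <attrs>  <path>", where attrs
# is ComboFix's 8-character "--sha-w-" column ('-' where a flag is unset).
FILE_LINE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} \. \d{4}-\d{2}-\d{2} \d{2}:\d{2}\s+"
    r"(?P<size>\d+)\s+(?P<attrs>[-a-z]{8})\s+(?P<path>\S.*)$"
)
# Heuristic (assumption): eight lowercase letters strictly alternating
# consonant/vowel, starting with either. 'y' is treated as a consonant.
RANDOM_STEM = re.compile(
    r"^(?:[b-df-hj-np-tv-z][aeiou]){4}$|^(?:[aeiou][b-df-hj-np-tv-z]){4}$"
)
KEY_LINE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_LINE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<raw>.+)$')


def looks_generated(path):
    """True when the file's stem has the Vundo-style random-name shape."""
    stem = path.rsplit("\\", 1)[-1].split(".")[0]
    return bool(RANDOM_STEM.match(stem))


def suspicious_files(log):
    """Return [(path, [reasons])] for listing lines that deserve a second look."""
    hits = []
    for line in log.splitlines():
        m = FILE_LINE.match(line.strip())
        if not m:
            continue
        path, attrs, reasons = m["path"].lower(), m["attrs"], []
        if "s" in attrs and "h" in attrs and path.startswith("c:\\windows"):
            reasons.append("hidden+system attributes under the Windows directory")
        if looks_generated(path):
            reasons.append("8-letter consonant/vowel pseudo-random name")
        if reasons:
            hits.append((path, reasons))
    return hits


def reg_int(raw):
    """Parse 'dword:00000001' or '0 (0x0)' into an int (None if neither)."""
    raw = raw.strip()
    if raw.lower().startswith("dword:"):
        return int(raw[6:], 16)
    m = re.match(r"-?\d+", raw)
    return int(m.group()) if m else None


def weakened_security(log):
    """Return [(key, name, value, why)] for values that mute the Security Center."""
    findings, key = [], ""
    for line in log.splitlines():
        line = line.strip()
        k = KEY_LINE.match(line)
        if k:
            key = k["key"].lower()
            continue
        v = VALUE_LINE.match(line)
        if not v:
            continue
        name, value = v["name"], reg_int(v["raw"])
        if name == "FirewallOverride" and value == 1:
            findings.append((key, name, value, "firewall status override set"))
        elif name == "DisableMonitoring" and value == 1 and "\\monitoring\\" in key:
            findings.append((key, name, value, "Security Center monitoring disabled"))
        elif name == "EnableFirewall" and value == 0 and "firewallpolicy" in key:
            findings.append((key, name, value, "Windows Firewall off for this profile"))
    return findings


if __name__ == "__main__":
    for path, reasons in suspicious_files(SAMPLE_LOG):
        print(f"FILE {path}: {'; '.join(reasons)}")
    for key, name, value, why in weakened_security(SAMPLE_LOG):
        print(f"REG  [{key}] {name}={value}: {why}")
```

Run it against a saved ComboFix.txt by replacing SAMPLE_LOG with the file contents. Two caveats apply to the registry findings: a third-party suite such as the Symantec Client Security seen here legitimately sets DisableMonitoring for itself, and the "IBMconfig" value suggests a corporate build where the Windows Firewall may be turned off by policy in favour of the Symantec firewall, so compare those values against the organisation's baseline before reading them as evidence of infection. The file-name heuristic is a triage aid, not a verdict: a hit is a reason to check the file's hash and signature, and a miss does not clear a file.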
