worm.win32.netsky - Help

Following the instructions from another thread, here is the text file I received after running HijackThis.

Logfile of Trend Micro HijackThis v2.0.3 (BETA)
Scan saved at 1:58:56 PM, on 12/25/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16945)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Symantec Client Security\Symantec Client Firewall\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Drivers\trcboot.exe
C:\Program Files\IBM\Personal Communications\PCS_AGNT.EXE
C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
C:\Program Files\c4ebreg\c4ebreg.exe
c:\sdwork\issimsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\notes\ntmulti.exe
C:\Program Files\AT&T Network Client\NetCfgSv.EXE
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Common Files\ICWM\Printer\RDIConverterService.exe
c:\Program Files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
C:\WINDOWS\System32\TPHDEXLG.EXE
C:\WINDOWS\system32\TpKmpSVC.exe
C:\WINDOWS\system32\Drivers\ldlcserv.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
C:\WINDOWS\system32\acs.exe
C:\Program Files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\IBM\Personal Communications\tpam.exe
C:\Program Files\c4ebreg\isamtray.exe
C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\TpShocks.exe
C:\Program Files\Lenovo\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\Lenovo\PkgMgr\HOTKEY_1\TpScrex.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\IBMTOOLS\UTILS\ibmprc.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~2\SYMANT~2\VPTray.exe
C:\Program Files\IBM\My Help\plugins\com.ibm.myhelp.common_1.4.19\pmonmh.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\winupdate86.exe
C:\Program Files\Smart Protector Pro\SmartProtector-Pro.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\Program Files\Safari\Safari.exe
C:\Program Files\IBM\My Help\MyHelp.exe
C:\Program Files\IBM\My Help\jre\bin\myhelpw.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\TrendMicro\HiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = w3.ibm.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;<local>
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\winlogon86.exe
O1 - Hosts: 82.98.231.89 url.adtrgt.com
O1 - Hosts: 82.98.231.89 googleads2.gdoubleclick.net
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [Tpam.exe] "C:\Program Files\IBM\Personal Communications\tpam.exe"
O4 - HKLM\..\Run: [ISAMTray] "C:\Program Files\c4ebreg\isamtray.exe"
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [BMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE
O4 - HKLM\..\Run: [BMMMONWND] rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatInfEx.dll,BMMAutonomicMonitor
O4 - HKLM\..\Run: [BLOG] rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL,StartBattLog
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [MyHelpService] C:\Program Files\IBM\My Help\workspace\service\delayStart.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [C4EBReg] "C:\Program Files\c4ebreg\c4ebreg.exe" /q
O4 - HKLM\..\Run: [IBMPRC] C:\IBMTOOLS\UTILS\ibmprc.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [stgclean] c:\sdwork\w32maing.exe /cleanup
O4 - HKLM\..\Run: [ACTray] C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~2\SYMANT~2\VPTray.exe
O4 - HKLM\..\Run: [pmonmh] C:\Program Files\IBM\My Help\plugins\\com.ibm.myhelp.common_1.4.19/pmonmh.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [ISSI Service] "c:\sdwork\issimsvc.exe"
O4 - HKLM\..\Run: [zitobimupu] Rundll32.exe "C:\WINDOWS\system32\hohazoye.dll",s
O4 - HKLM\..\Run: [8017f807] rundll32.exe "C:\WINDOWS\system32\vomolapa.dll",b
O4 - HKLM\..\Run: [CPM8324cb9b] Rundll32.exe "c:\windows\system32\vatoteju.dll",a
O4 - HKLM\..\Run: [12861927] C:\Documents and Settings\All Users\Application Data\12861927\12861927.exe
O4 - HKLM\..\Run: [winupdate86.exe] C:\WINDOWS\system32\winupdate86.exe
O4 - HKCU\..\Run: [SPSTEALT] "C:\Program Files\Smart Protector Pro\SmartProtector-Pro.exe" /stealt
O4 - HKCU\..\Run: [NetSP - restore settings on power failure] "C:\Program Files\AT&T Network Client\NetSP.exe" -show
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2009] C:\Program Files\Uniblue\RegistryBooster\RegistryBooster.exe /S
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe"
O4 - HKUS\S-1-5-19\..\Run: [zitobimupu] Rundll32.exe "C:\WINDOWS\system32\hohazoye.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [zitobimupu] Rundll32.exe "C:\WINDOWS\system32\hohazoye.dll",s (User 'NETWORK SERVICE')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Lotus QuickStart.lnk = ?
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Add to PrivUrl - {BC9FC656-BAE1-49CF-B09F-7CA8A0632FE9} - C:\WINDOWS\system32\shdocvw.dll (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://w3.ibm.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = IBM.COM,boulder.ibm.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = ibm.com
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: SearchList = ibm.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = ibm.com
O20 - AppInit_DLLs: C:\WINDOWS\system32\muhimese.dll c:\windows\system32\vatoteju.dll,rijegazo.dll
O20 - Winlogon Notify: ACNotify - ACNotify.dll (file missing)
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\vatoteju.dll (file missing)
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\vatoteju.dll (file missing)
O23 - Service: Ac Profile Manager Service (AcPrfMgrSvc) - Unknown owner - C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
O23 - Service: ACU Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
O23 - Service: Access Connections Main Service (AcSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AppnNode - IBM Corporation - C:\WINDOWS\system32\Drivers\appnnode.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: IBM Rapid Restore Ultra Service - Unknown owner - C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: IBM Standard Asset Manager Service (ISAMSvc) - IBM Corp. - C:\Program Files\c4ebreg\c4ebreg.exe
O23 - Service: ISSI (ISSIMon) - IBM Corp. - c:\sdwork\issimsvc.exe
O23 - Service: IS Service (ISSVC) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec Client Firewall\ISSVC.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: IBM Enterprise Extender (ldlcserv) - IBM Corporation - C:\WINDOWS\system32\Drivers\ldlcserv.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~2.EXE
O23 - Service: Multi-user Cleanup Service - IBM Corp - C:\notes\ntmulti.exe
O23 - Service: Network Configuration Service (NetCfgSvr) - AT&T - C:\Program Files\AT&T Network Client\NetCfgSv.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - (no file)
O23 - Service: RDI Document Conversion Helper (RDIConverterPrintHelper) - Web Meeting - C:\Program Files\Common Files\ICWM\Printer\RDIConverterService.exe
O23 - Service: SAVRoam (SavRoam) - symantec - c:\Program Files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Symantec SecurePort (SymSecurePort) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\WINDOWS\System32\TPHDEXLG.EXE
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe
O23 - Service: IBM Trace Facility (TrcBoot) - IBM Corporation - C:\WINDOWS\system32\Drivers\trcboot.exe

--
End of file - 14106 bytes
Asked by reymannp

optoma commented:
What notifies you of Netsky?

Run Malwarebytes and attach the logfile afterwards:
http://www.malwarebytes.org/mbam-download.php

After that, run the Netsky removal tool:
http://www.nod32.it/cgi-bin/mapdl.pl?tool=Netsky

reymannp (Author) commented:
On Windows startup, an error message appears which tells me I have the worm. I then get an icon in my toolbar which tells me to click the icon, which will then download and install antispyware. I have not clicked the icon.

I was unable to run Malwarebytes. I received an error message saying a certain file wasn't found and the program could not load.

The NOD32 Netsky removal tool did detect the worm, but was unable to remove it.

warturtle commented:
Yes, there are bad entries in your HijackThis log. Download ComboFix from here:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Make sure that you read the instructions carefully before running this tool. It might be a rogue antispyware application that is probably already installed on your PC.

Send us the ComboFix logs so we can have a look at them. After running ComboFix, you should try to install Malwarebytes again and run it.

Hope it helps.

N4Nathan commented:
A simple System Restore from Safe Mode should do the trick.

optoma commented:
If still unsuccessful with the above:

1. Try renaming MBAM or ComboFix prior to saving them.
2. Run the removal tool in Safe Mode with Networking.

reymannp (Author) commented:
Here is the ComboFix log:

ComboFix 09-12-25.02 - reymannp 12/25/2009  16:22:30.1.1 - x86
Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.1023.154 [GMT -7:00]
Running from: c:\$sprint\ComboFix.exe
AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: Symantec Client Firewall *disabled* {5CB76A43-5FAD-476B-B9FF-26FA61F13187}
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\documents and settings\All Users\Start Menu\Internet Explorer.lnk
c:\program files\\setup.exe
c:\recycler\S-1-5-21-1202660629-2077806209-682003330-500
c:\recycler\S-1-5-21-2565272303-2409329923-1198774929-500
c:\windows\kozuboho.dll
c:\windows\system32\11478.exe
c:\windows\system32\11538.exe
c:\windows\system32\11942.exe
c:\windows\system32\12382.exe
c:\windows\system32\14604.exe
c:\windows\system32\14771.exe
c:\windows\system32\153.exe
c:\windows\system32\15724.exe
c:\windows\system32\16827.exe
c:\windows\system32\17421.exe
c:\windows\system32\18467.exe
c:\windows\system32\1869.exe
c:\windows\system32\18716.exe
c:\windows\system32\19169.exe
c:\windows\system32\19718.exe
c:\windows\system32\19895.exe
c:\windows\system32\19912.exe
c:\windows\system32\21726.exe
c:\windows\system32\23281.exe
c:\windows\system32\24464.exe
c:\windows\system32\26500.exe
c:\windows\system32\26962.exe
c:\windows\system32\28145.exe
c:\windows\system32\292.exe
c:\windows\system32\29358.exe
c:\windows\system32\2995.exe
c:\windows\system32\32391.exe
c:\windows\system32\3902.exe
c:\windows\system32\41.exe
c:\windows\system32\4827.exe
c:\windows\system32\491.exe
c:\windows\system32\5436.exe
c:\windows\system32\5447.exe
c:\windows\system32\5705.exe
c:\windows\system32\6334.exe
c:\windows\system32\9961.exe
c:\windows\system32\amanavom.ini
c:\windows\system32\apalomov.ini
c:\windows\system32\AVR10.exe
c:\windows\system32\azenibey.ini
c:\windows\system32\bahegatu.dll
c:\windows\system32\balumugo.dll
c:\windows\system32\belagayi.dll
c:\windows\system32\beruvufi.dll
c:\windows\system32\bewijeze.dll
c:\windows\system32\bohupota.dll
c:\windows\system32\bovejuto.dll
c:\windows\system32\budekaju.dll
c:\windows\system32\dehaziku.dll
c:\windows\system32\delutaha.dll
c:\windows\system32\dizubure.dll
c:\windows\system32\dodedeva.dll
c:\windows\system32\dukazewe.exe
c:\windows\system32\duyojaye.dll
c:\windows\system32\edelumup.ini
c:\windows\system32\epodojiz.ini
c:\windows\system32\epomiyuy.ini
c:\windows\system32\ezisijez.ini
c:\windows\system32\fabipibu.dll
c:\windows\system32\faviheki.dll
c:\windows\system32\fidavine.dll
c:\windows\system32\fubatuzo.dll
c:\windows\system32\fuvivuki.dll
c:\windows\system32\gidalepu.dll
c:\windows\system32\gitisowe.dll
c:\windows\system32\gogekaju.dll
c:\windows\system32\gudadamu.exe
c:\windows\system32\gulobimu.dll
c:\windows\system32\habemoya.dll
c:\windows\system32\hatasefa.dll
c:\windows\system32\hepusepi.dll
c:\windows\system32\higubowo.dll
c:\windows\system32\horefupa.dll
c:\windows\system32\hugeloko.dll
c:\windows\system32\hupunase.dll
c:\windows\system32\huzegeko.dll
c:\windows\system32\isanagew.ini
c:\windows\system32\itedatal.ini
c:\windows\system32\iwewojit.ini
c:\windows\system32\jejowada.dll
c:\windows\system32\jepeyumu.dll
c:\windows\system32\jetebusu.dll
c:\windows\system32\jevujuza.dll
c:\windows\system32\jujivane.dll
c:\windows\system32\kafawagi.dll
c:\windows\system32\kajikihi.dll
c:\windows\system32\kigilepi.dll
c:\windows\system32\kiropevu.dll
c:\windows\system32\konowahu.dll
c:\windows\system32\korediri.dll
c:\windows\system32\koyiwitu.dll
c:\windows\system32\latezopi.dll
c:\windows\system32\lavusita.dll
c:\windows\system32\layeleye.dll
c:\windows\system32\lefegeho.dll
c:\windows\system32\lilatawi.dll
c:\windows\system32\livovobe.dll
c:\windows\system32\lugopuko.dll
c:\windows\system32\mejiyuwo.dll
c:\windows\system32\mivekele.exe
c:\windows\system32\motatere.dll
c:\windows\system32\naluwota.dll
c:\windows\system32\navafono.dll
c:\windows\system32\nazonena.dll
c:\windows\system32\nekoneto.dll
c:\windows\system32\nesikesi.dll
c:\windows\system32\nogevivu.dll
c:\windows\system32\notewufe.dll
c:\windows\system32\nupevazu.dll
c:\windows\system32\nuzevuzi.dll
c:\windows\system32\ojiregob.ini
c:\windows\system32\okufozoy.ini
c:\windows\system32\parodupa.dll
c:\windows\system32\pasihawo.dll
c:\windows\system32\pehumeni.dll
c:\windows\system32\pemejilo.dll
c:\windows\system32\pisosuja.dll
c:\windows\system32\pizofubo.exe
c:\windows\system32\powihiza.dll
c:\windows\system32\puraviyu.dll
c:\windows\system32\pusekudu.dll
c:\windows\system32\puvugipe.dll
c:\windows\system32\pwdmon.dll
c:\windows\system32\rezafovo.dll
c:\windows\system32\rijegazo.dll
c:\windows\system32\risowupa.dll
c:\windows\system32\rohebiyi.dll
c:\windows\system32\rolabuye.dll
c:\windows\system32\ruhefife.dll
c:\windows\system32\rukohayo.dll
c:\windows\system32\sigalupi.dll
c:\windows\system32\soluwale.dll
c:\windows\system32\suzisuha.dll
c:\windows\system32\tevinuki.dll
c:\windows\system32\tezimawi.dll
c:\windows\system32\tilosupi.dll
c:\windows\system32\tizuguve.dll
c:\windows\system32\tojokiyi.dll
c:\windows\system32\ubayikit.ini
c:\windows\system32\ubofutad.ini
c:\windows\system32\veyoroda.dll
c:\windows\system32\voliyeyo.dll
c:\windows\system32\vubuwiwu.dll
c:\windows\system32\vujapede.dll
c:\windows\system32\waduyeso.dll
c:\windows\system32\wakosoli.dll
c:\windows\system32\wavoyolu.dll
c:\windows\system32\wifowigu.dll
c:\windows\system32\wimalowo.dll
c:\windows\system32\winhelper86.dll
c:\windows\system32\winlogon86.exe
c:\windows\system32\winupdate86.exe
c:\windows\system32\wojebeji.dll
c:\windows\system32\wojohilu.dll
c:\windows\system32\womayovi.dll
c:\windows\system32\wotunivo.dll
c:\windows\system32\wugeruti.dll
c:\windows\system32\wuhemiwa.dll
c:\windows\system32\yabokiya.dll
c:\windows\system32\yedibona.exe
c:\windows\system32\yefayupo.dll
c:\windows\system32\yofujaya.dll
c:\windows\system32\yokayinu.dll
c:\windows\system32\yonugese.dll
c:\windows\system32\zarowoma.dll
c:\windows\system32\zibuzuhu.dll
c:\windows\system32\zokemohi.dll
c:\windows\system32\zudijovu.dll
c:\windows\system32\zuhukowa.dll
c:\windows\system32\zuniwoha.dll
c:\windows\system32\zutozube.dll
c:\windows\tenufuto.dll
c:\windows\wewirase.dll

----- BITS: Possible infected sites -----

hxxp://82.98.235.29
.
(((((((((((((((((((((((((   Files Created from 2009-11-25 to 2009-12-25  )))))))))))))))))))))))))))))))
.

2009-12-25 21:48 . 2009-12-03 23:14      38224      ----a-w-      c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-25 21:48 . 2009-12-25 21:48      --------      d-----w-      c:\documents and settings\All Users\Application Data\Malwarebytes
2009-12-25 21:48 . 2009-12-25 21:48      --------      d-----w-      c:\program files\Malwarebytes' Anti-Malware
2009-12-25 21:48 . 2009-12-03 23:13      19160      ----a-w-      c:\windows\system32\drivers\mbam.sys
2009-12-25 20:57 . 2009-12-25 20:57      --------      d-----w-      c:\program files\TrendMicro
2009-12-25 20:17 . 2008-11-06 09:03      --------      d-----w-      C:\SDFix
2009-12-06 21:49 . 2009-12-06 21:49      --------      d-----w-      c:\windows\system32\XPSViewer
2009-12-06 21:49 . 2009-12-06 21:49      --------      d-----w-      c:\program files\MSBuild
2009-12-06 21:49 . 2009-12-06 21:49      --------      d-----w-      c:\program files\Reference Assemblies
2009-12-06 21:48 . 2008-07-06 12:06      89088      ----a-w-      c:\windows\system32\Spool\prtprocs\w32x86\filterpipelineprintproc.dll
2009-12-06 21:47 . 2008-07-06 12:06      117760      ------w-      c:\windows\system32\prntvpt.dll
2009-12-06 21:47 . 2008-07-06 12:06      89088      -c----w-      c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-12-06 21:47 . 2008-07-06 12:06      575488      -c----w-      c:\windows\system32\dllcache\xpsshhdr.dll
2009-12-06 21:47 . 2008-07-06 12:06      575488      ------w-      c:\windows\system32\xpsshhdr.dll
2009-12-06 21:47 . 2008-07-06 12:06      1676288      -c----w-      c:\windows\system32\dllcache\xpssvcs.dll
2009-12-06 21:47 . 2008-07-06 12:06      1676288      ------w-      c:\windows\system32\xpssvcs.dll
2009-12-06 21:47 . 2008-07-06 10:50      597504      -c----w-      c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-12-06 21:47 . 2008-07-06 10:50      597504      ------w-      c:\windows\system32\Spool\prtprocs\w32x86\printfilterpipelinesvc.exe
2009-12-06 21:47 . 2009-12-06 21:48      --------      d-----w-      C:\877d481083a46d4746c771bcdc0befab
2009-12-06 21:46 . 2009-12-07 00:16      --------      d-----w-      c:\windows\SxsCaPendDel
2009-12-04 10:39 . 2009-12-04 10:39      --------      d-----w-      c:\windows\system32\KB905474
2009-12-04 10:39 . 2009-03-11 05:26      1403264      ----a-w-      c:\windows\system32\KB905474\wganotifypackageinner.exe
2009-12-04 10:39 . 2009-03-11 05:18      453512      ----a-w-      c:\windows\system32\KB905474\wgasetup.exe
2009-12-03 21:48 . 2009-12-03 21:48      --------      d-----w-      c:\documents and settings\Administrator\Local Settings\Application Data\PCHealth
2009-12-03 21:38 . 2009-12-03 22:13      --------      d-----w-      c:\windows\system32\CatRoot_bak
2009-12-03 21:19 . 2008-06-13 13:10      272128      -c----w-      c:\windows\system32\dllcache\bthport.sys
2009-12-03 21:19 . 2008-06-13 13:10      272128      ------w-      c:\windows\system32\drivers\bthport.sys
2009-12-03 21:00 . 2008-10-24 11:10      453632      -c----w-      c:\windows\system32\dllcache\mrxsmb.sys
2009-12-03 20:59 . 2009-08-04 13:58      2136064      -c----w-      c:\windows\system32\dllcache\ntkrnlmp.exe
2009-12-03 20:59 . 2009-08-04 14:00      2180352      -c----w-      c:\windows\system32\dllcache\ntoskrnl.exe
2009-12-03 20:58 . 2009-08-04 13:13      2015744      -c----w-      c:\windows\system32\dllcache\ntkrpamp.exe
2009-12-03 20:58 . 2009-08-04 13:13      2057728      -c----w-      c:\windows\system32\dllcache\ntkrnlpa.exe
2009-12-03 20:29 . 2009-12-03 20:32      --------      d-----w-      c:\documents and settings\All Users\Application Data\PCDr
2009-12-03 20:28 . 2009-12-03 20:32      --------      d-----w-      c:\program files\PCDR5

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-25 23:36 . 2005-04-05 17:21      --------      d-----w-      c:\program files\C4ebreg
2009-12-25 23:19 . 2009-12-25 23:19      0      ---ha-w-      c:\windows\system32\BIT67.tmp
2009-12-25 23:17 . 2009-12-25 23:17      0      ---ha-w-      c:\windows\system32\BIT64.tmp
2009-12-25 23:17 . 2009-12-25 23:17      0      ---ha-w-      c:\windows\system32\BIT62.tmp
2009-12-25 23:16 . 2009-12-25 23:16      0      ---ha-w-      c:\windows\system32\BIT5F.tmp
2009-12-25 22:49 . 2005-04-05 20:10      --------      d-----w-      c:\program files\WST
2009-12-25 20:30 . 2007-10-15 21:36      1324      ----a-w-      c:\windows\system32\d3d9caps.dat
2009-12-25 03:13 . 2006-01-24 00:45      --------      d-----w-      c:\program files\Common Files\Symantec Shared
2009-12-25 03:10 . 2007-06-19 14:18      50844      ---ha-w-      c:\windows\system32\mlfcache.dat
2009-12-24 23:21 . 2009-12-24 23:21      3      ---ha-w-      c:\windows\system32\BIT1AD.tmp
2009-12-24 23:21 . 2009-12-24 23:21      3      ---ha-w-      c:\windows\system32\BIT1AC.tmp
2009-12-24 23:21 . 2009-12-24 23:21      3      ---ha-w-      c:\windows\system32\BIT1AB.tmp
2009-12-24 23:21 . 2009-12-24 23:21      3      ---ha-w-      c:\windows\system32\BIT1AA.tmp
2009-12-24 23:21 . 2009-12-24 23:21      3      ---ha-w-      c:\windows\system32\BIT1A5.tmp
2009-12-24 02:51 . 2007-08-09 17:06      40      ----a-w-      c:\windows\system32\profile.dat
2009-12-23 18:55 . 2006-02-10 22:20      --------      d-----w-      c:\program files\AT&T Network Client
2009-12-07 14:59 . 2005-04-04 18:17      55528      ----a-w-      c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-11-30 22:02 . 2009-10-07 21:17      6016      ----a-w-      c:\windows\system32\drivers\isamfilter.sys
2009-11-19 15:12 . 2006-06-19 20:57      --------      d-----w-      c:\program files\Opera
2009-11-17 18:57 . 2005-07-29 18:05      64792      ----a-w-      c:\windows\isamunin.exe
2009-11-15 21:13 . 2007-05-08 01:43      --------      d--h--w-      c:\documents and settings\Administrator\Application Data\Move Networks
2009-11-12 16:46 . 2007-07-24 04:58      --------      d---a-w-      c:\documents and settings\All Users\Application Data\TEMP
2009-11-12 16:45 . 2009-11-12 15:28      --------      d-----w-      c:\program files\Spyware Doctor
2009-11-12 16:45 . 2009-11-12 15:28      --------      d-----w-      c:\program files\Common Files\PC Tools
2009-10-29 07:46 . 2004-08-04 05:00      832512      ----a-w-      c:\windows\system32\wininet.dll
2009-10-29 07:46 . 2004-08-04 05:00      78336      ----a-w-      c:\windows\system32\ieencode.dll
2009-10-29 07:46 . 2004-08-04 05:00      17408      ----a-w-      c:\windows\system32\corpol.dll
2009-10-21 06:00 . 2004-08-04 05:00      75776      ----a-w-      c:\windows\system32\strmfilt.dll
2009-10-21 06:00 . 2004-08-04 05:00      25088      ----a-w-      c:\windows\system32\httpapi.dll
2009-10-20 14:58 . 2004-08-04 05:00      263552      ----a-w-      c:\windows\system32\drivers\http.sys
2009-10-13 10:53 . 2004-08-04 05:00      266752      ----a-w-      c:\windows\system32\oakley.dll
2009-10-12 13:54 . 2004-08-04 05:00      69632      ----a-w-      c:\windows\system32\raschap.dll
2009-10-12 13:54 . 2004-08-04 05:00      112128      ----a-w-      c:\windows\system32\rastls.dll
2006-02-24 16:57 . 2006-02-24 16:57      2352893      ----a-w-      c:\program files\openofficeorg4.cab
2006-02-24 16:57 . 2006-02-24 16:57      52855506      ----a-w-      c:\program files\openofficeorg3.cab
2006-02-24 16:52 . 2006-02-24 16:52      14867699      ----a-w-      c:\program files\openofficeorg2.cab
2006-02-24 16:52 . 2006-02-24 16:52      18307890      ----a-w-      c:\program files\openofficeorg1.cab
2006-02-24 16:50 . 2006-02-24 16:50      217      ----a-w-      c:\program files\setup.ini
2006-02-24 16:50 . 2006-02-24 16:50      5224448      ----a-w-      c:\program files\openofficeorg20.msi
2002-03-11 09:06 . 2002-03-11 09:06      1822520      ----a-w-      c:\program files\instmsiw.exe
2002-03-11 08:45 . 2002-03-11 08:45      1708856      ----a-w-      c:\program files\instmsia.exe
2008-10-17 14:36 . 2008-10-17 14:36      27976      ----a-w-      c:\program files\mozilla firefox\plugins\atgpcdec.dll
2008-10-17 19:02 . 2008-10-17 14:36      125840      ----a-w-      c:\program files\mozilla firefox\plugins\atgpcext.dll
2008-10-17 17:50 . 2008-10-17 17:50      46408      ----a-w-      c:\program files\mozilla firefox\plugins\atmccli.dll
2008-10-17 14:36 . 2008-10-17 14:36      98704      ----a-w-      c:\program files\mozilla firefox\plugins\ieatgpc.dll
2008-10-17 14:36 . 2008-10-17 14:36      107848      ----a-w-      c:\program files\mozilla firefox\plugins\mwmcli.dll
2009-08-18 03:35 . 2009-08-18 03:35      3      --sha-w-      c:\windows\zayiyahu.dll
2009-01-20 14:28 . 2009-01-20 14:28      70144      --sha-w-      c:\windows\system32\fadateta.dll.tmp
2009-04-25 16:07 . 2009-04-25 16:07      2713      --sh--w-      c:\windows\system32\kowogepu.dll
2009-01-14 16:18 . 2009-01-14 16:18      69632      --sha-w-      c:\windows\system32\mohijani.dll.tmp
2009-01-14 16:18 . 2009-01-14 16:18      69632      --sha-w-      c:\windows\system32\namiroto.dll.tmp
2009-01-23 02:30 . 2009-01-23 02:30      70144      --sha-w-      c:\windows\system32\napinope.dll.tmp
2009-09-24 23:15 . 2009-09-24 23:15      22016      --sha-w-      c:\windows\system32\nowikuje.exe
2009-04-20 14:51 . 2009-04-20 14:51      1411355      --sh--w-      c:\windows\system32\ojiregob.tmp
2009-01-23 02:30 . 2009-01-23 02:30      70144      --sha-w-      c:\windows\system32\pirabumo.dll.tmp
2009-01-23 02:30 . 2009-01-23 02:30      70144      --sha-w-      c:\windows\system32\poyutole.dll.tmp
2009-04-25 16:07 . 2009-04-25 16:07      2713      --sh--w-      c:\windows\system32\rehenano.exe
2009-01-14 16:18 . 2009-01-14 16:18      69632      --sha-w-      c:\windows\system32\ruyoneta.dll.tmp
2009-01-20 14:28 . 2009-01-20 14:28      70144      --sha-w-      c:\windows\system32\vusilina.dll.tmp
2009-01-20 14:28 . 2009-01-20 14:28      70144      --sha-w-      c:\windows\system32\yibavisu.dll.tmp
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SPSTEALT"="c:\program files\Smart Protector Pro\SmartProtector-Pro.exe" [2007-06-29 1945600]
"NetSP - restore settings on power failure"="c:\program files\AT&T Network Client\NetSP.exe" [2007-01-13 24576]
"Google Update"="c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-04-25 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"pmonmh"="c:\program files\IBM\My Help\plugins\\com.ibm.myhelp.common_1.4.19" [X]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"Tpam.exe"="c:\program files\IBM\Personal Communications\tpam.exe" [2004-04-27 28672]
"ISAMTray"="c:\program files\c4ebreg\isamtray.exe" [2009-11-17 285976]
"TPHOTKEY"="c:\progra~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe" [2004-08-17 94208]
"BMMLREF"="c:\program files\ThinkPad\Utilities\BMMLREF.EXE" [2006-02-10 20480]
"BMMMONWND"="c:\progra~1\ThinkPad\UTILIT~1\BatInfEx.dll" [2006-02-10 396288]
"BLOG"="c:\progra~1\ThinkPad\UTILIT~1\BatLogEx.DLL" [2006-02-10 208896]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2006-02-10 110592]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-02-10 512000]
"TP4EX"="tp4ex.exe" [2005-08-24 40960]
"TPKMAPHELPER"="c:\program files\ThinkPad\Utilities\TpKmapAp.exe" [2005-10-28 864256]
"TpShocks"="TpShocks.exe" [2005-11-07 106496]
"MyHelpService"="c:\program files\IBM\My Help\workspace\service\delayStart.exe" [2009-03-13 94208]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-11-16 127035]
"C4EBReg"="c:\program files\c4ebreg\c4ebreg.exe" [2009-11-17 478488]
"IBMPRC"="c:\ibmtools\UTILS\ibmprc.exe" [2005-04-27 90112]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-12 49152]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 241664]
"stgclean"="c:\sdwork\w32maing.exe" [2009-11-23 266752]
"ACTray"="c:\program files\ThinkPad\ConnectUtilities\ACTray.exe" [2006-10-06 409600]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-07-20 52896]
"vptray"="c:\progra~1\SYMANT~2\SYMANT~2\VPTray.exe" [2006-09-28 125168]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"ISSI Service"="c:\sdwork\issimsvc.exe" [2009-12-10 241392]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-5-11 282624]
Lotus QuickStart.lnk - c:\lotus\wordpro\ltsstart.exe [2003-4-7 32768]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDevMgrUpdate"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pcsinst]
2004-04-27 22:02      49152      ----a-w-      c:\windows\system32\pcsinst.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]
2006-02-10 21:59      28672      ----a-w-      c:\windows\system32\notifyf2.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
2006-02-10 21:59      24576      ----a-w-      c:\windows\system32\tphklock.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=dword:00000001
"IBMconfig"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

R0 ANCSQ;ANCSQ;c:\windows\system32\drivers\ANCSQ.sys [4/27/2005 2:15 AM 6912]
R1 TPPWR;TPPWR;c:\windows\system32\drivers\TPPWR.SYS [2/10/2006 3:23 PM 16384]
R2 RDIConverterPrintHelper;RDI Document Conversion Helper;c:\program files\Common Files\ICWM\Printer\RDIConverterService.exe [1/17/2008 7:23 AM 59392]
R2 SavRoam;SAVRoam;c:\program files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe [9/27/2006 7:33 PM 116464]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [8/29/2009 11:19 AM 102448]
S3 gwiopm;gwiopm; [x]
S3 IsamFilter;IsamFilter;c:\windows\system32\drivers\isamfilter.sys [10/7/2009 2:17 PM 6016]
S3 PCDSRVC{9503439C-19F1437D-06000000}_0;PCDSRVC{9503439C-19F1437D-06000000}_0 - PCDR Kernel Mode Service Helper Driver;c:\program files\PCDR5\pcdsrvc.pkms [2/19/2009 2:50 PM 20848]
.
------- Supplementary Scan -------
.
uStart Page = w3.ibm.com
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local;<local>
IE:       
DPF: Microsoft XML Parser for Java
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\4m895696.default\
FF - prefs.js: browser.startup.homepage - w3.ibm.com
FF - component: c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\4m895696.default\extensions\piclens@cooliris.com\components\cooliris.dll
FF - plugin: c:\documents and settings\Administrator\Application Data\Move Networks\plugins\npqmp071500000347.dll
FF - plugin: c:\documents and settings\Administrator\Application Data\Move Networks\plugins\npqmp071701000002.dll
FF - plugin: c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\4m895696.default\extensions\piclens@cooliris.com\plugins\npcoolirisplugin.dll
FF - plugin: c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npatgpc.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbrowster.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npcpsweb.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\Opera\program\plugins\npdivx32.dll
FF - plugin: c:\program files\Virtual Earth 3D\npVE3D.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.
- - - - ORPHANS REMOVED - - - -

BHO-{f223935e-a7ed-44a9-8e85-00307a35e0b8} - nupevazu.dll
HKCU-Run-Uniblue RegistryBooster 2009 - c:\program files\Uniblue\RegistryBooster\RegistryBooster.exe
HKCU-Run-BitTorrent - c:\program files\BitTorrent\bittorrent.exe
HKLM-Run-zitobimupu - dehaziku.dll
HKLM-Run-8017f807 - c:\windows\system32\vomolapa.dll
HKLM-Run-CPM8324cb9b - c:\windows\system32\vatoteju.dll
Notify-ACNotify - ACNotify.dll
Notify-atmgrtok - atmgrtok.dll



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-25 16:38
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...  

scanning hidden autostart entries ...

scanning hidden files ...  

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\PCDSRVC{9503439C-19F1437D-06000000}_0]
"ImagePath"="\??\c:\program files\pcdr5\pcdsrvc.pkms"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(736)
c:\program files\ThinkPad\ConnectUtilities\ACNotify.dll
c:\program files\ThinkPad\ConnectUtilities\AcSvcStub.dll
c:\program files\ThinkPad\ConnectUtilities\AcLocSettings.dll
c:\program files\ThinkPad\ConnectUtilities\ACHelper.dll
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\tphklock.dll
c:\program files\IBM\Personal Communications\atmgrtok.dll
c:\program files\IBM\Personal Communications\MILLUTIL.DLL
c:\windows\system32\pcsinst.dll

- - - - - - - > 'explorer.exe'(2724)
c:\windows\system32\WININET.dll
c:\program files\Smart Protector Pro\sphook.dll
c:\windows\system32\browselc.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ibmpmsvc.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\program files\Common Files\Symantec Shared\ccProxy.exe
c:\program files\Symantec Client Security\Symantec Client Firewall\ISSVC.exe
c:\program files\Common Files\Symantec Shared\SNDSrvc.exe
c:\windows\system32\Drivers\trcboot.exe
c:\program files\IBM\Personal Communications\PCS_AGNT.EXE
c:\program files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
c:\program files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\notes\ntmulti.exe
c:\program files\AT&T Network Client\NetCfgSv.EXE
c:\windows\system32\HPZipm12.exe
c:\program files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
c:\program files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
c:\windows\System32\TPHDEXLG.EXE
c:\windows\system32\TpKmpSVC.exe
c:\windows\system32\Drivers\ldlcserv.exe
c:\program files\ThinkPad\ConnectUtilities\AcSvc.exe
c:\windows\system32\acs.exe
c:\program files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\rundll32.exe
c:\program files\Lenovo\PkgMgr\HOTKEY\TPONSCR.exe
c:\program files\Lenovo\PkgMgr\HOTKEY_1\TpScrex.exe
c:\windows\system32\TpShocks.exe
c:\program files\IBM\My Help\plugins\com.ibm.myhelp.common_1.4.19\pmonmh.exe
c:\program files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
c:\program files\IBM\My Help\MyHelp.exe
c:\program files\IBM\My Help\jre\bin\myhelpw.exe
.
**************************************************************************
.
Completion time: 2009-12-25  16:52:07 - machine was rebooted
ComboFix-quarantined-files.txt  2009-12-25 23:52

Pre-Run: 47,689,777,152 bytes free
Post-Run: 47,714,426,880 bytes free

- - End Of File - - 4B666B7DD3A920AAE7AA110AFBA0187E

Malwarebytes scan resulted in the following:

Malwarebytes' Anti-Malware 1.42
Database version: 3289
Windows 5.1.2600 Service Pack 2
Internet Explorer 7.0.5730.11

12/25/2009 5:31:10 PM
mbam-log-2009-12-25 (17-31-10).txt

Scan type: Quick Scan
Objects scanned: 124215
Time elapsed: 11 minute(s), 15 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\kowogepu.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.

I think this takes care of it.  Let me reboot to confirm.
 
optoma commented:
I'm not convinced that all is fully clear. Let Combofix's logfile be reviewed to make sure.
Run Hitman Pro http://www.surfright.nl/en/hitmanpro and make note of anything.
If it finds Combofix as suspicious, ignore it.
 
warturtle commented:
Hello,

Yes, I too agree with Optoma, we need to scan again to make sure that the problems are completely finished. Either running ComboFix again would be a good idea or running MalwareBytes full scan followed by a full scan with your own antivirus.

These files look strange to me:

c:\windows\zayiyahu.dll
c:\windows\system32\fadateta.dll.tmp
c:\windows\system32\kowogepu.dll
c:\windows\system32\mohijani.dll.tmp
c:\windows\system32\namiroto.dll.tmp
c:\windows\system32\napinope.dll.tmp
c:\windows\system32\nowikuje.exe
c:\windows\system32\ojiregob.tmp
c:\windows\system32\pirabumo.dll.tmp
c:\windows\system32\poyutole.dll.tmp
c:\windows\system32\rehenano.exe
c:\windows\system32\ruyoneta.dll.tmp
c:\windows\system32\vusilina.dll.tmp
c:\windows\system32\yibavisu.dll.tmp

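The two comments above point at the same indicators in the ComboFix log: eight-letter random-looking file names carrying hidden and system attributes (`--sha-w-`, `--sh--w-`) in c:\windows and c:\windows\system32, `.dll.tmp` leftovers in system32, and, under Reg Loading Points, Security Center entries with `DisableMonitoring` and `FirewallOverride` set to 1 plus `EnableFirewall` set to 0 for the standard firewall profile. Malwarebytes later identified one of those files, kowogepu.dll, as Trojan.Vundo.H. As an added example (not part of the original thread, and not a ComboFix feature), the Python script below parses a handful of lines copied from the log above and scores them. The consonant-vowel name test, the two-reason threshold and the registry rules are the editor's own heuristics and assumptions; they are meant to show what to look for in a log like this, not to replace a scanner.

```python
"""
Triage helper for ComboFix-style log excerpts (added example, not ComboFix code).
Flags: randomly named hidden/system files in the Windows tree, and registry
loading points that turn off Security Center monitoring or the Windows Firewall.
"""
import re

# Constructed sample: lines copied from the ComboFix log on this page, mixing
# legitimate entries (atgpcdec.dll, pcsinst.dll) with the suspicious ones.
SAMPLE_LOG = """\
2008-10-17 14:36 . 2008-10-17 14:36      27976      ----a-w-      c:\\program files\\mozilla firefox\\plugins\\atgpcdec.dll
2009-08-18 03:35 . 2009-08-18 03:35      3      --sha-w-      c:\\windows\\zayiyahu.dll
2009-01-20 14:28 . 2009-01-20 14:28      70144      --sha-w-      c:\\windows\\system32\\fadateta.dll.tmp
2009-04-25 16:07 . 2009-04-25 16:07      2713      --sh--w-      c:\\windows\\system32\\kowogepu.dll
2009-09-24 23:15 . 2009-09-24 23:15      22016      --sha-w-      c:\\windows\\system32\\nowikuje.exe
2004-04-27 22:02      49152      ----a-w-      c:\\windows\\system32\\pcsinst.dll
[HKEY_LOCAL_MACHINE\\software\\microsoft\\security center]
"FirewallOverride"=dword:00000001
[HKEY_LOCAL_MACHINE\\software\\microsoft\\security center\\Monitoring\\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\\~\\services\\sharedaccess\\parameters\\firewallpolicy\\standardprofile]
"EnableFirewall"= 0 (0x0)
"""

# ComboFix file line: "<date> <time> [. <date> <time>]  <size>  <attrs>  <path>"
FILE_RE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}(?: \. \d{4}-\d{2}-\d{2} \d{2}:\d{2})?"
    r"\s+(?P<size>\d+)\s+(?P<attrs>[-a-z]{8})\s+(?P<path>\S.*)$")
KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
# Numeric registry values in either REGEDIT4 ("dword:00000001") or ComboFix
# ("= 0 (0x0)") notation; string values are not matched and are skipped.
VALUE_RE = re.compile(
    r'^"(?P<name>[^"]+)"=\s*(?:dword:(?P<hex>[0-9a-fA-F]+)|(?P<dec>\d+))')

VOWELS = set("aeiou")


def looks_generated(stem: str) -> bool:
    """True for 8+ lowercase letters strictly alternating consonant/vowel
    (zayiyahu, ojiregob, ...), the scheme of the files listed on this page.
    Heuristic assumption: real words such as 'minimize' also match, so it is
    only one signal and never a verdict on its own."""
    if len(stem) < 8 or not stem.isalpha() or not stem.islower():
        return False
    classes = [c in VOWELS for c in stem]
    return all(classes[i] != classes[i + 1] for i in range(len(classes) - 1))


def file_findings(path: str, attrs: str) -> list:
    """Reasons a file entry deserves a look (editor's heuristics)."""
    reasons = []
    lower = path.lower()
    name = lower.rsplit("\\", 1)[-1]
    stem = name.split(".", 1)[0]
    if "s" in attrs and "h" in attrs:
        reasons.append("hidden+system attributes")
    if looks_generated(stem):
        reasons.append("generated-looking name")
    if lower.startswith("c:\\windows\\") and name.endswith(".tmp"):
        reasons.append(".tmp file left in the Windows tree")
    return reasons


def registry_findings(key: str, name: str, value: int):
    """Loading-point values that weaken the host's own defences."""
    k = key.lower()
    if "security center" in k and name == "DisableMonitoring" and value == 1:
        return "Security Center monitoring disabled for " + key.rsplit("\\", 1)[-1]
    if k.endswith("security center") and name == "FirewallOverride" and value == 1:
        return "Security Center firewall warnings overridden"
    if "firewallpolicy" in k and name == "EnableFirewall" and value == 0:
        return "Windows Firewall disabled in profile " + key.rsplit("\\", 1)[-1]
    return None


def triage(log_text: str) -> dict:
    """Walk the log once; a file is reported when two or more reasons apply."""
    files, registry, current_key = [], [], None
    for line in log_text.splitlines():
        line = line.strip()
        m = FILE_RE.match(line)
        if m:
            reasons = file_findings(m["path"], m["attrs"])
            if len(reasons) >= 2:
                files.append((m["path"], reasons))
            continue
        m = KEY_RE.match(line)
        if m:
            current_key = m["key"]
            continue
        m = VALUE_RE.match(line)
        if m and current_key:
            value = int(m["hex"], 16) if m["hex"] else int(m["dec"])
            finding = registry_findings(current_key, m["name"], value)
            if finding:
                registry.append(finding)
    return {"files": files, "registry": registry}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for path, reasons in result["files"]:
        print(f"FILE  {path}  <- {', '.join(reasons)}")
    for finding in result["registry"]:
        print(f"REG   {finding}")
```

Run against the sample it reports the four Vundo-style files and the three registry entries, and stays quiet about atgpcdec.dll and pcsinst.dll. Feed it a full ComboFix log (`triage(open("ComboFix.txt").read())`) and review every hit by hand: the name heuristic is deliberately loose, and a legitimate file can collect two reasons.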