I am all over in malware s.. trouble. So bad that Malwarebytes cannot install mbam.exe. Here is the HT log (sorry, but I cannot find the logs tab in the file system of the program). Thanks so much for any help in advance.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:10:19, on 13.10.09
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft....k/?LinkId=74005
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files\Internet Download Manager\IDMIECC.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SoundMAX] C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Download all links with IDM - C:\Program Files\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download FLV video content with IDM - C:\Program Files\Internet Download Manager\IEGetVL.htm
O8 - Extra context menu item: Download with IDM - C:\Program Files\Internet Download Manager\IEExt.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {5067A26B-1337-4436-8AFE-EE169C2DA79F} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra 'Tools' menuitem: Skype add-on for Internet Explorer - {5067A26B-1337-4436-8AFE-EE169C2DA79F} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Broken Internet access because of LSP provider 'c:\program files\bonjour\mdnsnsp.dll' missing
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: zuharovi.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: ESET HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: ESET Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
--
End of file - 7685 bytes
#1
Posted 13 October 2009 - 08:21 PM
#2
Posted 15 October 2009 - 12:37 PM
It is not nice to leave a woman in trouble without any hint of help.
However, I read a lot in this forum and performed this gimmick with ComboFix. Here are my CF stats and the new HJ stats. I really hope you will either help or at least honestly say that I'd better reinstall Windows and not waste your time anymore. Thank you in advance.
So:
Win32kDiag.txt:
Running from: C:\Documents and Settings\ivo\Desktop\Win32kDiag.exe
Log file at : C:\Documents and Settings\ivo\Desktop\Win32kDiag.txt
WARNING: Could not get backup privileges!
Searching 'C:\WINDOWS'...
ComboFix 09-10-13.01 - ivo 13.10.09 21:49.1.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1251.359.1033.18.3071.2682 [GMT -5:00]
Running from: c:\documents and settings\ivo\Desktop\Combo-Fix.exe
AV: ESET Smart Security 4.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: ESET Personal firewall *disabled* {E5E70D32-0101-4340-86A3-A7B0F1C8FFE0}
* Resident AV is active
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\windows\system32\oem9.inf
c:\windows\system32\yevapare.dll
c:\windows\system32\yudawane.dll
----- BITS: Possible infected sites -----
hxxp://193.33.61.160
Infected copy of c:\windows\system32\drivers\iaStor.sys was found and disinfected
Restored copy from - Kitty ate it :^)
.
((((((((((((((((((((((((( Files Created from 2009-09-14 to 2009-10-14 )))))))))))))))))))))))))))))))
.
2009-10-13 20:10 . 2009-10-13 20:10 -------- d-----w- c:\program files\Trend Micro
2009-10-13 19:39 . 2009-10-13 19:39 -------- d--h--w- c:\windows\PIF
2009-10-13 19:16 . 2009-10-13 19:16 -------- d-----w- c:\documents and settings\ivo\Application Data\Malwarebytes
2009-10-13 19:08 . 2009-09-10 19:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-13 19:08 . 2009-10-13 19:41 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-13 19:08 . 2009-10-13 19:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-10-13 19:08 . 2009-09-10 19:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-13 16:06 . 2009-10-13 16:14 39946752 ----a-w- C:\ess_nt64_enu.msi
2009-10-12 22:48 . 2009-10-12 22:48 -------- d-----w- c:\documents and settings\ivo\Application Data\GARMIN
2009-10-12 22:46 . 2009-10-12 22:46 -------- d-----w- c:\program files\Garmin GPS Plugin
2009-10-12 22:46 . 2009-10-12 22:46 -------- d-----w- c:\program files\DIFX
2009-10-12 22:46 . 2009-10-12 22:46 -------- d-----w- c:\program files\Garmin
2009-10-08 19:43 . 2009-10-08 19:43 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-10-08 14:39 . 2009-10-13 21:53 -------- d-----w- C:\Nevena
2009-10-08 04:48 . 2008-04-14 05:15 26368 -c--a-w- c:\windows\system32\dllcache\usbstor.sys
2009-10-07 13:30 . 2009-10-07 13:30 0 ----a-w- c:\windows\nsreg.dat
2009-10-07 13:30 . 2009-10-07 13:30 -------- d-----w- c:\documents and settings\ivo\Local Settings\Application Data\Mozilla
2009-10-06 03:56 . 2009-10-06 03:56 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2009-10-05 00:53 . 2009-10-05 00:53 -------- d-----w- c:\documents and settings\ivo\Local Settings\Application Data\ESET
2009-10-04 21:26 . 2009-10-04 21:26 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\ESET
2009-10-03 23:38 . 2009-10-03 23:38 -------- d-----w- c:\documents and settings\ivo\Application Data\GRETECH
2009-10-03 23:30 . 2009-10-03 23:30 -------- d-----w- c:\program files\GRETECH
2009-10-03 21:04 . 2009-10-04 23:08 -------- d-----w- c:\documents and settings\ivo\Application Data\NBC Direct
2009-10-03 21:04 . 2009-10-04 23:24 -------- d-----w- c:\program files\Pando Networks
2009-10-03 21:04 . 2009-10-04 23:08 -------- d-----w- c:\documents and settings\All Users\Application Data\NBC Direct
2009-10-03 21:04 . 2009-10-04 23:08 -------- d---a-w- c:\program files\NBC Direct
2009-10-03 19:59 . 2009-10-03 19:59 -------- d-----w- c:\documents and settings\ivo\UpToDate
2009-10-03 19:57 . 2009-10-03 19:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Office Genuine Advantage
2009-10-03 19:57 . 2009-10-03 19:57 -------- d-----w- c:\documents and settings\ivo\Application Data\Office Genuine Advantage
2009-10-03 19:27 . 2009-10-03 19:58 -------- d-----w- c:\program files\UpToDate
2009-10-03 08:04 . 2008-04-13 21:09 5504 -c--a-w- c:\windows\system32\dllcache\mstee.sys
2009-10-03 08:04 . 2008-04-13 21:09 5504 ----a-w- c:\windows\system32\drivers\MSTEE.sys
2009-10-03 08:04 . 2008-04-13 21:16 10880 -c--a-w- c:\windows\system32\dllcache\ndisip.sys
2009-10-03 08:04 . 2008-04-13 21:16 10880 ----a-w- c:\windows\system32\drivers\NdisIP.sys
2009-10-03 08:04 . 2008-04-13 21:16 15232 -c--a-w- c:\windows\system32\dllcache\streamip.sys
2009-10-03 08:04 . 2008-04-13 21:16 15232 ----a-w- c:\windows\system32\drivers\StreamIP.sys
2009-10-03 08:03 . 2008-04-13 21:16 11136 -c--a-w- c:\windows\system32\dllcache\slip.sys
2009-10-03 08:03 . 2008-04-13 21:16 11136 ----a-w- c:\windows\system32\drivers\SLIP.sys
2009-10-03 08:03 . 2008-04-13 21:16 19200 -c--a-w- c:\windows\system32\dllcache\wstcodec.sys
2009-10-03 08:03 . 2008-04-13 21:16 19200 ----a-w- c:\windows\system32\drivers\WSTCODEC.SYS
2009-10-03 08:03 . 2008-04-13 21:16 85248 -c--a-w- c:\windows\system32\dllcache\nabtsfec.sys
2009-10-03 08:03 . 2008-04-13 21:16 85248 ----a-w- c:\windows\system32\drivers\NABTSFEC.sys
2009-10-03 08:03 . 2008-04-13 21:16 17024 -c--a-w- c:\windows\system32\dllcache\ccdecode.sys
2009-10-03 08:03 . 2008-04-13 21:16 17024 ----a-w- c:\windows\system32\drivers\CCDECODE.sys
2009-10-03 08:03 . 2008-04-13 21:15 60032 -c--a-w- c:\windows\system32\dllcache\usbaudio.sys
2009-10-03 08:03 . 2008-04-13 21:15 60032 ----a-w- c:\windows\system32\drivers\USBAUDIO.sys
2009-10-03 08:02 . 2008-04-14 02:42 53760 -c--a-w- c:\windows\system32\dllcache\vfwwdm32.dll
2009-10-03 08:02 . 2008-04-14 02:42 53760 ----a-w- c:\windows\system32\vfwwdm32.dll
2009-10-03 08:02 . 2008-04-13 21:15 32128 -c--a-w- c:\windows\system32\dllcache\usbccgp.sys
2009-10-03 08:02 . 2008-04-13 21:15 32128 ----a-w- c:\windows\system32\drivers\usbccgp.sys
2009-10-03 08:02 . 2009-10-13 23:09 -------- d-----w- c:\documents and settings\ivo\Application Data\skypePM
2009-10-03 08:02 . 2009-10-03 08:02 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2009-10-03 07:58 . 2009-10-14 02:47 -------- d-----w- c:\documents and settings\ivo\Application Data\Skype
2009-10-03 07:56 . 2009-10-03 07:56 -------- d-----w- c:\program files\Common Files\Skype
2009-10-03 07:56 . 2009-10-03 07:56 -------- d-----r- c:\program files\Skype
2009-10-03 07:55 . 2009-10-03 07:56 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2009-10-03 07:48 . 2009-10-03 07:48 -------- d-sh--w- c:\documents and settings\ivo\PrivacIE
2009-10-02 22:38 . 2009-10-02 22:38 -------- d-sh--w- c:\documents and settings\ivo\IETldCache
2009-10-02 22:07 . 2009-08-07 08:48 100352 -c----w- c:\windows\system32\dllcache\iecompat.dll
2009-10-02 22:07 . 2009-10-03 18:48 -------- d-----w- c:\windows\ie8updates
2009-10-02 22:06 . 2009-07-03 17:09 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2009-10-02 22:06 . 2009-07-03 17:09 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2009-10-02 22:06 . 2009-10-02 22:06 -------- dc-h--w- c:\windows\ie8
2009-10-02 21:56 . 2009-10-02 21:56 -------- d-----w- c:\windows\system32\XPSViewer
2009-10-02 21:56 . 2009-10-02 21:56 -------- d-----w- c:\program files\MSBuild
2009-10-02 21:56 . 2009-10-02 21:56 -------- d-----w- c:\program files\Reference Assemblies
2009-10-02 21:55 . 2008-07-06 12:06 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-10-02 21:55 . 2008-07-06 12:06 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
2009-10-02 21:55 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
2009-10-02 21:55 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
2009-10-02 21:55 . 2008-07-06 10:50 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-10-02 21:55 . 2009-10-02 21:56 -------- d-----w- C:\d9ae6748a70b06d8b177
2009-10-02 21:55 . 2008-07-06 12:06 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll
2009-10-02 21:55 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
2009-10-02 21:46 . 2009-10-02 21:46 -------- d-----w- c:\program files\MSXML 4.0
2009-10-02 21:42 . 2009-10-03 18:48 -------- d--h--w- c:\windows\$hf_mig$
2009-10-02 21:38 . 2009-07-29 04:37 81920 -c----w- c:\windows\system32\dllcache\fontsub.dll
2009-10-02 21:38 . 2009-07-29 04:37 119808 -c----w- c:\windows\system32\dllcache\t2embed.dll
2009-10-02 21:37 . 2009-06-10 06:14 132096 -c----w- c:\windows\system32\dllcache\wkssvc.dll
2009-10-02 21:37 . 2009-06-12 12:31 80896 -c----w- c:\windows\system32\dllcache\tlntsess.exe
2009-10-02 21:37 . 2009-06-12 12:31 76288 -c----w- c:\windows\system32\dllcache\telnet.exe
2009-10-02 21:36 . 2009-06-10 14:13 84992 -c----w- c:\windows\system32\dllcache\avifil32.dll
2009-10-02 21:36 . 2009-06-25 08:25 54272 -c----w- c:\windows\system32\dllcache\wdigest.dll
2009-10-02 21:36 . 2009-06-25 08:25 136192 -c----w- c:\windows\system32\dllcache\msv1_0.dll
2009-10-02 21:36 . 2009-06-24 11:18 92928 -c----w- c:\windows\system32\dllcache\ksecdd.sys
2009-10-02 21:36 . 2009-06-25 08:25 301568 -c----w- c:\windows\system32\dllcache\kerberos.dll
2009-10-02 21:36 . 2009-07-17 19:01 58880 -c----w- c:\windows\system32\dllcache\atl.dll
2009-10-02 21:35 . 2009-07-03 17:09 594432 -c----w- c:\windows\system32\dllcache\msfeeds.dll
2009-10-02 21:35 . 2009-07-03 17:09 1985536 -c----w- c:\windows\system32\dllcache\iertutil.dll
2009-10-02 21:35 . 2009-03-08 01:33 18944 -c--a-w- c:\windows\system32\dllcache\corpol.dll
2009-10-02 21:35 . 2009-07-03 17:09 55296 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll
2009-10-02 21:35 . 2009-03-08 01:31 59904 -c--a-w- c:\windows\system32\dllcache\icardie.dll
2009-10-02 21:35 . 2009-06-29 11:25 13824 -c----w- c:\windows\system32\dllcache\ieudinit.exe
2009-10-02 21:35 . 2009-03-08 01:11 445952 -c--a-w- c:\windows\system32\dllcache\ieapfltr.dll
2009-10-02 21:35 . 2009-02-06 18:07 3698584 -c--a-w- c:\windows\system32\dllcache\ieapfltr.dat
2009-10-02 21:35 . 2009-07-19 15:48 11067392 -c----w- c:\windows\system32\dllcache\ieframe.dll
2009-10-02 21:32 . 2009-06-03 19:09 1291264 -c----w- c:\windows\system32\dllcache\quartz.dll
2009-10-02 21:32 . 2009-08-05 09:01 204800 -c----w- c:\windows\system32\dllcache\mswebdvd.dll
2009-10-02 21:25 . 2009-06-21 21:44 153088 -c----w- c:\windows\system32\dllcache\triedit.dll
2009-10-02 21:21 . 2009-07-10 13:27 1315328 -c----w- c:\windows\system32\dllcache\msoe.dll
2009-10-02 21:04 . 2009-04-15 14:51 585216 -c----w- c:\windows\system32\dllcache\rpcrt4.dll
2009-10-02 21:04 . 2009-04-17 12:26 1847168 -c----w- c:\windows\system32\dllcache\win32k.sys
2009-10-02 21:04 . 2009-05-07 15:32 345600 -c----w- c:\windows\system32\dllcache\localspl.dll
2009-10-02 21:03 . 2009-06-25 08:25 56832 -c----w- c:\windows\system32\dllcache\secur32.dll
2009-10-02 21:03 . 2009-03-21 14:06 989696 -c----w- c:\windows\system32\dllcache\kernel32.dll
2009-10-02 21:02 . 2008-12-16 12:30 354304 -c----w- c:\windows\system32\dllcache\winhttp.dll
2009-10-02 21:02 . 2008-06-12 14:23 956928 -c----w- c:\windows\system32\dllcache\msdtctm.dll
2009-10-02 21:02 . 2008-06-12 14:23 91648 -c----w- c:\windows\system32\dllcache\mtxoci.dll
2009-10-02 21:02 . 2008-06-12 14:23 66560 -c----w- c:\windows\system32\dllcache\mtxclu.dll
2009-10-02 21:02 . 2008-06-12 14:23 58880 -c----w- c:\windows\system32\dllcache\msdtclog.dll
2009-10-02 21:02 . 2008-06-12 14:23 161792 -c----w- c:\windows\system32\dllcache\msdtcuiu.dll
2009-10-02 21:01 . 2009-03-06 14:22 284160 -c----w- c:\windows\system32\dllcache\pdh.dll
2009-10-02 21:01 . 2009-02-09 12:10 401408 -c----w- c:\windows\system32\dllcache\rpcss.dll
2009-10-02 21:01 . 2009-02-06 11:11 110592 -c----w- c:\windows\system32\dllcache\services.exe
2009-10-02 21:01 . 2009-02-09 12:10 473600 -c----w- c:\windows\system32\dllcache\fastprox.dll
2009-10-02 21:01 . 2009-02-09 12:10 453120 -c----w- c:\windows\system32\dllcache\wmiprvsd.dll
2009-10-02 21:01 . 2009-02-06 10:10 227840 -c----w- c:\windows\system32\dllcache\wmiprvse.exe
2009-10-02 21:01 . 2009-06-25 08:25 730112 -c----w- c:\windows\system32\dllcache\lsasrv.dll
2009-10-02 21:01 . 2009-02-09 12:10 714752 -c----w- c:\windows\system32\dllcache\ntdll.dll
2009-10-02 21:01 . 2009-02-09 12:10 617472 -c----w- c:\windows\system32\dllcache\advapi32.dll
2009-10-02 21:01 . 2009-02-06 11:08 2189056 -c----w- c:\windows\system32\dllcache\ntoskrnl.exe
2009-10-02 21:01 . 2009-02-06 11:06 2145280 -c----w- c:\windows\system32\dllcache\ntkrnlmp.exe
2009-10-02 21:01 . 2009-02-06 10:32 2023936 -c----w- c:\windows\system32\dllcache\ntkrpamp.exe
2009-10-02 21:00 . 2008-05-03 11:55 2560 ------w- c:\windows\system32\xpsp4res.dll
2009-10-02 21:00 . 2008-04-21 12:08 215552 -c----w- c:\windows\system32\dllcache\wordpad.exe
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-13 20:41 . 2008-03-09 15:30 -------- d-----w- c:\documents and settings\ivo\Application Data\uTorrent
2009-10-05 00:41 . 2008-03-10 02:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-10-04 22:46 . 2008-03-08 01:18 70528 ----a-w- c:\documents and settings\ivo\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-03 21:11 . 2008-03-09 11:45 -------- d-----w- c:\documents and settings\ivo\Application Data\IDM
2009-10-03 19:25 . 2008-03-08 01:24 -------- d-----w- c:\program files\Common Files\InstallShield
2009-10-02 21:50 . 2008-03-10 02:07 -------- d-----w- c:\program files\Microsoft Works
2009-08-06 16:24 . 2008-03-07 20:06 327896 ----a-w- c:\windows\system32\wucltui.dll
2009-08-06 16:24 . 2008-03-07 20:06 209632 ----a-w- c:\windows\system32\wuweb.dll
2009-08-06 16:24 . 2008-03-07 20:06 35552 ----a-w- c:\windows\system32\wups.dll
2009-08-06 16:24 . 2007-07-30 22:19 44768 ----a-w- c:\windows\system32\wups2.dll
2009-08-06 16:24 . 2008-03-07 20:06 53472 ----a-w- c:\windows\system32\wuauclt.exe
2009-08-06 16:24 . 2007-07-30 22:19 96480 ----a-w- c:\windows\system32\cdm.dll
2009-08-06 16:23 . 2008-03-07 20:06 575704 ----a-w- c:\windows\system32\wuapi.dll
2009-08-06 16:23 . 2008-03-07 20:06 1929952 ----a-w- c:\windows\system32\wuaueng.dll
2009-08-06 16:23 . 2007-07-30 22:19 274288 ----a-w- c:\windows\system32\mucltui.dll
2009-08-06 16:23 . 2007-07-30 22:19 215920 ----a-w- c:\windows\system32\muweb.dll
2009-08-05 09:01 . 2004-08-04 11:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-03 12:07 . 2009-08-03 12:07 403816 ----a-w- c:\windows\system32\OGACheckControl.dll
2009-08-03 12:07 . 2009-08-03 12:07 322928 ----a-w- c:\windows\system32\OGAAddin.dll
2009-08-03 12:07 . 2009-08-03 12:07 230768 ----a-w- c:\windows\system32\OGAEXEC.exe
2009-07-29 04:37 . 2007-04-28 13:02 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-07-29 04:37 . 2005-10-17 19:21 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-07-17 19:01 . 2004-08-04 11:00 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-11 22:15 . 2009-07-11 22:15 108544 --sha-w- c:\windows\system32\bumisida.dll
2009-07-11 22:20 . 2009-07-11 22:20 2510 --sha-w- c:\windows\system32\fopogufa.dll
2009-07-12 11:52 . 2009-07-12 11:52 2511 --sha-w- c:\windows\system32\gagadeda.dll
2009-07-12 11:52 . 2009-07-12 11:52 2509 --sha-w- c:\windows\system32\gotevori.dll
2009-07-12 11:52 . 2009-07-12 11:52 2510 --sha-w- c:\windows\system32\hezekose.dll
2009-07-13 15:28 . 2009-07-13 15:28 2510 --sha-w- c:\windows\system32\kizoraju.dll
2009-07-13 15:28 . 2009-07-13 15:28 2337 --sha-w- c:\windows\system32\lezowafu.exe
2009-07-13 15:28 . 2009-07-13 15:28 2510 --sha-w- c:\windows\system32\nagefipi.dll
2009-07-13 02:29 . 2009-07-13 02:29 2510 --sha-w- c:\windows\system32\nokosemu.dll
2009-07-13 15:28 . 2009-07-13 15:28 2511 --sha-w- c:\windows\system32\pemewoma.dll
2009-07-11 22:20 . 2009-07-11 22:20 2510 --sha-w- c:\windows\system32\temoliro.dll
2009-07-13 15:28 . 2009-07-13 15:28 2338 --sha-w- c:\windows\system32\vehotora.exe
2009-07-11 22:20 . 2009-07-11 22:20 1049600 --sha-w- c:\windows\system32\wipirawu.exe
2009-07-11 22:20 . 2009-07-11 22:20 2509 --sha-w- c:\windows\system32\yasukeki.dll
2009-07-13 02:29 . 2009-07-13 02:29 2511 --sha-w- c:\windows\system32\yudasobe.dll
2009-07-11 22:15 . 2009-07-11 22:15 108544 --sha-w- c:\windows\system32\zuharovi.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{d3ceb086-d1cb-41d2-8926-160eac6ca076}]
2009-07-11 22:15 108544 --sha-w- c:\windows\system32\bumisida.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 90112]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2007-01-05 872448]
"QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2007-11-06 177456]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-01-18 1028096]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2007-05-10 624248]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2009-05-14 2029640]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\zuharovi.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli zuharovi.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
"FirewallOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\WINDOWS\\system32\\lsass.exe"=
R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [14.05.09 07:47 107256]
R2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [14.05.09 07:47 731840]
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder
2009-10-14 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAEXEC.exe [2009-08-03 12:07]
2009-10-13 c:\windows\Tasks\User_Feed_Synchronization-{F34E8F2C-8C39-43CD-83FC-3FBA467E8786}.job
- c:\windows\system32\msfeedssync.exe [2007-12-12 01:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Download all links with IDM - c:\program files\Internet Download Manager\IEGetAll.htm
IE: Download FLV video content with IDM - c:\program files\Internet Download Manager\IEGetVL.htm
IE: Download with IDM - c:\program files\Internet Download Manager\IEExt.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
Trusted Zone: chase.com\chaseonline
Trusted Zone: google.com\www
FF - ProfilePath - c:\documents and settings\ivo\Application Data\Mozilla\Firefox\Profiles\1qh6lqc6.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -
HKLM-Run-ruvarejize - yevapare.dll
AddRemove-{F46BF5EA-0B4E-4A41-8C4B-3B127346E30F} - c:\documents and settings\ivo\Local Settings\Application Data\{F9ABF6FF-B068-4877-9373-3B5353A65A36}\NBCDirectInstaller.exe
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-13 21:53
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
However, I read a lot in this forum and performed this gimmick with ComboFix. Here are my CF stats and the new HJ stats. I really hope you will either help or at least honestly say that I'd better reinstall Windows and not waste your time anymore. Thank you in advance.
So:
Win32kDiag.txt:
Running from: C:\Documents and Settings\ivo\Desktop\Win32kDiag.exe
Log file at : C:\Documents and Settings\ivo\Desktop\Win32kDiag.txt
WARNING: Could not get backup privileges!
Searching 'C:\WINDOWS'...
ComboFix 09-10-13.01 - ivo 13.10.09 21:49.1.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1251.359.1033.18.3071.2682 [GMT -5:00]
Running from: c:\documents and settings\ivo\Desktop\Combo-Fix.exe
AV: ESET Smart Security 4.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: ESET Personal firewall *disabled* {E5E70D32-0101-4340-86A3-A7B0F1C8FFE0}
* Resident AV is active
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\windows\system32\oem9.inf
c:\windows\system32\yevapare.dll
c:\windows\system32\yudawane.dll
----- BITS: Possible infected sites -----
hxxp://193.33.61.160
Infected copy of c:\windows\system32\drivers\iaStor.sys was found and disinfected
Restored copy from - Kitty ate it :^)
.
((((((((((((((((((((((((( Files Created from 2009-09-14 to 2009-10-14 )))))))))))))))))))))))))))))))
.
2009-10-13 20:10 . 2009-10-13 20:10 -------- d-----w- c:\program files\Trend Micro
2009-10-13 19:39 . 2009-10-13 19:39 -------- d--h--w- c:\windows\PIF
2009-10-13 19:16 . 2009-10-13 19:16 -------- d-----w- c:\documents and settings\ivo\Application Data\Malwarebytes
2009-10-13 19:08 . 2009-09-10 19:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-13 19:08 . 2009-10-13 19:41 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-13 19:08 . 2009-10-13 19:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-10-13 19:08 . 2009-09-10 19:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-13 16:06 . 2009-10-13 16:14 39946752 ----a-w- C:\ess_nt64_enu.msi
2009-10-12 22:48 . 2009-10-12 22:48 -------- d-----w- c:\documents and settings\ivo\Application Data\GARMIN
2009-10-12 22:46 . 2009-10-12 22:46 -------- d-----w- c:\program files\Garmin GPS Plugin
2009-10-12 22:46 . 2009-10-12 22:46 -------- d-----w- c:\program files\DIFX
2009-10-12 22:46 . 2009-10-12 22:46 -------- d-----w- c:\program files\Garmin
2009-10-08 19:43 . 2009-10-08 19:43 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-10-08 14:39 . 2009-10-13 21:53 -------- d-----w- C:\Nevena
2009-10-08 04:48 . 2008-04-14 05:15 26368 -c--a-w- c:\windows\system32\dllcache\usbstor.sys
2009-10-07 13:30 . 2009-10-07 13:30 0 ----a-w- c:\windows\nsreg.dat
2009-10-07 13:30 . 2009-10-07 13:30 -------- d-----w- c:\documents and settings\ivo\Local Settings\Application Data\Mozilla
2009-10-06 03:56 . 2009-10-06 03:56 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2009-10-05 00:53 . 2009-10-05 00:53 -------- d-----w- c:\documents and settings\ivo\Local Settings\Application Data\ESET
2009-10-04 21:26 . 2009-10-04 21:26 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\ESET
2009-10-03 23:38 . 2009-10-03 23:38 -------- d-----w- c:\documents and settings\ivo\Application Data\GRETECH
2009-10-03 23:30 . 2009-10-03 23:30 -------- d-----w- c:\program files\GRETECH
2009-10-03 21:04 . 2009-10-04 23:08 -------- d-----w- c:\documents and settings\ivo\Application Data\NBC Direct
2009-10-03 21:04 . 2009-10-04 23:24 -------- d-----w- c:\program files\Pando Networks
2009-10-03 21:04 . 2009-10-04 23:08 -------- d-----w- c:\documents and settings\All Users\Application Data\NBC Direct
2009-10-03 21:04 . 2009-10-04 23:08 -------- d---a-w- c:\program files\NBC Direct
2009-10-03 19:59 . 2009-10-03 19:59 -------- d-----w- c:\documents and settings\ivo\UpToDate
2009-10-03 19:57 . 2009-10-03 19:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Office Genuine Advantage
2009-10-03 19:57 . 2009-10-03 19:57 -------- d-----w- c:\documents and settings\ivo\Application Data\Office Genuine Advantage
2009-10-03 19:27 . 2009-10-03 19:58 -------- d-----w- c:\program files\UpToDate
2009-10-03 08:04 . 2008-04-13 21:09 5504 -c--a-w- c:\windows\system32\dllcache\mstee.sys
2009-10-03 08:04 . 2008-04-13 21:09 5504 ----a-w- c:\windows\system32\drivers\MSTEE.sys
2009-10-03 08:04 . 2008-04-13 21:16 10880 -c--a-w- c:\windows\system32\dllcache\ndisip.sys
2009-10-03 08:04 . 2008-04-13 21:16 10880 ----a-w- c:\windows\system32\drivers\NdisIP.sys
2009-10-03 08:04 . 2008-04-13 21:16 15232 -c--a-w- c:\windows\system32\dllcache\streamip.sys
2009-10-03 08:04 . 2008-04-13 21:16 15232 ----a-w- c:\windows\system32\drivers\StreamIP.sys
2009-10-03 08:03 . 2008-04-13 21:16 11136 -c--a-w- c:\windows\system32\dllcache\slip.sys
2009-10-03 08:03 . 2008-04-13 21:16 11136 ----a-w- c:\windows\system32\drivers\SLIP.sys
2009-10-03 08:03 . 2008-04-13 21:16 19200 -c--a-w- c:\windows\system32\dllcache\wstcodec.sys
2009-10-03 08:03 . 2008-04-13 21:16 19200 ----a-w- c:\windows\system32\drivers\WSTCODEC.SYS
2009-10-03 08:03 . 2008-04-13 21:16 85248 -c--a-w- c:\windows\system32\dllcache\nabtsfec.sys
2009-10-03 08:03 . 2008-04-13 21:16 85248 ----a-w- c:\windows\system32\drivers\NABTSFEC.sys
2009-10-03 08:03 . 2008-04-13 21:16 17024 -c--a-w- c:\windows\system32\dllcache\ccdecode.sys
2009-10-03 08:03 . 2008-04-13 21:16 17024 ----a-w- c:\windows\system32\drivers\CCDECODE.sys
2009-10-03 08:03 . 2008-04-13 21:15 60032 -c--a-w- c:\windows\system32\dllcache\usbaudio.sys
2009-10-03 08:03 . 2008-04-13 21:15 60032 ----a-w- c:\windows\system32\drivers\USBAUDIO.sys
2009-10-03 08:02 . 2008-04-14 02:42 53760 -c--a-w- c:\windows\system32\dllcache\vfwwdm32.dll
2009-10-03 08:02 . 2008-04-14 02:42 53760 ----a-w- c:\windows\system32\vfwwdm32.dll
2009-10-03 08:02 . 2008-04-13 21:15 32128 -c--a-w- c:\windows\system32\dllcache\usbccgp.sys
2009-10-03 08:02 . 2008-04-13 21:15 32128 ----a-w- c:\windows\system32\drivers\usbccgp.sys
2009-10-03 08:02 . 2009-10-13 23:09 -------- d-----w- c:\documents and settings\ivo\Application Data\skypePM
2009-10-03 08:02 . 2009-10-03 08:02 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2009-10-03 07:58 . 2009-10-14 02:47 -------- d-----w- c:\documents and settings\ivo\Application Data\Skype
2009-10-03 07:56 . 2009-10-03 07:56 -------- d-----w- c:\program files\Common Files\Skype
2009-10-03 07:56 . 2009-10-03 07:56 -------- d-----r- c:\program files\Skype
2009-10-03 07:55 . 2009-10-03 07:56 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2009-10-03 07:48 . 2009-10-03 07:48 -------- d-sh--w- c:\documents and settings\ivo\PrivacIE
2009-10-02 22:38 . 2009-10-02 22:38 -------- d-sh--w- c:\documents and settings\ivo\IETldCache
2009-10-02 22:07 . 2009-08-07 08:48 100352 -c----w- c:\windows\system32\dllcache\iecompat.dll
2009-10-02 22:07 . 2009-10-03 18:48 -------- d-----w- c:\windows\ie8updates
2009-10-02 22:06 . 2009-07-03 17:09 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2009-10-02 22:06 . 2009-07-03 17:09 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2009-10-02 22:06 . 2009-10-02 22:06 -------- dc-h--w- c:\windows\ie8
2009-10-02 21:56 . 2009-10-02 21:56 -------- d-----w- c:\windows\system32\XPSViewer
2009-10-02 21:56 . 2009-10-02 21:56 -------- d-----w- c:\program files\MSBuild
2009-10-02 21:56 . 2009-10-02 21:56 -------- d-----w- c:\program files\Reference Assemblies
2009-10-02 21:55 . 2008-07-06 12:06 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-10-02 21:55 . 2008-07-06 12:06 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
2009-10-02 21:55 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
2009-10-02 21:55 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
2009-10-02 21:55 . 2008-07-06 10:50 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-10-02 21:55 . 2009-10-02 21:56 -------- d-----w- C:\d9ae6748a70b06d8b177
2009-10-02 21:55 . 2008-07-06 12:06 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll
2009-10-02 21:55 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
2009-10-02 21:46 . 2009-10-02 21:46 -------- d-----w- c:\program files\MSXML 4.0
2009-10-02 21:42 . 2009-10-03 18:48 -------- d--h--w- c:\windows\$hf_mig$
2009-10-02 21:38 . 2009-07-29 04:37 81920 -c----w- c:\windows\system32\dllcache\fontsub.dll
2009-10-02 21:38 . 2009-07-29 04:37 119808 -c----w- c:\windows\system32\dllcache\t2embed.dll
2009-10-02 21:37 . 2009-06-10 06:14 132096 -c----w- c:\windows\system32\dllcache\wkssvc.dll
2009-10-02 21:37 . 2009-06-12 12:31 80896 -c----w- c:\windows\system32\dllcache\tlntsess.exe
2009-10-02 21:37 . 2009-06-12 12:31 76288 -c----w- c:\windows\system32\dllcache\telnet.exe
2009-10-02 21:36 . 2009-06-10 14:13 84992 -c----w- c:\windows\system32\dllcache\avifil32.dll
2009-10-02 21:36 . 2009-06-25 08:25 54272 -c----w- c:\windows\system32\dllcache\wdigest.dll
2009-10-02 21:36 . 2009-06-25 08:25 136192 -c----w- c:\windows\system32\dllcache\msv1_0.dll
2009-10-02 21:36 . 2009-06-24 11:18 92928 -c----w- c:\windows\system32\dllcache\ksecdd.sys
2009-10-02 21:36 . 2009-06-25 08:25 301568 -c----w- c:\windows\system32\dllcache\kerberos.dll
2009-10-02 21:36 . 2009-07-17 19:01 58880 -c----w- c:\windows\system32\dllcache\atl.dll
2009-10-02 21:35 . 2009-07-03 17:09 594432 -c----w- c:\windows\system32\dllcache\msfeeds.dll
2009-10-02 21:35 . 2009-07-03 17:09 1985536 -c----w- c:\windows\system32\dllcache\iertutil.dll
2009-10-02 21:35 . 2009-03-08 01:33 18944 -c--a-w- c:\windows\system32\dllcache\corpol.dll
2009-10-02 21:35 . 2009-07-03 17:09 55296 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll
2009-10-02 21:35 . 2009-03-08 01:31 59904 -c--a-w- c:\windows\system32\dllcache\icardie.dll
2009-10-02 21:35 . 2009-06-29 11:25 13824 -c----w- c:\windows\system32\dllcache\ieudinit.exe
2009-10-02 21:35 . 2009-03-08 01:11 445952 -c--a-w- c:\windows\system32\dllcache\ieapfltr.dll
2009-10-02 21:35 . 2009-02-06 18:07 3698584 -c--a-w- c:\windows\system32\dllcache\ieapfltr.dat
2009-10-02 21:35 . 2009-07-19 15:48 11067392 -c----w- c:\windows\system32\dllcache\ieframe.dll
2009-10-02 21:32 . 2009-06-03 19:09 1291264 -c----w- c:\windows\system32\dllcache\quartz.dll
2009-10-02 21:32 . 2009-08-05 09:01 204800 -c----w- c:\windows\system32\dllcache\mswebdvd.dll
2009-10-02 21:25 . 2009-06-21 21:44 153088 -c----w- c:\windows\system32\dllcache\triedit.dll
2009-10-02 21:21 . 2009-07-10 13:27 1315328 -c----w- c:\windows\system32\dllcache\msoe.dll
2009-10-02 21:04 . 2009-04-15 14:51 585216 -c----w- c:\windows\system32\dllcache\rpcrt4.dll
2009-10-02 21:04 . 2009-04-17 12:26 1847168 -c----w- c:\windows\system32\dllcache\win32k.sys
2009-10-02 21:04 . 2009-05-07 15:32 345600 -c----w- c:\windows\system32\dllcache\localspl.dll
2009-10-02 21:03 . 2009-06-25 08:25 56832 -c----w- c:\windows\system32\dllcache\secur32.dll
2009-10-02 21:03 . 2009-03-21 14:06 989696 -c----w- c:\windows\system32\dllcache\kernel32.dll
2009-10-02 21:02 . 2008-12-16 12:30 354304 -c----w- c:\windows\system32\dllcache\winhttp.dll
2009-10-02 21:02 . 2008-06-12 14:23 956928 -c----w- c:\windows\system32\dllcache\msdtctm.dll
2009-10-02 21:02 . 2008-06-12 14:23 91648 -c----w- c:\windows\system32\dllcache\mtxoci.dll
2009-10-02 21:02 . 2008-06-12 14:23 66560 -c----w- c:\windows\system32\dllcache\mtxclu.dll
2009-10-02 21:02 . 2008-06-12 14:23 58880 -c----w- c:\windows\system32\dllcache\msdtclog.dll
2009-10-02 21:02 . 2008-06-12 14:23 161792 -c----w- c:\windows\system32\dllcache\msdtcuiu.dll
2009-10-02 21:01 . 2009-03-06 14:22 284160 -c----w- c:\windows\system32\dllcache\pdh.dll
2009-10-02 21:01 . 2009-02-09 12:10 401408 -c----w- c:\windows\system32\dllcache\rpcss.dll
2009-10-02 21:01 . 2009-02-06 11:11 110592 -c----w- c:\windows\system32\dllcache\services.exe
2009-10-02 21:01 . 2009-02-09 12:10 473600 -c----w- c:\windows\system32\dllcache\fastprox.dll
2009-10-02 21:01 . 2009-02-09 12:10 453120 -c----w- c:\windows\system32\dllcache\wmiprvsd.dll
2009-10-02 21:01 . 2009-02-06 10:10 227840 -c----w- c:\windows\system32\dllcache\wmiprvse.exe
2009-10-02 21:01 . 2009-06-25 08:25 730112 -c----w- c:\windows\system32\dllcache\lsasrv.dll
2009-10-02 21:01 . 2009-02-09 12:10 714752 -c----w- c:\windows\system32\dllcache\ntdll.dll
2009-10-02 21:01 . 2009-02-09 12:10 617472 -c----w- c:\windows\system32\dllcache\advapi32.dll
2009-10-02 21:01 . 2009-02-06 11:08 2189056 -c----w- c:\windows\system32\dllcache\ntoskrnl.exe
2009-10-02 21:01 . 2009-02-06 11:06 2145280 -c----w- c:\windows\system32\dllcache\ntkrnlmp.exe
2009-10-02 21:01 . 2009-02-06 10:32 2023936 -c----w- c:\windows\system32\dllcache\ntkrpamp.exe
2009-10-02 21:00 . 2008-05-03 11:55 2560 ------w- c:\windows\system32\xpsp4res.dll
2009-10-02 21:00 . 2008-04-21 12:08 215552 -c----w- c:\windows\system32\dllcache\wordpad.exe
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-13 20:41 . 2008-03-09 15:30 -------- d-----w- c:\documents and settings\ivo\Application Data\uTorrent
2009-10-05 00:41 . 2008-03-10 02:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-10-04 22:46 . 2008-03-08 01:18 70528 ----a-w- c:\documents and settings\ivo\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-03 21:11 . 2008-03-09 11:45 -------- d-----w- c:\documents and settings\ivo\Application Data\IDM
2009-10-03 19:25 . 2008-03-08 01:24 -------- d-----w- c:\program files\Common Files\InstallShield
2009-10-02 21:50 . 2008-03-10 02:07 -------- d-----w- c:\program files\Microsoft Works
2009-08-06 16:24 . 2008-03-07 20:06 327896 ----a-w- c:\windows\system32\wucltui.dll
2009-08-06 16:24 . 2008-03-07 20:06 209632 ----a-w- c:\windows\system32\wuweb.dll
2009-08-06 16:24 . 2008-03-07 20:06 35552 ----a-w- c:\windows\system32\wups.dll
2009-08-06 16:24 . 2007-07-30 22:19 44768 ----a-w- c:\windows\system32\wups2.dll
2009-08-06 16:24 . 2008-03-07 20:06 53472 ----a-w- c:\windows\system32\wuauclt.exe
2009-08-06 16:24 . 2007-07-30 22:19 96480 ----a-w- c:\windows\system32\cdm.dll
2009-08-06 16:23 . 2008-03-07 20:06 575704 ----a-w- c:\windows\system32\wuapi.dll
2009-08-06 16:23 . 2008-03-07 20:06 1929952 ----a-w- c:\windows\system32\wuaueng.dll
2009-08-06 16:23 . 2007-07-30 22:19 274288 ----a-w- c:\windows\system32\mucltui.dll
2009-08-06 16:23 . 2007-07-30 22:19 215920 ----a-w- c:\windows\system32\muweb.dll
2009-08-05 09:01 . 2004-08-04 11:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-03 12:07 . 2009-08-03 12:07 403816 ----a-w- c:\windows\system32\OGACheckControl.dll
2009-08-03 12:07 . 2009-08-03 12:07 322928 ----a-w- c:\windows\system32\OGAAddin.dll
2009-08-03 12:07 . 2009-08-03 12:07 230768 ----a-w- c:\windows\system32\OGAEXEC.exe
2009-07-29 04:37 . 2007-04-28 13:02 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-07-29 04:37 . 2005-10-17 19:21 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-07-17 19:01 . 2004-08-04 11:00 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-11 22:15 . 2009-07-11 22:15 108544 --sha-w- c:\windows\system32\bumisida.dll
2009-07-11 22:20 . 2009-07-11 22:20 2510 --sha-w- c:\windows\system32\fopogufa.dll
2009-07-12 11:52 . 2009-07-12 11:52 2511 --sha-w- c:\windows\system32\gagadeda.dll
2009-07-12 11:52 . 2009-07-12 11:52 2509 --sha-w- c:\windows\system32\gotevori.dll
2009-07-12 11:52 . 2009-07-12 11:52 2510 --sha-w- c:\windows\system32\hezekose.dll
2009-07-13 15:28 . 2009-07-13 15:28 2510 --sha-w- c:\windows\system32\kizoraju.dll
2009-07-13 15:28 . 2009-07-13 15:28 2337 --sha-w- c:\windows\system32\lezowafu.exe
2009-07-13 15:28 . 2009-07-13 15:28 2510 --sha-w- c:\windows\system32\nagefipi.dll
2009-07-13 02:29 . 2009-07-13 02:29 2510 --sha-w- c:\windows\system32\nokosemu.dll
2009-07-13 15:28 . 2009-07-13 15:28 2511 --sha-w- c:\windows\system32\pemewoma.dll
2009-07-11 22:20 . 2009-07-11 22:20 2510 --sha-w- c:\windows\system32\temoliro.dll
2009-07-13 15:28 . 2009-07-13 15:28 2338 --sha-w- c:\windows\system32\vehotora.exe
2009-07-11 22:20 . 2009-07-11 22:20 1049600 --sha-w- c:\windows\system32\wipirawu.exe
2009-07-11 22:20 . 2009-07-11 22:20 2509 --sha-w- c:\windows\system32\yasukeki.dll
2009-07-13 02:29 . 2009-07-13 02:29 2511 --sha-w- c:\windows\system32\yudasobe.dll
2009-07-11 22:15 . 2009-07-11 22:15 108544 --sha-w- c:\windows\system32\zuharovi.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{d3ceb086-d1cb-41d2-8926-160eac6ca076}]
2009-07-11 22:15 108544 --sha-w- c:\windows\system32\bumisida.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 90112]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2007-01-05 872448]
"QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2007-11-06 177456]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-01-18 1028096]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2007-05-10 624248]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2009-05-14 2029640]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\zuharovi.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli zuharovi.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
"FirewallOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\WINDOWS\\system32\\lsass.exe"=
R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [14.05.09 07:47 107256]
R2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [14.05.09 07:47 731840]
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder
2009-10-14 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAEXEC.exe [2009-08-03 12:07]
2009-10-13 c:\windows\Tasks\User_Feed_Synchronization-{F34E8F2C-8C39-43CD-83FC-3FBA467E8786}.job
- c:\windows\system32\msfeedssync.exe [2007-12-12 01:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Download all links with IDM - c:\program files\Internet Download Manager\IEGetAll.htm
IE: Download FLV video content with IDM - c:\program files\Internet Download Manager\IEGetVL.htm
IE: Download with IDM - c:\program files\Internet Download Manager\IEExt.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
Trusted Zone: chase.com\chaseonline
Trusted Zone: google.com\www
FF - ProfilePath - c:\documents and settings\ivo\Application Data\Mozilla\Firefox\Profiles\1qh6lqc6.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -
HKLM-Run-ruvarejize - yevapare.dll
AddRemove-{F46BF5EA-0B4E-4A41-8C4B-3B127346E30F} - c:\documents and settings\ivo\Local Settings\Application Data\{F9ABF6FF-B068-4877-9373-3B5353A65A36}\NBCDirectInstaller.exe
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-13 21:53
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
@Denied: (A 2) (Everyone)
@="IFlashBroker3"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
[HKEY_LOCAL_MACHINE\software\ESET\ESET Security\CurrentVersion\Info]
@Denied: (2) (LocalSystem)
"AppDataDir"="c:\\Documents and Settings\\All Users\\Application Data\\ESET\\ESET Smart Security\\"
"DataDir"="ESET\\ESET Smart Security\\"
"EditionName"=" "
"InstallDir"="c:\\Program Files\\ESET\\ESET NOD32 Antivirus\\"
"LanguageId"=dword:00000409
"PackageTag"=dword:6090e758
"ProductBase"=dword:00000001
"ProductCode"="{71CBF9BB-7E07-4A9D-BF30-84C11810B242}"
"ProductName"="ESET Smart Security"
"ProductType"="ess"
"ProductVersion"="4.0.437.0"
"UniqueId"="0003F0BA4AC65FBE"
"ScannerBuild"=dword:00001329
"ScannerVersionId"=dword:00000feb
"ScannerVersion"="Open window for status."
"FixId"=dword:00000005
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(980)
c:\windows\system32\Ati2evxx.dll
- - - - - - - > 'lsass.exe'(1036)
c:\windows\system32\zuharovi.dll
c:\windows\system32\wininet.dll
- - - - - - - > 'explorer.exe'(2956)
c:\windows\system32\WININET.dll
c:\windows\system32\zuharovi.dll
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\IEFRAME.dll
c:\windows\system32\wpdshserviceobj.dll
c:\windows\system32\btncopy.dll
c:\windows\system32\portabledevicetypes.dll
c:\windows\system32\portabledeviceapi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
c:\windows\system32\ati2evxx.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
c:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe
.
**************************************************************************
.
Completion time: 2009-10-14 21:55 - machine was rebooted
ComboFix-quarantined-files.txt 2009-10-14 02:55
Pre-Run: 19 772 923 904 bytes free
Post-Run: 19 793 358 848 bytes free
334 --- E O F --- 2008-03-10 10:41
HJ: attached
Attached Files
#3
Posted 15 October 2009 - 02:32 PM
Delete your existing copy of ComboFix. Then visit this webpage for an updated copy:
http://www.bleepingc...to-use-combofix
Post the log from ComboFix when you've accomplished that.
#4
Posted 16 October 2009 - 03:48 PM
It is done. Here is the log:
ComboFix 09-10-15.04 - ivo 16.10.09 10:32.2.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1251.359.1033.18.3071.2357 [GMT -5:00]
Running from: c:\documents and settings\ivo\Desktop\Combo-Fix.exe
AV: ESET Smart Security 4.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: ESET Personal firewall *disabled* {E5E70D32-0101-4340-86A3-A7B0F1C8FFE0}
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\All Users\Application Data\02811517
c:\documents and settings\All Users\Application Data\02811517\02811517.exe
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\windows\system32\fuyigeze.exe
c:\windows\system32\nijozaka.exe
c:\windows\system32\rolirefu.exe
c:\windows\system32\zohijiho.exe
c:\windows\TEMP\NOD15F4.tmp
c:\windows\TEMP\NOD2861.tmp
----- BITS: Possible infected sites -----
hxxp://193.33.61.160
.
((((((((((((((((((((((((( Files Created from 2009-09-16 to 2009-10-16 )))))))))))))))))))))))))))))))
.
2009-10-13 20:10 . 2009-10-13 20:10 -------- d-----w- c:\program files\Trend Micro
2009-10-13 19:39 . 2009-10-13 19:39 -------- d--h--w- c:\windows\PIF
2009-10-13 19:16 . 2009-10-13 19:16 -------- d-----w- c:\documents and settings\ivo\Application Data\Malwarebytes
2009-10-13 19:08 . 2009-09-10 19:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-13 19:08 . 2009-10-13 19:41 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-13 19:08 . 2009-10-13 19:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-10-13 19:08 . 2009-09-10 19:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-13 16:06 . 2009-10-13 16:14 39946752 ----a-w- C:\ess_nt64_enu.msi
2009-10-12 22:48 . 2009-10-12 22:48 -------- d-----w- c:\documents and settings\ivo\Application Data\GARMIN
2009-10-12 22:46 . 2009-10-12 22:46 -------- d-----w- c:\program files\Garmin GPS Plugin
2009-10-12 22:46 . 2009-10-12 22:46 -------- d-----w- c:\program files\DIFX
2009-10-12 22:46 . 2009-10-12 22:46 -------- d-----w- c:\program files\Garmin
2009-10-08 19:43 . 2009-10-08 19:43 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-10-08 14:39 . 2009-10-13 21:53 -------- d-----w- C:\Nevena
2009-10-08 04:48 . 2008-04-14 05:15 26368 -c--a-w- c:\windows\system32\dllcache\usbstor.sys
2009-10-07 13:30 . 2009-10-07 13:30 0 ----a-w- c:\windows\nsreg.dat
2009-10-07 13:30 . 2009-10-07 13:30 -------- d-----w- c:\documents and settings\ivo\Local Settings\Application Data\Mozilla
2009-10-06 03:56 . 2009-10-06 03:56 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2009-10-05 00:53 . 2009-10-05 00:53 -------- d-----w- c:\documents and settings\ivo\Local Settings\Application Data\ESET
2009-10-04 21:26 . 2009-10-04 21:26 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\ESET
2009-10-03 23:38 . 2009-10-03 23:38 -------- d-----w- c:\documents and settings\ivo\Application Data\GRETECH
2009-10-03 23:30 . 2009-10-03 23:30 -------- d-----w- c:\program files\GRETECH
2009-10-03 21:04 . 2009-10-04 23:08 -------- d-----w- c:\documents and settings\ivo\Application Data\NBC Direct
2009-10-03 21:04 . 2009-10-04 23:24 -------- d-----w- c:\program files\Pando Networks
2009-10-03 21:04 . 2009-10-04 23:08 -------- d-----w- c:\documents and settings\All Users\Application Data\NBC Direct
2009-10-03 21:04 . 2009-10-04 23:08 -------- d---a-w- c:\program files\NBC Direct
2009-10-03 19:59 . 2009-10-03 19:59 -------- d-----w- c:\documents and settings\ivo\UpToDate
2009-10-03 19:57 . 2009-10-03 19:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Office Genuine Advantage
2009-10-03 19:57 . 2009-10-03 19:57 -------- d-----w- c:\documents and settings\ivo\Application Data\Office Genuine Advantage
2009-10-03 19:27 . 2009-10-03 19:58 -------- d-----w- c:\program files\UpToDate
2009-10-03 08:04 . 2008-04-13 21:09 5504 -c--a-w- c:\windows\system32\dllcache\mstee.sys
2009-10-03 08:04 . 2008-04-13 21:09 5504 ----a-w- c:\windows\system32\drivers\MSTEE.sys
2009-10-03 08:04 . 2008-04-13 21:16 10880 -c--a-w- c:\windows\system32\dllcache\ndisip.sys
2009-10-03 08:04 . 2008-04-13 21:16 10880 ----a-w- c:\windows\system32\drivers\NdisIP.sys
2009-10-03 08:04 . 2008-04-13 21:16 15232 -c--a-w- c:\windows\system32\dllcache\streamip.sys
2009-10-03 08:04 . 2008-04-13 21:16 15232 ----a-w- c:\windows\system32\drivers\StreamIP.sys
2009-10-03 08:03 . 2008-04-13 21:16 11136 -c--a-w- c:\windows\system32\dllcache\slip.sys
2009-10-03 08:03 . 2008-04-13 21:16 11136 ----a-w- c:\windows\system32\drivers\SLIP.sys
2009-10-03 08:03 . 2008-04-13 21:16 19200 -c--a-w- c:\windows\system32\dllcache\wstcodec.sys
2009-10-03 08:03 . 2008-04-13 21:16 19200 ----a-w- c:\windows\system32\drivers\WSTCODEC.SYS
2009-10-03 08:03 . 2008-04-13 21:16 85248 -c--a-w- c:\windows\system32\dllcache\nabtsfec.sys
2009-10-03 08:03 . 2008-04-13 21:16 85248 ----a-w- c:\windows\system32\drivers\NABTSFEC.sys
2009-10-03 08:03 . 2008-04-13 21:16 17024 -c--a-w- c:\windows\system32\dllcache\ccdecode.sys
2009-10-03 08:03 . 2008-04-13 21:16 17024 ----a-w- c:\windows\system32\drivers\CCDECODE.sys
2009-10-03 08:03 . 2008-04-13 21:15 60032 -c--a-w- c:\windows\system32\dllcache\usbaudio.sys
2009-10-03 08:03 . 2008-04-13 21:15 60032 ----a-w- c:\windows\system32\drivers\USBAUDIO.sys
2009-10-03 08:02 . 2008-04-14 02:42 53760 -c--a-w- c:\windows\system32\dllcache\vfwwdm32.dll
2009-10-03 08:02 . 2008-04-14 02:42 53760 ----a-w- c:\windows\system32\vfwwdm32.dll
2009-10-03 08:02 . 2008-04-13 21:15 32128 -c--a-w- c:\windows\system32\dllcache\usbccgp.sys
2009-10-03 08:02 . 2008-04-13 21:15 32128 ----a-w- c:\windows\system32\drivers\usbccgp.sys
2009-10-03 08:02 . 2009-10-16 13:01 -------- d-----w- c:\documents and settings\ivo\Application Data\skypePM
2009-10-03 08:02 . 2009-10-03 08:02 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2009-10-03 07:58 . 2009-10-16 15:35 -------- d-----w- c:\documents and settings\ivo\Application Data\Skype
2009-10-03 07:56 . 2009-10-03 07:56 -------- d-----w- c:\program files\Common Files\Skype
2009-10-03 07:56 . 2009-10-03 07:56 -------- d-----r- c:\program files\Skype
2009-10-03 07:55 . 2009-10-03 07:56 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2009-10-03 07:48 . 2009-10-03 07:48 -------- d-sh--w- c:\documents and settings\ivo\PrivacIE
2009-10-02 22:38 . 2009-10-02 22:38 -------- d-sh--w- c:\documents and settings\ivo\IETldCache
2009-10-02 22:07 . 2009-08-07 08:48 100352 -c----w- c:\windows\system32\dllcache\iecompat.dll
2009-10-02 22:07 . 2009-10-03 18:48 -------- d-----w- c:\windows\ie8updates
2009-10-02 22:06 . 2009-07-03 17:09 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2009-10-02 22:06 . 2009-07-03 17:09 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2009-10-02 22:06 . 2009-10-02 22:06 -------- dc-h--w- c:\windows\ie8
2009-10-02 21:56 . 2009-10-02 21:56 -------- d-----w- c:\windows\system32\XPSViewer
2009-10-02 21:56 . 2009-10-02 21:56 -------- d-----w- c:\program files\MSBuild
2009-10-02 21:56 . 2009-10-02 21:56 -------- d-----w- c:\program files\Reference Assemblies
2009-10-02 21:55 . 2008-07-06 12:06 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-10-02 21:55 . 2008-07-06 12:06 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
2009-10-02 21:55 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
2009-10-02 21:55 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
2009-10-02 21:55 . 2008-07-06 10:50 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-10-02 21:55 . 2009-10-02 21:56 -------- d-----w- C:\d9ae6748a70b06d8b177
2009-10-02 21:55 . 2008-07-06 12:06 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll
2009-10-02 21:55 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
2009-10-02 21:46 . 2009-10-02 21:46 -------- d-----w- c:\program files\MSXML 4.0
2009-10-02 21:42 . 2009-10-03 18:48 -------- d--h--w- c:\windows\$hf_mig$
2009-10-02 21:38 . 2009-07-29 04:37 81920 -c----w- c:\windows\system32\dllcache\fontsub.dll
2009-10-02 21:38 . 2009-07-29 04:37 119808 -c----w- c:\windows\system32\dllcache\t2embed.dll
2009-10-02 21:37 . 2009-06-10 06:14 132096 -c----w- c:\windows\system32\dllcache\wkssvc.dll
2009-10-02 21:37 . 2009-06-12 12:31 80896 -c----w- c:\windows\system32\dllcache\tlntsess.exe
2009-10-02 21:37 . 2009-06-12 12:31 76288 -c----w- c:\windows\system32\dllcache\telnet.exe
2009-10-02 21:36 . 2009-06-10 14:13 84992 -c----w- c:\windows\system32\dllcache\avifil32.dll
2009-10-02 21:36 . 2009-06-25 08:25 54272 -c----w- c:\windows\system32\dllcache\wdigest.dll
2009-10-02 21:36 . 2009-06-25 08:25 136192 -c----w- c:\windows\system32\dllcache\msv1_0.dll
2009-10-02 21:36 . 2009-06-24 11:18 92928 -c----w- c:\windows\system32\dllcache\ksecdd.sys
2009-10-02 21:36 . 2009-06-25 08:25 301568 -c----w- c:\windows\system32\dllcache\kerberos.dll
2009-10-02 21:36 . 2009-07-17 19:01 58880 -c----w- c:\windows\system32\dllcache\atl.dll
2009-10-02 21:35 . 2009-07-03 17:09 594432 -c----w- c:\windows\system32\dllcache\msfeeds.dll
2009-10-02 21:35 . 2009-07-03 17:09 1985536 -c----w- c:\windows\system32\dllcache\iertutil.dll
2009-10-02 21:35 . 2009-03-08 01:33 18944 -c--a-w- c:\windows\system32\dllcache\corpol.dll
2009-10-02 21:35 . 2009-07-03 17:09 55296 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll
2009-10-02 21:35 . 2009-03-08 01:31 59904 -c--a-w- c:\windows\system32\dllcache\icardie.dll
2009-10-02 21:35 . 2009-06-29 11:25 13824 -c----w- c:\windows\system32\dllcache\ieudinit.exe
2009-10-02 21:35 . 2009-03-08 01:11 445952 -c--a-w- c:\windows\system32\dllcache\ieapfltr.dll
2009-10-02 21:35 . 2009-02-06 18:07 3698584 -c--a-w- c:\windows\system32\dllcache\ieapfltr.dat
2009-10-02 21:35 . 2009-07-19 15:48 11067392 -c----w- c:\windows\system32\dllcache\ieframe.dll
2009-10-02 21:32 . 2009-06-03 19:09 1291264 -c----w- c:\windows\system32\dllcache\quartz.dll
2009-10-02 21:32 . 2009-08-05 09:01 204800 -c----w- c:\windows\system32\dllcache\mswebdvd.dll
2009-10-02 21:25 . 2009-06-21 21:44 153088 -c----w- c:\windows\system32\dllcache\triedit.dll
2009-10-02 21:21 . 2009-07-10 13:27 1315328 -c----w- c:\windows\system32\dllcache\msoe.dll
2009-10-02 21:04 . 2009-04-15 14:51 585216 -c----w- c:\windows\system32\dllcache\rpcrt4.dll
2009-10-02 21:04 . 2009-04-17 12:26 1847168 -c----w- c:\windows\system32\dllcache\win32k.sys
2009-10-02 21:04 . 2009-05-07 15:32 345600 -c----w- c:\windows\system32\dllcache\localspl.dll
2009-10-02 21:03 . 2009-06-25 08:25 56832 -c----w- c:\windows\system32\dllcache\secur32.dll
2009-10-02 21:03 . 2009-03-21 14:06 989696 -c----w- c:\windows\system32\dllcache\kernel32.dll
2009-10-02 21:02 . 2008-12-16 12:30 354304 -c----w- c:\windows\system32\dllcache\winhttp.dll
2009-10-02 21:02 . 2008-06-12 14:23 956928 -c----w- c:\windows\system32\dllcache\msdtctm.dll
2009-10-02 21:02 . 2008-06-12 14:23 91648 -c----w- c:\windows\system32\dllcache\mtxoci.dll
2009-10-02 21:02 . 2008-06-12 14:23 66560 -c----w- c:\windows\system32\dllcache\mtxclu.dll
2009-10-02 21:02 . 2008-06-12 14:23 58880 -c----w- c:\windows\system32\dllcache\msdtclog.dll
2009-10-02 21:02 . 2008-06-12 14:23 161792 -c----w- c:\windows\system32\dllcache\msdtcuiu.dll
2009-10-02 21:01 . 2009-03-06 14:22 284160 -c----w- c:\windows\system32\dllcache\pdh.dll
2009-10-02 21:01 . 2009-02-09 12:10 401408 -c----w- c:\windows\system32\dllcache\rpcss.dll
2009-10-02 21:01 . 2009-02-06 11:11 110592 -c----w- c:\windows\system32\dllcache\services.exe
2009-10-02 21:01 . 2009-02-09 12:10 473600 -c----w- c:\windows\system32\dllcache\fastprox.dll
2009-10-02 21:01 . 2009-02-09 12:10 453120 -c----w- c:\windows\system32\dllcache\wmiprvsd.dll
2009-10-02 21:01 . 2009-02-06 10:10 227840 -c----w- c:\windows\system32\dllcache\wmiprvse.exe
2009-10-02 21:01 . 2009-06-25 08:25 730112 -c----w- c:\windows\system32\dllcache\lsasrv.dll
2009-10-02 21:01 . 2009-02-09 12:10 714752 -c----w- c:\windows\system32\dllcache\ntdll.dll
2009-10-02 21:01 . 2009-02-09 12:10 617472 -c----w- c:\windows\system32\dllcache\advapi32.dll
2009-10-02 21:01 . 2009-02-06 11:08 2189056 -c----w- c:\windows\system32\dllcache\ntoskrnl.exe
2009-10-02 21:01 . 2009-02-06 11:06 2145280 -c----w- c:\windows\system32\dllcache\ntkrnlmp.exe
2009-10-02 21:01 . 2009-02-06 10:32 2023936 -c----w- c:\windows\system32\dllcache\ntkrpamp.exe
2009-10-02 21:00 . 2008-05-03 11:55 2560 ------w- c:\windows\system32\xpsp4res.dll
2009-10-02 21:00 . 2008-04-21 12:08 215552 -c----w- c:\windows\system32\dllcache\wordpad.exe
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-16 15:27 . 2009-10-16 15:27 1111915 ---ha-w- c:\windows\system32\BIT40DB.tmp
2009-10-14 19:02 . 2008-03-10 02:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-10-13 20:41 . 2008-03-09 15:30 -------- d-----w- c:\documents and settings\ivo\Application Data\uTorrent
2009-10-04 22:46 . 2008-03-08 01:18 70528 ----a-w- c:\documents and settings\ivo\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-03 21:11 . 2008-03-09 11:45 -------- d-----w- c:\documents and settings\ivo\Application Data\IDM
2009-10-03 19:25 . 2008-03-08 01:24 -------- d-----w- c:\program files\Common Files\InstallShield
2009-10-02 21:50 . 2008-03-10 02:07 -------- d-----w- c:\program files\Microsoft Works
2009-08-06 16:24 . 2008-03-07 20:06 327896 ----a-w- c:\windows\system32\wucltui.dll
2009-08-06 16:24 . 2008-03-07 20:06 209632 ----a-w- c:\windows\system32\wuweb.dll
2009-08-06 16:24 . 2008-03-07 20:06 35552 ----a-w- c:\windows\system32\wups.dll
2009-08-06 16:24 . 2007-07-30 22:19 44768 ----a-w- c:\windows\system32\wups2.dll
2009-08-06 16:24 . 2008-03-07 20:06 53472 ------w- c:\windows\system32\wuauclt.exe
2009-08-06 16:24 . 2007-07-30 22:19 96480 ----a-w- c:\windows\system32\cdm.dll
2009-08-06 16:23 . 2008-03-07 20:06 575704 ----a-w- c:\windows\system32\wuapi.dll
2009-08-06 16:23 . 2008-03-07 20:06 1929952 ----a-w- c:\windows\system32\wuaueng.dll
2009-08-06 16:23 . 2007-07-30 22:19 274288 ----a-w- c:\windows\system32\mucltui.dll
2009-08-06 16:23 . 2007-07-30 22:19 215920 ----a-w- c:\windows\system32\muweb.dll
2009-08-05 09:01 . 2004-08-04 11:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-03 12:07 . 2009-08-03 12:07 403816 ----a-w- c:\windows\system32\OGACheckControl.dll
2009-08-03 12:07 . 2009-08-03 12:07 322928 ----a-w- c:\windows\system32\OGAAddin.dll
2009-08-03 12:07 . 2009-08-03 12:07 230768 ----a-w- c:\windows\system32\OGAEXEC.exe
2009-07-29 04:37 . 2007-04-28 13:02 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-07-29 04:37 . 2005-10-17 19:21 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-07-14 03:26 . 2009-07-14 03:26 2510 --sha-w- c:\windows\system32\bijukotu.dll
2009-07-15 03:26 . 2009-07-15 03:26 2510 --sha-w- c:\windows\system32\dagubawe.dll
2009-07-11 22:20 . 2009-07-11 22:20 2510 --sha-w- c:\windows\system32\fopogufa.dll
2009-07-15 03:26 . 2009-07-15 03:26 2337 --sha-w- c:\windows\system32\fotuwutu.exe
2009-07-12 11:52 . 2009-07-12 11:52 2511 --sha-w- c:\windows\system32\gagadeda.dll
2009-07-12 11:52 . 2009-07-12 11:52 2509 --sha-w- c:\windows\system32\gotevori.dll
2009-07-14 03:26 . 2009-07-14 03:26 1010688 --sha-w- c:\windows\system32\gubebusi.exe
2009-07-14 03:26 . 2009-07-14 03:26 2510 --sha-w- c:\windows\system32\hariviza.dll
2009-07-12 11:52 . 2009-07-12 11:52 2510 --sha-w- c:\windows\system32\hezekose.dll
2009-07-13 15:28 . 2009-07-13 15:28 2510 --sha-w- c:\windows\system32\kizoraju.dll
2009-07-13 15:28 . 2009-07-13 15:28 2337 --sha-w- c:\windows\system32\lezowafu.exe
2009-07-16 15:27 . 2009-07-16 15:27 2510 --sha-w- c:\windows\system32\mavaturi.dll
2009-07-14 15:26 . 2009-07-14 15:26 2510 --sha-w- c:\windows\system32\merumebe.dll
2009-07-14 03:26 . 2009-07-14 03:26 2337 --sha-w- c:\windows\system32\merumebe.exe
2009-07-14 15:26 . 2009-07-14 15:26 2509 --sha-w- c:\windows\system32\mevaseyu.dll
2009-07-15 15:26 . 2009-07-15 15:26 2511 --sha-w- c:\windows\system32\mudurofo.dll
2009-07-13 15:28 . 2009-07-13 15:28 2510 --sha-w- c:\windows\system32\nagefipi.dll
2009-07-16 03:27 . 2009-07-16 03:27 2510 --sha-w- c:\windows\system32\najeriwa.dll
2009-07-13 02:29 . 2009-07-13 02:29 2510 --sha-w- c:\windows\system32\nokosemu.dll
2009-07-13 15:28 . 2009-07-13 15:28 2511 --sha-w- c:\windows\system32\pemewoma.dll
2009-07-15 03:26 . 2009-07-15 03:26 2510 --sha-w- c:\windows\system32\pokumala.dll
2009-07-14 03:26 . 2009-07-14 03:26 2511 --sha-w- c:\windows\system32\putirise.dll
2009-07-14 03:26 . 2009-07-14 03:26 2338 --sha-w- c:\windows\system32\raditile.exe
2009-07-14 15:26 . 2009-07-14 15:26 2337 --sha-w- c:\windows\system32\remowoka.exe
2009-07-14 15:26 . 2009-07-14 15:26 2336 --sha-w- c:\windows\system32\sopiveri.dll
2009-07-11 22:20 . 2009-07-11 22:20 2510 --sha-w- c:\windows\system32\temoliro.dll
2009-07-13 15:28 . 2009-07-13 15:28 2338 --sha-w- c:\windows\system32\vehotora.exe
2009-07-15 03:26 . 2009-07-15 03:26 2511 --sha-w- c:\windows\system32\vemejofa.dll
2009-07-16 15:27 . 2009-07-16 15:27 2510 --sha-w- c:\windows\system32\vibohaji.dll
2009-07-16 03:27 . 2009-07-16 03:27 2509 --sha-w- c:\windows\system32\wifofizo.dll
2009-07-11 22:20 . 2009-07-11 22:20 1049600 --sha-w- c:\windows\system32\wipirawu.exe
2009-07-15 15:26 . 2009-07-15 15:26 2509 --sha-w- c:\windows\system32\yafubuge.dll
2009-07-11 22:20 . 2009-07-11 22:20 2509 --sha-w- c:\windows\system32\yasukeki.dll
2009-07-15 15:26 . 2009-07-15 15:26 2510 --sha-w- c:\windows\system32\yirobibu.dll
2009-07-13 02:29 . 2009-07-13 02:29 2511 --sha-w- c:\windows\system32\yudasobe.dll
.
((((((((((((((((((((((((((((( SnapShot@2009-10-14_02.53.28 )))))))))))))))))))))))))))))))))))))))))
.
- 2004-08-04 11:00 . 2009-10-13 19:40 68490 c:\windows\system32\perfc009.dat
+ 2004-08-04 11:00 . 2009-10-14 02:58 68490 c:\windows\system32\perfc009.dat
+ 2008-03-07 20:29 . 2009-10-15 15:27 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2008-03-07 20:29 . 2009-10-13 19:35 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2008-03-07 20:29 . 2009-10-13 19:35 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-03-07 20:29 . 2009-10-15 15:27 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-10-14 03:26 . 2009-10-15 15:27 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2009-10-14 03:26 . 2009-10-16 15:27 6144 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{5E7817C0-B871-11DE-AEF5-001A73E67581}.dat
+ 2009-10-16 03:27 . 2009-10-16 03:27 4096 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{D2D936D4-BA03-11DE-AEF5-001A73E67581}.dat
+ 2009-10-15 03:26 . 2009-10-15 03:26 4096 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{96BD82DC-B93A-11DE-AEF5-001A73E67581}.dat
+ 2009-10-16 15:27 . 2009-10-16 15:27 4096 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{719C4388-BA68-11DE-AEF5-001A73E67581}.dat
+ 2009-10-14 03:26 . 2009-10-14 03:26 4096 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{5E7817C1-B871-11DE-AEF5-001A73E67581}.dat
- 2004-08-04 11:00 . 2009-10-13 19:40 435594 c:\windows\system32\perfh009.dat
+ 2004-08-04 11:00 . 2009-10-14 02:58 435594 c:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 90112]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2007-01-05 872448]
"QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2007-11-06 177456]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-01-18 1028096]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2007-05-10 624248]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2009-05-14 2029640]
"ruvarejize"="yevapare.dll" [BU]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [14.05.09 07:47 107256]
R2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [14.05.09 07:47 731840]
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder
2009-10-16 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAEXEC.exe [2009-08-03 12:07]
2009-10-15 c:\windows\Tasks\User_Feed_Synchronization-{F34E8F2C-8C39-43CD-83FC-3FBA467E8786}.job
- c:\windows\system32\msfeedssync.exe [2007-12-12 01:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Download all links with IDM - c:\program files\Internet Download Manager\IEGetAll.htm
IE: Download FLV video content with IDM - c:\program files\Internet Download Manager\IEGetVL.htm
IE: Download with IDM - c:\program files\Internet Download Manager\IEExt.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
Trusted Zone: chase.com\chaseonline
Trusted Zone: google.com\www
FF - ProfilePath - c:\documents and settings\ivo\Application Data\Mozilla\Firefox\Profiles\1qh6lqc6.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -
BHO-{d3ceb086-d1cb-41d2-8926-160eac6ca076} - bumisida.dll
HKLM-Run-02811517 - c:\docume~1\ALLUSE~1\APPLIC~1\02811517\02811517.exe
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-16 10:36
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_LOCAL_MACHINE\software\ESET\ESET Security\CurrentVersion\Info]
@Denied: (2) (LocalSystem)
"AppDataDir"="c:\\Documents and Settings\\All Users\\Application Data\\ESET\\ESET Smart Security\\"
"DataDir"="ESET\\ESET Smart Security\\"
"EditionName"=" "
"InstallDir"="c:\\Program Files\\ESET\\ESET NOD32 Antivirus\\"
"LanguageId"=dword:00000409
"PackageTag"=dword:6090e758
"ProductBase"=dword:00000001
"ProductCode"="{71CBF9BB-7E07-4A9D-BF30-84C11810B242}"
"ProductName"="ESET Smart Security"
"ProductType"="ess"
"ProductVersion"="4.0.437.0"
"UniqueId"="0003F0BA4AC65FBE"
"ScannerBuild"=dword:00001329
"ScannerVersionId"=dword:00000feb
"ScannerVersion"="Open window for status."
"FixId"=dword:00000005
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(980)
c:\windows\system32\Ati2evxx.dll
- - - - - - - > 'explorer.exe'(4084)
c:\windows\system32\WININET.dll
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\IEFRAME.dll
c:\windows\system32\wpdshserviceobj.dll
c:\windows\system32\btncopy.dll
c:\windows\system32\portabledevicetypes.dll
c:\windows\system32\portabledeviceapi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
c:\windows\system32\ati2evxx.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
c:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-10-16 10:39 - machine was rebooted
ComboFix-quarantined-files.txt 2009-10-16 15:39
ComboFix2.txt 2009-10-14 02:55
Pre-Run: 19 620 368 384 bytes free
Post-Run: 20 373 245 952 bytes free
355 --- E O F --- 2008-03-10 10:41
ComboFix 09-10-15.04 - ivo 16.10.09 10:32.2.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1251.359.1033.18.3071.2357 [GMT -5:00]
Running from: c:\documents and settings\ivo\Desktop\Combo-Fix.exe
AV: ESET Smart Security 4.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: ESET Personal firewall *disabled* {E5E70D32-0101-4340-86A3-A7B0F1C8FFE0}
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\All Users\Application Data\02811517
c:\documents and settings\All Users\Application Data\02811517\02811517.exe
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\windows\system32\fuyigeze.exe
c:\windows\system32\nijozaka.exe
c:\windows\system32\rolirefu.exe
c:\windows\system32\zohijiho.exe
c:\windows\TEMP\NOD15F4.tmp
c:\windows\TEMP\NOD2861.tmp
----- BITS: Possible infected sites -----
hxxp://193.33.61.160
.
((((((((((((((((((((((((( Files Created from 2009-09-16 to 2009-10-16 )))))))))))))))))))))))))))))))
.
2009-10-13 20:10 . 2009-10-13 20:10 -------- d-----w- c:\program files\Trend Micro
2009-10-13 19:39 . 2009-10-13 19:39 -------- d--h--w- c:\windows\PIF
2009-10-13 19:16 . 2009-10-13 19:16 -------- d-----w- c:\documents and settings\ivo\Application Data\Malwarebytes
2009-10-13 19:08 . 2009-09-10 19:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-13 19:08 . 2009-10-13 19:41 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-13 19:08 . 2009-10-13 19:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-10-13 19:08 . 2009-09-10 19:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-13 16:06 . 2009-10-13 16:14 39946752 ----a-w- C:\ess_nt64_enu.msi
2009-10-12 22:48 . 2009-10-12 22:48 -------- d-----w- c:\documents and settings\ivo\Application Data\GARMIN
2009-10-12 22:46 . 2009-10-12 22:46 -------- d-----w- c:\program files\Garmin GPS Plugin
2009-10-12 22:46 . 2009-10-12 22:46 -------- d-----w- c:\program files\DIFX
2009-10-12 22:46 . 2009-10-12 22:46 -------- d-----w- c:\program files\Garmin
2009-10-08 19:43 . 2009-10-08 19:43 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-10-08 14:39 . 2009-10-13 21:53 -------- d-----w- C:\Nevena
2009-10-08 04:48 . 2008-04-14 05:15 26368 -c--a-w- c:\windows\system32\dllcache\usbstor.sys
2009-10-07 13:30 . 2009-10-07 13:30 0 ----a-w- c:\windows\nsreg.dat
2009-10-07 13:30 . 2009-10-07 13:30 -------- d-----w- c:\documents and settings\ivo\Local Settings\Application Data\Mozilla
2009-10-06 03:56 . 2009-10-06 03:56 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2009-10-05 00:53 . 2009-10-05 00:53 -------- d-----w- c:\documents and settings\ivo\Local Settings\Application Data\ESET
2009-10-04 21:26 . 2009-10-04 21:26 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\ESET
2009-10-03 23:38 . 2009-10-03 23:38 -------- d-----w- c:\documents and settings\ivo\Application Data\GRETECH
2009-10-03 23:30 . 2009-10-03 23:30 -------- d-----w- c:\program files\GRETECH
2009-10-03 21:04 . 2009-10-04 23:08 -------- d-----w- c:\documents and settings\ivo\Application Data\NBC Direct
2009-10-03 21:04 . 2009-10-04 23:24 -------- d-----w- c:\program files\Pando Networks
2009-10-03 21:04 . 2009-10-04 23:08 -------- d-----w- c:\documents and settings\All Users\Application Data\NBC Direct
2009-10-03 21:04 . 2009-10-04 23:08 -------- d---a-w- c:\program files\NBC Direct
2009-10-03 19:59 . 2009-10-03 19:59 -------- d-----w- c:\documents and settings\ivo\UpToDate
2009-10-03 19:57 . 2009-10-03 19:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Office Genuine Advantage
2009-10-03 19:57 . 2009-10-03 19:57 -------- d-----w- c:\documents and settings\ivo\Application Data\Office Genuine Advantage
2009-10-03 19:27 . 2009-10-03 19:58 -------- d-----w- c:\program files\UpToDate
2009-10-04 22:46 . 2008-03-08 01:18 70528 ----a-w- c:\documents and settings\ivo\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-03 21:11 . 2008-03-09 11:45 -------- d-----w- c:\documents and settings\ivo\Application Data\IDM
2009-10-03 19:25 . 2008-03-08 01:24 -------- d-----w- c:\program files\Common Files\InstallShield
2009-10-02 21:50 . 2008-03-10 02:07 -------- d-----w- c:\program files\Microsoft Works
2009-08-06 16:24 . 2008-03-07 20:06 327896 ----a-w- c:\windows\system32\wucltui.dll
2009-08-06 16:24 . 2008-03-07 20:06 209632 ----a-w- c:\windows\system32\wuweb.dll
2009-08-06 16:24 . 2008-03-07 20:06 35552 ----a-w- c:\windows\system32\wups.dll
2009-08-06 16:24 . 2007-07-30 22:19 44768 ----a-w- c:\windows\system32\wups2.dll
2009-08-06 16:24 . 2008-03-07 20:06 53472 ------w- c:\windows\system32\wuauclt.exe
2009-08-06 16:24 . 2007-07-30 22:19 96480 ----a-w- c:\windows\system32\cdm.dll
2009-08-06 16:23 . 2008-03-07 20:06 575704 ----a-w- c:\windows\system32\wuapi.dll
2009-08-06 16:23 . 2008-03-07 20:06 1929952 ----a-w- c:\windows\system32\wuaueng.dll
2009-08-06 16:23 . 2007-07-30 22:19 274288 ----a-w- c:\windows\system32\mucltui.dll
2009-08-06 16:23 . 2007-07-30 22:19 215920 ----a-w- c:\windows\system32\muweb.dll
2009-08-05 09:01 . 2004-08-04 11:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-03 12:07 . 2009-08-03 12:07 403816 ----a-w- c:\windows\system32\OGACheckControl.dll
2009-08-03 12:07 . 2009-08-03 12:07 322928 ----a-w- c:\windows\system32\OGAAddin.dll
2009-08-03 12:07 . 2009-08-03 12:07 230768 ----a-w- c:\windows\system32\OGAEXEC.exe
2009-07-29 04:37 . 2007-04-28 13:02 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-07-29 04:37 . 2005-10-17 19:21 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-07-14 03:26 . 2009-07-14 03:26 2510 --sha-w- c:\windows\system32\bijukotu.dll
2009-07-15 03:26 . 2009-07-15 03:26 2510 --sha-w- c:\windows\system32\dagubawe.dll
2009-07-11 22:20 . 2009-07-11 22:20 2510 --sha-w- c:\windows\system32\fopogufa.dll
2009-07-15 03:26 . 2009-07-15 03:26 2337 --sha-w- c:\windows\system32\fotuwutu.exe
2009-07-12 11:52 . 2009-07-12 11:52 2511 --sha-w- c:\windows\system32\gagadeda.dll
2009-07-12 11:52 . 2009-07-12 11:52 2509 --sha-w- c:\windows\system32\gotevori.dll
2009-07-14 03:26 . 2009-07-14 03:26 1010688 --sha-w- c:\windows\system32\gubebusi.exe
2009-07-14 03:26 . 2009-07-14 03:26 2510 --sha-w- c:\windows\system32\hariviza.dll
2009-07-12 11:52 . 2009-07-12 11:52 2510 --sha-w- c:\windows\system32\hezekose.dll
2009-07-13 15:28 . 2009-07-13 15:28 2510 --sha-w- c:\windows\system32\kizoraju.dll
2009-07-13 15:28 . 2009-07-13 15:28 2337 --sha-w- c:\windows\system32\lezowafu.exe
2009-07-16 15:27 . 2009-07-16 15:27 2510 --sha-w- c:\windows\system32\mavaturi.dll
2009-07-14 15:26 . 2009-07-14 15:26 2510 --sha-w- c:\windows\system32\merumebe.dll
2009-07-14 03:26 . 2009-07-14 03:26 2337 --sha-w- c:\windows\system32\merumebe.exe
2009-07-14 15:26 . 2009-07-14 15:26 2509 --sha-w- c:\windows\system32\mevaseyu.dll
2009-07-15 15:26 . 2009-07-15 15:26 2511 --sha-w- c:\windows\system32\mudurofo.dll
2009-07-13 15:28 . 2009-07-13 15:28 2510 --sha-w- c:\windows\system32\nagefipi.dll
2009-07-16 03:27 . 2009-07-16 03:27 2510 --sha-w- c:\windows\system32\najeriwa.dll
2009-07-13 02:29 . 2009-07-13 02:29 2510 --sha-w- c:\windows\system32\nokosemu.dll
2009-07-13 15:28 . 2009-07-13 15:28 2511 --sha-w- c:\windows\system32\pemewoma.dll
2009-07-15 03:26 . 2009-07-15 03:26 2510 --sha-w- c:\windows\system32\pokumala.dll
2009-07-14 03:26 . 2009-07-14 03:26 2511 --sha-w- c:\windows\system32\putirise.dll
2009-07-14 03:26 . 2009-07-14 03:26 2338 --sha-w- c:\windows\system32\raditile.exe
2009-07-14 15:26 . 2009-07-14 15:26 2337 --sha-w- c:\windows\system32\remowoka.exe
2009-07-14 15:26 . 2009-07-14 15:26 2336 --sha-w- c:\windows\system32\sopiveri.dll
2009-07-11 22:20 . 2009-07-11 22:20 2510 --sha-w- c:\windows\system32\temoliro.dll
2009-07-13 15:28 . 2009-07-13 15:28 2338 --sha-w- c:\windows\system32\vehotora.exe
2009-07-15 03:26 . 2009-07-15 03:26 2511 --sha-w- c:\windows\system32\vemejofa.dll
2009-07-16 15:27 . 2009-07-16 15:27 2510 --sha-w- c:\windows\system32\vibohaji.dll
2009-07-16 03:27 . 2009-07-16 03:27 2509 --sha-w- c:\windows\system32\wifofizo.dll
2009-07-11 22:20 . 2009-07-11 22:20 1049600 --sha-w- c:\windows\system32\wipirawu.exe
2009-07-15 15:26 . 2009-07-15 15:26 2509 --sha-w- c:\windows\system32\yafubuge.dll
2009-07-11 22:20 . 2009-07-11 22:20 2509 --sha-w- c:\windows\system32\yasukeki.dll
2009-07-15 15:26 . 2009-07-15 15:26 2510 --sha-w- c:\windows\system32\yirobibu.dll
2009-07-13 02:29 . 2009-07-13 02:29 2511 --sha-w- c:\windows\system32\yudasobe.dll
.
((((((((((((((((((((((((((((( SnapShot@2009-10-14_02.53.28 )))))))))))))))))))))))))))))))))))))))))
.
- 2004-08-04 11:00 . 2009-10-13 19:40 68490 c:\windows\system32\perfc009.dat
+ 2004-08-04 11:00 . 2009-10-14 02:58 68490 c:\windows\system32\perfc009.dat
+ 2008-03-07 20:29 . 2009-10-15 15:27 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2008-03-07 20:29 . 2009-10-13 19:35 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2008-03-07 20:29 . 2009-10-13 19:35 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-03-07 20:29 . 2009-10-15 15:27 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-10-14 03:26 . 2009-10-15 15:27 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2009-10-14 03:26 . 2009-10-16 15:27 6144 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{5E7817C0-B871-11DE-AEF5-001A73E67581}.dat
+ 2009-10-16 03:27 . 2009-10-16 03:27 4096 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{D2D936D4-BA03-11DE-AEF5-001A73E67581}.dat
+ 2009-10-15 03:26 . 2009-10-15 03:26 4096 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{96BD82DC-B93A-11DE-AEF5-001A73E67581}.dat
+ 2009-10-16 15:27 . 2009-10-16 15:27 4096 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{719C4388-BA68-11DE-AEF5-001A73E67581}.dat
+ 2009-10-14 03:26 . 2009-10-14 03:26 4096 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{5E7817C1-B871-11DE-AEF5-001A73E67581}.dat
- 2004-08-04 11:00 . 2009-10-13 19:40 435594 c:\windows\system32\perfh009.dat
+ 2004-08-04 11:00 . 2009-10-14 02:58 435594 c:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 90112]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2007-01-05 872448]
"QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2007-11-06 177456]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-01-18 1028096]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2007-05-10 624248]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2009-05-14 2029640]
"ruvarejize"="yevapare.dll" [BU]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [14.05.09 07:47 107256]
R2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [14.05.09 07:47 731840]
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder
2009-10-16 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAEXEC.exe [2009-08-03 12:07]
2009-10-15 c:\windows\Tasks\User_Feed_Synchronization-{F34E8F2C-8C39-43CD-83FC-3FBA467E8786}.job
- c:\windows\system32\msfeedssync.exe [2007-12-12 01:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Download all links with IDM - c:\program files\Internet Download Manager\IEGetAll.htm
IE: Download FLV video content with IDM - c:\program files\Internet Download Manager\IEGetVL.htm
IE: Download with IDM - c:\program files\Internet Download Manager\IEExt.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
Trusted Zone: chase.com\chaseonline
Trusted Zone: google.com\www
FF - ProfilePath - c:\documents and settings\ivo\Application Data\Mozilla\Firefox\Profiles\1qh6lqc6.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -
BHO-{d3ceb086-d1cb-41d2-8926-160eac6ca076} - bumisida.dll
HKLM-Run-02811517 - c:\docume~1\ALLUSE~1\APPLIC~1\02811517\02811517.exe
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-16 10:36
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_LOCAL_MACHINE\software\ESET\ESET Security\CurrentVersion\Info]
@Denied: (2) (LocalSystem)
"AppDataDir"="c:\\Documents and Settings\\All Users\\Application Data\\ESET\\ESET Smart Security\\"
"DataDir"="ESET\\ESET Smart Security\\"
"EditionName"=" "
"InstallDir"="c:\\Program Files\\ESET\\ESET NOD32 Antivirus\\"
"LanguageId"=dword:00000409
"PackageTag"=dword:6090e758
"ProductBase"=dword:00000001
"ProductCode"="{71CBF9BB-7E07-4A9D-BF30-84C11810B242}"
"ProductName"="ESET Smart Security"
"ProductType"="ess"
"ProductVersion"="4.0.437.0"
"UniqueId"="0003F0BA4AC65FBE"
"ScannerBuild"=dword:00001329
"ScannerVersionId"=dword:00000feb
"ScannerVersion"="Open window for status."
"FixId"=dword:00000005
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(980)
c:\windows\system32\Ati2evxx.dll
- - - - - - - > 'explorer.exe'(4084)
c:\windows\system32\WININET.dll
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\IEFRAME.dll
c:\windows\system32\wpdshserviceobj.dll
c:\windows\system32\btncopy.dll
c:\windows\system32\portabledevicetypes.dll
c:\windows\system32\portabledeviceapi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
c:\windows\system32\ati2evxx.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
c:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-10-16 10:39 - machine was rebooted
ComboFix-quarantined-files.txt 2009-10-16 15:39
ComboFix2.txt 2009-10-14 02:55
Pre-Run: 19 620 368 384 bytes free
Post-Run: 20 373 245 952 bytes free
355 --- E O F --- 2008-03-10 10:41
#5
Posted 16 October 2009 - 03:57 PM
Open NOTEPAD.exe and copy/paste the text in the quotebox below into it:
@echo off
REM Remove the malware's autostart value with SWREG (the registry tool installed alongside ComboFix)
SWREG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V ruvarejize
if exist "%temp%\log.txt" del "%temp%\log.txt"
REM Delete each dropped file; any file that survives is written to the log
for %%g in (
c:\windows\system32\bijukotu.dll
c:\windows\system32\dagubawe.dll
c:\windows\system32\fopogufa.dll
c:\windows\system32\fotuwutu.exe
c:\windows\system32\gagadeda.dll
c:\windows\system32\gotevori.dll
c:\windows\system32\gubebusi.exe
c:\windows\system32\hariviza.dll
c:\windows\system32\hezekose.dll
c:\windows\system32\kizoraju.dll
c:\windows\system32\lezowafu.exe
c:\windows\system32\mavaturi.dll
c:\windows\system32\merumebe.dll
c:\windows\system32\merumebe.exe
c:\windows\system32\mevaseyu.dll
c:\windows\system32\mudurofo.dll
c:\windows\system32\nagefipi.dll
c:\windows\system32\najeriwa.dll
c:\windows\system32\nokosemu.dll
c:\windows\system32\pemewoma.dll
c:\windows\system32\pokumala.dll
c:\windows\system32\putirise.dll
c:\windows\system32\raditile.exe
c:\windows\system32\remowoka.exe
c:\windows\system32\sopiveri.dll
c:\windows\system32\temoliro.dll
c:\windows\system32\vehotora.exe
c:\windows\system32\vemejofa.dll
c:\windows\system32\vibohaji.dll
c:\windows\system32\wifofizo.dll
c:\windows\system32\wipirawu.exe
c:\windows\system32\yafubuge.dll
c:\windows\system32\yasukeki.dll
c:\windows\system32\yirobibu.dll
c:\windows\system32\yudasobe.dll
) do (
del /a/f/q %%g >nul 2>&1
if exist %%g echo.%%~g>>"%temp%\log.txt"
)
REM Remove leftover folders from earlier cleanup tools
for %%g in (
"%systemdrive%\VundoFix Backups"
%systemdrive%\Qoobox
) do (
rd /s/q %%g >nul 2>&1
if exist %%g echo.%%~g>>"%temp%\log.txt"
)
REM Show the log of anything that could not be removed, otherwise report success
if exist "%temp%\log.txt" (
start notepad "%temp%\log.txt"
) else echo.Deleted Successfully !!
pause
del %0
Save this as fix.bat. Choose "Save type as - All Files"
It should look like this:
Double click on fix.bat & allow it to run
Post back to tell me what it says
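The file list in fix.bat is exactly the set of Find3M entries in the log above that are hidden+system files dropped straight into system32. The following is an added example (mine, not ComboFix code and not sUBs' script) that parses Find3M report lines and reproduces that selection; the reading of the attribute letters 's' and 'h' as system and hidden and the 8-letter-name rule are assumptions, and the sample lines are copied from the report in this thread.

```python
"""Triage helper for ComboFix 'Find3M Report' lines (added example).

Each Find3M line has the shape

    <created> . <modified> <size|--------> <attrs> <path>

The rule below flags regular files sitting directly in system32 whose
attribute field carries both 's' and 'h' (read here as system + hidden, an
assumption about ComboFix's attribute letters). Every file sUBs listed in
fix.bat matches that rule; wucltui.dll, OGAEXEC.exe and the hidden-but-not-
system BIT40DB.tmp do not. The 8-lowercase-letter name check and the
created == modified check are secondary signals, not flags on their own.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

FIND3M_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>\d+|-{8}) (?P<attrs>[-a-z]{8}) (?P<path>.+)$"
)
RANDOM_NAME_RE = re.compile(r"^[a-z]{8}\.(dll|exe)$")  # assumption: naming pattern seen in this log
SYSTEM32 = r"c:\windows\system32"

# Constructed sample: a handful of lines copied from the Find3M report in this thread.
SAMPLE_REPORT = r"""
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-16 15:27 . 2009-10-16 15:27 1111915 ---ha-w- c:\windows\system32\BIT40DB.tmp
2009-10-13 20:41 . 2008-03-09 15:30 -------- d-----w- c:\documents and settings\ivo\Application Data\uTorrent
2009-08-06 16:24 . 2008-03-07 20:06 327896 ----a-w- c:\windows\system32\wucltui.dll
2009-08-03 12:07 . 2009-08-03 12:07 230768 ----a-w- c:\windows\system32\OGAEXEC.exe
2009-07-14 03:26 . 2009-07-14 03:26 2510 --sha-w- c:\windows\system32\bijukotu.dll
2009-07-14 03:26 . 2009-07-14 03:26 1010688 --sha-w- c:\windows\system32\gubebusi.exe
2009-07-11 22:20 . 2009-07-11 22:20 1049600 --sha-w- c:\windows\system32\wipirawu.exe
"""


@dataclass
class Entry:
    created: str
    modified: str
    size: Optional[int]  # None for directories, which ComboFix prints as '--------'
    attrs: str
    path: str

    @property
    def is_dir(self) -> bool:
        return self.size is None or self.attrs.startswith("d")

    @property
    def directory(self) -> str:
        return self.path.lower().rsplit("\\", 1)[0]

    @property
    def name(self) -> str:
        return self.path.rsplit("\\", 1)[-1].lower()


def parse_find3m(text: str) -> List[Entry]:
    """Parse Find3M lines; banners, '.' separators and blank lines are skipped."""
    entries: List[Entry] = []
    for line in text.splitlines():
        m = FIND3M_RE.match(line.strip())
        if not m:
            continue
        size = None if m["size"].startswith("-") else int(m["size"])
        entries.append(Entry(m["created"], m["modified"], size, m["attrs"], m["path"]))
    return entries


def suspicious_reasons(e: Entry) -> List[str]:
    """Return why an entry looks like a dropped file, or [] if it does not."""
    if e.is_dir or e.directory != SYSTEM32:
        return []
    if not ("s" in e.attrs and "h" in e.attrs):
        return []
    reasons = ["hidden+system file directly in system32"]
    if RANDOM_NAME_RE.match(e.name):
        reasons.append("8-letter pseudo-random name")
    if e.created == e.modified:
        reasons.append("created and modified timestamps identical")
    return reasons


def triage(text: str) -> Dict[str, List[str]]:
    """Map each suspicious path in a Find3M report to the reasons it was flagged."""
    flagged: Dict[str, List[str]] = {}
    for entry in parse_find3m(text):
        reasons = suspicious_reasons(entry)
        if reasons:
            flagged[entry.path] = reasons
    return flagged


if __name__ == "__main__":
    for path, reasons in triage(SAMPLE_REPORT).items():
        print(path, "->", "; ".join(reasons))
```

Run against the full Find3M section of the log, the flagged set is the 35 files that fix.bat deletes and nothing else.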
#6
Posted 16 October 2009 - 04:08 PM
I am very, very sorry, but I didn't expect you to reply so fast. So I tried to run Malwarebytes once again. The installation went just fine and the tool eliminated 6 trojans and Rogue.security tool. Shall I make this fix.bat file right now, or do you think I'm done with the bugs?
#7
Posted 16 October 2009 - 04:16 PM
No worries. Just perform the instructions from post #5
#8
Posted 16 October 2009 - 04:59 PM
OK, this was the message:
..................................................
Delete of value 'ruvarejize' in 'hklm\software\microsoft\windows\currentverssion\run' failed
Deleted Successfully!!
Press any key to continue..
..................................................
By the way, I didn't have the chance to thank you. I am so happy and relieved that the tool finally runs. Thank you so much!!!
#9
Posted 16 October 2009 - 05:03 PM
Quote
Delete of value 'ruvarejize' in 'hklm\software\microsoft\windows\currentverssion\run' failed
Now that your system is clean, kindly follow these simple steps in order to keep your computer clean and secure:
- Uninstall ComboFix ... do not skip this step
This process will perform some post cleanup measures.
Do this by going to Start > Run & typing in ComboFix /u
- ANTIVIRUS SOFTWARE
It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.
- Microsoft Windows Update → http://www.windowsupdate.com
Visit regularly. This will ensure your computer always has the latest security updates. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
- http://www.mozilla.o...oducts/firefox/ - Firefox - Use this alternate browser. Whilst Internet Explorer is not a bad browser, almost every exploit crafted is targeted to take advantage of an IE weakness.
- http://java.com/en/index.jsp - Sun's Java - It's much more secure than Microsoft's Java Virtual Machine.
- http://www.aumha.org...erunt-setup.exe - ERUNT - A useful freeware utility for users of Windows 2000/XP. It's made up of two parts - ERUNT & NTREGOPT.
ERUNT will create daily complete backups of your computer's Registry. Whilst System Restore does the same thing, a corrupt registry file may prevent Windows from booting & this effectively disables System Restore. With ERUNT, you're able to restore the damaged Registry.
NTREGOPT works by recreating each registry hive "from scratch", thus removing any slack space that may be left from previously modified or deleted keys. In other words, it compacts the Registry to a small size which allows Windows to load & perform faster.
To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klein - http://www.spywarein...showtopic=60955
After doing all these, your system will be optimised against future threats.
.
Have a safe & happy computing day.

Kindly respond to this thread once more so we can mark this thread as resolved.
#10
Posted 16 October 2009 - 05:40 PM
sUBs, on Oct 16 2009, 09:03 AM, said:
This is because the malware key no longer exists. MBAM took it out in the previous run.
Now that your system is clean, kindly follow these simple steps in order to keep your computer clean and secure:
Thanx once again for the help and the good piece of advice. By the way, it seemed to me ComboFix didn't uninstall, but simply ran again, but probably it's OK.
Have a nice day as well!
#11
Posted 16 October 2009 - 05:42 PM
Quote
By the way, it seemed to me ComboFix didn't uninstall, but simply ran again, but probably it's OK.
#12
Posted 16 October 2009 - 05:57 PM
sUBs, on Oct 16 2009, 09:42 AM, said:
Does the folder C:\QooBox still exist?
It existed after the RUN operation, but I deleted it. When I ran the command in Start > Run it asked me if it could update itself from the server, I said yes and the tool performed the 50 stages of checking, when a log file was generated. I had two folders: Qoobox and Combo-Fix and deleted both of them, only the .exe file remains on my desktop
#13
Posted 16 October 2009 - 06:01 PM
Try running the command ComboFix /U again. There's still some other stuff it needs to uninstall
#14
Posted 16 October 2009 - 06:21 PM
#15
Posted 16 October 2009 - 06:26 PM
Quote
Running from: c:\documents and settings\ivo\Desktop\Combo-Fix.exe
Command switches used :: / U
AV: ESET Smart Security 4.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
HeHe .. I guess it must be because ComboFix enjoys the warmth & hospitality of your machine
Or maybe because you had a blank space between the '/' and 'U'
Combofix /U .. works
Combofix /<space>U .. doesn't work
#16
Posted 16 October 2009 - 06:45 PM
sUBs, on Oct 16 2009, 10:26 AM, said:
HeHe .. I guess it must be because ComboFix enjoys the warmth & hospitality of your machine
Or maybe because you had a blank space between the '/' and 'U'
Hahahaha.... you may be joking, but my machine seems really irresistible for nesting.. now I have sth like a copy of my whole file system, called Combo-Fix26251C.... How about that? This smartie left me with its serial number baby?!
#17
Posted 16 October 2009 - 06:53 PM
Quote
a copy of my whole file system, called Combo-Fix26251C
Please delete that Combo-Fix26251C or any other ComboFix folders.
Ensure that ESET isn't running before attempting it again
#18
Posted 16 October 2009 - 07:29 PM
sUBs, on Oct 16 2009, 10:53 AM, said:
Lol .. how did it end up getting this complicated. Is ESET NOD32 running?
Please delete that Combo-Fix26251C or any other ComboFix folders.
Ensure that ESET isn't running before attempting it again
Sorry.. it's my fault. I installed several Windows updates, Windows search update among them. I didn't notice it was indexing my computer while I uninstalled CF. Everything is just fine now, thanx again for the help and have a nice computing day!