Spyware/Malware ... worm.win32.netsky et. al

View previous topic View next topic Go down

Spyware/Malware ... worm.win32.netsky et. al

Post by mts5b on Fri Jan 22, 2010 8:41 pm

Hello -

Saw a similar post to my issue @ [You must be registered and logged in to see this link.]

Same issue with the task manager being locked and popup with the message: "Application cannot be executed. The file is infected. Please activate your antivirus software."

Had the green background but that went away upon rebooting after installing latest windows update definitions. Same popup when i start Windows XP about being infected with worm.win32.netsky.

Also have a recurring problem with popup of "Generic host process for Win32 has encountered a problem and needs to close." Upon hitting OK, many times I receive a window shortly thereafter with ""Windows must now restart because the DCOM Server Process Launcher Service terminated unexpectedly." This has happened about 8 times within the past 2 days.

I saw Combofix as part of the solution in the other thread i posted above, but didn't want to download it without knowing how to use it etc. Also saw a direction to d/l Malwarebytes, which i've actually had for awhile. I updated to the most recent version, but when I try to open it, i get an error popup: "Error Code: 730 (0,0)" and it directs me to the Malwarebytes support staff. Looked that issue up, didn't really get too far.

I'm pretty much lost in the dark on this one. Any help provided would be greatly appreciated. Thanks so much.

mts5b
Beginner
Beginner

Status :
Online
Offline

Posts : 4
Joined : 2010-01-22
OS : Windows XP

View user profile

Back to top Go down

Re: Spyware/Malware ... worm.win32.netsky et. al

Post by mts5b on Fri Jan 22, 2010 8:44 pm

Also, here's my latest HJT logfile:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:44:04 PM, on 1/22/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16876)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Linksys\Linksys Updater\bin\LinksysUpdater.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\java.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe
C:\Program Files\Linksys\Linksys EasyLink Advisor\Linksys EasyLink Advisor.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\smss32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Documents and Settings\Student\Application Data\SystemProc\lsass.exe
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Windows NT\Accessories\WORDPAD.EXE
C:\WINDOWS\System32\mshta.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = [You must be registered and logged in to see this link.]
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
F2 - REG:system.ini: Shell=Explorer.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\winlogon32.exe
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~2\COMCAS~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
O3 - Toolbar: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~2\COMCAS~1.DLL
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [hpqSRMon] C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe
O4 - HKLM\..\Run: [ddoctorv2] "C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe" /P ddoctorv2
O4 - HKLM\..\Run: [LELA] "C:\Program Files\Linksys\Linksys EasyLink Advisor\Linksys EasyLink Advisor.exe" /minimized
O4 - HKLM\..\Run: [nmctxth] "C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [hetijupop] Rundll32.exe "c:\windows\system32\lahuyofu.dll",a
O4 - HKLM\..\Run: [smss32.exe] C:\WINDOWS\system32\smss32.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKLM\..\Policies\Explorer\Run: [RTHDBPL] C:\Documents and Settings\Student\Application Data\SystemProc\lsass.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: VPN Client.lnk = ?
O8 - Extra context menu item: &AIM Search - [You must be registered and logged in to see this link.] Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - [You must be registered and logged in to see this link.]
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: HP Smart Select - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = virginia.edu
O17 - HKLM\Software\..\Telephony: DomainName = virginia.edu
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = virginia.edu
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = virginia.edu
O20 - AppInit_DLLs: hokibewi.dll c:\windows\system32\lahuyofu.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: cbxxwuv - cbxxwuv.dll (file missing)
O20 - Winlogon Notify: hgggfca - hgggfca.dll (file missing)
O20 - Winlogon Notify: mljhfdc - mljhfdc.dll (file missing)
O20 - Winlogon Notify: rqrsrol - rqrsrol.dll (file missing)
O20 - Winlogon Notify: wvuuuvw - wvuuuvw.dll (file missing)
O20 - Winlogon Notify: xxyywwt - xxyywwt.dll (file missing)
O21 - SSODL: dotubapew - {802d8076-e95e-4989-98ff-bd7fd48ccbbb} - c:\windows\system32\lahuyofu.dll (file missing)
O22 - SharedTaskScheduler: jugezatag - {802d8076-e95e-4989-98ff-bd7fd48ccbbb} - c:\windows\system32\lahuyofu.dll (file missing)
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Broadcom ASF IP monitoring service v6.0.3 (BAsfIpM) - Unknown owner - C:\WINDOWS\System32\basfipm.exe (file missing)
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Cisco Systems, Inc. (ITC) VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Linksys Updater (LinksysUpdater) - Unknown owner - C:\Program Files\Linksys\Linksys Updater\bin\LinksysUpdater.exe
O23 - Service: Pure Networks Platform Service (nmservice) - Pure Networks, Inc. - C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: SupportSoft Sprocket Service (ddoctorv2) (sprtsvc_ddoctorv2) - SupportSoft, Inc. - C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

--
End of file - 12398 bytes

mts5b
Beginner
Beginner

Status :
Online
Offline

Posts : 4
Joined : 2010-01-22
OS : Windows XP

View user profile

Back to top Go down

Re: Spyware/Malware ... worm.win32.netsky et. al

Post by Dr Jay on Fri Jan 22, 2010 9:06 pm

Please visit this webpage for instructions for downloading and running ComboFix:

[You must be registered and logged in to see this link.]

Post the log from ComboFix when you've accomplished that.


Dr. Jay (DJ)


[You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.]

Dr Jay
Head Administrator
Head Administrator

Status :
Online
Offline

Posts : 13712
Joined : 2009-09-06
Gender : Male
OS : Windows 10 Home & Pro

View user profile

Back to top Go down

Re: Spyware/Malware ... worm.win32.netsky et. al

Post by mts5b on Fri Jan 22, 2010 10:51 pm

ComboFix 10-01-21.08 - Student 01/22/2010 17:03:53.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.554 [GMT -5:00]
Running from: c:\documents and settings\Student\Desktop\ComboFix.exe
AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\check_LSA7.txt
c:\documents and settings\Student\Application Data\AntiVirus Plus
c:\documents and settings\Student\Application Data\avp.ico
c:\documents and settings\Student\Application Data\none
c:\documents and settings\Student\Application Data\SystemProc
c:\documents and settings\Student\Application Data\SystemProc\lsass.exe
c:\program files\Internet Explorer\msimg32.dll
c:\program files\Mozilla Firefox\extensions\{8CE11043-9A15-4207-A565-0C94C42D590D}
c:\program files\Mozilla Firefox\extensions\{8CE11043-9A15-4207-A565-0C94C42D590D}\chrome.manifest
c:\program files\Mozilla Firefox\extensions\{8CE11043-9A15-4207-A565-0C94C42D590D}\chrome\content\timer.xul
c:\program files\Mozilla Firefox\extensions\{8CE11043-9A15-4207-A565-0C94C42D590D}\install.rdf
c:\recycler\S-1-5-21-134902150-1225436931-3051327940-1008
c:\recycler\S-1-5-21-134902150-1225436931-3051327940-500
c:\windows\system32\18467.exe
c:\windows\system32\26500.exe
c:\windows\system32\41.exe
c:\windows\system32\6334.exe
c:\windows\system32\acocsefp.ini
c:\windows\system32\aycgfhft.ini
c:\windows\SYSTEM32\ayyay.bak1
c:\windows\system32\ayyay.ini
c:\windows\system32\bkxnpgad.ini
c:\windows\system32\bqckdvft.ini
c:\windows\system32\cjmwhkcv.ini
c:\windows\system32\cofpspfa.ini
c:\windows\system32\comrepl.exe
c:\windows\system32\cubqgyfx.ini
c:\windows\system32\dbnvdymk.ini
c:\windows\system32\dbxbapmi.ini
c:\windows\system32\denunime.dll
c:\windows\system32\dlvpocyu.ini
c:\windows\system32\ejclgmkk.ini
c:\windows\system32\entxnrqs.ini
c:\windows\system32\epmwubnb.ini
c:\windows\SYSTEM32\fgjlm.bak1
c:\windows\SYSTEM32\fgjlm.ini
c:\windows\SYSTEM32\fgjlm.tmp
c:\windows\system32\fuibpupm.ini
c:\windows\system32\fvdilhrk.ini
c:\windows\SYSTEM32\gghhk.bak1
c:\windows\system32\gghhk.ini
c:\windows\system32\gqcnswlo.ini
c:\windows\system32\gupuvefa.dll
c:\windows\system32\helper32.dll
c:\windows\system32\htnnmkgs.ini
c:\windows\system32\huoyycwq.ini
c:\windows\system32\icjusjuc.ini
c:\windows\system32\iefkqgwl.ini
c:\windows\system32\ikjujvul.ini
c:\windows\system32\IS15.exe
c:\windows\system32\jaaacxig.ini
c:\windows\SYSTEM32\jlllm.bak1
c:\windows\system32\jlllm.ini
c:\windows\system32\jrlthexy.ini
c:\windows\system32\jvwggwwc.ini
c:\windows\system32\khrupqbd.ini
c:\windows\system32\kymyihhi.ini
c:\windows\system32\lbonkppt.ini
c:\windows\system32\mclqfrao.ini
c:\windows\system32\mdstrhjw.ini
c:\windows\system32\meckdbgk.ini
c:\windows\system32\mhdfbvww.ini
c:\windows\SYSTEM32\mlnnn.bak1
c:\windows\SYSTEM32\mlnnn.bak2
c:\windows\system32\mlnnn.ini
c:\windows\system32\mqecsqln.ini
c:\windows\system32\mybujkmp.ini
c:\windows\SYSTEM32\nmmoq.bak1
c:\windows\SYSTEM32\nmmoq.ini
c:\windows\system32\oabdomwe.ini
c:\windows\system32\oarjbels.ini
c:\windows\system32\obtpsrrt.ini
c:\windows\system32\omatgrll.ini
c:\windows\system32\oqrkrtow.ini
c:\windows\system32\oumefanf.ini
c:\windows\system32\ovyfafbj.ini
c:\windows\system32\oxmwrbdx.ini
c:\windows\system32\pkvnvdip.ini
c:\windows\system32\pnslhdye.ini
c:\windows\system32\pqnvpqtt.ini
c:\windows\SYSTEM32\pqtwa.bak1
c:\windows\system32\pqtwa.ini
c:\windows\system32\qjpsotfm.ini
c:\windows\system32\qlbjkyom.ini
c:\windows\system32\qnltsscr.ini
c:\windows\system32\qtfuoyxn.ini
c:\windows\system32\qwheuoat.ini
c:\windows\system32\qxvpmivh.ini
c:\windows\system32\rbmvpqne.ini
c:\windows\SYSTEM32\rtutv.bak1
c:\windows\SYSTEM32\rtutv.bak2
c:\windows\SYSTEM32\rtutv.ini
c:\windows\system32\ruketuno.dll
c:\windows\system32\rwlxfkmp.ini
c:\windows\system32\sbbgvxih.ini
c:\windows\system32\smss32.exe
c:\windows\system32\smxxcgoi.ini
c:\windows\system32\soqnpdcv.ini
c:\windows\SYSTEM32\srsut.bak1
c:\windows\SYSTEM32\srsut.ini
c:\windows\SYSTEM32\sttss.bak1
c:\windows\SYSTEM32\sttss.bak2
c:\windows\SYSTEM32\sttss.ini
c:\windows\system32\svirdjol.ini
c:\windows\system32\tiguqpyr.ini
c:\windows\system32\tjktymky.ini
c:\windows\system32\tmjjdqxq.ini
c:\windows\SYSTEM32\twwvw.bak1
c:\windows\system32\twwvw.ini
c:\windows\system32\tycfyctu.ini
c:\windows\system32\ujhvxpot.ini
c:\windows\system32\umyygtyb.ini
c:\windows\system32\upyrsjpj.ini
c:\windows\system32\uvxbmdgc.ini
c:\windows\SYSTEM32\uvyxx.bak1
c:\windows\SYSTEM32\uvyxx.ini
c:\windows\system32\vhlydgbk.ini
c:\windows\system32\votmnrxe.ini
c:\windows\system32\vwycf.ini
c:\windows\system32\winlogon32.exe
c:\windows\system32\wwvut.ini
c:\windows\system32\wxxhkttd.ini
c:\windows\system32\wyrqkovv.ini
c:\windows\system32\xaabc.ini
c:\windows\system32\xbcdd.ini
c:\windows\system32\xgsbfeam.ini
c:\windows\system32\xtodwvwk.ini
c:\windows\system32\xvprmbrl.ini
c:\windows\system32\yaadd.ini
c:\windows\system32\yeddevvq.ini
c:\windows\system32\ytvlpiuf.ini
c:\windows\Tasks\At1.job
c:\windows\Tasks\At10.job
c:\windows\Tasks\At11.job
c:\windows\Tasks\At12.job
c:\windows\Tasks\At13.job
c:\windows\Tasks\At14.job
c:\windows\Tasks\At15.job
c:\windows\Tasks\At16.job
c:\windows\Tasks\At17.job
c:\windows\Tasks\At18.job
c:\windows\Tasks\At19.job
c:\windows\Tasks\At2.job
c:\windows\Tasks\At20.job
c:\windows\Tasks\At21.job
c:\windows\Tasks\At22.job
c:\windows\Tasks\At23.job
c:\windows\Tasks\At24.job
c:\windows\Tasks\At3.job
c:\windows\Tasks\At4.job
c:\windows\Tasks\At5.job
c:\windows\Tasks\At6.job
c:\windows\Tasks\At7.job
c:\windows\Tasks\At8.job
c:\windows\Tasks\At9.job
c:\windows\version.txt

Infected copy of c:\windows\system32\DRIVERS\atapi.sys was found and disinfected
Restored copy from - Kitty ate it :p
.
((((((((((((((((((((((((( Files Created from 2009-12-22 to 2010-01-22 )))))))))))))))))))))))))))))))
.

2010-01-22 18:31 . 2010-01-07 21:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-22 18:31 . 2010-01-22 18:31 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware012210
2010-01-22 18:31 . 2010-01-07 21:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-22 17:38 . 2009-08-07 00:23 215904 ----a-w- c:\windows\system32\muweb.dll
2010-01-22 17:34 . 2010-01-22 17:34 18432 ----a-w- c:\windows\system32\emp44.exe
2010-01-22 16:13 . 2010-01-22 16:13 -------- d-----w- C:\232b5cf781721eb98c06572a
2010-01-22 05:05 . 2010-01-22 05:05 147456 ----a-w- C:\autoexec.exe
2010-01-22 01:09 . 2010-01-22 01:09 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-01-22 01:09 . 2010-01-22 01:09 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-01-22 01:09 . 2010-01-22 01:09 -------- d-----w- c:\documents and settings\Student\Application Data\SUPERAntiSpyware.com
2010-01-20 12:16 . 2010-01-20 12:17 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\HPAppData
2010-01-15 01:23 . 2010-01-15 01:23 -------- d-----w- c:\program files\Windows Defender
2010-01-15 01:11 . 2010-01-15 01:18 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware 11410
2010-01-03 18:29 . 2010-01-03 18:29 -------- d-----w- c:\program files\Microsoft Baseline Security Analyzer 2

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-22 22:34 . 2006-01-09 07:57 -------- d-----w- c:\program files\Symantec AntiVirus
2010-01-22 20:15 . 2009-08-23 22:54 157288 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2010-01-22 17:36 . 2009-04-21 20:57 -------- d-----w- c:\program files\MSECache
2010-01-22 16:45 . 2008-11-08 18:43 -------- d-----w- c:\documents and settings\Student\Application Data\Juniper Networks
2010-01-22 01:08 . 2004-08-28 15:21 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-01-21 22:33 . 2008-10-11 23:22 -------- d-----w- c:\documents and settings\Student\Application Data\HPAppData
2010-01-21 22:33 . 2008-09-22 19:45 -------- d-----w- c:\documents and settings\Student\Application Data\ComcastToolbar
2010-01-20 23:47 . 2004-05-19 14:35 11383 ----a-w- c:\windows\system32\nvModes.dat
2010-01-20 22:40 . 2004-05-27 14:06 -------- d-----w- c:\program files\Common Files\Adobe
2010-01-12 00:58 . 2008-09-20 00:42 -------- d-----w- c:\documents and settings\All Users\Application Data\HP
2010-01-10 17:32 . 2008-02-10 22:50 -------- d-----w- c:\program files\PokerStars
2010-01-03 22:40 . 2009-01-04 06:06 -------- d-----w- c:\documents and settings\LocalService\Application Data\HPAppData
2010-01-03 22:35 . 2009-01-04 06:06 -------- d-----w- c:\documents and settings\LocalService\Application Data\COMCASTTOOLBAR
2009-12-06 17:45 . 2009-12-06 17:45 -------- d-----w- c:\program files\Trend Micro
2009-11-23 12:19 . 2009-01-04 06:39 664 ----a-w- c:\windows\system32\d3d9caps.dat
1601-01-01 00:03 . 1601-01-01 00:03 93696 --sha-w- c:\windows\SYSTEM32\fiyajofo.dll
1601-01-01 00:03 . 1601-01-01 00:03 52736 --sha-w- c:\windows\SYSTEM32\gawosige.dll.tmp
1601-01-01 00:03 . 1601-01-01 00:03 39424 --sha-w- c:\windows\SYSTEM32\gesodape.dll
1601-01-01 00:03 . 1601-01-01 00:03 52224 --sha-w- c:\windows\SYSTEM32\gusowigi.dll
1601-01-01 00:03 . 1601-01-01 00:03 93696 --sha-w- c:\windows\SYSTEM32\jamuyobo.dll
2007-11-08 00:40 . 2007-11-07 18:18 43723 -csh--w- c:\windows\SYSTEM32\lnppo.tmp
1601-01-01 00:03 . 1601-01-01 00:03 52224 --sha-w- c:\windows\SYSTEM32\megonoki.dll
2007-10-22 22:31 . 2007-10-22 21:38 57682 -csh--w- c:\windows\SYSTEM32\rutwa.tmp
2007-10-01 19:29 . 2007-10-01 19:28 2136863 -csha-w- c:\windows\SYSTEM32\svwvw.tmp
1601-01-01 00:03 . 1601-01-01 00:03 39424 --sha-w- c:\windows\SYSTEM32\vupehoga.dll
1601-01-01 00:03 . 1601-01-01 00:03 52736 --sha-w- c:\windows\SYSTEM32\wezorewe.dll.tmp
2007-09-14 03:19 . 2007-09-14 03:19 693605 -csh--w- c:\windows\SYSTEM32\ytvlpiuf.tmp
1601-01-01 00:03 . 1601-01-01 00:03 52736 --sha-w- c:\windows\SYSTEM32\zehubedu.dll.tmp
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-01-05 2002160]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nwiz"="nwiz.exe" [2004-10-26 921600]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2004-02-02 155648]
"DVDSentry"="c:\windows\System32\DSentry.exe" [2002-07-17 28672]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2004-05-12 241664]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2005-06-02 48752]
"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2007-08-22 80896]
"ddoctorv2"="c:\program files\Comcast\Desktop Doctor\bin\sprtcmd.exe" [2008-04-24 202560]
"LELA"="c:\program files\Linksys\Linksys EasyLink Advisor\Linksys EasyLink Advisor.exe" [2008-05-01 131072]
"nmctxth"="c:\program files\Common Files\Pure Networks Shared\Platform\nmctxth.exe" [2008-04-09 648504]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 132496]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2004-10-26 4632576]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-08-13 177440]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-09-05 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-10-29 141600]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-04 866584]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-10-14 214360]
VPN Client.lnk - c:\windows\Installer\{14FCFE7C-AB86-428A-9D2E-BFB6F5A7AA6E}\Icon3E5562ED7.ico [2007-11-19 6144]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoRecentDocsNetHood"= 01000000

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 19:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AutoCAD Startup Accelerator.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\AutoCAD Startup Accelerator.lnk
backup=c:\windows\pss\AutoCAD Startup Accelerator.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Post-itŪ Software Notes Lite.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Post-itŪ Software Notes Lite.lnk
backup=c:\windows\pss\Post-itŪ Software Notes Lite.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Student^Start Menu^Programs^Startup^Webshots.lnk]
path=c:\documents and settings\Student\Start Menu\Programs\Startup\Webshots.lnk
backup=c:\windows\pss\Webshots.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdaptecDirectCD]
2004-05-26 15:31 684032 ----a-w- c:\program files\Roxio\Easy CD Creator 5\DirectCD\Directcd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelliPoint]
2003-05-15 23:41 163840 ----a-w- c:\program files\Microsoft IntelliPoint\point32.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2009-10-29 00:21 141600 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2004-10-26 16:01 4632576 ----a-w- c:\windows\SYSTEM32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-09-05 05:54 417792 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2005-11-10 18:03 36975 -c--a-w- c:\program files\Java\jre1.5.0_06\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\vptray]
2005-06-24 00:27 85696 ----a-w- c:\progra~1\SYMANT~2\VPTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\SYSTEM32\\mshta.exe"=
"c:\\Program Files\\LimeWire\\LimeWire 4.0.8\\LimeWire.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\EA SPORTS\\NHL07\\nhl2007.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Eidos\\Pyro Studios\\Commandos 3 - Destination Berlin\\commandos3.exe"=
"c:\program files\Cisco Systems\VPN Client\cvpnd.exe"= c:\program files\Cisco Systems\VPN Client\cvpnd.exe:LocalSubNet,128.143.0.0/255.255.0.0,137.54.0.0/255.255.0.0,172.16.0.0/255.255.0.0,172.25.0.0/255.255.0.0,172.26.0.0/255.255.0.0,192.35.0.0/255.255.0.0,198.32.44.0/255.255.255.0,198.32.48.0/255.255.255.0,199.111.0.0/255.255.0.0:Enabled:CiscoVPN2
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqcopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Documents and Settings\\Student\\Application Data\\Juniper Networks\\Juniper Terminal Services Client\\dsTermServ.exe"=
"c:\\Documents and Settings\\Student\\Application Data\\Macromedia\\Flash Player\\[You must be registered and logged in to see this link.]
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Eidos\\Pyro Studios\\Commandos 2 - Men of Courage\\comm2.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"38293:UDP"= 38293:UDP:LocalSubNet,128.143.0.0/255.255.0.0,137.54.0.0/255.255.0.0,172.16.0.0/255.255.0.0,172.25.0.0/255.255.0.0,172.26.0.0/255.255.0.0,192.35.0.0/255.255.0.0,199.111.0.0/255.255.0.0:Enabled:SymantecManagedAVUDP38293
"500:UDP"= 500:UDP:LocalSubNet,128.143.0.0/255.255.0.0,137.54.0.0/255.255.0.0,172.16.0.0/255.255.0.0,172.25.0.0/255.255.0.0,172.26.0.0/255.255.0.0,192.35.0.0/255.255.0.0,198.32.44.0/255.255.255.0,198.32.48.0/255.255.255.0,199.111.0.0/255.255.0.0:Enabled:CiscoVPN(ISAKMP)
"62515:UDP"= 62515:UDP:LocalSubNet,128.143.0.0/255.255.0.0,137.54.0.0/255.255.0.0,172.16.0.0/255.255.0.0,172.25.0.0/255.255.0.0,172.26.0.0/255.255.0.0,192.35.0.0/255.255.0.0,198.32.44.0/255.255.255.0,198.32.48.0/255.255.255.0,199.111.0.0/255.255.0.0:Enabled:CiscoVPN
"67:UDP"= 67:UDP:DHCP Discovery Service

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowOutboundSourceQuench"= 1 (0x1)
"AllowInboundEchoRequest"= 1 (0x1)
"AllowOutboundTimeExceeded"= 1 (0x1)

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [1/5/2010 7:56 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [1/5/2010 7:56 AM 74480]
R2 LinksysUpdater;Linksys Updater;c:\program files\Linksys\Linksys Updater\bin\LinksysUpdater.exe [4/18/2008 4:30 AM 204800]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [1/8/2008 6:52 PM 24652]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
R3 EraserUtilDrvI9;EraserUtilDrvI9;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilDrvI9.sys [12/26/2009 5:33 PM 102448]
R3 GTICARD;GTICARD;c:\windows\SYSTEM32\DRIVERS\gticard.sys [1/1/1980 59328]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [1/5/2010 7:56 AM 7408]
S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [6/23/2005 7:27 PM 124608]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2010-01-10 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2010-01-22 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 00:20]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
IE: &AIM Search - c:\program files\AIM Toolbar\AIMBar.dll/aimsearch.htm
IE: &Search
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Student\Application Data\Mozilla\Firefox\Profiles\m7tqr3zr.Default User\
FF - prefs.js: browser.startup.homepage - about:blank
FF - prefs.js: network.proxy.type - 2
FF - plugin: c:\documents and settings\Student\Application Data\Move Networks\plugins\npqmp071701000002.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPinfotl.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPTURNMED.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - hȋdden: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Aim6 - (no file)
HKLM-Run-hetijupop - c:\windows\system32\lahuyofu.dll
HKLM-Explorer_Run-RTHDBPL - c:\documents and settings\Student\Application Data\SystemProc\lsass.exe
SharedTaskScheduler-{802d8076-e95e-4989-98ff-bd7fd48ccbbb} - c:\windows\system32\lahuyofu.dll
ShellExecuteHooks-{C86F6040-61A0-43FC-A455-53B0FB5C6E65} - (no file)
SSODL-dotubapew-{802d8076-e95e-4989-98ff-bd7fd48ccbbb} - c:\windows\system32\lahuyofu.dll
Notify-cbxxwuv - cbxxwuv.dll
Notify-hgggfca - hgggfca.dll
Notify-mljhfdc - mljhfdc.dll
Notify-rqrsrol - rqrsrol.dll
Notify-wvuuuvw - wvuuuvw.dll
Notify-xxyywwt - xxyywwt.dll
MSConfigStartUp-My Web Search Bar - c:\progra~1\MYWEBS~1\bar\2.bin\MWSBAR.DLL
MSConfigStartUp-MyWebSearch Email Plugin - c:\progra~1\MYWEBS~1\bar\2.bin\mwsoemon.exe
AddRemove-SPRINT II v2.0 - c:\sprint2\Uninst.isu



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2010-01-22 17:32
Windows 5.1.2600 Service Pack 3 NTFS

scanning hȋdden processes ...

scanning hȋdden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
RTHDBPL = c:\documents and settings\Student\Application Data\SystemProc\lsass.exe?????????????????????????????????????????????????????????

scanning hȋdden files ...

scan completed successfully
hȋdden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1231516556-414407275-1844061413-1008\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,79,00,73,00,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1008)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(432)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\mshtml.dll
c:\program files\Microsoft Office\OFFICE11\msohev.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\windows\System32\SCardSvr.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\drivers\CDAC11BA.EXE
c:\program files\Cisco Systems\VPN Client\cvpnd.exe
c:\program files\Symantec AntiVirus\DefWatch.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\nvsvc32.exe
c:\program files\Comcast\Desktop Doctor\bin\sprtsvc.exe
c:\program files\Symantec AntiVirus\Rtvscan.exe
c:\windows\system32\wdfmgr.exe
c:\windows\System32\wltrysvc.exe
c:\windows\System32\bcmwltry.exe
c:\program files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
c:\windows\system32\java.exe
c:\windows\system32\wscntfy.exe
c:\program files\HP\hpcoretech\comp\hptskmgr.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe
c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe
c:\program files\HP\Digital Imaging\bin\hpqbam08.exe
c:\program files\HP\Digital Imaging\bin\hpqgpc01.exe
.
**************************************************************************
.
Completion time: 2010-01-22 17:49:05 - machine was rebooted
ComboFix-quarantined-files.txt 2010-01-22 22:48

Pre-Run: 1,956,360,192 bytes free
Post-Run: 2,339,201,024 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

- - End Of File - - 10A8B84C98615E971778B20D22667690

mts5b
Beginner
Beginner

Status :
Online
Offline

Posts : 4
Joined : 2010-01-22
OS : Windows XP

View user profile

Back to top Go down

Re: Spyware/Malware ... worm.win32.netsky et. al

Post by Dr Jay on Fri Jan 22, 2010 11:26 pm

Please download Malwarebytes Anti-Malware from [You must be registered and logged in to see this link.].
Alternate link: [You must be registered and logged in to see this link.].
(Note: if you already have the program installed, just follow the directions. No need to re-download or re-install!)

Double Click mbam-setup.exe to install the application.

(Note: if you already have the program installed, open Malwarebytes from the Start Menu or Desktop shortcut, click the Update tab, and click Check for Updates, before doing the scan as instructed below!)

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • Please save the log to a location you will remember.
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.


Dr. Jay (DJ)


[You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.]

Dr Jay
Head Administrator
Head Administrator

Status :
Online
Offline

Posts : 13712
Joined : 2009-09-06
Gender : Male
OS : Windows 10 Home & Pro

View user profile

Back to top Go down

Re: Spyware/Malware ... worm.win32.netsky et. al

Post by mts5b on Sat Jan 23, 2010 2:12 am

Malwarebytes' Anti-Malware 1.44
Database version: 3618
Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.11

1/22/2010 9:11:45 PM
mbam-log-2010-01-22 (21-11-45).txt

Scan type: Full Scan (C:\|)
Objects scanned: 251918
Time elapsed: 2 hour(s), 40 minute(s), 48 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 25

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{c2b5aab8-2183-4be7-81a6-f11493c45872} (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\SYSTEM32\fiyajofo.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\gesodape.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\gusowigi.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\jamuyobo.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\megonoki.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\vupehoga.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\autoexec.exe (Backdoor.Poison) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\Documents and Settings\Student\Application Data\SystemProc\lsass.exe.vir (Trojan.Inject) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\smss32.exe.vir (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\winlogon32.exe.vir (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1601\A0218397.exe (Trojan.Inject) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1603\A0220370.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1603\A0220376.dll (Trojan.Vundo.Gen) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1606\A0228491.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1607\A0229489.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1607\A0229492.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1607\A0229562.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1607\A0229585.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1607\A0229587.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1607\A0229657.exe (Trojan.Inject) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1607\A0229742.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1607\A0229764.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1607\A0229852.sys (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\emp44.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\SPOOL\PRTPROCS\W32X86\0000625c.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.

mts5b
Beginner
Beginner

Status :
Online
Offline

Posts : 4
Joined : 2010-01-22
OS : Windows XP

View user profile

Back to top Go down

Re: Spyware/Malware ... worm.win32.netsky et. al

Post by Dr Jay on Sat Jan 23, 2010 2:34 am

There is a dangerous backdoor trojan on your system. This is a sign of total system compromise.
[You must be registered and logged in to see this link.] are very dangerous because they compromise system integrity by making changes that allow it to by used by the attacker for malicious purposes. Remote attackers use backdoors as a means of accessing and taking control of a computer that bypasses security mechanisms. This type of exploit allows them to steal sensitive information like passwords, personal and financial data which is send back to the hacker. To learn more about these types of infections, you can refer to: [You must be registered and logged in to see this link.]
I would counsel you to immediately disconnect this PC from the Internet and from your network if it is on a network. Disconnect the infected computer until the computer can be cleaned.
Then, access this information from a non-compromised computer to follow the steps needed.
If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable. Do NOT change passwords or do any transactions while using the infected computer because the attacker may get the new passwords and transaction information. (If using a router, you need to reset it with a strong logon/password so the malware cannot gain control before connecting again.) Banking and credit card institutions should be notified to apprise them of your situation (possible security breach). To protect your information that may have been compromised, I recommend reading these references:

Though the backdoor has been identified and can be killed, because of it's backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. It is dangerous and incorrect to assume the computer is secure even if the malware appears to have been removed. In some instances an infection may have caused so much damage to your system that it cannot be completely cleaned or repaired so you can never be sure that you have completely removed a backdoor trojan. The malware may leave so many remnants behind that security tools cannot find them. Tools that claim to be able to remove backdoor trojans cannot guarantee that all traces of it will be removed. Many experts in the security community believe that once infected with such a piece of malware, the best course of action would be a reformat and clean reinstall of the OS. This is something I don't like to recommend normally, but in most cases it is the best solution for your safety. Making this decision is based on what the computer is used for, and what information can be accessed from it. For more information, please read these references very carefully:
Guides for format and reinstall: [You must be registered and logged in to see this link.]

[You must be registered and logged in to see this link.]
However, if you do not have the resources to reinstall your computer's OS and would like me to attempt to clean it, I will be happy to do so. But please consider carefully before deciding against a reformat.
If you do make that decision, I will do my best to help you clean the computer of any infections, but you must understand that once a machine has been taken over by this type of malware, I cannot guarantee that it will be 100% secure even after disinfection or that the removal will be successful.

Please let me know what you have decided to do in your next post. Should you have any questions, please feel free to ask.


Dr. Jay (DJ)


[You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.]

Dr Jay
Head Administrator
Head Administrator

Status :
Online
Offline

Posts : 13712
Joined : 2009-09-06
Gender : Male
OS : Windows 10 Home & Pro

View user profile

Back to top Go down

View previous topic View next topic Back to top

- Similar topics

 
Permissions in this forum:
You cannot reply to topics in this forum