MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

sufohuwe.dll infection

Post by a4soccor » March 15th, 2010, 9:16 pm

Hi,
My computer seems to have been infected with the Sufohuwe.dll virus. The HiJackThis log posted below confirms this. I normally am able to figure out how to get rid of things like that but this one has me stumped. Thanks for any help you can provide.

-Adam-

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:14:57 PM, on 3/15/2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16981)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\Google\Update\1.2.183.17\GoogleCrashHandler.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe
C:\Program Files\Razer\DeathAdder\razerhid.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDClock.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDCountdown.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDPop3.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDMedia.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Kodak\AiO\center\KodakSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Razer\DeathAdder\razertra.exe
C:\Program Files\Razer\DeathAdder\razerofa.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\ehome\RMSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O4 - HKLM\..\Run: [Launch LGDCore] "C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe" /SHOWHIDE
O4 - HKLM\..\Run: [Launch LCDMon] "C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe"
O4 - HKLM\..\Run: [DeathAdder] C:\Program Files\Razer\DeathAdder\razerhid.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [ripohirev] Rundll32.exe "c:\windows\system32\sufohuwe.dll",a
O20 - AppInit_DLLs: c:\windows\system32\sufohuwe.dll,nusayuta.dll
O21 - SSODL: tudawugad - {0ec666f4-50eb-475e-8973-2d74ae230f32} - c:\windows\system32\sufohuwe.dll
O22 - SharedTaskScheduler: kupuhivus - {0ec666f4-50eb-475e-8973-2d74ae230f32} - c:\windows\system32\sufohuwe.dll
O23 - Service: Dragon Age: Origins - Content Updater (DAUpdaterSvc) - BioWare - C:\Program Files\Dragon Age\bin_ship\DAUpdaterSvc.Service.exe
O23 - Service: Kodak AiO Network Discovery Service - Eastman Kodak Company - C:\Program Files\Kodak\AiO\Center\EKDiscovery.exe
O23 - Service: Kodak AiO Device Service (KodakSvc) - Eastman Kodak Company - C:\Program Files\Kodak\AiO\center\KodakSvc.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 3261 bytes
a4soccor
Regular Member
 
Posts: 15
Joined: March 15th, 2010, 9:01 pm
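As an added example (not part of the original post and not one of the forum's tools), a small Python parser that reads HijackThis lines like the O4/O20/O21/O22 entries in the log above and flags DLLs that are registered in more than one autostart location, carry a random-looking eight-letter name, or are started through rundll32 with a one-letter export. The sample lines are constructed from that log; the section-to-mechanism mapping and the naming heuristic are assumptions of this example, not HijackThis features.

```python
import re
from collections import defaultdict

# Constructed sample input, modelled on the HijackThis log posted above:
# one benign Run entry and one service beside the four sufohuwe.dll entries.
SAMPLE_HJT = r"""
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [ripohirev] Rundll32.exe "c:\windows\system32\sufohuwe.dll",a
O20 - AppInit_DLLs: c:\windows\system32\sufohuwe.dll,nusayuta.dll
O21 - SSODL: tudawugad - {0ec666f4-50eb-475e-8973-2d74ae230f32} - c:\windows\system32\sufohuwe.dll
O22 - SharedTaskScheduler: kupuhivus - {0ec666f4-50eb-475e-8973-2d74ae230f32} - c:\windows\system32\sufohuwe.dll
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
"""

# HijackThis section codes that describe a way to get code loaded at start-up
# (assumed mapping for this example; O23 services are left out on purpose).
HJT_MECHANISM = {
    "O4": "Run key",
    "O20": "AppInit_DLLs",
    "O21": "SSODL",
    "O22": "SharedTaskScheduler",
}
# A DLL basename; the character class stops at backslashes, quotes and commas,
# so only the file-name part of a path is captured.
DLL_RE = re.compile(r"[a-z0-9_.-]+\.dll", re.IGNORECASE)
# Eight lowercase letters and nothing else: the naming pattern seen in this thread.
RANDOM_NAME_RE = re.compile(r"^[a-z]{8}\.dll$")
# rundll32 <dll>,<export>: capture the export that the Run entry invokes.
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?[^",]*\.dll"?,(\w+)', re.IGNORECASE)


def hjt_persistence(log_text):
    """Map each DLL basename (lowercased) to the sorted list of autostart
    mechanisms that reference it."""
    by_dll = defaultdict(set)
    for line in log_text.splitlines():
        m = re.match(r"(O\d+) - ", line)
        if not m or m.group(1) not in HJT_MECHANISM:
            continue
        for dll in DLL_RE.findall(line):
            by_dll[dll.lower()].add(HJT_MECHANISM[m.group(1)])
    return {dll: sorted(mechs) for dll, mechs in by_dll.items()}


def rundll_exports(log_text):
    """Return {dll: export} for entries that start a DLL through rundll32."""
    exports = {}
    for line in log_text.splitlines():
        m = RUNDLL_RE.search(line)
        if m:
            exports[DLL_RE.search(m.group(0)).group(0).lower()] = m.group(1)
    return exports


def flag_hjt(log_text):
    """Return {dll: [reasons]} for DLLs worth a closer look: registered in more
    than one autostart location, random-looking name, or a one-letter export."""
    flagged = {}
    exports = rundll_exports(log_text)
    for dll, mechs in hjt_persistence(log_text).items():
        reasons = []
        if len(mechs) > 1:
            reasons.append("registered in %d autostart locations: %s"
                           % (len(mechs), ", ".join(mechs)))
        if RANDOM_NAME_RE.match(dll):
            reasons.append("random-looking eight-letter name")
        if len(exports.get(dll, "")) == 1:
            reasons.append("started by rundll32 with one-letter export '%s'" % exports[dll])
        if reasons:
            flagged[dll] = reasons
    return flagged


if __name__ == "__main__":
    for dll, reasons in flag_hjt(SAMPLE_HJT).items():
        print("%s\n  - %s" % (dll, "\n  - ".join(reasons)))
```

Run against the full log in the post, the same DLL shows up under four different autostart mechanisms, which is the strongest single signal here; the name heuristic alone will also hit a few legitimate eight-letter system DLLs, so treat it as a prompt for a closer look, not a verdict.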

Re: sufohuwe.dll infection

Post by gringo_pr » March 16th, 2010, 5:23 am

Hello and Welcome to the forums!

My name is Gringo and I'll be glad to help you with your computer problems.

Some things to remember while we are working together:

    1. Please do not run any other tool until instructed to do so!
    2. Please reply to this thread, do not start another!
    3. Please tell me about any problems that have occurred during the fix.
    4. Please tell me of any other symptoms you may be having, as these can help also.
    5. Please try as much as possible not to run anything while executing a fix.

If you follow these instructions, everything should go smoothly.

Please subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe.

I would like to get a better look at your system, please do the following so I can get some more detailed logs.


DeFogger:

    Please download DeFogger to your desktop.

    Double click DeFogger to run the tool.
    • The application window will appear
    • Click the Disable button to disable your CD Emulation drivers
    • Click Yes to continue
    • A 'Finished!' message will appear
    • Click OK
    • DeFogger may ask you to reboot the machine, if it does - click OK
    Do not re-enable these drivers until otherwise instructed.
IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_disable which will appear on your desktop.

Download DDS:

    Please download DDS by sUBs from one of the links below and save it to your desktop:


    Please disable any anti-malware program that will block scripts from running before running DDS.

    • Double-Click on dds.scr and a command window will appear. This is normal.
    • Shortly after two logs will appear:
      • DDS.txt
      • Attach.txt
    • A window will open instructing you save & post the logs
    • Save the logs to a convenient place such as your desktop
    • Copy the contents of both logs & post in your next reply

GMER:

    Download GMER Rootkit Scanner from here or here.
    • Extract the contents of the zipped file to desktop.
    • Double click GMER.exe. If asked to allow the gmer.sys driver to load, please consent.
    • If it gives you a warning about rootkit activity and asks if you want to run a scan, click on NO, then use the following settings for a more complete scan:
    • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
      • Sections
      • IAT/EAT
      • Drives/Partition other than Systemdrive (typically C:\)
      • Show All (don't miss this one)
    • Then click the Scan button & wait for it to finish.
    • Once done click on the [Save..] button, and in the File name area, type in "ark.txt" or it will save as a .log file which cannot be uploaded to your post.
    Save it where you can easily find it, such as your desktop

    **Caution**
    Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.

information and logs:

    In your next post I need the following:

      1. Logs from DDS
      2. Log from GMER
      3. Let me know of any problems you may have had

Gringo
gringo_pr
Site Moderator
 
Posts: 1817
Joined: March 31st, 2007, 1:35 pm
Location: puerto rico

Re: sufohuwe.dll infection

Post by a4soccor » March 16th, 2010, 3:16 pm

Hi, per your request, attached are the results of the scans:


DDS (Ver_09-12-01.01) - NTFSx86
Run by Adam Soccorsi at 12:28:48.53 on Tue 03/16/2010
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2558.2008 [GMT -4:00]

AV: ESET NOD32 antivirus system 2.70 *On-access scanning enabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}

============== Running Processes ===============

C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Kodak\AiO\center\KodakSvc.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\ehome\RMSvc.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Google\Update\1.2.183.17\GoogleCrashHandler.exe
C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe
C:\Program Files\Razer\DeathAdder\razerhid.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDClock.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDCountdown.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDPop3.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDMedia.exe
C:\Program Files\Razer\DeathAdder\razertra.exe
C:\Program Files\Razer\DeathAdder\razerofa.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Adam Soccorsi\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mStart Page = hxxp://www.google.com
mDefault_Search_URL = hxxp://www.google.com/ie
mSearch Page = hxxp://www.google.com
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com
mSearchAssistant = hxxp://www.google.com
mURLSearchHooks: AIM Toolbar Search Class: {03402f96-3dc7-4285-bc50-9e81fefafe43} - c:\program files\aim toolbar\aimtb.dll
uWinlogon: Shell=c:\documents and settings\adam soccorsi\application data\privacy center\ccmain.exe
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
TB: Winamp Toolbar: {ebf2ba02-9094-4c5a-858b-bb198f3d8de2} - c:\program files\winamp toolbar\winamptb.dll
TB: Ask Toolbar: {fe063db9-4ec0-403e-8dd8-394c54984b2c} - c:\program files\asktbar\bar\1.bin\ASKTBAR.DLL
TB: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
mRun: [Launch LGDCore] "c:\program files\logitech\gamepanel software\g-series software\LGDCore.exe" /SHOWHIDE
mRun: [Launch LCDMon] "c:\program files\logitech\gamepanel software\lcd manager\LCDMon.exe"
mRun: [DeathAdder] c:\program files\razer\deathadder\razerhid.exe
mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSConfig.exe /auto
mRun: [nod32kui] "c:\program files\eset\nod32kui.exe" /WAITSERVICE
mRun: [ripohirev] Rundll32.exe "c:\windows\system32\sofodowi.dll",a
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
LSP: c:\windows\system32\imon.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinsta ... s-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/fl ... rashim.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinsta ... s-i586.cab
AppInit_DLLs: nusayuta.dll c:\windows\system32\sofodowi.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SSODL: zejateded - {255efa85-7439-45d6-9333-187f32d8e3b5} - c:\windows\system32\sofodowi.dll
STS: mujuzedij: {255efa85-7439-45d6-9333-187f32d8e3b5} - c:\windows\system32\sofodowi.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
LSA: Notification Packages = scecli pimimoso.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\adamso~1\applic~1\mozilla\firefox\profiles\b0ygk3a8.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - AIM Search
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/firefox
FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/sli ... 706&query=
FF - plugin: c:\documents and settings\adam soccorsi\application data\mozilla\firefox\profiles\b0ygk3a8.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp071303000004.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\google updater\2.4.1691.8062\npCIDetect13.dll
FF - plugin: c:\program files\google\update\1.2.183.17\npGoogleOneClick8.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJPI150_06.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

---- FIREFOX POLICIES ----
FF - user.js: dom.disable_open_during_load - false // Popupblocker control handled by McAfee Privacy Service
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 nod32drv;nod32drv;c:\windows\system32\drivers\nod32drv.sys [2008-9-27 15424]
R2 KodakSvc;Kodak AiO Device Service;c:\program files\kodak\aio\center\KodakSvc.exe [2008-12-1 28672]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\McrdSvc.exe [2005-10-20 96256]
R2 NOD32krn;NOD32 Kernel Service;c:\program files\eset\nod32krn.exe [2008-9-27 552064]
R3 DAdderFltr;DeathAdder Mouse;c:\windows\system32\drivers\dadder.sys [2008-1-17 10880]
S2 Kodak AiO Network Discovery Service;Kodak AiO Network Discovery Service;c:\program files\kodak\aio\center\EKDiscovery.exe [2008-10-10 274432]
S3 DAUpdaterSvc;Dragon Age: Origins - Content Updater;c:\program files\dragon age\bin_ship\daupdatersvc.service.exe [2009-11-23 25832]
S4 gupdate1ca25f239b5547e;Google Update Service (gupdate1ca25f239b5547e);c:\program files\google\update\GoogleUpdate.exe [2009-8-25 133104]
S4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2009-8-1 24652]

=============== Created Last 30 ================

2010-03-16 16:24:51 20 ----a-w- c:\documents and settings\adam soccorsi\defogger_reenable
2010-03-16 05:39:23 1 --sh--w- c:\windows\system32\kavumefe.dll
2010-03-15 05:39:13 1 --sh--w- c:\windows\system32\dukareyo.dll
2010-03-14 17:37:23 1 --sh--w- c:\windows\system32\kofipulo.dll
2010-02-22 04:15:52 34688 ----a-w- c:\windows\system32\drivers\lbrtfdc.sys
2010-02-22 04:15:52 34688 ----a-w- c:\windows\system32\dllcache\lbrtfdc.sys
2010-02-22 04:15:51 8192 ----a-w- c:\windows\system32\drivers\changer.sys
2010-02-22 04:15:51 8192 ----a-w- c:\windows\system32\dllcache\changer.sys
2010-02-22 04:15:14 0 d-----w- c:\docume~1\alluse~1\applic~1\94383633
2010-02-22 04:15:07 24 ----a-w- c:\docume~1\adamso~1\applic~1\cqfyto.dat
2010-02-22 04:15:02 4 ----a-w- c:\docume~1\adamso~1\applic~1\avdrn.dat

==================== Find3M ====================

2009-12-31 15:33:06 70656 ------w- c:\windows\system32\dllcache\ie4uinit.exe
2009-12-31 15:33:06 13824 ------w- c:\windows\system32\dllcache\ieudinit.exe
2009-12-18 13:05:43 634648 ------w- c:\windows\system32\dllcache\iexplore.exe
2009-12-18 13:04:09 161792 ------w- c:\windows\system32\dllcache\ieakui.dll
2009-08-22 23:14:14 19403 ----a-w- c:\program files\common files\esobika.sys
2009-08-22 23:11:29 16323 ----a-w- c:\program files\common files\zolula.inf
2009-08-22 23:11:29 13876 ----a-w- c:\program files\common files\telofim.dat
2009-08-22 23:11:29 10957 ----a-w- c:\program files\common files\lulokumi.bat
1601-01-01 00:03:28 69632 --sha-w- c:\windows\system32\divosewo.dll
1601-01-01 00:03:28 46080 --sha-w- c:\windows\system32\jajulaze.dll
1601-01-01 00:03:28 46080 --sha-w- c:\windows\system32\jinuwayi.dll
1601-01-01 00:03:28 47104 --sha-w- c:\windows\system32\keminazo.dll
1601-01-01 00:03:28 69632 --sha-w- c:\windows\system32\kuwovogi.dll
1601-01-01 00:03:28 100864 --sha-w- c:\windows\system32\lipegamu.dll
1601-01-01 00:03:28 97280 --sha-w- c:\windows\system32\lozaguje.dll
1601-01-01 00:03:52 60928 --sha-w- c:\windows\system32\nusayuta.dll
1601-01-01 00:03:52 60928 --sha-w- c:\windows\system32\pimimoso.dll
1601-01-01 00:03:28 70656 --sha-w- c:\windows\system32\royetuki.dll
1601-01-01 00:03:28 100864 --sha-w- c:\windows\system32\sarepelo.dll
1601-01-01 00:03:28 47104 --sha-w- c:\windows\system32\semasema.dll
1601-01-01 00:03:28 100352 --sha-w- c:\windows\system32\sofodowi.dll
1601-01-01 00:03:52 60928 --sha-w- c:\windows\system32\vetahadu.dll
1601-01-01 00:03:28 43008 --sha-w- c:\windows\system32\yejedotu.dll
1601-01-01 00:03:28 60928 --sha-w- c:\windows\system32\yirumuno.dll
1601-01-01 00:03:28 97280 --sha-w- c:\windows\system32\yizimife.dll
1601-01-01 00:03:28 44032 --sha-w- c:\windows\system32\yotewari.dll
2008-09-22 01:55:56 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008092120080922\index.dat

============= FINISH: 12:29:44.31 ===============

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-12-01.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume2
Install Date: 12/22/2006 9:36:39 PM
System Uptime: 3/16/2010 12:25:45 PM (0 hours ago)

Motherboard: Dell Inc. | | 0WG855
Processor: Intel(R) Core(TM)2 CPU 6400 @ 2.13GHz | Microprocessor | 2128/1066mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 228 GiB total, 70.402 GiB free.
D: is CDROM ()
E: is FIXED (FAT32) - 931 GiB total, 923.394 GiB free.

==== Disabled Device Manager Items =============

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Hamachi Network Interface
Device ID: ROOT\NET\0000
Manufacturer: LogMeIn, Inc.
Name: Hamachi Network Interface
PNP Device ID: ROOT\NET\0000
Service: hamachi

==== System Restore Points ===================

RP1211: 12/17/2009 3:00:25 AM - Software Distribution Service 3.0
RP1212: 12/20/2009 7:05:18 PM - Software Distribution Service 3.0
RP1213: 12/20/2009 7:24:04 PM - Software Distribution Service 3.0
RP1214: 12/21/2009 3:00:14 AM - Software Distribution Service 3.0
RP1215: 12/22/2009 3:00:16 AM - Software Distribution Service 3.0
RP1216: 12/23/2009 3:00:18 AM - Software Distribution Service 3.0
RP1217: 12/24/2009 3:00:18 AM - Software Distribution Service 3.0
RP1218: 12/25/2009 3:00:16 AM - Software Distribution Service 3.0
RP1219: 12/25/2009 1:14:47 PM - Installed iTunes
RP1220: 12/25/2009 1:55:05 PM - Software Distribution Service 3.0
RP1221: 12/25/2009 1:59:38 PM - Software Distribution Service 3.0
RP1222: 12/26/2009 3:00:16 AM - Software Distribution Service 3.0
RP1223: 12/27/2009 3:00:16 AM - Software Distribution Service 3.0
RP1224: 12/28/2009 3:00:13 AM - Software Distribution Service 3.0
RP1225: 12/28/2009 8:27:57 PM - Software Distribution Service 3.0
RP1226: 12/29/2009 8:38:59 PM - System Checkpoint
RP1227: 12/30/2009 8:40:21 PM - System Checkpoint
RP1228: 12/31/2009 9:40:22 PM - System Checkpoint
RP1229: 1/1/2010 9:53:58 PM - System Checkpoint
RP1230: 1/2/2010 10:04:30 PM - System Checkpoint
RP1231: 1/3/2010 6:08:45 AM - Software Distribution Service 3.0
RP1232: 1/4/2010 6:47:47 AM - System Checkpoint
RP1233: 1/5/2010 7:47:43 AM - System Checkpoint
RP1234: 1/6/2010 7:48:49 AM - System Checkpoint
RP1235: 1/7/2010 8:47:54 AM - System Checkpoint
RP1236: 1/8/2010 8:55:15 AM - System Checkpoint
RP1237: 1/9/2010 9:47:56 AM - System Checkpoint
RP1238: 1/10/2010 10:47:50 AM - System Checkpoint
RP1239: 1/11/2010 11:47:54 AM - System Checkpoint
RP1240: 1/11/2010 10:08:35 PM - Installed DirectX
RP1241: 1/13/2010 12:15:15 AM - System Checkpoint
RP1242: 1/13/2010 11:05:34 PM - Software Distribution Service 3.0
RP1243: 1/14/2010 2:12:33 PM - Software Distribution Service 3.0
RP1244: 1/14/2010 11:12:38 PM - Software Distribution Service 3.0
RP1245: 1/15/2010 11:17:20 PM - System Checkpoint
RP1246: 1/16/2010 11:19:23 PM - System Checkpoint
RP1247: 1/18/2010 12:14:18 AM - System Checkpoint
RP1248: 1/19/2010 12:26:24 AM - System Checkpoint
RP1249: 1/20/2010 1:17:24 AM - System Checkpoint
RP1250: 1/21/2010 2:18:35 AM - System Checkpoint
RP1251: 1/21/2010 7:11:02 PM - Software Distribution Service 3.0
RP1252: 1/22/2010 7:17:52 PM - System Checkpoint
RP1253: 1/22/2010 7:24:50 PM - Installed DirectX
RP1254: 1/24/2010 2:34:30 AM - Software Distribution Service 3.0
RP1255: 1/25/2010 12:32:16 AM - Software Distribution Service 3.0
RP1256: 1/25/2010 7:43:41 PM - Software Distribution Service 3.0
RP1257: 1/26/2010 10:50:23 PM - System Checkpoint
RP1258: 1/28/2010 12:01:48 AM - System Checkpoint
RP1259: 1/29/2010 1:12:08 AM - System Checkpoint
RP1260: 1/29/2010 8:01:43 AM - Software Distribution Service 3.0
RP1261: 1/31/2010 5:47:51 PM - Installed DirectX
RP1262: 1/31/2010 5:48:55 PM - Removed Microsoft Visual C++ 2005 Redistributable
RP1263: 1/31/2010 5:49:45 PM - Removed Microsoft Visual C++ 2005 Redistributable
RP1264: 1/31/2010 5:50:18 PM - Installed Microsoft Visual C++ 2005 Redistributable
RP1265: 2/2/2010 12:43:28 AM - System Checkpoint
RP1266: 2/3/2010 12:45:23 AM - System Checkpoint
RP1267: 2/4/2010 1:20:55 AM - System Checkpoint
RP1268: 2/5/2010 1:44:22 AM - System Checkpoint
RP1269: 2/5/2010 6:25:09 PM - Installed DirectX
RP1270: 2/6/2010 6:27:57 PM - System Checkpoint
RP1271: 2/7/2010 6:44:28 PM - System Checkpoint
RP1272: 2/8/2010 8:00:50 PM - System Checkpoint
RP1273: 2/9/2010 8:14:04 PM - System Checkpoint
RP1274: 2/10/2010 2:48:29 PM - Installed DirectX
RP1275: 2/10/2010 2:50:09 PM - Installed DirectX
RP1276: 2/11/2010 2:53:52 PM - System Checkpoint
RP1277: 2/12/2010 6:12:21 PM - System Checkpoint
RP1278: 2/13/2010 2:03:26 PM - Installed DirectX
RP1279: 2/14/2010 10:27:46 PM - System Checkpoint
RP1280: 2/16/2010 12:14:19 AM - System Checkpoint
RP1281: 2/17/2010 12:53:54 AM - System Checkpoint
RP1282: 2/18/2010 1:54:03 AM - System Checkpoint
RP1283: 2/19/2010 2:53:58 AM - System Checkpoint
RP1284: 2/20/2010 3:54:00 AM - System Checkpoint
RP1285: 2/20/2010 2:08:05 PM - Installed DirectX
RP1286: 2/21/2010 7:13:27 PM - System Checkpoint
RP1287: 2/22/2010 9:01:19 PM - System Checkpoint
RP1288: 2/23/2010 10:28:15 PM - System Checkpoint
RP1289: 2/24/2010 3:33:29 PM - Removed Netflix Movie Viewer
RP1290: 2/25/2010 3:56:28 PM - System Checkpoint
RP1291: 2/26/2010 4:10:14 PM - System Checkpoint
RP1292: 2/27/2010 5:04:14 PM - System Checkpoint
RP1293: 2/28/2010 7:19:33 PM - System Checkpoint
RP1294: 3/1/2010 7:03:59 PM - Installed BioShock 2
RP1295: 3/2/2010 11:26:20 PM - System Checkpoint
RP1296: 3/4/2010 12:21:45 AM - System Checkpoint
RP1297: 3/5/2010 1:10:18 AM - System Checkpoint
RP1298: 3/6/2010 1:35:59 AM - System Checkpoint
RP1299: 3/7/2010 2:16:20 AM - System Checkpoint
RP1300: 3/7/2010 11:53:28 PM - Software Distribution Service 3.0
RP1301: 3/9/2010 12:05:52 AM - System Checkpoint
RP1302: 3/10/2010 12:46:30 AM - System Checkpoint
RP1303: 3/11/2010 1:23:38 AM - System Checkpoint
RP1304: 3/12/2010 1:57:28 AM - System Checkpoint
RP1305: 3/13/2010 3:14:07 AM - System Checkpoint
RP1306: 3/14/2010 1:25:52 PM - System Checkpoint
RP1307: 3/15/2010 2:21:36 PM - System Checkpoint

==== Installed Programs ======================

µTorrent
32 Bit HP CIO Components Installer
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 7.0.9
Adobe Shockwave Player
AIM Toolbar
aiofw
aioprnt
aioscnnr
AOL Uninstaller (Choose which Products to Remove)
AOLIcon
Apple Application Support
Apple Mobile Device Support
Apple Software Update
Ask Toolbar
Audacity 1.2.6
AusLogics Disk Defrag
AutoUpdate
Azureus Vuze
Banctec Service Agreement
BioShock 2
Bonjour
Bonjour Core for Windows
BufferChm
Call of Duty(R) - World at War(TM) 1.1 Patch
CCleaner
center
Copy
Counter-Strike: Source
Critical Update for Windows Media Player 11 (KB959772)
Data Lifeguard Diagnostic for Windows
Dell CinePlayer
Dell Driver Reset Tool
Dell Support 3.2.1
Dell System Restore
Destination Component
DeviceDiscovery
Digital Content Portal
DivX Codec
DivX Converter
DivX Player
DivX Web Player
DJ_AIO_ProductContext
Documentation & Support Launcher
Dragon Age: Origins
F4100_Help
Free M4a to MP3 Converter 6.0
GCH Guitar academy
Google Earth
Google Update Helper
Google Updater
Goombah Partner COM Server
GTK+ 2.10.6-1 runtime environment
Hamachi 1.0.3.0
High Definition Audio Driver Package - KB835221
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 10 (KB903157)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB938759)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
HP Imaging Device Functions 9.0
HP Photosmart Essential
HP Photosmart Essential 2.01
HP Photosmart Essential2.01
HP Solution Center 9.0
HP Update
HPProductAssistant
HPSSupply
Impulse
Intel(R) Matrix Storage Manager
Intel(R) PRO Network Connections
Intel(R) Quick Resume Technology Drivers
Intel® Viiv™ Software
iTunes
J2SE Runtime Environment 5.0 Update 6
KODAK All-in-One Printer Software
ksDIP
Left 4 Dead
Logitech GamePanel Software 2.00
Magic DVD Copier Version 4.9 build 3
MagicDisc 2.7.105
Malwarebytes' Anti-Malware
Mass Effect
Mass Effect 2
MCU
Media Center Extender
Microsoft .NET Framework 1.0 Hotfix (KB953295)
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB953297)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Games for Windows - LIVE
Microsoft Games for Windows - LIVE Redistributable
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
Microsoft National Language Support Downlevel APIs
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Enterprise 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Groove MUI (English) 2007
Microsoft Office Groove Setup Metadata MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Project 2007 Service Pack 2 (SP2)
Microsoft Office Project MUI (English) 2007
Microsoft Office Project Professional 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Small Business 2007
Microsoft Office Visio 2007 Service Pack 2 (SP2)
Microsoft Office Visio MUI (English) 2007
Microsoft Office Visio Professional 2007
Microsoft Office Word MUI (English) 2007
Microsoft Plus! Digital Media Edition Installer
Microsoft Plus! Photo Story 2 LE
Microsoft redistributable runtime DLLs VS2005(x86)
Microsoft Software Update for Web Folders (English) 12
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft VC9 runtime libraries
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual J# .NET Redistributable Package 1.1
Mozilla Firefox (3.0.2)
Mozilla Firefox (3.6)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 6 Service Pack 2 (KB973686)
neroxml
NOD32 Antivirus System
NVIDIA Drivers
NVIDIA PhysX
PowerISO
PreReq
Privacy Center
PSSWCORE
QuickTime
Razer DeathAdder(TM) Mouse
Security Update for 2007 Microsoft Office System (KB969559)
Security Update for 2007 Microsoft Office System (KB973704)
Security Update for CAPICOM (KB931906)
Security Update for Microsoft Office Excel 2007 (KB973593)
Security Update for Microsoft Office Outlook 2007 (KB972363)
Security Update for Microsoft Office PowerPoint 2007 (KB957789)
Security Update for Microsoft Office Publisher 2007 (KB969693)
Security Update for Microsoft Office system 2007 (972581)
Security Update for Microsoft Office system 2007 (KB969613)
Security Update for Microsoft Office system 2007 (KB974234)
Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
Security Update for Microsoft Office Word 2007 (KB969604)
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Internet Explorer 7 (KB972260)
Security Update for Windows Internet Explorer 7 (KB974455)
Security Update for Windows Internet Explorer 7 (KB976325)
Security Update for Windows Internet Explorer 7 (KB978207)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978262)
Sid Meier's Civilization 4
Sins of a Solar Empire
Sins of a Solar Empire - Entrenchment
Skype 3.0
Skype Plugin Manager
SolutionCenter
Sonic Activation Module
Sonic Encoders
Sonic Update Manager
SoundTaxi 2.5.9
Star Wars Empire at War
Status
Steam
System Requirements Lab
System Shock2
The GIMP 2.2.13
The Lord of the Rings Online™: Shadows of Angmar™ v01.05.00.811
TrayApp
UnloadSupport
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft Office InfoPath 2007 (KB976416)
Update for Outlook 2007 Junk Email Filter (kb977719)
Update for Windows Internet Explorer 7 (KB976749)
Update for Windows Media Player 10 (KB910393)
Update for Windows Media Player 10 (KB913800)
Update for Windows Media Player 10 (KB926251)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB973815)
Update Rollup 2 for Windows XP Media Center Edition 2005
URL Assistant
Ventrilo Client
VideoLAN VLC media player 0.8.6e
VideoToolkit01
Viewpoint Media Player
Warhammer 40,000: Dawn of War II
WebFldrs XP
West Point Bridge Designer 2007
Winamp
Winamp Remote
Windows 7 Upgrade Advisor
Windows Driver Package - Advanced Micro Devices (AmdK8) Processor (05/27/2006 1.3.2.0)
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Media Connect
Windows Media Format 11 runtime
Windows Media Player 10
Windows Media Player 10 Hotfix [See EmeraldQFE2 for more information]
Windows Media Player 11
Windows Media Player Firefox Plugin
Windows Presentation Foundation
Windows XP Media Center Edition 2005 KB905589
Windows XP Media Center Edition 2005 KB908246
Windows XP Media Center Edition 2005 KB925766
Windows XP Media Center Edition 2005 KB973768
Windows XP Service Pack 3
WinRAR archiver
XML Paper Specification Shared Components Pack 1.0

==== Event Viewer Messages From Past Week ========

3/15/2010 8:58:24 PM, error: Service Control Manager [7031] - The COM+ System Application service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 1000 milliseconds: Restart the service.
3/15/2010 7:25:31 PM, error: Service Control Manager [7031] - The Media Center Extender Service service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 5000 milliseconds: Restart the service.
3/15/2010 7:25:26 PM, error: Service Control Manager [7031] - The Print Spooler service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
3/15/2010 7:25:20 PM, error: Service Control Manager [7034] - The Kodak AiO Device Service service terminated unexpectedly. It has done this 1 time(s).
3/15/2010 7:25:12 PM, error: Service Control Manager [7034] - The NVIDIA Display Driver Service service terminated unexpectedly. It has done this 1 time(s).
3/14/2010 12:26:02 PM, error: Service Control Manager [7001] - The Kodak AiO Network Discovery Service service depends on the Bonjour Service service which failed to start because of the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
3/14/2010 1:38:32 AM, error: Service Control Manager [7031] - The Media Center Extender Resource Monitor service terminated unexpectedly. It has done this 3 time(s). The following corrective action will be taken in 5000 milliseconds: Restart the service.
3/14/2010 1:38:21 AM, error: Service Control Manager [7031] - The Media Center Extender Resource Monitor service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 5000 milliseconds: Restart the service.
3/14/2010 1:38:14 AM, error: Service Control Manager [7034] - The Media Center Scheduler Service service terminated unexpectedly. It has done this 1 time(s).
3/14/2010 1:38:07 AM, error: Service Control Manager [7031] - The Media Center Receiver Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 5000 milliseconds: Restart the service.
3/14/2010 1:38:02 AM, error: Service Control Manager [7031] - The Media Center Extender Resource Monitor service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 5000 milliseconds: Restart the service.
3/14/2010 1:37:58 AM, error: Service Control Manager [7031] - The Media Center Extender Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 5000 milliseconds: Restart the service.

==== End Of File ===========================

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-03-16 15:13:21
Windows 5.1.2600 Service Pack 2
Running: gmer.exe; Driver: C:\DOCUME~1\ADAMSO~1\LOCALS~1\Temp\pxtoapow.sys


---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs amon.sys (Amon monitor/Eset )
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 Elkbd.sys (Intel Corporation)
AttachedDevice \FileSystem\Fastfat \Fat amon.sys (Amon monitor/Eset )

---- Threads - GMER 1.0.15 ----

Thread System [4:204] 89C68298

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x85 0x60 0x8A 0x7C ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xED 0xF2 0x8D 0x72 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x1F 0x67 0xE2 0x87 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41@khjeh 0xBC 0xB2 0xB8 0x33 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42@khjeh 0x73 0x27 0x56 0x38 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x85 0x60 0x8A 0x7C ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xED 0xF2 0x8D 0x72 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x1F 0x67 0xE2 0x87 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41@khjeh 0xBC 0xB2 0xB8 0x33 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42@khjeh 0x73 0x27 0x56 0x38 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x30 0xFE 0x74 0x85 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xED 0xF2 0x8D 0x72 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x77 0x9D 0x39 0xBA ...

---- EOF - GMER 1.0.15 ----

Thanks for all your help.

-Adam-
a4soccor
Regular Member
 
Posts: 15
Joined: March 15th, 2010, 9:01 pm

Re: sufohuwe.dll infection

Unread postby gringo_pr » March 16th, 2010, 5:42 pm

Hello

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

:P2P Warning!:

I must draw your attention to the >malwareremoval< policy regarding P2P programs. You must uninstall all P2P programs before I can continue with cleaning your computer.

remove the following programs:

µTorrent
Azureus Vuze


*NOTE* Take care when answering any questions posed by an uninstaller. Some questions may be worded to deceive you into keeping the program.

P2P programs form a direct conduit onto your computer; their security measures are easily circumvented, and malware writers are increasingly exploiting them to spread their wares onto your computer. Further to that, if your P2P program is not configured correctly, your computer may be sharing more files than you realise. There have been cases where people's passwords, address books and other personal, private, and financial details have been exposed to a file sharing network by a badly configured program.


If you continue to use P2P programs, we see no purpose in cleaning your machine as it is pretty much certain that, if you continue to use them, your computer will get infected again.

uninstall some programs

    1. click on start
    2. then go to settings
    3. after that you need control panel
    4. look for the icon add/remove programs
    click on the following programs

    µTorrent
    Ask Toolbar
    AutoUpdate
    Azureus Vuze
    Privacy Center


    and click on remove

:run combofix:

    Please visit this webpage for download links, and instructions for running the tool:

    http://www.bleepingcomputer.com/combofix/how-to-use-combofix

    Please ensure you read this guide carefully and install the Recovery Console first.

    The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode.
    This allows us to more easily help you should your computer have a problem after an attempted removal of malware.
    It is a simple procedure that will only take a few moments of your time.


    Once installed, you should see a blue screen prompt that says:

      The Recovery Console was successfully installed.
    Please continue as follows:

    • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
    • Click Yes to allow ComboFix to continue scanning for malware.

    When the tool is finished, it will produce a report for you.

    Please include the report in your next post:

    C:\ComboFix.txt

"information and logs"

    In your next post I need the following

    1. log from combofix
    2. let me know of any problems you may have had
    3. How is the computer doing now?

Gringo
gringo_pr
Site Moderator
 
Posts: 1817
Joined: March 31st, 2007, 1:35 pm
Location: puerto rico

Re: sufohuwe.dll infection

Unread postby a4soccor » March 16th, 2010, 7:17 pm

Hey, thanks for the fast replies. I removed the programs you asked me to, as well as running the Combofix application. The resulting log file is as follows:

ComboFix 10-03-16.03 - Adam Soccorsi 03/16/2010 19:01:29.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2558.2007 [GMT -4:00]
Running from: c:\documents and settings\Adam Soccorsi\Desktop\ComboFix.exe
AV: ESET NOD32 antivirus system 2.70 *On-access scanning enabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
c:\documents and settings\Adam Soccorsi\Application Data\avdrn.dat
c:\documents and settings\Adam Soccorsi\Application Data\inst.exe
c:\documents and settings\Adam Soccorsi\Cookies\aremidy.inf
c:\documents and settings\Adam Soccorsi\Cookies\foxyma.com
c:\documents and settings\Adam Soccorsi\Cookies\hyfalaf.vbs
c:\documents and settings\Adam Soccorsi\Cookies\iradezej.com
c:\documents and settings\Adam Soccorsi\Cookies\jyfize.com
c:\documents and settings\Adam Soccorsi\Cookies\kodozuji.inf
c:\documents and settings\Adam Soccorsi\Cookies\ninyce.dl
c:\documents and settings\Adam Soccorsi\Cookies\udinopu.reg
c:\documents and settings\Adam Soccorsi\Cookies\umepidy.com
c:\program files\Common Files\lulokumi.bat
c:\program files\Common Files\zolula.inf
C:\setup.exe
c:\windows\bodoju.inf
c:\windows\egupozolud.reg
c:\windows\gubicalod.dll
c:\windows\jestertb.dll
c:\windows\syri.vbs
c:\windows\system32\AutoRun.inf
c:\windows\system32\BReWErS.dll
c:\windows\system32\dukareyo.dll
c:\windows\system32\jajulaze.dll
c:\windows\system32\jinuwayi.dll
c:\windows\system32\kavumefe.dll
c:\windows\system32\keminazo.dll
c:\windows\system32\kofipulo.dll
c:\windows\system32\nusayuta.dll
c:\windows\system32\pimimoso.dll
c:\windows\system32\semasema.dll
c:\windows\system32\welatili.dll
c:\windows\system32\yejedotu.dll
c:\windows\system32\yhumixafoh.inf
c:\windows\system32\yotewari.dll
c:\windows\system32\ziwediya.dll
c:\windows\Temp\_ex-08.exe
E:\autorun.inf

-- Previous Run --

c:\windows\system32\mstsc.exe . . . is infected!!

--------

c:\windows\system32\mstsc.exe . . . is infected!!

.
((((((((((((((((((((((((( Files Created from 2010-02-16 to 2010-03-16 )))))))))))))))))))))))))))))))
.

2010-03-16 23:00 . 2010-03-16 23:00 -------- d-----w- c:\windows\LastGood
2010-03-04 23:41 . 2010-03-04 23:41 -------- d-----w- c:\documents and settings\Adam Soccorsi\Local Settings\Application Data\The Lord of the Rings Online
2010-02-22 04:15 . 2008-04-13 19:40 34688 ----a-w- c:\windows\system32\drivers\lbrtfdc.sys
2010-02-22 04:15 . 2008-04-13 19:40 34688 ----a-w- c:\windows\system32\dllcache\lbrtfdc.sys
2010-02-22 04:15 . 2008-04-13 19:40 8192 ----a-w- c:\windows\system32\drivers\changer.sys
2010-02-22 04:15 . 2008-04-13 19:40 8192 ----a-w- c:\windows\system32\dllcache\changer.sys
2010-02-22 04:15 . 2010-02-22 04:15 -------- d-----w- c:\documents and settings\All Users\Application Data\94383633
2010-02-22 04:15 . 2010-02-22 04:15 1036800 ----a-w- c:\documents and settings\All Users\Application Data\94383633\94383633.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-16 22:24 . 2007-12-16 20:25 -------- d-----w- c:\program files\Azureus
2010-03-16 22:22 . 2007-08-02 01:56 -------- d-----w- c:\program files\Common Files\Apple
2010-03-09 21:48 . 2007-03-05 23:44 -------- d-----w- c:\documents and settings\Adam Soccorsi\Application Data\gtk-2.0
2010-03-08 04:54 . 2007-03-05 21:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-03-07 04:45 . 2010-02-10 19:52 -------- d-----w- c:\documents and settings\Adam Soccorsi\Application Data\Bioshock2
2010-03-07 03:44 . 2009-10-03 15:29 -------- d-----w- c:\program files\Steam
2010-02-27 22:31 . 2008-09-06 15:52 -------- d-----w- c:\program files\MagicDVDCopier
2010-02-25 22:49 . 2009-09-13 21:00 -------- d-----w- c:\documents and settings\Adam Soccorsi\Application Data\Temp
2010-02-24 20:34 . 2009-12-21 23:14 -------- d-----w- c:\documents and settings\Adam Soccorsi\Application Data\runic games
2010-02-24 20:34 . 2009-12-21 22:42 -------- d-----w- c:\program files\Runic Games
2010-02-24 20:34 . 2010-01-12 03:08 -------- d-----w- c:\program files\Cryptic Studios
2010-02-22 04:15 . 2010-02-22 04:15 24 ----a-w- c:\documents and settings\Adam Soccorsi\Application Data\cqfyto.dat
2010-02-10 03:33 . 2005-08-17 02:58 -------- d-----w- c:\program files\RGB
2010-02-09 05:56 . 2006-12-21 00:53 -------- d-----w- c:\program files\Google
2010-01-24 05:34 . 2010-01-24 05:34 -------- d-----w- c:\program files\GCH Guitar academy
2010-01-22 00:09 . 2006-12-26 02:42 -------- d-----w- c:\documents and settings\Adam Soccorsi\Application Data\Skype
2010-01-05 10:00 . 2005-08-16 10:18 832512 ----a-w- c:\windows\system32\wininet.dll
2010-01-05 10:00 . 2005-08-16 10:18 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-01-05 10:00 . 2005-08-16 10:18 17408 ----a-w- c:\windows\system32\corpol.dll
2009-08-22 23:14 . 2009-08-22 23:14 19403 ----a-w- c:\program files\Common Files\esobika.sys
2009-08-22 23:11 . 2009-08-22 23:11 13876 ----a-w- c:\program files\Common Files\telofim.dat
1601-01-01 00:03 . 1601-01-01 00:03 69632 --sha-w- c:\windows\system32\divosewo.dll
1601-01-01 00:03 . 1601-01-01 00:03 69632 --sha-w- c:\windows\system32\kuwovogi.dll
1601-01-01 00:03 . 1601-01-01 00:03 100864 --sha-w- c:\windows\system32\lipegamu.dll
1601-01-01 00:03 . 1601-01-01 00:03 97280 --sha-w- c:\windows\system32\lozaguje.dll
1601-01-01 00:03 . 1601-01-01 00:03 56832 --sha-w- c:\windows\system32\mapuzivi.dll.tmp
1601-01-01 00:03 . 1601-01-01 00:03 70656 --sha-w- c:\windows\system32\royetuki.dll
1601-01-01 00:03 . 1601-01-01 00:03 100864 --sha-w- c:\windows\system32\sarepelo.dll
1601-01-01 00:03 . 1601-01-01 00:03 60928 --sha-w- c:\windows\system32\vetahadu.dll
1601-01-01 00:03 . 1601-01-01 00:03 56832 --sha-w- c:\windows\system32\wumadibu.dll.tmp
1601-01-01 00:03 . 1601-01-01 00:03 60928 --sha-w- c:\windows\system32\yirumuno.dll
1601-01-01 00:03 . 1601-01-01 00:03 97280 --sha-w- c:\windows\system32\yizimife.dll
1601-01-01 00:03 . 1601-01-01 00:03 56832 --sha-w- c:\windows\system32\zawawiza.dll.tmp
.

------- Sigcheck -------

[7] 2008-04-14 . 5F1D5F88303D4A4DBC8E5F97BA967CC3 . 15360 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\ctfmon.exe

c:\windows\System32\ctfmon.exe ... is missing !!
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{42763e8b-9915-4476-ba80-1ec31c37ed0b}]
1601-01-01 00:03 60928 --sha-w- c:\windows\system32\vetahadu.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Launch LGDCore"="c:\program files\Logitech\GamePanel Software\G-series Software\LGDCore.exe" [2007-07-18 2094352]
"Launch LCDMon"="c:\program files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe" [2007-07-17 1687824]
"DeathAdder"="c:\program files\Razer\DeathAdder\razerhid.exe" [2007-05-07 159744]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-06-10 13758464]

[HKLM\~\startupfolder\C:^Documents and Settings^Adam Soccorsi^Start Menu^Programs^Startup^hamachi.lnk]
path=c:\documents and settings\Adam Soccorsi\Start Menu\Programs\Startup\hamachi.lnk
backup=c:\windows\pss\hamachi.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Adam Soccorsi^Start Menu^Programs^Startup^ImpulseNow.lnk]
path=c:\documents and settings\Adam Soccorsi\Start Menu\Programs\Startup\ImpulseNow.lnk
backup=c:\windows\pss\ImpulseNow.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Adam Soccorsi^Start Menu^Programs^Startup^MagicDisc.lnk]
path=c:\documents and settings\Adam Soccorsi\Start Menu\Programs\Startup\MagicDisc.lnk
backup=c:\windows\pss\MagicDisc.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Adam Soccorsi^Start Menu^Programs^Startup^monnid32.exe]
path=c:\documents and settings\Adam Soccorsi\Start Menu\Programs\Startup\monnid32.exe
backup=c:\windows\pss\monnid32.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Adam Soccorsi^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=c:\documents and settings\Adam Soccorsi\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Adam Soccorsi^Start Menu^Programs^Startup^Xfire.lnk]
path=c:\documents and settings\Adam Soccorsi\Start Menu\Programs\Startup\Xfire.lnk
backup=c:\windows\pss\Xfire.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Extender Resource Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Extender Resource Monitor.lnk
backup=c:\windows\pss\Extender Resource Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UserFaultCheck]
c:\windows\system32\dumprep 0 -u [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\94383633]
2010-02-22 04:15 1036800 ----a-w- c:\docume~1\ALLUSE~1\APPLIC~1\94383633\94383633.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Conime]
2008-04-14 00:12 27648 ----a-w- c:\windows\system32\conime.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
c:\windows\system32\ctfmon.exe [BU]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
2008-01-17 16:51 486856 ----a-w- c:\program files\DAEMON Tools Lite\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DMXLauncher]
2005-10-05 09:12 94208 ----a-w- c:\program files\Dell\Media Experience\DMXLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
2005-09-29 20:01 67584 ----a-w- c:\windows\ehome\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EKIJ5000StatusMonitor]
2008-10-22 11:54 1310720 ----a-w- c:\windows\system32\spool\drivers\w32x86\3\EKIJ5000MUI.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2008-10-25 16:44 31072 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2007-03-12 01:34 49152 ----a-w- c:\program files\Hewlett-Packard\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IAAnotif]
2006-07-06 13:15 151552 ----a-w- c:\program files\Intel\Intel Matrix Storage Manager\IAAnotif.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
2004-07-27 22:50 221184 ----a-w- c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
2004-07-27 22:50 81920 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2009-11-12 21:33 141600 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nod32kui]
2008-09-29 19:14 949376 ----a-w- c:\program files\ESET\nod32kui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2009-06-10 12:28 13758464 ----a-w- c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
2009-06-10 12:28 86016 ----a-w- c:\windows\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
2009-06-10 12:29 1657376 ----a-w- c:\windows\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
2008-07-07 07:34 167936 ----a-w- c:\program files\PowerISO\PWRISOVM.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-11-11 04:08 417792 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
2006-07-24 16:20 282624 ----a-w- c:\windows\stsystra.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
2009-10-26 21:36 1217808 ----a-w- c:\program files\Steam\Steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2009-08-26 02:08 39408 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
2006-03-30 20:45 313472 ----a-r- c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
2007-10-10 05:28 36352 ----a-w- c:\program files\Winamp\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
2006-10-19 01:05 204288 ------w- c:\program files\Windows Media Player\wmpnscfg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"NBService"=3 (0x3)
"NMIndexingService"=3 (0x3)
"Bonjour Service"=2 (0x2)
"Apple Mobile Device"=2 (0x2)
"WMPNetworkSvc"=2 (0x2)
"Viewpoint Manager Service"=2 (0x2)
"ose"=3 (0x3)
"odserv"=3 (0x3)
"Microsoft Office Groove Audit Service"=3 (0x3)
"MDM"=2 (0x2)
"idsvc"=3 (0x3)
"IAANTMON"=2 (0x2)
"ELService"=2 (0x2)
"aawservice"=2 (0x2)
"PnkBstrA"=2 (0x2)
"gusvc"=2 (0x2)
"gupdate1ca25f239b5547e"=2 (0x2)
"WZCSVC"=2 (0x2)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager\appcertdlls]
comptrol REG_SZ c:\windows\system32\disketup.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
"\\\\D90K36B1\\SW_Galactic_Battlegrounds\\Game\\Battlegrounds.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Turbine\\The Lord of the Rings Online\\lotroclient.exe"=
"c:\\WINDOWS\\system32\\dplaysvr.exe"=
"c:\\Documents and Settings\\Adam Soccorsi\\Desktop\\My Stuff\\utorrent.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Stardock Games\\Sins of a Solar Empire\\Sins of a Solar Empire.exe"=
"c:\\Program Files\\Stardock Games\\Sins of a Solar Empire\\Sins of a Solar Empire Entrenchment.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\left 4 dead\\left4dead.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R1 nod32drv;nod32drv;c:\windows\system32\drivers\nod32drv.sys [9/27/2008 5:06 PM 15424]
R2 KodakSvc;Kodak AiO Device Service;c:\program files\Kodak\AiO\Center\KodakSvc.exe [12/1/2008 7:58 PM 28672]
R3 DAdderFltr;DeathAdder Mouse;c:\windows\system32\drivers\dadder.sys [1/17/2008 10:49 PM 10880]
S2 Kodak AiO Network Discovery Service;Kodak AiO Network Discovery Service;c:\program files\Kodak\AiO\Center\EKDiscovery.exe [10/10/2008 10:33 AM 274432]
S3 DAUpdaterSvc;Dragon Age: Origins - Content Updater;c:\program files\Dragon Age\bin_ship\daupdatersvc.service.exe [11/23/2009 9:03 PM 25832]
S4 gupdate1ca25f239b5547e;Google Update Service (gupdate1ca25f239b5547e);c:\program files\Google\Update\GoogleUpdate.exe [8/25/2009 10:09 PM 133104]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [2/3/2008 4:12 PM 716272]
S4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [8/1/2009 12:59 PM 24652]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
QWAVE REG_MULTI_SZ QWAVE
.
Contents of the 'Scheduled Tasks' folder

2010-03-16 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-08-26 02:08]

2010-03-16 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-08-26 02:09]

2010-03-16 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-08-26 02:09]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com
LSP: c:\windows\system32\imon.dll
FF - ProfilePath - c:\documents and settings\Adam Soccorsi\Application Data\Mozilla\Firefox\Profiles\b0ygk3a8.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - AIM Search
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/firefox
FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/sli ... 706&query=
FF - plugin: c:\documents and settings\Adam Soccorsi\Application Data\Mozilla\Firefox\Profiles\b0ygk3a8.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071303000004.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1691.8062\npCIDetect13.dll
FF - plugin: c:\program files\Google\Update\1.2.183.17\npGoogleOneClick8.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJPI150_06.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: dom.disable_open_during_load - false // Popupblocker control handled by McAfee Privacy Service
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - c:\program files\Ask.com\GenericAskToolbar.dll
HKLM-Run-ripohirev - c:\windows\system32\ziwediya.dll
HKLM-Run-goriwegipo - pimimoso.dll
SharedTaskScheduler-{e3215f1f-c683-445d-8666-1f2ec80fb9ac} - c:\windows\system32\ziwediya.dll
SSODL-rarilumof-{e3215f1f-c683-445d-8666-1f2ec80fb9ac} - c:\windows\system32\ziwediya.dll
Notify-WgaLogon - (no file)
MSConfigStartUp-Aim6 - c:\program files\AIM6\aim6.exe
MSConfigStartUp-BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA} - c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe
MSConfigStartUp-braviax - c:\windows\system32\braviax.exe
MSConfigStartUp-ccagent - c:\documents and settings\Adam Soccorsi\Application Data\Privacy Center\ccagent.exe
MSConfigStartUp-CTFMON - c:\windows\Temp\_ex-08.exe
MSConfigStartUp-DriverCure - c:\program files\ParetoLogic\DriverCure\DriverCure.exe
MSConfigStartUp-here - c:\docume~1\ADAMSO~1\LOCALS~1\Temp\53341here.exe
MSConfigStartUp-Malwarebytes Anti-Malware (reboot) - c:\program files\Malwarebytes' Anti-Malware\mbam.exe
MSConfigStartUp-MsnMsgr - c:\program files\MSN Messenger\MsnMsgr.Exe
MSConfigStartUp-NeroFilterCheck - c:\program files\Common Files\Ahead\Lib\NeroCheck.exe
MSConfigStartUp-PC Antispyware 2010 - c:\program files\PC_Antispyware2010\PC_Antispyware2010.exe
MSConfigStartUp-ripohirev - c:\windows\system32\sufohuwe.dll
MSConfigStartUp-SiteAdvisor - c:\program files\SiteAdvisor\6066\SiteAdv.exe
MSConfigStartUp-SpyHunter Security Suite - c:\program files\Enigma Software Group\SpyHunter\SpyHunter3.exe
MSConfigStartUp-TkBellExe - c:\program files\Common Files\Real\Update_OB\realsched.exe
MSConfigStartUp-ttool - c:\windows\9129837.exe
MSConfigStartUp-uTorrent - c:\program files\uTorrent\uTorrent.exe
AddRemove-Orb - c:\program files\Winamp Remote\uninstall.exe
AddRemove-SShockDeinstallKey - c:\sshock2\SShocku.log
AddRemove-{7B63B2922B174135AFC0E1377DD81EC2} - c:\program files\DivX\DivXCodecUninstall.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-16 19:08
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-3334565574-2233302197-4235952509-1006\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:74,c1,94,0f,b3,9e,43,42,53,10,7b,38,48,d1,4a,a2,1c,55,14,13,96,4e,b6,
45,66,fe,ed,82,a1,52,20,d0,9c,16,6c,4a,be,c4,6f,5a,d7,ea,86,3f,c5,ce,80,cc,\
"??"=hex:32,6d,17,bd,ce,bc,fe,c7,b0,58,a8,8f,4a,f8,bf,a3

[HKEY_USERS\S-1-5-21-3334565574-2233302197-4235952509-1006\Software\SecuROM\License information*]
"datasecu"=hex:75,fe,40,0e,a8,0d,46,9a,9a,28,c1,45,4b,d3,00,39,3b,ad,c4,0a,31,
ae,df,f1,6e,20,bf,dc,87,fe,ea,30,38,fa,35,dc,8d,7a,aa,36,42,b1,e2,37,49,91,\
"rkeysecu"=hex:7b,8e,a2,a8,44,1c,80,c2,21,43,0e,46,48,f0,df,8d
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(816)
c:\windows\system32\imon.dll

- - - - - - - > 'explorer.exe'(2448)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-03-16 19:11:15
ComboFix-quarantined-files.txt 2010-03-16 23:10

Pre-Run: 75,450,511,360 bytes free
Post-Run: 75,412,004,864 bytes free

- - End Of File - - BC6F80ABAD753D4E8A37A4749C614D9F
a4soccor
Regular Member
 
Posts: 15
Joined: March 15th, 2010, 9:01 pm

Re: sufohuwe.dll infection

Unread postby a4soccor » March 16th, 2010, 10:10 pm

Hi again,

After using my computer for a couple of hours I am no longer seeing the symptoms of my previous infection. If I experience any further infections I'll be sure to let you know. Thank you very much for all your help; you've been very helpful.

-Adam-
a4soccor
Regular Member
 
Posts: 15
Joined: March 15th, 2010, 9:01 pm

Re: sufohuwe.dll infection

Unread postby gringo_pr » March 17th, 2010, 12:10 am

Hello Adam

We are not done yet. Please stay with me until I say you are clean.

SystemLook:

Please download SystemLook from one of the links below and save it to your Desktop.

Download Mirror #1
Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
:filefind
*mstsc*

  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

:Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

http://malwareremoval.com/forum/viewtopic.php?f=11&t=50138&p=511981#p511981

Collect::
c:\documents and settings\Adam Soccorsi\Application Data\cqfyto.dat
c:\program files\Common Files\esobika.sys
c:\windows\system32\divosewo.dll
c:\windows\system32\kuwovogi.dll
c:\windows\system32\lipegamu.dll
c:\windows\system32\lozaguje.dll
c:\windows\system32\mapuzivi.dll.tmp
c:\windows\system32\royetuki.dll
c:\windows\system32\sarepelo.dll
c:\windows\system32\vetahadu.dll
c:\windows\system32\wumadibu.dll.tmp
c:\windows\system32\yirumuno.dll
c:\windows\system32\yizimife.dll
c:\windows\system32\zawawiza.dll.tmp
c:\docume~1\ALLUSE~1\APPLIC~1\94383633\94383633.exe
c:\program files\Common Files\telofim.dat
c:\windows\system32\disketup.dll

Registry::
[-HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager\appcertdlls]

Folder::
c:\documents and settings\All Users\Application Data\94383633
c:\program files\Azureus

FMove::
 c:\windows\ServicePackFiles\i386\ctfmon.exe | c:\windows\System32\ctfmon.exe


Save it to your desktop as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe
Image
This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouseclick ComboFix's window whilst it's running. That may cause it to stall.

NOTE**
  • When ComboFix finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will upload files to submit for analysis.
  • Ensure you are connected to the internet and click OK on the message box.

"information and logs"

    In your next post I need the following

    1. log from combofix
    2. let me know of any problems you may have had
    3. How is the computer doing now?

Gringo
gringo_pr
Site Moderator
 
Posts: 1817
Joined: March 31st, 2007, 1:35 pm
Location: puerto rico

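The point of the ":filefind *mstsc*" step above is to line up every copy of the Remote Desktop client on the disk and compare the live copy in system32 with the backups Windows keeps (ServicePackFiles, dllcache, the $Nt...$ uninstall folders). The Python script below is an added illustration of that comparison, not part of this thread or of SystemLook: it parses filefind lines in SystemLook's format, using five lines copied from the log posted later in the thread as sample input, and flags a live file whose size and modification time match a backup copy but whose MD5 does not; the list of backup directories is an assumption.

```python
import re
from collections import defaultdict

# Sample ":filefind" output. These five lines are copied from the SystemLook
# log posted later in this thread; they are sample input, not script output.
SAMPLE_LOG = r"""
C:\WINDOWS\ServicePackFiles\i386\lhmstsc.exe ------ 677888 bytes [21:15 26/08/2008] [00:12 14/04/2008] 8DD5CF6D82BD78433E95D86EFA117D67
C:\WINDOWS\ServicePackFiles\i386\lhmstscx.dll ------ 2061824 bytes [21:15 26/08/2008] [00:11 14/04/2008] ACD3B2A1BC785A8B9FBC70280E1D8663
C:\WINDOWS\system32\dllcache\mstscax.dll ------ 2066432 bytes [13:19 10/06/2009] [13:19 10/06/2009] 1556E21CAF3C187D3F3808F9C0612C4E
C:\WINDOWS\system32\mstsc.exe --a--- 677888 bytes [10:37 16/08/2005] [00:12 14/04/2008] A07532F1E519C6769C6AB031AC0471A5
C:\WINDOWS\system32\mstscax.dll --a--- 2066432 bytes [10:37 16/08/2005] [13:19 10/06/2009] 1556E21CAF3C187D3F3808F9C0612C4E
"""

# One SystemLook filefind line:
#   <path> <attrs> <size> bytes [<created>] [<modified>] <MD5>
LINE_RE = re.compile(
    r"^(?P<path>.+?) (?P<attrs>[-a-z]{6}) (?P<size>\d+) bytes "
    r"\[(?P<created>[^\]]+)\] \[(?P<modified>[^\]]+)\] (?P<md5>[0-9A-Fa-f]{32})$"
)

# Assumed locations where Windows XP keeps pristine copies of system files.
# Anything outside these (e.g. the live system32 copy) is treated as "live".
REFERENCE_DIRS = (
    "\\servicepackfiles\\",
    "\\dllcache\\",
    "\\$ntservicepackuninstall$\\",
    "\\$ntuninstall",
    "\\$hf_mig$\\",
    "\\softwaredistribution\\download\\",
    "c:\\i386\\",
)


def is_reference(path):
    """True if the path lies in one of the backup/install-source directories."""
    p = path.lower()
    return any(marker in p for marker in REFERENCE_DIRS)


def parse_filefind(text):
    """Parse filefind lines into dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        entry = m.groupdict()
        entry["size"] = int(entry["size"])
        entry["md5"] = entry["md5"].upper()
        entries.append(entry)
    return entries


def find_mismatches(entries):
    """Flag live files that share size and mtime with a backup copy but differ in MD5.

    A file infector that overwrites a system binary typically preserves the
    original size and timestamps, so identical (size, modified) with a
    different hash is a strong lead. It is a lead to confirm against a known
    clean hash, not proof on its own.
    Returns a list of (live_path, live_md5, sorted list of backup md5s).
    """
    backups = defaultdict(set)  # (size, modified) -> MD5s seen in backup copies
    for e in entries:
        if is_reference(e["path"]):
            backups[(e["size"], e["modified"])].add(e["md5"])

    findings = []
    for e in entries:
        if is_reference(e["path"]):
            continue
        key = (e["size"], e["modified"])
        if key in backups and e["md5"] not in backups[key]:
            findings.append((e["path"], e["md5"], sorted(backups[key])))
    return findings


if __name__ == "__main__":
    for path, live_md5, backup_md5s in find_mismatches(parse_filefind(SAMPLE_LOG)):
        print(f"SUSPECT {path}: live MD5 {live_md5}, backup MD5 {', '.join(backup_md5s)}")
```

On the sample lines only system32\mstsc.exe is reported (same size and mtime as the service-pack copy, different hash), while mstscax.dll matches its dllcache copy and is not; ComboFix reached the same conclusion in the log that follows.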
Re: sufohuwe.dll infection

Unread postby a4soccor » March 17th, 2010, 5:23 pm

Hi again, here is the information you requested. When I restarted my computer this morning I received a virus notification from NOD 32 about an infection from a virus with the word SuperJuan in the title.

SystemLook v1.0 by jpshortstuff (11.01.10)
Log created at 16:53 on 17/03/2010 by Adam Soccorsi (Administrator - Elevation successful)

========== filefind ==========

Searching for "*mstsc*"
C:\i386\mstsc.chm --a--- 67569 bytes [08:52 28/12/2006] [11:00 10/08/2004] 8068620487FBEA6C43F8A89034EC1767
C:\i386\mstsc.exe --a--- 407552 bytes [08:47 28/12/2006] [11:00 10/08/2004] 8148D865276C330ED47160728816BF12
C:\i386\mstscax.dll --a--- 655360 bytes [08:47 28/12/2006] [11:00 10/08/2004] B202B160C128CCB5265082A94EE01A6C
C:\WINDOWS\$hf_mig$\KB956744\SP2QFE\lhmstsc.exe --a--- 677888 bytes [23:43 23/11/2009] [09:12 09/06/2009] FF01FF8F5D0DC429DAC6BB5471E53382
C:\WINDOWS\$hf_mig$\KB956744\SP2QFE\lhmstsc.mui --a--- 49152 bytes [23:43 23/11/2009] [12:48 27/05/2009] 117807BD79ABAA3F17BA968F7FC3C9EA
C:\WINDOWS\$hf_mig$\KB956744\SP2QFE\lhmstscx.dll --a--- 2067968 bytes [23:43 23/11/2009] [14:53 09/06/2009] C20058158BE6E443C648F16AA22BCC08
C:\WINDOWS\$hf_mig$\KB956744\SP2QFE\lhmstscx.mui --a--- 86016 bytes [23:43 23/11/2009] [12:48 27/05/2009] 827DB7EEA823A2C8FF02EED550215704
C:\WINDOWS\$hf_mig$\KB956744\SP3GDR\lhmstscx.dll --a--- 2066432 bytes [14:19 10/06/2009] [14:19 10/06/2009] 1556E21CAF3C187D3F3808F9C0612C4E
C:\WINDOWS\$hf_mig$\KB956744\SP3QFE\lhmstscx.dll --a--- 2067968 bytes [18:08 11/08/2009] [15:21 09/06/2009] 36944FAEF57260BAAE0B4D120072B422
C:\WINDOWS\$NtServicePackUninstall$\mstsc.chm -----c 67569 bytes [01:44 22/09/2008] [11:00 10/08/2004] 8068620487FBEA6C43F8A89034EC1767
C:\WINDOWS\$NtServicePackUninstall$\mstsc.exe -----c 407552 bytes [01:44 22/09/2008] [11:00 10/08/2004] 8148D865276C330ED47160728816BF12
C:\WINDOWS\$NtServicePackUninstall$\mstscax.dll -----c 655360 bytes [01:44 22/09/2008] [11:00 10/08/2004] B202B160C128CCB5265082A94EE01A6C
C:\WINDOWS\$NtUninstallKB956744$\mstscax.dll -----c 2061824 bytes [07:03 12/08/2009] [00:11 14/04/2008] ACD3B2A1BC785A8B9FBC70280E1D8663
C:\WINDOWS\Help\mstsc.chm --a--- 101723 bytes [10:18 16/08/2005] [13:56 02/01/2007] 80EE04DBCC37C007B8D52CA9227F7998
C:\WINDOWS\ServicePackFiles\i386\lhmstsc.chm ------ 101723 bytes [21:15 26/08/2008] [13:56 02/01/2007] 80EE04DBCC37C007B8D52CA9227F7998
C:\WINDOWS\ServicePackFiles\i386\lhmstsc.exe ------ 677888 bytes [21:15 26/08/2008] [00:12 14/04/2008] 8DD5CF6D82BD78433E95D86EFA117D67
C:\WINDOWS\ServicePackFiles\i386\lhmstsc.mui ------ 49152 bytes [21:15 26/08/2008] [14:57 25/01/2008] 563CDF9F8C3647E74E8BBDD02290690F
C:\WINDOWS\ServicePackFiles\i386\lhmstscx.dll ------ 2061824 bytes [21:15 26/08/2008] [00:11 14/04/2008] ACD3B2A1BC785A8B9FBC70280E1D8663
C:\WINDOWS\ServicePackFiles\i386\lhmstscx.mui ------ 86016 bytes [21:15 26/08/2008] [14:57 25/01/2008] C23AD419533F95EF50AA00FBFEC5965E
C:\WINDOWS\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\lhmstsc.exe --a--- 677888 bytes [09:59 24/11/2009] [00:12 14/04/2008] 8DD5CF6D82BD78433E95D86EFA117D67
C:\WINDOWS\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\lhmstscx.dll --a--- 2061824 bytes [09:59 24/11/2009] [00:11 14/04/2008] ACD3B2A1BC785A8B9FBC70280E1D8663
C:\WINDOWS\SoftwareDistribution\Download\9cf59263a134ab3fbbee78365a2fa5fc\SP2GDR\lhmstscx.dll --a--- 1871872 bytes [12:45 08/03/2010] [15:06 09/06/2009] B2B61994124628FFE899BE03DB0B8C61
C:\WINDOWS\SoftwareDistribution\Download\9cf59263a134ab3fbbee78365a2fa5fc\SP2QFE\lhmstsc.exe --a--- 677888 bytes [12:45 08/03/2010] [09:12 09/06/2009] FF01FF8F5D0DC429DAC6BB5471E53382
C:\WINDOWS\SoftwareDistribution\Download\9cf59263a134ab3fbbee78365a2fa5fc\SP2QFE\lhmstsc.mui --a--- 49152 bytes [12:45 08/03/2010] [12:48 27/05/2009] 117807BD79ABAA3F17BA968F7FC3C9EA
C:\WINDOWS\SoftwareDistribution\Download\9cf59263a134ab3fbbee78365a2fa5fc\SP2QFE\lhmstscx.dll --a--- 2067968 bytes [12:45 08/03/2010] [14:53 09/06/2009] C20058158BE6E443C648F16AA22BCC08
C:\WINDOWS\SoftwareDistribution\Download\9cf59263a134ab3fbbee78365a2fa5fc\SP2QFE\lhmstscx.mui --a--- 86016 bytes [12:45 08/03/2010] [12:48 27/05/2009] 827DB7EEA823A2C8FF02EED550215704
C:\WINDOWS\SoftwareDistribution\Download\9cf59263a134ab3fbbee78365a2fa5fc\SP3GDR\lhmstscx.dll --a--- 2066432 bytes [14:19 10/06/2009] [14:19 10/06/2009] 1556E21CAF3C187D3F3808F9C0612C4E
C:\WINDOWS\SoftwareDistribution\Download\9cf59263a134ab3fbbee78365a2fa5fc\SP3QFE\lhmstscx.dll --a--- 2067968 bytes [12:45 08/03/2010] [15:21 09/06/2009] 36944FAEF57260BAAE0B4D120072B422
C:\WINDOWS\system32\dllcache\mstscax.dll ------ 2066432 bytes [13:19 10/06/2009] [13:19 10/06/2009] 1556E21CAF3C187D3F3808F9C0612C4E
C:\WINDOWS\system32\en-US\mstsc.exe.mui ------ 49152 bytes [21:15 26/08/2008] [14:57 25/01/2008] 563CDF9F8C3647E74E8BBDD02290690F
C:\WINDOWS\system32\en-US\mstscax.dll.mui ------ 86016 bytes [21:15 26/08/2008] [14:57 25/01/2008] C23AD419533F95EF50AA00FBFEC5965E
C:\WINDOWS\system32\mstsc.exe --a--- 677888 bytes [10:37 16/08/2005] [00:12 14/04/2008] A07532F1E519C6769C6AB031AC0471A5
C:\WINDOWS\system32\mstscax.dll --a--- 2066432 bytes [10:37 16/08/2005] [13:19 10/06/2009] 1556E21CAF3C187D3F3808F9C0612C4E

-=End Of File=-

ComboFix 10-03-16.03 - Adam Soccorsi 03/17/2010 17:00:45.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2558.1963 [GMT -4:00]
Running from: c:\documents and settings\Adam Soccorsi\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Adam Soccorsi\Desktop\CFScript.txt
AV: ESET NOD32 antivirus system 2.70 *On-access scanning enabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
* Resident AV is active


file zipped: c:\docume~1\ALLUSE~1\APPLIC~1\94383633\94383633.exe
file zipped: c:\program files\Common Files\esobika.sys
file zipped: c:\program files\Common Files\telofim.dat
file zipped: c:\windows\system32\divosewo.dll
file zipped: c:\windows\system32\kuwovogi.dll
file zipped: c:\windows\system32\lipegamu.dll
file zipped: c:\windows\system32\lozaguje.dll
file zipped: c:\windows\system32\mapuzivi.dll.tmp
file zipped: c:\windows\system32\royetuki.dll
file zipped: c:\windows\system32\sarepelo.dll
file zipped: c:\windows\system32\vetahadu.dll
file zipped: c:\windows\system32\wumadibu.dll.tmp
file zipped: c:\windows\system32\yirumuno.dll
file zipped: c:\windows\system32\yizimife.dll
file zipped: c:\windows\system32\zawawiza.dll.tmp
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\ALLUSE~1\APPLIC~1\94383633\94383633.exe
c:\documents and settings\All Users\Application Data\94383633
c:\documents and settings\All Users\Application Data\94383633\94383633.exe
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\program files\Azureus
c:\program files\Azureus\hs_err_pid3056.log
c:\program files\Azureus\plugins\azemp\azemp_1.9.11.jar
c:\program files\Azureus\plugins\azemp\azemp_1.9.11.zip
c:\program files\Azureus\plugins\azemp\azemp_1.9.6.jar
c:\program files\Azureus\plugins\azemp\azemp_1.9.6.zip
c:\program files\Azureus\plugins\azemp\azemp_2.0.14.jar
c:\program files\Azureus\plugins\azemp\azemp_2.0.14.zip
c:\program files\Azureus\plugins\azemp\azemp_2.0.16.jar
c:\program files\Azureus\plugins\azemp\azemp_2.0.16.zip
c:\program files\Azureus\plugins\azemp\azemp_2.0.28.jar
c:\program files\Azureus\plugins\azemp\azemp_2.0.28.zip
c:\program files\Azureus\plugins\azemp\azemp_2.0.30.jar
c:\program files\Azureus\plugins\azemp\azemp_2.0.30.zip
c:\program files\Azureus\plugins\azemp\azemp_2.0.32.jar
c:\program files\Azureus\plugins\azemp\azemp_2.0.32.zip
c:\program files\Azureus\plugins\azemp\azemp_2.0.34.jar
c:\program files\Azureus\plugins\azemp\azemp_2.0.34.zip
c:\program files\Azureus\plugins\azemp\azemp_2.1.02.jar
c:\program files\Azureus\plugins\azemp\azemp_2.1.02.zip
c:\program files\Azureus\plugins\azemp\azmplay.exe.bak
c:\program files\Azureus\plugins\azemp\cp1250-a.raw.bak
c:\program files\Azureus\plugins\azemp\cp1250-b.raw.bak
c:\program files\Azureus\plugins\azemp\font.desc.bak
c:\program files\Azureus\plugins\azemp\libInfoGetter.dll
c:\program files\Azureus\plugins\azemp\mplayer\config
c:\program files\Azureus\plugins\azemp\osd-mplayer-a.raw.bak
c:\program files\Azureus\plugins\azemp\osd-mplayer-b.raw.bak
c:\program files\Azureus\plugins\azemp\plugin.properties_1.9.11
c:\program files\Azureus\plugins\azemp\plugin.properties_1.9.6
c:\program files\Azureus\plugins\azemp\plugin.properties_2.0.14
c:\program files\Azureus\plugins\azemp\plugin.properties_2.0.16
c:\program files\Azureus\plugins\azemp\plugin.properties_2.0.28
c:\program files\Azureus\plugins\azemp\plugin.properties_2.0.30
c:\program files\Azureus\plugins\azemp\plugin.properties_2.0.32
c:\program files\Azureus\plugins\azemp\plugin.properties_2.0.34
c:\program files\Azureus\plugins\azemp\plugin.properties_2.1.02
c:\program files\Azureus\plugins\azupdater\azupdater_1.8.12.zip
c:\program files\Azureus\plugins\azupdater\azupdater_1.8.8.zip
c:\program files\Azureus\plugins\azupdater\azupdaterpatcher_1.8.12.jar
c:\program files\Azureus\plugins\azupdater\azupdaterpatcher_1.8.8.jar
c:\program files\Azureus\plugins\azupdater\Azureus2_4.2.0.4_P4.pax
c:\program files\Azureus\plugins\azupdater\plugin.properties_1.8.12
c:\program files\Azureus\plugins\azupdater\plugin.properties_1.8.8
c:\program files\Azureus\plugins\azupdater\Updater.jar.bak
c:\program files\Azureus\plugins\azupnpav\azupnpav_0.2.1.jar
c:\program files\Azureus\plugins\azupnpav\azupnpav_0.2.1.zip
c:\program files\Azureus\plugins\azupnpav\azupnpav_0.2.17.jar
c:\program files\Azureus\plugins\azupnpav\azupnpav_0.2.17.zip
c:\program files\Azureus\plugins\azupnpav\azupnpav_0.2.2.jar
c:\program files\Azureus\plugins\azupnpav\azupnpav_0.2.2.zip
c:\program files\Azureus\plugins\azupnpav\azupnpav_0.2.21.jar
c:\program files\Azureus\plugins\azupnpav\azupnpav_0.2.21.zip
c:\program files\Azureus\plugins\azupnpav\azupnpav_0.2.5.jar
c:\program files\Azureus\plugins\azupnpav\azupnpav_0.2.5.zip
c:\program files\Azureus\plugins\azupnpav\plugin.properties_0.2.1
c:\program files\Azureus\plugins\azupnpav\plugin.properties_0.2.17
c:\program files\Azureus\plugins\azupnpav\plugin.properties_0.2.2
c:\program files\Azureus\plugins\azupnpav\plugin.properties_0.2.21
c:\program files\Azureus\plugins\azupnpav\plugin.properties_0.2.5
c:\program files\Common Files\esobika.sys
c:\program files\Common Files\telofim.dat
c:\windows\system32\dakabedu.dll
c:\windows\system32\divosewo.dll
c:\windows\system32\kuwovogi.dll
c:\windows\system32\lipegamu.dll
c:\windows\system32\lozaguje.dll
c:\windows\system32\mapuzivi.dll.tmp
c:\windows\system32\pikumivu.dll
c:\windows\system32\roboyove.dll
c:\windows\system32\royetuki.dll
c:\windows\system32\sarepelo.dll
c:\windows\system32\vetahadu.dll
c:\windows\system32\wumadibu.dll.tmp
c:\windows\system32\yirumuno.dll
c:\windows\system32\yizimife.dll
c:\windows\system32\zawawiza.dll.tmp
c:\windows\system32\zehigipu.dll

----- BITS: Possible infected sites -----

hxxp://82.98.235.138
c:\windows\system32\mstsc.exe . . . is infected!!

.
--------------- FMove ---------------

c:\windows\ServicePackFiles\i386\ctfmon.exe --> c:\windows\System32\ctfmon.exe
.
((((((((((((((((((((((((( Files Created from 2010-02-17 to 2010-03-17 )))))))))))))))))))))))))))))))
.

2010-03-17 21:00 . 2008-04-14 00:12 15360 ----a-w- c:\windows\system32\dllcache\ctfmon.exe
2010-03-17 21:00 . 2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe
2010-03-04 23:41 . 2010-03-04 23:41 -------- d-----w- c:\documents and settings\Adam Soccorsi\Local Settings\Application Data\The Lord of the Rings Online
2010-02-22 04:15 . 2008-04-13 19:40 34688 ----a-w- c:\windows\system32\drivers\lbrtfdc.sys
2010-02-22 04:15 . 2008-04-13 19:40 34688 ----a-w- c:\windows\system32\dllcache\lbrtfdc.sys
2010-02-22 04:15 . 2008-04-13 19:40 8192 ----a-w- c:\windows\system32\drivers\changer.sys
2010-02-22 04:15 . 2008-04-13 19:40 8192 ----a-w- c:\windows\system32\dllcache\changer.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-16 22:22 . 2007-08-02 01:56 -------- d-----w- c:\program files\Common Files\Apple
2010-03-09 21:48 . 2007-03-05 23:44 -------- d-----w- c:\documents and settings\Adam Soccorsi\Application Data\gtk-2.0
2010-03-08 04:54 . 2007-03-05 21:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-03-07 04:45 . 2010-02-10 19:52 -------- d-----w- c:\documents and settings\Adam Soccorsi\Application Data\Bioshock2
2010-03-07 03:44 . 2009-10-03 15:29 -------- d-----w- c:\program files\Steam
2010-02-27 22:31 . 2008-09-06 15:52 -------- d-----w- c:\program files\MagicDVDCopier
2010-02-25 22:49 . 2009-09-13 21:00 -------- d-----w- c:\documents and settings\Adam Soccorsi\Application Data\Temp
2010-02-24 20:34 . 2009-12-21 23:14 -------- d-----w- c:\documents and settings\Adam Soccorsi\Application Data\runic games
2010-02-24 20:34 . 2009-12-21 22:42 -------- d-----w- c:\program files\Runic Games
2010-02-24 20:34 . 2010-01-12 03:08 -------- d-----w- c:\program files\Cryptic Studios
2010-02-22 04:15 . 2010-02-22 04:15 24 ----a-w- c:\documents and settings\Adam Soccorsi\Application Data\cqfyto.dat
2010-02-10 03:33 . 2005-08-17 02:58 -------- d-----w- c:\program files\RGB
2010-02-09 05:56 . 2006-12-21 00:53 -------- d-----w- c:\program files\Google
2010-01-24 05:34 . 2010-01-24 05:34 -------- d-----w- c:\program files\GCH Guitar academy
2010-01-22 00:09 . 2006-12-26 02:42 -------- d-----w- c:\documents and settings\Adam Soccorsi\Application Data\Skype
2010-01-05 10:00 . 2005-08-16 10:18 832512 ------w- c:\windows\system32\wininet.dll
2010-01-05 10:00 . 2005-08-16 10:18 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-01-05 10:00 . 2005-08-16 10:18 17408 ----a-w- c:\windows\system32\corpol.dll
1601-01-01 00:03 . 1601-01-01 00:03 101376 --sha-w- c:\windows\system32\hazetosi.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Launch LGDCore"="c:\program files\Logitech\GamePanel Software\G-series Software\LGDCore.exe" [2007-07-18 2094352]
"Launch LCDMon"="c:\program files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe" [2007-07-17 1687824]
"DeathAdder"="c:\program files\Razer\DeathAdder\razerhid.exe" [2007-05-07 159744]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-06-10 13758464]
"goriwegipo"="pimimoso.dll" [BU]
"ripohirev"="c:\windows\system32\pikumivu.dll" [BU]

[HKLM\~\startupfolder\C:^Documents and Settings^Adam Soccorsi^Start Menu^Programs^Startup^hamachi.lnk]
path=c:\documents and settings\Adam Soccorsi\Start Menu\Programs\Startup\hamachi.lnk
backup=c:\windows\pss\hamachi.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Adam Soccorsi^Start Menu^Programs^Startup^ImpulseNow.lnk]
path=c:\documents and settings\Adam Soccorsi\Start Menu\Programs\Startup\ImpulseNow.lnk
backup=c:\windows\pss\ImpulseNow.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Adam Soccorsi^Start Menu^Programs^Startup^MagicDisc.lnk]
path=c:\documents and settings\Adam Soccorsi\Start Menu\Programs\Startup\MagicDisc.lnk
backup=c:\windows\pss\MagicDisc.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Adam Soccorsi^Start Menu^Programs^Startup^monnid32.exe]
path=c:\documents and settings\Adam Soccorsi\Start Menu\Programs\Startup\monnid32.exe
backup=c:\windows\pss\monnid32.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Adam Soccorsi^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=c:\documents and settings\Adam Soccorsi\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Adam Soccorsi^Start Menu^Programs^Startup^Xfire.lnk]
path=c:\documents and settings\Adam Soccorsi\Start Menu\Programs\Startup\Xfire.lnk
backup=c:\windows\pss\Xfire.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Extender Resource Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Extender Resource Monitor.lnk
backup=c:\windows\pss\Extender Resource Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UserFaultCheck]
c:\windows\system32\dumprep 0 -u [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Conime]
2008-04-14 00:12 27648 ----a-w- c:\windows\system32\conime.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ------w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
2008-01-17 16:51 486856 ----a-w- c:\program files\DAEMON Tools Lite\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DMXLauncher]
2005-10-05 09:12 94208 ----a-w- c:\program files\Dell\Media Experience\DMXLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
2005-09-29 20:01 67584 ----a-w- c:\windows\ehome\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EKIJ5000StatusMonitor]
2008-10-22 11:54 1310720 ----a-w- c:\windows\system32\spool\drivers\w32x86\3\EKIJ5000MUI.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2008-10-25 16:44 31072 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2007-03-12 01:34 49152 ----a-w- c:\program files\Hewlett-Packard\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IAAnotif]
2006-07-06 13:15 151552 ----a-w- c:\program files\Intel\Intel Matrix Storage Manager\IAAnotif.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
2004-07-27 22:50 221184 ----a-w- c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
2004-07-27 22:50 81920 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2009-11-12 21:33 141600 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nod32kui]
2008-09-29 19:14 949376 ----a-w- c:\program files\ESET\nod32kui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2009-06-10 12:28 13758464 ----a-w- c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
2009-06-10 12:28 86016 ----a-w- c:\windows\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
2009-06-10 12:29 1657376 ----a-w- c:\windows\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
2008-07-07 07:34 167936 ----a-w- c:\program files\PowerISO\PWRISOVM.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-11-11 04:08 417792 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
2006-07-24 16:20 282624 ----a-w- c:\windows\stsystra.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
2009-10-26 21:36 1217808 ----a-w- c:\program files\Steam\Steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2009-08-26 02:08 39408 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
2006-03-30 20:45 313472 ----a-r- c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
2007-10-10 05:28 36352 ----a-w- c:\program files\Winamp\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
2006-10-19 01:05 204288 ------w- c:\program files\Windows Media Player\wmpnscfg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"NBService"=3 (0x3)
"NMIndexingService"=3 (0x3)
"Bonjour Service"=2 (0x2)
"Apple Mobile Device"=2 (0x2)
"WMPNetworkSvc"=2 (0x2)
"Viewpoint Manager Service"=2 (0x2)
"ose"=3 (0x3)
"odserv"=3 (0x3)
"Microsoft Office Groove Audit Service"=3 (0x3)
"MDM"=2 (0x2)
"idsvc"=3 (0x3)
"IAANTMON"=2 (0x2)
"ELService"=2 (0x2)
"aawservice"=2 (0x2)
"PnkBstrA"=2 (0x2)
"gusvc"=2 (0x2)
"gupdate1ca25f239b5547e"=2 (0x2)
"WZCSVC"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
"\\\\D90K36B1\\SW_Galactic_Battlegrounds\\Game\\Battlegrounds.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Turbine\\The Lord of the Rings Online\\lotroclient.exe"=
"c:\\WINDOWS\\system32\\dplaysvr.exe"=
"c:\\Documents and Settings\\Adam Soccorsi\\Desktop\\My Stuff\\utorrent.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Stardock Games\\Sins of a Solar Empire\\Sins of a Solar Empire.exe"=
"c:\\Program Files\\Stardock Games\\Sins of a Solar Empire\\Sins of a Solar Empire Entrenchment.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\left 4 dead\\left4dead.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Razer\\DeathAdder\\razertra.exe"=

R1 nod32drv;nod32drv;c:\windows\system32\drivers\nod32drv.sys [9/27/2008 5:06 PM 15424]
R2 KodakSvc;Kodak AiO Device Service;c:\program files\Kodak\AiO\Center\KodakSvc.exe [12/1/2008 7:58 PM 28672]
R3 DAdderFltr;DeathAdder Mouse;c:\windows\system32\drivers\dadder.sys [1/17/2008 10:49 PM 10880]
S2 Kodak AiO Network Discovery Service;Kodak AiO Network Discovery Service;c:\program files\Kodak\AiO\Center\EKDiscovery.exe [10/10/2008 10:33 AM 274432]
S3 DAUpdaterSvc;Dragon Age: Origins - Content Updater;c:\program files\Dragon Age\bin_ship\daupdatersvc.service.exe [11/23/2009 9:03 PM 25832]
S4 gupdate1ca25f239b5547e;Google Update Service (gupdate1ca25f239b5547e);c:\program files\Google\Update\GoogleUpdate.exe [8/25/2009 10:09 PM 133104]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [2/3/2008 4:12 PM 716272]
S4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [8/1/2009 12:59 PM 24652]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
QWAVE REG_MULTI_SZ QWAVE
.
Contents of the 'Scheduled Tasks' folder

2010-03-17 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-08-26 02:08]

2010-03-17 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-08-26 02:09]

2010-03-17 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-08-26 02:09]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com
LSP: c:\windows\system32\imon.dll
FF - ProfilePath - c:\documents and settings\Adam Soccorsi\Application Data\Mozilla\Firefox\Profiles\b0ygk3a8.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - AIM Search
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/firefox
FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/sli ... 706&query=
FF - plugin: c:\documents and settings\Adam Soccorsi\Application Data\Mozilla\Firefox\Profiles\b0ygk3a8.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071303000004.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1691.8062\npCIDetect13.dll
FF - plugin: c:\program files\Google\Update\1.2.183.17\npGoogleOneClick8.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJPI150_06.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: dom.disable_open_during_load - false // Popupblocker control handled by McAfee Privacy Service
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.
- - - - ORPHANS REMOVED - - - -

BHO-{42763e8b-9915-4476-ba80-1ec31c37ed0b} - vetahadu.dll
SharedTaskScheduler-{7437b146-d727-45a1-b58c-7879ef803336} - c:\windows\system32\pikumivu.dll
SSODL-zuhubudab-{7437b146-d727-45a1-b58c-7879ef803336} - c:\windows\system32\pikumivu.dll
MSConfigStartUp-94383633 - c:\docume~1\ALLUSE~1\APPLIC~1\94383633\94383633.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-17 17:07
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-3334565574-2233302197-4235952509-1006\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:74,c1,94,0f,b3,9e,43,42,53,10,7b,38,48,d1,4a,a2,1c,55,14,13,96,4e,b6,
45,66,fe,ed,82,a1,52,20,d0,9c,16,6c,4a,be,c4,6f,5a,d7,ea,86,3f,c5,ce,80,cc,\
"??"=hex:32,6d,17,bd,ce,bc,fe,c7,b0,58,a8,8f,4a,f8,bf,a3

[HKEY_USERS\S-1-5-21-3334565574-2233302197-4235952509-1006\Software\SecuROM\License information*]
"datasecu"=hex:75,fe,40,0e,a8,0d,46,9a,9a,28,c1,45,4b,d3,00,39,3b,ad,c4,0a,31,
ae,df,f1,6e,20,bf,dc,87,fe,ea,30,38,fa,35,dc,8d,7a,aa,36,42,b1,e2,37,49,91,\
"rkeysecu"=hex:7b,8e,a2,a8,44,1c,80,c2,21,43,0e,46,48,f0,df,8d
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(812)
c:\windows\system32\imon.dll

- - - - - - - > 'explorer.exe'(1600)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvsvc32.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\program files\Google\Update\1.2.183.17\GoogleCrashHandler.exe
c:\program files\Eset\nod32krn.exe
c:\windows\ehome\RMSvc.exe
c:\windows\ehome\McrdSvc.exe
c:\windows\system32\dllhost.exe
c:\program files\Logitech\GamePanel Software\LCD Manager\Applets\LCDClock.exe
c:\program files\Logitech\GamePanel Software\LCD Manager\Applets\LCDCountdown.exe
c:\program files\Razer\DeathAdder\razertra.exe
c:\program files\Razer\DeathAdder\razerofa.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2010-03-17 17:17:47 - machine was rebooted
ComboFix-quarantined-files.txt 2010-03-17 21:17
ComboFix2.txt 2010-03-16 23:11

Pre-Run: 75,498,848,256 bytes free
Post-Run: 75,462,537,216 bytes free

- - End Of File - - 61D4BE82F729D405CB403737AB973971

Thanks,

-Adam-
a4soccor
Regular Member
 
Posts: 15
Joined: March 15th, 2010, 9:01 pm

Re: sufohuwe.dll infection

Unread postby gringo_pr » March 18th, 2010, 7:02 am

Hello

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.


extra combofix report

I need to see one of the extra reports combofix makes

  • push the "windows key" + "R" (between the "Ctrl" button and "Alt" Button)
  • please copy and paste the following into the box
Code:
C:\Qoobox\ComboFix-quarantined-files.txt

  • click ok
  • copy and paste the report into this topic for me to review


:Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

Code:
FCopy::
C:\i386\mstsc.exe | c:\windows\system32\mstsc.exe

File::
c:\windows\system32\hazetosi.dll

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"goriwegipo"=-
"ripohirev"=-


Save it to your desktop as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe
This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouseclick ComboFix's window whilst it's running. That may cause it to stall.


: Malwarebytes' Anti-Malware :

    Please download Malwarebytes' Anti-Malware to your desktop.

  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to
    • Update Malwarebytes' Anti-Malware
    • and Launch Malwarebytes' Anti-Malware
  • then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is Checked (ticked) except items in the C:\System Volume Information folder and click on Remove Selected.
  • When completed, a log will open in Notepad. Please copy and paste the log into your next reply.
    • If you accidentally close it, the log file is saved here and will be named like this:
    • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.


"information and logs"

    In your next post I need the following

    1. extra log from combofix
    2. log from combofix
    3. log from MBAM
    4. let me know of any problems you may have had
    5. How is the computer doing now?

Gringo
gringo_pr
Site Moderator
 
Posts: 1817
Joined: March 31st, 2007, 1:35 pm
Location: puerto rico
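As an added example (not the moderator's tool and not part of ComboFix), the triage step behind the CFScript above can be scripted: read the Run entries from the "Reg Loading Points" section of a ComboFix log, flag values that ComboFix did not annotate with a date and size (here the two [BU] entries the script removes) or that name a bare file with no path, emit the matching Registry:: block with the "name"=- deletion syntax, and report the disabled firewall policy. The sample log fragment is constructed from lines posted earlier in this thread; the helper names and the flagging rules are this example's own.

```python
import re
from dataclasses import dataclass

# Constructed sample: a fragment of the "Reg Loading Points" section of the ComboFix
# log posted in this thread (Run entries plus the firewall policy key).
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Launch LGDCore"="c:\program files\Logitech\GamePanel Software\G-series Software\LGDCore.exe" [2007-07-18 2094352]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-06-10 13758464]
"goriwegipo"="pimimoso.dll" [BU]
"ripohirev"="c:\windows\system32\pikumivu.dll" [BU]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"""

# One "name"="value" [tag] line as ComboFix prints it; the bracketed tag is optional.
ENTRY_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<value>[^"]*)"(?:\s+\[(?P<tag>[^\]]*)\])?\s*$')
# A normal ComboFix tag is "YYYY-MM-DD size" (file modification date and byte size).
NORMAL_TAG_RE = re.compile(r"\d{4}-\d{2}-\d{2} \d+")


@dataclass
class RunEntry:
    section: str   # registry key as printed by ComboFix, without the brackets
    name: str      # value name under the Run key
    value: str     # command or module the value points at
    tag: str       # ComboFix annotation, e.g. "2009-06-10 13758464" or "BU"
    reasons: list  # why this entry was flagged


def parse_sections(text):
    """Split a ComboFix log into {key header: [non-empty lines under that header]}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, [])
        elif current is not None and line:
            sections[current].append(line)
    return sections


def suspicious_run_entries(text):
    """Return Run-key entries lacking a date/size tag or pointing at a bare file name."""
    flagged = []
    for header, lines in parse_sections(text).items():
        if not header.lower().endswith(r"\currentversion\run"):
            continue
        for line in lines:
            m = ENTRY_RE.match(line)
            if not m:
                continue
            tag = m.group("tag") or ""
            reasons = []
            if not NORMAL_TAG_RE.fullmatch(tag):
                reasons.append(f"ComboFix tag [{tag}] instead of a date and size")
            if "\\" not in m.group("value"):
                reasons.append("value is a bare file name with no path")
            if reasons:
                flagged.append(RunEntry(header, m.group("name"), m.group("value"), tag, reasons))
    return flagged


def build_cfscript(entries):
    """Emit the Registry:: block of a CFScript that deletes the flagged values ("name"=-)."""
    lines = ["Registry::"]
    for header in dict.fromkeys(e.section for e in entries):
        lines.append(f"[{header}]")
        lines.extend(f'"{e.name}"=-' for e in entries if e.section == header)
    return "\n".join(lines) + "\n"


def firewall_disabled(text):
    """True when the standard-profile firewall policy in the log reads EnableFirewall = 0."""
    for header, lines in parse_sections(text).items():
        if header.lower().endswith(r"firewallpolicy\standardprofile"):
            return any(re.match(r'^"EnableFirewall"\s*=\s*0\b', l) for l in lines)
    return False


if __name__ == "__main__":
    hits = suspicious_run_entries(SAMPLE_LOG)
    for e in hits:
        print(f'{e.name} -> {e.value}: {"; ".join(e.reasons)}')
    print(build_cfscript(hits))
    if firewall_disabled(SAMPLE_LOG):
        print("Windows Firewall is disabled for the standard profile")
```

The emitted block matches the Registry:: section of the moderator's CFScript line for line; the flagging rules are a starting point for review, not a verdict on any entry.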

Re: sufohuwe.dll infection

Unread postby a4soccor » March 18th, 2010, 8:38 pm

ComboFix 10-03-16.03 - Adam Soccorsi 03/18/2010 20:29:40.5.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2558.1998 [GMT -4:00]
Running from: c:\documents and settings\Adam Soccorsi\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Adam Soccorsi\Desktop\CFScript.txt
AV: ESET NOD32 antivirus system 2.70 *On-access scanning enabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
* Resident AV is active


FILE ::
"c:\windows\system32\hazetosi.dll"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
--------------- FCopy ---------------

c:\i386\mstsc.exe --> c:\windows\system32\mstsc.exe
.
((((((((((((((((((((((((( Files Created from 2010-02-19 to 2010-03-19 )))))))))))))))))))))))))))))))
.

2010-03-17 21:14 . 2010-03-18 11:21 -------- d-----w- c:\windows\LastGood
2010-03-17 21:00 . 2008-04-14 00:12 15360 ----a-w- c:\windows\system32\dllcache\ctfmon.exe
2010-03-17 21:00 . 2008-04-14 00:12 15360 ------w- c:\windows\system32\ctfmon.exe
2010-03-04 23:41 . 2010-03-04 23:41 -------- d-----w- c:\documents and settings\Adam Soccorsi\Local Settings\Application Data\The Lord of the Rings Online
2010-02-22 04:15 . 2008-04-13 19:40 34688 ----a-w- c:\windows\system32\drivers\lbrtfdc.sys
2010-02-22 04:15 . 2008-04-13 19:40 34688 ----a-w- c:\windows\system32\dllcache\lbrtfdc.sys
2010-02-22 04:15 . 2008-04-13 19:40 8192 ----a-w- c:\windows\system32\drivers\changer.sys
2010-02-22 04:15 . 2008-04-13 19:40 8192 ----a-w- c:\windows\system32\dllcache\changer.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-16 22:22 . 2007-08-02 01:56 -------- d-----w- c:\program files\Common Files\Apple
2010-03-09 21:48 . 2007-03-05 23:44 -------- d-----w- c:\documents and settings\Adam Soccorsi\Application Data\gtk-2.0
2010-03-08 04:54 . 2007-03-05 21:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-03-07 04:45 . 2010-02-10 19:52 -------- d-----w- c:\documents and settings\Adam Soccorsi\Application Data\Bioshock2
2010-03-07 03:44 . 2009-10-03 15:29 -------- d-----w- c:\program files\Steam
2010-02-27 22:31 . 2008-09-06 15:52 -------- d-----w- c:\program files\MagicDVDCopier
2010-02-25 22:49 . 2009-09-13 21:00 -------- d-----w- c:\documents and settings\Adam Soccorsi\Application Data\Temp
2010-02-24 20:34 . 2009-12-21 23:14 -------- d-----w- c:\documents and settings\Adam Soccorsi\Application Data\runic games
2010-02-24 20:34 . 2009-12-21 22:42 -------- d-----w- c:\program files\Runic Games
2010-02-24 20:34 . 2010-01-12 03:08 -------- d-----w- c:\program files\Cryptic Studios
2010-02-22 04:15 . 2010-02-22 04:15 24 ----a-w- c:\documents and settings\Adam Soccorsi\Application Data\cqfyto.dat
2010-02-10 03:33 . 2005-08-17 02:58 -------- d-----w- c:\program files\RGB
2010-02-09 05:56 . 2006-12-21 00:53 -------- d-----w- c:\program files\Google
2010-01-24 05:34 . 2010-01-24 05:34 -------- d-----w- c:\program files\GCH Guitar academy
2010-01-22 00:09 . 2006-12-26 02:42 -------- d-----w- c:\documents and settings\Adam Soccorsi\Application Data\Skype
2010-01-05 10:00 . 2005-08-16 10:18 832512 ------w- c:\windows\system32\wininet.dll
2010-01-05 10:00 . 2005-08-16 10:18 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-01-05 10:00 . 2005-08-16 10:18 17408 ----a-w- c:\windows\system32\corpol.dll
.

((((((((((((((((((((((((((((( SnapShot@2010-03-16_23.08.39 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-03-17 21:07 . 2010-03-17 21:07 16384 c:\windows\Temp\Perflib_Perfdata_484.dat
+ 2010-03-18 01:03 . 2010-03-18 01:03 22528 c:\windows\Installer\d8bb6b.msi
+ 2005-08-16 10:37 . 2008-04-14 00:12 677888 c:\windows\system32\dllcache\lhmstsc.exe
+ 2010-03-18 11:21 . 2004-08-10 11:00 407552 c:\windows\LastGood\system32\mstsc.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Launch LGDCore"="c:\program files\Logitech\GamePanel Software\G-series Software\LGDCore.exe" [2007-07-18 2094352]
"Launch LCDMon"="c:\program files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe" [2007-07-17 1687824]
"DeathAdder"="c:\program files\Razer\DeathAdder\razerhid.exe" [2007-05-07 159744]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-06-10 13758464]

[HKLM\~\startupfolder\C:^Documents and Settings^Adam Soccorsi^Start Menu^Programs^Startup^hamachi.lnk]
path=c:\documents and settings\Adam Soccorsi\Start Menu\Programs\Startup\hamachi.lnk
backup=c:\windows\pss\hamachi.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Adam Soccorsi^Start Menu^Programs^Startup^ImpulseNow.lnk]
path=c:\documents and settings\Adam Soccorsi\Start Menu\Programs\Startup\ImpulseNow.lnk
backup=c:\windows\pss\ImpulseNow.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Adam Soccorsi^Start Menu^Programs^Startup^MagicDisc.lnk]
path=c:\documents and settings\Adam Soccorsi\Start Menu\Programs\Startup\MagicDisc.lnk
backup=c:\windows\pss\MagicDisc.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Adam Soccorsi^Start Menu^Programs^Startup^monnid32.exe]
path=c:\documents and settings\Adam Soccorsi\Start Menu\Programs\Startup\monnid32.exe
backup=c:\windows\pss\monnid32.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Adam Soccorsi^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=c:\documents and settings\Adam Soccorsi\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Adam Soccorsi^Start Menu^Programs^Startup^Xfire.lnk]
path=c:\documents and settings\Adam Soccorsi\Start Menu\Programs\Startup\Xfire.lnk
backup=c:\windows\pss\Xfire.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Extender Resource Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Extender Resource Monitor.lnk
backup=c:\windows\pss\Extender Resource Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UserFaultCheck]
c:\windows\system32\dumprep 0 -u [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Conime]
2008-04-14 00:12 27648 ----a-w- c:\windows\system32\conime.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ------w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
2008-01-17 16:51 486856 ----a-w- c:\program files\DAEMON Tools Lite\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DMXLauncher]
2005-10-05 09:12 94208 ----a-w- c:\program files\Dell\Media Experience\DMXLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
2005-09-29 20:01 67584 ----a-w- c:\windows\ehome\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EKIJ5000StatusMonitor]
2008-10-22 11:54 1310720 ----a-w- c:\windows\system32\spool\drivers\w32x86\3\EKIJ5000MUI.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2008-10-25 16:44 31072 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2007-03-12 01:34 49152 ----a-w- c:\program files\Hewlett-Packard\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IAAnotif]
2006-07-06 13:15 151552 ----a-w- c:\program files\Intel\Intel Matrix Storage Manager\IAAnotif.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
2004-07-27 22:50 221184 ----a-w- c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
2004-07-27 22:50 81920 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2009-11-12 21:33 141600 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nod32kui]
2008-09-29 19:14 949376 ----a-w- c:\program files\ESET\nod32kui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2009-06-10 12:28 13758464 ----a-w- c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
2009-06-10 12:28 86016 ----a-w- c:\windows\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
2009-06-10 12:29 1657376 ----a-w- c:\windows\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
2008-07-07 07:34 167936 ----a-w- c:\program files\PowerISO\PWRISOVM.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-11-11 04:08 417792 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
2006-07-24 16:20 282624 ----a-w- c:\windows\stsystra.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
2009-10-26 21:36 1217808 ----a-w- c:\program files\Steam\Steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2009-08-26 02:08 39408 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
2006-03-30 20:45 313472 ----a-r- c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
2007-10-10 05:28 36352 ----a-w- c:\program files\Winamp\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
2006-10-19 01:05 204288 ------w- c:\program files\Windows Media Player\wmpnscfg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"NBService"=3 (0x3)
"NMIndexingService"=3 (0x3)
"Bonjour Service"=2 (0x2)
"Apple Mobile Device"=2 (0x2)
"WMPNetworkSvc"=2 (0x2)
"Viewpoint Manager Service"=2 (0x2)
"ose"=3 (0x3)
"odserv"=3 (0x3)
"Microsoft Office Groove Audit Service"=3 (0x3)
"MDM"=2 (0x2)
"idsvc"=3 (0x3)
"IAANTMON"=2 (0x2)
"ELService"=2 (0x2)
"aawservice"=2 (0x2)
"PnkBstrA"=2 (0x2)
"gusvc"=2 (0x2)
"gupdate1ca25f239b5547e"=2 (0x2)
"WZCSVC"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
"\\\\D90K36B1\\SW_Galactic_Battlegrounds\\Game\\Battlegrounds.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Turbine\\The Lord of the Rings Online\\lotroclient.exe"=
"c:\\WINDOWS\\system32\\dplaysvr.exe"=
"c:\\Documents and Settings\\Adam Soccorsi\\Desktop\\My Stuff\\utorrent.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Stardock Games\\Sins of a Solar Empire\\Sins of a Solar Empire.exe"=
"c:\\Program Files\\Stardock Games\\Sins of a Solar Empire\\Sins of a Solar Empire Entrenchment.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\left 4 dead\\left4dead.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Razer\\DeathAdder\\razertra.exe"=

R1 nod32drv;nod32drv;c:\windows\system32\drivers\nod32drv.sys [9/27/2008 5:06 PM 15424]
R2 KodakSvc;Kodak AiO Device Service;c:\program files\Kodak\AiO\Center\KodakSvc.exe [12/1/2008 7:58 PM 28672]
R3 DAdderFltr;DeathAdder Mouse;c:\windows\system32\drivers\dadder.sys [1/17/2008 10:49 PM 10880]
S2 gupdate1ca25f239b5547e;Google Update Service (gupdate1ca25f239b5547e);c:\program files\Google\Update\GoogleUpdate.exe [8/25/2009 10:09 PM 133104]
S2 Kodak AiO Network Discovery Service;Kodak AiO Network Discovery Service;c:\program files\Kodak\AiO\Center\EKDiscovery.exe [10/10/2008 10:33 AM 274432]
S3 DAUpdaterSvc;Dragon Age: Origins - Content Updater;c:\program files\Dragon Age\bin_ship\daupdatersvc.service.exe [11/23/2009 9:03 PM 25832]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [2/3/2008 4:12 PM 716272]
S4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [8/1/2009 12:59 PM 24652]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
QWAVE REG_MULTI_SZ QWAVE
.
Contents of the 'Scheduled Tasks' folder

2010-03-18 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-08-26 02:08]

2010-03-18 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-08-26 02:09]

2010-03-19 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-08-26 02:09]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com
LSP: c:\windows\system32\imon.dll
FF - ProfilePath - c:\documents and settings\Adam Soccorsi\Application Data\Mozilla\Firefox\Profiles\b0ygk3a8.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - AIM Search
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/firefox
FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/sli ... 706&query=
FF - plugin: c:\documents and settings\Adam Soccorsi\Application Data\Mozilla\Firefox\Profiles\b0ygk3a8.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071303000004.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1691.8062\npCIDetect13.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJPI150_06.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: dom.disable_open_during_load - false // Popupblocker control handled by McAfee Privacy Service
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-18 20:32
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-3334565574-2233302197-4235952509-1006\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:74,c1,94,0f,b3,9e,43,42,53,10,7b,38,48,d1,4a,a2,1c,55,14,13,96,4e,b6,
45,66,fe,ed,82,a1,52,20,d0,9c,16,6c,4a,be,c4,6f,5a,d7,ea,86,3f,c5,ce,80,cc,\
"??"=hex:32,6d,17,bd,ce,bc,fe,c7,b0,58,a8,8f,4a,f8,bf,a3

[HKEY_USERS\S-1-5-21-3334565574-2233302197-4235952509-1006\Software\SecuROM\License information*]
"datasecu"=hex:75,fe,40,0e,a8,0d,46,9a,9a,28,c1,45,4b,d3,00,39,3b,ad,c4,0a,31,
ae,df,f1,6e,20,bf,dc,87,fe,ea,30,38,fa,35,dc,8d,7a,aa,36,42,b1,e2,37,49,91,\
"rkeysecu"=hex:7b,8e,a2,a8,44,1c,80,c2,21,43,0e,46,48,f0,df,8d
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(812)
c:\windows\system32\imon.dll

- - - - - - - > 'explorer.exe'(1788)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-03-18 20:35:07
ComboFix-quarantined-files.txt 2010-03-19 00:35
ComboFix2.txt 2010-03-18 11:30
ComboFix3.txt 2010-03-17 21:17
ComboFix4.txt 2010-03-16 23:11

Pre-Run: 75,385,270,272 bytes free
Post-Run: 75,344,752,640 bytes free

- - End Of File - - B89AB1309A87BC90F02FF63BA1144123

2010-03-17 21:17:08 . 2010-03-17 21:17:08 614 ----a-w- C:\Qoobox\Quarantine\Registry_backups\MSConfigStartUp-94383633.reg.dat
2010-03-17 21:17:07 . 2010-03-17 21:17:07 373 ----a-w- C:\Qoobox\Quarantine\Registry_backups\SSODL-zuhubudab-{7437b146-d727-45a1-b58c-7879ef803336}.reg.dat
2010-03-17 21:17:06 . 2010-03-17 21:17:06 374 ----a-w- C:\Qoobox\Quarantine\Registry_backups\SharedTaskScheduler-{7437b146-d727-45a1-b58c-7879ef803336}.reg.dat
2010-03-17 21:17:02 . 2010-03-17 21:17:02 351 ----a-w- C:\Qoobox\Quarantine\Registry_backups\BHO-{42763e8b-9915-4476-ba80-1ec31c37ed0b}.reg.dat
2010-03-17 21:00:42 . 2010-03-17 21:00:43 1,772,515 ----a-w- C:\Qoobox\Quarantine\[4]-Submit_2010-03-17_17.00.25.zip
2010-03-17 17:27:12 . 2010-03-17 17:27:12 2,713 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\dakabedu.dll.vir
2010-03-16 23:10:21 . 2010-03-16 23:10:21 1,182 ----a-w- C:\Qoobox\Quarantine\Registry_backups\AddRemove-{7B63B2922B174135AFC0E1377DD81EC2}.reg.dat
2010-03-16 23:10:21 . 2010-03-16 23:10:21 482 ----a-w- C:\Qoobox\Quarantine\Registry_backups\AddRemove-SShockDeinstallKey.reg.dat
2010-03-16 23:10:20 . 2010-03-16 23:10:20 902 ----a-w- C:\Qoobox\Quarantine\Registry_backups\AddRemove-Orb.reg.dat
2010-03-16 23:10:10 . 2010-03-16 23:10:10 592 ----a-w- C:\Qoobox\Quarantine\Registry_backups\MSConfigStartUp-uTorrent.reg.dat
2010-03-16 23:10:09 . 2010-03-16 23:10:09 542 ----a-w- C:\Qoobox\Quarantine\Registry_backups\MSConfigStartUp-ttool.reg.dat
2010-03-16 23:10:09 . 2010-03-16 23:10:09 658 ----a-w- C:\Qoobox\Quarantine\Registry_backups\MSConfigStartUp-TkBellExe.reg.dat
2010-03-16 23:10:09 . 2010-03-16 23:10:09 672 ----a-w- C:\Qoobox\Quarantine\Registry_backups\MSConfigStartUp-SpyHunter Security Suite.reg.dat
2010-03-16 23:10:08 . 2010-03-16 23:10:08 604 ----a-w- C:\Qoobox\Quarantine\Registry_backups\MSConfigStartUp-SiteAdvisor.reg.dat
2010-03-16 23:10:08 . 2010-03-16 23:10:08 612 ----a-w- C:\Qoobox\Quarantine\Registry_backups\MSConfigStartUp-ripohirev.reg.dat
2010-03-16 23:10:08 . 2010-03-16 23:10:08 686 ----a-w- C:\Qoobox\Quarantine\Registry_backups\MSConfigStartUp-PC Antispyware 2010.reg.dat
2010-03-16 23:10:08 . 2010-03-16 23:10:08 634 ----a-w- C:\Qoobox\Quarantine\Registry_backups\MSConfigStartUp-NeroFilterCheck.reg.dat
2010-03-16 23:10:08 . 2010-03-16 23:10:08 620 ----a-w- C:\Qoobox\Quarantine\Registry_backups\MSConfigStartUp-MsnMsgr.reg.dat
2010-03-16 23:10:08 . 2010-03-16 23:10:08 700 ----a-w- C:\Qoobox\Quarantine\Registry_backups\MSConfigStartUp-Malwarebytes Anti-Malware (reboot).reg.dat
2010-03-16 23:10:08 . 2010-03-16 23:10:08 610 ----a-w- C:\Qoobox\Quarantine\Registry_backups\MSConfigStartUp-here.reg.dat
2010-03-16 23:10:07 . 2010-03-16 23:10:07 638 ----a-w- C:\Qoobox\Quarantine\Registry_backups\MSConfigStartUp-DriverCure.reg.dat
2010-03-16 23:10:07 . 2010-03-16 23:10:07 552 ----a-w- C:\Qoobox\Quarantine\Registry_backups\MSConfigStartUp-CTFMON.reg.dat
2010-03-16 23:10:07 . 2010-03-16 23:10:07 684 ----a-w- C:\Qoobox\Quarantine\Registry_backups\MSConfigStartUp-ccagent.reg.dat
2010-03-16 23:10:07 . 2010-03-16 23:10:07 566 ----a-w- C:\Qoobox\Quarantine\Registry_backups\MSConfigStartUp-braviax.reg.dat
2010-03-16 23:10:07 . 2010-03-16 23:10:07 716 ----a-w- C:\Qoobox\Quarantine\Registry_backups\MSConfigStartUp-BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}.reg.dat
2010-03-16 23:10:07 . 2010-03-16 23:10:07 622 ----a-w- C:\Qoobox\Quarantine\Registry_backups\MSConfigStartUp-Aim6.reg.dat
2010-03-16 23:10:06 . 2010-03-16 23:10:06 332 ----a-w- C:\Qoobox\Quarantine\Registry_backups\Notify-WgaLogon.reg.dat
2010-03-16 23:10:05 . 2010-03-16 23:10:05 373 ----a-w- C:\Qoobox\Quarantine\Registry_backups\SSODL-rarilumof-{e3215f1f-c683-445d-8666-1f2ec80fb9ac}.reg.dat
2010-03-16 23:09:55 . 2010-03-16 23:10:04 374 ----a-w- C:\Qoobox\Quarantine\Registry_backups\SharedTaskScheduler-{e3215f1f-c683-445d-8666-1f2ec80fb9ac}.reg.dat
2010-03-16 23:09:52 . 2010-03-16 23:09:52 128 ----a-w- C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-goriwegipo.reg.dat
2010-03-16 23:09:52 . 2010-03-16 23:09:52 150 ----a-w- C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-ripohirev.reg.dat
2010-03-16 23:09:51 . 2010-03-16 23:09:51 1,947 ----a-w- C:\Qoobox\Quarantine\Registry_backups\WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440}.reg.dat
2010-03-16 23:08:38 . 2010-03-16 23:08:38 246 ----a-w- C:\Qoobox\Quarantine\E\av1.zip
2010-03-16 23:08:38 . 2008-11-05 17:19:36 52 ----a-w- C:\Qoobox\Quarantine\E\autorun.inf.vir
2010-03-16 22:52:53 . 2010-03-17 21:04:12 6,377 ----a-w- C:\Qoobox\Quarantine\Registry_backups\tcpip.reg
2010-03-16 22:46:12 . 2010-03-17 20:59:23 204 ----a-w- C:\Qoobox\Quarantine\catchme.log
2010-03-16 05:39:23 . 2010-03-16 05:39:23 1 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\kavumefe.dll.vir
2010-03-15 05:39:13 . 2010-03-15 05:39:13 1 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\dukareyo.dll.vir
2010-03-14 17:37:23 . 2010-03-14 17:37:23 1 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\kofipulo.dll.vir
2010-02-22 04:15:14 . 2010-02-22 04:15:14 1,036,800 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\ALLUSE~1\APPLIC~1\94383633\94383633.exe.vir
2010-02-22 04:15:02 . 2010-02-22 04:15:02 4 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Adam Soccorsi\Application Data\avdrn.dat.vir
2009-10-17 14:58:14 . 2009-10-17 14:58:15 16,933 ----a-w- C:\Qoobox\Quarantine\C\Program Files\Azureus\hs_err_pid3056.log.vir
2009-10-17 04:17:13 . 2009-10-17 04:17:13 3,621 ----a-w- C:\Qoobox\Quarantine\C\Program Files\Azureus\plugins\azupdater\azupdaterpatcher_1.8.12.jar.vir
2009-10-17 04:17:13 . 2009-10-17 04:17:13 19,792 ----a-w- C:\Qoobox\Quarantine\C\Program Files\Azureus\plugins\azupdater\Azureus2_4.2.0.4_P4.pax.vir
2009-10-17 04:17:13 . 2009-10-17 04:17:13 193 ----a-w- C:\Qoobox\Quarantine\C\Program Files\Azureus\plugins\azupdater\plugin.properties_1.8.12.vir
2009-10-17 04:17:13 . 2009-10-17 04:17:13 42,032 ----a-w- C:\Qoobox\Quarantine\C\Program Files\Azureus\plugins\azupdater\azupdater_1.8.12.zip.vir
2009-08-22 23:14:14 . 2009-08-22 23:14:14 13,717 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Adam Soccorsi\Cookies\jyfize.com.vir
2009-08-22 23:14:14 . 2009-08-22 23:14:14 16,956 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Adam Soccorsi\Cookies\kodozuji.inf.vir
2009-08-22 23:14:14 . 2009-08-22 23:14:14 16,845 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Adam Soccorsi\Cookies\ninyce.dl.vir
2009-08-22 23:14:14 . 2009-08-22 23:14:14 19,403 ----a-w- C:\Qoobox\Quarantine\C\Program Files\Common Files\esobika.sys.vir
2009-08-22 23:14:14 . 2009-08-22 23:14:14 18,498 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Adam Soccorsi\Cookies\foxyma.com.vir
2009-08-22 23:14:14 . 2009-08-22 23:14:14 18,348 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\bodoju.inf.vir
2009-08-22 23:14:14 . 2009-08-22 23:14:14 18,125 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\syri.vbs.vir
2009-08-22 23:11:29 . 2009-08-22 23:11:29 18,609 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Adam Soccorsi\Cookies\aremidy.inf.vir
2009-08-22 23:11:29 . 2009-08-22 23:11:29 17,142 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Adam Soccorsi\Cookies\udinopu.reg.vir
2009-08-22 23:11:29 . 2009-08-22 23:11:29 10,957 ----a-w- C:\Qoobox\Quarantine\C\Program Files\Common Files\lulokumi.bat.vir
2009-08-22 23:11:29 . 2009-08-22 23:11:29 11,543 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Adam Soccorsi\Cookies\umepidy.com.vir
2009-08-22 23:11:29 . 2009-08-22 23:11:29 19,116 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\gubicalod.dll.vir
2009-08-22 23:11:29 . 2009-08-22 23:11:29 18,263 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\yhumixafoh.inf.vir
2009-08-22 23:11:29 . 2009-08-22 23:11:29 16,323 ----a-w- C:\Qoobox\Quarantine\C\Program Files\Common Files\zolula.inf.vir
2009-08-22 23:11:29 . 2009-08-22 23:11:29 19,808 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\egupozolud.reg.vir
2009-08-22 23:11:29 . 2009-08-22 23:11:29 19,222 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Adam Soccorsi\Cookies\hyfalaf.vbs.vir
2009-08-22 23:11:29 . 2009-08-22 23:11:29 12,357 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Adam Soccorsi\Cookies\iradezej.com.vir
2009-08-22 23:11:29 . 2009-08-22 23:11:29 13,876 ----a-w- C:\Qoobox\Quarantine\C\Program Files\Common Files\telofim.dat.vir
2009-08-15 19:05:07 . 2009-08-15 19:05:07 20,992 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\jestertb.dll.vir
2009-08-15 15:56:45 . 2009-08-15 15:56:45 217,512 ----a-w- C:\Qoobox\Quarantine\C\Program Files\Azureus\plugins\azupnpav\azupnpav_0.2.21.jar.vir
2009-08-15 15:56:44 . 2009-08-15 15:56:44 201,669 ----a-w- C:\Qoobox\Quarantine\C\Program Files\Azureus\plugins\azupnpav\azupnpav_0.2.21.zip.vir
2009-08-15 15:56:44 . 2009-08-15 15:56:44 125 ----a-w- C:\Qoobox\Quarantine\C\Program Files\Azureus\plugins\azupnpav\plugin.properties_0.2.21.vir
2009-08-13 18:47:03 . 2009-07-10 08:55:50 506,560 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\autorun.inf.vir
2009-06-07 02:45:56 . 2009-06-07 02:45:56 210,455 ----a-w- C:\Qoobox\Quarantine\C\Program Files\Azureus\plugins\azupnpav\azupnpav_0.2.17.jar.vir
2009-06-07 02:45:56 . 2009-06-07 02:45:56 125 ----a-w- C:\Qoobox\Quarantine\C\Program Files\Azureus\plugins\azupnpav\plugin.properties_0.2.17.vir
2009-06-07 02:45:56 . 2009-06-07 02:45:56 194,790 ----a-w- C:\Qoobox\Quarantine\C\Program Files\Azureus\plugins\azupnpav\azupnpav_0.2.17.zip.vir
2009-06-07 02:45:33 . 2009-06-07 02:45:33 325,992 ----a-w- C:\Qoobox\Quarantine\C\Program Files\Azureus\plugins\azemp\azemp_2.1.02.jar.vir
2009-06-07 02:45:33 . 2009-06-07 02:45:33 205 ----a-w- C:\Qoobox\Quarantine\C\Program Files\Azureus\plugins\azemp\plugin.properties_2.1.02.vir
2009-06-07 02:45:33 . 2009-06-07 02:45:33 3,307,056 ----a-w- C:\Qoobox\Quarantine\C\Program Files\Azureus\plugins\azemp\azemp_2.1.02.zip.vir
2009-01-30 22:16:44 . 2009-01-30 22:16:44 125 ----a-w- C:\Qoobox\Quarantine\C\Program Files\Azureus\plugins\azupnpav\plugin.properties_0.2.5.vir
2009-01-30 22:16:44 . 2009-01-30 22:16:44 136,492 ----a-w- C:\Qoobox\Quarantine\C\Program Files\Azureus\plugins\azupnpav\azupnpav_0.2.5.jar.vir
2009-01-30 22:16:44 . 2009-01-30 22:16:44 126,061 ----a-w- C:\Qoobox\Quarantine\C\Program Files\Azureus\plugins\azupnpav\azupnpav_0.2.5.zip.vir
2009-01-30 22:16:24 . 2009-01-30 22:16:24 325,672 ----a-w- C:\Qoobox\Quarantine\C\Program Files\Azureus\plugins\azemp\azemp_2.0.34.jar.vir
2009-01-30 22:16:24 . 2009-01-30 22:16:24 205 ----a-w- C:\Qoobox\Quarantine\C\Program Files\Azureus\plugins\azemp\plugin.properties_2.0.34.vir
2009-01-30 22:16:24 . 2009-01-30 22:16:24 2,619,999 ----a-w- C:\Qoobox\Quarantine\C\Program Files\Azureus\plugins\azemp\azemp_2.0.34.zip.vir
2008-12-09 17:54:48 . 2008-12-09 17:54:48 324,886 ----a-w- C:\Qoobox\Quarantine\C\Program Files\Azureus\plugins\azemp\azemp_2.0.32.jar.vir
2008-12-09 17:54:48 . 2008-12-09 17:54:48 205 ----a-w- C:\Qoobox\Quarantine\C\Program Files\Azureus\plugins\azemp\plugin.properties_2.0.32.vir
2008-12-09 17:54:48 . 2008-12-09 17:54:48 2,619,426 ----a-w- C:\Qoobox\Quarantine\C\Program Files\Azureus\plugins\azemp\azemp_2.0.32.zip.vir
2008-11-27 01:41:54 . 2008-11-27 01:41:54 324,282 ----a-w- C:\Qoobox\Quarantine\C\Program Files\Azureus\plugins\azemp\azemp_2.0.30.jar.vir
2008-11-27 01:41:54 . 2008-11-27 01:41:54 205 ----a-w- C:\Qoobox\Quarantine\C\Program Files\Azureus\plugins\azemp\plugin.properties_2.0.30.vir
2008-11-27 01:41:54 . 2008-11-27 01:41:54 2,619,011 ----a-w- C:\Qoobox\Quarantine\C\Program Files\Azureus\plugins\azemp\azemp_2.0.30.zip.vir
2008-11-10 04:44:38 . 2008-11-10 04:44:38 376,832 ----a-w- C:\Qoobox\Quarantine\C\setup.exe.vir
2008-11-05 15:32:01 . 2008-11-05 15:32:01 323,218 ----a-w- C:\Qoobox\Quarantine\C\Program Files\Azureus\plugins\azemp\azemp_2.0.28.jar.vir
2008-11-05 15:32:01 . 2008-11-05 15:32:01 205 ----a-w- C:\Qoobox\Quarantine\C\Program Files\Azureus\plugins\azemp\plugin.properties_2.0.28.vir
2008-11-05 15:32:00 . 2008-11-05 15:32:00 2,617,998 ----a-w- C:\Qoobox\Quarantine\C\Program Files\Azureus\plugins\azemp\azemp_2.0.28.zip.vir
2008-09-06 15:52:58 . 2008-09-06 15:52:58 87,608 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Adam Soccorsi\Application Data\inst.exe.vir
2008-06-23 00:31:34 . 2008-06-23 00:31:34 132,149 ----a-w- C:\Qoobox\Quarantine\C\Program Files\Azureus\plugins\azupnpav\azupnpav_0.2.2.jar.vir
2008-06-23 00:31:34 . 2008-06-23 00:31:34 125 ----a-w- C:\Qoobox\Quarantine\C\Program Files\Azureus\plugins\azupnpav\plugin.properties_0.2.2.vir
2008-06-23 00:31:34 . 2008-06-23 00:31:34 121,678 ----a-w- C:\Qoobox\Quarantine\C\Program Files\Azureus\plugins\azupnpav\azupnpav_0.2.2.zip.vir
2008-06-23 00:31:08 . 2008-06-23 00:31:08 282,177 ----a-w- C:\Qoobox\Quarantine\C\Program Files\Azureus\plugins\azemp\azemp_2.0.16.jar.vir
2008-06-23 00:31:08 . 2008-06-23 00:31:08 205 ----a-w- C:\Qoobox\Quarantine\C\Program Files\Azureus\plugins\azemp\plugin.properties_2.0.16.vir
2008-06-23 00:31:08 . 2008-06-23 00:31:08 2,574,614 ----a-w- C:\Qoobox\Quarantine\C\Program Files\Azureus\plugins\azemp\azemp_2.0.16.zip.vir
2008-03-27 01:22:05 . 2008-03-27 01:22:05 132,114 ----a-w- C:\Qoobox\Quarantine\C\Program Files\Azureus\plugins\azupnpav\azupnpav_0.2.1.jar.vir
2008-03-27 01:22:05 . 2008-03-27 01:22:05 125 ----a-w- C:\Qoobox\Quarantine\C\Program Files\Azureus\plugins\azupnpav\plugin.properties_0.2.1.vir
2008-03-27 01:22:05 . 2008-03-27 01:22:05 121,594 ----a-w- C:\Qoobox\Quarantine\C\Program Files\Azureus\plugins\azupnpav\azupnpav_0.2.1.zip.vir
2008-03-27 01:21:27 . 2008-03-27 01:21:27 293,226 ----a-w- C:\Qoobox\Quarantine\C\Program Files\Azureus\plugins\azemp\azemp_2.0.14.jar.vir
2008-03-27 01:21:27 . 2008-03-27 01:21:27 205 ----a-w- C:\Qoobox\Quarantine\C\Program Files\Azureus\plugins\azemp\plugin.properties_2.0.14.vir
2008-03-27 01:21:27 . 2008-03-27 01:21:27 2,587,950 ----a-w- C:\Qoobox\Quarantine\C\Program Files\Azureus\plugins\azemp\azemp_2.0.14.zip.vir
2008-03-27 01:19:40 . 2008-03-27 01:19:40 3,621 ----a-w- C:\Qoobox\Quarantine\C\Program Files\Azureus\plugins\azupdater\azupdaterpatcher_1.8.8.jar.vir
2008-03-27 01:19:40 . 2008-03-27 01:19:40 24,846 ----a-w- C:\Qoobox\Quarantine\C\Program Files\Azureus\plugins\azupdater\azupdater_1.8.8.zip.vir
2008-03-27 01:19:40 . 2008-03-27 01:19:40 192 ----a-w- C:\Qoobox\Quarantine\C\Program Files\Azureus\plugins\azupdater\plugin.properties_1.8.8.vir
2008-02-08 04:55:01 . 2009-06-10 01:06:00 4,608 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\BReWErS.dll.vir
2008-02-03 03:48:42 . 2008-02-03 03:48:42 224,371 ----a-w- C:\Qoobox\Quarantine\C\Program Files\Azureus\plugins\azemp\azemp_1.9.11.jar.vir
2008-02-03 03:48:42 . 2008-02-03 03:48:42 205 ----a-w- C:\Qoobox\Quarantine\C\Program Files\Azureus\plugins\azemp\plugin.properties_1.9.11.vir
2008-02-03 03:48:41 . 2008-02-03 03:48:41 2,525,409 ----a-w- C:\Qoobox\Quarantine\C\Program Files\Azureus\plugins\azemp\azemp_1.9.11.zip.vir
2007-12-17 05:11:29 . 2007-12-17 05:11:29 47 ----a-w- C:\Qoobox\Quarantine\C\Program Files\Azureus\plugins\azemp\mplayer\config.vir
2007-12-16 20:29:11 . 2007-12-16 20:29:11 23,076 ----a-w- C:\Qoobox\Quarantine\C\Program Files\Azureus\plugins\azemp\libInfoGetter.dll.vir
2007-12-16 20:29:10 . 2007-12-16 20:29:10 227,977 ----a-w- C:\Qoobox\Quarantine\C\Program Files\Azureus\plugins\azemp\azemp_1.9.6.jar.vir
2007-12-16 20:29:10 . 2007-12-16 20:29:10 204 ----a-w- C:\Qoobox\Quarantine\C\Program Files\Azureus\plugins\azemp\plugin.properties_1.9.6.vir
2007-12-16 20:29:10 . 2007-12-16 20:29:10 2,534,883 ----a-w- C:\Qoobox\Quarantine\C\Program Files\Azureus\plugins\azemp\azemp_1.9.6.zip.vir
2007-12-16 20:25:20 . 2008-03-27 01:19:40 22,128 ----a-w- C:\Qoobox\Quarantine\C\Program Files\Azureus\plugins\azupdater\Updater.jar.bak.vir
2007-12-16 20:25:20 . 2009-01-30 22:16:26 8,864 ----a-w- C:\Qoobox\Quarantine\C\Program Files\Azureus\plugins\azemp\osd-mplayer-a.raw.bak.vir
2007-12-16 20:25:20 . 2009-01-30 22:16:24 8,864 ----a-w- C:\Qoobox\Quarantine\C\Program Files\Azureus\plugins\azemp\osd-mplayer-b.raw.bak.vir
2007-12-16 20:25:20 . 2009-01-30 22:16:26 6,696 ----a-w- C:\Qoobox\Quarantine\C\Program Files\Azureus\plugins\azemp\font.desc.bak.vir
2007-12-16 20:25:20 . 2009-01-30 22:16:26 106,464 ----a-w- C:\Qoobox\Quarantine\C\Program Files\Azureus\plugins\azemp\cp1250-b.raw.bak.vir
2007-12-16 20:25:19 . 2009-01-30 22:16:26 106,464 ----a-w- C:\Qoobox\Quarantine\C\Program Files\Azureus\plugins\azemp\cp1250-a.raw.bak.vir
2007-12-16 20:25:19 . 2009-01-30 22:16:25 5,472,734 ----a-w- C:\Qoobox\Quarantine\C\Program Files\Azureus\plugins\azemp\azmplay.exe.bak.vir
2006-12-21 00:53:47 . 2010-03-17 17:45:12 6,534 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat.vir
2006-12-21 00:53:47 . 2010-03-17 17:37:14 7,849 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat.vir
1601-01-01 00:03:52 . 1601-01-01 00:03:52 56,832 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\mapuzivi.dll.tmp.vir
1601-01-01 00:03:52 . 1601-01-01 00:03:52 60,928 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\nusayuta.dll.vir
1601-01-01 00:03:52 . 1601-01-01 00:03:52 60,928 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\pimimoso.dll.vir
1601-01-01 00:03:52 . 1601-01-01 00:03:52 60,928 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\vetahadu.dll.vir
1601-01-01 00:03:52 . 1601-01-01 00:03:52 56,832 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\wumadibu.dll.tmp.vir
1601-01-01 00:03:52 . 1601-01-01 00:03:52 56,832 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\zawawiza.dll.tmp.vir
1601-01-01 00:03:28 . 1601-01-01 00:03:28 69,632 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\divosewo.dll.vir
1601-01-01 00:03:28 . 1601-01-01 00:03:28 46,080 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\jajulaze.dll.vir
1601-01-01 00:03:28 . 1601-01-01 00:03:28 46,080 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\jinuwayi.dll.vir
1601-01-01 00:03:28 . 1601-01-01 00:03:28 47,104 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\keminazo.dll.vir
1601-01-01 00:03:28 . 1601-01-01 00:03:28 69,632 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\kuwovogi.dll.vir
1601-01-01 00:03:28 . 2010-03-17 21:00:31 100,864 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\lipegamu.dll.vir
1601-01-01 00:03:28 . 1601-01-01 00:03:28 97,280 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\lozaguje.dll.vir
1601-01-01 00:03:28 . 1601-01-01 00:03:28 100,352 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\pikumivu.dll.vir
1601-01-01 00:03:28 . 1601-01-01 00:03:28 47,104 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\roboyove.dll.vir
1601-01-01 00:03:28 . 1601-01-01 00:03:28 70,656 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\royetuki.dll.vir
1601-01-01 00:03:28 . 2010-03-17 21:00:37 100,864 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\sarepelo.dll.vir
1601-01-01 00:03:28 . 1601-01-01 00:03:28 47,104 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\semasema.dll.vir
1601-01-01 00:03:28 . 1601-01-01 00:03:28 47,104 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\welatili.dll.vir
1601-01-01 00:03:28 . 1601-01-01 00:03:28 43,008 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\yejedotu.dll.vir
1601-01-01 00:03:28 . 1601-01-01 00:03:28 60,928 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\yirumuno.dll.vir
1601-01-01 00:03:28 . 1601-01-01 00:03:28 97,280 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\yizimife.dll.vir
1601-01-01 00:03:28 . 1601-01-01 00:03:28 44,032 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\yotewari.dll.vir
1601-01-01 00:03:28 . 1601-01-01 00:03:28 47,104 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\zehigipu.dll.vir
1601-01-01 00:03:28 . 1601-01-01 00:03:28 101,376 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\ziwediya.dll.vir
a4soccor (Regular Member, Posts: 15, Joined: March 15th, 2010, 9:01 pm)
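
Added example, not part of a4soccor's post and not a ComboFix feature: a small Python triage script for the ComboFix-quarantined-files.txt listing pasted above. It maps each C:\Qoobox\Quarantine\<drive>\...\<file>.vir path back to the file's original location and flags two things the listing itself shows: dates in 1601, which is the Windows FILETIME epoch, so the file's stored times are essentially zero and were wiped rather than set by any installer; and the eight-letter consonant/vowel names in system32 (dakabedu, mapuzivi, lipegamu, ...). The alternating-letter regex is a heuristic assumed by this example, and the sample input is a seven-line excerpt copied from the posted listing.

```python
import re
from dataclasses import dataclass

# One line of ComboFix-quarantined-files.txt:
#   <created> . <modified> <size> <attributes> <path under C:\Qoobox\Quarantine>
LINE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<size>[\d,]+) (?P<attrs>\S{8}) (?P<path>.+?)\s*$"
)
# ComboFix keeps a quarantined file as C:\Qoobox\Quarantine\<drive>\<original path>.vir.
# Registry_backups\*.reg.dat and the submit .zip also live under Quarantine but are not moved files.
QUARANTINE_RE = re.compile(
    r"^C:\\Qoobox\\Quarantine\\(?P<drive>[A-Za-z])\\(?P<rest>.+?)\.vir$", re.IGNORECASE
)
# Heuristic (an assumption of this example, not a ComboFix rule): eight lowercase letters
# strictly alternating consonant/vowel, the shape of every random-named DLL in the posted listing.
RANDOM_NAME_RE = re.compile(r"^(?:[bcdfghjklmnpqrstvwxyz][aeiou]){4}$")
# Windows FILETIME counts 100 ns ticks from 1601-01-01; a date in that year means the value is near zero.
FILETIME_EPOCH = "1601-01-01"


@dataclass(frozen=True)
class Entry:
    created: str
    modified: str
    size: int
    original_path: str   # where the file lived before ComboFix moved it (.vir stripped)
    reasons: tuple       # empty when neither heuristic fired


def restore_path(quarantine_path: str) -> str:
    """Map a per-drive quarantine copy back to its original path; other paths come back unchanged."""
    m = QUARANTINE_RE.match(quarantine_path)
    if not m:
        return quarantine_path
    return f"{m.group('drive').upper()}:\\{m.group('rest')}"


def suspicious_reasons(created: str, modified: str, original_path: str) -> tuple:
    """Apply both heuristics to one restored entry and return the reasons that fired."""
    reasons = []
    if created.startswith(FILETIME_EPOCH):
        reasons.append("creation time is a zeroed FILETIME (1601-01-01)")
    if modified.startswith(FILETIME_EPOCH):
        reasons.append("modification time is a zeroed FILETIME (1601-01-01)")
    folder, _, name = original_path.rpartition("\\")
    parts = name.lower().split(".")
    if folder.lower().endswith("\\system32") and "dll" in parts[1:] and RANDOM_NAME_RE.match(parts[0]):
        reasons.append("pseudo-random 8-letter DLL name in system32")
    return tuple(reasons)


def parse_line(line: str):
    """Parse one listing line into an Entry, or None for lines that are not listing lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    original = restore_path(m.group("path"))
    return Entry(
        created=m.group("created"),
        modified=m.group("modified"),
        size=int(m.group("size").replace(",", "")),
        original_path=original,
        reasons=suspicious_reasons(m.group("created"), m.group("modified"), original),
    )


def triage(listing: str, include_clean: bool = False) -> list:
    """Return the entries of a listing; by default only those with at least one reason."""
    entries = [e for e in (parse_line(l) for l in listing.splitlines()) if e is not None]
    return entries if include_clean else [e for e in entries if e.reasons]


# Constructed excerpt: seven lines copied from the quarantine listing in the post above.
SAMPLE = r"""
2010-03-17 17:27:12 . 2010-03-17 17:27:12 2,713 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\dakabedu.dll.vir
2009-08-15 19:05:07 . 2009-08-15 19:05:07 20,992 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\jestertb.dll.vir
2008-02-08 04:55:01 . 2009-06-10 01:06:00 4,608 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\BReWErS.dll.vir
1601-01-01 00:03:52 . 1601-01-01 00:03:52 56,832 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\mapuzivi.dll.tmp.vir
1601-01-01 00:03:28 . 2010-03-17 21:00:31 100,864 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\lipegamu.dll.vir
2006-12-21 00:53:47 . 2010-03-17 17:45:12 6,534 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat.vir
2009-10-17 04:17:13 . 2009-10-17 04:17:13 3,621 ----a-w- C:\Qoobox\Quarantine\C\Program Files\Azureus\plugins\azupdater\azupdaterpatcher_1.8.12.jar.vir
"""

if __name__ == "__main__":
    for e in triage(SAMPLE):
        print(f"{e.original_path} ({e.size} bytes)")
        for r in e.reasons:
            print(f"    - {r}")
```

On the excerpt the script flags dakabedu.dll (name only), mapuzivi.dll.tmp (both times zeroed and name) and lipegamu.dll (creation time zeroed and name), and leaves the BITS queue file, the Azureus plugin and the two non-pattern DLLs alone; a hit is a reason to look closer, not a verdict, and the heuristics say nothing about why ComboFix quarantined the others.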

Re: sufohuwe.dll infection

Post by gringo_pr » March 18th, 2010, 11:03 pm

Hello

These logs are looking good. But we still have some work to do.

Please print out these instructions, or copy them to a Notepad file. It will make it easier for you to follow the instructions and complete all of the necessary steps.

  1. Please visit this site:
  2. In the Link to topic where this file was requested: area, copy and paste this
      http://malwareremoval.com/forum/viewtopic.php?f=11&t=50138&p=511981#p511981

  3. In the Browse to the file you want to submit: area, copy and paste this

      C:\Qoobox\Quarantine\[4]-Submit_2010-03-17_17.00.25.zip

  4. Then click Send File.

    • Once it shows:
      Your file was successfully submitted. Please let the user helping you know that you have submitted the file.
  5. Close the site and continue with the steps below.


uninstall some programs

    1. click on start
    2. then go to settings
    3. after that you need control panel
    4. look for the icon add/remove programs
    click on the following programs

    Adobe Reader 7.0.9
    J2SE Runtime Environment 5.0 Update 6


    and click on remove

Update Adobe Reader

    Recently there have been vulnerabilities detected in older versions of Adobe Reader. It is strongly suggested that you update to the current version.

    You can download it from http://www.adobe.com/products/acrobat/readstep2.html
    After installing the latest Adobe Reader, uninstall all previous versions.
    If you already have Adobe Photoshop® Album Starter Edition installed or do not wish to have it installed UNcheck the box which says Also Download Adobe Photoshop® Album Starter Edition.

      If you don't like Adobe Reader (33.5 MB), you can download Foxit PDF Reader (3.5 MB) from here. It's a much smaller file to download and uses a lot less resources than Adobe Reader.

      Note: When installing FoxitReader, be careful not to install anything to do with AskBar.

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.
  • Download the latest version of Java Runtime Environment (JRE) 18 and save it to your desktop.
  • Scroll down to where it says JDK 6 Update 18 (JDK or JRE)
  • Click the Download JRE button to the right
  • Select the Windows platform from the dropdown menu.
  • Read the License Agreement and then check the box that says: "I agree to the Java SE Runtime Environment 6u18 with JavaFX 1 License Agreement". Click on Continue. The page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Then from your desktop double-click on jre-6u18-windows-i586.exe to install the newest version.
  • After the install is complete, go into the Control Panel (using Classic View) and double-click the Java Icon. (looks like a coffee cup)
    • On the General tab, under Temporary Internet Files, click the Settings button.
    • Next, click on the Delete Files button
    • There are two options in the window to clear the cache - Leave BOTH Checked
        Applications and Applets
        Trace and Log Files

    • Click OK on Delete Temporary Files Window
      Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
    • Click OK to leave the Temporary Files Window
    • Click OK to leave the Java Control Panel.

TFC (Temp File Cleaner):

  • Please download TFC to your desktop,
  • Save any unsaved work. TFC will close all open application windows.
  • Double-click TFC.exe to run the program.
  • If prompted, click "Yes" to reboot.
Note: Save your work. TFC will automatically close any open programs; let it run uninterrupted. It shouldn't take longer than a couple of minutes, and may only take a few seconds. Only if needed will you be prompted to reboot.

: Malwarebytes' Anti-Malware :

    Please download Malwarebytes' Anti-Malware to your desktop.

  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to
    • Update Malwarebytes' Anti-Malware
    • and Launch Malwarebytes' Anti-Malware
  • then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is Checked (ticked) except items in the C:\System Volume Information folder and click on Remove Selected.
  • When completed, a log will open in Notepad. please copy and paste the log into your next reply
    • If you accidentally close it, the log file is saved here and will be named like this:
    • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.


:Kaspersky scan:

    Please go to Kaspersky website and perform an online antivirus scan.

    • Read through the requirements and privacy statement and click on Accept button.
    • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
    • When the downloads have finished, click on Settings.
    • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
        Spyware, Adware, Dialers, and other potentially dangerous programs
        Archives
        Mail databases
    • Click on My Computer under Scan.
    • Once the scan is complete, it will display the results. Click on View Scan Report.
    • You will see a list of infected items there. Click on Save Report As....
    • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
    • Please post this log in your next reply.

"information and logs"

    In your next post I need the following

    1. Log From MBAM
    2. Log From Kaspersky
    3. let me know of any problems you may have had
    4. How is the computer doing now?

Gringo
gringo_pr
Site Moderator
 
Posts: 1817
Joined: March 31st, 2007, 1:35 pm
Location: puerto rico

Re: sufohuwe.dll infection

Unread postby a4soccor » March 19th, 2010, 1:26 pm

Hi, I've run both programs and these are the results:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Friday, March 19, 2010
Operating system: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Friday, March 19, 2010 12:02:11
Records in database: 3815627
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\

Scan statistics:
Objects scanned: 142107
Threats found: 24
Infected objects found: 41
Suspicious objects found: 0
Scan duration: 03:15:30


File name / Threat / Threats count
C:\Program Files\ESET\infected\3NAFMKBA.NQF Infected: Backdoor.Win32.UltimateDefender.igv 1
C:\Program Files\ESET\infected\CAUC2WCA.NQF Infected: Trojan-Downloader.Win32.Agent.ahdb 1
C:\Program Files\ESET\infected\CDAIQQCA.NQF Infected: Trojan-Dropper.Win32.FrauDrop.bj 1
C:\Program Files\ESET\infected\L1VJSRDA.NQF Infected: Trojan.Win32.Small.ycy 1
C:\Program Files\ESET\infected\NHVAV2AA.NQF Infected: Trojan-Downloader.Win32.FraudLoad.fim 1
C:\Program Files\ESET\infected\OWD14CAA.NQF Infected: Backdoor.Win32.Papras.t 1
C:\Program Files\ESET\infected\PVZUUGBA.NQF Infected: Trojan-Downloader.Win32.Firu.aqw 1
C:\Program Files\ESET\infected\QUQNX2CA.NQF Infected: Trojan-Downloader.Win32.BHO.pe 1
C:\Program Files\ESET\infected\SLWLB1DA.NQF Infected: Rootkit.Win32.Agent.aioy 1
C:\Program Files\ESET\infected\SMTNHIAA.NQF Infected: Trojan.Win32.FraudPack.qys 1
C:\Program Files\ESET\infected\SZOCXNDA.NQF Infected: Trojan-Downloader.Win32.BHO.pe 1
C:\Program Files\ESET\infected\TB2HRRBA.NQF Infected: Trojan-Downloader.Win32.Firu.aot 1
C:\Program Files\ESET\infected\WRMSYMBA.NQF Infected: Rootkit.Win32.Agent.kwr 1
C:\Program Files\ESET\infected\XSMIXABA.NQF Infected: Trojan-Downloader.Win32.Mufanom.ksd 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\jajulaze.dll.vir Infected: Trojan.Win32.Monder.ddeq 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\jinuwayi.dll.vir Infected: Trojan.Win32.Monder.dczf 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\keminazo.dll.vir Infected: Trojan.Win32.Monder.ddbk 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\semasema.dll.vir Infected: Trojan.Win32.Monder.dcvz 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\yejedotu.dll.vir Infected: Trojan.Win32.Monder.dcvg 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\yotewari.dll.vir Infected: Trojan.Win32.Monder.dcsb 1
C:\Qoobox\Quarantine\[4]-Submit_2010-03-17_17.00.25.zip Infected: Trojan.Win32.FraudPack.amef 1
C:\Qoobox\Quarantine\[4]-Submit_2010-03-17_17.00.25.zip Infected: Trojan.Win32.Monder.dcwf 1
C:\Qoobox\Quarantine\[4]-Submit_2010-03-17_17.00.25.zip Infected: Trojan.Win32.Monder.dcsj 3
C:\Qoobox\Quarantine\[4]-Submit_2010-03-17_17.00.25.zip Infected: Trojan.Win32.Monder.dcvc 1
C:\Qoobox\Quarantine\[4]-Submit_2010-03-17_17.00.25.zip Infected: Trojan.Win32.Monder.dcvk 1
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1305\A0119799.dll Infected: Trojan.Win32.Monder.dcsj 1
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1305\A0119800.dll Infected: Trojan.Win32.Monder.dcsj 1
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1305\A0119801.dll Infected: Trojan.Win32.Monder.dcsj 1
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1306\A0119805.dll Infected: Trojan.Win32.Monder.dcvz 1
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1306\A0119806.dll Infected: Trojan.Win32.Monder.dcwf 1
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1312\A0121182.dll Infected: Trojan.Win32.Monder.ddeq 1
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1312\A0121183.dll Infected: Trojan.Win32.Monder.dczf 1
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1312\A0121185.dll Infected: Trojan.Win32.Monder.ddbk 1
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1312\A0121189.dll Infected: Trojan.Win32.Monder.dcvz 1
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1312\A0121191.dll Infected: Trojan.Win32.Monder.dcvg 1
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1312\A0121193.dll Infected: Trojan.Win32.Monder.dcsb 1
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1312\A0122468.dll Infected: Trojan.Win32.Monder.dcwf 1
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1312\A0122473.dll Infected: Trojan.Win32.Monder.dcvc 1
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1312\A0122477.dll Infected: Trojan.Win32.Monder.dcvk 1

Selected area has been scanned.


Malwarebytes' Anti-Malware 1.44
Database version: 3885
Windows 5.1.2600 Service Pack 2
Internet Explorer 7.0.5730.11

3/19/2010 9:30:55 AM
mbam-log-2010-03-19 (09-30-55).txt

Scan type: Quick Scan
Objects scanned: 138127
Time elapsed: 5 minute(s), 0 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 4
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{3446af26-b8d7-199b-4cfc-6fd764ca5c9f} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{4776c4dc-e894-7c06-2148-5d73cef5f905} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{3446af26-b8d7-199b-4cfc-6fd764ca5c9f} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{4776c4dc-e894-7c06-2148-5d73cef5f905} (Backdoor.Bot) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Program Files\Mozilla Firefox\a.exe (Trojan.Downloader) -> Quarantined and deleted successfully.


Again, thanks for all the time you're spending helping me with this.
a4soccor
Regular Member
 
Posts: 15
Joined: March 15th, 2010, 9:01 pm

Re: sufohuwe.dll infection

Unread postby gringo_pr » March 19th, 2010, 6:33 pm

Hello

Very well done!! This is my general post for when your logs show no more signs of malware ;)- Please let me know if you still are having problems with your computer and what these problems are.

ESET is only reporting backups created during the course of this fix, and items located in C:\System Volume Information\, which is where System Restore's cache is stored. Whatever is in there can't harm you unless you choose to perform a manual restore. Nevertheless, we shall be resetting/clearing the cache shortly.

The following procedure will implement some cleanup procedures. It will also reset your System Restore by flushing out previous restore points (which contain the infections) and create a new restore point.

:Uninstall ComboFix:

  • push the "windows key" + "R" (between the "Ctrl" button and "Alt" Button)
  • please copy and paste the following into the box ComboFix /Uninstall and click OK.
  • Note the space between the X and the /Uninstall, it needs to be there.

:DeFogger:

    To re-enable your Emulation drivers, double click DeFogger to run the tool.
    • The application window will appear
    • Click the Re-enable button to re-enable your CD Emulation drivers
    • Click Yes to continue
    • A 'Finished!' message will appear
    • Click OK
    • DeFogger will now ask to reboot the machine - click OK
    IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_enable which will appear on your desktop.

    Your Emulation drivers are now re-enabled.

:Make your Internet Explorer more secure:


:Turn On Automatic Updates:

    Turn On Automatic Updates
    1. Click Start, click Run, type sysdm.cpl, and then press ENTER.
    2. Click the Automatic Updates tab, and then click to select one of the following options. We recommend that you select Automatic (recommended): "Automatically download recommended updates for my computer and install them".

    If you click this setting, click to select the day and time for scheduled updates to occur. You can schedule Automatic Updates for any time of day. Remember, your computer must be on at the scheduled time for updates to be installed. After you set this option, Windows recognizes when you are online and uses your Internet connection to find updates on the Windows Update Web site or on the Microsoft Update Web site that apply to your computer. Updates are downloaded automatically in the background, and you are not notified or interrupted during this process. An icon appears in the notification area of your taskbar when the updates are being downloaded. You can point to the icon to view the download status. To pause or to resume the download, right-click the icon, and then click Pause or Resume. When the download is completed, another message appears in the notification area so that you can review the updates that are scheduled for installation. If you choose not to install at that time, Windows starts the installation on your set schedule.

    or visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

:antispyware programs:
    You have a couple of good antispyware programs on this computer, but you can still try some of these others to see if you like them also.

    I would recommend the download and installation of some or all of the following programs (all free), and the updating of them regularly:
    • WinPatrol As a robust security monitor, WinPatrol will alert you to hijackings, malware attacks and critical changes made to your computer without your permission. WinPatrol takes snapshot of your critical system resources and alerts you to any changes that may occur without your knowledge.

    • Malwarebytes' Anti-Malware - Malwarebytes' Anti-Malware is a new and powerful anti-malware tool. It is totally free, but for real-time protection you will have to pay a small one-time fee.
    • Spyware Blaster - By altering your registry, this program stops harmful sites from installing things like ActiveX Controls on your machines.


please read this great article by miekiemoes How to prevent Malware:
and
this great article by Tony Klein So How Did I Get Infected In First Place

Now you have followed my advice - it's time to lodge a complaint against what you have suffered.........

Malware Complaints
If you were infected .... Stand Up and be Counted.

I'd be grateful if you could reply to this post so that I know you have read it and, if you've no other questions, the thread can then be closed.

Gringo
gringo_pr
Site Moderator
 
Posts: 1817
Joined: March 31st, 2007, 1:35 pm
Location: puerto rico
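Two points in this thread turn on the same question: the MBAM step says to leave items under C:\System Volume Information unchecked, and the post above notes that every hit in the Kaspersky report sits in a quarantine store or a System Restore snapshot rather than on the live system. The script below is an added example for this thread, not a tool from MalwareRemoval.com, Kaspersky or Malwarebytes. It parses lines in the Kaspersky Online Scanner report format ("path Infected: threat count") and buckets each detection as quarantine, system_restore or live, so the helper can see at a glance whether anything still needs cleaning or whether flushing the restore points is enough. The quarantine prefixes (ESET\infected, Qoobox\Quarantine) are assumptions taken from the paths in Adam's report; the sufohuwe.dll line in the embedded sample is constructed for contrast and was NOT in the real scan, which reported no live hits.

```python
"""Triage a Kaspersky Online Scanner report: separate live detections from
already-quarantined copies and System Restore snapshots.

Added example for this thread, not a MalwareRemoval.com, Kaspersky or
Malwarebytes tool. Path prefixes are assumptions based on the report posted
above; the 'sufohuwe.dll' line in SAMPLE_REPORT is constructed for contrast
and was not present in the real scan.
"""
import re
from collections import Counter
from dataclasses import dataclass

# One detection line in the report looks like: "<path> Infected: <threat name> <count>"
LINE_RE = re.compile(r"^(?P<path>.+?)\s+Infected:\s+(?P<threat>\S+)\s+(?P<count>\d+)$")

# Stores where a detection is inert: quarantine folders written by other tools,
# and the System Restore cache. Nothing here executes unless the user restores
# a snapshot or re-extracts the file. (Assumed prefixes, taken from the report.)
QUARANTINE_PREFIXES = ("c:/program files/eset/infected/", "c:/qoobox/quarantine/")
RESTORE_PREFIX = "c:/system volume information/_restore"


@dataclass(frozen=True)
class Hit:
    path: str
    threat: str
    count: int
    category: str  # "quarantine", "system_restore" or "live"


def classify(path: str) -> str:
    """Bucket a detection by where it sits on disk (case-insensitive, slash-agnostic)."""
    p = path.replace("\\", "/").lower()
    if p.startswith(RESTORE_PREFIX):
        return "system_restore"
    if p.startswith(QUARANTINE_PREFIXES):
        return "quarantine"
    return "live"


def parse_report(text: str) -> list:
    """Extract every 'Infected:' line; header, statistics and footer lines are skipped."""
    hits = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            hits.append(Hit(m["path"], m["threat"], int(m["count"]), classify(m["path"])))
    return hits


def summarize(hits) -> dict:
    """Infected-object totals per category (an archive reported with count 3 adds 3)."""
    totals = Counter({"quarantine": 0, "system_restore": 0, "live": 0})
    for h in hits:
        totals[h.category] += h.count
    return dict(totals)


def live_hits(hits) -> list:
    """Detections outside quarantine and System Restore: these still need cleaning."""
    return [h for h in hits if h.category == "live"]


# Sample built from lines of the report above, plus one constructed live hit (last line).
SAMPLE_REPORT = r"""
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Friday, March 19, 2010
--------------------------------------------------------------------------------

File name / Threat / Threats count
C:\Program Files\ESET\infected\3NAFMKBA.NQF Infected: Backdoor.Win32.UltimateDefender.igv 1
C:\Program Files\ESET\infected\SLWLB1DA.NQF Infected: Rootkit.Win32.Agent.aioy 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\jajulaze.dll.vir Infected: Trojan.Win32.Monder.ddeq 1
C:\Qoobox\Quarantine\[4]-Submit_2010-03-17_17.00.25.zip Infected: Trojan.Win32.Monder.dcsj 3
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1305\A0119799.dll Infected: Trojan.Win32.Monder.dcsj 1
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1312\A0121182.dll Infected: Trojan.Win32.Monder.ddeq 1
C:\WINDOWS\system32\sufohuwe.dll Infected: Trojan.Win32.Monder.dcsj 1

Selected area has been scanned.
"""

if __name__ == "__main__":
    hits = parse_report(SAMPLE_REPORT)
    print(summarize(hits))
    for h in live_hits(hits):
        print("NEEDS ACTION:", h.path, h.threat)
    if not live_hits(hits):
        print("Only quarantine and restore-point copies: flush restore points and move on.")
```

Run it against a saved report (`parse_report(open("report.txt").read())`) and act only on what `live_hits` returns; the quarantine and system_restore buckets are what the ComboFix uninstall and restore-point flush in the post above take care of.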

Re: sufohuwe.dll infection

Unread postby a4soccor » March 21st, 2010, 12:45 pm

Gringo,

Thank you for all your help, everything is running the way it should now. I appreciate you spending so much time helping me fix this. If I have any other problems i will let you know. Thanks again, take care!

-Adam-
a4soccor
Regular Member
 
Posts: 15
Joined: March 15th, 2010, 9:01 pm

Re: sufohuwe.dll infection

Unread postby NonSuch » March 22nd, 2010, 6:09 pm

As this issue appears to be resolved, this topic is now closed.

We are pleased we could help you resolve your computer's malware issues.

If you would like to make a comment or leave a compliment regarding the help you have received, please see Feedback for Our Helpers - Say "Thanks" Here.
NonSuch
Administrator
 
Posts: 28747
Joined: February 23rd, 2005, 7:08 am
Location: California