Tech Support Guy banner
  • IMPORTANT: Only authorized members may reply to threads in this forum due to the complexity of the malware removal process. Authorized members include Malware Specialists and Trainees, Administrators, Moderators, and Trusted Advisors. Regular members are not permitted to reply, and any such posts will be deleted without notice or further explanation. Notice
Status
Not open for further replies.

Malware Removal Help

942 views 2 replies 1 participant last post by  Jreg 
#1 ·
Hi there everyone. I am prettty new to the whole Hijack this scene but I have a family friends computer that I was given to fix, and I am looking for a spot of help.
The computer uses Dial-up Internet via PeoplesPC (???) I will try to include as much information as I can but I will probably forget to include something

The issue - The computer will not let you access the internet via a web browser even though it connects to a working network.

What I have already done - I installed AVG and ran a full virus scan on the computer and also a full computer comandline check in Safe Mode. It doesn't seem to be working as right after it says it has quarantined/ move to vault, the problems just keep showing up on a rescan.

I also tried to do a windows update but it kicked it back telling me that certain services were missing, ie the Windows Update Service and some other services

I have included in this a Log I generated Via HijackThis, followed by a DDS Log (I suppose this may help?) and a RootReal log

Computer specs -

Dell Inspiron 6000
Microsoft Windows XP - Media Center Edition - Version 2002 - Service Pack 3
Intel Pentium M Processor 1.73GHZ
504MB Ram

Here is the HijackThis log that was generated when I scanned it -

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:02:12 PM, on 1/31/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVG\AVG9\Identity Protection\Agent\Bin\AVGIDSAgent.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\AVG\AVG9\avgfws9.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Norton Internet Security\Engine\17.1.0.19\ccSvcHst.exe
C:\Program Files\AVG\AVG9\avgam.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\AVG\AVG9\avgemc.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Norton Internet Security\Engine\17.1.0.19\ccSvcHst.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\PeoplePC\ISP6300\Browser\Bartshel.exe
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe
C:\PROGRA~1\PeoplePC\ISP6300\Browser\PPShared.exe
C:\Program Files\AVG\AVG9\Identity Protection\agent\bin\avgidsmonitor.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
E:\hijackthis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://home.peoplepc.com/search
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.peoplepc.com/websearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://home.peoplepc.com/search
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
O2 - BHO: Symantec NCO BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton Internet Security\Engine\17.1.0.19\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton Internet Security\Engine\17.1.0.19\IPSBHO.DLL
O2 - BHO: PeoplePal Toolbar - {A8FB8EB3-183B-4598-924D-86F0E5E37085} - c:\program files\peoplepc\toolbar\ppctoolbar.dll
O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Internet Security\Engine\17.1.0.19\coIEPlg.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Bart Station] C:\Program Files\PeoplePC\ISP6300\BIN\PPCOLink.exe -STATION
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
O4 - HKLM\..\Run: [CanonSolutionMenu] C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe /logon
O4 - HKLM\..\Run: [zugudoniw] Rundll32.exe "c:\windows\system32\piseraho.dll",a
O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: Picture Package Menu.lnk = ?
O4 - Global Startup: Picture Package VCD Maker.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file:///C:/Program%20Files/Texas%20Holdem%20Poker/Images/stg_drm.ocx
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1239373010171
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file:///C:/Program%20Files/Texas%20Holdem%20Poker/Images/armhelper.ocx
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
O18 - Filter hijack: text/html - {917f720f-21a3-455d-81ce-d84a4bd330f3} - C:\WINDOWS\mark_32.dll
O20 - AppInit_DLLs: tuyubeva.dll c:\windows\system32\piseraho.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O21 - SSODL: yizesukus - {c6db6ea0-e144-471a-a48a-45e1c95400d2} - c:\windows\system32\piseraho.dll
O22 - SharedTaskScheduler: gahurihor - {c6db6ea0-e144-471a-a48a-45e1c95400d2} - c:\windows\system32\piseraho.dll
O23 - Service: AVG E-mail Scanner (avg9emc) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgemc.exe
O23 - Service: AVG WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
O23 - Service: AVG Firewall (avgfws9) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgfws9.exe
O23 - Service: AVG9IDSAgent (AVGIDSAgent) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\Identity Protection\Agent\Bin\AVGIDSAgent.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Norton Internet Security (NIS) - Symantec Corporation - C:\Program Files\Norton Internet Security\Engine\17.1.0.19\ccSvcHst.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Intel® PROSet/Wireless SSO Service (WLANKEEPER) - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
 
See less See more
#2 ·
Here are the DDS and RootRepeal Logs (wouldn't let me fit em in with the original report)

DDS (Ver_09-12-01.01) - NTFSx86
Run by Administrator at 19:55:07.35 on Sun 01/31/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.503.109 [GMT -5:00]

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVG\AVG9\Identity Protection\Agent\Bin\AVGIDSAgent.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
C:\Program Files\PeoplePC\ISP6300\Browser\Bartshel.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe
svchost.exe
C:\Program Files\AVG\AVG9\Identity Protection\agent\bin\avgidsmonitor.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\AVG\AVG9\avgfws9.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\Program Files\AVG\AVG9\avgam.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\Norton Internet Security\Engine\17.1.0.19\ccSvcHst.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\AVG\AVG9\avgemc.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\PROGRA~1\PeoplePC\ISP6300\Browser\PPShared.exe
C:\Program Files\Norton Internet Security\Engine\17.1.0.19\ccSvcHst.exe
C:\Documents and Settings\Administrator\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://home.peoplepc.com/websearch
uSearch Bar = hxxp://home.peoplepc.com/search
uInternet Connection Wizard,ShellNext = iexplore
mSearchAssistant = hxxp://home.peoplepc.com/search
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton internet security\engine\17.1.0.19\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton internet security\engine\17.1.0.19\IPSBHO.DLL
BHO: PeoplePal Toolbar: {a8fb8eb3-183b-4598-924d-86f0e5e37085} - c:\program files\peoplepc\toolbar\ppctoolbar.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton internet security\engine\17.1.0.19\coIEPlg.dll
TB: Easy-WebPrint: {327c2873-e90d-4c37-aa9d-10ac9baba46c} - c:\program files\canon\easy-webprint\Toolband.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [IntelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [Bart Station] c:\program files\peoplepc\isp6300\bin\PPCOLink.exe -STATION
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [CanonMyPrinter] c:\program files\canon\myprinter\BJMyPrt.exe /logon
mRun: [CanonSolutionMenu] c:\program files\canon\solutionmenu\CNSLMAIN.exe /logon
mRun: [zugudoniw] Rundll32.exe "c:\windows\system32\piseraho.dll",a
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\kodake~1.lnk - c:\program files\kodak\kodak easyshare software\bin\EasyShare.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\kodaks~1.lnk - c:\program files\kodak\kodak software updater\7288971\program\Kodak Software Updater.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\pictur~2.lnk - c:\program files\sony corporation\picture package\picture package menu\SonyTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\pictur~1.lnk - c:\program files\sony corporation\picture package\picture package applications\Residence.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Easy-WebPrint Add To Print List - c:\program files\canon\easy-webprint\Resource.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\canon\easy-webprint\Resource.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\canon\easy-webprint\Resource.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\canon\easy-webprint\Resource.dll/RC_Print.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} - file:///C:/Program%20Files/Texas%20Holdem%20Poker/Images/stg_drm.ocx
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1239373010171
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} - file:///C:/Program%20Files/Texas%20Holdem%20Poker/Images/armhelper.ocx
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Filter: text/html - {917f720f-21a3-455d-81ce-d84a4bd330f3} -
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: tuyubeva.dll c:\windows\system32\piseraho.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SSODL: yizesukus - {c6db6ea0-e144-471a-a48a-45e1c95400d2} - c:\windows\system32\piseraho.dll
STS: gahurihor: {c6db6ea0-e144-471a-a48a-45e1c95400d2} - c:\windows\system32\piseraho.dll
LSA: Notification Packages = scecli kedohugu.dll

============= SERVICES / DRIVERS ===============

R0 AVGIDSErHrxpx;AVG9IDSErHr;c:\windows\system32\drivers\AVGIDSxx.sys [2010-1-31 25608]
R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [2010-1-31 161800]
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\nis\1101000.013\SymDS.sys [2009-12-31 328752]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nis\1101000.013\SymEFA.sys [2009-12-31 171056]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2010-1-31 333192]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2010-1-31 28424]
R1 AvgTdiX;AVG Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2010-1-31 360584]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.1.0.19\definitions\bashdefs\20091013.001\BHDrvx86.sys [2009-12-31 508976]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\nis\1101000.013\cchpx86.sys [2009-12-31 501888]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\nis\1101000.013\Ironx86.sys [2009-12-31 114736]
R2 avg9emc;AVG E-mail Scanner;c:\program files\avg\avg9\avgemc.exe [2010-1-31 906520]
R2 avg9wd;AVG WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-1-31 285392]
R2 avgfws9;AVG Firewall;c:\program files\avg\avg9\avgfws9.exe [2010-1-31 2304192]
R2 AVGIDSAgent;AVG9IDSAgent;c:\program files\avg\avg9\identity protection\agent\bin\AVGIDSAgent.exe [2010-1-31 5832712]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 NIS;Norton Internet Security;c:\program files\norton internet security\engine\17.1.0.19\ccSvcHst.exe [2009-12-31 126392]
R3 Avgfwdx;Avgfwdx;c:\windows\system32\drivers\avgfwdx.sys [2010-1-31 30104]
R3 AVGIDSDriverxpx;AVG9IDSDriver;c:\program files\avg\avg9\identity protection\agent\driver\platform_xp\AVGIDSDriver.sys [2010-1-31 122376]
R3 AVGIDSFilterxpx;AVG9IDSFilter;c:\program files\avg\avg9\identity protection\agent\driver\platform_xp\AVGIDSFilter.sys [2010-1-31 30216]
R3 AVGIDSShimxpx;AVG9IDSShim;c:\program files\avg\avg9\identity protection\agent\driver\platform_xp\AVGIDSShim.sys [2010-1-31 25736]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-12-31 102448]
S3 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwdx.sys [2010-1-31 30104]
S3 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.1.0.19\definitions\ipsdefs\20090911.001\IDSxpx86.sys [2009-12-31 329080]
S3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.1.0.19\definitions\virusdefs\20091020.006\NAVENG.SYS [2009-12-31 84912]
S3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.1.0.19\definitions\virusdefs\20091020.006\NAVEX15.SYS [2009-12-31 1323568]
S3 RDID1009;EDIROL UM-1;c:\windows\system32\drivers\Rdwm1009.sys [2009-6-2 79393]

=============== Created Last 30 ================

2010-01-31 20:47:44 0 d--h--w- C:\$AVG
2010-01-31 20:47:10 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-01-31 20:47:09 25608 ----a-w- c:\windows\system32\drivers\AVGIDSxx.sys
2010-01-31 20:47:07 161800 ----a-w- c:\windows\system32\drivers\avgrkx86.sys
2010-01-31 20:47:05 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-01-31 20:46:59 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-01-31 20:46:31 0 d-----w- c:\windows\system32\drivers\Avg
2010-01-31 20:44:59 50968 ----a-w- c:\windows\system32\avgfwdx.dll
2010-01-31 20:44:59 30104 ----a-w- c:\windows\system32\drivers\avgfwdx.sys
2010-01-31 20:44:57 0 d-----w- c:\program files\AVG
2010-01-31 20:44:47 0 d-----w- c:\docume~1\alluse~1\applic~1\avg9
2010-01-31 20:44:18 0 d-----w- c:\windows\SxsCaPendDel
2010-01-12 20:35:24 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll

==================== Find3M ====================

2009-12-31 23:25:14 805 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2009-12-31 23:25:14 7443 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2009-12-31 23:25:14 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
2009-12-31 23:25:14 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
1601-01-01 00:03:28 30447 --sha-w- c:\windows\system32\limereju.dll
1601-01-01 00:03:28 37888 --sha-w- c:\windows\system32\meyufivi.dll
1601-01-01 00:03:28 91648 --sha-w- c:\windows\system32\piseraho.dll
1601-01-01 00:03:28 37888 --sha-w- c:\windows\system32\tenagoki.dll
2009-09-05 22:21:19 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009090520090906\index.dat

============= FINISH: 19:56:57.81 ===============

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2010/01/31 20:00
Program Version: Version 1.3.5.0
Windows Version: Windows XP Media Center Edition SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xAA5D4000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF8B12000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xA95E0000 Size: 49152 File Visible: No Signed: -
Status: -

Name: SYMDS.SYS
Image Path: SYMDS.SYS
Address: 0xF8329000 Size: 352256 File Visible: No Signed: -
Status: -

Name: SYMEFA.SYS
Image Path: SYMEFA.SYS
Address: 0xF82EB000 Size: 180224 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\RECYCLER\S-1-5-21-329068152-1958367476-725345543-500\13TRAC~1.WMA
Status: Locked to the Windows API!

Path: c:\windows\temp\0bbfb591-f744-41ff-a802-e692b5436782.tmp
Status: Allocation size mismatch (API: 16384, Raw: 0)

Path: C:\Documents and Settings\Administrator\My Documents\My Music\Unknown Artist\Majestic Peace\Dc10.wma
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\My Documents\My Music\Unknown Artist\Majestic Peace\Dc11.wma
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\My Documents\My Music\Unknown Artist\Majestic Peace\Dc12.wma
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\My Documents\My Music\Unknown Artist\Majestic Peace\Dc13.wma
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\My Documents\My Music\Unknown Artist\Majestic Peace\Dc14.wma
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\My Documents\My Music\Unknown Artist\Majestic Peace\Dc15.wma
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\My Documents\My Music\Unknown Artist\Majestic Peace\Dc16.wma
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\My Documents\My Music\Unknown Artist\Majestic Peace\Dc17.wma
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\My Documents\My Music\Unknown Artist\Majestic Peace\Dc18.wma
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\My Documents\My Music\Unknown Artist\Majestic Peace\Dc19.wma
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\My Documents\My Music\Unknown Artist\Majestic Peace\Dc21.wma
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\My Documents\My Music\Unknown Artist\Majestic Peace\Dc22.wma
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\My Documents\My Music\Unknown Artist\Majestic Peace\Dc23.wma
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\My Documents\My Music\Unknown Artist\Majestic Peace\Dc24.wma
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\My Documents\My Music\Unknown Artist\Majestic Peace\Dc25.wma
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\My Documents\My Music\Unknown Artist\Majestic Peace\Dc26.wma
Status: Locked to the Windows API!

Path: C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.1.0.19\Definitions\VirusDefs\20091020.006\EraserUtilRebootDrv.sys
Status: Locked to the Windows API!

SSDT
-------------------
#: 012 Function Name: NtAlertResumeThread
Status: Hooked by "<unknown>" at address 0x82ac20d0

#: 013 Function Name: NtAlertThread
Status: Hooked by "<unknown>" at address 0x82ac10c0

#: 017 Function Name: NtAllocateVirtualMemory
Status: Hooked by "<unknown>" at address 0x82b05440

#: 019 Function Name: NtAssignProcessToJobObject
Status: Hooked by "<unknown>" at address 0x82ad7440

#: 031 Function Name: NtConnectPort
Status: Hooked by "<unknown>" at address 0x820ee8d0

#: 041 Function Name: NtCreateKey
Status: Hooked by "C:\WINDOWS\system32\Drivers\SYMEVENT.SYS" at address 0xaade9210

#: 043 Function Name: NtCreateMutant
Status: Hooked by "<unknown>" at address 0x82b8c450

#: 052 Function Name: NtCreateSymbolicLinkObject
Status: Hooked by "<unknown>" at address 0x82b94450

#: 053 Function Name: NtCreateThread
Status: Hooked by "<unknown>" at address 0x82a7bcd0

#: 057 Function Name: NtDebugActiveProcess
Status: Hooked by "<unknown>" at address 0x82ad5490

#: 063 Function Name: NtDeleteKey
Status: Hooked by "C:\WINDOWS\system32\Drivers\SYMEVENT.SYS" at address 0xaade9490

#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "C:\WINDOWS\system32\Drivers\SYMEVENT.SYS" at address 0xaade99f0

#: 068 Function Name: NtDuplicateObject
Status: Hooked by "<unknown>" at address 0x82aa6a00

#: 083 Function Name: NtFreeVirtualMemory
Status: Hooked by "<unknown>" at address 0x82b80760

#: 089 Function Name: NtImpersonateAnonymousToken
Status: Hooked by "<unknown>" at address 0x82acfb40

#: 091 Function Name: NtImpersonateThread
Status: Hooked by "<unknown>" at address 0x82acc220

#: 097 Function Name: NtLoadDriver
Status: Hooked by "<unknown>" at address 0x820b0eb8

#: 108 Function Name: NtMapViewOfSection
Status: Hooked by "<unknown>" at address 0x82c15758

#: 114 Function Name: NtOpenEvent
Status: Hooked by "<unknown>" at address 0x82ad2b00

#: 119 Function Name: NtOpenKey
Status: Hooked by "C:\WINDOWS\system32\Drivers\SYMEVENT.SYS" at address 0xaade97a0

#: 122 Function Name: NtOpenProcess
Status: Hooked by "C:\Program Files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSShim.sys" at address 0xf893b470

#: 123 Function Name: NtOpenProcessToken
Status: Hooked by "<unknown>" at address 0x82a9cd38

#: 125 Function Name: NtOpenSection
Status: Hooked by "<unknown>" at address 0x82ad4940

#: 128 Function Name: NtOpenThread
Status: Hooked by "<unknown>" at address 0x82a94f20

#: 137 Function Name: NtProtectVirtualMemory
Status: Hooked by "<unknown>" at address 0x82b92aa0

#: 206 Function Name: NtResumeThread
Status: Hooked by "<unknown>" at address 0x82ab6568

#: 213 Function Name: NtSetContextThread
Status: Hooked by "<unknown>" at address 0x82aa86a8

#: 228 Function Name: NtSetInformationProcess
Status: Hooked by "<unknown>" at address 0x82b845a8

#: 240 Function Name: NtSetSystemInformation
Status: Hooked by "<unknown>" at address 0x82ad5458

#: 247 Function Name: NtSetValueKey
Status: Hooked by "C:\WINDOWS\system32\Drivers\SYMEVENT.SYS" at address 0xaade9c40

#: 253 Function Name: NtSuspendProcess
Status: Hooked by "<unknown>" at address 0x82ad4868

#: 254 Function Name: NtSuspendThread
Status: Hooked by "<unknown>" at address 0x82ab5590

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "C:\Program Files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSShim.sys" at address 0xf893b520

#: 258 Function Name: NtTerminateThread
Status: Hooked by "C:\Program Files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSShim.sys" at address 0xf893b5c0

#: 267 Function Name: NtUnmapViewOfSection
Status: Hooked by "<unknown>" at address 0x82a9d850

#: 277 Function Name: NtWriteVirtualMemory
Status: Hooked by "C:\Program Files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSShim.sys" at address 0xf893b660

Shadow SSDT
-------------------
#: 307 Function Name: NtUserAttachThreadInput
Status: Hooked by "<unknown>" at address 0x82b7eaa0

#: 383 Function Name: NtUserGetAsyncKeyState
Status: Hooked by "<unknown>" at address 0x82b70ce8

#: 414 Function Name: NtUserGetKeyboardState
Status: Hooked by "<unknown>" at address 0x82b653c8

#: 416 Function Name: NtUserGetKeyState
Status: Hooked by "<unknown>" at address 0x82b7c400

#: 428 Function Name: NtUserGetRawInputData
Status: Hooked by "<unknown>" at address 0x82b9ee30

#: 460 Function Name: NtUserMessageCall
Status: Hooked by "<unknown>" at address 0x82a790b0

#: 475 Function Name: NtUserPostMessage
Status: Hooked by "<unknown>" at address 0x82b962a0

#: 476 Function Name: NtUserPostThreadMessage
Status: Hooked by "<unknown>" at address 0x82a7cc00

#: 549 Function Name: NtUserSetWindowsHookEx
Status: Hooked by "<unknown>" at address 0x82af6980

#: 552 Function Name: NtUserSetWinEventHook
Status: Hooked by "<unknown>" at address 0x82a929d0

==EOF==
 
Status
Not open for further replies.
You have insufficient privileges to reply here.
Top