Computer is slow, programs can't be opened, won't shutdown.
Opened task manager and found a process running between 20 and 40% of the cpu. Name varies, but one was deiniiq.exe.
Process can't be killed (no taskkill). Hard restarted.
Ran Malwarebytes Quick scan. Found 7 viruses (trojan, but didn't record the names).
More problems the next day. Ran MB full scan, more viruses (didn't record the names). Booted in
SAFEMODE/Administrator; found two more viruses; didn't record the names.
On restart, windows loads, then the folder c:\documents and settings\%user% pops up. Along with standard folders,
there were these files:
msn.bat
google.bat
yahoo.bat
luresult.txt
logfile.txt
duddud (application, icon like text file)
xeuxex (application, icon like text file)
zoizoz (application, icon like text file)
runme (application, icon like text folder)
Double clicking "runme" shuts down current oddly named process, and opens another.
Moved files into another folder, and hard restarted. Files reappeared.
Checked Bootfile, nothing unusual.
Ran MSCONFIG--> Startup
There was an entry to c:\documents and settings\%user%\Application Data\, where I found a bunch of oddly named
folders. Only one contained an .exe, cycycv.exe (I think). I removed those folders from that directory, and hard
restarted. While it took a little while longer to pop up the %user% directory, it did pop up. And the odd processes
were running; the folders were back in both places with different names. Runme was the only constant in naming.
Downloaded RKill.exe and ran it. Only the one odd running process was found.
Processes didn't restart, although I believe they will after another restart.
---Next Day---
Started computer, files appeared in all the likely places.
Plugged in a USB drive; couldn't get to the drive via Explorer, but got into it via command:
dds.scr file was deleted, gmer.zip was left; the virus added a bunch of files including
x.mpeg
secret.exe
sexy.exe
porn.exe
passwords.exe
Downloaded new copies of gmer and dds. Ran dds.scr and got the results file (below and attached);
ran the gmer (attached); since this is a work computer, I've removed/redacted some sensitive information;
e.g., user for the actual user, etc.
Found antivirus logs:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|zoouc (Trojan.Downloader.ic) -> Data: C:\Documents and Settings\user\zoouc.exe /k -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|{9D4E28EC-11C3-AD7A-A2B9-402D8134633F} (Trojan.Zbot) -> Data: "C:\Documents and Settings\user\Application Data\Waofef\huozop.exe" -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|fiinim (Trojan.Downloader.ic) -> Data: C:\Documents and Settings\user\fiinim.exe /n -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|kuaidi (Trojan.Downloader.ic) -> Data: C:\Documents and Settings\user\kuaidi.exe /l -> Quarantined and deleted successfully.
C:\Documents and Settings\user\zoouc.exe (Trojan.Downloader.ic) -> Quarantined and deleted successfully.
C:\Documents and Settings\user\Application Data\Waofef\huozop.exe (Trojan.Zbot) -> Quarantined and deleted successfully.
C:\Documents and Settings\user\fiinim.exe (Trojan.Downloader.ic) -> Quarantined and deleted successfully.
C:\Documents and Settings\user\kuaidi.exe (Trojan.Downloader.ic) -> Quarantined and deleted successfully.
C:\Documents and Settings\user\Local Settings\Temp\tmp2a2e58e0\8449.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\user\Local Settings\Temp\tmp2f576c77\8449.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\user\Secret.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\user\Passwords.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\user\Porn.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\user\Sexy.exe (Trojan.Agent) -> Quarantined and deleted successfully.
I have access to a windows install disk.
********************************
DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 8.0.6001.18702
Run by User at 11:18:04 on 2013-01-16
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.494.79 [GMT -5:00]
.
.
============== Running Processes ================
.
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\HP\HPLaserJetService\HPLaserJetService.exe
C:\WINDOWS\system32\HPSIsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\HP\HP UT LEDM\bin\hppusg.exe
C:\Documents and Settings\user\Local Settings\Application Data\Plaxo\3.34.0.3\PlaxoHelper_en.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Cactus Spam Filter 2.13\cactusspamfilter.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\user\prpuh.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k imgsvc
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.userwebsite.com/
uSearch Bar = hxxp://mysearch.myway.com/jsp/dellsidebar.jsp?p=DE
uDefault_Page_URL = hxxp://www.dell4me.com/mywaybiz
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*Yahoo! SearchBar Home Page
uProxyServer = www.userwebsite.com
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*Yahoo!
uURLSearchHooks: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - <orphaned>
dURLSearchHooks: {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - <orphaned>
BHO: Adobe PDF Reader Link Helper: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: DriveLetterAccess: {5CA3D70E-1895-11CF-8E15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
EB: Real.com: {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\shdocvw.dll
uRun: [PlaxoUpdate] c:\documents and settings\user\local settings\application data\plaxo\3.34.0.3\PlaxoHelper_en.exe -a
uRun: [DellSupport] "c:\program files\dellsupport\DSAgnt.exe" /startup
uRun: [PlaxoSysTray] c:\documents and settings\user\local settings\application data\plaxo\3.34.0.3\PlaxoSysTray.exe
uRun: [com.codeode.cactusspamfilter] "c:\program files\cactus spam filter 2.13\cactusspamfilter.exe" -minimized
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [{9D4E28EC-11C3-AD7A-A2B9-402D8134633F}] "c:\documents and settings\user\application data\ydwuyt\ruun.exe"
uRun: [yoraj] c:\documents and settings\user\yoraj.exe /g
uRun: [prpuh] c:\documents and settings\user\prpuh.exe /t
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [IntelWireless] c:\program files\intel\wireless\bin\ifrmewrk.exe /tf Intel PROSet/Wireless
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [vptray] c:\progra~1\symant~1\symant~1\vptray.exe
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [HPUsageTrackingLEDM] "c:\program files\hp\hp ut ledm\bin\hppusg.exe" "c:\program files\hp\hp ut ledm\"
mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSConfig.exe /auto
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
mPolicies-Windows\System: Allow-LogonScript-NetbiosDisabled = dword:1
mPolicies-Explorer: NoDriveTypeAutoRun = dword:145
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {22CC3EBD-C286-43aa-B8E6-06B115F74162} - c:\program files\hewlett-packard\smartprint\smartprintsetup.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0019-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_19-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
TCP: NameServer = 192.168.10.2 66.242.34.4
TCP: Interfaces\{3C751E06-830D-4D35-9F1D-706D34C34D35} : DHCPNameServer = 192.168.10.2 66.242.34.4
TCP: Interfaces\{531D3D38-B38F-4A40-9052-52EFBA55506B} : DHCPNameServer = 192.168.10.2
TCP: Interfaces\{78D93326-FED8-4403-8EEB-EE58AB4CE685} : DHCPNameServer = 192.168.10.2 66.242.34.4
TCP: Interfaces\{F72518B6-1C35-4A22-A80B-207B103E833C} : DHCPNameServer = 192.168.1.1
Notify: igfxcui - igfxdev.dll
Notify: IntelWireless - c:\program files\intel\wireless\bin\LgNotify.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\user\application data\mozilla\firefox\profiles\sntu04ad.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.userwebsite.com/
FF - prefs.js: network.proxy.ftp - www.userwebsite.com
FF - prefs.js: network.proxy.http - www.userwebsite.com
FF - prefs.js: network.proxy.socks - www.userwebsite.com
FF - prefs.js: network.proxy.ssl - www.userwebsite.com
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_5_502_146.dll
.
============= SERVICES / DRIVERS ===============
.
R2 NAVAPEL;NAVAPEL;c:\program files\symantec_client_security\symantec antivirus\Navapel.sys [2002-6-19 29184]
R3 NAVAP;NAVAP;c:\program files\symantec_client_security\symantec antivirus\Navap.sys [2002-6-19 218112]
S3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20101018.002\NAVENG.sys [2010-10-19 86064]
S3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20101018.002\NAVEX15.sys [2010-10-19 1371184]
.
=============== Created Last 30 ================
.
2013-01-16 16:05:48 217088 --sh--r- c:\documents and settings\user\prpuh.exe
2013-01-16 16:05:02 131072 ----a-w- c:\documents and settings\user\foofof.exe
2013-01-13 21:51:41 217088 --sh--r- c:\documents and settings\user\yoraj.exe
2013-01-13 21:51:12 90112 ----a-w- c:\documents and settings\user\goigog.exe
2013-01-10 20:22:29 217088 ----a-w- c:\documents and settings\user\runme.exe
2013-01-10 20:22:21 106496 ----a-w- c:\documents and settings\user\neonen.exe
2013-01-10 19:50:25 -------- d-----w- c:\documents and settings\user\badfiles
.
==================== Find3M ====================
.
2013-01-10 19:15:18 697864 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-01-10 19:15:17 74248 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-12-14 21:49:28 21104 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-10-22 08:37:31 1866368 ----a-w- c:\windows\system32\win32k.sys
.
============= FINISH: 11:21:04.13 ===============
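The DDS output above contains the two pieces of evidence a responder usually cross-checks first: recently created files in the profile root carrying the hidden+system attributes (`--sh--r-`), and HKCU Run entries (`uRun:`) that re-launch executables from inside the user profile. The script below is an added example, not part of the post and not code from the DDS or Malwarebytes tools; it parses log lines in the two formats quoted above and correlates them. The sample lines are copied from the log in the post (the poster's redaction `user` is kept), and the reading of the attribute letters (`d` = directory, `s` = system, `h` = hidden) is an assumption drawn from the log's own entries, not documented DDS behaviour.

```python
"""Triage of DDS-style log lines: which recently created files in the user
profile are hidden+system, and which of them are re-launched from a Run key.

Added example for the post above; not part of the post and not code from the
DDS or Malwarebytes tools. Attribute-letter reading (d/s/h) is an assumption.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

PROFILE_ROOT = "c:\\documents and settings\\"

# Constructed sample: lines copied from the "Created Last 30" / "Find3M" sections.
DDS_CREATED = """\
2013-01-16 16:05:48 217088 --sh--r- c:\\documents and settings\\user\\prpuh.exe
2013-01-16 16:05:02 131072 ----a-w- c:\\documents and settings\\user\\foofof.exe
2013-01-13 21:51:41 217088 --sh--r- c:\\documents and settings\\user\\yoraj.exe
2013-01-10 20:22:29 217088 ----a-w- c:\\documents and settings\\user\\runme.exe
2013-01-10 19:50:25 -------- d-----w- c:\\documents and settings\\user\\badfiles
2013-01-10 19:15:18 697864 ----a-w- c:\\windows\\system32\\FlashPlayerApp.exe
"""

# Constructed sample: Run-key lines from the "Pseudo HJT Report" section
# (uRun = HKCU ...\Run, mRun = HKLM ...\Run).
DDS_RUN = """\
uRun: [PlaxoUpdate] c:\\documents and settings\\user\\local settings\\application data\\plaxo\\3.34.0.3\\PlaxoHelper_en.exe -a
uRun: [ctfmon.exe] c:\\windows\\system32\\ctfmon.exe
uRun: [{9D4E28EC-11C3-AD7A-A2B9-402D8134633F}] "c:\\documents and settings\\user\\application data\\ydwuyt\\ruun.exe"
uRun: [yoraj] c:\\documents and settings\\user\\yoraj.exe /g
uRun: [prpuh] c:\\documents and settings\\user\\prpuh.exe /t
mRun: [SynTPLpr] c:\\program files\\synaptics\\syntp\\SynTPLpr.exe
"""


@dataclass
class Created:
    when: str
    size: int | None      # None for directory rows, which DDS prints as '--------'
    attrs: str            # eight-character attribute string, e.g. '--sh--r-'
    path: str

    @property
    def hidden_system(self) -> bool:
        # Assumed reading: 's' = system attribute, 'h' = hidden attribute.
        return "s" in self.attrs and "h" in self.attrs


@dataclass
class RunEntry:
    hive: str   # 'u' (HKCU) or 'm' (HKLM)
    name: str   # registry value name, e.g. 'prpuh' or a GUID
    path: str   # launched executable, lower-cased
    args: str


_CREATED_RE = re.compile(r"^(\S+ \S+)\s+(\d+|-+)\s+([a-z-]{8})\s+(.+)$")
_RUN_RE = re.compile(r"^([um])Run:\s+\[([^\]]+)\]\s+(.+)$")
_QUOTED_RE = re.compile(r'^"([^"]+)"\s*(.*)$')
_EXE_RE = re.compile(r"^(.*?\.exe)\s*(.*)$", re.IGNORECASE)


def parse_created(text: str) -> list[Created]:
    out = []
    for line in text.splitlines():
        m = _CREATED_RE.match(line.strip())
        if not m:
            continue
        size = int(m.group(2)) if m.group(2).isdigit() else None
        out.append(Created(m.group(1), size, m.group(3), m.group(4).lower()))
    return out


def parse_run(text: str) -> list[RunEntry]:
    out = []
    for line in text.splitlines():
        m = _RUN_RE.match(line.strip())
        if not m:
            continue
        cmd = m.group(3)
        # Quoted commands carry the path in the quotes; otherwise split after '.exe'
        # so paths containing spaces are not cut at the first space.
        q = _QUOTED_RE.match(cmd) or _EXE_RE.match(cmd)
        path, args = (q.group(1), q.group(2)) if q else (cmd, "")
        out.append(RunEntry(m.group(1), m.group(2), path.lower(), args))
    return out


def profile_relative(path: str) -> list[str] | None:
    """Components below c:\\documents and settings\\<user>\\, or None if outside a profile."""
    if not path.startswith(PROFILE_ROOT):
        return None
    return path[len(PROFILE_ROOT):].split("\\")[1:]


def suspicious_run(entries: list[RunEntry]) -> list[tuple[RunEntry, str]]:
    """Run-key targets inside a user profile. An executable sitting directly in the
    profile root ('profile-root') is the stronger signal; 'profile-subdir' also
    catches legitimate per-user installs and needs a human look."""
    flagged = []
    for e in entries:
        rel = profile_relative(e.path)
        if rel is None:
            continue
        flagged.append((e, "profile-root" if len(rel) == 1 else "profile-subdir"))
    return flagged


def hidden_system_files(entries: list[Created]) -> list[Created]:
    return [c for c in entries if c.hidden_system and not c.attrs.startswith("d")]


def correlate(created: list[Created], run: list[RunEntry]) -> list[str]:
    """File names that are both hidden+system recent files and Run-key targets."""
    recent = {c.path.rsplit("\\", 1)[-1] for c in hidden_system_files(created)}
    launched = {e.path.rsplit("\\", 1)[-1] for e in run}
    return sorted(recent & launched)


if __name__ == "__main__":
    created, run = parse_created(DDS_CREATED), parse_run(DDS_RUN)
    for e, why in suspicious_run(run):
        print(f"{why:15} {e.hive}Run [{e.name}] -> {e.path} {e.args}".rstrip())
    print("hidden+system and auto-started:", correlate(created, run))
```

Run on the sample, the correlation returns `prpuh.exe` and `yoraj.exe`: the two files created with hidden+system attributes in the profile root are exactly the ones the `uRun` entries restart, which matches the poster's observation that the oddly named process comes back after every reboot. The `profile-subdir` hits include the legitimate PlaxoHelper entry alongside the `ydwuyt\ruun.exe` one, which is why that tier is a review queue rather than a verdict.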