
Infected with MS AntiSpyware 2009 or 360 or Vundo


  • This topic is locked
18 replies to this topic

#1 rozzie chapman

rozzie chapman

  • Members
  • 10 posts
  • OFFLINE
  • Local time:11:20 AM

Posted 20 December 2008 - 05:04 AM

I have run Anti-Malware 1.31 but still have traces of infection. I'm not sure which one is still giving me grief... sigh. Any help most humbly and gratefully appreciated...

When I run Anti-Malware it says I have this registry key to delete on reboot - after I reboot and rescan, it is still there:

Malwarebytes' Anti-Malware 1.31
Database version: 1525
Windows 5.1.2600 Service Pack 3

12/21/2008 6:41:55 PM
mbam-log-2008-12-21 (18-41-48).txt

Scan type: Quick Scan
Objects scanned: 43495
Time elapsed: 1 minute(s), 10 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.BHO) -> No action taken.



When I run SUPERAntiSpyware it picks up the following and again fails to delete it on reboot:

Unclassified.Unknown Origin
-E:\WINDOWS\SYSTEM32\WUGUYIBU.DLL
-HKCR\CLSID\{EC43E3FD-5C60-46A6-97D7-E0B85DBDD6C4}
-HKCR\CLSID\{EC43E3FD-5C60-46A6-97D7-E0B85DBDD6C4}
-HKCR\CLSID\{EC43E3FD-5C60-46A6-97D7-E0B85DBDD6C4}\InprocServer32
-HKCR\CLSID\{EC43E3FD-5C60-46A6-97D7-E0B85DBDD6C4}\InprocServer32(ThreadingModel-)
-HKLM\Software\Classes\CLSID\{EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4}


However when I look in the system32 directory I cannot find a file called WUGUYIBU.DLL

These are the other logs:

User:

Computer Name: ROZZIEPC
Event Code: 1800
Message: The Windows Security Center Service has started.

Record Number: 3
Source Name: SecurityCenter
Time Written: 20081219133043.000000+660
Event Type: information
User:

Computer Name: ROZZIEPC
Event Code: 1800
Message: The Windows Security Center Service has started.

Record Number: 2
Source Name: SecurityCenter
Time Written: 20081219132550.000000+660
Event Type: information
User:

Computer Name: ROZZIEPC
Event Code: 1800
Message: The Windows Security Center Service has started.

Record Number: 1
Source Name: SecurityCenter
Time Written: 20081219120843.000000+660
Event Type: information
User:

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"Path"=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem
"windir"=%SystemRoot%
"FP_NO_HOST_CHECK"=NO
"OS"=Windows_NT
"PROCESSOR_ARCHITECTURE"=x86
"PROCESSOR_LEVEL"=6
"PROCESSOR_IDENTIFIER"=x86 Family 6 Model 15 Stepping 13, GenuineIntel
"PROCESSOR_REVISION"=0f0d
"NUMBER_OF_PROCESSORS"=2
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP

-----------------EOF-----------------

Logfile of random's system information tool 1.05 (written by random/random)
Run by Rozzie Chapman at 2008-12-20 20:55:08
Microsoft Windows XP Professional Service Pack 3
System drive E: has 418 GB (88%) free of 477 GB
Total RAM: 2046 MB (76% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:55:21 PM, on 12/20/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
E:\WINDOWS\system32\spoolsv.exe
E:\Program Files\FRISK Software\F-PROT Antivirus for Windows\FPAVServer.exe
E:\WINDOWS\system32\nvsvc32.exe
E:\Program Files\Spyware Doctor\pctsAuxs.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\Explorer.EXE
E:\WINDOWS\system32\RUNDLL32.EXE
E:\WINDOWS\RTHDCPL.EXE
E:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
E:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
E:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
E:\WINDOWS\system32\HPZipm12.exe
E:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
E:\Program Files\Mozilla Firefox\firefox.exe
E:\Documents and Settings\Rozzie Chapman\Desktop\RSIT.exe
E:\Program Files\trend micro\Rozzie Chapman.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE E:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE E:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [F-PROT Antivirus Tray application] E:\Program Files\FRISK Software\F-PROT Antivirus for Windows\FProtTray.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\RunOnce: [Malwarebytes Anti-Malware (reboot)] "E:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [SUPERAntiSpyware] E:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [pesezujari] Rundll32.exe "E:\WINDOWS\system32\puyeyure.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [pesezujari] Rundll32.exe "E:\WINDOWS\system32\puyeyure.dll",s (User 'NETWORK SERVICE')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = E:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: hp psc 2000 Series.lnk = E:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - E:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - E:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/pub/shock...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{D3C8A62A-B400-4076-85A9-9DBAF952256C}: NameServer = 10.0.0.138
O20 - AppInit_DLLs: E:\WINDOWS\system32\gowisese.dll e:\windows\system32\wuguyibu.dll e:\windows\system32\zukogulu.dll e:\windows\system32\pesakuga.dll e:\windows\system32\tinajepu.dll
O20 - Winlogon Notify: !SASWinLogon - E:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - E:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: F-PROT Antivirus for Windows system (FPAVServer) - FRISK Software International - E:\Program Files\FRISK Software\F-PROT Antivirus for Windows\FPAVServer.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - E:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - E:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - E:\Program Files\Spyware Doctor\pctsAuxs.exe

--
End of file - 4295 bytes

======Scheduled tasks folder======

E:\WINDOWS\tasks\F-PROT Antivirus - Weekly.job
E:\WINDOWS\tasks\FRU Task #Hewlett-Packard#hp psc 2100 series#1221893911.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
AcroIEHlprObj Class - E:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll [2006-01-12 63128]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"=E:\WINDOWS\system32\NvCpl.dll [2007-06-29 8466432]
"nwiz"=nwiz.exe /install []
"NvMediaCenter"=E:\WINDOWS\system32\NvMcTray.dll [2007-06-29 81920]
"F-PROT Antivirus Tray application"=E:\Program Files\FRISK Software\F-PROT Antivirus for Windows\FProtTray.exe [2008-04-21 1597832]
"RTHDCPL"=E:\WINDOWS\RTHDCPL.EXE [2005-09-22 14854144]
"Alcmtr"=E:\WINDOWS\ALCMTR.EXE [2005-05-03 69632]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Malwarebytes Anti-Malware (reboot)"=E:\Program Files\Malwarebytes' Anti-Malware\mbam.exe [2008-12-03 1265296]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"=E:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe [2008-12-04 1809648]

E:\Documents and Settings\All Users\Start Menu\Programs\Startup
Adobe Reader Speed Launch.lnk - E:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
hp psc 2000 Series.lnk - E:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
hpoddt01.exe.lnk - E:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLS"="E:\WINDOWS\system32\gowisese.dll e:\windows\system32\wuguyibu.dll e:\windows\system32\zukogulu.dll e:\windows\system32\pesakuga.dll e:\windows\system32\tinajepu.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\!SASWinLogon]
E:\Program Files\SUPERAntiSpyware\SASWINLO.dll [2008-12-03 352256]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
E:\WINDOWS\system32\WgaLogon.dll [2008-09-05 241704]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"=E:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"notification packages"=scecli
E:\WINDOWS\system32\gowisese.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\FPAVServer]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\aawservice]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\FPAVServer]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\sdauxservice]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\sdcoreservice]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1
"DisableCAD"=0

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"E:\WINDOWS\explorer.exe"="E:\WINDOWS\explorer.exe:*:Enabled:Explorer"
"E:\WINDOWS\system32\winlogon.exe"="E:\WINDOWS\system32\winlogon.exe:*:Enabled:winlogon"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

======List of files/folders created in the last 1 months======

2008-12-20 20:55:09 ----D---- E:\Program Files\trend micro
2008-12-20 20:55:08 ----D---- E:\rsit
2008-12-20 20:11:20 ----D---- E:\Documents and Settings\Rozzie Chapman\Application Data\Malwarebytes
2008-12-20 20:11:16 ----D---- E:\Program Files\Malwarebytes' Anti-Malware
2008-12-20 20:11:16 ----D---- E:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-12-20 03:00:16 ----A---- E:\WINDOWS\system32\MRT.exe
2008-12-19 19:00:54 ----A---- E:\WINDOWS\ntbtlog.txt
2008-12-19 15:47:47 ----D---- E:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-12-19 15:47:38 ----D---- E:\Program Files\SUPERAntiSpyware
2008-12-19 15:47:38 ----D---- E:\Documents and Settings\Rozzie Chapman\Application Data\SUPERAntiSpyware.com
2008-12-19 13:21:32 ----HDC---- E:\WINDOWS\$NtUninstallKB955839$
2008-12-19 13:21:03 ----HDC---- E:\WINDOWS\$NtUninstallKB958215$
2008-12-19 13:20:55 ----HDC---- E:\WINDOWS\$NtUninstallKB952069_WM9$
2008-12-19 13:20:48 ----HDC---- E:\WINDOWS\$NtUninstallKB960714$
2008-12-19 13:20:41 ----HDC---- E:\WINDOWS\$NtUninstallKB954600$
2008-12-19 13:20:33 ----HDC---- E:\WINDOWS\$NtUninstallKB956802$
2008-12-19 13:15:25 ----D---- E:\Documents and Settings\Rozzie Chapman\Application Data\Mozilla
2008-12-19 13:15:18 ----D---- E:\Program Files\Mozilla Firefox
2008-12-17 18:33:45 ----D---- E:\Program Files\Lavasoft
2008-12-17 18:33:45 ----D---- E:\Documents and Settings\All Users\Application Data\Lavasoft
2008-12-17 18:32:51 ----D---- E:\Program Files\Common Files\Wise Installation Wizard
2008-12-13 19:46:39 ----D---- E:\WINDOWS\Minidump
2008-12-13 19:45:40 ----AD---- E:\Documents and Settings\All Users\Application Data\TEMP
2008-12-13 19:45:33 ----D---- E:\Program Files\Spyware Doctor
2008-12-13 19:45:33 ----D---- E:\Documents and Settings\Rozzie Chapman\Application Data\PC Tools
2008-12-12 22:48:45 ----D---- E:\2008-12-12
2008-12-12 05:34:54 ----A---- E:\WINDOWS\system32\SET41.tmp
2008-12-12 05:34:53 ----A---- E:\WINDOWS\system32\SET43.tmp
2008-12-12 05:34:53 ----A---- E:\WINDOWS\system32\SET42.tmp
2008-12-12 05:34:52 ----N---- E:\WINDOWS\system32\SET44.tmp
2008-11-24 14:43:51 ----D---- E:\Documents and Settings\Rozzie Chapman\Application Data\vlc
2008-11-24 14:41:53 ----D---- E:\Program Files\VideoLAN

======List of files/folders modified in the last 1 months======

2008-12-20 20:55:15 ----D---- E:\WINDOWS\Prefetch
2008-12-20 20:55:09 ----RD---- E:\Program Files
2008-12-20 20:31:35 ----D---- E:\WINDOWS\Temp
2008-12-20 20:31:34 ----D---- E:\WINDOWS\system32
2008-12-20 20:27:16 ----D---- E:\WINDOWS\system32\Lang
2008-12-20 20:26:10 ----A---- E:\WINDOWS\SchedLgU.Txt
2008-12-20 20:19:25 ----D---- E:\WINDOWS\system32\CatRoot2
2008-12-20 20:18:17 ----D---- E:\WINDOWS\system32\drivers
2008-12-20 20:10:33 ----SD---- E:\WINDOWS\Tasks
2008-12-20 19:54:49 ----D---- E:\Documents and Settings\Rozzie Chapman\Application Data\MailWasherPro
2008-12-19 23:05:36 ----D---- E:\Documents and Settings\Rozzie Chapman\Application Data\PocoMail
2008-12-19 23:04:36 ----D---- E:\Program Files\PocoMail4
2008-12-19 22:54:24 ----D---- E:\WINDOWS
2008-12-19 22:32:07 ----SD---- E:\Documents and Settings\All Users\Application Data\Microsoft
2008-12-19 15:47:44 ----SHD---- E:\WINDOWS\Installer
2008-12-19 15:46:47 ----D---- E:\downloads
2008-12-19 13:29:27 ----HD---- E:\WINDOWS\inf
2008-12-19 13:29:26 ----D---- E:\WINDOWS\system32\CatRoot
2008-12-19 13:21:09 ----A---- E:\WINDOWS\imsins.BAK
2008-12-19 13:21:07 ----RSHDC---- E:\WINDOWS\system32\dllcache
2008-12-19 13:21:00 ----HD---- E:\WINDOWS\$hf_mig$
2008-12-19 12:08:26 ----SHD---- E:\WINDOWS\CSC
2008-12-17 18:32:51 ----D---- E:\Program Files\Common Files
2008-12-16 11:43:13 ----ASH---- E:\WINDOWS\system32\mureyiwa.dll
2008-12-13 22:50:57 ----D---- E:\Program Files\Cakewalk Express Gold
2008-12-13 22:28:58 ----D---- E:\~piano rolls
2008-12-13 19:50:55 ----A---- E:\WINDOWS\system32\PerfStringBackup.INI
2008-12-13 04:01:00 ----A---- E:\WINDOWS\system32\mshtml.dll
2008-12-12 22:34:25 ----SD---- E:\WINDOWS\Downloaded Program Files
2008-12-03 18:11:13 ----D---- E:\WINDOWS\Help

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 IKSysFlt;System Filter Driver; E:\WINDOWS\system32\drivers\iksysflt.sys [2008-08-25 66952]
R1 IKSysSec;System Security Driver; E:\WINDOWS\system32\drivers\iksyssec.sys [2008-08-25 81288]
R1 intelppm;Intel Processor Driver; E:\WINDOWS\system32\DRIVERS\intelppm.sys [2008-04-14 36352]
R1 SASDIFSV;SASDIFSV; \??\E:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS []
R1 SASKUTIL;SASKUTIL; \??\E:\Program Files\SUPERAntiSpyware\SASKUTIL.sys []
R2 irda;IrDA Protocol; E:\WINDOWS\system32\DRIVERS\irda.sys [2008-04-14 88192]
R3 Arp1394;1394 ARP Client Protocol; E:\WINDOWS\system32\DRIVERS\arp1394.sys [2008-04-14 60800]
R3 HDAudBus;Microsoft UAA Bus Driver for High Definition Audio; E:\WINDOWS\system32\DRIVERS\HDAudBus.sys [2008-04-14 144384]
R3 HidUsb;Microsoft HID Class Driver; E:\WINDOWS\system32\DRIVERS\hidusb.sys [2008-04-14 10368]
R3 HPZid412;IEEE-1284.4 Driver HPZid412; E:\WINDOWS\system32\DRIVERS\HPZid412.sys [2003-03-09 51024]
R3 HPZipr12;Print Class Driver for IEEE-1284.4 HPZipr12; E:\WINDOWS\system32\DRIVERS\HPZipr12.sys [2003-03-09 16080]
R3 HPZius12;USB to IEEE-1284.4 Translation Driver HPZius12; E:\WINDOWS\system32\DRIVERS\HPZius12.sys [2003-03-09 21456]
R3 IntcAzAudAddService;Service for Realtek HD Audio (WDM); E:\WINDOWS\system32\drivers\RtkHDAud.sys [2005-09-23 3966976]
R3 irsir;Microsoft Serial Infrared Driver; E:\WINDOWS\system32\DRIVERS\irsir.sys [2001-08-18 18688]
R3 NIC1394;1394 Net Driver; E:\WINDOWS\system32\DRIVERS\nic1394.sys [2008-04-14 61824]
R3 nv;nv; E:\WINDOWS\system32\DRIVERS\nv4_mini.sys [2007-06-29 6807328]
R3 Rasirda;WAN Miniport (IrDA); E:\WINDOWS\system32\DRIVERS\rasirda.sys [2001-08-18 19584]
R3 SASENUM;SASENUM; \??\E:\Program Files\SUPERAntiSpyware\SASENUM.SYS []
R3 usbaudio;USB Audio Driver (WDM); E:\WINDOWS\system32\drivers\usbaudio.sys [2008-04-14 60032]
R3 usbccgp;Microsoft USB Generic Parent Driver; E:\WINDOWS\system32\DRIVERS\usbccgp.sys [2008-04-14 32128]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; E:\WINDOWS\system32\DRIVERS\usbehci.sys [2008-04-14 30208]
R3 usbhub;Microsoft USB Standard Hub Driver; E:\WINDOWS\system32\DRIVERS\usbhub.sys [2008-04-14 59520]
R3 usbprint;Microsoft USB PRINTER Class; E:\WINDOWS\system32\DRIVERS\usbprint.sys [2008-04-14 25856]
R3 usbscan;USB Scanner Driver; E:\WINDOWS\system32\DRIVERS\usbscan.sys [2008-04-14 15104]
R3 USBSTOR;USB Mass Storage Driver; E:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-14 26368]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; E:\WINDOWS\system32\DRIVERS\usbuhci.sys [2008-04-14 20608]
R3 yukonwxp;NDIS5.1 Miniport Driver for Marvell Yukon Ethernet Controller; E:\WINDOWS\system32\DRIVERS\yk51x86.sys [2006-03-15 244608]
S1 kbdhid;Keyboard HID Driver; E:\WINDOWS\system32\DRIVERS\kbdhid.sys [2008-04-14 14592]
S3 GMSIPCI;GMSIPCI; \??\D:\INSTALL\GMSIPCI.SYS []
S3 MSICPL;MSICPL; \??\D:\install4\MSICPL.sys []
S3 NTACCESS;NTACCESS; \??\D:\NTACCESS.sys []
S3 rtl8029;Realtek RTL8029(AS)-based PCI Ethernet Adapter NT Driver; E:\WINDOWS\system32\DRIVERS\RTL8029.SYS [2001-08-17 19017]
S3 SetupNTGLM7X;SetupNTGLM7X; \??\D:\NTGLM7X.sys []
S4 IntelIde;IntelIde; E:\WINDOWS\system32\drivers\IntelIde.sys []

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 aawservice;Lavasoft Ad-Aware Service; E:\Program Files\Lavasoft\Ad-Aware\aawservice.exe [2008-09-10 611664]
R2 FPAVServer;F-PROT Antivirus for Windows system; E:\Program Files\FRISK Software\F-PROT Antivirus for Windows\FPAVServer.exe [2008-04-21 45960]
R2 Irmon;Infrared Monitor; E:\WINDOWS\system32\svchost.exe [2008-04-14 14336]
R2 NVSvc;NVIDIA Display Driver Service; E:\WINDOWS\system32\nvsvc32.exe [2007-06-29 155716]
R2 sdAuxService;PC Tools Auxiliary Service; E:\Program Files\Spyware Doctor\pctsAuxs.exe [2008-06-13 356920]
R3 Pml Driver HPZ12;Pml Driver HPZ12; E:\WINDOWS\system32\HPZipm12.exe [2003-03-09 65795]

-----------------EOF-----------------

Edited by rozzie chapman, 21 December 2008 - 03:02 AM.
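The logs above show the three persistence mechanisms this family of infection relies on: a list of DLLs in AppInit_DLLs (loaded into every process that links user32.dll, and normally empty on XP), Run keys under the LOCAL SERVICE and NETWORK SERVICE hives that use rundll32 to load a DLL, and an extra LSA notification package beside the default scecli. The following Python script is an added example, not part of the thread or of HijackThis/RSIT, that pulls those entries out of a log and flags them; the SAMPLE_LOG is a constructed excerpt modelled on the lines posted above, and the consonant/vowel name heuristic is an assumption for prioritising review, not a signature.

```python
"""Persistence triage for a HijackThis / RSIT log (added example, not part of
the thread or of either tool).

Flags three mechanisms visible in the log posted above:
  * O20 AppInit_DLLs entries (each DLL is loaded into every process that
    links user32.dll; on a clean XP box the value is normally empty)
  * O4 Run keys under the service-account hives HKU\\S-1-5-19 (LOCAL SERVICE)
    and HKU\\S-1-5-20 (NETWORK SERVICE) that use rundll32 to load a DLL
  * LSA 'notification packages' beyond the default 'scecli'
"""
import ntpath
import re

SERVICE_SIDS = {"S-1-5-19", "S-1-5-20"}
DEFAULT_LSA_PACKAGES = {"scecli"}

# Constructed sample modelled on lines from the log above (not the full log).
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE E:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKUS\S-1-5-19\..\Run: [pesezujari] Rundll32.exe "E:\WINDOWS\system32\puyeyure.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [pesezujari] Rundll32.exe "E:\WINDOWS\system32\puyeyure.dll",s (User 'NETWORK SERVICE')
O20 - AppInit_DLLs: E:\WINDOWS\system32\gowisese.dll e:\windows\system32\wuguyibu.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"notification packages"=scecli
E:\WINDOWS\system32\gowisese.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
"""


def looks_autogenerated(filename):
    """Heuristic (an assumption of this example): an 8-letter stem that
    alternates consonant/vowel, like gowisese or puyeyure. Legitimate names
    can match too, so treat a hit as 'review first', not as a verdict."""
    stem = ntpath.basename(filename).rsplit(".", 1)[0].lower()
    if not re.fullmatch(r"[a-z]{8}", stem):
        return False
    shape = "".join("v" if c in "aeiou" else "c" for c in stem)
    return shape in ("cvcvcvcv", "vcvcvcvc")


def _finding(mechanism, path):
    return {"mechanism": mechanism, "path": path,
            "autogenerated_name": looks_autogenerated(path)}


def _extract_dll(text):
    """First Windows path ending in .dll inside a rundll32 command line."""
    m = re.search(r'[A-Za-z]:\\[^",]+?\.dll', text, re.IGNORECASE)
    return m.group(0) if m else None


def parse_findings(log_text):
    findings = []
    current_key = None          # registry key open in the RSIT dump, if any
    in_lsa_packages = False     # inside the multi-line notification packages value
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            current_key, in_lsa_packages = None, False
            continue
        # RSIT registry dump: "[HKEY_...]" opens a key whose values follow
        # until the next blank line.
        if line.startswith("[HKEY_"):
            current_key, in_lsa_packages = line[1:-1], False
            continue
        if current_key and current_key.lower().endswith(r"\control\lsa"):
            m = re.match(r'"notification packages"=(.*)', line, re.IGNORECASE)
            if m:
                in_lsa_packages = True
                names = [m.group(1).strip()]
            elif in_lsa_packages:
                names = [line]     # continuation line of the REG_MULTI_SZ value
            else:
                names = []
            for name in names:
                if name.lower() not in DEFAULT_LSA_PACKAGES:
                    findings.append(_finding("LSA notification package", name))
            continue
        m = re.match(r"O20 - AppInit_DLLs:\s*(.*)", line)
        if m:
            # Entries are space-separated; paths with spaces would need
            # quoting, which this log does not use.
            for path in m.group(1).split():
                findings.append(_finding("AppInit_DLLs", path))
            continue
        m = re.match(r"O4 - HKUS\\(S-1-5-\d+)\\\.\.\\Run: \[[^\]]*\] (.*)", line)
        if m and m.group(1) in SERVICE_SIDS and "rundll32" in m.group(2).lower():
            path = _extract_dll(m.group(2))
            if path:
                findings.append(_finding("Run key under service hive " + m.group(1), path))
    return findings


if __name__ == "__main__":
    for f in parse_findings(SAMPLE_LOG):
        flag = " (name looks autogenerated)" if f["autogenerated_name"] else ""
        print(f"{f['mechanism']}: {f['path']}{flag}")
```

Run on the sample it reports five entries: the two AppInit_DLLs paths, the same puyeyure.dll loaded from both service-account hives, and gowisese.dll as an extra LSA notification package; the Adobe BHO and the NVIDIA rundll32 entry under HKLM are left alone. An LSA notification package is a DLL lsass.exe loads at boot, which is why the user's on-demand scanners could report the key but not clear it on reboot.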



#2 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:07:20 PM

Posted 21 December 2008 - 09:32 AM

Hello! :thumbsup:
My name is Sam and I will be helping you.

In order to see what's going on with your computer I may ask for you to post various logs from the tools that we will use to resolve your issue. Please also share with me any information about how your computer is reacting and behaving each step of the way as we work through this process.



Please download ComboFix from one of these locations:

Link 1
Link 2
Link 3

Important!
You should NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert.
It is intended by its creator to be used under the guidance and supervision of a Malware Removal Expert, not for private use.
Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.



Make sure that you save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.




Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#3 rozzie chapman

rozzie chapman
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:11:20 AM

Posted 22 December 2008 - 04:06 AM

Hi there Sam,

Thank you for your assistance - I've been tearing my hair out! I downloaded the Combofix program and double clicked it. This is the error message I got:

Windows cannot find '32788R22FWFW\nircmd.com'. Make sure you typed the name correctly, and then try again. To search for a file, click the Start button, and then click Search.

I clicked search but the file was not found...

#4 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:07:20 PM

Posted 22 December 2008 - 10:36 AM

Did you save Combofix.exe to your desktop?

Try renaming combofix.exe to cf.exe and then run the program.

#5 rozzie chapman

rozzie chapman
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:11:20 AM

Posted 23 December 2008 - 02:23 AM

Yes, I saved it to the desktop. I downloaded another copy from one of the other mirror sites to see if it was a corrupted file - same result. I renamed to cf.com as you suggested. Same again. I took a look in the directory E:\32788R22FWJFW and found a file that looks similar to the one the program was looking for - NirCmdC.cfexe - should I try renaming this to NirCmd.exe?

#6 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:07:20 PM

Posted 23 December 2008 - 11:33 AM

I'm puzzled by this directory. What else is in this folder?

E:\32788R22FWJFW


#7 rozzie chapman

rozzie chapman
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:11:20 AM

Posted 23 December 2008 - 06:31 PM

The directory is created by combofix - when I renamed the folder and re-ran combofix it made another folder with the same name. Interesting thing is that in my midnight scan, f-prot picked up the files as containing w32/trojan3.0e and w32/trojan3.0d - also the archive contains NirCmd.exe but for some reason when I click on the archive it does not copy the file to the E-drive directory. F-prot has marked this file as a trojan also. Here is a directory listing for the folder. My boot drive is E rather than C but I have created a C drive should this be important.


E:\32788R22FWJFW>dir
Volume in drive E has no label.
Volume Serial Number is B0DD-9FB9

Directory of E:\32788R22FWJFW


E:\32788R22FWJFW>

Edited by Buckeye_Sam, 23 December 2008 - 07:25 PM.
removed info


#8 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:07:20 PM

Posted 23 December 2008 - 07:29 PM

Ok. I edited your post to remove that info. Malware developers are known to frequent these forums to see the methods that we use to remove malware. We don't want to give them any info that might be used against us.

It's not uncommon for Combofix to be falsely identified as malware. Have you disabled F-Secure and Spyware Doctor before attempting to run Combofix?

#9 rozzie chapman

rozzie chapman
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:11:20 AM

Posted 23 December 2008 - 09:24 PM

Yes, I disabled all the security stuff - same problem. I think it might be a problem with something being read-only maybe? The NirCmd.exe file is in the archive but it won't write to the hard disk...

I thought the trojan warning might have been a false positive - with all the background stuff it needs to do and access it isn't surprising that it would ring a few alarms....

#10 rozzie chapman

rozzie chapman
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:11:20 AM

Posted 24 December 2008 - 06:28 AM

After giving this some thought, my theory is that combofix expects the system to be installed on the C drive whereas on my PC it is on the E drive. Any ideas on how to get around this?

#11 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:07:20 PM

Posted 24 December 2008 - 11:49 AM

Let's see if we can skip Combofix and work around it that way. It may take another step or two but we should be able to get there.

Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back here in your next reply.


#12 rozzie chapman

rozzie chapman
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:11:20 AM

Posted 24 December 2008 - 11:27 PM

Worked first time - here is the log:


SDFix: Version 1.240
Run by Rozzie Chapman on Thu 12/25/2008 at 02:32 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: E:\SDFix

Checking Services :


Restoring Default Security Values
Restoring Default Hosts File

Rebooting


Checking Files :

No Trojan Files Found






Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-25 15:23:54
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"E:\\WINDOWS\\explorer.exe"="E:\\WINDOWS\\explorer.exe:*:Enabled:Explorer"
"E:\\WINDOWS\\system32\\winlogon.exe"="E:\\WINDOWS\\system32\\winlogon.exe:*:Enabled:winlogon"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

Remaining Files :



Files with Hidden Attributes :

Tue 16 Sep 2008 65,788 A.SH. --- E:\WINDOWS\SYSTEM32\HARAPU~1.TMP
Tue 16 Dec 2008 65,788 A.SH. --- E:\WINDOWS\SYSTEM32\MUREYIWA.DLL
Tue 16 Sep 2008 65,788 A.SH. --- E:\WINDOWS\SYSTEM32\NAMURE~1.TMP
Tue 16 Sep 2008 65,788 A.SH. --- E:\WINDOWS\SYSTEM32\RIVOVO~1.TMP

Finished!

#13 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 25 December 2008 - 07:04 PM

Please download the OTMoveIt3 by OldTimer.
  • Save it to your desktop.
  • Please click OTMoveIt3 and then click >> run.
  • Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    :files
    E:\WINDOWS\SYSTEM32\HARAPU~1.TMP
    E:\WINDOWS\SYSTEM32\MUREYIWA.DLL
    E:\WINDOWS\SYSTEM32\NAMURE~1.TMP
    E:\WINDOWS\SYSTEM32\RIVOVO~1.TMP
    
    :reg
    [-HKEY_CLASSES_ROOT\CLSID\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4}]
    [-HKEY_CLASSES_ROOT\CLSID\{EC43E3FD-5C60-46A6-97D7-E0B85DBDD6C4}]
    
    :Commands
    [EmptyTemp]
    [Reboot]
  • Return to OTMoveIt3, right click in the "Paste Instructions for items to be Moved" window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt3
Note: If an item cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.



Let me know how your computer is behaving now.

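As an added example (not the helper's, SDFix's or OTMoveIt3's own code): a small Python parser for the SDFix "Files with Hidden Attributes" lines posted above, with a defender-side check for the pattern the helper acted on here, four System+Hidden files of identical size under SYSTEM32, which is exactly what became the :files list in the OTMoveIt3 script. The sample lines are the report's own plus one constructed benign entry; the size-twin and .TMP heuristic is an assumption of this example, not a rule SDFix applies.

```python
import re
from collections import defaultdict

# Constructed sample input: the four "Files with Hidden Attributes" lines from the
# SDFix report in this thread, plus one made-up System32 entry that is hidden
# but NOT marked System, to show the filter leaves ordinary hidden files alone.
SDFIX_LINES = r"""
Tue 16 Sep 2008 65,788 A.SH. --- E:\WINDOWS\SYSTEM32\HARAPU~1.TMP
Tue 16 Dec 2008 65,788 A.SH. --- E:\WINDOWS\SYSTEM32\MUREYIWA.DLL
Tue 16 Sep 2008 65,788 A.SH. --- E:\WINDOWS\SYSTEM32\NAMURE~1.TMP
Tue 16 Sep 2008 65,788 A.SH. --- E:\WINDOWS\SYSTEM32\RIVOVO~1.TMP
Fri 04 Aug 2004 53,248 A..H. --- E:\WINDOWS\SYSTEM32\DLLCACHE\AUDIOSRV.DLL
"""

# One SDFix line: <weekday> <day> <month> <year> <size> <attribute flags> --- <path>
# In the flag field the letters present are the attributes set: A archive, S system, H hidden.
LINE_RE = re.compile(
    r"^(?P<date>\w{3} \d{1,2} \w{3} \d{4})\s+(?P<size>[\d,]+)\s+"
    r"(?P<attrs>\S+)\s+---\s+(?P<path>.+?)\s*$"
)


def parse_sdfix_hidden(report_text):
    """Parse 'Files with Hidden Attributes' lines; skip anything else in the report."""
    records = []
    for line in report_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            records.append({
                "date": m["date"],
                "size": int(m["size"].replace(",", "")),
                "attrs": m["attrs"],
                "path": m["path"],
            })
    return records


def flag_suspicious(records):
    """Paths that look like one dropper's payload set: System+Hidden files under
    SYSTEM32 that use a .TMP extension or share an exact byte size with another
    System+Hidden file (all four files in the report above share 65,788 bytes)."""
    candidates = [r for r in records
                  if "\\SYSTEM32\\" in r["path"].upper()
                  and "S" in r["attrs"] and "H" in r["attrs"]]
    by_size = defaultdict(list)
    for r in candidates:
        by_size[r["size"]].append(r["path"])
    return [r["path"] for r in candidates
            if len(by_size[r["size"]]) > 1 or r["path"].upper().endswith(".TMP")]
```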

========================================================

#14 rozzie chapman

rozzie chapman
  • Topic Starter

  • Members
  • 10 posts

Posted 26 December 2008 - 02:06 AM

Here is the log file:

========== FILES ==========
E:\WINDOWS\SYSTEM32\harapupi.dll.tmp moved successfully.
DllUnregisterServer procedure not found in E:\WINDOWS\SYSTEM32\mureyiwa.dll
E:\WINDOWS\SYSTEM32\mureyiwa.dll NOT unregistered.
E:\WINDOWS\SYSTEM32\mureyiwa.dll moved successfully.
E:\WINDOWS\SYSTEM32\namurelu.dll.tmp moved successfully.
E:\WINDOWS\SYSTEM32\rivovowo.dll.tmp moved successfully.
========== REGISTRY ==========
Unable to delete registry key HKEY_CLASSES_ROOT\CLSID\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4}\\ .
Registry key HKEY_CLASSES_ROOT\CLSID\{EC43E3FD-5C60-46A6-97D7-E0B85DBDD6C4}\\ deleted successfully.
========== COMMANDS ==========
File delete failed. E:\DOCUME~1\ROZZIE~1\LOCALS~1\Temp\etilqs_pC7er2ZQy1AfU8YSvbEy scheduled to be deleted on reboot.
User's Temp folder emptied.
User's Temporary Internet Files folder emptied.
User's Internet Explorer cache folder emptied.
Local Service Temp folder emptied.
File delete failed. E:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
Local Service Temporary Internet Files folder emptied.
File delete failed. E:\WINDOWS\temp\Perflib_Perfdata_d4.dat scheduled to be deleted on reboot.
Windows Temp folder emptied.
Java cache emptied.
File delete failed. E:\Documents and Settings\Rozzie Chapman\Local Settings\Application Data\Mozilla\Firefox\Profiles\zav9tkz7.default\Cache\_CACHE_001_ scheduled to be deleted on reboot.
File delete failed. E:\Documents and Settings\Rozzie Chapman\Local Settings\Application Data\Mozilla\Firefox\Profiles\zav9tkz7.default\Cache\_CACHE_002_ scheduled to be deleted on reboot.
File delete failed. E:\Documents and Settings\Rozzie Chapman\Local Settings\Application Data\Mozilla\Firefox\Profiles\zav9tkz7.default\Cache\_CACHE_003_ scheduled to be deleted on reboot.
File delete failed. E:\Documents and Settings\Rozzie Chapman\Local Settings\Application Data\Mozilla\Firefox\Profiles\zav9tkz7.default\Cache\_CACHE_MAP_ scheduled to be deleted on reboot.
File delete failed. E:\Documents and Settings\Rozzie Chapman\Local Settings\Application Data\Mozilla\Firefox\Profiles\zav9tkz7.default\urlclassifier3.sqlite scheduled to be deleted on reboot.
FireFox cache emptied.
Temp folders emptied.

OTMoveIt3 by OldTimer - Version 1.0.7.2 log created on 12262008_175911

Files moved on Reboot...
File E:\DOCUME~1\ROZZIE~1\LOCALS~1\Temp\etilqs_pC7er2ZQy1AfU8YSvbEy not found!
File move failed. E:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be moved on reboot.
File E:\WINDOWS\temp\Perflib_Perfdata_d4.dat not found!
E:\Documents and Settings\Rozzie Chapman\Local Settings\Application Data\Mozilla\Firefox\Profiles\zav9tkz7.default\Cache\_CACHE_001_ moved successfully.
E:\Documents and Settings\Rozzie Chapman\Local Settings\Application Data\Mozilla\Firefox\Profiles\zav9tkz7.default\Cache\_CACHE_002_ moved successfully.
E:\Documents and Settings\Rozzie Chapman\Local Settings\Application Data\Mozilla\Firefox\Profiles\zav9tkz7.default\Cache\_CACHE_003_ moved successfully.
E:\Documents and Settings\Rozzie Chapman\Local Settings\Application Data\Mozilla\Firefox\Profiles\zav9tkz7.default\Cache\_CACHE_MAP_ moved successfully.
E:\Documents and Settings\Rozzie Chapman\Local Settings\Application Data\Mozilla\Firefox\Profiles\zav9tkz7.default\urlclassifier3.sqlite moved successfully.


I'll do a scan and see if those files are gone and report back in a few minutes.

#15 rozzie chapman

rozzie chapman
  • Topic Starter

  • Members
  • 10 posts

Posted 26 December 2008 - 02:32 AM

Looks good - fingers crossed... Thank you so much for all your help. Those malware things are really noxious - a thousand curses on malware developers!
