
Malware coming back


This topic is locked
98 replies to this topic

#1 Vikesh (Members, 53 posts)

Posted 05 January 2009 - 01:51 AM

Help! I use Security Task Manager and every time I connect to the internet, a fake 'svchost.exe' is downloaded into "C:\WINDOWS\security." There are also a "kakijigu.dll" and "makezimu.dll" that appear in Security Task Manager. I use Avast and Malwarebytes, but since I got this problem I cannot update Avast, even by downloading the update through "avast.com", and Malwarebytes' virus database is being deleted after I detect and remove some viruses.

Another problem is that when I switch my modem on (I use a modem for wireless connection) and the fake "svchost.exe" is running, I get an error message on the "svchost.exe" and I cannot connect to the internet, I cannot open any program, and the theme changes to Windows Classic.

Here is my DDS log:


DDS (Version 1.1.0) - NTFSx86
Run by Administrator at 10:21:45.17 on Mon 01/05/2009
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1015.536 [GMT 4:00]

AV: avast! antivirus 4.8.1229 [VPS 080723-1] *On-access scanning disabled* (Outdated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\D-Tools\daemon.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe
C:\Program Files\Nero\Nero 7\InCD\InCD.exe
C:\Program Files\CyberLink\PowerDVD8\PDVD8Serv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\DNA\btdna.exe
C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\System32\alg.exe
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\WINDOWS\security\svchost.exe"
C:\WINDOWS\system32\taskmgr.exe
C:\Documents and Settings\Administrator\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar1.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: {fc3a98a8-0ac8-4c4f-8dcf-64a280238522} - c:\windows\system32\makezimu.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [BitTorrent DNA] "c:\program files\dna\btdna.exe"
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [SkyTel] SkyTel.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [DAEMON Tools-1033] "c:\program files\d-tools\daemon.exe" -lang 1033
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mRun: [SMSERIAL] c:\program files\motorola\smserial\sm56hlpr.exe
mRun: [NeroFilterCheck] c:\program files\common files\ahead\lib\NeroCheck.exe
mRun: [SecurDisc] c:\program files\nero\nero 7\incd\NBHGui.exe
mRun: [InCD] c:\program files\nero\nero 7\incd\InCD.exe
mRun: [RemoteControl8] "c:\program files\cyberlink\powerdvd8\PDVD8Serv.exe"
mRun: [PDVD8LanguageShortcut] "c:\program files\cyberlink\powerdvd8\language\Language.exe"
mRun: [sohenodeso] Rundll32.exe "c:\windows\system32\kakijigu.dll",s
dRunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N
dRunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
IE: &Google Search - c:\program files\google\GoogleToolbar1.dll/cmsearch.html
IE: Backward &Links - c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
IE: Cac&hed Snapshot of Page - c:\program files\google\GoogleToolbar1.dll/cmcache.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Si&milar Pages - c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
IE: Translate into English - c:\program files\google\GoogleToolbar1.dll/cmtrans.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - {552781AF-37E4-4FEE-920A-CED9E648EADD} - c:\program files\common files\microsoft shared\encarta search bar\ENCSBAR.DLL
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: c:\windows\system32\habupawe.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\wpdshserviceobj.dll
LSA: Notification Packages = scecli c:\windows\system32\habupawe.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\i2qajlt6.default\
FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll
FF - plugin: c:\documents and settings\administrator\local settings\application data\google\update\1.2.133.33\npGoogleOneClick7.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npbittorrent.dll

============= SERVICES / DRIVERS ===============

R0 d344bus;d344bus;c:\windows\system32\drivers\d344bus.sys [2008-11-26 137216]
R0 d344prt;d344prt;c:\windows\system32\drivers\d344prt.sys [2008-11-26 5248]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-11-26 78416]
R3 AtcL002;NDIS Miniport Driver for Atheros L2 Fast Ethernet Controller;c:\windows\system32\drivers\l251x86.sys [2008-11-26 30720]
R3 sysdrv32;Host Port I/O Driver;c:\windows\system32\drivers\sysdrv32.sys [2008-12-15 11656]
R4 {FE4C91E7-22C2-4D0C-9F6B-82F1B7742054};{FE4C91E7-22C2-4D0C-9F6B-82F1B7742054};c:\program files\cyberlink\powerdvd8\000.fcl [2008-6-27 61424]
R4 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2008-11-26 20560]
R4 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2008-11-26 147640]
R4 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2009-1-4 206096]
R4 WinHost32Svr;Windows Host32 Server Service;"c:\windows\security\svchost.exe" [2009-1-4 30208]
S3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2008-11-26 250040]
S3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2008-11-26 348344]

=============== Created Last 30 ================

2009-01-04 20:49 <DIR> --d----- c:\program files\Trend Micro
2009-01-04 15:35 30,208 a------- c:\windows\system32\ir.exe.exe
2009-01-04 11:08 <DIR> --d----- c:\program files\common files\McAfee
2009-01-04 11:07 <DIR> --d----- c:\program files\McAfee
2008-12-30 18:01 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SecTaskMan
2008-12-30 18:01 <DIR> --d----- c:\program files\Security Task Manager
2008-12-28 20:49 188,547 a------- c:\windows\system32\ry.exe
2008-12-28 20:27 234 a------- c:\windows\system32\ld.exe
2008-12-26 10:26 <DIR> --d----- c:\program files\Monte Cristo
2008-12-25 16:58 319,456 a------- c:\windows\system32\drivers\DIFxAPI.dll
2008-12-25 16:58 <DIR> --d----- c:\program files\DevGuru
2008-12-25 16:58 249,856 a----r-- c:\windows\system32\mcs_dec2.ax
2008-12-25 16:58 172,032 a----r-- c:\windows\system32\mcs_cor2.dll
2008-12-25 16:58 114,688 a----r-- c:\windows\system32\mcs_enc.ax
2008-12-25 16:58 450,560 a----r-- c:\windows\system32\mcs_cor1.dll
2008-12-25 16:56 90,624 ac------ c:\windows\system32\dllcache\kswdmcap.ax
2008-12-25 16:56 61,952 ac------ c:\windows\system32\dllcache\kstvtune.ax
2008-12-25 16:56 43,008 ac------ c:\windows\system32\dllcache\ksxbar.ax
2008-12-25 16:56 28,672 ac------ c:\windows\system32\dllcache\vidcap.ax
2008-12-25 16:56 20,992 ac------ c:\windows\system32\dllcache\dshowext.ax
2008-12-25 16:56 54,656 a----r-- c:\windows\system32\drivers\Camav.sys
2008-12-25 16:56 90,624 a------- c:\windows\system32\kswdmcap.ax
2008-12-25 16:56 61,952 a------- c:\windows\system32\kstvtune.ax
2008-12-25 16:56 43,008 a------- c:\windows\system32\ksxbar.ax
2008-12-25 16:56 28,672 a------- c:\windows\system32\vidcap.ax
2008-12-25 16:56 20,992 a------- c:\windows\system32\dshowext.ax
2008-12-25 16:56 53,760 ac------ c:\windows\system32\dllcache\vfwwdm32.dll
2008-12-25 16:56 53,760 a------- c:\windows\system32\vfwwdm32.dll
2008-12-25 16:55 31,616 ac------ c:\windows\system32\dllcache\usbccgp.sys
2008-12-25 16:55 31,616 a------- c:\windows\system32\drivers\usbccgp.sys
2008-12-21 10:33 <DIR> --d----- c:\program files\common files\DirectX
2008-12-21 09:22 <DIR> --d----- c:\docume~1\admini~1\applic~1\BitTorrent
2008-12-21 09:21 <DIR> --d----- c:\program files\DNA
2008-12-21 09:21 <DIR> --d----- c:\docume~1\admini~1\applic~1\DNA
2008-12-21 09:21 <DIR> --d----- c:\program files\BitTorrent
2008-12-16 18:25 70,144 a------- c:\windows\system32\awtUoMgH.dll
2008-12-15 19:25 11,656 a------- c:\windows\system32\drivers\sysdrv32.sys
2008-12-14 15:19 <DIR> --d----- c:\program files\PANZERS - Phase1
2008-12-12 08:13 34,308 a------- C:\BASSMOD.DLL
2008-12-11 17:52 <DIR> --d----- c:\program files\Panzers
2008-12-11 10:11 <DIR> --d----- c:\documents and settings\administrator\dwhelper
2008-12-11 09:59 15,504 a------- c:\windows\system32\drivers\mbam.sys
2008-12-11 09:59 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-11 09:59 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2008-12-09 19:10 <DIR> --d----- c:\program files\RegistryFix7
2008-12-09 08:53 105,097 ---shr-- C:\2u.com
2008-12-08 17:06 <DIR> --d----- C:\Registry Backup
2008-12-06 16:39 <DIR> --d----- c:\program files\EA GAMES

==================== Find3M ====================

2008-12-09 09:51 84,992 ---shr-- c:\windows\system32\gasretyw0.dll
2008-12-06 08:50 84,992 ---shr-- c:\windows\system32\gasretyw1.dll
2008-12-04 14:14 2,864 a------- c:\windows\system32\winsock.dll
2008-12-03 16:11 108,698 ---shr-- C:\e.cmd
2008-12-02 18:16 86,327 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2008-11-26 20:40 29,480 a------- c:\windows\system32\msxml3a.dll
2008-11-26 20:22 234 a--sh--- c:\documents and settings\administrator\setupC.exe
2008-11-26 17:19 86,016 a------- c:\windows\system32\dpl100.dll
2008-11-26 16:30 315,392 a------- c:\windows\HideWin.exe
2008-11-25 20:41 21,640 a------- c:\windows\system32\emptyregdb.dat
2008-10-16 14:06 268,648 a------- c:\windows\system32\mucltui.dll
2008-10-16 14:06 208,744 a------- c:\windows\system32\muweb.dll
1601-01-01 04:12 61,183 a--sh--- c:\windows\system32\vawirofa.dll
1601-01-01 04:12 61,183 a--sh--- c:\windows\system32\wefeyubi.dll

============= FINISH: 10:21:53.54 ===============
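The log above shows the persistence points this infection uses: a service (WinHost32Svr) pointing at an svchost.exe outside System32, a Run entry that loads a DLL through rundll32, an unnamed BHO, a populated AppInit_DLLs value and an extra LSA notification package. The following triage script is an added illustration, not part of this thread or of the DDS tool; it scans DDS-style lines for those five patterns, using lines copied from the log plus one clean System32 svchost.exe line for contrast.

```python
import re

# Sample DDS lines copied from the log posted in this thread, plus one clean
# System32 svchost.exe process line for contrast (a constructed sample, not
# a live scan).
SAMPLE_DDS = r"""
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mRun: [sohenodeso] Rundll32.exe "c:\windows\system32\kakijigu.dll",s
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar1.dll
BHO: {fc3a98a8-0ac8-4c4f-8dcf-64a280238522} - c:\windows\system32\makezimu.dll
AppInit_DLLs: c:\windows\system32\habupawe.dll
LSA: Notification Packages = scecli c:\windows\system32\habupawe.dll
R4 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2008-11-26 147640]
R4 WinHost32Svr;Windows Host32 Server Service;"c:\windows\security\svchost.exe" [2009-1-4 30208]
C:\WINDOWS\system32\svchost.exe -k netsvcs
"C:\WINDOWS\security\svchost.exe"
"""

# Any drive-rooted path that ends in svchost.exe (quoted or not).
SVCHOST_PATH = re.compile(r'([a-z]:\\[^"\[]*?svchost\.exe)', re.I)
# The only place svchost.exe legitimately lives on Windows XP.
SVCHOST_HOME = re.compile(r'[a-z]:\\windows\\system32\\svchost\.exe', re.I)
# A Run/RunOnce entry whose command is rundll32 loading some DLL.
RUNDLL_RUN = re.compile(r'^[umd]Run(?:Once)?:\s*\[[^\]]*\]\s*rundll32(?:\.exe)?\s', re.I)
# A named BHO reads "BHO: Name: {clsid} - path"; an unnamed one goes straight
# from "BHO:" to the CLSID, which is typical of randomly named droppers.
UNNAMED_BHO = re.compile(r'^BHO:\s*\{[0-9a-f-]{36}\}', re.I)
LSA_PACKAGES = re.compile(r'^LSA:\s*Notification Packages\s*=\s*(.*)$', re.I)


def triage(dds_text):
    """Return (reason, line) pairs for DDS lines that deserve a closer look.

    These are triage prompts, not verdicts: a legitimate rundll32 Run entry
    (e.g. an installer's RunOnce) will also be listed.
    """
    findings = []
    for raw in dds_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        for path in SVCHOST_PATH.findall(line):
            if not SVCHOST_HOME.fullmatch(path):
                findings.append(("svchost.exe outside System32", line))
        if RUNDLL_RUN.match(line):
            findings.append(("Run entry loads a DLL through rundll32", line))
        if UNNAMED_BHO.match(line):
            findings.append(("BHO with no display name", line))
        if line.lower().startswith("appinit_dlls:") and line.split(":", 1)[1].strip():
            findings.append(("AppInit_DLLs is set (empty on a clean XP box)", line))
        m = LSA_PACKAGES.match(line)
        if m and any(p.lower() != "scecli" for p in m.group(1).split()):
            findings.append(("LSA Notification Packages beyond scecli", line))
    return findings


if __name__ == "__main__":
    for reason, line in triage(SAMPLE_DDS):
        print(f"{reason}: {line}")
```

Run against the sample it reports six findings, two of them for the svchost.exe copies in C:\WINDOWS\security, while the avast, Google Toolbar and System32 svchost lines pass untouched.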


#2 fenzodahl512 (Members, 6,738 posts)

Posted 05 January 2009 - 05:49 AM

Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix.. Please visit HERE if you don't know how.. Please re-enable them back after performing all steps given..

Please download ComboFix by sUBs from one of the locations below, and save it to your Desktop.

Link 1
Link 2
Link 3

Double click combofix.exe and follow the prompts. Please, never rename Combofix unless instructed.

If ComboFix asks you to install the Recovery Console, please do so.. It will be in your best interest..

When finished, it shall produce a log for you. Post that log and a fresh HijackThis log in your next reply..

Note: DO NOT mouse-click ComboFix's window while it's running. That may cause it to stall.

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#3 Vikesh (Topic Starter, Members, 53 posts)

Posted 06 January 2009 - 02:36 AM

Thanks :thumbsup: It removed a lot of malware, but I'm still having the svchost.exe problem when I connect to the internet.

#4 fenzodahl512 (Members, 6,738 posts)

Posted 06 January 2009 - 05:33 AM

Well, where's the log please?..

Go and find C:\combofix.txt and post its content here..



#5 Vikesh (Topic Starter, Members, 53 posts)

Posted 06 January 2009 - 07:43 AM

My ComboFix log is in the attachment.




#6 fenzodahl512 (Members, 6,738 posts)

Posted 06 January 2009 - 09:36 AM

1. Please open Notepad
  • Click Start, then Run
  • Type notepad.exe in the Run Box.
2. Now copy/paste the entire content of the codebox below into the Notepad window:

KillAll::

Driver::
sysdrv32
WinHost32Svr
msddll

File::
c:\windows\system32\mq.exe
c:\windows\system32\kb.exe
c:\windows\system32\hj.exe
c:\windows\system32\wp.exe
c:\windows\system32\ry.exe
c:\windows\system32\awtUoMgH.dll
c:\windows\system32\drivers\sysdrv32.sys
c:\windows\system32\vawirofa.dll
c:\windows\system32\wefeyubi.dll
c:\windows\system32\habupawe.dll
c:\WINDOWS\security\svchost.exe
c:\WINDOWS\\system\msddll.exe

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=""
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\security\\svchost.exe"=-
"c:\\WINDOWS\\system\\msddll.exe"=-
"c:\\WINDOWS\\System32\\wp.exe"=-
"c:\\WINDOWS\\System32\\hj.exe"=-
"c:\\WINDOWS\\System32\\kb.exe"=-

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

[animation: dragging CFScript.txt onto ComboFix.exe]


5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.




#7 Vikesh (Topic Starter, Members, 53 posts)

Posted 07 January 2009 - 07:39 AM

It isn't working. Every time I try it, ComboFix opens, the CFScript disappears and nothing happens. I waited for 30 mins and still nothing happened. The HijackThis log is in the attachment.

Can I try to delete the files manually?



#8 fenzodahl512 (Members, 6,738 posts)

Posted 07 January 2009 - 09:48 AM

Lets do this then...


The steps that I am about to suggest involve modifying the registry. Modifying the registry can be dangerous, so we will make a backup of the registry first.
Modification of the registry can be EXTREMELY dangerous if you do not know exactly what you are doing, so follow the steps that are listed below EXACTLY. If you cannot perform some of these steps, or if you have ANY questions, please ask BEFORE proceeding.

Backing Up Your Registry
  • Go HERE and download ERUNT
    (ERUNT (Emergency Recovery Utility NT) is a free program that allows you to keep a complete backup of your registry and restore it when needed.)
  • Install ERUNT by following the prompts
    (use the default install settings but say no to the portion that asks you to add ERUNT to the start-up folder, if you like you can enable this option later)
  • Start ERUNT
    (either by double clicking on the desktop icon or choosing to start the program at the end of the setup)
  • Choose a location for the backup
    (the default location is C:\WINDOWS\ERDNT which is acceptable).
  • Make sure that at least the first two check boxes are ticked
  • Press OK
  • Press YES to create the folder.
For detailed instruction on how to back-up registry via ERUNT, please visit HERE



NEXT


Please download the OTMoveIt3 by OldTimer
  • Save it to your Desktop.
  • Please double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
  • Let the Unregister Dll's and Ocx's remain ticked and Zip Files After Moves remain unticked..
  • Copy the codebox contents and paste it to the "Paste List of Files/Folders to Move" window (under the light Yellow bar)

    :processes
    explorer.exe
    
    :services
    sysdrv32
    WinHost32Svr
    msddll
    
    :files
    c:\windows\system32\mq.exe
    c:\windows\system32\kb.exe
    c:\windows\system32\hj.exe
    c:\windows\system32\wp.exe
    c:\windows\system32\ry.exe
    c:\windows\system32\awtUoMgH.dll
    c:\windows\system32\drivers\sysdrv32.sys
    c:\windows\system32\vawirofa.dll
    c:\windows\system32\wefeyubi.dll
    c:\windows\system32\habupawe.dll
    c:\WINDOWS\security\svchost.exe
    c:\WINDOWS\\system\msddll.exe
    
    :reg
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=""
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "c:\\WINDOWS\\security\\svchost.exe"=-
    "c:\\WINDOWS\\system\\msddll.exe"=-
    "c:\\WINDOWS\\System32\\wp.exe"=-
    "c:\\WINDOWS\\System32\\hj.exe"=-
    "c:\\WINDOWS\\System32\\kb.exe"=-
    
    :commands
    [purity]
    [emptytemp]
    [start explorer]
    [reboot]
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt3
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.




Run ComboFix again normally.. Post these logs in your next reply..

1. OTMoveIt3
2. ComboFix



#9 Vikesh (Topic Starter, Members, 53 posts)

Posted 08 January 2009 - 01:19 AM

I deleted the following files manually:

c:\windows\system32\mq.exe
c:\windows\system32\kb.exe
c:\windows\system32\hj.exe
c:\windows\system32\wp.exe
c:\windows\system32\ry.exe

I don't think I did something bad. :thumbsup:

The logs are in the attachment.




#10 fenzodahl512 (Members, 6,738 posts)

Posted 08 January 2009 - 02:36 AM

You did the right thing.. Lets do this...

Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix.. Please visit HERE if you don't know how.. Please re-enable them back after performing all steps given..

Please download ComboFix by sUBs from one of the locations below, and save it to your Desktop.

Link 1
Link 2
Link 3

Double click combofix.exe and follow the prompts. Please, never rename Combofix unless instructed.

If ComboFix asks you to install the Recovery Console, please do so.. It will be in your best interest..

When finished, it shall produce a log for you. Post that log and a fresh HijackThis log in your next reply..

Note: DON'T do anything with your computer while ComboFix is running.. Let ComboFix finish its job..



#11 Vikesh (Topic Starter, Members, 53 posts)

Posted 08 January 2009 - 03:12 AM

Thanks a lot! :thumbsup: I am not having any problems now. (I still can't update Avast. I think I should reinstall it.)

The logs are in the attachments.




#12 fenzodahl512 (Members, 6,738 posts)

Posted 08 January 2009 - 03:32 AM

1. Please open Notepad
  • Click Start, then Run
  • Type notepad.exe in the Run Box.
2. Now copy/paste the entire content of the codebox below into the Notepad window:

KillAll::

File::
c:\WINDOWS\security\svchost.exe
c:\WINDOWS\System32\pb.exe
c:\windows\system32\habupawe.dll

Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\System32\\pb.exe"=-
"c:\\WINDOWS\\security\\svchost.exe"=-
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=""

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

[animation: dragging CFScript.txt onto ComboFix.exe]


5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.



#13 Vikesh (Topic Starter, Members, 53 posts)

Posted 08 January 2009 - 07:38 AM

It isn't working like I described above.

Is there any other way to do it?

The svchost.exe doesn't load in memory now.

#14 fenzodahl512 (Members, 6,738 posts)

Posted 08 January 2009 - 08:54 AM

Lets do this then..


Repeat the OTMoveIt3 step but this time with below script.. Post the log here after that..

:processes
explorer.exe

:services

:files
c:\WINDOWS\security\svchost.exe
c:\WINDOWS\System32\pb.exe
c:\windows\system32\habupawe.dll

:reg
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=""

:commands
[purity]
[emptytemp]
[start explorer]
[reboot]



NEXT


Please run a free online scan with the ESET Online Scanner
Note: You will need to use Internet Explorer for this scan.
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the options Remove found threats and the option Scan unwanted applications is checked
  • Click Scan
    Wait for the scan to finish
  • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic

Run DDS again.. Post these logs in your next reply..

1. OTMoveIt3
2. ESET Online Scanner
3. DDS.txt
4. Tell me, how's the computer now? :thumbsup:



#15 Vikesh (Topic Starter, Members, 53 posts)

Posted 08 January 2009 - 12:51 PM

Thanks! :thumbsup: My computer is running more smoothly, especially while playing games.
It detected some OTMoveIt3 files as viruses, and ComboFix files in its folder (Qoobox), and some other viruses. (The files that were scheduled to be deleted on reboot and were never deleted.)

I don't know how you wanted me to post the online scanner log, because there was no log and I wasn't able to copy/paste the results.

Some viruses are still being downloaded when I connect to the internet. There are some Backdoor.Bot which were detected by Malwarebytes, and the driver "sysdrv32.sys" appeared again and Malwarebytes crashed after removing it.
