Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Trojan Vundo issues - please help!


  • This topic is locked This topic is locked
8 replies to this topic

#1 wildzero

wildzero

  • Members
  • 145 posts
  • OFFLINE
  •  
  • Local time:05:10 AM

Posted 13 January 2009 - 12:47 AM

So I've been having recent trouble w/ a Trojan called Vundo. It continues to disable my antivirus, and just recently it is giving me multiple about:blank pages upon internet access. I have run Malware Bytes numerous times and it continues to come back. My logs:

HIJACKTHIS:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:42:17 AM, on 1/13/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\DellTPad\Apoint.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\DellTPad\ApMsgFwd.exe
C:\WINDOWS\system32\KADxMain.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\DellTPad\HidFind.exe
C:\Program Files\Dell\MediaDirect\PCMService.exe
C:\Program Files\DellTPad\Apntex.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\FinePixViewerS\QuickDCF2.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Symantec AntiVirus\DoScan.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Dell Network Assistant\hnm_svc.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\STacSV.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=2080320
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=2080320
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://partnerpage.google.com/smallbiz.del...amp;ibd=2080320
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {7dad6d8a-613d-4d95-98b5-eb6c0f0d1483} - C:\WINDOWS\system32\wawugiju.dll (file missing)
O2 - BHO: (no name) - {89207B00-69E4-4982-AECB-1A266DF4F434} - C:\WINDOWS\system32\tuvWpOeD.dll (file missing)
O2 - BHO: {50015030-afa2-9a99-6444-68ae64f30cdc} - {cdc03f46-ea86-4446-99a9-2afa03051005} - C:\WINDOWS\system32\anbofd.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\DellTPad\Apoint.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NVHotkey] rundll32.exe nvHotkey.dll,Start
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [KADxMain] C:\WINDOWS\system32\KADxMain.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\MediaDirect\PCMService.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [CPM8305549a] Rundll32.exe "c:\windows\system32\zefukava.dll",a
O4 - HKLM\..\Run: [buduhalini] Rundll32.exe "C:\WINDOWS\system32\seropapu.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [buduhalini] Rundll32.exe "C:\WINDOWS\system32\seropapu.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [buduhalini] Rundll32.exe "C:\WINDOWS\system32\seropapu.dll",s (User 'NETWORK SERVICE')
O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe
O4 - Global Startup: Exif Launcher S.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {45B69029-F3AB-4204-92DE-D5140C3E8E74} (F5 Networks Auto Update) - https://fpass.ed.gov/vdesk/terminal/InstallerControl.cab
O16 - DPF: {6C275925-A1ED-4DD2-9CEE-9823F5FDAA10} (F5 Networks SSLTunnel) - https://fpass.ed.gov/vdesk/terminal/urTermP...,2008,0122,2001
O16 - DPF: {CC85ACDF-B277-486F-8C70-2C9B2ED2A4E7} (F5 Networks SuperHost Class) - https://fpass.ed.gov/vdesk/terminal/urxshos...,2008,0122,2005
O16 - DPF: {E0FF21FA-B857-45C5-8621-F120A0C17FF2} (F5 Networks Host Control) - https://fpass.ed.gov/vdesk/terminal/urxhost...,2008,0122,2004
O20 - AppInit_DLLs: satlmc.dll C:\WINDOWS\system32\lunemupa.dll anbofd.dll c:\windows\system32\zefukava.dll
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\zefukava.dll
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\zefukava.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: DellAMBrokerService - Unknown owner - C:\Program Files\DellAutomatedPCTuneUp\brkrsvc.exe
O23 - Service: Advanced Networking Service (hnmsvc) - SingleClick Systems - C:\Program Files\Dell Network Assistant\hnm_svc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\WINDOWS\system32\STacSV.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 10171 bytes


MALWAREBYTES:

Malwarebytes' Anti-Malware 1.30
Database version: 1402
Windows 5.1.2600 Service Pack 2

1/13/2009 12:35:21 AM
mbam-log-2009-01-13 (00-35-21).txt

Scan type: Quick Scan
Objects scanned: 53665
Time elapsed: 7 minute(s), 21 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 4
Registry Keys Infected: 8
Registry Values Infected: 4
Registry Data Items Infected: 6
Folders Infected: 0
Files Infected: 19

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\lagojugo.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\jojopedu.dll (Trojan.BHO) -> Delete on reboot.
c:\WINDOWS\system32\sagobuho.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\gunubizu.dll (Trojan.Agent) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7dad6d8a-613d-4d95-98b5-eb6c0f0d1483} (Trojan.BHO.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{7dad6d8a-613d-4d95-98b5-eb6c0f0d1483} (Trojan.BHO.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\dslcnnct (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\ssodl (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cpm8305549a (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\buduhalini (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.BHO) -> Data: c:\windows\system32\jojopedu.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.BHO) -> Data: system32\jojopedu.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Agent) -> Data: c:\windows\system32\sagobuho.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Agent) -> Data: system32\sagobuho.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Agent) -> Data: c:\windows\system32\gunubizu.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Agent) -> Data: system32\gunubizu.dll -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\dowegowo.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\owogewod.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\jujivane.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\enavijuj.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lagojugo.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\ogujogal.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\polekove.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\evokelop.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\rifizipo.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\opizifir.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\tunirufa.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\afurinut.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\yivikova.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\avokiviy.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wawugiju.dll (Trojan.BHO.H) -> Delete on reboot.
c:\WINDOWS\system32\jojopedu.dll (Trojan.BHO) -> Delete on reboot.
c:\WINDOWS\system32\sagobuho.dll (Trojan.Agent) -> Delete on reboot.
c:\WINDOWS\system32\gunubizu.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\seropapu.dll (Trojan.Agent) -> Quarantined and deleted successfully.

BC AdBot (Login to Remove)

 


#2 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:11:10 AM

Posted 13 January 2009 - 05:53 AM

Hi,

* Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Post the log from ComboFix in your next reply.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 wildzero

wildzero
  • Topic Starter

  • Members
  • 145 posts
  • OFFLINE
  •  
  • Local time:05:10 AM

Posted 13 January 2009 - 08:23 PM

ComboFix 09-01-13.03 - Gregory 2009-01-13 20:14:14.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2046.1564 [GMT -5:00]
Running from: c:\documents and settings\Gregory\Desktop\ComboFix.exe
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated)
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\windows\system32\anbofd.dll
c:\windows\system32\balomane.dll
c:\windows\system32\bebamaka.dll
c:\windows\system32\bimasubo.dll
c:\windows\system32\buzimofa.dll
c:\windows\system32\DeOpWvut.ini
c:\windows\system32\DeOpWvut.ini2
c:\windows\system32\depiwore.dll
c:\windows\system32\efojigil.ini
c:\windows\system32\kivepizu.dll
c:\windows\system32\kqleqkuo.ini
c:\windows\system32\lunemupa.dll
c:\windows\system32\namoboke.dll
c:\windows\system32\nibanofe.dll
c:\windows\system32\suredufi.dll
c:\windows\system32\tarurozi.dll
c:\windows\system32\wokumoya.dll
c:\windows\system32\yetikohu.dll
c:\windows\system32\zefukava.dll
c:\windows\Tasks\dvzcfvwz.job

----- BITS: Possible infected sites -----

hxxp://77.74.48.105
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_PACKET
-------\Service_Packet


((((((((((((((((((((((((( Files Created from 2008-12-14 to 2009-01-14 )))))))))))))))))))))))))))))))
.

2008-12-29 22:21 . 2008-12-29 22:22 <DIR> d-------- c:\program files\FinePixViewerS
2008-12-29 22:20 . 2008-12-29 22:22 <DIR> d-------- c:\documents and settings\Gregory\Application Data\FUJIFILM
2008-12-15 22:07 . 2008-12-15 22:07 70,144 --a------ c:\windows\system32\jkkKbbXp.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-30 03:21 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-16 03:06 --------- d-----w c:\program files\Symantec AntiVirus
2008-12-08 23:45 --------- d-----w c:\program files\Acoustica CD Label Maker
2008-12-08 23:41 --------- d-----w c:\documents and settings\Gregory\Application Data\Acoustica
2008-11-17 04:46 --------- d-----w c:\program files\Common Files\InstallShield
2008-11-16 13:04 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2008-11-16 13:04 --------- d-----w c:\documents and settings\Gregory\Application Data\Malwarebytes
2008-11-16 13:04 --------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
1601-01-01 00:12 52,224 --sha-w c:\windows\system32\juwefisi.dll
2008-09-24 00:28 2,048 --sha-w c:\windows\system32\kusewovi.dll
1601-01-01 00:12 6,144 --sha-w c:\windows\system32\zitovovi.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2007-09-23 159744]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-09-23 8466432]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-09-23 81920]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 144784]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2007-09-07 1236992]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2007-12-11 2183168]
"KADxMain"="c:\windows\system32\KADxMain.exe" [2006-11-02 282624]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"PCMService"="c:\program files\Dell\MediaDirect\PCMService.exe" [2007-04-16 184320]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-02-19 267048]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2005-04-08 48752]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2005-04-17 85184]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2004-02-12 49152]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2004-05-12 241664]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"MSConfig"="c:\windows\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2005-09-26 169984]
"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\stsystra.exe" [2007-05-10 405504]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-01-31 385024]
"NVHotkey"="nvHotkey.dll" [2007-09-23 c:\windows\system32\nvhotkey.dll]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2008-03-20 50688]
Exif Launcher S.lnk - c:\program files\FinePixViewerS\QuickDCF2.exe [2008-12-29 303104]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2004-05-28 241664]
HP Image Zone Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2004-05-28 53248]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli c:\windows\system32\lunemupa.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Dell Network Assistant.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Dell Network Assistant.lnk
backup=c:\windows\pss\Dell Network Assistant.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dscactivate]
--a------ 2007-10-09 18:57 16384 c:\program files\Dell Support Center\gs_agent\custom\dsca.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-01-31 22:13 385024 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]
--a------ 2006-08-17 09:00 1116920 c:\program files\Roxio\Drag-to-Disc\DrgToDsc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2007-09-23 22:12 1626112 c:\windows\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Dell\\MediaDirect\\PCMService.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\iPod\\bin\\iPodService.exe"=
"c:\\Program Files\\Dell\\QuickSet\\quickset.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"10118:TCP"= 10118:TCP:Service
"10133:TCP"= 10133:TCP:Service

R4 datunidr;DellAutomatedPCTuneUp UniDriver;c:\windows\system32\drivers\datunidr.sys [2007-08-23 5376]
S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [2005-04-17 124608]

--- Other Services/Drivers In Memory ---

*Deregistered* - EraserUtilDrvI7
.
Contents of the 'Scheduled Tasks' folder

2008-08-22 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 13:57]
.
- - - - ORPHANS REMOVED - - - -

BHO-{7dad6d8a-613d-4d95-98b5-eb6c0f0d1483} - c:\windows\system32\wawugiju.dll
BHO-{89207B00-69E4-4982-AECB-1A266DF4F434} - c:\windows\system32\tuvWpOeD.dll
BHO-{cdc03f46-ea86-4446-99a9-2afa03051005} - c:\windows\system32\anbofd.dll
HKLM-Run-buduhalini - c:\windows\system32\seropapu.dll
MSConfigStartUp-Google Desktop Search - c:\program files\Google\Google Desktop Search\GoogleDesktop.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = hxxp://partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=2080320
uInternet Settings,ProxyOverride = *.local
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-13 20:18:38
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(980)
c:\windows\System32\BCMLogon.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\windows\system32\WLTRYSVC.EXE
c:\windows\system32\BCMWLTRY.EXE
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Symantec AntiVirus\DefWatch.exe
c:\program files\Dell Network Assistant\hnm_svc.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\stacsv.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\rundll32.exe
c:\program files\DellTPad\ApMsgFwd.exe
c:\program files\DellTPad\hidfind.exe
c:\program files\DellTPad\ApntEx.exe
c:\program files\Symantec AntiVirus\DoScan.exe
c:\windows\system32\wscntfy.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\HP\Digital Imaging\bin\hpqgalry.exe
.
**************************************************************************
.
Completion time: 2009-01-13 20:22:02 - machine was rebooted
ComboFix-quarantined-files.txt 2009-01-14 01:21:59

Pre-Run: 137,183,354,880 bytes free
Post-Run: 137,192,177,664 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

192 --- E O F --- 2008-12-20 14:06:10

#4 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:11:10 AM

Posted 14 January 2009 - 03:26 AM

Hi,

* Open notepad - don't use any other texteditor than notepad or the script will fail.
Copy/paste the text in the quotebox below into notepad:

File::
c:\windows\system32\jkkKbbXp.dll
c:\windows\system32\juwefisi.dll
c:\windows\system32\kusewovi.dll
c:\windows\system32\zitovovi.dll


Save this as txtfile CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

Posted Image

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#5 wildzero

wildzero
  • Topic Starter

  • Members
  • 145 posts
  • OFFLINE
  •  
  • Local time:05:10 AM

Posted 15 January 2009 - 12:42 AM

ComboFix 09-01-13.03 - Gregory 2009-01-15 0:34:11.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2046.1546 [GMT -5:00]
Running from: c:\documents and settings\Gregory\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Gregory\Desktop\CFScript.txt
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated)
* Created a new restore point

FILE ::
c:\windows\system32\jkkKbbXp.dll
c:\windows\system32\juwefisi.dll
c:\windows\system32\kusewovi.dll
c:\windows\system32\zitovovi.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\jkkKbbXp.dll
c:\windows\system32\juwefisi.dll
c:\windows\system32\kusewovi.dll
c:\windows\system32\zitovovi.dll

.
((((((((((((((((((((((((( Files Created from 2008-12-15 to 2009-01-15 )))))))))))))))))))))))))))))))
.

2008-12-29 22:21 . 2008-12-29 22:22 <DIR> d-------- c:\program files\FinePixViewerS
2008-12-29 22:20 . 2008-12-29 22:22 <DIR> d-------- c:\documents and settings\Gregory\Application Data\FUJIFILM

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-30 03:21 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-16 03:06 --------- d-----w c:\program files\Symantec AntiVirus
2008-12-08 23:45 --------- d-----w c:\program files\Acoustica CD Label Maker
2008-12-08 23:41 --------- d-----w c:\documents and settings\Gregory\Application Data\Acoustica
2008-11-17 04:46 --------- d-----w c:\program files\Common Files\InstallShield
2008-11-16 13:04 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2008-11-16 13:04 --------- d-----w c:\documents and settings\Gregory\Application Data\Malwarebytes
2008-11-16 13:04 --------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
.

((((((((((((((((((((((((((((( snapshot@2009-01-13_20.21.18.46 )))))))))))))))))))))))))))))))))))))))))
.
- 2009-01-13 05:43:22 53,838 ----a-w c:\windows\system32\perfc009.dat
+ 2009-01-14 01:52:54 53,838 ----a-w c:\windows\system32\perfc009.dat
- 2009-01-13 05:43:22 382,260 ----a-w c:\windows\system32\perfh009.dat
+ 2009-01-14 01:52:54 382,260 ----a-w c:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2007-09-23 159744]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-09-23 8466432]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-09-23 81920]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 144784]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2007-09-07 1236992]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2007-12-11 2183168]
"KADxMain"="c:\windows\system32\KADxMain.exe" [2006-11-02 282624]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"PCMService"="c:\program files\Dell\MediaDirect\PCMService.exe" [2007-04-16 184320]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-02-19 267048]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2005-04-08 48752]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2005-04-17 85184]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2004-02-12 49152]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2004-05-12 241664]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"MSConfig"="c:\windows\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2005-09-26 169984]
"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\stsystra.exe" [2007-05-10 405504]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-01-31 385024]
"NVHotkey"="nvHotkey.dll" [2007-09-23 c:\windows\system32\nvhotkey.dll]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2008-03-20 50688]
Exif Launcher S.lnk - c:\program files\FinePixViewerS\QuickDCF2.exe [2008-12-29 303104]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2004-05-28 241664]
HP Image Zone Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2004-05-28 53248]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Dell Network Assistant.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Dell Network Assistant.lnk
backup=c:\windows\pss\Dell Network Assistant.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dscactivate]
--a------ 2007-10-09 18:57 16384 c:\program files\Dell Support Center\gs_agent\custom\dsca.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-01-31 22:13 385024 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]
--a------ 2006-08-17 09:00 1116920 c:\program files\Roxio\Drag-to-Disc\DrgToDsc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2007-09-23 22:12 1626112 c:\windows\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Dell\\MediaDirect\\PCMService.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\iPod\\bin\\iPodService.exe"=
"c:\\Program Files\\Dell\\QuickSet\\quickset.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"10118:TCP"= 10118:TCP:Service
"10133:TCP"= 10133:TCP:Service

R4 datunidr;DellAutomatedPCTuneUp UniDriver;c:\windows\system32\drivers\datunidr.sys [2007-08-23 5376]
S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [2005-04-17 124608]

--- Other Services/Drivers In Memory ---

*Deregistered* - EraserUtilDrvI7
.
Contents of the 'Scheduled Tasks' folder

2008-08-22 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 13:57]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = hxxp://partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=2080320
uInternet Settings,ProxyOverride = *.local
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-15 00:38:57
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(980)
c:\windows\System32\BCMLogon.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\windows\system32\WLTRYSVC.EXE
c:\windows\system32\BCMWLTRY.EXE
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Symantec AntiVirus\DefWatch.exe
c:\program files\Dell Network Assistant\hnm_svc.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\stacsv.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\rundll32.exe
c:\program files\DellTPad\ApMsgFwd.exe
c:\program files\DellTPad\hidfind.exe
c:\program files\DellTPad\ApntEx.exe
c:\program files\Symantec AntiVirus\DoScan.exe
c:\windows\system32\wscntfy.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\HP\Digital Imaging\bin\hpqgalry.exe
.
**************************************************************************
.
Completion time: 2009-01-15 0:41:48 - machine was rebooted
ComboFix-quarantined-files.txt 2009-01-15 05:41:45
ComboFix2.txt 2009-01-14 01:22:03

Pre-Run: 136,190,902,272 bytes free
Post-Run: 136,407,314,432 bytes free

163 --- E O F --- 2008-12-20 14:06:10

#6 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:11:10 AM

Posted 15 January 2009 - 03:46 AM

Hi,

This looks OK again.

* Go to start > run and copy and paste next command in the field:

ComboFix /u

Make sure there's a space between Combofix and /
Then hit enter.

This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and resets System Restore again.

Let me know in your next reply how things are now.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#7 wildzero

wildzero
  • Topic Starter

  • Members
  • 145 posts
  • OFFLINE
  •  
  • Local time:05:10 AM

Posted 16 January 2009 - 11:23 PM

Thanks - everything is working much better now! I appreciate all your help!

#8 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:11:10 AM

Posted 17 January 2009 - 04:02 AM

Glad I could help. :thumbsup:

Please read my Prevention page with lots of info and tips how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here.
Extra note: Make sure your programs are up to date - because older versions may contain Security Leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

Happy Surfing again!
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#9 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:11:10 AM

Posted 21 January 2009 - 09:25 AM

Since this issue appears resolved ... this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users