
Stubborn Vundo infection


11 replies to this topic

#1 aoc442



Posted 16 January 2009 - 10:26 PM

The computer I am using suffered from a Vundo infection back in 2005, but with the help of Vundofix and similar programs, it appeared to be gone. A little over a month ago, seemingly out of the blue, I began getting popups. Some Java-based content on the web started taking a very long time to load or stopped being displayed altogether. So I downloaded Malwarebytes’ Anti-Malware, which showed that my computer was suffering from another Vundo infection. When I tried to use system restore, I found that all my restore points had been deleted. The trojan also routinely turns off my automatic updates. Malwarebytes’ Anti-Malware seems to clean the computer, but hardly a day passes before I start getting the popups again. I tried Vundofix, but that didn’t find anything. I also tried updating Java and IE, but that didn’t seem to have any effect.

In the last few days, Firefox has also become affected. I’m not sure if this is related to the Vundo infection, but I cannot use the program at all. Upon trying to open it, sometimes Firefox immediately announces it has encountered a problem and needs to close, without so much as the browser window opening up. If that doesn’t happen, the browser window doesn’t appear, but I can see Firefox running in the processes section of the Task Manager. So now, I’ve gotten a little desperate. I hate having to use IE, where I know I am more vulnerable to further infection. I would greatly appreciate any help.

Here is my most recent HijackThis log:

DDS (Ver_09-01-07.01) - NTFSx86
Run by Admin at 17:46:52.37 on Fri 01/16/2009
Internet Explorer: 8.0.6001.18241 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.159 [GMT -5:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\System32\svchost.exe -k NetworkService
C:\WINDOWS\System32\svchost.exe -k LocalService
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\PSIService.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\rundll32.exe
C:\Documents and Settings\Admin\Application Data\U3\0461FA6082524A0B\LaunchPad.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Documents and Settings\Admin\Desktop\dds.scr
C:\WINDOWS\System32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page =
uSearch Page = hxxp://www.google.com
uDefault_Page_URL = hxxp://www.dell4me.com/myway
uSearch Bar = hxxp://www.google.com/ie
uInternet Connection Wizard,ShellNext = hxxp://www.dell4me.com/myway
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
mURLSearchHooks: AOLTBSearch Class: {ea756889-2338-43db-8f07-d1ca6fb9c90d} - c:\program files\aol\aim toolbar 5.0\aoltb.dll
BHO: {0e3d24ce-fab7-4d70-a784-86940e9b694c} - c:\windows\system32\kolabuyu.dll
BHO: {44f7abb7-6105-4537-a4f4-fa6a4146f1d5} - c:\windows\system32\jazoloya.dll
BHO: {7c41631d-ab45-f1c8-9344-da7fc65dfa05}: {50afd56c-f7ad-4439-8c1f-54bad13614c7} - c:\windows\system32\bonhlp.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: {8dc1b6b0-2440-412f-9452-e75567372073} - c:\windows\system32\ssqPjjJy.dll
BHO: {9fe19765-4580-4834-af93-4fea2faa11e0} - c:\windows\system32\tutedase.dll
BHO: {d1464d74-4628-45b4-8e44-50844d04558a} - c:\windows\system32\zeladugu.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Web assistant: {0b53eac3-8d69-4b9e-9b19-a37c9a5676a7} - c:\program files\common files\symantec shared\adblocking\NISShExt.dll
TB: AIM Toolbar: {de9c389f-3316-41a7-809b-aa305ed9d922} - c:\program files\aol\aim toolbar 5.0\aoltb.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar3.dll
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [Sonic RecordNow! Deluxe]
uRun: [swg] "c:\program files\google\googletoolbarnotifier\1.0.720.3640\GoogleToolbarNotifier.exe"
uRun: [DAEMON Tools] "c:\program files\daemon tools\daemon.exe" -lang 1033
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SfKg6wIP] c:\documents and settings\admin\application data\microsoft\windows\ejcuih.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [IntelMeM] "c:\program files\intel\modem event monitor\IntelMEM.exe"
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [Dell AIO Printer A920] "c:\program files\dell aio printer a920\dlbkbmgr.exe"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
mRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
mRun: [SpyHunter Security Suite] c:\program files\enigma software group\spyhunter\SpyHunter3.exe
mRun: [fopatarive] Rundll32.exe "c:\windows\system32\tewiseni.dll",s
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
IE: &AIM Search - c:\program files\aol\aim toolbar 5.0\resources\en-us\local\search.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe
IE: {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {3369AF0D-62E9-4bda-8103-B4C75499B578} - {DE9C389F-3316-41A7-809B-AA305ED9D922} - c:\program files\aol\aim toolbar 5.0\aoltb.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
Trusted Zone: mozilla.com\www
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Notify: igfxcui - igfxsrvc.dll
Notify: WRNotifier - WRLogonNTF.dll
AppInit_DLLs: krwjli.dll c:\windows\system32\riwiliko.dll c:\windows\system32\jazoloya.dll c:\windows\system32\larifise.dll bonhlp.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, digeste.dll
LSA: Notification Packages = scecli c:\windows\system32\jazoloya.dll c:\windows\system32\larifise.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\admin\applic~1\mozilla\firefox\profiles\3c6bc829.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - plugin: c:\program files\mozilla firefox\plugins\npitunes.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npunagi2.dll

============= SERVICES / DRIVERS ===============

R4 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\CCSETMGR.EXE [2004-10-19 235120]
S3 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\CCEVTMGR.EXE [2004-10-19 255600]
S3 ccPwdSvc;Symantec Password Validation;c:\program files\common files\symantec shared\CCPWDSVC.EXE [2004-10-19 87664]
S3 NPF;Netgroup Packet Filter;c:\windows\system32\drivers\npf.sys [2004-12-10 30336]

=============== Created Last 30 ================

2009-01-15 21:10 131,821 a--sh--- c:\windows\system32\bonhlp.dll
2009-01-15 20:10 1,327,740 ---sh--- c:\windows\system32\utopuzug.ini
2009-01-15 20:10 2,713 ---sh--- c:\windows\system32\rozodobu.dll
2009-01-12 19:16 131,722 a--sh--- c:\windows\system32\bjvtdz.dll
2009-01-11 23:23 1,212,876 ---sh--- c:\windows\system32\evowovom.ini
2009-01-11 20:07 <DIR> --d----- c:\program files\Enigma Software Group
2009-01-10 23:12 1,212,876 ---sh--- c:\windows\system32\omedipob.ini
2009-01-10 23:07 1,212,876 ---sh--- c:\windows\system32\uzaroyod.ini
2009-01-06 19:51 1,277,739 ---sh--- c:\windows\system32\ebaludon.ini
2009-01-06 06:05 1,262,993 ---sh--- c:\windows\system32\ohajeyam.ini
2009-01-05 17:12 1,262,676 ---sh--- c:\windows\system32\asodesil.ini
2009-01-04 23:45 1,262,640 ---sh--- c:\windows\system32\eworusuw.ini
2009-01-04 11:46 1,262,640 ---sh--- c:\windows\system32\eyezuzaj.ini
2009-01-03 14:02 1,262,640 ---sh--- c:\windows\system32\ohenovim.ini
2009-01-02 18:32 1,262,640 ---sh--- c:\windows\system32\irogired.ini
2009-01-02 01:17 1,262,640 ---sh--- c:\windows\system32\anenihay.ini
2009-01-01 13:17 1,262,640 ---sh--- c:\windows\system32\asatohas.ini
2008-12-31 21:45 1,262,640 ---sh--- c:\windows\system32\adufuduf.ini
2008-12-31 09:46 1,262,640 ---sh--- c:\windows\system32\ahedupul.ini
2008-12-30 17:09 1,262,640 ---sh--- c:\windows\system32\ovotabef.ini
2008-12-30 17:03 1,262,640 ---sh--- c:\windows\system32\uyoyewun.ini
2008-12-29 21:13 1,262,633 ---sh--- c:\windows\system32\ejawasiy.ini
2008-12-29 09:08 1,262,950 ---sh--- c:\windows\system32\ihisolel.ini
2008-12-28 12:53 1,261,704 ---sh--- c:\windows\system32\uyadupeh.ini
2008-12-28 00:03 1,261,704 ---sh--- c:\windows\system32\adiyivan.ini
2008-12-27 12:06 1,256,005 ---sh--- c:\windows\system32\elinukib.ini
2008-12-26 15:11 1,685,430 ---sh--- c:\windows\system32\aripebuk.ini
2008-12-25 22:42 1,603,449 ---sh--- c:\windows\system32\efirewuz.ini
2008-12-25 10:42 1,603,449 ---sh--- c:\windows\system32\iririmaf.ini
2008-12-24 18:02 1,603,449 ---sh--- c:\windows\system32\apimufuj.ini
2008-12-24 06:02 1,603,449 ---sh--- c:\windows\system32\ahetabew.ini
2008-12-23 16:50 1,603,449 ---sh--- c:\windows\system32\uyuhakum.ini
2008-12-23 16:45 1,603,449 ---sh--- c:\windows\system32\ilegeday.ini
2008-12-22 21:16 1,603,449 ---sh--- c:\windows\system32\apenikom.ini
2008-12-21 00:41 <DIR> --dsh--- c:\documents and settings\admin\PrivacIE
2008-12-21 00:00 <DIR> --d----- c:\windows\ie8updates
2008-12-20 23:49 <DIR> -cd-h--- c:\windows\ie8
2008-12-20 23:11 1,603,449 ---sh--- c:\windows\system32\emayivuj.ini
2008-12-20 00:01 <DIR> --dsh--- c:\windows\TUlDSEFFTA

==================== Find3M ====================

2009-01-15 21:10 131,821 a--sh--- c:\windows\system32\babopeni.dll
2009-01-15 20:10 68,838 a--sh--- c:\windows\system32\riseweke.dll
2009-01-15 20:10 127,812 a--sh--- c:\windows\system32\hejivole.dll
2009-01-12 19:16 131,722 a--sh--- c:\windows\system32\vagiluke.dll
2009-01-12 18:15 99,399 a--sh--- c:\windows\system32\porupiri.dll
2009-01-12 18:15 64,101 a--sh--- c:\windows\system32\setevari.dll
2009-01-11 23:23 105,726 a--sh--- c:\windows\system32\dakegopu.dll
2009-01-10 23:07 105,526 a--sh--- c:\windows\system32\sinuvili.dll
2009-01-10 23:07 69,174 a--sh--- c:\windows\system32\yuzizowa.dll
2009-01-06 18:43 69,370 a--sh--- c:\windows\system32\zidanoso.dll
2009-01-03 14:02 97,472 a--sh--- c:\windows\system32\rifupopi.dll
2009-01-01 13:17 100,593 a--sh--- c:\windows\system32\zumowita.dll
2008-12-31 09:45 99,140 a--sh--- c:\windows\system32\duwalafa.dll
2008-12-30 17:09 97,877 a--sh--- c:\windows\system32\zipemona.dll
2008-12-30 17:03 61,599 a--sh--- c:\windows\system32\niwesiti.dll
2008-12-29 21:13 97,503 a--sh--- c:\windows\system32\pohefito.dll
2008-12-29 21:07 62,586 a--sh--- c:\windows\system32\bikujire.dll
2008-12-29 09:08 98,999 a--sh--- c:\windows\system32\zebeniki.dll
2008-12-28 12:53 99,115 a--sh--- c:\windows\system32\jehoyasi.dll
2008-12-28 00:03 96,559 a--sh--- c:\windows\system32\sanezudi.dll
2008-12-27 12:06 99,898 a--sh--- c:\windows\system32\mizokaki.dll
2008-12-27 11:57 99,102 a--sh--- c:\windows\system32\bubesovo.dll
2008-12-27 11:57 64,292 a--sh--- c:\windows\system32\bavadobu.dll
2008-12-26 15:11 99,026 a--sh--- c:\windows\system32\poredovi.dll
2008-12-25 22:42 97,921 a--sh--- c:\windows\system32\wimineja.dll
2008-12-25 10:42 97,851 a--sh--- c:\windows\system32\gurehavo.dll
2008-12-24 18:02 99,635 a--sh--- c:\windows\system32\zatoliye.dll
2008-12-24 06:02 95,928 a--sh--- c:\windows\system32\tofobuda.dll
2008-12-23 16:50 97,906 a--sh--- c:\windows\system32\jisizosa.dll
2008-12-23 16:44 63,601 a--sh--- c:\windows\system32\yijowuzo.dll
2008-12-22 21:16 95,917 a--sh--- c:\windows\system32\jowutasi.dll
2008-12-22 06:18 94,906 a--sh--- c:\windows\system32\gatosisu.dll
2008-12-21 14:18 94,978 a--sh--- c:\windows\system32\jepewosi.dll
2008-12-21 02:18 98,034 a--sh--- c:\windows\system32\jijeruwa.dll
2008-12-20 22:05 62,518 a--sh--- c:\windows\system32\reditika.dll
2008-12-19 19:09 85,274 a--sh--- c:\windows\system32\vuzizele.dll
2008-12-18 22:39 95,028 a--sh--- c:\windows\system32\kadavasu.dll
2008-12-18 21:05 62,518 a--sh--- c:\windows\system32\falayomo.dll
2008-12-18 21:05 95,798 a--sh--- c:\windows\system32\mupabevu.dll
2008-12-16 19:05 63,542 a--sh--- c:\windows\system32\bilelovi.dll
2008-12-14 08:59 5,699,584 a------- c:\windows\system32\dllcache\mshtml.dll
2008-12-12 22:04 78,991 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2008-12-12 17:07 410,984 a------- c:\windows\system32\deploytk.dll
2008-12-12 13:21 90,883 a--sh--- c:\windows\system32\bodozanu.dll
2008-12-11 05:57 333,952 a------- c:\windows\system32\drivers\srv.sys
2008-12-11 05:57 333,952 -------- c:\windows\system32\dllcache\srv.sys
2008-12-10 21:27 62,567 a--sh--- c:\windows\system32\sofalule.dll
2008-12-10 20:27 62,060 a--sh--- c:\windows\system32\kaleguli.dll
2008-12-09 19:06 64,054 a--sh--- c:\windows\system32\pufafube.dll
2008-12-08 23:15 1,995 ---sh--- c:\windows\system32\tohedida.exe
2008-11-10 17:26 2,516 a--sh--- c:\windows\system32\KGyGaAvL.sys
2008-10-24 06:21 455,296 -------- c:\windows\system32\dllcache\mrxsmb.sys
2008-10-23 07:36 286,720 a------- c:\windows\system32\gdi32.dll
2008-10-23 07:36 286,720 -------- c:\windows\system32\dllcache\gdi32.dll
2008-08-27 20:11 4,251 a------- c:\program files\mirc.ini
2008-08-27 20:11 279 a------- c:\program files\urls.ini
2008-08-27 19:49 44,143 a------- c:\program files\upload.log
2006-10-22 13:16 29,132 a---h--- c:\program files\mirc.GID
2005-12-06 22:29 51,752 a------- c:\docume~1\admin\applic~1\GDIPFONTCACHEV1.DAT
2004-03-10 11:38 1,937,408 a------- c:\program files\mirc.exe
2004-03-10 11:38 229,917 a------- c:\program files\mirc.hlp
2004-03-10 11:38 68,949 a------- c:\program files\ircintro.hlp
2004-03-10 11:38 30,496 a------- c:\program files\versions.txt
2004-03-10 11:38 1,104 a------- c:\program files\readme.txt
2003-10-12 08:31 59,605 a------- c:\program files\sysreset.txt
2002-06-12 20:40 92,272 a------- c:\program files\sysreset.hlp
2002-06-12 20:40 679 a------- c:\program files\sysreset.cnt
2001-05-24 12:59 162,304 a------- c:\program files\UNWISE.EXE
2001-04-06 04:50 0 a------- c:\program files\page.log
2008-09-16 19:05 63,542 a--sh--- c:\windows\system32\budifene.dll
2008-09-27 11:57 64,292 a--sh--- c:\windows\system32\dodeduru.dll
2008-09-16 19:05 63,542 a--sh--- c:\windows\system32\dofimete.dll
0000-00-00 00:00 90,624 a--sh--- c:\windows\system32\fewuyeku.dll
2008-09-16 19:00 64,517 a--sh--- c:\windows\system32\gogaduso.dll
2008-09-18 21:00 64,517 a--sh--- c:\windows\system32\gotofiba.dll
2008-09-18 21:00 64,517 a--sh--- c:\windows\system32\huvarera.dll
2008-09-29 21:08 62,586 a--sh--- c:\windows\system32\joriyodo.dll
2008-09-18 21:05 62,518 a--sh--- c:\windows\system32\jufonefi.dll
2008-09-20 22:05 62,518 a--sh--- c:\windows\system32\kagetika.dll
2008-09-30 17:04 61,599 a--sh--- c:\windows\system32\kajogisi.dll
0000-00-00 00:00 68,838 a--sh--- c:\windows\system32\larifise.dll
0000-00-00 00:00 69,370 a--sh--- c:\windows\system32\logiheze.dll
2008-09-30 17:04 61,599 a--sh--- c:\windows\system32\metajeka.dll
2008-09-29 21:08 62,586 a--sh--- c:\windows\system32\miniyifu.dll
2008-09-10 20:27 86,016 a--sh--- c:\windows\system32\nehokaki.dll
2008-09-18 21:05 62,518 a--sh--- c:\windows\system32\nidawila.dll
2008-09-20 22:00 64,517 a--sh--- c:\windows\system32\pehuraba.dll
0000-00-00 00:00 64,512 a--sh--- c:\windows\system32\pimewate.dll
2008-09-23 16:44 11,264 a--sh--- c:\windows\system32\pugaloji.dll
2008-09-23 16:45 63,601 a--sh--- c:\windows\system32\pumoloze.dll
2008-09-18 21:00 64,517 a--sh--- c:\windows\system32\pupukiri.dll
2008-09-16 19:05 63,542 a--sh--- c:\windows\system32\rebonoga.dll
0000-00-00 00:00 69,370 a--sh--- c:\windows\system32\reseguse.dll
2008-09-18 21:05 62,518 a--sh--- c:\windows\system32\ruhufuga.dll
2008-09-29 21:08 62,586 a--sh--- c:\windows\system32\rulukike.dll
2008-09-16 19:00 64,517 a--sh--- c:\windows\system32\ruzukuge.dll
2008-09-16 19:05 75,776 a--sh--- c:\windows\system32\tebogore.dll
2008-09-23 16:45 63,601 a--sh--- c:\windows\system32\wotozaso.dll
2008-09-16 19:00 64,517 a--sh--- c:\windows\system32\yadegupa.dll
2008-09-30 17:04 61,599 a--sh--- c:\windows\system32\yapavasi.dll
2008-09-20 22:05 77,824 a--sh--- c:\windows\system32\yirejame.dll
0000-00-00 00:00 18,432 a--sh--- c:\windows\system32\yuguranu.dll
0000-00-00 00:00 64,512 a--sh--- c:\windows\system32\yusifabo.dll
0000-00-00 00:00 69,370 a--sh--- c:\windows\system32\zatehupo.dll
2008-09-27 11:57 64,292 a--sh--- c:\windows\system32\zihosofo.dll
2008-09-27 11:57 64,292 a--sh--- c:\windows\system32\zowogepi.dll
2008-09-23 16:45 63,601 a--sh--- c:\windows\system32\zubozedi.dll
2005-07-29 16:24 472 a--shr-- c:\windows\tuldseffta\no5GmHIInE.vbs

============= FINISH: 17:47:42.70 ===============


Here is my most recent Malwarebytes’ Anti-Malware log:

Malwarebytes' Anti-Malware 1.30
Database version: 1443
Windows 5.1.2600 Service Pack 3

1/16/2009 9:49:57 PM
mbam-log-2009-01-16 (21-49-57).txt

Scan type: Quick Scan
Objects scanned: 79764
Time elapsed: 22 minute(s), 46 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 2
Registry Keys Infected: 8
Registry Values Infected: 5
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 5

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\SYSTEM32\jefugiwo.dll (Trojan.Vundo.H) -> Delete on reboot.
c:\WINDOWS\SYSTEM32\beziyefu.dll (Trojan.BHO) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9fe19765-4580-4834-af93-4fea2faa11e0} (Trojan.BHO.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{9fe19765-4580-4834-af93-4fea2faa11e0} (Trojan.BHO.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\dslcnnct (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\98ab60c3 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\ssodl (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cpm9b98535f (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fopatarive (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.BHO) -> Data: c:\windows\system32\beziyefu.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.BHO) -> Data: system32\beziyefu.dll -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\SYSTEM32\jefugiwo.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\SYSTEM32\owigufej.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\yezumoyu.dll (Trojan.BHO.H) -> Delete on reboot.
c:\WINDOWS\SYSTEM32\beziyefu.dll (Trojan.BHO) -> Delete on reboot.
C:\WINDOWS\SYSTEM32\jomibeyo.dll (Trojan.Agent) -> Delete on reboot.
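The DDS log above shows the pattern a helper reads for: randomly named DLL/INI files in system32 carrying the system+hidden attributes, wired in through unnamed BHOs, AppInit_DLLs, LSA Notification Packages and rundll32 Run entries. The triage script below is an added example, not code from the thread, DDS or ComboFix; it parses a constructed excerpt in the same format and cross-references the persistence points against the hidden-file listing. All function names are my own.

```python
"""Triage helper for DDS/HijackThis-style logs (added example, not from the
thread or from the DDS tool). It reads the Pseudo HJT Report loader lines and
the file-listing lines, then cross-references them for the Vundo pattern."""
import re

# Constructed excerpt in the shape of the DDS log above (sample input).
SAMPLE_LOG = r"""BHO: {0e3d24ce-fab7-4d70-a784-86940e9b694c} - c:\windows\system32\kolabuyu.dll
BHO: Java(TM) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
uRun: [SfKg6wIP] c:\documents and settings\admin\application data\microsoft\windows\ejcuih.exe
mRun: [fopatarive] Rundll32.exe "c:\windows\system32\tewiseni.dll",s
AppInit_DLLs: krwjli.dll c:\windows\system32\riwiliko.dll c:\windows\system32\jazoloya.dll bonhlp.dll
LSA: Notification Packages = scecli c:\windows\system32\jazoloya.dll c:\windows\system32\larifise.dll
2009-01-15 21:10 131,821 a--sh--- c:\windows\system32\bonhlp.dll
2009-01-15 20:10 1,327,740 ---sh--- c:\windows\system32\utopuzug.ini
2008-12-14 08:59 5,699,584 a------- c:\windows\system32\dllcache\mshtml.dll
"""

# Loader lines in the Pseudo HJT Report that can pull a DLL/EXE into a process.
LOADER_PREFIXES = ("BHO:", "uRun:", "mRun:", "AppInit_DLLs:", "LSA:", "SSODL:")
# "2009-01-15 21:10 131,821 a--sh--- c:\path" -> (attribute column, path)
FILE_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}\s+[\d,]+\s+([a-z-]{8})\s+(\S.*?)\s*$")
# A full drive path without spaces, or a bare module name, ending in .dll/.exe
PATH_RE = re.compile(r'(?:[a-z]:\\[^"\s,]+?|\b[a-z0-9_]+)\.(?:dll|exe)\b', re.I)
# A BHO line that carries only a CLSID and a path, no display name
UNNAMED_BHO_RE = re.compile(r"^BHO: \{[0-9a-f-]{36}\} - ", re.I)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def hidden_system32_files(log):
    """Basenames of system32 files whose attribute column has both s and h set."""
    found = set()
    for line in log.splitlines():
        m = FILE_RE.match(line.strip())
        if not m:
            continue  # headers, <DIR> rows and prose do not match
        attrs, path = m.group(1), m.group(2).lower()
        if "\\system32\\" in path and "s" in attrs and "h" in attrs:
            found.add(basename(path))
    return found


def loader_findings(log):
    """(kind, basename, reason) for each persistence entry worth a second look."""
    findings = []
    for line in log.splitlines():
        line = line.strip()
        kind = next((p.rstrip(":") for p in LOADER_PREFIXES if line.startswith(p)), None)
        if kind is None:
            continue
        for m in PATH_RE.finditer(line):
            name = basename(m.group(0))
            if kind == "AppInit_DLLs":
                # Any entry here is loaded into every user-mode process that links user32
                findings.append((kind, name, "injected into every user-mode process via AppInit_DLLs"))
            elif kind == "LSA" and "Notification Packages" in line:
                # Only scecli (no extension, so never matched) is expected by default
                findings.append(("LSA Notification Packages", name, "non-default package loaded by LSASS at boot"))
            elif kind == "BHO" and UNNAMED_BHO_RE.match(line):
                findings.append((kind, name, "BHO registered without a display name"))
            elif kind in ("uRun", "mRun") and "rundll32" in line.lower() and name.endswith(".dll"):
                findings.append((kind, name, "Run entry loads a DLL through rundll32"))
    return findings


def triage(log):
    """Loader findings plus hidden system32 files, flagging any overlap between the two."""
    hidden = hidden_system32_files(log)
    findings = loader_findings(log)
    loaded = {name for _, name, _ in findings}
    for name in sorted(hidden):
        if name in loaded:
            findings.append(("cross-ref", name, "loaded at startup AND carries system+hidden attributes"))
        else:
            findings.append(("hidden-file", name, "system+hidden file in system32 not referenced by a loader line"))
    return sorted(set(findings))


if __name__ == "__main__":
    for kind, name, reason in triage(SAMPLE_LOG):
        print(f"{kind:26} {name:16} {reason}")
```

Legitimate entries in the excerpt (the named Java BHO, mshtml.dll in dllcache) produce no finding; the script is a reading aid, not a cleaner.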

#2 fenzodahl512


Posted 17 January 2009 - 06:48 AM

Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix.. Please visit HERE if you don't know how.. Please re-enable them back after performing all steps given..

Please download ComboFix by sUBs from one of the locations below, and save it to your Desktop.

Link 1
Link 2
Link 3

Double click combofix.exe and follow the prompts. Please, never rename Combofix unless instructed.

If ComboFix asks you to install the Recovery Console, please do so.. It will be in your best interest..

When finished, it shall produce a log for you. Post that log and a fresh HijackThis log in your next reply..

Note: DON'T do anything with your computer while ComboFix is running.. Let ComboFix finish its job..

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#3 aoc442

  • Topic Starter


Posted 17 January 2009 - 12:58 PM

Thanks for the quick reply.

Here's my ComboFix log:

ComboFix 09-01-16.04 - Admin 2009-01-17 12:02:21.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.214 [GMT -5:00]
Running from: c:\documents and settings\Admin\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\documents and settings\Admin\Local Settings\Temporary Internet Files\bestwiner.stt
c:\documents and settings\Admin\Local Settings\Temporary Internet Files\CPV.stt
c:\documents and settings\Admin\Local Settings\Temporary Internet Files\fbk.sts
c:\windows\system32\_005871_.tmp.dll
c:\windows\system32\_005872_.tmp.dll
c:\windows\system32\_005873_.tmp.dll
c:\windows\system32\_005874_.tmp.dll
c:\windows\system32\babopeni.dll
c:\windows\system32\bavadobu.dll
c:\windows\system32\bikujire.dll
c:\windows\system32\bilelovi.dll
c:\windows\system32\bjvtdz.dll
c:\windows\system32\bodozanu.dll
c:\windows\system32\bonhlp.dll
c:\windows\system32\bubesovo.dll
c:\windows\system32\dakegopu.dll
c:\windows\system32\dodeduru.dll
c:\windows\system32\drivers\fad.sys
c:\windows\system32\drivers\npf.sys
c:\windows\system32\falayomo.dll
c:\windows\system32\fayivani.dll
c:\windows\system32\fewuyeku.dll
c:\windows\system32\gatosisu.dll
c:\windows\system32\gezafuje.dll
c:\windows\system32\gurehavo.dll
c:\windows\system32\jehoyasi.dll
c:\windows\system32\jepewosi.dll
c:\windows\system32\jgdtgz.dll
c:\windows\system32\jijeruwa.dll
c:\windows\system32\jisizosa.dll
c:\windows\system32\joriyodo.dll
c:\windows\system32\jowutasi.dll
c:\windows\system32\kadavasu.dll
c:\windows\system32\kagetika.dll
c:\windows\system32\kajogisi.dll
c:\windows\system32\kaleguli.dll
c:\windows\system32\logiheze.dll
c:\windows\system32\lojaloke.exe
c:\windows\system32\metajeka.dll
c:\windows\system32\miniyifu.dll
c:\windows\system32\mizokaki.dll
c:\windows\system32\mupabevu.dll
c:\windows\system32\niwesiti.dll
c:\windows\system32\nusayuta.dll
c:\windows\system32\packet.dll
c:\windows\system32\pehuraba.dll
c:\windows\system32\pimewate.dll
c:\windows\system32\pohefito.dll
c:\windows\system32\poredovi.dll
c:\windows\system32\porupiri.dll
c:\windows\system32\pthreadVC.dll
c:\windows\system32\pufafube.dll
c:\windows\system32\pumoloze.dll
c:\windows\system32\reditika.dll
c:\windows\system32\reseguse.dll
c:\windows\system32\riseweke.dll
c:\windows\system32\rulukike.dll
c:\windows\system32\sanezudi.dll
c:\windows\system32\setevari.dll
c:\windows\system32\sinuvili.dll
c:\windows\system32\sofalule.dll
c:\windows\system32\tofobuda.dll
c:\windows\system32\vagiluke.dll
c:\windows\system32\vuzizele.dll
c:\windows\system32\wimineja.dll
c:\windows\system32\wojunoki.dll
c:\windows\system32\wotozaso.dll
c:\windows\system32\wpcap.dll
c:\windows\system32\yapavasi.dll
c:\windows\system32\yijowuzo.dll
c:\windows\system32\yuguranu.dll
c:\windows\system32\yusifabo.dll
c:\windows\system32\yuzizowa.dll
c:\windows\system32\zatehupo.dll
c:\windows\system32\zatoliye.dll
c:\windows\system32\zebeniki.dll
c:\windows\system32\zidanoso.dll
c:\windows\system32\zihosofo.dll
c:\windows\system32\zipemona.dll
c:\windows\system32\zowogepi.dll
c:\windows\system32\zubozedi.dll
c:\windows\Tasks\debcarmw.job
c:\windows\wiaserviv.log
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat . . . . failed to delete
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat . . . . failed to delete

----- BITS: Possible infected sites -----

hxxp://77.74.48.105
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NPF
-------\Service_NPF


((((((((((((((((((((((((( Files Created from 2008-12-17 to 2009-01-17 )))))))))))))))))))))))))))))))
.

2009-01-16 18:06 . 2009-01-16 18:07 1,354,487 ---hs---- c:\windows\SYSTEM32\osohaviv.ini
2009-01-15 20:10 . 2009-01-15 20:10 1,327,740 ---hs---- c:\windows\SYSTEM32\utopuzug.ini
2009-01-15 20:10 . 2009-01-15 20:10 2,713 ---hs---- c:\windows\SYSTEM32\rozodobu.dll
2009-01-11 23:23 . 2009-01-11 23:24 1,212,876 ---hs---- c:\windows\SYSTEM32\evowovom.ini
2009-01-11 20:07 . 2009-01-11 20:07 <DIR> d-------- c:\program files\Enigma Software Group
2009-01-10 23:12 . 2009-01-10 23:12 1,212,876 ---hs---- c:\windows\SYSTEM32\omedipob.ini
2009-01-10 23:07 . 2009-01-10 23:07 1,212,876 ---hs---- c:\windows\SYSTEM32\uzaroyod.ini
2009-01-06 19:51 . 2009-01-06 19:52 1,277,739 ---hs---- c:\windows\SYSTEM32\ebaludon.ini
2009-01-06 06:05 . 2009-01-06 06:06 1,262,993 ---hs---- c:\windows\SYSTEM32\ohajeyam.ini
2009-01-05 17:12 . 2009-01-05 17:13 1,262,676 ---hs---- c:\windows\SYSTEM32\asodesil.ini
2009-01-04 23:45 . 2009-01-04 23:46 1,262,640 ---hs---- c:\windows\SYSTEM32\eworusuw.ini
2009-01-04 11:46 . 2009-01-04 11:48 1,262,640 ---hs---- c:\windows\SYSTEM32\eyezuzaj.ini
2009-01-03 14:02 . 2009-01-03 14:03 1,262,640 ---hs---- c:\windows\SYSTEM32\ohenovim.ini
2009-01-02 18:32 . 2009-01-02 18:33 1,262,640 ---hs---- c:\windows\SYSTEM32\irogired.ini
2009-01-02 01:17 . 2009-01-02 01:17 1,262,640 ---hs---- c:\windows\SYSTEM32\anenihay.ini
2009-01-01 13:17 . 2009-01-01 13:18 1,262,640 ---hs---- c:\windows\SYSTEM32\asatohas.ini
2008-12-31 21:45 . 2008-12-31 21:46 1,262,640 ---hs---- c:\windows\SYSTEM32\adufuduf.ini
2008-12-31 09:46 . 2008-12-31 09:47 1,262,640 ---hs---- c:\windows\SYSTEM32\ahedupul.ini
2008-12-30 17:09 . 2008-12-30 17:09 1,262,640 ---hs---- c:\windows\SYSTEM32\ovotabef.ini
2008-12-30 17:03 . 2008-12-30 17:06 1,262,640 ---hs---- c:\windows\SYSTEM32\uyoyewun.ini
2008-12-29 21:13 . 2008-12-29 21:14 1,262,633 ---hs---- c:\windows\SYSTEM32\ejawasiy.ini
2008-12-29 09:08 . 2008-12-29 09:10 1,262,950 ---hs---- c:\windows\SYSTEM32\ihisolel.ini
2008-12-28 12:53 . 2008-12-28 12:54 1,261,704 ---hs---- c:\windows\SYSTEM32\uyadupeh.ini
2008-12-28 00:03 . 2008-12-28 00:04 1,261,704 ---hs---- c:\windows\SYSTEM32\adiyivan.ini
2008-12-27 12:06 . 2008-12-27 12:07 1,256,005 ---hs---- c:\windows\SYSTEM32\elinukib.ini
2008-12-26 15:11 . 2008-12-26 15:12 1,685,430 ---hs---- c:\windows\SYSTEM32\aripebuk.ini
2008-12-25 22:42 . 2008-12-25 22:43 1,603,449 ---hs---- c:\windows\SYSTEM32\efirewuz.ini
2008-12-25 10:42 . 2008-12-25 10:43 1,603,449 ---hs---- c:\windows\SYSTEM32\iririmaf.ini
2008-12-24 18:02 . 2008-12-24 18:02 1,603,449 ---hs---- c:\windows\SYSTEM32\apimufuj.ini
2008-12-24 06:02 . 2008-12-24 06:03 1,603,449 ---hs---- c:\windows\SYSTEM32\ahetabew.ini
2008-12-23 16:50 . 2008-12-23 16:50 1,603,449 ---hs---- c:\windows\SYSTEM32\uyuhakum.ini
2008-12-23 16:45 . 2008-12-23 16:45 1,603,449 ---hs---- c:\windows\SYSTEM32\ilegeday.ini
2008-12-22 21:16 . 2008-12-22 21:16 1,603,449 ---hs---- c:\windows\SYSTEM32\apenikom.ini
2008-12-21 00:41 . 2008-12-21 00:41 <DIR> d--hs---- c:\documents and settings\Admin\PrivacIE
2008-12-21 00:00 . 2008-12-21 00:00 <DIR> d-------- c:\windows\ie8updates
2008-12-20 23:49 . 2008-12-20 23:51 <DIR> d--h-c--- c:\windows\ie8
2008-12-20 23:11 . 2008-12-20 23:11 1,603,449 ---hs---- c:\windows\SYSTEM32\emayivuj.ini
2008-12-20 00:01 . 2008-12-20 00:47 <DIR> d--hs---- c:\windows\TUlDSEFFTA

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-17 07:14 --------- d-----w c:\documents and settings\Admin\Application Data\uTorrent
2009-01-16 23:22 --------- d-----w c:\documents and settings\Admin\Application Data\U3
2009-01-08 20:08 --------- d-----w c:\program files\LimeWire
2008-12-20 18:00 --------- d-----w c:\documents and settings\Admin\Application Data\HP
2008-12-12 22:06 --------- d-----w c:\program files\Java
2008-12-11 10:57 333,952 ----a-w c:\windows\system32\drivers\srv.sys
2008-12-06 22:47 --------- d-----w c:\documents and settings\Admin\Application Data\Twain
2008-12-01 23:32 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2008-12-01 23:32 --------- d-----w c:\documents and settings\Admin\Application Data\Malwarebytes
2008-12-01 23:32 --------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-01 23:27 --------- d-----w c:\program files\Viewpoint
2008-12-01 23:27 --------- d-----w c:\documents and settings\All Users\Application Data\Viewpoint
2008-11-20 02:55 --------- d-----w c:\program files\Common Files\DAZ
2008-08-28 01:11 4,251 ----a-w c:\program files\mirc.ini
2008-08-28 01:11 279 ----a-w c:\program files\urls.ini
2008-08-28 00:49 44,143 ----a-w c:\program files\upload.log
2006-10-22 18:16 29,132 ---ha-w c:\program files\mirc.GID
2005-12-07 03:29 51,752 ----a-w c:\documents and settings\Admin\Application Data\GDIPFONTCACHEV1.DAT
2004-03-10 16:38 68,949 ----a-w c:\program files\ircintro.hlp
2004-03-10 16:38 30,496 ----a-w c:\program files\versions.txt
2004-03-10 16:38 229,917 ----a-w c:\program files\mirc.hlp
2004-03-10 16:38 1,937,408 ----a-w c:\program files\mirc.exe
2004-03-10 16:38 1,104 ----a-w c:\program files\readme.txt
2003-10-12 13:31 59,605 ----a-w c:\program files\sysreset.txt
2002-06-13 01:40 92,272 ----a-w c:\program files\sysreset.hlp
2002-06-13 01:40 679 ----a-w c:\program files\sysreset.cnt
2001-05-24 17:59 162,304 ----a-w c:\program files\UNWISE.EXE
2001-04-06 09:50 0 ----a-w c:\program files\page.log
2008-09-17 00:05 63,542 --sha-w c:\windows\SYSTEM32\budifene.dll
2008-09-17 00:05 63,542 --sha-w c:\windows\SYSTEM32\dofimete.dll
2008-09-17 00:00 64,517 --sha-w c:\windows\SYSTEM32\gogaduso.dll
2008-09-19 02:00 64,517 --sha-w c:\windows\SYSTEM32\gotofiba.dll
2008-09-19 02:00 64,517 --sha-w c:\windows\SYSTEM32\huvarera.dll
2008-09-19 02:05 62,518 --sha-w c:\windows\SYSTEM32\jufonefi.dll
2008-09-11 01:27 86,016 --sha-w c:\windows\SYSTEM32\nehokaki.dll
2008-09-19 02:05 62,518 --sha-w c:\windows\SYSTEM32\nidawila.dll
2008-09-23 21:44 11,264 --sha-w c:\windows\SYSTEM32\pugaloji.dll
2008-09-19 02:00 64,517 --sha-w c:\windows\SYSTEM32\pupukiri.dll
2008-09-17 00:05 63,542 --sha-w c:\windows\SYSTEM32\rebonoga.dll
2008-09-19 02:05 62,518 --sha-w c:\windows\SYSTEM32\ruhufuga.dll
2008-09-17 00:00 64,517 --sha-w c:\windows\SYSTEM32\ruzukuge.dll
2008-09-17 00:05 75,776 --sha-w c:\windows\SYSTEM32\tebogore.dll
2008-09-17 00:00 64,517 --sha-w c:\windows\SYSTEM32\yadegupa.dll
2008-09-21 03:05 77,824 --sha-w c:\windows\SYSTEM32\yirejame.dll
2005-07-29 21:24 472 --sha-r c:\windows\TUlDSEFFTA\no5GmHIInE.vbs
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DAEMON Tools"="c:\program files\DAEMON Tools\daemon.exe" [2006-11-12 157592]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-10-19 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-10-19 126976]
"IntelMeM"="c:\program files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-03 221184]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2004-12-22 71280]
"Dell AIO Printer A920"="c:\program files\Dell AIO Printer A920\dlbkbmgr.exe" [2003-05-02 270336]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2005-02-20 180269]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-12 136600]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-06-29 286720]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2007-07-10 270648]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-02-19 49152]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064]
"SpyHunter Security Suite"="c:\program files\Enigma Software Group\SpyHunter\SpyHunter3.exe" [2008-10-08 864256]

LimeWire On Startup.lnk - c:\program files\LimeWire\LimeWire.exe [2007-01-29 122880]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-02-19 288472]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.ffds"= c:\progra~1\COMBIN~1\Filters\ff_vfw.dll
"vidc.wmv3"= c:\progra~1\COMBIN~1\Filters\wmv9vcm.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ \0

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli c:\windows\system32\fayivani.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\America Online 9.0 Tray Icon.lnk
backup=c:\windows\pss\America Online 9.0 Tray Icon.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
--------- 2004-04-11 11:43 53248 c:\program files\CyberLink\PowerDVD\DVDLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]
--------- 2004-04-11 20:15 290816 c:\program files\Dell\Media Experience\PCMService.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-06-29 06:24 286720 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2005-02-20 21:34 180269 c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\WinMX\\WinMX.exe"=
"c:\\Program Files\\Sierra On-Line\\SIGSPAT.EXE"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Documents and Settings\\Admin\\Desktop\\utorrent.exe"=
"c:\\Program Files\\Common Files\\AOL\\1180050023\\ee\\AOLServiceHost.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Dell Support Center\\bin\\sprtsvc.exe"=
"c:\\WINDOWS\\SYSTEM32\\wuauclt.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\SYSTEM32\\LEXPPS.EXE"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\WINDOWS\\SYSTEM32\\dwwin.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009


--- Other Services/Drivers In Memory ---

*Deregistered* - mchInjDrv

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b14f6452-9ee5-11db-a8a9-000f1f7a5d30}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{eb4aab46-9fc9-11db-a8ab-000f1f7a5d30}]
\Shell\AutoRun\command - I:\SETUP.EXE
.
Contents of the 'Scheduled Tasks' folder

2004-09-01 c:\windows\Tasks\ISP signup reminder 1.job
- c:\windows\System32\OOBE\OOBEBALN.EXE [2008-04-13 19:12]

2009-01-17 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDETECT.EXE []
.
- - - - ORPHANS REMOVED - - - -

BHO-{0e3d24ce-fab7-4d70-a784-86940e9b694c} - c:\windows\system32\kolabuyu.dll
BHO-{44f7abb7-6105-4537-a4f4-fa6a4146f1d5} - c:\windows\system32\jazoloya.dll
BHO-{8DC1B6B0-2440-412F-9452-E75567372073} - c:\windows\system32\ssqPjjJy.dll
BHO-{9fe19765-4580-4834-af93-4fea2faa11e0} - c:\windows\system32\yezumoyu.dll
BHO-{be5f02e5-6bed-495b-ab69-95df1b6855d7} - c:\windows\system32\jgdtgz.dll
BHO-{d1464d74-4628-45b4-8e44-50844d04558a} - c:\windows\system32\zeladugu.dll
HKCU-Run-swg - c:\program files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
HKCU-Run-Sonic RecordNow! Deluxe - (no file)
HKLM-Run-fopatarive - c:\windows\system32\jomibeyo.dll
Notify-WgaLogon - (no file)
MSConfigStartUp-mmtask - c:\program files\MusicMatch\MusicMatch Jukebox\mmtask.exe
MSConfigStartUp-MMTray - c:\program files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe
MSConfigStartUp-MSMSGS - c:\program files\Messenger\msmsgs.exe
MSConfigStartUp-ViewMgr - c:\program files\Viewpoint\Viewpoint Manager\ViewMgr.exe


.
------- Supplementary Scan -------
.
uStart Page =
uInternet Connection Wizard,ShellNext = hxxp://www.dell4me.com/myway
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: &AIM Search - c:\program files\aol\aim toolbar 5.0\resources\en-US\local\search.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
IE: {{d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html
Trusted Zone: www.mozilla.com
FF - ProfilePath - c:\documents and settings\Admin\Application Data\Mozilla\Firefox\Profiles\3c6bc829.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - plugin: c:\program files\Mozilla Firefox\plugins\npitunes.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-17 12:27:55
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"659BD8E725A05FDCC64118EA787EAA2B534A94FABE"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,7b,63,b0,ff,9a,2e,dd,4f,96,4c,d3,\
"3A77B377802A4B6183DDE08FDE4AD9AF647A702826"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,7b,63,b0,ff,9a,2e,dd,4f,96,4c,d3,\

[HKEY_USERS\S-1-5-21-2251903013-3228833577-2004428442-1007\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\KumasanTeam\¬0¸0§0Ă0Č0 *Č0é0¤0˘0ë0]
"Order"=hex:08,00,00,00,02,00,00,00,92,00,00,00,01,00,00,00,01,00,00,00,86,00,
00,00,00,00,00,00,78,00,00,00,41,75,67,4d,02,00,00,00,01,00,00,00,66,00,36,\
.
------------------------ Other Running Processes ------------------------
.
c:\windows\SYSTEM32\LEXBCES.EXE
c:\windows\SYSTEM32\LEXPPS.EXE
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Common Files\Symantec Shared\CCSETMGR.EXE
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\SYSTEM32\PSIService.exe
c:\program files\Dell Support Center\bin\sprtsvc.exe
c:\program files\Dell AIO Printer A920\dlbkbmon.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-01-17 12:37:06 - machine was rebooted
ComboFix-quarantined-files.txt 2009-01-17 17:35:48

Pre-Run: 1,543,311,360 bytes free
Post-Run: 2,684,923,904 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

365 --- E O F --- 2009-01-17 03:08:40



And here's a DDS log from after I ran ComboFix:

DDS (Ver_09-01-07.01) - NTFSx86
Run by Admin at 12:48:25.03 on Sat 01/17/2009
Internet Explorer: 8.0.6001.18241 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.243 [GMT -5:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\PSIService.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmon.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Admin\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page =
uInternet Connection Wizard,ShellNext = hxxp://www.dell4me.com/myway
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
mURLSearchHooks: H - No File
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Web assistant: {0b53eac3-8d69-4b9e-9b19-a37c9a5676a7} - c:\program files\common files\symantec shared\adblocking\NISShExt.dll
TB: AIM Toolbar: {de9c389f-3316-41a7-809b-aa305ed9d922} - c:\program files\aol\aim toolbar 5.0\aoltb.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar3.dll
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [DAEMON Tools] "c:\program files\daemon tools\daemon.exe" -lang 1033
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [IntelMeM] "c:\program files\intel\modem event monitor\IntelMEM.exe"
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [Dell AIO Printer A920] "c:\program files\dell aio printer a920\dlbkbmgr.exe"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
mRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
mRun: [SpyHunter Security Suite] c:\program files\enigma software group\spyhunter\SpyHunter3.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
IE: &AIM Search - c:\program files\aol\aim toolbar 5.0\resources\en-us\local\search.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe
IE: {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {3369AF0D-62E9-4bda-8103-B4C75499B578} - {DE9C389F-3316-41A7-809B-AA305ED9D922} - c:\program files\aol\aim toolbar 5.0\aoltb.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
Trusted Zone: mozilla.com\www
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Notify: igfxcui - igfxsrvc.dll
Notify: WRNotifier - WRLogonNTF.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
LSA: Notification Packages = scecli c:\windows\system32\fayivani.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\admin\applic~1\mozilla\firefox\profiles\3c6bc829.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - plugin: c:\program files\mozilla firefox\plugins\npitunes.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npunagi2.dll

============= SERVICES / DRIVERS ===============

R4 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\CCSETMGR.EXE [2004-10-19 235120]
S3 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\CCEVTMGR.EXE [2004-10-19 255600]
S3 ccPwdSvc;Symantec Password Validation;c:\program files\common files\symantec shared\CCPWDSVC.EXE [2004-10-19 87664]

=============== Created Last 30 ================

2009-01-17 11:29 <DIR> a-dshr-- C:\cmdcons
2009-01-17 11:26 161,792 a------- c:\windows\SWREG.exe
2009-01-17 11:26 98,816 a------- c:\windows\sed.exe
2009-01-17 11:26 <DIR> --d----- C:\ComboFix
2009-01-16 18:06 1,354,487 ---sh--- c:\windows\system32\osohaviv.ini
2009-01-15 20:10 1,327,740 ---sh--- c:\windows\system32\utopuzug.ini
2009-01-15 20:10 2,713 ---sh--- c:\windows\system32\rozodobu.dll
2009-01-11 23:23 1,212,876 ---sh--- c:\windows\system32\evowovom.ini
2009-01-11 20:07 <DIR> --d----- c:\program files\Enigma Software Group
2009-01-10 23:12 1,212,876 ---sh--- c:\windows\system32\omedipob.ini
2009-01-10 23:07 1,212,876 ---sh--- c:\windows\system32\uzaroyod.ini
2009-01-06 19:51 1,277,739 ---sh--- c:\windows\system32\ebaludon.ini
2009-01-06 06:05 1,262,993 ---sh--- c:\windows\system32\ohajeyam.ini
2009-01-05 17:12 1,262,676 ---sh--- c:\windows\system32\asodesil.ini
2009-01-04 23:45 1,262,640 ---sh--- c:\windows\system32\eworusuw.ini
2009-01-04 11:46 1,262,640 ---sh--- c:\windows\system32\eyezuzaj.ini
2009-01-03 14:02 1,262,640 ---sh--- c:\windows\system32\ohenovim.ini
2009-01-02 18:32 1,262,640 ---sh--- c:\windows\system32\irogired.ini
2009-01-02 01:17 1,262,640 ---sh--- c:\windows\system32\anenihay.ini
2009-01-01 13:17 1,262,640 ---sh--- c:\windows\system32\asatohas.ini
2008-12-31 21:45 1,262,640 ---sh--- c:\windows\system32\adufuduf.ini
2008-12-31 09:46 1,262,640 ---sh--- c:\windows\system32\ahedupul.ini
2008-12-30 17:09 1,262,640 ---sh--- c:\windows\system32\ovotabef.ini
2008-12-30 17:03 1,262,640 ---sh--- c:\windows\system32\uyoyewun.ini
2008-12-29 21:13 1,262,633 ---sh--- c:\windows\system32\ejawasiy.ini
2008-12-29 09:08 1,262,950 ---sh--- c:\windows\system32\ihisolel.ini
2008-12-28 12:53 1,261,704 ---sh--- c:\windows\system32\uyadupeh.ini
2008-12-28 00:03 1,261,704 ---sh--- c:\windows\system32\adiyivan.ini
2008-12-27 12:06 1,256,005 ---sh--- c:\windows\system32\elinukib.ini
2008-12-26 15:11 1,685,430 ---sh--- c:\windows\system32\aripebuk.ini
2008-12-25 22:42 1,603,449 ---sh--- c:\windows\system32\efirewuz.ini
2008-12-25 10:42 1,603,449 ---sh--- c:\windows\system32\iririmaf.ini
2008-12-24 18:02 1,603,449 ---sh--- c:\windows\system32\apimufuj.ini
2008-12-24 06:02 1,603,449 ---sh--- c:\windows\system32\ahetabew.ini
2008-12-23 16:50 1,603,449 ---sh--- c:\windows\system32\uyuhakum.ini
2008-12-23 16:45 1,603,449 ---sh--- c:\windows\system32\ilegeday.ini
2008-12-22 21:16 1,603,449 ---sh--- c:\windows\system32\apenikom.ini
2008-12-21 00:41 <DIR> --dsh--- c:\documents and settings\admin\PrivacIE
2008-12-21 00:00 <DIR> --d----- c:\windows\ie8updates
2008-12-20 23:49 <DIR> -cd-h--- c:\windows\ie8
2008-12-20 23:11 1,603,449 ---sh--- c:\windows\system32\emayivuj.ini
2008-12-20 00:01 <DIR> --dsh--- c:\windows\TUlDSEFFTA

==================== Find3M ====================

2009-01-15 20:10 127,812 a--sh--- c:\windows\system32\hejivole.dll
2009-01-03 14:02 97,472 a--sh--- c:\windows\system32\rifupopi.dll
2009-01-01 13:17 100,593 a--sh--- c:\windows\system32\zumowita.dll
2008-12-31 09:45 99,140 a--sh--- c:\windows\system32\duwalafa.dll
2008-12-14 08:59 5,699,584 a------- c:\windows\system32\dllcache\mshtml.dll
2008-12-12 22:04 78,991 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2008-12-12 17:07 410,984 a------- c:\windows\system32\deploytk.dll
2008-12-11 05:57 333,952 a------- c:\windows\system32\drivers\srv.sys
2008-12-11 05:57 333,952 -------- c:\windows\system32\dllcache\srv.sys
2008-12-08 23:15 1,995 ---sh--- c:\windows\system32\tohedida.exe
2008-11-10 17:26 2,516 a--sh--- c:\windows\system32\KGyGaAvL.sys
2008-10-24 06:21 455,296 -------- c:\windows\system32\dllcache\mrxsmb.sys
2008-10-23 07:36 286,720 a------- c:\windows\system32\gdi32.dll
2008-10-23 07:36 286,720 -------- c:\windows\system32\dllcache\gdi32.dll
2008-08-27 20:11 4,251 a------- c:\program files\mirc.ini
2008-08-27 20:11 279 a------- c:\program files\urls.ini
2008-08-27 19:49 44,143 a------- c:\program files\upload.log
2006-10-22 13:16 29,132 a---h--- c:\program files\mirc.GID
2005-12-06 22:29 51,752 a------- c:\docume~1\admin\applic~1\GDIPFONTCACHEV1.DAT
2004-03-10 11:38 1,937,408 a------- c:\program files\mirc.exe
2004-03-10 11:38 229,917 a------- c:\program files\mirc.hlp
2004-03-10 11:38 68,949 a------- c:\program files\ircintro.hlp
2004-03-10 11:38 30,496 a------- c:\program files\versions.txt
2004-03-10 11:38 1,104 a------- c:\program files\readme.txt
2003-10-12 08:31 59,605 a------- c:\program files\sysreset.txt
2002-06-12 20:40 92,272 a------- c:\program files\sysreset.hlp
2002-06-12 20:40 679 a------- c:\program files\sysreset.cnt
2001-05-24 12:59 162,304 a------- c:\program files\UNWISE.EXE
2001-04-06 04:50 0 a------- c:\program files\page.log
2008-09-16 19:05 63,542 a--sh--- c:\windows\system32\budifene.dll
2008-09-16 19:05 63,542 a--sh--- c:\windows\system32\dofimete.dll
2008-09-16 19:00 64,517 a--sh--- c:\windows\system32\gogaduso.dll
2008-09-18 21:00 64,517 a--sh--- c:\windows\system32\gotofiba.dll
2008-09-18 21:00 64,517 a--sh--- c:\windows\system32\huvarera.dll
2008-09-18 21:05 62,518 a--sh--- c:\windows\system32\jufonefi.dll
2008-09-10 20:27 86,016 a--sh--- c:\windows\system32\nehokaki.dll
2008-09-18 21:05 62,518 a--sh--- c:\windows\system32\nidawila.dll
2008-09-23 16:44 11,264 a--sh--- c:\windows\system32\pugaloji.dll
2008-09-18 21:00 64,517 a--sh--- c:\windows\system32\pupukiri.dll
2008-09-16 19:05 63,542 a--sh--- c:\windows\system32\rebonoga.dll
2008-09-18 21:05 62,518 a--sh--- c:\windows\system32\ruhufuga.dll
2008-09-16 19:00 64,517 a--sh--- c:\windows\system32\ruzukuge.dll
2008-09-16 19:05 75,776 a--sh--- c:\windows\system32\tebogore.dll
2008-09-16 19:00 64,517 a--sh--- c:\windows\system32\yadegupa.dll
2008-09-20 22:05 77,824 a--sh--- c:\windows\system32\yirejame.dll
2005-07-29 16:24 472 a--shr-- c:\windows\tuldseffta\no5GmHIInE.vbs

============= FINISH: 12:48:34.40 ===============

#4 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • OFFLINE
  • Local time:10:16 AM

Posted 17 January 2009 - 03:41 PM

1. Please open Notepad
  • Click Start, then Run
  • Type notepad.exe in the Run Box.
2. Now copy/paste the entire content of the codebox below into the Notepad window:

KillAll::

Driver::

File::
c:\windows\SYSTEM32\osohaviv.ini
c:\windows\SYSTEM32\utopuzug.ini
c:\windows\SYSTEM32\rozodobu.dll
c:\windows\SYSTEM32\evowovom.ini
c:\windows\SYSTEM32\omedipob.ini
c:\windows\SYSTEM32\uzaroyod.ini
c:\windows\SYSTEM32\ebaludon.ini
c:\windows\SYSTEM32\ohajeyam.ini
c:\windows\SYSTEM32\asodesil.ini
c:\windows\SYSTEM32\eworusuw.ini
c:\windows\SYSTEM32\eyezuzaj.ini
c:\windows\SYSTEM32\ohenovim.ini
c:\windows\SYSTEM32\irogired.ini
c:\windows\SYSTEM32\anenihay.ini
c:\windows\SYSTEM32\asatohas.ini
c:\windows\SYSTEM32\adufuduf.ini
c:\windows\SYSTEM32\ahedupul.ini
c:\windows\SYSTEM32\ovotabef.ini
c:\windows\SYSTEM32\uyoyewun.ini
c:\windows\SYSTEM32\ejawasiy.ini
c:\windows\SYSTEM32\ihisolel.ini
c:\windows\SYSTEM32\uyadupeh.ini
c:\windows\SYSTEM32\adiyivan.ini
c:\windows\SYSTEM32\elinukib.ini
c:\windows\SYSTEM32\aripebuk.ini
c:\windows\SYSTEM32\efirewuz.ini
c:\windows\SYSTEM32\iririmaf.ini
c:\windows\SYSTEM32\apimufuj.ini
c:\windows\SYSTEM32\ahetabew.ini
c:\windows\SYSTEM32\uyuhakum.ini
c:\windows\SYSTEM32\ilegeday.ini
c:\windows\SYSTEM32\apenikom.ini
c:\windows\SYSTEM32\emayivuj.ini
c:\windows\SYSTEM32\budifene.dll
c:\windows\SYSTEM32\dofimete.dll
c:\windows\SYSTEM32\gogaduso.dll
c:\windows\SYSTEM32\gotofiba.dll
c:\windows\SYSTEM32\huvarera.dll
c:\windows\SYSTEM32\jufonefi.dll
c:\windows\SYSTEM32\nehokaki.dll
c:\windows\SYSTEM32\nidawila.dll
c:\windows\SYSTEM32\pugaloji.dll
c:\windows\SYSTEM32\pupukiri.dll
c:\windows\SYSTEM32\rebonoga.dll
c:\windows\SYSTEM32\ruhufuga.dll
c:\windows\SYSTEM32\ruzukuge.dll
c:\windows\SYSTEM32\tebogore.dll
c:\windows\SYSTEM32\yadegupa.dll
c:\windows\SYSTEM32\yirejame.dll
c:\windows\TUlDSEFFTA\no5GmHIInE.vbs
c:\windows\system32\fayivani.dll

Folder::
c:\documents and settings\Admin\Application Data\Twain

Registry::
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
"BootExecute"=hex(7):61,75,74,6f,63,68,65,63,6b,20,61,75,74,6f,63,68,6b,20,2a,00,00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Notification Packages"=hex(7):73,63,65,63,6c,69,00,00

RegLock::
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]

RegNull::
[HKEY_USERS\S-1-5-21-2251903013-3228833577-2004428442-1007\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\KumasanTeam\¬0¸0§0Ă0Č0 *Č0é0¤0˘0ë0]

DirLook::
c:\documents and settings\Admin\PrivacIE
c:\windows\TUlDSEFFTA

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

(animation: dragging CFScript.txt onto ComboFix.exe)


5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive
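The CFScript above was assembled by reading the ComboFix and DDS logs for a recognisable pattern: hidden+system files with random eight-letter names dropped directly into system32, plus a non-default DLL registered as an LSA Notification Package (so it is loaded by lsass at boot, which is why it survived Malwarebytes). The Registry:: lines restore the two REG_MULTI_SZ values in REGEDIT4 hex(7) form. The script below, added here as a worked example (it is not the helper's code nor part of ComboFix), automates that triage and goes slightly beyond the post by handling both log layouts seen in this thread ("Files Created" with two timestamps, and Find3M/DDS with one). The function and constant names (ENTRY_RE, suspicious_files, build_cfscript, and so on) are my own; the sample lines are copied from the logs posted above; and the assumption that a stock XP install lists only scecli under Notification Packages is mine, not something the thread states.

```python
"""Triage helpers for ComboFix / DDS log lines (added example; not ComboFix's own code)."""
import re

# Sample lines copied from the ComboFix and DDS logs posted in this thread.  Two layouts
# occur: "Files Created" (created . modified size attrs path) and Find3M / DDS
# (timestamp size attrs path).  Attribute flags: h = hidden, s = system, d = directory.
SAMPLE_LOG = r"""
2008-12-30 17:09 . 2008-12-30 17:09 1,262,640 ---hs---- c:\windows\SYSTEM32\ovotabef.ini
2008-12-21 00:41 . 2008-12-21 00:41 <DIR> d--hs---- c:\documents and settings\Admin\PrivacIE
2008-12-20 00:01 . 2008-12-20 00:47 <DIR> d--hs---- c:\windows\TUlDSEFFTA
2008-12-11 10:57 333,952 ----a-w c:\windows\system32\drivers\srv.sys
2008-09-17 00:05 63,542 --sha-w c:\windows\SYSTEM32\budifene.dll
2005-07-29 21:24 472 --sha-r c:\windows\TUlDSEFFTA\no5GmHIInE.vbs
2009-01-16 18:06 1,354,487 ---sh--- c:\windows\system32\osohaviv.ini
2009-01-15 20:10 2,713 ---sh--- c:\windows\system32\rozodobu.dll
2008-12-08 23:15 1,995 ---sh--- c:\windows\system32\tohedida.exe
"""

# The LSA line from the "Reg Loading Points" section of the first ComboFix log.
SAMPLE_REG = r"""
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli c:\windows\system32\fayivani.dll
"""

ENTRY_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2})"
    r"(?: \. (?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}))?"
    r"\s+(?P<size><DIR>|[\d,]+|-+)"
    r"\s+(?P<attrs>[A-Za-z-]+)"
    r"\s+(?P<path>[A-Za-z]:\\.*?)\s*$"
)

# Vundo-style droppers in this thread: eight lowercase letters, .ini/.dll/.exe, directly
# under system32, with hidden+system attributes.  The heuristic is deliberately narrow.
VUNDO_PATH_RE = re.compile(r"^[a-z]:\\windows\\system32\\[a-z]{8}\.(?:ini|dll|exe)$")

# Assumption: on a stock Windows XP install the Notification Packages list holds only scecli.
DEFAULT_NOTIFICATION_PACKAGES = {"scecli"}


def parse_entries(log_text):
    """Parse every file/directory line of a ComboFix or DDS log into a dict."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries


def is_vundo_like(entry):
    """True for a hidden+system, randomly named file directly under system32."""
    attrs = entry["attrs"].lower()
    if entry["size"] == "<DIR>" or "d" in attrs:
        return False
    return "h" in attrs and "s" in attrs and bool(VUNDO_PATH_RE.match(entry["path"].lower()))


def suspicious_files(log_text):
    """Paths (as written in the log) that match the Vundo dropper pattern."""
    return [e["path"] for e in parse_entries(log_text) if is_vundo_like(e)]


def extra_notification_packages(reg_text):
    """Entries in the LSA Notification Packages list beyond the stock set."""
    for line in reg_text.splitlines():
        m = re.match(r"^Notification Packages\s+REG_MULTI_SZ\s+(.*)$", line.strip())
        if m:
            return [v for v in m.group(1).split() if v.lower() not in DEFAULT_NOTIFICATION_PACKAGES]
    return []


def reg_multi_sz_hex(values):
    """REGEDIT4 hex(7) form of a REG_MULTI_SZ: each string NUL-terminated, plus a final NUL."""
    data = b"".join(v.encode("ascii") + b"\x00" for v in values) + b"\x00"
    return "hex(7):" + ",".join(f"{b:02x}" for b in data)


def build_cfscript(files, boot_execute=("autocheck autochk *",), packages=("scecli",)):
    """Assemble the File:: and Registry:: sections of a CFScript from the triage results."""
    lines = ["KillAll::", "", "File::", *files, "", "Registry::",
             r"[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]",
             '"BootExecute"=' + reg_multi_sz_hex(list(boot_execute)),
             r"[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]",
             '"Notification Packages"=' + reg_multi_sz_hex(list(packages))]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    hits = suspicious_files(SAMPLE_LOG) + extra_notification_packages(SAMPLE_REG)
    print(build_cfscript(hits))
```

Two things worth noticing when comparing the output with the CFScript above. First, the hex(7) values in the script are nothing more mysterious than the NUL-separated ASCII strings "autocheck autochk *" and "scecli", each followed by the list-terminating NUL, so reg_multi_sz_hex reproduces them byte for byte. Second, the name heuristic is narrow on purpose: it catches the system32 droppers but not the mixed-case no5GmHIInE.vbs in the hidden TUlDSEFFTA folder or the Twain directory, which the helper added to the script by hand after reading the log; automated triage of this kind is a starting point for a human reviewer, not a replacement.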


#5 aoc442

aoc442
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:09:16 PM

Posted 18 January 2009 - 03:29 AM

New ComboFix log:

ComboFix 09-01-17.03 - Admin 2009-01-18 2:20:43.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.298 [GMT -5:00]
Running from: c:\documents and settings\Admin\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Admin\Desktop\CFScript.txt
* Created a new restore point

FILE ::
c:\windows\SYSTEM32\adiyivan.ini
c:\windows\SYSTEM32\adufuduf.ini
c:\windows\SYSTEM32\ahedupul.ini
c:\windows\SYSTEM32\ahetabew.ini
c:\windows\SYSTEM32\anenihay.ini
c:\windows\SYSTEM32\apenikom.ini
c:\windows\SYSTEM32\apimufuj.ini
c:\windows\SYSTEM32\aripebuk.ini
c:\windows\SYSTEM32\asatohas.ini
c:\windows\SYSTEM32\asodesil.ini
c:\windows\SYSTEM32\budifene.dll
c:\windows\SYSTEM32\dofimete.dll
c:\windows\SYSTEM32\ebaludon.ini
c:\windows\SYSTEM32\efirewuz.ini
c:\windows\SYSTEM32\ejawasiy.ini
c:\windows\SYSTEM32\elinukib.ini
c:\windows\SYSTEM32\emayivuj.ini
c:\windows\SYSTEM32\evowovom.ini
c:\windows\SYSTEM32\eworusuw.ini
c:\windows\SYSTEM32\eyezuzaj.ini
c:\windows\system32\fayivani.dll
c:\windows\SYSTEM32\gogaduso.dll
c:\windows\SYSTEM32\gotofiba.dll
c:\windows\SYSTEM32\huvarera.dll
c:\windows\SYSTEM32\ihisolel.ini
c:\windows\SYSTEM32\ilegeday.ini
c:\windows\SYSTEM32\iririmaf.ini
c:\windows\SYSTEM32\irogired.ini
c:\windows\SYSTEM32\jufonefi.dll
c:\windows\SYSTEM32\nehokaki.dll
c:\windows\SYSTEM32\nidawila.dll
c:\windows\SYSTEM32\ohajeyam.ini
c:\windows\SYSTEM32\ohenovim.ini
c:\windows\SYSTEM32\omedipob.ini
c:\windows\SYSTEM32\osohaviv.ini
c:\windows\SYSTEM32\ovotabef.ini
c:\windows\SYSTEM32\pugaloji.dll
c:\windows\SYSTEM32\pupukiri.dll
c:\windows\SYSTEM32\rebonoga.dll
c:\windows\SYSTEM32\rozodobu.dll
c:\windows\SYSTEM32\ruhufuga.dll
c:\windows\SYSTEM32\ruzukuge.dll
c:\windows\SYSTEM32\tebogore.dll
c:\windows\SYSTEM32\utopuzug.ini
c:\windows\SYSTEM32\uyadupeh.ini
c:\windows\SYSTEM32\uyoyewun.ini
c:\windows\SYSTEM32\uyuhakum.ini
c:\windows\SYSTEM32\uzaroyod.ini
c:\windows\SYSTEM32\yadegupa.dll
c:\windows\SYSTEM32\yirejame.dll
c:\windows\TUlDSEFFTA\no5GmHIInE.vbs
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Admin\Application Data\Twain
c:\windows\SYSTEM32\adiyivan.ini
c:\windows\SYSTEM32\adufuduf.ini
c:\windows\SYSTEM32\ahedupul.ini
c:\windows\SYSTEM32\ahetabew.ini
c:\windows\SYSTEM32\anenihay.ini
c:\windows\SYSTEM32\apenikom.ini
c:\windows\SYSTEM32\apimufuj.ini
c:\windows\SYSTEM32\aripebuk.ini
c:\windows\SYSTEM32\asatohas.ini
c:\windows\SYSTEM32\asodesil.ini
c:\windows\SYSTEM32\budifene.dll
c:\windows\SYSTEM32\dofimete.dll
c:\windows\SYSTEM32\ebaludon.ini
c:\windows\SYSTEM32\efirewuz.ini
c:\windows\SYSTEM32\ejawasiy.ini
c:\windows\SYSTEM32\elinukib.ini
c:\windows\SYSTEM32\emayivuj.ini
c:\windows\SYSTEM32\evowovom.ini
c:\windows\SYSTEM32\eworusuw.ini
c:\windows\SYSTEM32\eyezuzaj.ini
c:\windows\SYSTEM32\gogaduso.dll
c:\windows\SYSTEM32\gotofiba.dll
c:\windows\SYSTEM32\huvarera.dll
c:\windows\SYSTEM32\ihisolel.ini
c:\windows\SYSTEM32\ilegeday.ini
c:\windows\SYSTEM32\iririmaf.ini
c:\windows\SYSTEM32\irogired.ini
c:\windows\SYSTEM32\jufonefi.dll
c:\windows\SYSTEM32\nehokaki.dll
c:\windows\SYSTEM32\nidawila.dll
c:\windows\SYSTEM32\ohajeyam.ini
c:\windows\SYSTEM32\ohenovim.ini
c:\windows\SYSTEM32\omedipob.ini
c:\windows\SYSTEM32\osohaviv.ini
c:\windows\SYSTEM32\ovotabef.ini
c:\windows\SYSTEM32\pugaloji.dll
c:\windows\SYSTEM32\pupukiri.dll
c:\windows\SYSTEM32\rebonoga.dll
c:\windows\SYSTEM32\rozodobu.dll
c:\windows\SYSTEM32\ruhufuga.dll
c:\windows\SYSTEM32\ruzukuge.dll
c:\windows\SYSTEM32\tebogore.dll
c:\windows\SYSTEM32\utopuzug.ini
c:\windows\SYSTEM32\uyadupeh.ini
c:\windows\SYSTEM32\uyoyewun.ini
c:\windows\SYSTEM32\uyuhakum.ini
c:\windows\SYSTEM32\uzaroyod.ini
c:\windows\SYSTEM32\yadegupa.dll
c:\windows\SYSTEM32\yirejame.dll
c:\windows\TUlDSEFFTA\no5GmHIInE.vbs

.
((((((((((((((((((((((((( Files Created from 2008-12-18 to 2009-01-18 )))))))))))))))))))))))))))))))
.

2009-01-11 20:07 . 2009-01-11 20:07 <DIR> d-------- c:\program files\Enigma Software Group
2008-12-21 00:41 . 2008-12-21 00:41 <DIR> d--hs---- c:\documents and settings\Admin\PrivacIE
2008-12-21 00:00 . 2008-12-21 00:00 <DIR> d-------- c:\windows\ie8updates
2008-12-20 23:49 . 2008-12-20 23:51 <DIR> d--h-c--- c:\windows\ie8
2008-12-20 00:01 . 2009-01-18 02:22 <DIR> d--hs---- c:\windows\TUlDSEFFTA

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-18 07:18 --------- d-----w c:\documents and settings\Admin\Application Data\uTorrent
2009-01-16 23:22 --------- d-----w c:\documents and settings\Admin\Application Data\U3
2009-01-08 20:08 --------- d-----w c:\program files\LimeWire
2008-12-20 18:00 --------- d-----w c:\documents and settings\Admin\Application Data\HP
2008-12-12 22:06 --------- d-----w c:\program files\Java
2008-12-11 10:57 333,952 ----a-w c:\windows\system32\drivers\srv.sys
2008-12-01 23:32 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2008-12-01 23:32 --------- d-----w c:\documents and settings\Admin\Application Data\Malwarebytes
2008-12-01 23:32 --------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-01 23:27 --------- d-----w c:\program files\Viewpoint
2008-12-01 23:27 --------- d-----w c:\documents and settings\All Users\Application Data\Viewpoint
2008-11-20 02:55 --------- d-----w c:\program files\Common Files\DAZ
2008-08-28 01:11 4,251 ----a-w c:\program files\mirc.ini
2008-08-28 01:11 279 ----a-w c:\program files\urls.ini
2008-08-28 00:49 44,143 ----a-w c:\program files\upload.log
2006-10-22 18:16 29,132 ---ha-w c:\program files\mirc.GID
2005-12-07 03:29 51,752 ----a-w c:\documents and settings\Admin\Application Data\GDIPFONTCACHEV1.DAT
2004-03-10 16:38 68,949 ----a-w c:\program files\ircintro.hlp
2004-03-10 16:38 30,496 ----a-w c:\program files\versions.txt
2004-03-10 16:38 229,917 ----a-w c:\program files\mirc.hlp
2004-03-10 16:38 1,937,408 ----a-w c:\program files\mirc.exe
2004-03-10 16:38 1,104 ----a-w c:\program files\readme.txt
2003-10-12 13:31 59,605 ----a-w c:\program files\sysreset.txt
2002-06-13 01:40 92,272 ----a-w c:\program files\sysreset.hlp
2002-06-13 01:40 679 ----a-w c:\program files\sysreset.cnt
2001-05-24 17:59 162,304 ----a-w c:\program files\UNWISE.EXE
2001-04-06 09:50 0 ----a-w c:\program files\page.log
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

---- Directory of c:\documents and settings\Admin\PrivacIE ----

2009-01-17 12:51 688128 --ahs---- c:\documents and settings\Admin\PrivacIE\index.dat

---- Directory of c:\windows\TUlDSEFFTA ----

2005-07-29 16:24 472 -rahs---- c:\windows\TUlDSEFFTA\no5GmHIInE.vbs


((((((((((((((((((((((((((((( snapshot@2009-01-17_12.34.33.23 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-01-09 22:35:30 20,853,704 ----a-w c:\windows\SYSTEM32\MRT.exe
+ 2009-01-18 07:39:10 16,384 ----atw c:\windows\temp\Perflib_Perfdata_108.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DAEMON Tools"="c:\program files\DAEMON Tools\daemon.exe" [2006-11-12 157592]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-10-19 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-10-19 126976]
"IntelMeM"="c:\program files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-03 221184]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2004-12-22 71280]
"Dell AIO Printer A920"="c:\program files\Dell AIO Printer A920\dlbkbmgr.exe" [2003-05-02 270336]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2005-02-20 180269]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-12 136600]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-06-29 286720]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2007-07-10 270648]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-02-19 49152]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064]
"SpyHunter Security Suite"="c:\program files\Enigma Software Group\SpyHunter\SpyHunter3.exe" [2008-10-08 864256]

LimeWire On Startup.lnk - c:\program files\LimeWire\LimeWire.exe [2007-01-29 122880]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-02-19 288472]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.ffds"= c:\progra~1\COMBIN~1\Filters\ff_vfw.dll
"vidc.wmv3"= c:\progra~1\COMBIN~1\Filters\wmv9vcm.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\America Online 9.0 Tray Icon.lnk
backup=c:\windows\pss\America Online 9.0 Tray Icon.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
--------- 2004-04-11 11:43 53248 c:\program files\CyberLink\PowerDVD\DVDLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]
--------- 2004-04-11 20:15 290816 c:\program files\Dell\Media Experience\PCMService.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-06-29 06:24 286720 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2005-02-20 21:34 180269 c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\WinMX\\WinMX.exe"=
"c:\\Program Files\\Sierra On-Line\\SIGSPAT.EXE"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Documents and Settings\\Admin\\Desktop\\utorrent.exe"=
"c:\\Program Files\\Common Files\\AOL\\1180050023\\ee\\AOLServiceHost.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Dell Support Center\\bin\\sprtsvc.exe"=
"c:\\WINDOWS\\SYSTEM32\\wuauclt.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\SYSTEM32\\LEXPPS.EXE"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\WINDOWS\\SYSTEM32\\dwwin.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009


--- Other Services/Drivers In Memory ---

*Deregistered* - mchInjDrv

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b14f6452-9ee5-11db-a8a9-000f1f7a5d30}]
\Shell\AutoRun\command - G:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{eb4aab46-9fc9-11db-a8ab-000f1f7a5d30}]
\Shell\AutoRun\command - I:\SETUP.EXE
.
Contents of the 'Scheduled Tasks' folder

2004-09-01 c:\windows\Tasks\ISP signup reminder 1.job
- c:\windows\System32\OOBE\OOBEBALN.EXE [2008-04-13 19:12]

2009-01-18 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDETECT.EXE []
.
.
------- Supplementary Scan -------
.
uStart Page =
uInternet Connection Wizard,ShellNext = hxxp://www.dell4me.com/myway
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: &AIM Search - c:\program files\aol\aim toolbar 5.0\resources\en-US\local\search.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
IE: {{d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html
Trusted Zone: www.mozilla.com
FF - ProfilePath - c:\documents and settings\Admin\Application Data\Mozilla\Firefox\Profiles\3c6bc829.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - plugin: c:\program files\Mozilla Firefox\plugins\npitunes.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-18 03:06:41
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-2251903013-3228833577-2004428442-1007\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\KumasanTeam\¬0¸0§0Ă0Č0 *Č0é0¤0˘0ë0]
"Order"=hex:08,00,00,00,02,00,00,00,92,00,00,00,01,00,00,00,01,00,00,00,86,00,
00,00,00,00,00,00,78,00,00,00,41,75,67,4d,02,00,00,00,01,00,00,00,66,00,36,\
.
------------------------ Other Running Processes ------------------------
.
c:\windows\SYSTEM32\LEXBCES.EXE
c:\windows\SYSTEM32\LEXPPS.EXE
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Common Files\Symantec Shared\CCSETMGR.EXE
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\SYSTEM32\PSIService.exe
c:\program files\Dell Support Center\bin\sprtsvc.exe
c:\program files\Dell AIO Printer A920\dlbkbmon.exe
c:\windows\SYSTEM32\rundll32.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\HP\Digital Imaging\bin\hpqste08.exe
.
**************************************************************************
.
Completion time: 2009-01-18 3:14:48 - machine was rebooted [Admin]
ComboFix-quarantined-files.txt 2009-01-18 08:13:30
ComboFix2.txt 2009-01-17 17:37:07

Pre-Run: 1,364,697,088 bytes free
Post-Run: 1,326,698,496 bytes free

307 --- E O F --- 2009-01-17 23:23:37




New DDS log:

DDS (Ver_09-01-07.01) - NTFSx86
Run by Admin at 3:20:20.54 on Sun 01/18/2009
Internet Explorer: 8.0.6001.18241 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.229 [GMT -5:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\PSIService.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmon.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Admin\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page =
uInternet Connection Wizard,ShellNext = hxxp://www.dell4me.com/myway
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
mURLSearchHooks: H - No File
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Web assistant: {0b53eac3-8d69-4b9e-9b19-a37c9a5676a7} - c:\program files\common files\symantec shared\adblocking\NISShExt.dll
TB: AIM Toolbar: {de9c389f-3316-41a7-809b-aa305ed9d922} - c:\program files\aol\aim toolbar 5.0\aoltb.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar3.dll
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [DAEMON Tools] "c:\program files\daemon tools\daemon.exe" -lang 1033
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [IntelMeM] "c:\program files\intel\modem event monitor\IntelMEM.exe"
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [Dell AIO Printer A920] "c:\program files\dell aio printer a920\dlbkbmgr.exe"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
mRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
mRun: [SpyHunter Security Suite] c:\program files\enigma software group\spyhunter\SpyHunter3.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
IE: &AIM Search - c:\program files\aol\aim toolbar 5.0\resources\en-us\local\search.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe
IE: {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {3369AF0D-62E9-4bda-8103-B4C75499B578} - {DE9C389F-3316-41A7-809B-AA305ED9D922} - c:\program files\aol\aim toolbar 5.0\aoltb.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
Trusted Zone: mozilla.com\www
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Notify: igfxcui - igfxsrvc.dll
Notify: WRNotifier - WRLogonNTF.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\admin\applic~1\mozilla\firefox\profiles\3c6bc829.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - plugin: c:\program files\mozilla firefox\plugins\npitunes.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npunagi2.dll

============= SERVICES / DRIVERS ===============

R4 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\CCSETMGR.EXE [2004-10-19 235120]
S3 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\CCEVTMGR.EXE [2004-10-19 255600]
S3 ccPwdSvc;Symantec Password Validation;c:\program files\common files\symantec shared\CCPWDSVC.EXE [2004-10-19 87664]

=============== Created Last 30 ================

2009-01-17 11:29 <DIR> a-dshr-- C:\cmdcons
2009-01-17 11:26 161,792 a------- c:\windows\SWREG.exe
2009-01-17 11:26 98,816 a------- c:\windows\sed.exe
2009-01-11 20:07 <DIR> --d----- c:\program files\Enigma Software Group
2008-12-21 00:41 <DIR> --dsh--- c:\documents and settings\admin\PrivacIE
2008-12-21 00:00 <DIR> --d----- c:\windows\ie8updates
2008-12-20 23:49 <DIR> -cd-h--- c:\windows\ie8
2008-12-20 00:01 <DIR> --dsh--- c:\windows\TUlDSEFFTA

==================== Find3M ====================

2009-01-15 20:10 127,812 a--sh--- c:\windows\system32\hejivole.dll
2009-01-03 14:02 97,472 a--sh--- c:\windows\system32\rifupopi.dll
2009-01-01 13:17 100,593 a--sh--- c:\windows\system32\zumowita.dll
2008-12-31 09:45 99,140 a--sh--- c:\windows\system32\duwalafa.dll
2008-12-14 08:59 5,699,584 a------- c:\windows\system32\dllcache\mshtml.dll
2008-12-12 22:04 78,991 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2008-12-12 17:07 410,984 a------- c:\windows\system32\deploytk.dll
2008-12-11 05:57 333,952 a------- c:\windows\system32\drivers\srv.sys
2008-12-11 05:57 333,952 -------- c:\windows\system32\dllcache\srv.sys
2008-12-08 23:15 1,995 ---sh--- c:\windows\system32\tohedida.exe
2008-11-10 17:26 2,516 a--sh--- c:\windows\system32\KGyGaAvL.sys
2008-10-24 06:21 455,296 -------- c:\windows\system32\dllcache\mrxsmb.sys
2008-10-23 07:36 286,720 a------- c:\windows\system32\gdi32.dll
2008-10-23 07:36 286,720 -------- c:\windows\system32\dllcache\gdi32.dll
2008-08-27 20:11 4,251 a------- c:\program files\mirc.ini
2008-08-27 20:11 279 a------- c:\program files\urls.ini
2008-08-27 19:49 44,143 a------- c:\program files\upload.log
2006-10-22 13:16 29,132 a---h--- c:\program files\mirc.GID
2005-12-06 22:29 51,752 a------- c:\docume~1\admin\applic~1\GDIPFONTCACHEV1.DAT
2004-03-10 11:38 1,937,408 a------- c:\program files\mirc.exe
2004-03-10 11:38 229,917 a------- c:\program files\mirc.hlp
2004-03-10 11:38 68,949 a------- c:\program files\ircintro.hlp
2004-03-10 11:38 30,496 a------- c:\program files\versions.txt
2004-03-10 11:38 1,104 a------- c:\program files\readme.txt
2003-10-12 08:31 59,605 a------- c:\program files\sysreset.txt
2002-06-12 20:40 92,272 a------- c:\program files\sysreset.hlp
2002-06-12 20:40 679 a------- c:\program files\sysreset.cnt
2001-05-24 12:59 162,304 a------- c:\program files\UNWISE.EXE
2001-04-06 04:50 0 a------- c:\program files\page.log

============= FINISH: 3:20:30.00 ===============

#6 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • OFFLINE
  •  
  • Local time:10:16 AM

Posted 18 January 2009 - 03:49 AM

1. Please open Notepad
  • Click Start, then Run
  • Type notepad.exe in the Run Box.
2. Now copy/paste the entire content of the codebox below into the Notepad window:

KillAll::

File::
c:\windows\system32\hejivole.dll
c:\windows\system32\rifupopi.dll
c:\windows\system32\zumowita.dll
c:\windows\system32\duwalafa.dll

Folder::
c:\windows\TUlDSEFFTA
c:\documents and settings\Admin\PrivacIE

RegLock::
[HKEY_USERS\S-1-5-21-2251903013-3228833577-2004428442-1007\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\KumasanTeam\¬0¸0§0Ă0Č0 *Č0é0¤0˘0ë0]

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image


5. After reboot (in case it asks to reboot), please post the following reports/logs in your next reply:
  • Combofix.txt
  • A new HijackThis log.

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive

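The four DLLs in the CFScript above were evidently picked out of the DDS "Find3M" listing by a few visible traits: they sit directly in system32, carry the hidden+system attributes (a--sh---), and have eight-letter lowercase names that alternate consonant and vowel the way Vundo's generated names do. The script below is an added triage example, not part of this thread and not code from DDS or ComboFix; it parses Find3M-style lines and applies exactly those heuristics. The sample input is a constructed subset of the Find3M lines posted earlier in this thread. Note that the same rules also flag tohedida.exe, which the helper's script did not list, so the output is a candidate list for analyst review, not a removal list.

```python
"""Triage helper for DDS "Find3M" listings (added example, not thread code).

Flags files that look like Vundo's generated DLLs: directly under system32,
hidden+system attributes, eight lowercase letters alternating consonant/vowel.
A flagged entry is a candidate for analyst review, not a verdict.
"""
import re
from dataclasses import dataclass

# Constructed sample: a subset of the Find3M lines posted in this thread,
# with a few clean system files kept in as negatives.
SAMPLE_FIND3M = r"""
2009-01-15 20:10 127,812 a--sh--- c:\windows\system32\hejivole.dll
2009-01-03 14:02 97,472 a--sh--- c:\windows\system32\rifupopi.dll
2009-01-01 13:17 100,593 a--sh--- c:\windows\system32\zumowita.dll
2008-12-31 09:45 99,140 a--sh--- c:\windows\system32\duwalafa.dll
2008-12-14 08:59 5,699,584 a------- c:\windows\system32\dllcache\mshtml.dll
2008-12-12 17:07 410,984 a------- c:\windows\system32\deploytk.dll
2008-12-11 05:57 333,952 a------- c:\windows\system32\drivers\srv.sys
2008-12-08 23:15 1,995 ---sh--- c:\windows\system32\tohedida.exe
2008-11-10 17:26 2,516 a--sh--- c:\windows\system32\KGyGaAvL.sys
2008-10-23 07:36 286,720 a------- c:\windows\system32\gdi32.dll
"""

# DDS Find3M row: date, time, size with thousands separators, 8-char attrs, path.
# <DIR> rows (size field is not numeric) and section headers do not match.
LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}) "
    r"(?P<size>[\d,]+) (?P<attrs>[-a-z]{8}) (?P<path>.+)$"
)

VOWELS = set("aeiou")


@dataclass
class Entry:
    date: str
    size: int
    attrs: str
    path: str


def parse_find3m(text):
    """Parse Find3M-style lines; lines that are not file rows are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        entries.append(Entry(m["date"], int(m["size"].replace(",", "")),
                             m["attrs"], m["path"]))
    return entries


def looks_generated(stem):
    """Eight lowercase letters strictly alternating consonant/vowel."""
    if len(stem) != 8 or not stem.isalpha() or not stem.islower():
        return False
    classes = [c in VOWELS for c in stem]
    return all(classes[i] != classes[i + 1] for i in range(7))


def is_candidate(entry):
    """Hidden+system .dll/.exe directly in system32 with a generated-looking name."""
    parent, _, name = entry.path.lower().rpartition("\\")
    if parent != r"c:\windows\system32":
        return False  # dllcache\ and drivers\ subfolders are out of scope here
    stem, _, ext = name.rpartition(".")
    if ext not in ("dll", "exe"):
        return False
    hidden_system = "h" in entry.attrs and "s" in entry.attrs
    return hidden_system and looks_generated(stem)


def flag_candidates(text):
    """Return the Find3M entries worth a closer look, in listing order."""
    return [e for e in parse_find3m(text) if is_candidate(e)]


def cfscript_file_block(entries):
    """Render a File:: section in the CFScript layout used in this thread.

    Only call this with entries an analyst has actually reviewed.
    """
    return "\n".join(["File::"] + [e.path for e in entries]) + "\n"


if __name__ == "__main__":
    flagged = flag_candidates(SAMPLE_FIND3M)
    for e in flagged:
        print(f"{e.date} {e.size:>9,} {e.attrs} {e.path}")
    print(cfscript_file_block(flagged))
```

The consonant/vowel alternation test is what separates the generated names from legitimate eight-letter files such as deploytk.dll, and the lowercase test rules out mixed-case names like KGyGaAvL.sys; the attribute check alone would not do either.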

#7 aoc442

aoc442
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:09:16 PM

Posted 18 January 2009 - 05:43 PM

New ComboFix log:

ComboFix 09-01-17.03 - Admin 2009-01-18 16:50:41.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.271 [GMT -5:00]
Running from: c:\documents and settings\Admin\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Admin\Desktop\CFScript.txt
* Created a new restore point

FILE ::
c:\windows\system32\duwalafa.dll
c:\windows\system32\hejivole.dll
c:\windows\system32\rifupopi.dll
c:\windows\system32\zumowita.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Admin\PrivacIE
c:\documents and settings\Admin\PrivacIE\index.dat
c:\windows\system32\duwalafa.dll
c:\windows\system32\hejivole.dll
c:\windows\system32\rifupopi.dll
c:\windows\system32\zumowita.dll
c:\windows\TUlDSEFFTA

.
((((((((((((((((((((((((( Files Created from 2008-12-18 to 2009-01-18 )))))))))))))))))))))))))))))))
.

2009-01-11 20:07 . 2009-01-11 20:07 <DIR> d-------- c:\program files\Enigma Software Group
2008-12-21 00:00 . 2008-12-21 00:00 <DIR> d-------- c:\windows\ie8updates
2008-12-20 23:49 . 2008-12-20 23:51 <DIR> d--h-c--- c:\windows\ie8

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-18 21:46 --------- d-----w c:\documents and settings\Admin\Application Data\uTorrent
2009-01-16 23:22 --------- d-----w c:\documents and settings\Admin\Application Data\U3
2009-01-08 20:08 --------- d-----w c:\program files\LimeWire
2008-12-20 18:00 --------- d-----w c:\documents and settings\Admin\Application Data\HP
2008-12-12 22:06 --------- d-----w c:\program files\Java
2008-12-11 10:57 333,952 ----a-w c:\windows\system32\drivers\srv.sys
2008-12-01 23:32 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2008-12-01 23:32 --------- d-----w c:\documents and settings\Admin\Application Data\Malwarebytes
2008-12-01 23:32 --------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-01 23:27 --------- d-----w c:\program files\Viewpoint
2008-12-01 23:27 --------- d-----w c:\documents and settings\All Users\Application Data\Viewpoint
2008-11-20 02:55 --------- d-----w c:\program files\Common Files\DAZ
2008-08-28 01:11 4,251 ----a-w c:\program files\mirc.ini
2008-08-28 01:11 279 ----a-w c:\program files\urls.ini
2008-08-28 00:49 44,143 ----a-w c:\program files\upload.log
2006-10-22 18:16 29,132 ---ha-w c:\program files\mirc.GID
2005-12-07 03:29 51,752 ----a-w c:\documents and settings\Admin\Application Data\GDIPFONTCACHEV1.DAT
2004-03-10 16:38 68,949 ----a-w c:\program files\ircintro.hlp
2004-03-10 16:38 30,496 ----a-w c:\program files\versions.txt
2004-03-10 16:38 229,917 ----a-w c:\program files\mirc.hlp
2004-03-10 16:38 1,937,408 ----a-w c:\program files\mirc.exe
2004-03-10 16:38 1,104 ----a-w c:\program files\readme.txt
2003-10-12 13:31 59,605 ----a-w c:\program files\sysreset.txt
2002-06-13 01:40 92,272 ----a-w c:\program files\sysreset.hlp
2002-06-13 01:40 679 ----a-w c:\program files\sysreset.cnt
2001-05-24 17:59 162,304 ----a-w c:\program files\UNWISE.EXE
2001-04-06 09:50 0 ----a-w c:\program files\page.log
.

((((((((((((((((((((((((((((( snapshot@2009-01-17_12.34.33.23 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-01-09 22:35:30 20,853,704 ----a-w c:\windows\SYSTEM32\MRT.exe
+ 2009-01-18 21:57:24 16,384 ----atw c:\windows\temp\Perflib_Perfdata_5f8.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DAEMON Tools"="c:\program files\DAEMON Tools\daemon.exe" [2006-11-12 157592]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-10-19 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-10-19 126976]
"IntelMeM"="c:\program files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-03 221184]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2004-12-22 71280]
"Dell AIO Printer A920"="c:\program files\Dell AIO Printer A920\dlbkbmgr.exe" [2003-05-02 270336]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2005-02-20 180269]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-12 136600]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-06-29 286720]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2007-07-10 270648]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-02-19 49152]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064]
"SpyHunter Security Suite"="c:\program files\Enigma Software Group\SpyHunter\SpyHunter3.exe" [2008-10-08 864256]

LimeWire On Startup.lnk - c:\program files\LimeWire\LimeWire.exe [2007-01-29 122880]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-02-19 288472]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.ffds"= c:\progra~1\COMBIN~1\Filters\ff_vfw.dll
"vidc.wmv3"= c:\progra~1\COMBIN~1\Filters\wmv9vcm.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\America Online 9.0 Tray Icon.lnk
backup=c:\windows\pss\America Online 9.0 Tray Icon.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
--------- 2004-04-11 11:43 53248 c:\program files\CyberLink\PowerDVD\DVDLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]
--------- 2004-04-11 20:15 290816 c:\program files\Dell\Media Experience\PCMService.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-06-29 06:24 286720 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2005-02-20 21:34 180269 c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\WinMX\\WinMX.exe"=
"c:\\Program Files\\Sierra On-Line\\SIGSPAT.EXE"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Documents and Settings\\Admin\\Desktop\\utorrent.exe"=
"c:\\Program Files\\Common Files\\AOL\\1180050023\\ee\\AOLServiceHost.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Dell Support Center\\bin\\sprtsvc.exe"=
"c:\\WINDOWS\\SYSTEM32\\wuauclt.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\SYSTEM32\\LEXPPS.EXE"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\WINDOWS\\SYSTEM32\\dwwin.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009


--- Other Services/Drivers In Memory ---

*Deregistered* - mchInjDrv

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b14f6452-9ee5-11db-a8a9-000f1f7a5d30}]
\Shell\AutoRun\command - G:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{eb4aab46-9fc9-11db-a8ab-000f1f7a5d30}]
\Shell\AutoRun\command - I:\SETUP.EXE
.
Contents of the 'Scheduled Tasks' folder

2004-09-01 c:\windows\Tasks\ISP signup reminder 1.job
- c:\windows\System32\OOBE\OOBEBALN.EXE [2008-04-13 19:12]

2009-01-18 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDETECT.EXE []
.
.
------- Supplementary Scan -------
.
uStart Page =
uInternet Connection Wizard,ShellNext = hxxp://www.dell4me.com/myway
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: &AIM Search - c:\program files\aol\aim toolbar 5.0\resources\en-US\local\search.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
IE: {{d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html
Trusted Zone: www.mozilla.com
FF - ProfilePath - c:\documents and settings\Admin\Application Data\Mozilla\Firefox\Profiles\3c6bc829.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - plugin: c:\program files\Mozilla Firefox\plugins\npitunes.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-18 17:16:20
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-2251903013-3228833577-2004428442-1007\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\KumasanTeam\¬0¸0§0Ă0Č0 *Č0é0¤0˘0ë0]
"Order"=hex:08,00,00,00,02,00,00,00,92,00,00,00,01,00,00,00,01,00,00,00,86,00,
00,00,00,00,00,00,78,00,00,00,41,75,67,4d,02,00,00,00,01,00,00,00,66,00,36,\
.
------------------------ Other Running Processes ------------------------
.
c:\windows\SYSTEM32\LEXBCES.EXE
c:\windows\SYSTEM32\LEXPPS.EXE
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Common Files\Symantec Shared\CCSETMGR.EXE
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\SYSTEM32\PSIService.exe
c:\program files\Dell Support Center\bin\sprtsvc.exe
c:\windows\SYSTEM32\rundll32.exe
c:\program files\Dell AIO Printer A920\dlbkbmon.exe
c:\program files\HP\Digital Imaging\bin\hpqste08.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-01-18 17:24:27 - machine was rebooted
ComboFix-quarantined-files.txt 2009-01-18 22:23:09
ComboFix2.txt 2009-01-18 08:14:50
ComboFix3.txt 2009-01-17 17:37:07

Pre-Run: 1,252,380,672 bytes free
Post-Run: 1,261,711,360 bytes free

209 --- E O F --- 2009-01-17 23:23:37



New DDS log:

DDS (Ver_09-01-07.01) - NTFSx86
Run by Admin at 17:28:56.39 on Sun 01/18/2009
Internet Explorer: 8.0.6001.18241 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.229 [GMT -5:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\PSIService.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmon.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Admin\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page =
uInternet Connection Wizard,ShellNext = hxxp://www.dell4me.com/myway
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
mURLSearchHooks: H - No File
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Web assistant: {0b53eac3-8d69-4b9e-9b19-a37c9a5676a7} - c:\program files\common files\symantec shared\adblocking\NISShExt.dll
TB: AIM Toolbar: {de9c389f-3316-41a7-809b-aa305ed9d922} - c:\program files\aol\aim toolbar 5.0\aoltb.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar3.dll
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [DAEMON Tools] "c:\program files\daemon tools\daemon.exe" -lang 1033
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [IntelMeM] "c:\program files\intel\modem event monitor\IntelMEM.exe"
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [Dell AIO Printer A920] "c:\program files\dell aio printer a920\dlbkbmgr.exe"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
mRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
mRun: [SpyHunter Security Suite] c:\program files\enigma software group\spyhunter\SpyHunter3.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
IE: &AIM Search - c:\program files\aol\aim toolbar 5.0\resources\en-us\local\search.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe
IE: {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {3369AF0D-62E9-4bda-8103-B4C75499B578} - {DE9C389F-3316-41A7-809B-AA305ED9D922} - c:\program files\aol\aim toolbar 5.0\aoltb.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
Trusted Zone: mozilla.com\www
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Notify: igfxcui - igfxsrvc.dll
Notify: WRNotifier - WRLogonNTF.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\admin\applic~1\mozilla\firefox\profiles\3c6bc829.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - plugin: c:\program files\mozilla firefox\plugins\npitunes.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npunagi2.dll

============= SERVICES / DRIVERS ===============

R4 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\CCSETMGR.EXE [2004-10-19 235120]
S3 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\CCEVTMGR.EXE [2004-10-19 255600]
S3 ccPwdSvc;Symantec Password Validation;c:\program files\common files\symantec shared\CCPWDSVC.EXE [2004-10-19 87664]

=============== Created Last 30 ================

2009-01-17 11:29 <DIR> a-dshr-- C:\cmdcons
2009-01-17 11:26 161,792 a------- c:\windows\SWREG.exe
2009-01-17 11:26 98,816 a------- c:\windows\sed.exe
2009-01-11 20:07 <DIR> --d----- c:\program files\Enigma Software Group
2008-12-21 00:00 <DIR> --d----- c:\windows\ie8updates
2008-12-20 23:49 <DIR> -cd-h--- c:\windows\ie8

==================== Find3M ====================

2008-12-14 08:59 5,699,584 a------- c:\windows\system32\dllcache\mshtml.dll
2008-12-12 22:04 78,991 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2008-12-12 17:07 410,984 a------- c:\windows\system32\deploytk.dll
2008-12-11 05:57 333,952 a------- c:\windows\system32\drivers\srv.sys
2008-12-11 05:57 333,952 -------- c:\windows\system32\dllcache\srv.sys
2008-12-08 23:15 1,995 ---sh--- c:\windows\system32\tohedida.exe
2008-11-10 17:26 2,516 a--sh--- c:\windows\system32\KGyGaAvL.sys
2008-10-24 06:21 455,296 -------- c:\windows\system32\dllcache\mrxsmb.sys
2008-10-23 07:36 286,720 a------- c:\windows\system32\gdi32.dll
2008-10-23 07:36 286,720 -------- c:\windows\system32\dllcache\gdi32.dll
2008-08-27 20:11 4,251 a------- c:\program files\mirc.ini
2008-08-27 20:11 279 a------- c:\program files\urls.ini
2008-08-27 19:49 44,143 a------- c:\program files\upload.log
2006-10-22 13:16 29,132 a---h--- c:\program files\mirc.GID
2005-12-06 22:29 51,752 a------- c:\docume~1\admin\applic~1\GDIPFONTCACHEV1.DAT
2004-03-10 11:38 1,937,408 a------- c:\program files\mirc.exe
2004-03-10 11:38 229,917 a------- c:\program files\mirc.hlp
2004-03-10 11:38 68,949 a------- c:\program files\ircintro.hlp
2004-03-10 11:38 30,496 a------- c:\program files\versions.txt
2004-03-10 11:38 1,104 a------- c:\program files\readme.txt
2003-10-12 08:31 59,605 a------- c:\program files\sysreset.txt
2002-06-12 20:40 92,272 a------- c:\program files\sysreset.hlp
2002-06-12 20:40 679 a------- c:\program files\sysreset.cnt
2001-05-24 12:59 162,304 a------- c:\program files\UNWISE.EXE
2001-04-06 04:50 0 a------- c:\program files\page.log

============= FINISH: 17:29:05.43 ===============
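A triage pass over the "Find3M" and "Created Last 30" listings above, as an added example that is not part of the original thread and not code from the DDS tool: it parses DDS-style file lines and flags plain files in the system32 root that carry both the system and hidden attributes, which is exactly how c:\windows\system32\tohedida.exe and c:\windows\system32\KGyGaAvL.sys stand out from the rest of the listing. The attribute positions (archive, compressed, directory, system, hidden, read-only) are read off the flag strings in the log itself ("a-dshr--" for the hidden, system, read-only C:\cmdcons directory); the sample lines are copied from the log and embedded so the script runs offline. A flagged entry is something to inspect, not a verdict: licensing and DRM components also drop hidden system files with odd names.

```python
import re

# Constructed sample: lines copied from the DDS "Find3M" / "Created Last 30"
# sections above. Each line is: date time size attribute-flags path
SAMPLE_DDS = """\
2008-12-11 05:57 333,952 a------- c:\\windows\\system32\\drivers\\srv.sys
2008-12-08 23:15 1,995 ---sh--- c:\\windows\\system32\\tohedida.exe
2008-11-10 17:26 2,516 a--sh--- c:\\windows\\system32\\KGyGaAvL.sys
2008-10-23 07:36 286,720 a------- c:\\windows\\system32\\gdi32.dll
2006-10-22 13:16 29,132 a---h--- c:\\program files\\mirc.GID
2009-01-17 11:29 <DIR> a-dshr-- C:\\cmdcons
"""

LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}) "
    r"(?P<size>[\d,]+|<DIR>) (?P<attrs>[a-z-]{8}) (?P<path>.+)$"
)

# Flag positions as they appear in the log's own strings ("a-dshr--" for the
# hidden, system, read-only C:\cmdcons directory): archive, compressed,
# directory, system, hidden, read-only, then two slots unused in this log.
# This mapping is inferred from the log, not taken from DDS documentation.
FLAG_INDEX = {"archive": 0, "compressed": 1, "directory": 2,
              "system": 3, "hidden": 4, "readonly": 5}

SYSTEM32 = "c:\\windows\\system32\\"


def parse_dds_files(text):
    """Parse DDS file-listing lines into dicts with decoded attribute flags."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised DDS line: {line!r}")
        e = m.groupdict()
        for name, idx in FLAG_INDEX.items():
            e[name] = e["attrs"][idx] != "-"
        e["size"] = None if e["size"] == "<DIR>" else int(e["size"].replace(",", ""))
        entries.append(e)
    return entries


def flag_hidden_system_files(entries):
    """Return paths of plain files in the system32 root that are both system
    and hidden. Legitimate components there are not normally hidden, so these
    are the entries to look at first; the flag is a prompt, not a verdict."""
    flagged = []
    for e in entries:
        p = e["path"].lower()
        if e["directory"] or not (e["system"] and e["hidden"]):
            continue
        # "directly in system32": no further path separator after the prefix
        if p.startswith(SYSTEM32) and "\\" not in p[len(SYSTEM32):]:
            flagged.append(e["path"])
    return flagged


if __name__ == "__main__":
    for path in flag_hidden_system_files(parse_dds_files(SAMPLE_DDS)):
        print("review:", path)
```

Run against the full DDS output, the same two files come back; everything else in the listing is either a normal archive-flagged file, a hidden-only file outside system32, or a directory.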

#8 fenzodahl512
  • Members
  • 6,738 posts
  • Local time:10:16 AM

Posted 20 January 2009 - 06:46 AM

Please run a free online scan with the ESET Online Scanner
Note: You will need to use Internet Explorer for this scan.
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the options Remove found threats and the option Scan unwanted applications is checked
  • Click Scan
    Wait for the scan to finish
  • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic

How's the computer now? :thumbup2:

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
Posted Image Posted Image
Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#9 aoc442
  • Topic Starter
  • Members
  • 6 posts
  • Local time:09:16 PM

Posted 25 January 2009 - 05:42 PM

I can use Firefox again, and haven't gotten any popups since I started using ComboFix. Thanks for your help.

# version=4
# OnlineScanner.ocx=1.0.0.56
# OnlineScannerDLLA.dll=1, 0, 0, 51
# OnlineScannerDLLW.dll=1, 0, 0, 51
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=3798 (20090125)
# vers_arch_module=1.064 (20080214)
# vers_adv_heur_module=1.066 (20070917)
# EOSSerial=e6185c667966414a93221ff8fb57b9f1
# end=finished
# remove_checked=true
# unwanted_checked=true
# utc_time=2009-01-25 10:28:00
# local_time=2009-01-25 05:28:00 (-0500, Eastern Standard Time)
# country="United States"
# osver=5.1.2600 NT Service Pack 3
# scanned=358156
# found=33
# scan_time=6074
C:\Program Files\AIM\Sysfiles\WxBug.EXE Win32/Adware.WBug.A application (deleted) 00000000000000000000000000000000
C:\Program Files\AIM\Sysfiles\WxBug.EXE »WISE »MiniBugTransporter.dll Win32/Adware.WBug.A application (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\babopeni.dll.vir Win32/Adware.SuperJuan application (unable to clean - deleted) 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\bilelovi.dll.vir Win32/Adware.Virtumonde application (unable to clean - deleted) 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\bjvtdz.dll.vir Win32/Adware.SuperJuan application (unable to clean - deleted) 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\bonhlp.dll.vir Win32/Adware.SuperJuan application (unable to clean - deleted) 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\budifene.dll.vir Win32/Adware.Virtumonde application (unable to clean - deleted) 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\dofimete.dll.vir Win32/Adware.Virtumonde application (unable to clean - deleted) 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\duwalafa.dll.vir Win32/Adware.Virtumonde application (unable to clean - deleted) 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\fewuyeku.dll.vir Win32/Adware.Virtumonde application (unable to clean - deleted) 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\gurehavo.dll.vir Win32/Adware.Virtumonde application (unable to clean - deleted) 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\hejivole.dll.vir Win32/Adware.Virtumonde application (unable to clean - deleted) 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\jepewosi.dll.vir Win32/Adware.Virtumonde application (unable to clean - deleted) 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\jijeruwa.dll.vir Win32/Adware.Virtumonde application (unable to clean - deleted) 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\jisizosa.dll.vir Win32/Adware.Virtumonde application (unable to clean - deleted) 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\kagetika.dll.vir Win32/Agent.OOY trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\mizokaki.dll.vir Win32/Adware.Virtumonde application (unable to clean - deleted) 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\nehokaki.dll.vir Win32/Adware.Virtumonde application (unable to clean - deleted) 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\pohefito.dll.vir Win32/Adware.Virtumonde application (unable to clean - deleted) 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\poredovi.dll.vir Win32/Adware.Virtumonde application (unable to clean - deleted) 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\rebonoga.dll.vir Win32/Adware.Virtumonde application (unable to clean - deleted) 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\reditika.dll.vir Win32/Agent.OOY trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\rifupopi.dll.vir Win32/Adware.Virtumonde application (unable to clean - deleted) 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\sanezudi.dll.vir Win32/Adware.Virtumonde application (unable to clean - deleted) 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\tebogore.dll.vir Win32/Adware.Virtumonde application (unable to clean - deleted) 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\vagiluke.dll.vir Win32/Adware.SuperJuan application (unable to clean - deleted) 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\vuzizele.dll.vir Win32/Adware.Virtumonde application (unable to clean - deleted) 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\wimineja.dll.vir Win32/Adware.Virtumonde application (unable to clean - deleted) 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\yirejame.dll.vir Win32/Adware.Virtumonde application (unable to clean - deleted) 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\zatoliye.dll.vir Win32/Adware.Virtumonde application (unable to clean - deleted) 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\zipemona.dll.vir Win32/Adware.Virtumonde application (unable to clean - deleted) 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\zumowita.dll.vir Win32/Adware.Virtumonde application (unable to clean - deleted) 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\WINDOWS\TUlDSEFFTA\no5GmHIInE.vbs.vir Win32/Adware.ISearch application (unable to clean - deleted) 00000000000000000000000000000000
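A reader of the ESET log above has to separate the one live hit (WxBug.EXE under the AIM folder) from the thirty-odd entries that are only ComboFix's own quarantine copies: ComboFix moves what it removes into C:\Qoobox\Quarantine, and ESET dutifully scans that folder too. The script below is an added example, not part of the thread and not ESET's or ComboFix's code. It parses the log's "# key=value" header and "path threat kind (action) hash" detection lines, splits findings into live versus already-quarantined, counts them by detection name, and applies one extra heuristic that is my own assumption rather than anything the page states: a DLL whose stem is eight lower-case letters alternating consonant and vowel (babopeni, bilelovi, kagetika, and every other name in the quarantine list) is worth a second look as a Vundo-style random name. The embedded sample is a subset of the posted log.

```python
import re
from collections import Counter

# Constructed sample: header lines plus seven of the detection lines from the
# ESET Online Scanner log posted above, embedded so the script runs offline.
SAMPLE_ESET_LOG = r"""# version=4
# end=finished
# remove_checked=true
# unwanted_checked=true
# osver=5.1.2600 NT Service Pack 3
C:\Program Files\AIM\Sysfiles\WxBug.EXE Win32/Adware.WBug.A application (deleted) 00000000000000000000000000000000
C:\Program Files\AIM\Sysfiles\WxBug.EXE »WISE »MiniBugTransporter.dll Win32/Adware.WBug.A application (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\babopeni.dll.vir Win32/Adware.SuperJuan application (unable to clean - deleted) 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\bilelovi.dll.vir Win32/Adware.Virtumonde application (unable to clean - deleted) 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\budifene.dll.vir Win32/Adware.Virtumonde application (unable to clean - deleted) 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\kagetika.dll.vir Win32/Agent.OOY trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\WINDOWS\TUlDSEFFTA\no5GmHIInE.vbs.vir Win32/Adware.ISearch application (unable to clean - deleted) 00000000000000000000000000000000
"""

# One detection line: <path> <Family/Name> <kind> (<action>) <32-hex hash>.
# The path is matched lazily because it may contain spaces and the »-separated
# archive nesting ESET uses for objects inside installers.
FINDING_RE = re.compile(
    r"^(?P<path>.+?) (?P<threat>[A-Za-z0-9]+/[\w.]+) (?P<kind>\w+) "
    r"\((?P<action>[^)]*)\) (?P<hash>[0-9a-fA-F]{32})$"
)

# ComboFix keeps what it removed under C:\Qoobox\Quarantine; hits there are
# already-neutralised copies, not live infections.
QUARANTINE_PREFIX = "c:\\qoobox\\quarantine\\"

# Heuristic assumption (mine, not the page's): Vundo-style eight-letter
# consonant-vowel names such as babopeni, bilelovi, kagetika.
VUNDO_NAME_RE = re.compile(r"^(?:[bcdfghjklmnpqrstvwxyz][aeiou]){4}$")


def parse_eset_log(text):
    """Return (header metadata dict, list of finding dicts)."""
    meta, findings = {}, []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("#"):
            key, _, value = line[1:].strip().partition("=")
            meta[key.strip()] = value.strip()
            continue
        m = FINDING_RE.match(line)
        if m is None:
            raise ValueError(f"unparsed ESET line: {line!r}")
        findings.append(m.groupdict())
    return meta, findings


def is_quarantined(path):
    return path.lower().startswith(QUARANTINE_PREFIX)


def looks_like_vundo_name(path):
    """True if the innermost file stem matches the consonant-vowel pattern."""
    leaf = path.split("\\")[-1].split("»")[-1].strip()
    if leaf.lower().endswith(".vir"):          # ComboFix quarantine suffix
        leaf = leaf[:-4]
    stem = leaf.rsplit(".", 1)[0]
    return VUNDO_NAME_RE.match(stem) is not None


def triage(findings):
    """Split findings into live vs quarantined and count by threat name."""
    return {
        "live": [f["path"] for f in findings if not is_quarantined(f["path"])],
        "quarantined": [f["path"] for f in findings if is_quarantined(f["path"])],
        "by_threat": dict(Counter(f["threat"] for f in findings)),
        "cv_named": [f["path"] for f in findings if looks_like_vundo_name(f["path"])],
    }


if __name__ == "__main__":
    meta, findings = parse_eset_log(SAMPLE_ESET_LOG)
    report = triage(findings)
    print("scan completed:", meta.get("end") == "finished")
    print("live detections outside ComboFix quarantine:")
    for p in report["live"]:
        print("   ", p)
    print("already quarantined:", len(report["quarantined"]))
    for threat, n in sorted(report["by_threat"].items()):
        print(f"  {n:2d}  {threat}")
```

On the full log the only live entries are the two WxBug lines, which is why the reply that follows treats the scan as clean; the quarantine folder itself goes away when ComboFix is uninstalled with the `/u` switch.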

#10 fenzodahl512
  • Members
  • 6,738 posts
  • Local time:10:16 AM

Posted 25 January 2009 - 05:46 PM

Looks good to me. Let's do some cleanup.


Time for some housekeeping
  • Click START then RUN
  • Now type Combofix /u in the Run box and click OK
    Please note that the space between Combofix and /u is needed


Please read these excellent articles by miekiemoes:
Help! My computer is slow!
How to prevent Malware

Please reply to this thread once more and tell us about the computer behaviour before we can close this thread :thumbup2:



Have a safe and happy computing day!


Regards
fenzodahl512



#11 aoc442
  • Topic Starter
  • Members
  • 6 posts
  • Local time:09:16 PM

Posted 27 January 2009 - 11:38 PM

AIM sometimes abruptly disconnects and reconnects, but that's not a major inconvenience. Otherwise, everything's back to normal. All my other programs seem to work fine. No more popups, trouble loading pages with Java, or disabling of my automatic updates, and my last Malwarebytes Anti-Malware scan turned up nothing.

Thank you very much for your help! :thumbup2:

#12 fenzodahl512
  • Members
  • 6,738 posts
  • Local time:10:16 AM

Posted 28 January 2009 - 12:32 AM

AIM sometimes abruptly disconnects and reconnects


I've got a similar problem at my place :thumbup2: :)


I'm glad that we could help.

I will now close this topic. If you need this topic to be re-opened, please PM me or a Moderator regarding the matter.

If you have any new malware related questions or issues in the future please start a new topic.

Cheers and Happy Computing !

fenzodahl512





