Infected with Smitfraud, Virtumonde, And many more (the more the merrier (not))


This topic is locked
9 replies to this topic

#1 Nexis

Posted 04 February 2009 - 02:44 PM

I knew I had viruses before, but they didn't bother much until I decided to try and get rid of them. A few days ago I scanned with Spybot S&D, which seemingly unearthed some demons in my computer. The scan found a total of 266 threats, including smitfraud and virtumonde, and several others I can't remember.


So far the symptoms I have are: random freezing/crashing, nearly anything I do triggers the computer to lock up. It used to freeze up each time a Windows IE opened, so I uninstalled it, however I keep getting pop-up windows that look like IE even when I'm not connected to the internet. I assume these are fake html files. The Task Manager is disabled each time I start up, thankfully I know how to correct that. My background is replaced by a solid black color, with a warning message in the middle that says "WARNING. Dangerous Spyware. Many viruses were found on your computer such as : Trojan horse, PassCapture, etc. Please check up the computer with a special software. Thank." (Bad grammar is a dead giveaway.. lol). My AVG will not scan right, it says it's scanning, but nothing happens, no files are scanned and it has some error when I try to start the scan. A My Documents Windows Explorer window opens every 15-20 minutes, and they stack up. And, of course, my computer runs slower than a snail. Spybot won't run anymore.

I think I'm forgetting something, but oh well. I'll edit my post if I remember something else.

I did a few Kaspersky scans and saved an html file to my desktop. Would you like to see those, or the "attach" file?


Here is the DDS text:


DDS (Ver_09-02-01.01) - NTFSx86
Run by Mom at 10:29:41.18 on Mon 02/02/2009
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_03
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.2047.1414 [GMT -6:00]

AV: AVG Anti-Virus *On-access scanning enabled* (Outdated)

============== Running Processes ===============

C:\Program Files\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Seagate\Basics\Service\SyncServicesBasics.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\GEARSec.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\CDBurnerXP\NMSAccess.exe
C:\Program Files\Norton Ghost\Agent\VProSvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ULI5287\ULiRaid.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Norton Ghost\Agent\GhostTray.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\Seagate\Basics\Basics Status\MaxMenuMgrBasics.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\frmwrk32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Documents and Settings\Mom\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\ntdll64.exe
C:\Program Files\Safari\Safari.exe
C:\Program Files\Java\jre1.6.0_03\bin\jucheck.exe
C:\Documents and Settings\Mom\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
mSearchAssistant = hxxp://www.google.com/ie
uURLSearchHooks: AIM Toolbar Search Class: {03402f96-3dc7-4285-bc50-9e81fefafe43} - c:\program files\aim toolbar\aimtb.dll
mURLSearchHooks: AIM Toolbar Search Class: {03402f96-3dc7-4285-bc50-9e81fefafe43} - c:\program files\aim toolbar\aimtb.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: banners4u browser enhancer: {14a62309-be9e-0fc6-7bde-811fa689b777} - c:\windows\system32\dkagbceqpkdku.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: {7f7c4f13-07d9-d02b-9754-25e2599fbca4}: {4acbf995-2e52-4579-b20d-9d7031f4c7f7} - c:\windows\system32\lnvjjz.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {5686babc-5016-4fee-bfa0-27b946a100c0} - c:\windows\system32\fccCSmNE.dll
BHO: {6f28697e-142e-420d-b398-05f1de12ef22} - c:\windows\system32\cbXRIcDw.dll
BHO: {753b307f-e589-4fe3-b849-83dd44ef3196} - c:\windows\system32\sadujoka.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_03\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar1.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\4.1.805.4472\swg.dll
BHO: Windows Live Toolbar Helper: {bdbd1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
BHO: NoExplorer - No File
BHO: {c4331076-0367-4d9c-9ad0-ab99145e1fd6} - c:\windows\system32\fccddBtU.dll
BHO: FDMIECookiesBHO Class: {cc59e0f9-7e43-44fa-9faa-8377850bf205} - c:\program files\free download manager\iefdm2.dll
BHO: offersfortoday: {fa3365dc-c41c-28d1-d0af-fcc65eda2932} - c:\windows\system32\nsb45B.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll
TB: Windows Live Toolbar: {bdad1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
TB: AIM Toolbar: {61539ecd-cc67-4437-a03c-9aaccbd14326} - c:\program files\aim toolbar\aimtb.dll
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
EB: {CAFB2180-BA09-11DC-95FF-0800200C9A66} - No File
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Aim6]
uRun: [MsnMsgr] "c:\program files\windows live\messenger\MsnMsgr.Exe" /background
uRun: [Google Update] "c:\documents and settings\mom\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [udcii] "c:\documents and settings\mom\local settings\application data\udcii.exe" udcii
uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\ahead\lib\NMBgMonitor.exe"
uRun: [izor] c:\progra~1\common~1\izor\izorm.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [ULiRaid] c:\program files\uli5287\ULiRaid.exe
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [Norton Ghost 10.0] "c:\program files\norton ghost\agent\GhostTray.exe"
mRun: [High Definition Audio Property Page Shortcut] HDAShCut.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_03\bin\jusched.exe"
mRun: [googletalk] c:\program files\google\google talk\googletalk.exe /autostart
mRun: [basicsmssmenu] "c:\program files\seagate\basics\basics status\MaxMenuMgrBasics.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [NeroFilterCheck] c:\program files\common files\ahead\lib\NeroCheck.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [Framework Windows] frmwrk32.exe
mRun: [Bdacugo] rundll32.exe "c:\windows\Nvakelij.dll",e
mRun: [Qyinejuhediqa] rundll32.exe "c:\windows\ezuyejamiyumih.dll",e
mRunOnce: [IERESETATTRIB] %SystemRoot%\system32\cmd.exe /d /q /c %SystemRoot%\system32\ieudinit.exe -ResetFileAttributes
mRunOnce: [IERESETICONS] %SystemRoot%\system32\cmd.exe /d /q /c %SystemRoot%\iereseticons.exe
mExplorerRun: [YYKt8QmamT] c:\documents and settings\all users\application data\zkxolgzu\nahefgbe.exe
uPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
uPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
dPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
IE: &AIM Toolbar Search - c:\documents and settings\all users\application data\aim toolbar\ietoolbar\resources\en-us\local\search.html
IE: &Windows Live Search - c:\program files\windows live toolbar\msntb.dll/search.htm
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: Download all with Free Download Manager - file://c:\program files\free download manager\dlall.htm
IE: Download selected with Free Download Manager - file://c:\program files\free download manager\dlselected.htm
IE: Download video with Free Download Manager - file://c:\program files\free download manager\dlfvideo.htm
IE: Download with Free Download Manager - file://c:\program files\free download manager\dllink.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_03\bin\ssv.dll
IE: {0b83c99c-1efa-4259-858f-bcb33e007a5b} - {61539ecd-cc67-4437-a03c-9aaccbd14326} - c:\program files\aim toolbar\aimtb.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
LSP: c:\docume~1\mom\locals~1\temp\ntdll64.dll
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader5.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {25365FF3-2746-4230-9DA7-163CCA318309} - hxxp://inst.c-wss.com/n042p/EN/install/gtdownlr.cab
DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
DPF: {5D6F45B3-9043-443D-A792-115447494D24} - hxxp://messenger.zone.msn.com/EN-US/a-UNO1/GAME_UNO1.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1195546075077
DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} - hxxp://www.nvidia.com/content/DriverDownload/srl/2.0.0.1/sysreqlab2.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1195568601170
DPF: {74DBCB52-F298-4110-951D-AD2FF67BC8AB} - hxxp://www.nvidia.com/content/DriverDownload/nforce/NvidiaSmartScan.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
TCP: {7F913DF8-A360-4FD4-A29D-E9CE2BC99336} = 66.37.236.22,66.37.236.23
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: avgrsstarter - avgrsstx.dll
Notify: byXRijKe - byXRijKe.dll
Notify: yayyApOH - yayyApOH.dll
AppInit_DLLs: c:\progra~1\google\google~4\goec62~1.dll,c:\windows\system32\bodozanu.dll,lnvjjz.dll,avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, digeste.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\cbXRIcDw
LSA: Notification Packages = c:\windows\system32\bodozanu.dll scecli

============= SERVICES / DRIVERS ===============

R0 m5287;m5287;c:\windows\system32\drivers\m5287.sys [2007-11-20 101120]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-1-12 97928]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-1-12 26824]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-1-12 231704]
R2 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-1-12 76040]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2004-12-13 165488]
R2 Symantec Core LC;Symantec Core LC;c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe [2007-11-24 822424]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2008-1-25 24652]
R3 PCX500;Cisco Wireless LAN Adapters Driver;c:\windows\system32\drivers\pcx500.sys [2008-10-27 169984]
S1 mrxsmbb;mrxsmbb;c:\windows\system32\drivers\mrxsmbb.sys --> c:\windows\system32\drivers\mrxsmbb.sys [?]
S2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2009-1-12 875288]
S3 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2004-12-13 198256]
S3 ccPwdSvc;Symantec Password Validation;c:\program files\common files\symantec shared\ccPwdSvc.exe [2004-12-13 79472]
S3 GoogleDesktopManager-093007-112848;Google Desktop Manager 5.5.709.30344;c:\program files\google\google desktop search\GoogleDesktop.exe [2007-12-5 29744]
S3 IKFileSec;File Security Driver;c:\windows\system32\drivers\ikfilesec.sys [2007-12-5 40840]
S3 IKSysFlt;System Filter Driver;c:\windows\system32\drivers\iksysflt.sys [2007-12-5 66952]
S3 IKSysSec;System Security Driver;c:\windows\system32\drivers\iksyssec.sys [2007-12-5 81288]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2008-3-16 356920]
S3 sdCoreService;PC Tools Security Service;c:\program files\spyware doctor\pctsSvc.exe [2008-3-16 1079176]
S3 ULI5261XP;ULi M526X Ethernet NT Driver;c:\windows\system32\drivers\ULILAN51.SYS [2007-11-20 28672]

=============== Created Last 30 ================

2009-02-02 10:24 230 a------- c:\windows\system32\spupdsvc.inf
2009-02-02 10:24 66,048 a------- c:\windows\ieResetIcons.exe
2009-02-02 09:00 1 a------- c:\windows\system32\uniq.tll
2009-02-02 08:25 4 a------- c:\windows\system32\test.ttt
2009-02-02 07:29 491 a------- c:\windows\system32\win32hlp.cnf
2009-02-02 07:29 125,440 ac------ c:\windows\system32\dllcache\userinit.exe
2009-02-01 19:59 1,347 a------- c:\windows\system32\ahtn.htm
2009-02-01 19:59 4,785 a------- c:\windows\system32\warning.gif
2009-02-01 19:35 4,262 a------- c:\windows\wininit.ini
2009-02-01 19:28 125,440 a------- c:\windows\system32\ntdll64.exe
2009-02-01 19:15 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-02-01 19:15 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-02-01 19:09 135,168 a------- c:\windows\ezuyejamiyumih.dll
2009-02-01 19:04 <DIR> --d----- c:\docume~1\mom\applic~1\AntispywareBot
2009-02-01 18:43 41,984 a------- c:\windows\Nvakelij.dll
2009-02-01 18:43 41,984 a------- c:\windows\system32\chert5-998.exe
2009-02-01 18:28 26,112 a------- c:\windows\system32\frmwrk32.exe
2009-02-01 18:28 26,112 a------- c:\windows\system32\998.exe
2009-01-24 00:44 56 a---h--- c:\windows\system32\ezsidmv.dat
2009-01-12 23:26 <DIR> --d-h--- C:\$AVG8.VAULT$
2009-01-12 15:30 76,040 a------- c:\windows\system32\drivers\avgtdix.sys
2009-01-12 15:30 10,520 a------- c:\windows\system32\avgrsstx.dll
2009-01-12 15:30 97,928 a------- c:\windows\system32\drivers\avgldx86.sys
2009-01-12 15:30 <DIR> --d----- c:\windows\system32\drivers\Avg
2009-01-12 15:30 <DIR> --d----- c:\program files\AVG
2009-01-11 20:48 1,256,329 ---sh--- c:\windows\system32\sagtgoob.ini
2009-01-10 20:48 1,256,329 ---sh--- c:\windows\system32\vqhajrtf.ini
2009-01-10 14:18 <DIR> --d----- c:\windows\izor
2009-01-10 14:18 <DIR> --d----- c:\program files\common files\izor
2009-01-10 03:41 <DIR> --d----- c:\documents and settings\mom\.thumbnails
2009-01-10 03:39 <DIR> --d----- c:\documents and settings\mom\.gimp-2.6
2009-01-10 03:39 <DIR> --d----- c:\documents and settings\mom\.gegl-0.0
2009-01-09 20:52 <DIR> --d----- c:\docume~1\mom\applic~1\cogad
2009-01-09 20:43 1,256,329 ---sh--- c:\windows\system32\laxfxwlo.ini
2009-01-07 01:39 118,272 a------- c:\windows\system32\SX5363S.DLL
2009-01-07 01:39 102,400 a------- c:\windows\system32\RV32RTP.dll
2009-01-07 01:39 40 a------- c:\windows\system32\Sx5363.ini
2009-01-07 01:36 <DIR> --d----- c:\program files\SubaGames
2009-01-06 11:33 69 a------- c:\windows\NeroDigital.ini

==================== Find3M ====================

2009-02-02 07:29 125,440 a------- c:\windows\system32\userinit.exe
2008-11-30 11:30 70,691 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2008-11-27 21:49 47,598 a------- c:\windows\system32\ufxflrzdcirzeux.exe

============= FINISH: 10:30:06.76 ===============
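The load-point entries in the DDS "Pseudo HJT Report" above are what a helper reads first. As an added example (not from the thread and not DDS's own output), the script below extracts that section from a DDS log and flags entries using the same heuristics: non-default LSA authentication/notification packages, a Winsock LSP living in a temp directory, Explorer\Run and profile-directory autoruns, AppInit and Winlogon Notify DLLs, and BHOs registered without a display name. The sample is a constructed excerpt of lines copied from the posted log plus one known-good AVG entry as a control; the severity labels and rules are assumptions of this example, not anything the tool emits.

```python
import re
from collections import Counter
from typing import Dict, List, Tuple

# (severity, offending log line, reason)
Finding = Tuple[str, str, str]

# Constructed excerpt: a handful of lines copied from the DDS "Pseudo HJT Report"
# posted in the thread, plus one known-good AVG BHO as a control. Not a complete log.
SAMPLE_LOG = r"""
============== Pseudo HJT Report ===============

BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: {5686babc-5016-4fee-bfa0-27b946a100c0} - c:\windows\system32\fccCSmNE.dll
uRun: [udcii] "c:\documents and settings\mom\local settings\application data\udcii.exe" udcii
mRun: [Framework Windows] frmwrk32.exe
mRun: [Bdacugo] rundll32.exe "c:\windows\Nvakelij.dll",e
mExplorerRun: [YYKt8QmamT] c:\documents and settings\all users\application data\zkxolgzu\nahefgbe.exe
LSP: c:\docume~1\mom\locals~1\temp\ntdll64.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: byXRijKe - byXRijKe.dll
AppInit_DLLs: c:\progra~1\google\google~4\goec62~1.dll,c:\windows\system32\bodozanu.dll,lnvjjz.dll,avgrsstx.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\cbXRIcDw
LSA: Notification Packages = c:\windows\system32\bodozanu.dll scecli

============= SERVICES / DRIVERS ===============
"""

TEMP_DIR = re.compile(r"\\temp\\", re.I)
PROFILE_DATA = re.compile(r"\\(application data|applic~1)\\", re.I)
# Packages present in these LSA values on a default Windows XP install.
LSA_DEFAULTS: Dict[str, set] = {
    "Authentication Packages": {"msv1_0"},
    "Notification Packages": {"scecli"},
}


def hjt_section(text: str) -> List[str]:
    """Return the non-empty lines between the Pseudo HJT header and the next section header."""
    out, inside = [], False
    for ln in text.splitlines():
        if ln.startswith("====="):
            if inside:
                break
            inside = "Pseudo HJT Report" in ln
            continue
        if inside and ln.strip():
            out.append(ln.rstrip())
    return out


def triage_line(ln: str) -> List[Finding]:
    """Apply the load-point heuristics a helper reads a DDS log with (rules are this example's own)."""
    tag, _, rest = ln.partition(":")
    rest = rest.strip()
    found: List[Finding] = []
    if tag == "LSA":
        name, _, pkgs = rest.partition("=")
        allowed = LSA_DEFAULTS.get(name.strip(), set())
        for pkg in pkgs.split():
            if pkg not in allowed:
                found.append(("HIGH", ln, f"non-default LSA package {pkg!r} (loaded into lsass)"))
    elif tag == "LSP":
        if TEMP_DIR.search(rest):
            found.append(("HIGH", ln, "Winsock LSP loaded from a temp directory"))
    elif tag.endswith("Run"):
        cmd = re.sub(r"^\[.*?\]\s*", "", rest)  # drop the [value name]
        if tag == "mExplorerRun":
            found.append(("HIGH", ln, "Explorer\\Run key; rarely used by legitimate software"))
        elif TEMP_DIR.search(cmd):
            found.append(("HIGH", ln, "autorun from a temp directory"))
        elif PROFILE_DATA.search(cmd):
            found.append(("REVIEW", ln, "autorun from a profile data directory (some updaters live here too)"))
        elif "rundll32" in cmd.lower():
            found.append(("REVIEW", ln, "rundll32 autorun; verify the DLL it loads"))
        elif "\\" not in cmd:
            found.append(("REVIEW", ln, "bare filename; resolved through the PATH search order"))
    elif tag == "AppInit_DLLs":
        for dll in filter(None, (d.strip() for d in rest.split(","))):
            found.append(("REVIEW", ln, f"AppInit DLL {dll!r} is injected into every GUI process"))
    elif tag == "Notify":
        found.append(("REVIEW", ln, "non-default Winlogon Notify package"))
    elif tag == "BHO" and rest.startswith("{"):
        found.append(("REVIEW", ln, "BHO registered without a display name"))
    return found


def triage(text: str) -> List[Finding]:
    return [f for ln in hjt_section(text) for f in triage_line(ln)]


def count_by_severity(findings: List[Finding]) -> Dict[str, int]:
    return dict(Counter(sev for sev, _, _ in findings))


if __name__ == "__main__":
    for sev, ln, why in sorted(triage(SAMPLE_LOG), key=lambda f: f[0]):
        print(f"[{sev:6}] {why}\n         {ln}")
```

On the excerpt the script reports four HIGH findings (the two LSA packages, the LSP under a temp directory and the Explorer\Run entry) and ten REVIEW items; the AVG control entry is not flagged.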



#2 fenzodahl512

Posted 05 February 2009 - 04:57 AM

Please download Malwarebytes' Anti-Malware from HERE or HERE

Note: If you already have Malwarebytes' Anti-Malware, just run and update it.. Then do a "Perform Full Scan"

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.




NEXT


Please download RSIT by random/random and save it to your Desktop.
  • Double click on RSIT.exe to run RSIT
  • Before you click "Continue", make sure you change the List files/folders created or modified in the last 3 months
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt and info.txt in your next reply.



NEXT


Please download GMER and unzip it to your Desktop.
  • Open the program and click on the Rootkit tab.
  • Make sure all the boxes on the right of the screen are checked, EXCEPT for ‘Show All’.
  • Click on Scan.
  • When the scan has run click Copy and paste the results into a Notepad >> save it and attach in this thread.


Post me these logs in your next reply.. Post each log in a separate post..

1. Malwarebytes'
2. RSIT log.txt
3. RSIT info.txt
4. Attach GMER result..

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#3 Nexis


Posted 05 February 2009 - 11:25 AM

When I try to install Malwarebytes' Anti-Malware I get 18 error boxes that say:

"Application error"
"Exception EInvalidOp in module mbam-setup.tmp at 778500D5. Invalid floating point."


Any advice?

Edited by Nexis, 05 February 2009 - 11:30 AM.


#4 fenzodahl512

Posted 05 February 2009 - 11:51 AM

Let's do this instead....


Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix.. Please visit HERE if you don't know how.. Please re-enable them back after performing all steps given..

Please download ComboFix by sUBs from HERE or HERE or HERE and save it to your Desktop.

During the download, rename Combofix to Combo-Fix as follows:

[screenshots of the rename step]


It is important you rename Combofix during the download, but not after.

**NOTE: If you are using Firefox, make sure that your download settings are as follows:
  • Tools->Options->Main tab
  • Set to "Always ask me where to Save the files".

After that, double-click and run Combo-Fix. Let it finish its job and post the log here.

If ComboFix asks you to install Recovery Console, please do so.. It will be in your best interest..

Note: DON'T do anything with your computer while ComboFix is running.. Let ComboFix finish its job..



#5 Nexis


Posted 05 February 2009 - 02:51 PM

Okay, I'm glad that worked, I feel like we're getting somewhere.

Here's the log:

ComboFix 09-02-04.04 - Mom 2009-02-05 13:36:09.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.2047.1713 [GMT -6:00]
Running from: c:\documents and settings\Mom\Desktop\Combo-Fix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Mom\Application Data\AntispywareBot
c:\documents and settings\Mom\Application Data\NI.GSCNS
c:\documents and settings\Mom\Application Data\NI.GSCNS\dl.ini
c:\documents and settings\Mom\Application Data\NI.GSCNS\settings.ini
c:\documents and settings\Mom\Application Data\SpeedRunner
c:\documents and settings\Mom\Application Data\SpeedRunner\config.cfg
c:\documents and settings\Mom\Local Settings\Application Data\udcii.dat
c:\documents and settings\Mom\Local Settings\Application Data\udcii_nav.dat
c:\documents and settings\Mom\Local Settings\Application Data\udcii_navps.dat
c:\documents and settings\Mom\Local Settings\Temporary Internet Files\fbk.sts
c:\temp\FT62
c:\temp\FT62\teTU.log
c:\windows\system32\998.exe
c:\windows\system32\ahtn.htm
c:\windows\system32\chert5-998.exe
c:\windows\system32\dPI19
c:\windows\system32\drivers\seneka.sys
c:\windows\system32\drivers\senekaytyxfskt.sys
c:\windows\system32\ENmSCccf.ini
c:\windows\system32\frmwrk32.exe
c:\windows\system32\laxfxwlo.ini
c:\windows\system32\ntdll64.exe
c:\windows\system32\pac.txt
c:\windows\system32\sagtgoob.ini
c:\windows\system32\senekaiwexjlqi.dat
c:\windows\system32\senekalhmbcvbg.dll
c:\windows\system32\senekalog.dat
c:\windows\system32\test.ttt
c:\windows\system32\ugoyadar.ini
c:\windows\system32\uniq.tll
c:\windows\system32\UtBddccf.ini
c:\windows\system32\vqhajrtf.ini
c:\windows\system32\warning.gif
c:\windows\system32\win32hlp.cnf
c:\windows\Tasks\fpymrrbp.job
c:\windows\wiaserviv.log

Infected copy of c:\windows\system32\userinit.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\userinit.exe


.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_SENEKA


((((((((((((((((((((((((( Files Created from 2009-01-05 to 2009-02-05 )))))))))))))))))))))))))))))))
.

2009-02-04 23:43 . 2009-02-04 23:43 <DIR> d-------- c:\documents and settings\Mom\.housecall6.6
2009-02-04 19:44 . 2008-06-19 16:24 28,544 --a------ c:\windows\system32\drivers\pavboot.sys
2009-02-04 19:40 . 2009-02-04 19:40 <DIR> d-------- c:\program files\Panda Security
2009-02-04 17:43 . 2008-12-12 11:33 3,060,224 -----c--- c:\windows\system32\dllcache\mshtml.dll
2009-02-02 10:28 . 2009-02-04 15:21 4,194,366 --a------ c:\windows\pfirewall.log.old
2009-02-02 10:24 . 2009-02-02 10:24 230 --a------ c:\windows\system32\spupdsvc.inf
2009-02-01 19:35 . 2009-02-01 19:49 4,262 --a------ c:\windows\wininit.ini
2009-02-01 19:15 . 2009-02-01 19:19 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-02-01 19:09 . 2009-02-01 19:09 135,168 --a------ c:\windows\ezuyejamiyumih.dll
2009-02-01 18:43 . 2009-02-01 18:43 41,984 --a------ c:\windows\Nvakelij.dll
2009-01-24 00:44 . 2009-01-30 22:50 <DIR> d-------- c:\documents and settings\Mom\Application Data\skypePM
2009-01-24 00:44 . 2009-01-24 00:44 56 --ah----- c:\windows\system32\ezsidmv.dat
2009-01-24 00:37 . 2009-01-24 00:37 <DIR> d-------- c:\program files\Common Files\Skype
2009-01-12 15:30 . 2009-01-12 15:30 <DIR> d-------- c:\program files\AVG
2009-01-10 14:18 . 2009-01-10 14:18 <DIR> d-------- c:\windows\izor
2009-01-10 14:18 . 2009-01-12 10:25 <DIR> d-------- c:\program files\Common Files\izor
2009-01-10 03:41 . 2009-01-10 03:49 <DIR> d-------- c:\documents and settings\Mom\Application Data\gtk-2.0
2009-01-10 03:41 . 2009-01-10 03:41 <DIR> d-------- c:\documents and settings\Mom\.thumbnails
2009-01-10 03:39 . 2009-01-10 11:45 <DIR> d-------- c:\documents and settings\Mom\.gimp-2.6
2009-01-10 03:39 . 2009-01-10 03:39 <DIR> d-------- c:\documents and settings\Mom\.gegl-0.0
2009-01-09 20:52 . 2009-01-12 10:25 <DIR> d-------- c:\documents and settings\Mom\Application Data\cogad
2009-01-06 11:33 . 2009-01-30 12:34 69 --a------ c:\windows\NeroDigital.ini

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-05 19:29 --------- d-----w c:\documents and settings\All Users\Application Data\Google Updater
2009-02-05 09:03 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2009-02-05 02:59 --------- d-----w c:\program files\Google
2009-02-05 02:55 --------- d-----w c:\program files\RealArcade
2009-02-05 02:54 --------- d--h--w c:\program files\InstallShield Installation Information
2009-02-05 02:51 --------- d-----w c:\documents and settings\All Users\Application Data\avg8
2009-02-05 02:49 --------- d-----w c:\program files\AIM6
2009-02-02 00:48 --------- d-----w c:\program files\MSN Games
2009-02-02 00:46 --------- d-----w c:\program files\WildGames
2009-02-02 00:46 --------- d-----w c:\documents and settings\All Users\Application Data\WildTangent
2009-01-31 04:59 --------- d-----w c:\documents and settings\Mom\Application Data\Skype
2009-01-20 16:59 --------- d-----w c:\documents and settings\Mom\Application Data\Free Download Manager
2009-01-15 06:41 --------- d-----w c:\documents and settings\Mom\Application Data\Ahead
2009-01-12 16:27 --------- d-----w c:\program files\Common Files\Adobe
2008-12-31 04:43 --------- d-----w c:\documents and settings\Mom\Application Data\AquaNox
2008-12-20 14:41 --------- d-----w c:\program files\Tencent
2008-12-20 14:41 --------- d-----w c:\documents and settings\Mom\Application Data\Tencent
2008-12-20 14:41 --------- d-----w c:\documents and settings\Mom\Application Data\QQ Games Plugin
2008-12-20 14:35 --------- d-----w c:\documents and settings\All Users\Application Data\AOL Downloads
2008-12-20 14:33 --------- d-----w c:\documents and settings\All Users\Application Data\Viewpoint
2008-12-20 14:33 --------- d-----w c:\documents and settings\All Users\Application Data\acccore
2008-12-11 11:57 333,184 ----a-w c:\windows\system32\drivers\srv.sys
2009-02-02 21:14 67,688 ----a-w c:\program files\mozilla firefox\components\jar50.dll
2009-02-02 21:14 54,368 ----a-w c:\program files\mozilla firefox\components\jsd3250.dll
2009-02-02 21:14 34,944 ----a-w c:\program files\mozilla firefox\components\myspell.dll
2009-02-02 21:14 46,712 ----a-w c:\program files\mozilla firefox\components\spellchk.dll
2009-02-02 21:14 172,136 ----a-w c:\program files\mozilla firefox\components\xpinstal.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-11-20 68856]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]
"Google Update"="c:\documents and settings\Mom\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-09-08 133104]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-06-01 153136]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-10-04 8491008]
"ULiRaid"="c:\program files\ULI5287\ULiRaid.exe" [2005-08-23 409600]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2004-12-13 58992]
"Norton Ghost 10.0"="c:\program files\Norton Ghost\Agent\GhostTray.exe" [2005-09-09 1537648]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-10-04 81920]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 132496]
"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"basicsmssmenu"="c:\program files\Seagate\Basics\Basics Status\MaxMenuMgrBasics.exe" [2007-10-09 169328]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-09-10 289576]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 153136]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"Bdacugo"="c:\windows\Nvakelij.dll" [2009-02-01 41984]
"Qyinejuhediqa"="c:\windows\ezuyejamiyumih.dll" [2009-02-01 135168]
"nwiz"="nwiz.exe" [2007-10-04 c:\windows\system32\nwiz.exe]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2005-01-07 c:\windows\system32\HdAShCut.exe]
"RTHDCPL"="RTHDCPL.EXE" [2005-07-14 c:\windows\RTHDCPL.EXE]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Microsoft Games\\Age of Empires III\\age3.exe"=
"c:\\Program Files\\Microsoft Games\\Age of Empires III\\age3x.exe"=
"c:\\Program Files\\Microsoft Games\\Age of Empires III\\age3y.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\WINDOWS\\system32\\dplaysvr.exe"=
"c:\\Documents and Settings\\All Users\\Documents\\Age of the Empires II\\age2_x1.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Documents and Settings\\Mom\\Desktop\\Halo\\halo.exe"=
"c:\\Documents and Settings\\Mom\\Desktop\\Halo\\hal.exe"=
"c:\\Documents and Settings\\Mom\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=
"c:\\Documents and Settings\\Mom\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6121:TCP"= 6121:TCP:char-server.exe
"6900:TCP"= 6900:TCP:login-server.exe
"5121:TCP"= 5121:TCP:map-server.exe

R0 m5287;m5287;c:\windows\system32\drivers\m5287.sys [2007-11-20 101120]
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2009-02-04 28544]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2008-01-25 24652]
R3 PCX500;Cisco Wireless LAN Adapters Driver;c:\windows\system32\drivers\pcx500.sys [2008-10-27 169984]
S1 mrxsmbb;mrxsmbb;c:\windows\system32\drivers\mrxsmbb.sys --> c:\windows\system32\drivers\mrxsmbb.sys [?]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [2008-03-16 356920]
S3 ULI5261XP;ULi M526X Ethernet NT Driver;c:\windows\system32\drivers\ULILAN51.SYS [2007-11-20 28672]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{bf135383-9700-11dc-a6bb-806d6172696f}]
\Shell\AutoRun\command - D:\autorun.exe
.
Contents of the 'Scheduled Tasks' folder

2009-02-03 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 16:57]

2009-02-04 c:\windows\Tasks\At1.job
- c:\windows\system32\U54KY33a.exe []

2009-02-04 c:\windows\Tasks\At10.job
- c:\windows\system32\U54KY33a.exe []

2009-02-05 c:\windows\Tasks\At11.job
- c:\windows\system32\U54KY33a.exe []

2009-02-04 c:\windows\Tasks\At12.job
- c:\windows\system32\U54KY33a.exe []

2009-02-04 c:\windows\Tasks\At13.job
- c:\windows\system32\U54KY33a.exe []

2009-02-04 c:\windows\Tasks\At14.job
- c:\windows\system32\U54KY33a.exe []

2009-02-04 c:\windows\Tasks\At15.job
- c:\windows\system32\U54KY33a.exe []

2009-02-04 c:\windows\Tasks\At16.job
- c:\windows\system32\U54KY33a.exe []

2009-02-04 c:\windows\Tasks\At17.job
- c:\windows\system32\U54KY33a.exe []

2009-02-04 c:\windows\Tasks\At18.job
- c:\windows\system32\U54KY33a.exe []

2009-02-04 c:\windows\Tasks\At19.job
- c:\windows\system32\U54KY33a.exe []

2009-02-05 c:\windows\Tasks\At2.job
- c:\windows\system32\U54KY33a.exe []

2009-02-04 c:\windows\Tasks\At20.job
- c:\windows\system32\U54KY33a.exe []

2009-02-05 c:\windows\Tasks\At21.job
- c:\windows\system32\U54KY33a.exe []

2009-02-05 c:\windows\Tasks\At22.job
- c:\windows\system32\U54KY33a.exe []

2009-02-05 c:\windows\Tasks\At23.job
- c:\windows\system32\U54KY33a.exe []

2009-02-05 c:\windows\Tasks\At24.job
- c:\windows\system32\U54KY33a.exe []

2009-02-05 c:\windows\Tasks\At25.job
- c:\windows\system32\U54KY33a.exe []

2009-02-05 c:\windows\Tasks\At26.job
- c:\windows\system32\U54KY33a.exe []

2009-02-05 c:\windows\Tasks\At27.job
- c:\windows\system32\U54KY33a.exe []

2009-02-05 c:\windows\Tasks\At28.job
- c:\windows\system32\U54KY33a.exe []

2009-02-05 c:\windows\Tasks\At29.job
- c:\windows\system32\U54KY33a.exe []

2009-02-05 c:\windows\Tasks\At3.job
- c:\windows\system32\U54KY33a.exe []

2009-02-05 c:\windows\Tasks\At30.job
- c:\windows\system32\U54KY33a.exe []

2009-02-05 c:\windows\Tasks\At31.job
- c:\windows\system32\U54KY33a.exe []

2009-02-04 c:\windows\Tasks\At32.job
- c:\windows\system32\U54KY33a.exe []

2009-02-04 c:\windows\Tasks\At33.job
- c:\windows\system32\U54KY33a.exe []

2009-02-04 c:\windows\Tasks\At34.job
- c:\windows\system32\U54KY33a.exe []

2009-02-05 c:\windows\Tasks\At35.job
- c:\windows\system32\U54KY33a.exe []

2009-02-04 c:\windows\Tasks\At36.job
- c:\windows\system32\U54KY33a.exe []

2009-02-04 c:\windows\Tasks\At37.job
- c:\windows\system32\U54KY33a.exe []

2009-02-04 c:\windows\Tasks\At38.job
- c:\windows\system32\U54KY33a.exe []

2009-02-04 c:\windows\Tasks\At39.job
- c:\windows\system32\U54KY33a.exe []

2009-02-05 c:\windows\Tasks\At4.job
- c:\windows\system32\U54KY33a.exe []

2009-02-04 c:\windows\Tasks\At40.job
- c:\windows\system32\U54KY33a.exe []

2009-02-04 c:\windows\Tasks\At41.job
- c:\windows\system32\U54KY33a.exe []

2009-02-04 c:\windows\Tasks\At42.job
- c:\windows\system32\U54KY33a.exe []

2009-02-04 c:\windows\Tasks\At43.job
- c:\windows\system32\U54KY33a.exe []

2009-02-04 c:\windows\Tasks\At44.job
- c:\windows\system32\U54KY33a.exe []

2009-02-05 c:\windows\Tasks\At45.job
- c:\windows\system32\U54KY33a.exe []

2009-02-05 c:\windows\Tasks\At46.job
- c:\windows\system32\U54KY33a.exe []

2009-02-05 c:\windows\Tasks\At47.job
- c:\windows\system32\U54KY33a.exe []

2009-02-05 c:\windows\Tasks\At48.job
- c:\windows\system32\U54KY33a.exe []

2009-02-05 c:\windows\Tasks\At5.job
- c:\windows\system32\U54KY33a.exe []

2009-02-05 c:\windows\Tasks\At6.job
- c:\windows\system32\U54KY33a.exe []

2009-02-05 c:\windows\Tasks\At7.job
- c:\windows\system32\U54KY33a.exe []

2009-02-04 c:\windows\Tasks\At8.job
- c:\windows\system32\U54KY33a.exe []

2009-02-04 c:\windows\Tasks\At9.job
- c:\windows\system32\U54KY33a.exe []

2009-02-05 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 11:20]

2009-02-05 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-343818398-1275210071-839522115-1004.job
- c:\documents and settings\Mom\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-08 22:59]

2009-01-30 c:\windows\Tasks\Norton Security Scan for Mom.job
- c:\program files\Norton Security Scan\Nss.exe [2008-09-19 03:18]
.
- - - - ORPHANS REMOVED - - - -

BHO-{14A62309-BE9E-0FC6-7BDE-811FA689B777} - c:\windows\system32\dkagbceqpkdku.dll
BHO-{4acbf995-2e52-4579-b20d-9d7031f4c7f7} - c:\windows\system32\lnvjjz.dll
BHO-{5686BABC-5016-4FEE-BFA0-27B946A100C0} - c:\windows\system32\fccCSmNE.dll
BHO-{6F28697E-142E-420D-B398-05F1DE12EF22} - c:\windows\system32\cbXRIcDw.dll
BHO-{753b307f-e589-4fe3-b849-83dd44ef3196} - c:\windows\system32\sadujoka.dll
BHO-{C4331076-0367-4D9C-9AD0-AB99145E1FD6} - c:\windows\system32\fccddBtU.dll
BHO-{fa3365dc-c41c-28d1-d0af-fcc65eda2932} - c:\windows\system32\nsb45B.dll
HKCU-Run-udcii - c:\documents and settings\mom\local settings\application data\udcii.exe
HKCU-Run-izor - c:\progra~1\COMMON~1\izor\izorm.exe
HKCU-Run-SpybotSD TeaTimer - c:\program files\Spybot - Search & Destroy\TeaTimer.exe
HKCU-Run-Aim6 - (no file)
HKLM-Explorer_Run-YYKt8QmamT - c:\documents and settings\All Users\Application Data\zkxolgzu\nahefgbe.exe
Notify-avgrsstarter - avgrsstx.dll
Notify-byXRijKe - byXRijKe.dll
Notify-dimsntfy - (no file)
Notify-yayyApOH - yayyApOH.dll


.
------- Supplementary Scan -------
.
uSearch Page = hxxp://www.google.com
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearch Bar = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Mom\Application Data\Mozilla\Firefox\Profiles\je045j37.default\
FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrie7&query=
FF - prefs.js: browser.search.selectedEngine - AIM Search
FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrab&query=
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
FF - component: c:\program files\Mozilla Firefox\extensions\talkback@mozilla.org\components\qfaservices.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1368.5602\npCIDetect13.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Picasa2\npPicasa2.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-05 13:43:01
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{54a5f149-46a4-428a-b82f-e7b7b4c80309}]
@Denied: (Full) (Everyone)
"Model"=dword:00000006
"Therad"=dword:0000001e
"MData"=hex(0):2b,8f,78,29,5a,0c,ce,ec,48,d4,68,e5,9f,6a,96,3e,ab,de,c5,81,26,
38,95,44,85,b1,12,f9,90,dd,23,a1,49,8c,bf,1a,9d,fe,41,71,cb,3f,46,a4,7c,ab,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}]
@Denied: (Full) (Everyone)
"scansk"=hex(0):74,9b,ac,a4,1d,d3,1a,17,07,46,7e,73,2d,8d,50,e5,d1,30,d2,72,42,
44,63,93,52,dc,e4,61,b3,90,33,c4,1b,c0,45,f7,80,00,6e,8e,00,00,00,00,00,00,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(596)
c:\windows\system32\cswGina.dll
c:\windows\system32\ACrd10SM.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Seagate\Basics\Service\SyncServicesBasics.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\gearsec.exe
c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe
c:\program files\CDBurnerXP\NMSAccess.exe
c:\program files\Norton Ghost\Agent\VProSvc.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\rundll32.exe
c:\program files\Common Files\Ahead\Lib\NMIndexingService.exe
c:\program files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Java\jre1.6.0_03\bin\jucheck.exe
.
**************************************************************************
.
Completion time: 2009-02-05 13:49:29 - machine was rebooted
ComboFix-quarantined-files.txt 2009-02-05 19:49:27

Pre-Run: 123,663,339,520 bytes free
Post-Run: 123,930,963,968 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn /usepmtimer

381 --- E O F --- 2009-02-05 09:03:01

#6 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • OFFLINE
  •  
  • Local time:01:10 AM

Posted 06 February 2009 - 01:35 AM

1. Please open Notepad
  • Click Start, then Run
  • Type notepad.exe in the Run Box.
2. Now copy/paste the entire content of the codebox below into the Notepad window:

KillAll::

File::
c:\windows\ezuyejamiyumih.dll
c:\windows\Nvakelij.dll
c:\windows\system32\U54KY33a.exe

AtJob::

RegLock::
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{54a5f149-46a4-428a-b82f-e7b7b4c80309}]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}]

Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{bf135383-9700-11dc-a6bb-806d6172696f}]

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

(animation: dragging CFScript.txt onto ComboFix.exe)


5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive
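Added example (an editor's addition, not part of fenzodahl512's reply and not a ComboFix feature): the CFScript above was written by reading the log by hand, so here is a small Python triage that mechanises the same reading. It parses the ComboFix log format exactly as printed on this page (Run values with their file dates, the Scheduled Tasks listing, the firewall policy key, the mountpoints2 AutoRun handler and the @Denied CLSID keys), applies a few heuristics that are my assumptions rather than ComboFix's (an autostart whose file is less than a week older than the rootkit-scan date; one binary behind three or more At*.job tasks, or one whose file ComboFix could not stat, shown as []), and drafts the CFScript sections the reply uses. SAMPLE_LOG is a constructed excerpt of the log above; the rule names, thresholds and regexes are mine.

```python
"""Added example, not ComboFix's code and not from the thread: triage a ComboFix-style
log for the persistence patterns visible above and draft the matching CFScript sections
(same directive names as the reply above).  Regexes and thresholds are assumptions."""
import re
from collections import defaultdict
from datetime import date

KEY_RE = re.compile(r"^\[(.+)\]$")
RUN_VALUE_RE = re.compile(r'^"([^"]+)"="([^"]+)"\s+\[(\d{4}-\d{2}-\d{2})\s+[^\]]*\]$')
JOB_RE = re.compile(r"^\d{4}-\d{2}-\d{2}\s+c:\\windows\\tasks\\([^\\]+)\.job$", re.I)
JOB_TARGET_RE = re.compile(r"^-\s+(.+?)\s*\[(.*)\]$")
SCAN_DATE_RE = re.compile(r"^Rootkit scan (\d{4}-\d{2}-\d{2})")

# Constructed sample: lines copied from the ComboFix log posted above.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2004-12-13 58992]
"Bdacugo"="c:\windows\Nvakelij.dll" [2009-02-01 41984]
"Qyinejuhediqa"="c:\windows\ezuyejamiyumih.dll" [2009-02-01 135168]
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{bf135383-9700-11dc-a6bb-806d6172696f}]
\Shell\AutoRun\command - D:\autorun.exe
2009-02-03 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 16:57]
2009-02-04 c:\windows\Tasks\At1.job
- c:\windows\system32\U54KY33a.exe []
2009-02-05 c:\windows\Tasks\At2.job
- c:\windows\system32\U54KY33a.exe []
Rootkit scan 2009-02-05 13:43:01
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{54a5f149-46a4-428a-b82f-e7b7b4c80309}]
@Denied: (Full) (Everyone)
"""

def _lines(log_text):
    return [ln.strip() for ln in log_text.splitlines()]

def parse_run_entries(log_text):
    """[(key, value_name, target_path, file_date)] for every value under a ...\\Run key."""
    key, out = None, []
    for ln in _lines(log_text):
        if (m := KEY_RE.match(ln)):
            key = m.group(1)
        elif key and key.lower().endswith("\\run") and (m := RUN_VALUE_RE.match(ln)):
            out.append((key, m.group(1), m.group(2), date.fromisoformat(m.group(3))))
    return out

def parse_scheduled_jobs(log_text):
    """{target_path: [(job_name, file_metadata)]} from the 'Scheduled Tasks' listing."""
    lines, jobs = _lines(log_text), defaultdict(list)
    for cur, nxt in zip(lines, lines[1:]):
        m, t = JOB_RE.match(cur), JOB_TARGET_RE.match(nxt)
        if m and t:
            jobs[t.group(1)].append((m.group(1), t.group(2)))
    return dict(jobs)

def triage(log_text, recent_days=7, job_threshold=3):
    """Return [(rule, subject, detail)]; subject is the path or key a fix would act on."""
    lines, findings = _lines(log_text), []
    scan = next((date.fromisoformat(m.group(1)) for ln in lines if (m := SCAN_DATE_RE.match(ln))), None)
    # Rule 1: autostart values whose on-disk file was written only days before the scan.
    for key, name, path, fdate in parse_run_entries(log_text):
        if scan and 0 <= (scan - fdate).days <= recent_days:
            findings.append(("recent_autostart", path, f'"{name}" file dated {fdate}'))
    # Rule 2: one binary behind many At*.job tasks, or one ComboFix could not stat ('[]').
    for target, jobs in parse_scheduled_jobs(log_text).items():
        if len(jobs) >= job_threshold or any(meta == "" for _, meta in jobs):
            findings.append(("scheduled_task_persistence", target, ", ".join(n for n, _ in jobs)))
    # Rules 3-5: firewall off, per-drive AutoRun handler, CLSID key with Everyone denied.
    key = None
    for ln in lines:
        if (m := KEY_RE.match(ln)):
            key = m.group(1)
            continue
        k = (key or "").lower()
        if "firewallpolicy" in k and re.match(r'^"EnableFirewall"=\s*0\b', ln):
            findings.append(("firewall_disabled", key, ln))
        elif "mountpoints2" in k and ln.lower().startswith("\\shell\\autorun\\command"):
            findings.append(("drive_autorun_handler", key, ln))
        elif "classes\\clsid" in k and ln.startswith("@Denied:"):
            findings.append(("locked_clsid_key", key, ln))
    return findings

def draft_cfscript(findings):
    """Map findings onto the CFScript sections the reply above uses (the firewall has none)."""
    files = [s for r, s, _ in findings if r in ("recent_autostart", "scheduled_task_persistence")]
    locked = [f"[{s}]" for r, s, _ in findings if r == "locked_clsid_key"]
    mounts = [f"[-{s}]" for r, s, _ in findings if r == "drive_autorun_handler"]
    out = ["KillAll::", ""]
    if files:
        out += ["File::", *files, ""]
    if any(r == "scheduled_task_persistence" for r, _, _ in findings):
        out += ["AtJob::", ""]
    if locked:
        out += ["RegLock::", *locked, ""]
    if mounts:
        out += ["Registry::", *mounts, ""]
    return "\n".join(out)

if __name__ == "__main__":
    for rule, subject, detail in triage(SAMPLE_LOG):
        print(f"{rule:27} {subject}  ({detail})")
    print(draft_cfscript(triage(SAMPLE_LOG)))
```

Run it as is and compare the draft with the reply: File:: gets the two DLLs dropped in c:\windows and U54KY33a.exe, AtJob:: is the section the reply uses against the At1..At48 jobs, RegLock:: takes the CLSID key that denies Everyone, and Registry:: with [-key] removes the mountpoints2 entry that runs D:\autorun.exe when the drive is opened. The disabled firewall (EnableFirewall = 0) is reported but has no CFScript counterpart; it is switched back on from Control Panel once the machine is clean. A draft like this is for the person reading the log to check line by line, not something to feed to ComboFix unreviewed.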


#7 Nexis

Nexis
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:11:10 AM

Posted 06 February 2009 - 01:41 PM

I'm sorry, I'm not sure what you mean by a HijackThis log. :/

Attached Files



#8 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • OFFLINE
  •  
  • Local time:01:10 AM

Posted 06 February 2009 - 01:53 PM

1. Please open Notepad
  • Click Start, then Run
  • Type notepad.exe in the Run Box.
2. Now copy/paste the entire content of the codebox below into the Notepad window:

KillAll::

Driver::
mrxsmbb

File::
c:\windows\system32\drivers\mrxsmbb.sys

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

(animation: dragging CFScript.txt onto ComboFix.exe)


5. After reboot, (in case it asks to reboot), please post the ComboFix log in your next reply..





NEXT


Please download Malwarebytes' Anti-Malware from HERE or HERE

Note: If you already have Malwarebytes' Anti-Malware, just run and update it.. Then do a "Perform Full Scan"

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.




Post me these logs in your next reply...

1. ComboFix
2. Malwarebytes'
3. Tell me, how's the computer now? :thumbup2:



#9 Nexis

Nexis
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:11:10 AM

Posted 06 February 2009 - 03:03 PM

I attached the ComboFix log since it was considerably longer.

Here's the scan log:

Malwarebytes' Anti-Malware 1.33
Database version: 1735
Windows 5.1.2600 Service Pack 2

2/6/2009 1:55:19 PM
mbam-log-2009-02-06 (13-55-19).txt

Scan type: Full Scan (C:\|)
Objects scanned: 142217
Time elapsed: 40 minute(s), 42 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 2
Files Infected: 5

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Program Files\Webtools (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Mom\Application Data\cogad (Trojan.Agent) -> Quarantined and deleted successfully.

Files Infected:
C:\Qoobox\Quarantine\C\WINDOWS\Nvakelij.dll.vir (Adware.BHO) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\chert5-998.exe.vir (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{CB5C451E-B901-4870-9E31-83EF89030FB8}\RP404\A0078412.exe (Rogue.Emule) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{CB5C451E-B901-4870-9E31-83EF89030FB8}\RP436\A0094682.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{CB5C451E-B901-4870-9E31-83EF89030FB8}\RP439\A0095827.dll (Adware.BHO) -> Quarantined and deleted successfully.





The computer is great now! Everything seems to work properly now, it runs smoothly like it used to, I got my old cheery background back.


However, 2 days ago the power went out for a moment and when I started all my family computers back up again the ICS was disabled and I can't get it working again. This computer is our "head" computer, we have a direct line into this computer, and then a line out of this one out to a switch, then out to our other computers. I can't get the ICS enabled, I get this error message when I try:

"An error occurred while internet connection sharing was being enabled. (null)"

If I go to Control Panel, Network Connections, Wireless Network Connection Properties, in the internet connection sharing area, I click "Settings" but nothing happens, and if I try to Enable ICS it gives me the above error.

Any ideas?



Edit: Can you recommend some good antivirus/malware protection? I was thinking about installing AVG again, or Windows Defender. And, is it safe to use Spybot again? It got really bad right after I scanned with Spybot, so I'm a little paranoid about using it again.

Attached Files


Edited by Nexis, 06 February 2009 - 04:21 PM.


#10 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • OFFLINE
  •  
  • Local time:01:10 AM

Posted 07 February 2009 - 12:15 AM

Ok.. First of all, logs look good to me.. So you are good to go...


However, 2 days ago the power went out for a moment and when I started all my family computers back up again the ICS was disabled and I can't get it working again. This computer is our "head" computer, we have a direct line into this computer, and then a line out of this one out to a switch, then out to our other computers. I can't get the ICS enabled, I get this error message when I try:

"An error occurred while internet connection sharing was being enabled. (null)"

If I go to Control Panel, Network Connections, Wireless Network Connection Properties, in the internet connection sharing area, I click "Settings" but nothing happens, and if I try to Enable ICS it gives me the above error.

Any ideas?


Ah.. I'm not very good with networking stuff; I believe you had better seek further assistance at our Networking forum below.. Tell them about your networking problem and tell them that we sent you there :thumbup2:

http://www.bleepingcomputer.com/forums/f/21/networking/



Can you recommend some good antivirus/malware protection? I was thinking about installing avg again, or windows defender. And, is it safe to use Spybot again? It got really bad right after I scanned with Spybot, so I'm a little paranoid about using it again.


Let's keep it simple and stupid.. We just need only ONE antivirus and ONE antispyware for each computer.. Also ONE firewall would be good..

If you wish to replace all those security programs, make sure you uninstall ALL of them and then install one each..

There are lots of free antivirus/antispyware/firewall programs out there, but if you seek my personal recommendation, here it is..

Antivirus:
  • Avira AntiVir Personal
  • Avast! 4 Home Edition

Antispyware: You already have Malwarebytes' Anti-Malware

Firewall: PC Tools Firewall Plus



Let's do some cleanup...


Please download OTCleanIt and save it to Desktop.
  • Make sure you have internet connection..
  • Double-click OTCleanIt.exe
  • Click the CleanUp! button.
  • Select Yes when the "Begin cleanup Process?" prompt appears.
  • If you are prompted to Reboot during the cleanup, select Yes



Please read these excellent articles by miekiemoes :
Help! My computer is slow!
How to prevent Malware

Please reply to this thread once more and tell us about the computer behaviour before we can close this thread :)



Have a safe and happy computing day!


Regards
fenzodahl512





